Well, you need to configure the number of NVTs run at the same time and also the port scanner (nmap) parameters. You can also limit the openvas line on your router or firewall.
Disabling connection tracking (iptables) on the openvas machine is a good idea for best results.

--
Eero

2015-04-27 17:40 GMT+03:00 Thibaut Pouzet <[email protected]>:
> On 27/04/2015 11:54, Lukas Grunwald wrote:
> > Hi,
> >
> > On 27.04.2015 11:22, Thibaut Pouzet wrote:
> >> Hi,
> >>
> >>
> >> * Under a normal load, the firewall is following 10000 connections
> >> * When we launch OpenVAS, this goes up to 65535 and the firewall starts
> >> dropping packets
> >> * We increased the max value to 120000, launched a scan, and the table
> >> was once again full, firewall dropping packets.
> >
> > Disable the connection tracking feature, this table will fill up
> > automatically.
> > OpenVAS is doing port scans, depending on your infrastructure, your
> > firewalls (dropping TCP-FIN) and your environment this will never work.
> >
> >>
> >> We usually limit the number of hosts scanned to 4, with 5 NVT per host,
> >> and the scanning machine has 4 CPU and 2G of RAM (Virtual machine).
> >>
> >> It seems that the value of the max conntrack has to be properly tuned on
> >> the firewall as it has an impact on RAM consumption, we are working on
> >> it.
> >>
> >> However, I would like to know how I can have control of what the
> >> scanning machine is doing, and limit in OpenVAS this amount of
> >> connections opened. If I cannot do this:
> >> * Either I put some rate-limiting on the firewall, and requests will be
> >> dropped, OpenVAS might miss some things.
> >> * Or I don't put rate-limiting, and when I scan, the firewall drops
> >> legitimate traffic.
> >
> > Disable the connection tracking feature in your Linux kernel and build
> > one without it.
> >
> >>
> >> Does somebody have anything that could help me on this topic?
> >>
> >> Thank you
> >>
> >
> >
>
> Hello Lukas,
>
> I'm not sure disabling conntrack on the firewall is a good solution to
> this problem... Or a good idea either. Surely this is a solution that
> works, but if I was willing to disable it, I would not have sought help
> here in the first place.
>
> We managed today to tune nmap through a scan-config to be less
> aggressive, but this is only nmap, and another tool might still be too
> aggressive. I was looking for a more global configuration, something
> like the "low impact" scanning profile you can see in Qualys for instance.
>
> Cheers,
>
> Thibaut Pouzet.
> _______________________________________________
> Openvas-discuss mailing list
> [email protected]
> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
>
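Worked example, added by the editor and not part of the thread above: the conntrack table fills because every probe the scanner sends creates an entry on the stateful firewall, and a SYN to a port that never answers keeps that entry alive until the firewall's nf_conntrack_tcp_timeout_syn_sent expires (120 s on a stock Linux kernel). Steady-state occupancy is therefore roughly new flows per second times entry lifetime, so the safe probe rate can be derived from the table size, then fed into the two knobs Eero names (nmap's rate options and the scanner's NVT concurrency). The script below does that arithmetic with the numbers Thibaut posted (120000 max entries, 10000 baseline, 4 hosts, 5 NVTs per host); the 50 % safety margin, the interface name eth0, the openvassd.conf key names max_hosts / max_checks and the use of a raw-table NOTRACK rule on the scanner host are my assumptions, not anything the thread states.

```sh
#!/bin/sh
# Added example (editor's code, not from the openvas-discuss thread).
# Sizes a scan's connection rate against a netfilter conntrack table and
# emits the nmap / openvassd settings that enforce it.  Numbers are assumed.

# Read a live conntrack sysctl when run on the firewall itself, otherwise
# fall back to the supplied value (keeps the script runnable offline).
ct_sysctl() {
    key=$1; fallback=$2
    if [ -r "/proc/sys/net/netfilter/$key" ]; then
        cat "/proc/sys/net/netfilter/$key"
    else
        echo "$fallback"
    fi
}

# Little's law: table_entries ~= new_flows_per_second * entry_lifetime.
# Unanswered SYNs live for nf_conntrack_tcp_timeout_syn_sent seconds, so the
# scanner must not open flows faster than free_entries * safety / lifetime.
# Prints 0 when the table is already full at baseline (nothing to budget).
# Usage: conntrack_rate_budget <nf_conntrack_max> <baseline_entries> <lifetime_s> <safety_pct>
conntrack_rate_budget() {
    max=$1; baseline=$2; lifetime=$3; safety_pct=$4
    free=$((max - baseline))
    if [ "$free" -le 0 ]; then
        echo 0
        return 0
    fi
    echo $(( free * safety_pct / 100 / lifetime ))
}

# Turn the budget into nmap options: --max-rate caps probes per second,
# --max-hostgroup caps targets scanned in parallel, --max-retries bounds
# how many extra entries a filtered port can cost.
# Usage: nmap_rate_args <probes_per_second> <hostgroup>
nmap_rate_args() {
    rate=$1; hostgroup=$2
    echo "--max-rate $rate --max-hostgroup $hostgroup --max-retries 2"
}

# openvassd.conf keys that bound scanner concurrency (assumed names from the
# OpenVAS 8 era): max_hosts = simultaneous targets, max_checks = NVTs per target.
# Usage: openvassd_limits <max_hosts> <max_checks>
openvassd_limits() {
    printf 'max_hosts = %s\nmax_checks = %s\n' "$1" "$2"
}

# Eero's scanner-side suggestion in its least invasive form: keep conntrack
# loaded but exempt the scanner's own probes and their replies via the raw
# table, so the scanner's table never fills.  Only prints the commands;
# run them as root on the scanner if you want them applied.
# Usage: scanner_notrack_rules <interface>
scanner_notrack_rules() {
    iface=$1
    echo "iptables -t raw -A OUTPUT -o $iface -j NOTRACK"
    echo "iptables -t raw -A PREROUTING -i $iface -j NOTRACK"
}

# Worked run with the thread's numbers (override via environment variables).
main() {
    max=$(ct_sysctl nf_conntrack_max "${CT_MAX:-120000}")
    lifetime=$(ct_sysctl nf_conntrack_tcp_timeout_syn_sent "${CT_SYN_SENT_TIMEOUT:-120}")
    baseline=${CT_BASELINE:-10000}       # normal-load entries seen on the firewall
    budget=$(conntrack_rate_budget "$max" "$baseline" "$lifetime" 50)
    echo "# table=$max baseline=$baseline syn_sent_timeout=${lifetime}s -> budget ${budget} flows/s"
    echo "nmap $(nmap_rate_args "$budget" 4) <targets>"
    echo "# openvassd.conf:"
    openvassd_limits 4 5
    echo "# on the scanner host:"
    scanner_notrack_rules eth0
}

main "$@"
```

With the posted figures the budget comes out at 458 new flows per second; at the original 65535-entry table it would have been 231, which is why raising the maximum alone only delayed the overflow. The same figure belongs in the nmap preferences of the scan config, and a NOTRACK rule on the scanner host removes the scanner's own table from the equation without touching the firewall that Thibaut wants to keep stateful.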
