Hi,
On 27.04.2015 16:40, Thibaut Pouzet wrote:
> Hello Lukas,
> I'm not sure disabling conntrack on the firewall is a good solution to
> this problem... Or a good idea either.
It is, it's the only solution to be able to scan in a useful time frame.
First you need to understand how TCP/IP works and what your network
landscape looks like, then you will see ;-)
> Surely this is a solution that
> works, but if I was willing to disable it, I would not have sought help
> here in the first place.
You have to understand how connection tracking works, and why this
will not provide you any benefit here.
For every TCP SYN your netfilter allocates a connection; if you scan
one host on all TCP ports you will allocate 65535 entries in the table.
If your next firewall is dropping that packet, you need to wait until the
timeout cleans the table.
That is why you need to understand how this works. If you scan
without filling up the table, you might miss many vulnerabilities.
> We managed today to tune nmap through a scan-config to be less
> aggressive, but this is only nmap, and another tool might still be too
> aggressive. I was looking for a more global configuration, something
> like the "low impact" scanning profile you can see in Qualys for instance.
Sure you can limit the amount of sessions, but this will limit the
amount of results as well.
Having your cake and eating it too will not work in this scenario.
Cheers,
--
Regards
Lukas Grunwald
_______________________________________________
Openvas-discuss mailing list
[email protected]
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
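The capacity argument Lukas makes above (one conntrack entry per SYN, freed only by the SYN_SENT timeout when the far end silently drops the probe, so a full port scan of a single host parks 65535 entries in the table) can be checked with a small model. The following is an added example written for this page, not code from the thread or from the OpenVAS project. The table size of 65536 and the 120 s SYN_SENT timeout are assumptions that mirror common Linux defaults for nf_conntrack_max and nf_conntrack_tcp_timeout_syn_sent; `ConntrackTable`, `simulate_scan` and `max_safe_pps` are names invented here. It also goes slightly beyond the single-host case in the mail by scanning two hosts at two rates, which is where the "limit the sessions, limit the results" trade-off becomes visible.

```python
"""Model of a netfilter conntrack table during a full TCP port scan.

Added example, not code from the OpenVAS thread. Every outbound SYN takes
an entry; when the downstream firewall silently drops the probe, nothing
except the SYN_SENT timeout ever frees that entry. The defaults below are
assumptions taken from common Linux values (nf_conntrack_max = 65536,
nf_conntrack_tcp_timeout_syn_sent = 120 s); on a real box read them from
sysctl instead of trusting these numbers.
"""
import heapq


class ConntrackTable:
    """Minimal conntrack model: a bounded set of flows with per-entry expiry.
    Time is kept in integer microseconds to avoid float drift."""

    def __init__(self, max_entries=65536, syn_sent_timeout_s=120):
        self.max_entries = max_entries
        self.syn_sent_timeout_us = syn_sent_timeout_s * 1_000_000
        self._live = set()      # flow keys currently in the table
        self._expiry = []       # heap of (expires_at_us, key)
        self.dropped = 0        # SYNs refused because the table was full

    def _expire(self, now_us):
        # Remove every entry whose SYN_SENT timer has run out.
        while self._expiry and self._expiry[0][0] <= now_us:
            _, key = heapq.heappop(self._expiry)
            self._live.discard(key)

    def new_syn(self, now_us, key):
        """Register an outbound SYN. Returns False when the table is full,
        the situation where the kernel logs a 'table full' message and
        drops the packet, i.e. the scanner never even sends the probe."""
        self._expire(now_us)
        if key in self._live:
            return True
        if len(self._live) >= self.max_entries:
            self.dropped += 1
            return False
        self._live.add(key)
        heapq.heappush(self._expiry, (now_us + self.syn_sent_timeout_us, key))
        return True

    def count(self, now_us):
        self._expire(now_us)
        return len(self._live)


def simulate_scan(hosts, pps, ports_per_host=65535, table=None):
    """Scan `hosts` targets on every port at a constant `pps` SYN rate.
    Assumes every probe is silently dropped downstream, so only the timeout
    frees entries. Returns (elapsed_us, dropped_syns, peak_table_size)."""
    table = table or ConntrackTable()
    interval_us = 1_000_000 // pps
    step = 0
    peak = 0
    for host in range(hosts):
        for port in range(1, ports_per_host + 1):
            now_us = step * interval_us
            table.new_syn(now_us, (host, port))
            peak = max(peak, table.count(now_us))
            step += 1
    return step * interval_us, table.dropped, peak


def max_safe_pps(max_entries=65536, syn_sent_timeout_s=120):
    """Highest constant SYN rate at which the entries in flight
    (pps * timeout) can never exceed the table size."""
    return max_entries // syn_sent_timeout_s


if __name__ == "__main__":
    for hosts, pps in ((1, 1000), (2, 1000), (2, 500)):
        elapsed_us, dropped, peak = simulate_scan(hosts, pps)
        print(f"{hosts} host(s) at {pps} pps: {elapsed_us / 1e6:.1f} s, "
              f"peak {peak} entries, {dropped} SYNs refused")
    print("rate that never overflows the default table:", max_safe_pps(), "pps")
```

One host at 1000 SYN/s fits exactly (peak 65535 entries, nothing refused). A second host at the same rate hits the 65536 ceiling and 54464 probes are refused before the first entries time out, which is the "missed vulnerabilities" outcome from the mail. Halving the rate to 500 SYN/s keeps the table at a 60000 peak with no refusals, but the scan takes twice as long; `max_safe_pps` gives the break-even rate (546 SYN/s for the assumed defaults), which is the number a firewall operator can compare against their own nf_conntrack_max and timeout before deciding between a larger table, a shorter SYN_SENT timeout, and a slower scan profile.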