Re: [Openvas-discuss] empty reports with OpenVAS 9

2017-07-05 Thread Fábio Fernandes

> On 05/07/2017, at 12:52, Dave Holland wrote:
> 
> Hello Fabio,
> 
> thanks for your email. I confirmed that the OpenVAS machine does have
> ping/ssh connectivity to the test target. nmap is installed. It's
> version 7.01 which openvas-check-setup complains about; but I do see the
> spray of packets and replies when the test runs, so it seems to be
> functional.
> 
> In Configuration -> Scan Configs, "Full and very deep" is listed with 0
> families and 0 NVTs; but when I click into it, I see "53928 of 53943
> in selected families" so that seems OK.

Strange behavior but if it works. After the restart is the "Full and very deep" 
still listed with 0 families and 0 NVTs?

> 
> There was no openvassd.conf so I created /etc/openvas/openvassd.conf
> containing just "log_whole_attack = yes" and after restarting the
> scanner daemon, I'm now getting reports for vulnerabilities. Thanks!
> 
> Seems like that configuration file should have been created by the
> package installer if its presence is necessary?
> 

I’m not 100% sure but I think the scanner can run without this config but if 
its existence makes it work then you better leave it. Remember that logging 
the whole attack for lots of targets consumes a lot of space so be careful.



Fábio

> Cheers,
> Dave
> 
> 
> On Mon, Jul 03, 2017 at 08:00:13PM +0100, Fábio Fernandes wrote:
>> First check if you have connectivity to the host from the OpenVAS
>> Scanner machine (ping, telnet a known open port, etc.)
>> Then check if you have nmap installed.
>> If that is ok check if the NVTs installed are ok by checking how many
>> NVTs Full and very deep config is using on the Scan config menu.
>> If the number is between 4 and 5 then it is ok.
>> If that is ok then activate scan nvt execution logs by activating it
>> in the openvassd.conf (the path depends on the installation and
>> distro) and in the Full and very deep config. I think that for both
>> the option is log_whole_attack and check the results.
>> Fabio
>> 
>> On 03/07/2017 14:39, "Dave Holland" <[1]d...@sanger.ac.uk> wrote:
>> 
>>  I'm trying out OpenVAS 9 (on Ubuntu Xenial; installed from the
>>  PPA) and
>>  I can't get any reports out of it. When I run a scan, tcpdump
>>  shows
>>  packets going to/from the target machine, but the result is
>>  always:
>>  >> The report is empty. This can happen for the following reasons:
>>  >> The target hosts could be regarded dead.
>>  The target machine allows ping and has port 22 open. I've set the
>>  alive
>>  test to "ICMP ping" and "Consider alive", no difference in
>>  behaviour.
>>  I checked that redis has the "save 900 1" line commented out as
>>  suggested elsewhere in the mailing list archives; and redis is
>>  running
>>  OK.
>>  The openvassd.messages log messages show nothing obviously
>>  unusual:
>>  [Mon Jul  3 13:09:10 2017][4400] Starts a new scan. Target(s) :
>>  172.27.88.182, with max_hosts = 20 and max_checks = 4
>>  [Mon Jul  3 13:09:10 2017][4400] exclude_hosts: Skipped 0 host(s).
>>  [Mon Jul  3 13:09:10 2017][4400] source_iface: Using eth0
>>  (172.30.17.111 / fe80::8faf:6dcf:d449:fe9a).
>>  [Mon Jul  3 13:09:10 2017][4400] Testing 172.27.88.182
>>  (172.27.88.182) [4512]
>>  [Mon Jul  3 13:09:10 2017][4512] Finished testing 172.27.88.182.
>>  Time : 0.51 secs
>>  [Mon Jul  3 13:09:10 2017][4400] Test complete
>>  [Mon Jul  3 13:09:10 2017][4400] Total time to scan all hosts : 9
>>  seconds
>>  And openvasmd.log:
>>  event task:MESSAGE:2017-07-03 13h09.00 UTC:4399: Status of task
>>  172.27.88.182 full and very deep (8b0a210b-3fce-4efe-9a91-
>>  4ce48ee0b407) has changed to Requested
>>  event task:MESSAGE:2017-07-03 13h09.00 UTC:4399: Task
>>  172.27.88.182 full and very deep (8b0a210b-3fce-4efe-9a91-
>>  4ce48ee0b407) has been requested to start by admin
>>  md manage:   INFO:2017-07-03 13h09.01 UTC:4402:
>>  nvt_selector_plugins: NVTs not explicitly activated anymore for
>>  this config: 1.3.6.1.4.1.25623.1.0.10265;1.
>>  3.6.1.4.1.25623.1.0.103914;1.3.6.1.4.1.25623.1.0.103978;1.
>>  3.6.1.4.1.25623.1.0.95888;1.3.6.1.4.1.25623.1.0.12241;1.3.6.
>>  1.4.1.25623.1.0.11933;1.3.6.1.4.1.25623.1.0.103416;1.3.6.1.
>>  4.1.25623.1.0.12288;1.3.6.1.4.1.25623.1.0.80010;1.3.6.1.4.1.
>>  25623.1.0.810010;1.3.6.1.4.1.25623.1.0.10870;1.3.6.1.4.1.
>>  25623.1.0.80011;1.3.6.1.4.1.25623.1.0.103585;1.3.6.1.4.1.
>>  25623.1.0.103697;1.3.6.1.4.1.25623.1.0.100509;1.3.6.1.4.1.
>>  25623.1.0.80104;1.3.6.1.4.1.25623.1.0.80086;1.3.6.1.4.1.
>>  25623.1.0.900238;. Please adjust the config if you think this is
>>  wrong.
>>  event task:MESSAGE:2017-07-03 13h09.02 UTC:4402: Status of task
>>  172.27.88.182 full and very deep (8b0a210b-3fce-4efe-9a91-
>>  4ce48ee0b407) has changed to Running
>>  event task:MESSAGE:2017-07-03 13h09.11 UTC:4402: Status of task
>>  172.27.88.182 full and very deep (8b0a210b-3fce-4efe-9a91-
>>  4ce48ee0b407) has changed to Done
>>  What can I do to get more debug information? Or can anyone suggest
>>  a

Re: [Openvas-discuss] empty reports with OpenVAS 9

2017-07-05 Thread Dave Holland
Hello Fabio,

thanks for your email. I confirmed that the OpenVAS machine does have
ping/ssh connectivity to the test target. nmap is installed. It's
version 7.01 which openvas-check-setup complains about; but I do see the
spray of packets and replies when the test runs, so it seems to be
functional.

In Configuration -> Scan Configs, "Full and very deep" is listed with 0
families and 0 NVTs; but when I click into it, I see "53928 of 53943
in selected families" so that seems OK.

There was no openvassd.conf so I created /etc/openvas/openvassd.conf
containing just "log_whole_attack = yes" and after restarting the
scanner daemon, I'm now getting reports for vulnerabilities. Thanks!

Seems like that configuration file should have been created by the
package installer if its presence is necessary?

Cheers,
Dave


On Mon, Jul 03, 2017 at 08:00:13PM +0100, Fábio Fernandes wrote:
> First check if you have connectivity to the host from the OpenVAS
> Scanner machine (ping, telnet a known open port, etc.)
> Then check if you have nmap installed.
> If that is ok check if the NVTs installed are ok by checking how many
> NVTs Full and very deep config is using on the Scan config menu.
> If the number is between 4 and 5 then it is ok.
> If that is ok then activate scan nvt execution logs by activating it
> in the openvassd.conf (the path depends on the installation and
> distro) and in the Full and very deep config. I think that for both
> the option is log_whole_attack and check the results.
> Fabio
> 
> On 03/07/2017 14:39, "Dave Holland" <[1]d...@sanger.ac.uk> wrote:
> 
>   I'm trying out OpenVAS 9 (on Ubuntu Xenial; installed from the
>   PPA) and
>   I can't get any reports out of it. When I run a scan, tcpdump
>   shows
>   packets going to/from the target machine, but the result is
>   always:
>   >> The report is empty. This can happen for the following reasons:
>   >> The target hosts could be regarded dead.
>   The target machine allows ping and has port 22 open. I've set the
>   alive
>   test to "ICMP ping" and "Consider alive", no difference in
>   behaviour.
>   I checked that redis has the "save 900 1" line commented out as
>   suggested elsewhere in the mailing list archives; and redis is
>   running
>   OK.
>   The openvassd.messages log messages show nothing obviously
>   unusual:
>   [Mon Jul  3 13:09:10 2017][4400] Starts a new scan. Target(s) :
>   172.27.88.182, with max_hosts = 20 and max_checks = 4
>   [Mon Jul  3 13:09:10 2017][4400] exclude_hosts: Skipped 0 host(s).
>   [Mon Jul  3 13:09:10 2017][4400] source_iface: Using eth0
>   (172.30.17.111 / fe80::8faf:6dcf:d449:fe9a).
>   [Mon Jul  3 13:09:10 2017][4400] Testing 172.27.88.182
>   (172.27.88.182) [4512]
>   [Mon Jul  3 13:09:10 2017][4512] Finished testing 172.27.88.182.
>   Time : 0.51 secs
>   [Mon Jul  3 13:09:10 2017][4400] Test complete
>   [Mon Jul  3 13:09:10 2017][4400] Total time to scan all hosts : 9
>   seconds
>   And openvasmd.log:
>   event task:MESSAGE:2017-07-03 13h09.00 UTC:4399: Status of task
>   172.27.88.182 full and very deep (8b0a210b-3fce-4efe-9a91-
>   4ce48ee0b407) has changed to Requested
>   event task:MESSAGE:2017-07-03 13h09.00 UTC:4399: Task
>   172.27.88.182 full and very deep (8b0a210b-3fce-4efe-9a91-
>   4ce48ee0b407) has been requested to start by admin
>   md manage:   INFO:2017-07-03 13h09.01 UTC:4402:
>   nvt_selector_plugins: NVTs not explicitly activated anymore for
>   this config: 1.3.6.1.4.1.25623.1.0.10265;1.
>   3.6.1.4.1.25623.1.0.103914;1.3.6.1.4.1.25623.1.0.103978;1.
>   3.6.1.4.1.25623.1.0.95888;1.3.6.1.4.1.25623.1.0.12241;1.3.6.
>   1.4.1.25623.1.0.11933;1.3.6.1.4.1.25623.1.0.103416;1.3.6.1.
>   4.1.25623.1.0.12288;1.3.6.1.4.1.25623.1.0.80010;1.3.6.1.4.1.
>   25623.1.0.810010;1.3.6.1.4.1.25623.1.0.10870;1.3.6.1.4.1.
>   25623.1.0.80011;1.3.6.1.4.1.25623.1.0.103585;1.3.6.1.4.1.
>   25623.1.0.103697;1.3.6.1.4.1.25623.1.0.100509;1.3.6.1.4.1.
>   25623.1.0.80104;1.3.6.1.4.1.25623.1.0.80086;1.3.6.1.4.1.
>   25623.1.0.900238;. Please adjust the config if you think this is
>   wrong.
>   event task:MESSAGE:2017-07-03 13h09.02 UTC:4402: Status of task
>   172.27.88.182 full and very deep (8b0a210b-3fce-4efe-9a91-
>   4ce48ee0b407) has changed to Running
>   event task:MESSAGE:2017-07-03 13h09.11 UTC:4402: Status of task
>   172.27.88.182 full and very deep (8b0a210b-3fce-4efe-9a91-
>   4ce48ee0b407) has changed to Done
>   What can I do to get more debug information? Or can anyone suggest
>   a
>   cause?
>   thanks,
>   Dave
>   --
>   ** Dave Holland ** Systems Support -- Informatics Systems Group **
>   ** 01223 496923 ** The Sanger Institute, Hinxton, Cambridge, UK **
>   --
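The checklist Fábio gives above (config file present with log_whole_attack enabled, then look at the scanner log) can be scripted as a small triage pass. This is an added example, not OpenVAS code or anything from the thread; the /etc/openvas path and the log line format follow the thread and the sample lines are constructed.

```shell
#!/bin/sh
# Preflight triage for the "report is empty / target regarded dead" symptom.
# Added example; paths follow the Ubuntu PPA layout mentioned in the thread
# and are assumptions, not something OpenVAS guarantees.

# 1. Is openvassd.conf present and is per-NVT logging switched on?
#    Returns 0 only if the file exists and has an active "log_whole_attack = yes".
check_log_whole_attack() {
    conf="${1:-/etc/openvas/openvassd.conf}"
    [ -f "$conf" ] || { echo "missing config: $conf" >&2; return 1; }
    grep -Eq '^[[:space:]]*log_whole_attack[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$conf"
}

# 2. Read openvassd.messages and flag hosts that "finished" implausibly fast.
#    A "Full and very deep" scan finishing in 0.51 s means almost no NVTs ran,
#    which is exactly the pattern in the posted log.
#    Prints "host secs" per hit; returns 1 if any host fell under the limit.
short_scans() {
    log="$1"; limit="${2:-5}"
    awk -v lim="$limit" '
        /Finished testing/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "testing") { host = $(i + 1); sub(/\.$/, "", host) }
                if ($i == "Time")    { secs = $(i + 2) }
            }
            if (secs + 0 < lim + 0) { print host, secs; hits++ }
        }
        END { exit hits ? 1 : 0 }' "$log"
}

# Constructed sample input, shaped like the log lines posted in the thread.
tmp="${TMPDIR:-/tmp}/openvas-triage.$$"
mkdir -p "$tmp"
cat > "$tmp/openvassd.messages" <<'EOF'
[Mon Jul  3 13:09:10 2017][4400] Testing 172.27.88.182 (172.27.88.182) [4512]
[Mon Jul  3 13:09:10 2017][4512] Finished testing 172.27.88.182. Time : 0.51 secs
[Mon Jul  3 13:20:44 2017][4600] Finished testing 192.0.2.10. Time : 312.07 secs
EOF
printf 'log_whole_attack = yes\n' > "$tmp/openvassd.conf"

check_log_whole_attack "$tmp/openvassd.conf" && echo "log_whole_attack enabled"
short_scans "$tmp/openvassd.messages" 5 || echo "one or more hosts finished suspiciously fast"
```

Point the two functions at the real /etc/openvas/openvassd.conf and /var/log/openvas/openvassd.messages after a scan to reproduce the thread's diagnosis.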