Re: [Openvas-discuss] Is too much power disruptive?

2018-04-27 Thread Peter Collins 
On Thu, Apr 26, 2018 at 11:09 AM, Louis Bohm  wrote:

> I honesty do not remember all I remember is that it runs on Linux hosts
> and does a directory scan of either /opt or maybe it was /var/www.
>
> When I looked at the NVTs in that group they all were looking for older
> software then what we were using on Centos 6 so I disabled the entire group.
>
> Louis
> :
> Louis Bohm - Sr. Systems Engineer
> Dell TechDirect Certified
>
> > On Apr 26, 2018, at 12:22 PM, Alex Smirnoff  wrote:
> >
> > Just out of the curiosity, which NVT was that?
> >
> > On Thu, Apr 26, 2018 at 06:40:03AM -0400, Louis Bohm wrote:
> >>
> >> I have only once encountered a case where the endpoint even noticed the
> scan.  And that in itself was a total fluke that I was even alerted to it.
> One of the NVT checks actually caused such a load on the drives that it
> paused the server for 1 minute.  I only found out because some one was
> giving a demo on one of the hosts being tested at the time and saw the Java
> web page completly stop.  After 2 minutes they were back with no issue, no
> data loss.
> >>
> >> Now that I have stripped that NVT check out no one notices the scans at
> all on the end point.  My end point are running a Java front end with a
> mysql back end and can sometimes hit high loads just on their own
> processing.  But still the scans incur far more network traffic then then
> anything else.
> >>
> >
>
>
Thanks everyone. This information is helpful. I failed to note that the
issue I'm trying to address is slow scanning rate. Jobs taking too long.

Regards

Peter
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Is too much power disruptive?

2018-04-26 Thread Louis Bohm 
I honesty do not remember all I remember is that it runs on Linux hosts and 
does a directory scan of either /opt or maybe it was /var/www.  

When I looked at the NVTs in that group they all were looking for older 
software then what we were using on Centos 6 so I disabled the entire group.

Louis
:
Louis Bohm - Sr. Systems Engineer
Dell TechDirect Certified

> On Apr 26, 2018, at 12:22 PM, Alex Smirnoff  wrote:
> 
> Just out of the curiosity, which NVT was that?
> 
> On Thu, Apr 26, 2018 at 06:40:03AM -0400, Louis Bohm wrote:
>> 
>> I have only once encountered a case where the endpoint even noticed the 
>> scan.  And that in itself was a total fluke that I was even alerted to it.  
>> One of the NVT checks actually caused such a load on the drives that it 
>> paused the server for 1 minute.  I only found out because some one was 
>> giving a demo on one of the hosts being tested at the time and saw the Java 
>> web page completly stop.  After 2 minutes they were back with no issue, no 
>> data loss.
>> 
>> Now that I have stripped that NVT check out no one notices the scans at all 
>> on the end point.  My end point are running a Java front end with a mysql 
>> back end and can sometimes hit high loads just on their own processing.  But 
>> still the scans incur far more network traffic then then anything else.
>> 
> 

___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Is too much power disruptive?

2018-04-26 Thread Alex Smirnoff 
Just out of the curiosity, which NVT was that?

On Thu, Apr 26, 2018 at 06:40:03AM -0400, Louis Bohm wrote:
> 
> I have only once encountered a case where the endpoint even noticed the scan. 
>  And that in itself was a total fluke that I was even alerted to it.  One of 
> the NVT checks actually caused such a load on the drives that it paused the 
> server for 1 minute.  I only found out because some one was giving a demo on 
> one of the hosts being tested at the time and saw the Java web page completly 
> stop.  After 2 minutes they were back with no issue, no data loss.
> 
> Now that I have stripped that NVT check out no one notices the scans at all 
> on the end point.  My end point are running a Java front end with a mysql 
> back end and can sometimes hit high loads just on their own processing.  But 
> still the scans incur far more network traffic then then anything else.
> 

___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Is too much power disruptive?

2018-04-26 Thread Christian Fischer 
Hi,

On 26.04.2018 11:16, Thijs Stuurman wrote:
> (I always have the feeling my Nessus scanner performs the same tests
way faster and with a lot less CPU stress)

to have some sort of comparable numbers / data here you would need to
enable CGI Scanning and Throughout Tests in Nessus if not already done.

In OpenVAS CGI Scanning is enabled by default and the Throughout Test
was removed some time ago and all plugins are "Throughout". But IIRC
both are disabled by default in Nessus.

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Is too much power disruptive?

2018-04-26 Thread Louis Bohm 
My master has 8vCPUs and 8GB RAM and I am always pushing it to the max.  My 
concurrent NVTs is set to 5 while my concurrent hosts is set to 20.  When I say 
I regularly push it to the max I mean I see loads on the host between 10 and 30 
for a few hours at a time.

My slaves are setup with similar specs and they get pushed to similar loads.

I have only once encountered a case where the endpoint even noticed the scan.  
And that in itself was a total fluke that I was even alerted to it.  One of the 
NVT checks actually caused such a load on the drives that it paused the server 
for 1 minute.  I only found out because some one was giving a demo on one of 
the hosts being tested at the time and saw the Java web page completly stop.  
After 2 minutes they were back with no issue, no data loss.

Now that I have stripped that NVT check out no one notices the scans at all on 
the end point.  My end point are running a Java front end with a mysql back end 
and can sometimes hit high loads just on their own processing.  But still the 
scans incur far more network traffic then then anything else.

The moral of the story is make your scanner as beefy as you can afford.  Then 
drop the number of concurrent tests per host down as low as you can to make the 
scans as un-noticable as possible.  But increase the number of concurrent hosts 
as high as you can so long as you are not freaking out your network team.

Louis
:
Louis Bohm - Sr. Systems Engineer
Dell TechDirect Certified

> On Apr 26, 2018, at 5:20 AM, Roger Davies  wrote:
> 
> Hi Peter
> 
> You will need to adjust the concurrent NVTs parameter to best suit your 
> client machines, but with the extra CPU on the server, you can scan more 
> targets concurrently, so the whole scan will complete quicker. 
> 
> So, set the "Maximum concurrently executed NVTs per host" to a nice low 
> figure to best suit the clients, but set the "Maximum concurrently scanned 
> hosts" to 20 or more (only really affects the server), see how the server 
> load reacts and adjust down/up accordingly. 
> 
> Roger
> 
> 
> 
> On 25 April 2018 at 21:16, Peter Collins  > wrote:
> I'm currently scanning on a 4-core vm with 4gm ram, in Virtualbox on a 
> laptop, within OSSIM. Traffic average during a scan is about 4kB/s 
> (kiloBYTES). Network pipe is not the bottleneck. It can provide 20mb/s 
> (megaBITS) easily. If I get a 12-core/24-thread server with SSD and 32G ram, 
> will the scans go faster, all settings being the same? And, will it hammer on 
> the targets too hard and disrupt them?
> 
> thanks
> 
> Peter
> 
> (please no asshat questions about bytes and bits. I have indicated clearly)
> 
> ___
> Openvas-discuss mailing list
> Openvas-discuss@wald.intevation.org 
> 
> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss 
> 
> 
> 
> 
> ___
> Openvas-discuss mailing list
> Openvas-discuss@wald.intevation.org
> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Is too much power disruptive?

2018-04-26 Thread Roger Davies 
Hi Peter

You will need to adjust the concurrent NVTs parameter to best suit your
client machines, but with the extra CPU on the server, you can scan more
targets concurrently, so the whole scan will complete quicker.

So, set the "Maximum concurrently executed NVTs per host" to a nice low
figure to best suit the clients, but set the "Maximum concurrently scanned
hosts" to 20 or more (only really affects the server), see how the server
load reacts and adjust down/up accordingly.

Roger



On 25 April 2018 at 21:16, Peter Collins  wrote:

> I'm currently scanning on a 4-core vm with 4gm ram, in Virtualbox on a
> laptop, within OSSIM. Traffic average during a scan is about 4kB/s
> (kiloBYTES). Network pipe is not the bottleneck. It can provide 20mb/s
> (megaBITS) easily. If I get a 12-core/24-thread server with SSD and 32G
> ram, will the scans go faster, all settings being the same? And, will it
> hammer on the targets too hard and disrupt them?
>
> thanks
>
> Peter
>
> (please no asshat questions about bytes and bits. I have indicated clearly)
>
> ___
> Openvas-discuss mailing list
> Openvas-discuss@wald.intevation.org
> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
>
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Is too much power disruptive?

2018-04-26 Thread Thijs Stuurman 
I don't think the SSD or RAM will do much, it's the concurrent threads that 
will help.
Somehow my OpenVAS machines use quite a bit of CPU per NVT test which makes me 
limit my 4 core slaves to 2 tasks at once.
Not all tasks are the same of course, when there is no web service running the 
amount of tests being executed is a lot less.

(I always have the feeling my Nessus scanner performs the same tests way faster 
and with a lot less CPU stress)


Thijs Stuurman
Security Operations Center | KPN Internedservices B.V.
thijs.stuur...@internedservices.nl | thijs.stuur...@kpn.com
T: +31(0)299476185 | M: +31(0)624366778
PGP Key-ID: 0x16ADC048 (https://pgp.surfnet.nl/)
Fingerprint: 2EDB 9B42 D6E8 7D4B 6E02 8BE5 6D46 8007 16AD C048

W: https://www.internedservices.nl | L: https://nl.linkedin.com/in/thijsstuurman


-Oorspronkelijk bericht-
Van: Openvas-discuss  Namens 
Reindl Harald
Verzonden: donderdag 26 april 2018 11:02
Aan: openvas-discuss@wald.intevation.org
Onderwerp: Re: [Openvas-discuss] Is too much power disruptive?


Am 25.04.2018 um 22:16 schrieb Peter Collins:
> I'm currently scanning on a 4-core vm with 4gm ram, in Virtualbox on a 
> laptop, within OSSIM. Traffic average during a scan is about 4kB/s 
> (kiloBYTES). Network pipe is not the bottleneck. It can provide 20mb/s
> (megaBITS) easily. If I get a 12-core/24-thread server with SSD and 
> 32G ram, will the scans go faster, all settings being the same? And, 
> will it hammer on the targets too hard and disrupt them?

as both sides and a ton of params are involved it won't be magically faster 
unless you raise the number of concurrent NVT's and if a simple security scan 
will disrupt the target you have bigger problems at all

"please no asshat questions about bytes and bits. I have indicated clearly" 
which is pretty idiotic when you just could wirte it correct from the start and 
"4gm ram" is nosense at all ___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Is too much power disruptive?

2018-04-26 Thread Reindl Harald 

Am 25.04.2018 um 22:16 schrieb Peter Collins:
> I'm currently scanning on a 4-core vm with 4gm ram, in Virtualbox on a
> laptop, within OSSIM. Traffic average during a scan is about 4kB/s
> (kiloBYTES). Network pipe is not the bottleneck. It can provide 20mb/s
> (megaBITS) easily. If I get a 12-core/24-thread server with SSD and 32G
> ram, will the scans go faster, all settings being the same? And, will it
> hammer on the targets too hard and disrupt them?

as both sides and a ton of params are involved it won't be magically
faster unless you raise the number of concurrent NVT's and if a simple
security scan will disrupt the target you have bigger problems at all

"please no asshat questions about bytes and bits. I have indicated
clearly" which is pretty idiotic when you just could wirte it correct
from the start and "4gm ram" is nosense at all
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

[Openvas-discuss] Is too much power disruptive?

2018-04-25 Thread Peter Collins 
I'm currently scanning on a 4-core vm with 4gm ram, in Virtualbox on a
laptop, within OSSIM. Traffic average during a scan is about 4kB/s
(kiloBYTES). Network pipe is not the bottleneck. It can provide 20mb/s
(megaBITS) easily. If I get a 12-core/24-thread server with SSD and 32G
ram, will the scans go faster, all settings being the same? And, will it
hammer on the targets too hard and disrupt them?

thanks

Peter

(please no asshat questions about bytes and bits. I have indicated clearly)
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss