Mailing List Archive

[Database-devel] Issue with nessus sql in 2.2.4
Javier,

I added your latest db patch to nessus 2.2.4 which compiled fine.

Whenever I start nessusd the first nessus scan seems to hang. In the db
I get a single entry for a new session indicating that the scan started
but with a NULL endtime (which is ok at this stage ;)

The nessus client doesn't even show any indicator of portscan or check.

In this stage nessus.messages states:
[Sat Jul 2 19:04:31 2005][6857] nessusd 2.2.4. started
[Sat Jul 2 19:05:35 2005][6857] connection from 127.0.0.1
[Sat Jul 2 19:05:35 2005][6865] Client requested protocol version 12.
[Sat Jul 2 19:05:35 2005][6865] successful login of root from 127.0.0.1
[Sat Jul 2 19:06:09 2005][6865] Redirecting debugging output to
/var/nessus/logs/nessusd.dump
[Sat Jul 2 19:07:04 2005][6865] MYSQL : connected to DB host: localhost
[Sat Jul 2 19:07:04 2005][6865] Error ! max_hosts = 0 -- check
/etc/nessus/nessusd.conf
[Sat Jul 2 19:07:04 2005][6865] user root starts a new scan. Target(s)
: 192.168.2.1, with max_hosts = 5 and max_checks = 10
[Sat Jul 2 19:07:04 2005][6865] user root : testing 192.168.2.1
(192.168.2.1) [6868]
[Sat Jul 2 19:07:04 2005][6868] SQL : find by name: "router"

Nothing more.
Then when I kill the corresponding nessusd process the session table is
updated and some additional entries in nessusd.messages are logged:
[Sat Jul 2 19:16:44 2005][6865] user root : test complete
[Sat Jul 2 19:16:44 2005][6865] DATABASE: closed DB connection
[Sat Jul 2 19:16:44 2005][6865] user root : Kept alive connection

Further scans are no longer logged to the db, and nessusd.messages states:
[Sat Jul 2 19:18:21 2005][6920] DATABASE: can't add host, no DB connection

Nothing's written to the db but from now the scan is run (showing
indicators for portscan and checks as expected).

My setup is:
Fedora Core 3
mysql-3.23.58-16.FC3.1
kernel 2.6.11-1.14_FC3smp on a P4 with HT enabled

Any idea?

Thanks,
Sandro
--
"Linux is like a wigwam: no windows, no gates ... apache inside!"

http://www.lug-burghausen.org/
Re: [Database-devel] Issue with nessus sql in 2.2.4/2.2.5 - solved
Javier,

after lots of debugging and searching the web I think I found the issue:

nessusd uses fork() to create various processes for handling scans.
Within these processes your db code always uses the same connection from
different processes, which is said not to be the "clean" way (see e.g.
http://www.issociate.de/board/post/9207/DBD::mysql_fork()_problem.html
although this is not C related, it fits anyway ;)

My code adds overhead of opening and closing a db connection for each
scan, but this - at least for me ;) - is acceptable.

The changes have been primarily made (and tested) for the mysql code so
postgresql has to be reviewed and patched accordingly.

To optimize that, one could find a better solution by checking for
parent/child process and opening/closing the connection only where really
needed and not every time.

Additionally I did:
- corrected arg_set_value length parameters: Use real length instead of type
- added some missing frees in database.c

Find attached my patch to your distributed diff.

Setup tested with the following versions:
Fedora Core 4
Nessus 2.2.5
kernel-2.6.12-1.1398_FC4smp on a P4 with HT enabled
mysql-4.1.12-2.FC4.1

Regards,
Sandro

--
"Linux is like a wigwam: no windows, no gates ... apache inside!"

http://www.lug-burghausen.org/
Re: [Database-devel] Issue with nessus sql in 2.2.4/2.2.5 - solved
Sandro Poppi wrote:

> Javier,
>
> after lots of debugging and searching the web I think I found the issue:
>
> nessusd uses fork() to create various processes for handling scans.
> Within these processes your db code uses always the same connection from
> different processes which is said not to be the "clean" way (see e.g.
> http://www.issociate.de/board/post/9207/DBD::mysql_fork()_problem.html
> although this is not C related it fits anyway ;)

An overall better way to handle this is to fork out a "db-writer"
process _before_ any scanning is started, and then use shared memory, or
some other messaging technique to send the results to the db-writer for
processing. This also paves the way for messages to be queued up and
even temporarily stored to disk, should there be any problems preventing
the db-writer from offloading the results to the database.

--
Jan Fredrik Leversund
Phalanx Security Services
Re: [Database-devel] Issue with nessus sql in 2.2.4/2.2.5 - solved
Err, I should probably have mentioned that said db-writer should
establish the database connection only _after_ it's been forked from the
parent process, to keep things clean.

--
Jan Fredrik Leversund
Phalanx Security Services