Nessus v3.2.1 (Win32) stops scans early
Hello,

I'm running a Nessus v3.2.1 server on Windows 2003 Server and using the NessConnect v1.0.1 client.

I'm noticing that when I specify particularly long lists of IPs to scan or any sizable CIDRs, it will stop scanning after somewhere around 300-400 hosts.

The logs don't indicate any problems and indicate the scan finished normally.

As an example, I ran a scan last night on 192.168.0.0/16. The scan ran for 1 hr 56 mins but only finished hosts 192.168.0.1 - 192.168.1.208; hosts 209-212 were initiated but never completed. I was only scanning w/ 2 plugins (Ping the remote host [ARP/TCP/ICMP] & SYN Scan).

The server.log shows:

[Tue Aug 12 16:46:14 2008][2636] 23117 plugins loaded
[Tue Aug 12 16:46:15 2008][2636] Nessus Service started
[Tue Aug 12 16:47:40 2008][2636] Successful login of rdrake from 10.10.1.84
[Tue Aug 12 17:01:03 2008][2636] user rdrake starts a new scan. Target(s) : 192.168.0.0/16, with max_hosts = 10, max_checks = 5 and safe_checks = yes
[Tue Aug 12 18:57:55 2008][2636] user rdrake : test of 192.168.0.0/16 completed

The last 25 lines of the scan.log show:

[Tue Aug 12 18:55:21 2008][2444] Finished testing 192.168.1.196. Time : 148.639 secs, 16 plugins launched
[Tue Aug 12 18:55:21 2008][2444] Finished testing 192.168.1.198. Time : 147.983 secs, 16 plugins launched
[Tue Aug 12 18:55:21 2008][2444] Finished testing 192.168.1.195. Time : 148.514 secs, 16 plugins launched
[Tue Aug 12 18:55:21 2008][2444] Scan 192.168.1.201 using 2 plugins
[Tue Aug 12 18:55:21 2008][2444] user rdrake : testing 192.168.1.203 (192.168.1.203) [2444]
[Tue Aug 12 18:55:22 2008][2444] user rdrake : testing 192.168.1.205 (192.168.1.205) [2444]
[Tue Aug 12 18:55:22 2008][2444] Finished testing 192.168.1.197. Time : 149.124 secs, 16 plugins launched
[Tue Aug 12 18:55:22 2008][2444] user rdrake : testing 192.168.1.207 (192.168.1.207) [2444]
[Tue Aug 12 18:55:22 2008][2444] Scan 192.168.1.204 using 2 plugins
[Tue Aug 12 18:55:22 2008][2444] user rdrake : testing 192.168.1.206 (192.168.1.206) [2444]
[Tue Aug 12 18:55:22 2008][2444] Scan 192.168.1.203 using 2 plugins
[Tue Aug 12 18:55:22 2008][2444] user rdrake : testing 192.168.1.208 (192.168.1.208) [2444]
[Tue Aug 12 18:55:22 2008][2444] Scan 192.168.1.207 using 2 plugins
[Tue Aug 12 18:55:23 2008][2444] Scan 192.168.1.205 using 2 plugins
[Tue Aug 12 18:55:23 2008][2444] Scan 192.168.1.208 using 2 plugins
[Tue Aug 12 18:55:23 2008][2444] Scan 192.168.1.206 using 2 plugins
[Tue Aug 12 18:57:04 2008][2444] Finished testing 192.168.1.199. Time : 237.779 secs, 16 plugins launched
[Tue Aug 12 18:57:04 2008][2444] user rdrake : testing 192.168.1.209 (192.168.1.209) [2444]
[Tue Aug 12 18:57:04 2008][2444] Scan 192.168.1.209 using 2 plugins
[Tue Aug 12 18:57:51 2008][2444] Finished testing 192.168.1.202. Time : 150.155 secs, 16 plugins launched
[Tue Aug 12 18:57:51 2008][2444] Finished testing 192.168.1.204. Time : 150.155 secs, 16 plugins launched
[Tue Aug 12 18:57:51 2008][2444] Finished testing 192.168.1.200. Time : 150.717 secs, 16 plugins launched
[Tue Aug 12 18:57:51 2008][2444] user rdrake : testing 192.168.1.210 (192.168.1.210) [2444]
[Tue Aug 12 18:57:51 2008][2444] user rdrake : testing 192.168.1.212 (192.168.1.212) [2444]
[Tue Aug 12 18:57:51 2008][2444] user rdrake : testing 192.168.1.211 (192.168.1.211) [2444]

When I look at the Application Event log I see this around the same time as the last entry:

Source: DrWatson
Event ID: 4097

The application, C:\Program Files\Tenable\Nessus\scan.exe, generated an application error The error occurred on 08/12/2008 @ 18:57:55.089 The exception generated was c0000005 at address 7C81BD02 (ntdll!ExpInterlockedPopEntrySListFault)

What's causing the scan to just die? This has been rather frustrating and prevents me from making practical use of Nessus for scanning my network.

Thanks,
RD



_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
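
Added example, not part of the original post and not Tenable code: because server.log reports the scan as "completed" even though scan.exe faulted, a check has to reconcile scan.log against the requested target range instead. The sketch below parses the two scan.log line shapes quoted in the post; the function name, the returned field names, and the assumption that network and broadcast addresses are not scanned are choices made for this example.

```python
import ipaddress
import re

# Line shapes taken from the scan.log excerpt in the post.
STARTED = re.compile(r"\] user \S+ : testing (\d+\.\d+\.\d+\.\d+) ")
FINISHED = re.compile(r"\] Finished testing (\d+\.\d+\.\d+\.\d+)\. ")

def scan_coverage(log_lines, target_cidr):
    """Reconcile hosts seen in scan.log with the requested target range."""
    started, finished = set(), set()
    for line in log_lines:
        m = FINISHED.search(line)
        if m:
            finished.add(ipaddress.ip_address(m.group(1)))
            continue
        m = STARTED.search(line)
        if m:
            started.add(ipaddress.ip_address(m.group(1)))
    net = ipaddress.ip_network(target_cidr)
    # Assumption: network and broadcast addresses are not scan targets.
    expected = net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses
    seen = {ip for ip in started | finished if ip in net}
    return {
        "expected_hosts": expected,
        "hosts_seen": len(seen),
        "never_started": max(0, expected - len(seen)),
        # Hosts with a "testing" line but no "Finished testing" line.
        "started_not_finished": [str(ip) for ip in sorted(started - finished)],
        "last_host_seen": str(max(seen)) if seen else None,
    }

# Sample input: a few of the final scan.log lines quoted in the post.
SAMPLE_LOG = [
    "[Tue Aug 12 18:57:04 2008][2444] Finished testing 192.168.1.199. Time : 237.779 secs, 16 plugins launched",
    "[Tue Aug 12 18:57:04 2008][2444] user rdrake : testing 192.168.1.209 (192.168.1.209) [2444]",
    "[Tue Aug 12 18:57:04 2008][2444] Scan 192.168.1.209 using 2 plugins",
    "[Tue Aug 12 18:57:51 2008][2444] Finished testing 192.168.1.202. Time : 150.155 secs, 16 plugins launched",
    "[Tue Aug 12 18:57:51 2008][2444] user rdrake : testing 192.168.1.210 (192.168.1.210) [2444]",
    "[Tue Aug 12 18:57:51 2008][2444] user rdrake : testing 192.168.1.212 (192.168.1.212) [2444]",
    "[Tue Aug 12 18:57:51 2008][2444] user rdrake : testing 192.168.1.211 (192.168.1.211) [2444]",
]

if __name__ == "__main__":
    for key, value in scan_coverage(SAMPLE_LOG, "192.168.0.0/16").items():
        print(f"{key}: {value}")
```

Run against the full scan.log, a non-empty `started_not_finished` list or a large `never_started` count flags a scan that ended before covering its target range.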