Mailing List Archive

better timeout values for WAN-based scans?
Now that nessus has gone fully commercial, we've had to reduce the
number of Nessus installs we have - and now have to scan networks
remotely over slow WAN links. :-(

I'm now getting a lot of problems with "poor" reports. e.g. Nessus
running with full local admin privs no longer "seeing" what remote
services and software are installed on the remote PC - and therefore
misreports the AV status, patches missing, etc. If I run the same scan a
second/third time, it might actually work 100% - it all comes down to
timeouts/etc.

So: which of the timeout options should I look at increasing?
"checks_read_timeout"? "Services[entry]:Network connection timeout"?
What about "plugins_timeout"? What if it takes 4 minutes to completely
enumerate the services installed on the remote PC?

Also, I am assuming this is a timeout problem. Should the failure to get
enumeration of software and services on a remote PC (with full admin
privs, and lots of evidence the process works in general) show up as
failures in nessusd.messages? I've looked through there and cannot find
"timed", "killed" and I'd expect to.

This is with nessus-3.2.1 under RHE4

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
Re: better timeout values for WAN-based scans?
On Thursday 21 August 2008 02:33:31 Jason Haar wrote:
> So: which of the timeout options should I look at increasing?
> "checks_read_timeout"?

This will affect all network connections. You should increase it on a slow
WAN. Keep in mind that the value in nessusd.conf is only a default, and that
it may be overridden by the client (from your .nessusrc or your Nessus XML
policy).

> "Services[entry]:Network connection timeout"?

This only affects find_service.nasl. There is a second timeout (for read).
Use the same value as checks_read_timeout or greater.
You may also reduce the parallelism here.

> What about "plugins_timeout"? What if it takes 4 minutes to completely
> enumerate the services installed on the remote PC?

Unless your machine is real slow, increasing it is not necessary.

> Also, I am assuming this is a timeout problem.

If you are running several scans on the same slow link, it may be overloaded.
In that case, decrease the parallelism (max_checks & max_hosts). The TCP scan
can kill a slow link. Reduce the port range if possible (e.g. use "default"
rather than "1-65535").
If you are using nessus_tcp_scanner, and if your machines are not firewalled,
disable the "Firewall detection".
You can also play with the hidden option nessus_tcp_scanner.micro_timeout; try
setting it to 300 µs (in nessusd.conf or .nessusrc...)
nessus_tcp_scanner.micro_timeout=300

Re: better timeout values for WAN-based scans?
On Aug 21, 2008, at 1:32 PM, Michel Arboi wrote:

>
> You can also play with the hidden option
> nessus_tcp_scanner.micro_timeout; try
> setting it to 300 µs (in nessusd.conf or .nessusrc...)
> nessus_tcp_scanner.micro_timeout=300

Two other options to set in your nessusrc file (or nessusd.conf):


use_kernel_congestion_detection = yes
reduce_connections_on_congestion = yes


-- Renaud


Re: better timeout values for WAN-based scans?
Renaud Deraison wrote:
>
> use_kernel_congestion_detection = yes
> reduce_connections_on_congestion = yes
>
>
Sorry - I forgot to mention I don't think this is a congestion problem.
This is a "lite" scan - just hitting the NetBIOS ports and doing
Registry and WMI checks. So I don't think it's generating a lot of
traffic (but what would I know?). But I am getting this issue where a
given remote LAN now produces a report containing a mixture of
"untrustworthy" host data and "good" host data - even though all the
hosts are in the same domain, etc.

I've just checked the nessus.messages file again - and I am actually
getting "killing" errors (some webpage on Google told me to look for
"killed" - but I should have been looking for "killing"). They are all
against smb_hotfixes.nasl

e.g.

[Thu Aug 21 20:34:49 2008][19296] user apache : launching
smb_hotfixes.nasl against 10.1.82.45 [73]
[Thu Aug 21 20:41:50 2008][19296] smb_hotfixes.nasl (pid 73) is slow to
finish - killing it
[Thu Aug 21 20:41:50 2008][19296] user apache : launching
smb_nt_ms04-008.nasl against 10.1.82.45 [74]

That's a seven minute timeout - that's quite long. Hmmm, the remote site
this scan is to do with is a T1 low-latency (US to US) link - this can't
be congestion or WAN delays...?

Any other ideas? Now I'm thinking this isn't a network problem, but
rather that some machines are in "a weird state"? I have just
successfully (under Windows) used "Manage Computer" and a WMI tool
against this box - so as far as Windows is concerned, it is "perfectly
fine". This is now sounding like Nessus isn't doing the same tricks
Windows can do - and is basically failing against some boxes?

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
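
Added example (not part of the original thread and not Nessus code): a Python script that pairs each "launching" entry in nessusd.messages with a later "is slow to finish - killing it" entry, reporting which plugin was killed, on which host, and after how long. The sample log is built from the lines quoted above plus one made-up entry for 10.1.82.46; treating the bracketed number on the launch line as the "pid" on the kill line is an assumption drawn from those quoted lines.

```python
import re
from datetime import datetime

# Constructed sample: the first three entries are the lines quoted in the
# post (unwrapped); the last one, for 10.1.82.46, is made up.
SAMPLE_LOG = """\
[Thu Aug 21 20:34:49 2008][19296] user apache : launching smb_hotfixes.nasl against 10.1.82.45 [73]
[Thu Aug 21 20:41:50 2008][19296] smb_hotfixes.nasl (pid 73) is slow to finish - killing it
[Thu Aug 21 20:41:50 2008][19296] user apache : launching smb_nt_ms04-008.nasl against 10.1.82.45 [74]
[Thu Aug 21 20:42:03 2008][19296] user apache : launching smb_hotfixes.nasl against 10.1.82.46 [75]
"""

PREFIX = r"\[(?P<ts>[^\]]+)\]\[(?P<proc>\d+)\] "
LAUNCH = re.compile(PREFIX + r"user \S+ : launching (?P<plugin>\S+) "
                             r"against (?P<host>\S+) \[(?P<pid>\d+)\]$")
KILL = re.compile(PREFIX + r"(?P<plugin>\S+) \(pid (?P<pid>\d+)\) "
                           r"is slow to finish - killing it$")

def parse_ts(text):
    # Timestamp format as it appears in the quoted log lines.
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Y")

def killed_plugins(log_text):
    """Return one record per plugin that nessusd killed for running too long."""
    running = {}  # (second bracketed field, plugin id) -> (host, launch time)
    killed = []
    for line in log_text.splitlines():
        line = line.strip()
        m = LAUNCH.match(line)
        if m:
            running[(m["proc"], m["pid"])] = (m["host"], parse_ts(m["ts"]))
            continue
        m = KILL.match(line)
        if m:
            # Assumption: "pid N" here is the "[N]" from the launch line.
            host, start = running.pop((m["proc"], m["pid"]), (None, None))
            secs = int((parse_ts(m["ts"]) - start).total_seconds()) if start else None
            killed.append({"plugin": m["plugin"], "host": host, "seconds": secs})
    return killed

def unreliable_hosts(killed):
    """Hosts whose report is missing the output of at least one killed plugin."""
    return sorted({k["host"] for k in killed if k["host"]})

if __name__ == "__main__":
    for k in killed_plugins(SAMPLE_LOG):
        print(f'{k["plugin"]} killed on {k["host"]} after {k["seconds"]}s')
```

Hosts returned by `unreliable_hosts` are the ones whose patch and software findings should be re-scanned before the report is trusted.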



Re: better timeout values for WAN-based scans?
On Thursday 21 August 2008 23:13:06 Jason Haar wrote:
> Sorry - I forgot to mention I don't think this is a congestion problem.

Then try to increase the network timeouts.

> I've just checked the nessus.messages file again - and I am actually
> getting "killing" errors (some webpage on Google told me to look for
> "killed"

Increase the script timeout too.

> That's a seven minute timeout - that's quite long.

Is thorough_tests enabled? If so, disable it.
Which version of smb_hotfixes were you running? The latest version is quicker.
