Mailing List Archive

Nessus stops
Nessus 3 (win32) began doing this yesterday for some unknown reason - it
starts a scan and then just stops, no report whatsoever. I have
uninstalled/reinstalled, but get the same behavior.
How can I diagnose & resolve the issue?

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
Re: Nessus stops
Michael Condon wrote:
> Nessus 3 (win32) began doing this yesterday for some unknown reason - it
> starts a scan and then just stops, no report whatsoever. I have
> uninstalled/reinstalled, but get the same behavior.
> How can I diagnose & resolve the issue?

There could be a few things you could do:

- open up a ticket with our support group. We help commercial Nessus users
diagnose these types of issues all the time. There are a variety of firewall,
security and network settings that can mess with Nessus.

- you can look at your logs. Logs for Nessus windows are in
C:\Program Files\Tenable\Nessus\logs by default. There is a separate scan.log
and server.log.

Ron Gula
Tenable Network Security
Re: Nessus stops
In scan.log there is a key phrase: "the remote host (ip address) is dead."
I know that it indeed is not.
Any suggestions on how to remediate the problem?
----- Original Message -----
From: "Ron Gula" <rgula@tenablesecurity.com>
To: <nessus@list.nessus.org>
Sent: Tuesday, November 11, 2008 6:53 PM
Subject: Re: Nessus stops


> Michael Condon wrote:
>> Nessus 3 (win32) began doing this yesterday for some unknown reason - it
>> starts a scan and then just stops, no report whatsoever. I have
>> uninstalled/reinstalled, but get the same behavior.
>> How can I diagnose & resolve the issue?
>
> There could be a few things you could do:
>
> - open up a ticket with our support group. We help commercial Nessus users
> diagnose these types of issues all the time. There are a variety of firewall,
> security and network settings that can mess with Nessus.
>
> - you can look at your logs. Logs for Nessus windows are in
> C:\Program Files\Tenable\Nessus\logs by default. There is a separate scan.log
> and server.log.
>
> Ron Gula
> Tenable Network Security

Re: Nessus stops
On Nov 11, 2008, at 11:49 PM, Michael Condon wrote:

> In scan.log there is a key phrase: "the remote host (ip address) is
> dead."
> I know that it indeed is not.
> Any suggestions on how to remediate the problem?

Given that you know it's not dead, this usually is a problem caused by
ping_host.nasl so I would recommend looking at how you have that
plugin configured in your scan. Look under the Advanced tab of your
scan policy, under the "Ping the remote host" pull-down menu.

First, check whether it's configured to do an ARP ping. The plugin
will only try to do an ARP ping if a target is on the local network
and is not the localhost. If so, by default the plugin will try to do
this first; if it fails, the host will be marked as dead.

Next, check if it's configured to do a TCP ping and, if so, the TCP
ping destination port(s). Make sure at least one of those is open or
the host sends back an RST in response to a SYN packet. You can either
specify a list of ports or use the keywords "built-in" or "extended",
both of which are described in the source to the plugin itself.

George
--
theall@tenablesecurity.com
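
The TCP ping rule described in the message above (a target counts as alive if at least one probed port is open or answers with an RST), as an added example that is not part of the original thread and is not code from ping_host.nasl. It uses ordinary `connect()` calls rather than raw SYN packets, and `SAMPLE_PORTS` is a constructed sample list, not the plugin's "built-in" list.

```python
import errno
import socket

# Constructed sample list for this example; NOT the plugin's "built-in" list.
SAMPLE_PORTS = (22, 80, 135, 139, 443, 445)


def probe_port(host, port, timeout=3.0):
    """Classify one TCP connect attempt: 'open', 'rst', 'no-reply' or 'error:<name>'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"       # SYN/ACK came back: the port is open
    except ConnectionRefusedError:
        return "rst"        # RST came back: port closed, but the host answered
    except (socket.timeout, TimeoutError):
        return "no-reply"   # nothing came back: packet dropped or host down
    except OSError as exc:
        return "error:" + errno.errorcode.get(exc.errno, "unknown")
    finally:
        sock.close()


def host_alive(results):
    """A target counts as alive if any probed port answered (open or RST)."""
    return any(state in ("open", "rst") for state in results.values())


def tcp_ping(host, ports=SAMPLE_PORTS, timeout=3.0):
    """Probe every port and return (alive, {port: state})."""
    results = {port: probe_port(host, port, timeout) for port in ports}
    return host_alive(results), results


if __name__ == "__main__":
    # 127.0.0.1 keeps the demo offline; replace it with the target reported as dead.
    alive, results = tcp_ping("127.0.0.1")
    for port, state in sorted(results.items()):
        print(f"{port:>5}  {state}")
    print("alive" if alive else "no port answered: a TCP ping would see this host as dead")
```

A run in which every port reports `no-reply` matches the situation in this thread: none of the chosen ports is open or returns an RST, so the TCP ping destination port(s) need to include one that does.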



Re: Nessus stops
Yes, I was aware of the ack scan applying only to the local network. I
thought I had tried all iterations of turning TCP/ICMP/UDP scans on/off
before, but apparently I was suffering from lack of sleep.

- I turned off "Ping the Remote Host" under general options.
- Turned off TCP/ICMP & UDP scans alternately under Advanced/Ping the remote
host. With all off, it ran & produced a report - not very informative, and
also declared in the log that the remote host was dead.

Apparently the server/firewall settings are pretty well hardened.


----- Original Message -----
From: "George A. Theall" <theall@tenablesecurity.com>
To: <nessus@list.nessus.org>
Sent: Wednesday, November 12, 2008 6:05 AM
Subject: Re: Nessus stops


> On Nov 11, 2008, at 11:49 PM, Michael Condon wrote:
>
>> In scan.log there is a key phrase: "the remote host (ip address) is
>> dead."
>> I know that it indeed is not.
>> Any suggestions on how to remediate the problem?
>
> Given that you know it's not dead, this usually is a problem caused by
> ping_host.nasl so I would recommend looking at how you have that
> plugin configured in your scan. Look under the Advanced tab of your
> scan policy, under the "Ping the remote host" pull-down menu.
>
> First, check whether it's configured to do an ARP ping. The plugin
> will only try to do an ARP ping if a target is on the local network
> and is not the localhost. If so, by default the plugin will try to do
> this first; if it fails, the host will be marked as dead.
>
> Next, check if it's configured to do a TCP ping and, if so, the TCP
> ping destination port(s). Make sure at least one of those is open or
> the host sends back an RST in response to a SYN packet. You can either
> specify a list of ports or use the keywords "built-in" or "extended",
> both of which are described in the source to the plugin itself.
>
> George
> --
> theall@tenablesecurity.com

Re: Nessus stops
On Nov 12, 2008, at 1:03 PM, Michael Condon wrote:

> Yes, I was aware of the ack scan applying only to the local network.
> I thought I had tried all iterations of turning TCP/ICMP/UDP scans
> on/off before, but apparently I was suffering from lack of sleep.
>
> - I turned off "Ping the Remote Host" under general options.
> - Turned off TCP/ICMP & UDP scans alternately under Advanced/Ping
> the remote host. With all off, it ran & produced a report - not very
> informative, and also declared in the log that the remote host was
> dead.
>
> Apparently the server/firewall settings are pretty well hardened.

With ping_host.nasl, there is a configurable preference that controls
whether dead hosts appear in the report - "Make the dead hosts appear
in the report". By default, it's set to "no".

Other than that, there are other plugins that can declare a host as
dead. For example, dont_scan_printers.nasl / dont_scan_netware.nasl
may determine that a host is a fragile device and mark it as dead to
avoid causing any damage even when safe checks are enabled. And there
are some destructive plugins that attempt to kill the host and will
mark the host as dead if they were successful. In these cases, there
should be a plugin report that lets you know why the plugin declared a
host as dead.

George
--
theall@tenablesecurity.com


