Does Nessus scan a host for more than 6 hours normal?

Ruiyuan Jiang Ruiyuan_Jiang at liz.com
Wed Aug 11 17:29:25 EDT 2004 

I run Linux kernel 2.6.5.x (Fedora Core 2). I don't pay a lot of attention
to CPU utilization when the session was going on because I walked away since
it took long time. When I scanned another three hosts and I did see the CPU
and swap space used a lot. What I did observed was that in the output of 'ps
-ef | grep nessus', it changed plugins when nessus started again to scan
from port 1 and went up. I stopped the scanning finally. Thanks.


Ryan

-----Original Message-----
From: Confused Scanner [mailto:confuserscanner at yahoo.co.uk]
Sent: Wednesday, August 11, 2004 6:43 AM
To: nessus at list.nessus.org
Cc: Ruiyuan Jiang
Subject: Re: Does Nessus scan a host for more than 6 hours normal?


 --- Ruiyuan Jiang <Ruiyuan_Jiang at liz.com> wrote: 
> Hi, I connected my laptop to a DSL line and tried to
> scan one of my hosts in
> overseas. I started to scan at 10:36 AM EST time. Up
> to now my laptop is
> still scanning the host (4:30 PM EST). On the
> scanning screen, I saw
> portscan bar is at 100% around 1 PM EST and now it
> is still at the same
> location (100%) 3 and half hours later. On the
> remote host that is being
> scanned, I saw my laptop is doing portscanning which
> is what I want. I saw
> the same port is being scanned more than once. I
> don't know why? I don't
> know how long it needs to finish the job.
> 
> On the nessus setup screen, I did "SYN scan" and
> "User specified range" for
> "Port range" and I define the range from port
> 1-60000. I disabled the ping
> and tcp ping. 
> 
> On my laptop, I did "uptime" and "top" and I don't
> see that the load is
> high. I did "ps -ef | grep nessus" and I saw "nessus
> -D" is listening. I
> also saw that nessusd does "test" with the plugins
> "synscan.nasl".
> 
> Is it normal to take more than 6 hours? Thanks in
> advance.
> 
> Ryan
> > _______________________________________________
> Nessus mailing list
> Nessus at list.nessus.org
> http://mail.nessus.org/mailman/listinfo/nessus 

Sounds like the same thing as happens to me, are you
running Linux kernel 2.6.x?
I see the same symptoms with kernel 2.4.x but the CPU
load during this second phase is much lower (10x). The
CPU load also appears to go up with the number of
ports being scanned.

For example 
   kernel 2.6.6 1-5000 ports 1 host 25-30% CPU
   kernel 2.4.26 1-5000 ports 1 host 3-4%  CPU
   kernel 2.6.6 1-65000 ports 1 host 85-90% CPU 
   kernel 2.4.26 1-65000 ports 1 host 16-17% CPU

Not sure why it happens, if any one else knows, please
tell me!

To confirm this use tcpdump host <IPBEINGSCANNED>, you
should see the ports count up, along with the progress
bar in the GUI. When the port hits 5000, or 60000 or
whatever, you will then see it start again (but the
GUI hangs at ~98%). It is at this point that the CPU
(with 2.6 esp) goes crazy.

Let me know how you get on.

Regards

Paul





	
	
		
___________________________________________________________ALL-NEW Yahoo!
Messenger - all new features - even more fun!  http://uk.messenger.yahoo.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.nessus.org/pipermail/nessus/attachments/20040811/c61fe0c0/attachment.html

More information about the Nessus mailing list