Title: Message

 

    Here is the response I received from ISS.  Even though the ISS training I received was extremely valuable, they didn't touch much on the "speeding scans up" area.  I love ISS and their products, but this is really my largest gripe. 

    You are correct to say that a "console mode scan" does speed the scans up.  I haven't tried turning off the checks below, but I'd like to do a scan that is the most reliable, fastest, and scan for the most exploits.  Granted, the more checks you add, the longer it takes.  But for me, it just seems to hang up on the port scanning. 

    Another thing that stumps me is that while I'm doing a scan, if you check the CPU utilization, memory, and processes, absolutely nothing is being pegged.  The ISS_Winnt process is maybe using like 4% utilization.  When I look at the NIC, there is like no activity on it.  I went through the options and optimized those areas.  I set the "maximum parallel scan threads" to 128, the "parallel service scans" to 16, max connects to 50, and max connections (port scan) to 1024.  I set the delay to 10 ms and the timeout to 4000 ms.  It seemed as if this had no effect on the scan. 

    While it does the scan (I've tried both console and gui mode, and the same results), in gui mode, if you see which checks are currently running, it looks like the port scans (tcp and stealth) take the longest.  I know I may be banned from saying this forbidden word here, but with nmap on linux, it takes no time flat to do a tcp port scan.  Even as far as a nessus scan goes on linux, when it does the scan, you can hear the drive chugging and the utilization of the machine rising.  And then it does the scan in a few minutes. 

    I prefer ISS to Nessus any day because, I believe, the checks are more accurate.  But this depends on who you talk to.  I'm also trying a product out called "Shadow Security Scanner" that does a scan in a quarter of the time ISS' Internet Scanner does. 

    Like I said before, I love ISS and the Internet Scanner.  But it's just a little frustrating when you have to scan thousands of hosts and it takes a few days to do it, while there's no utilization on the machine or nic. 

 

Mike

 

-----Original Message-----

From: ISS Technical Support [mailto:[EMAIL PROTECTED]]

Sent: Monday, December 02, 2002 9:36 AM

To: Wisniewski, Michael

Subject: RE: 625431 - IS 6.2.1 - optimizing internet scanner

 

Hello Michael,

Your old systems were equipped with more than the system requirements for Internet Scanner. So I can see why adding additional hardware did not speed things up. It sounds like you were not over-utilizing the system resources as it was.

Some of our checks do take a long time to complete. If you would like to speed things up, you may consider disabling or reconfiguring some of the checks/options listed below:

--Enumerating NetBIOS shares

--Enumerating shares

--Enumerating NFS mounts (in Vulnerabilities Standard NFS, disable nfsexp or the NFS exports check)

--Nbdict (dictionary attack against shares) (in Vulnerabilities Standard Shares, disable nbdict)

--Nbperm (password permutations) checks (in Vulnerabilities Standard Shares, disable nbperm)

--Password guessing and brute force attacks (disable all options in Vulnerabilities Standard Brute Force)

--Full Port Scans (under Common Settings Port Scan, clear the Run Scan check box)

--ICQClient-The ICQClient may bind at any port, causing inconsistent behavior from one boot to the next. The ICQClient check has been configured to scan the most likely ports, using a default port range from 1024 to 2124. Scanning this entire port range could take a considerable amount of time, as the check determines if the client is bound to a port somewhere within the default range. However, it is possible that the client may be bound outside the port range entered, which could result in a false positive.

--IP Spoofing (disable all options in Vulnerabilities Standard Protocol Spoofing)

--Guessing Windows NT passwords against large domain controllers (under Common Settings Brute Force Lists, clear the Use Default Login File check box)

--SNMP checks (disable all options in Vulnerabilities Standard SNMP)

--Spoofing (disable Common Settings IP Spoofing Spoof Lists if you have lots of users and trusted hosts)

--Stealth Scans (in Services TCP Stealth Port Scan, disable the Stealth Port Scan).

Thank you and have a great day.

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

***PLEASE NOTE***

If you are using any ISS RealSecure products that utilize the ISSED

database and have not applied the critical database update, please

obtain this patch from the ISS Knowledgebase at:

http://www.iss.net/support/knowledgebase/

Reference Answer Number 722

 

****IMPORTANT****

RealSecure products using the ISSED database will not

function properly after 7-17-2002 without this patch.

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

Thank you,

=================================================

David Dewey

Technical Support Engineer

Internet Security Systems: http://www.iss.net

Phone: (404) 236-2700 or (888) 447-4861

Technical Support email: [EMAIL PROTECTED]

PGP Public Keys http://www.iss.net/support/howto_encrypted_email.php

Training

http://www.iss.net/education/

Internet Security Systems Product Knowledgebase http://www.iss.net/support/knowledgebase/

=================================================

-----Original Message-----
From: Orahood Mark S Civ 910 CF/SCBN [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 02, 2002 10:53 AM
To: Wisniewski, Michael
Subject: RE: [ISSForum] Optimizing Internet Scanner

Mike,

Try running your next scan in "Console Mode".  Select Scan, then select "Console Mode".  It will be like running a scan from the command line.  You should see better performance without the GUI running.

Mark Orahood
Network Protection Tech.
DSN:346-1229 or Comm:330-609-1229

-----Original Message-----
From: Wisniewski, Michael [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 02, 2002 9:37 AM
To: '[EMAIL PROTECTED]'
Subject: [ISSForum] Optimizing Internet Scanner

 

 

    Hi!  I was wondering if anybody had any tips or tricks to make Internet Scanner run faster.  I'm very confused and wished that it would speed things up.  We've upgraded our scanning systems to a P4, 1.8 GHz, 256 meg ram, and gigabit fiber nic, and the scans still run at the same pace as our 500 MHz, 256 meg ram, and 100mbps nic.  If anybody has any ideas or tips to optimize the scans, that would be great!  Thanks!

 

 

---------------------------------------------------------------

Michael Wisniewski

Cyber Security Analyst

- Sans GIAC Security Essentials Certified -

- Internet Security Systems Certified -

Argonne National Laboratory

Office of the Chief Information Officer

630-252-7560 (Work)

630-514-2874 (Mobile)

 
