Ouch, see below for comments: 

> -----Original Message-----
> From: eric [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, March 24, 2004 1:54 PM
> To: [EMAIL PROTECTED]
> Subject: Speeding Up Nessus Performance
> 
> We've recently started scanning portions of our /16 frequently, and 
> plan on doing full scans of large portions of the network on a 
> scheduled basis.

I've found that it is easier to do an nmap ping scan of sparsely populated
Class Bs and then feed the live hosts to Nessus via a command line
invocation.

> What I've noticed is that, with the following attributes in my config 
> file, the load average sits quite high.
> 
>  max_hosts = 96
>  max_checks = 16
>  be_nice = no
>  optimize_test = yes

You realize you're telling nessus to run 1536 tests simultaneously?  I
forget the limitations of the *BSD bpf, but if setting it to 256 means 256
network/pcap sessions are allowed at the same time, you're trying to cram
1536 tests into 256 pipes.  I think I remember a note from Renaud saying
bpfs weren't a problem any more, but I'm not sure.

Of course, if you've only got 5 or 10 tests selected, this won't be as bad
as Nessus will only do 96*5 or 10 simultaneous tests.

[snip]
> 
> The hardware we're running on is an IBM x345 with a P4 2.4Ghz Xeon 
> processor and 1.5GB of RAM. We're already addressing the issue of 
> adding a second CPU. The network is 100 full-duplex with little 
> latency throughout our campus.

I'm scanning for about 5 tests per host on 0.5mil IPs on a daily basis by
using the nmap ping then Nessus method.  I haven't tried with significantly
more tests, but the ping really cuts down on the time.  My max's are set to:
 max_hosts = 64
 max_checks = 2
On a 2xPentium II, 500MHz w/1GB RAM.  I'll put a skeleton of the script I
use at the bottom...

> Now to the issue...
> 
> When running any types of scans tcp_connect, syn scans or nmap scans, 
> etc. the load average will quite often sit at 30 or more on the host, 
> taking days to scan 6 /24's. This is with "all but dangerous"
> plugins enabled.

To me that means they're all blocking/waiting on the network, but maybe just
to swap in based on 1536 processes being spawned.  Use vmstat or systat (? -
I forget on *BSD) to check your swapping, blocked processes, etc.

> So my question is: what have folks done to speed nessus up? 
> Are there any words of wisdom you can offer? 
> 
> I have two single processor hosts that I've been thinking of setting 
> up to run scans from as well, and export the nessus data directories 
> via NFS from the main host. Are there any plans to build distributed 
> scanning techniques into nessus?

More sensors are good, but since you can run multiple clients from one host
and have them branch out to all the distributed sensors, I'm not sure I see
the point of NFS.

> Thanks for any insight. I can summarize if you reply off-list.
>
> - Eric

Owen

#!/bin/bash

# First I have a directory structure that looks like:
# /tmp/nessus/UTC+1200
# /tmp/nessus/UTC+1100
# ...
# /tmp/nessus/UTC-0600
# /tmp/nessus/UTC-0700
# ...
# In each directory are single files for each admin with the admin's
# name and .net.  The files contain the networks (in nmap format)
# for which the admin is responsible.
# Then I setup cron jobs to call this script at a time approximating
# 9AM in each timezone with the directory as an argument.

set -e
cd /tmp/nessus
DATE=`date +'%Y%m%d-%H%M'`

for file in `find $1 -type f -name "*.net"`
  do
  echo Ping scanning networks in $file
  file=${file%.net}
  # Ping sweep only; keep the IP (field 2) of every host nmap reports as Up
  nmap -sP -PT21 -iL ${file}.net -oG - | awk '/Status: Up/ { print $2 }' > ${file}-${DATE}.nmap
  echo Updating nessusrc file
  # update-nessusrc is available on the net and I have just the tests I want
  # enabled in it.
  ./update-nessusrc -s nessusrc # nessusrc was originally created from the nessus client
  echo Running Nessus scan on `wc -l ${file}-${DATE}.nmap | awk '{print $1}'` hosts
  # Batch-mode (-q) scan of the live hosts only; results land in a .nbe file
  /usr/local/bin/nessus -c nessusrc -q localhost 1241 username password ${file}-${DATE}.nmap ${file}-${DATE}.nbe
done

# You have to figure out what to do with the .nbe files yourself...
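As an added illustration of the two points in the reply above (it is not Owen's script and not part of the original thread): the first function parses nmap's grepable (-oG) ping-sweep output the way the awk one-liner does, but also skips comment lines, hosts reported Down and duplicate entries, and ignores any Host line it cannot parse instead of emitting a stray field; the second applies the concurrency arithmetic from the reply (max_hosts times the smaller of max_checks and the number of tests actually selected). The sample grepable output is constructed, not captured from anyone's scan, and the hostname and timestamps in it are placeholders.

```python
import re
from typing import List

# Constructed sample of `nmap -sP ... -oG -` output (not from the poster's
# scans). nmap separates the host part from "Status:" with a tab.
SAMPLE_GREPABLE = """\
# Nmap 3.50 scan initiated Wed Mar 24 09:00:00 2004 as: nmap -sP -PT21 -iL admin.net -oG -
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.11 (www.example.test)\tStatus: Up
Host: 192.0.2.12 ()\tStatus: Down
Host: 192.0.2.10 ()\tStatus: Up
Host: garbage line that does not parse
# Nmap run completed at Wed Mar 24 09:00:05 2004 -- 256 IP addresses (2 hosts up) scanned
"""

# Host: <ip> (<optional name>)<whitespace>Status: <state>
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")


def live_hosts(grepable: str) -> List[str]:
    """Return the unique IPs nmap reported as Up, in first-seen order.

    Comment lines (leading '#'), hosts marked Down, and Host lines that do not
    match the expected shape are skipped rather than mis-parsed, so the
    resulting list is safe to hand to Nessus as a target file.
    """
    seen: List[str] = []
    for line in grepable.splitlines():
        m = HOST_LINE.match(line)
        if m is None or m.group(3) != "Up":
            continue
        ip = m.group(1)
        if ip not in seen:
            seen.append(ip)
    return seen


def target_file_contents(hosts: List[str]) -> str:
    """Render the live-host list as Nessus expects it: one target per line."""
    return "".join(ip + "\n" for ip in hosts)


def concurrent_tests(max_hosts: int, max_checks: int, tests_selected: int) -> int:
    """Upper bound on tests in flight for one nessusd.

    Each of max_hosts hosts runs at most max_checks checks at once, and a host
    can never have more checks in flight than there are tests selected, which
    is why the reply notes that a 5-test scan with max_hosts=96 stays at 96*5.
    """
    return max_hosts * min(max_checks, tests_selected)


if __name__ == "__main__":
    up = live_hosts(SAMPLE_GREPABLE)
    print("live hosts:", up)
    print(target_file_contents(up), end="")
    print("worst case with max_hosts=96, max_checks=16, all plugins:",
          concurrent_tests(96, 16, 1000))
    print("same settings, only 5 tests selected:", concurrent_tests(96, 16, 5))
```

Piping `nmap -sP -oG -` into this instead of the awk filter gives the same target file on clean output, and a quieter failure on lines that are not host records; the concurrency figures are the 1536 and 480 the reply is reasoning about.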
_______________________________________________
Nessus mailing list
[EMAIL PROTECTED]
http://mail.nessus.org/mailman/listinfo/nessus