Thanks for the response, Jay.

I double-checked my .nessusrc file at your suggestion, and I only have one
entry for each of the plugins you listed below.  I actually checked a
little more thoroughly, and couldn't find any duplicate entries at all.

So, I still can't figure out why two port scans are running, nor am I
entirely clear on what's actually running.  Am I correct in thinking that
synscan.nes is the built-in Nessus scanner, and that nmap_tcp_connect.nes
is a connect() scan through Nmap?  Any other suggestions or ideas on how I
can get this to work properly?

Thanks.

--
Jared Breland                 International Paper
[EMAIL PROTECTED]      Information Security
901-419-5077                  http://irm.ipaper.com/


"Jay Jacobson" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]st.nessus.org
09/15/2004 03:10 PM

To: "Jared M Breland" <[EMAIL PROTECTED]>
cc: [EMAIL PROTECTED]
Subject: Re: scan/plugins question

Hi Jared. You may have the same problem for all of your questions. It is
possible for the "SCANNER SET" plugins to be listed twice in the .nessusrc
file. You may have them disabled in the SCANNER_SET, but still enabled in
the plugins list. What do you get if you grep your .nessusrc file for
those plugin IDs (10180, 10335, 10336, 10796, and 11219)? Do they show up
multiple times?

Also remember that the .nessusrc file gets modified by the client at
run-time. Try launching a scan, wait a few minutes for it to fully connect
to the Nessus server and get going, then ctrl-c the client and grep the
.nessusrc file. Do they show up multiple times?

~Jay


On Wed, 15 Sep 2004, Jared M Breland wrote:

> Actually, I have several related questions, but I figured I'd put them all
> in one e-mail to avoid flooding the list.
>
> I've been working on a custom .nessusrc file to optimize the test for my
> environment.  One of the things I want to do is use Nmap for port scanning
> rather than Nessus, and I'd like Nmap to perform a SYN scan.  Here's my
> current config for this, with just the relevant parts:
>
> begin(SCANNER_SET)
> 10180 = no #nessus ping
> 10335 = no #nessus TCP port scan
> 10336 = yes #nmap port scan
> 10796 = no #LaBrea tarpitted scan
> 11219 = no #nessus SYN port scan
> end(SCANNER_SET)
>
> begin(SERVER_PREFS)
> port_range = default
> end(SERVER_PREFS)
>
> begin(PLUGINS_PREFS)
> Nmap[checkbox]:Identify the remote OS = yes
> Nmap[checkbox]:Ping the remote host = yes
> Nmap[radio]:Port range = Default range
> Nmap[checkbox]:RPC port scan = no
> Nmap[entry]:Source port : = any
> Nmap[radio]:Timing policy : = Normal
> Nmap[radio]:TCP scanning technique : = SYN scan
> Nmap[checkbox]:UDP port scan = no
> Nmap[checkbox]:Use hidden option to identify the remote OS = no
> Ping the remote host[checkbox]:Do a TCP ping = no
> Ping the remote host[checkbox]:Do an ICMP ping = no
> Ping the remote host[checkbox]:Log live hosts in the report = no
> Ping the remote host[checkbox]:Make the dead hosts appear in the report = no
> Ping the remote host[entry]:Number of retries (ICMP) : = 10
> Ping the remote host[entry]:TCP ping destination port(s) : = built-in
> end(PLUGINS_PREFS)
>
> Ok, so according to my interpretation of this, Nessus built-in scanning and
> pinging should be disabled, and Nmap pinging and scanning should be
> enabled, with Nmap doing a SYN scan (eg., -sS).  However, scans take nearly
> an hour to complete now (up from about 20 minutes previously).  I enabled
> full reporting in the logs, and saw this information:
>
> [Wed Sep 15 10:38:06 2004][21035] connection from 127.0.0.1
> <SNIP>
> [Wed Sep 15 10:38:18 2004][21135] user nessus : launching global_settings.nasl against w02ajbrela21408.ipaper.com [21136]
> [Wed Sep 15 10:38:18 2004][21135] global_settings.nasl (process 21136) finished its job in 0.009 seconds
> [Wed Sep 15 10:38:18 2004][21135] user nessus : launching labrea.nasl against w02ajbrela21408.ipaper.com [21137]
> [Wed Sep 15 10:38:24 2004][21135] labrea.nasl (process 21137) finished its job in 6.188 seconds
> [Wed Sep 15 10:38:24 2004][21135] user nessus : launching ping_host.nasl against w02ajbrela21408.ipaper.com [21138]
> [Wed Sep 15 10:38:24 2004][21135] ping_host.nasl (process 21138) finished its job in 0.008 seconds
> [Wed Sep 15 10:38:24 2004][21135] user nessus : launching TLD_wildcard.nasl against w02ajbrela21408.ipaper.com [21139]
> [Wed Sep 15 10:38:24 2004][21135] TLD_wildcard.nasl (process 21139) finished its job in 0.007 seconds
> [Wed Sep 15 10:38:24 2004][21135] user nessus : launching synscan.nes against w02ajbrela21408.ipaper.com [21140]
> [Wed Sep 15 10:41:56 2004][21135] synscan.nes (process 21140) finished its job in 212.201 seconds
> [Wed Sep 15 10:41:56 2004][21135] user nessus : launching nmap_wrapper.nes against w02ajbrela21408.ipaper.com [21145]
> [Wed Sep 15 10:43:14 2004][21135] nmap_wrapper.nes (process 21145) finished its job in 77.404 seconds
> [Wed Sep 15 10:43:14 2004][21135] user nessus : launching nmap_tcp_connect.nes against w02ajbrela21408.ipaper.com [21148]
> [Wed Sep 15 11:25:03 2004][21135] nmap_tcp_connect.nes (process 21148) finished its job in 2509.705 seconds
> <SNIP>
>
> Ok, so here are my questions:
>
> It looks like Nessus is using its built-in pinger rather than Nmap for
> pinging (ping_host.nasl).  Is this correct, or am I reading it wrong?  If
> so, how do I force it to use Nmap instead?
>
> As with pinging, it also looks like Nessus is running a SYN scan with its
> built-in scanner, rather than calling Nmap (synscan.nes).  Again, is this
> correct?
>
> After running the SYN scan (which finishes in just 3 1/2 minutes), it then
> kicks off another port scan (nmap_tcp_connect.nes), which takes a
> ridiculously long 42 minutes to complete.  First, why is it running two
> port scans?  Second, this appears to be a connect() scan, but as I said I
> want a SYN scan.  How do I set this up correctly?
>
> And my last question, somewhat related - why is the labrea.nasl plugin
> being run?  I have that disabled in the SCANNER_SET options (10796).  Did I
> do something wrong there?
>
>
> Sorry for the long e-mail, but as I said, I thought it'd be easiest to get
> this all out at once.  Thanks!
>
> --
> Jared
>
>
> _______________________________________________
> Nessus mailing list
> [EMAIL PROTECTED]
> http://mail.nessus.org/mailman/listinfo/nessus
>

--
..
..  Jay Jacobson
..  Edgeos, Inc. - 480.961.5996 - http://www.edgeos.com
..
..  Network Security Auditing and
..  Vulnerability Assessment Managed Services
..
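
The check suggested in the reply above (scanner plugin IDs listed in more than one section of .nessusrc, disabled in one and enabled in another), as an added example that is not part of the original thread. The sample file is constructed; the `PLUGIN_SET` section name and its entries are assumptions, and only the SCANNER_SET lines mirror the config quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample, not the poster's file. The PLUGIN_SET section and its
# entries are assumptions; the SCANNER_SET lines mirror the quoted config.
SAMPLE_NESSUSRC = """\
begin(SCANNER_SET)
10180 = no #nessus ping
10335 = no #nessus TCP port scan
10336 = yes #nmap port scan
10796 = no #LaBrea tarpitted scan
11219 = no #nessus SYN port scan
end(SCANNER_SET)

begin(PLUGIN_SET)
10796 = yes
11219 = yes
10107 = yes
end(PLUGIN_SET)
"""

SECTION_START = re.compile(r"^\s*begin\((\w+)\)\s*$")
SECTION_END = re.compile(r"^\s*end\((\w+)\)\s*$")
PLUGIN_LINE = re.compile(r"^\s*(\d+)\s*=\s*(yes|no)\b", re.IGNORECASE)


def plugin_entries(text):
    """Map plugin ID -> list of (section, enabled) for every numeric entry."""
    entries = defaultdict(list)
    section = None
    for line in text.splitlines():
        if m := SECTION_START.match(line):
            section = m.group(1)
        elif SECTION_END.match(line):
            section = None
        elif section and (m := PLUGIN_LINE.match(line)):
            enabled = m.group(2).lower() == "yes"
            entries[int(m.group(1))].append((section, enabled))
    return dict(entries)


def conflicts(text):
    """Return {id: entries} for IDs listed with differing enabled states."""
    return {pid: seen for pid, seen in plugin_entries(text).items()
            if len({state for _, state in seen}) > 1}


if __name__ == "__main__":
    for pid, seen in sorted(conflicts(SAMPLE_NESSUSRC).items()):
        print(pid, seen)
```

Because the client rewrites .nessusrc at run-time, the file as it stands after a scan has started is the one to check, as the reply notes.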
