------------------------------

Message: 3
Date: Fri, 15 Sep 2006 10:23:44 -0400
From: "Joel Elwell" <[EMAIL PROTECTED]>
Subject: Nessus 3.0.3 scan abends Btcpcom.nlm
To: <[email protected]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=US-ASCII

After updating (uninstall old, clean install new) from Nessus 2.6 to 3.0.3, our recent scan caused multiple abends on our NetWare 6.5 servers. It affected about 50% of the servers scanned.

Abend was:
EIP in LIBC.NLM at code start +0008BB95h
Running process: BTCPCOM.NLM 6 Process
Thread Owned by NLM: BTCPCOM.NLM

Safe checks were enabled and port scanning was enabled.

This approach worked ok with (no NetWare abends) using our previous version of Nessus.

I did read a Novell TID from 2003 (2966492) concerning a field fix for Nessus port scanning causing an abend with Btcpcom.nlm, but all our servers have the same date and version recommended by the TID.

Servers are a mix of NetWare service pack level, SP2, SP3, SP5. We are working to get all to SP5. It was about a 50-50 mix of affected servers in relation to the service pack level.

I have yet to find any pattern to pursue, other than the obvious info from the abend logs.

Does anyone have similar experience or any insight?

Thanks

Joel Elwell
Network Security Engineer
Corporate Email Administrator
[EMAIL PROTECTED]

------------------------------

Message: 4
Date: Fri, 15 Sep 2006 16:57:12 +0200
From: Michel Arboi <[EMAIL PROTECTED]>
Subject: Re: Nessus 3.0.3 scan abends Btcpcom.nlm
To: "Joel Elwell" <[EMAIL PROTECTED]>
Cc: [email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=us-ascii

On Fri Sep 15 2006 at 16:23, Joel Elwell wrote:

> After updating (uninstall old, clean install new) from Nessus 2.6

I suppose that you mean 2.2.6. And that you are using nessus_tcp_scanner.

> Safe checks were enabled and port scanning was enabled.

Which was the value of max_checks ("Number of checks to perform at the same time")?

> This approach worked ok with (no NetWare abends) using our previous
> version of Nessus.

There have been several modifications in nessus_tcp_scanner since 2.2.6. The most noticeable one is an improvement of scan time against machines which implement RST rate limitation (mainly BSD).
If Netware uses such a trick, Nessus 2.2.8 or 3+ will be much more aggressive against it. If not, the behaviour should be unchanged and maybe you'll have to check your parameters (you may have changed some of them when you switched from 2.x to 3.x).

> I have yet to find any pattern to pursue

Concerning Netware itself, I cannot help you. You are not the first one to report such problems.
Meanwhile, you could try to reduce max_checks or even switch to Nessus SYN scanner instead of the TCP scanner.

--
http://arboi.da.ru/ http://ma75.blogspot.com/
PGP key ID : 0x0BBABA91 - 0x1320924F0BBABA91
Fingerprint: 1048 B09B EEAF 20AA F645 2E1A 1320 924F 0BBA BA91

------------------------------

Message: 5
Date: Fri, 15 Sep 2006 11:49:13 -0400
From: "Joel Elwell" <[EMAIL PROTECTED]>
Subject: Re: Nessus 3.0.3 scan abends Btcpcom.nlm
To: <[EMAIL PROTECTED]>
Cc: [email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=US-ASCII

Thanks for your response,

You are correct, our previous version was 2.2.6, and we are indeed using nessus_tcp_scanner.

Max_check is set for 5. Since I have inherited the scanning from a former co-worker, I may easily have different settings than previous. (I did attempt to keep as many the same as possible.)

I'll look into the possibility of Netware using a type of RST rate limitation, I am uncertain at this time.

I can appreciate your comment about Netware.

I should be able to set up a test using your suggestion about reducing max_checks or switching to Nessus SYN scanner instead of the TCP scanner.

Thanks,
Joel

---------------------------------

As a follow-up to my post, by process of elimination I was able to determine the plugin that apparently abended many of our Novell servers during the first Nessus 3.0.3 scan.

SAP DB/MaxDB Detection
Nessus ID # 11929
CVE: NOCVE (N/A)
Bugtraq ID: NOBID (N/A)

I ran a scan (with Syn port scan) with only this plugin enabled. The result was the abend I posted previously.
To confirm, I ran another scan with all plugins enabled, except that one, and the scan completed without abending the Novell server.

This was tested on only one server but I will be testing at least 2 others. I'll post the results.

Joel Elwell
Network Security Engineer
Home Properties, Inc.

_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
