Educause Security Discussion mailing list archives
Re: NESSUS
From: Josh Richard <jrichar4 () D UMN EDU>
Date: Thu, 24 Feb 2005 10:46:35 -0600
Hi Chad,

We are running FreeBSD on a Dell 2650 (2X3Ghz XEON 2GB RAM) and are able to scan 29 /24 bit networks in under 2 hours. I assume when you say subnets, you are talking about /24's.

This is achieved by selecting 5 or so Nessus plugin id's we would like to enforce using Jon Ballem's Net::Nessus::ScanLite Perl module to dispatch the scans.

The algorithm is simple:

if the host is reachable via ICMP Ping
    scan the host (see http://search.cpan.org/~jpb/Net-Nessus-ScanLite-0.01/lib/Net/Nessus/ScanLite.pm for documentation)
    react to the scan however you need

The 2 hour time frame can be reduced greatly by not scanning the subnets sequentially, but scanning all 20+ subnets at the same time using a wrapper script which calls a Perl program which expects a subnet on the command line. Choosing to do this is up to you, however.

Please enjoy these code stubs! The usual disclaimer applies: 'If it does not work for you, you have the code'. :)

Wrapper script:
----
#!/usr/bin/perl
use strict;

# Third octet of each subnet to scan (10.1.1 .. 10.1.20).
my @subnets = (1 .. 20);

for (@subnets){
    # Start one background scanner per subnet.
    system ("/usr/local/bin/scan_subnet.pl 10.1.$_ &");
}
----

Where <scan_subnet.pl> looks something like this:
----
#!/usr/bin/perl
##
# This is a code stub, not really tested and included for reference.
# Hopefully this will get you off the ground.
#
# No warranty implied or otherwise, however we will always give out rope.
#  - Hanging yourself is optional.
#
# Please clean this up as needed.
# Josh Richard UMD
##
use strict;
use Net::Ping;

# adjust this to remove your gateway or only include ips where machines exist...
my @ips = (1 .. 253);

# First three octets of the subnet, e.g. 10.1.1
my $network = $ARGV[0];
die "usage: $0 <network prefix, e.g. 10.1.1>\n" unless defined $network;

for (@ips){
    my $host = "$network.$_";

    # needs to run as root for icmp scans...
    my $p = Net::Ping->new('icmp',1);

    if ($p->ping($host)){
        print "Ping returned ok, scanning $host...\n";
        if (&host_is_vulnerable($host)){
            # do something, or not. ;)
        }
    }
}

###
#
## SUBS
#
###
sub host_is_vulnerable{
    use Net::Nessus::ScanLite;

    my $addr = shift;
    my $plugins = '10394;etc'; # See documentation, John is a good writer... ;)
    my $user = 'user'; # See documentation
    my $pwd = '*****'; # See documentation
    my $nessus_server = 'server_running_nessus'; # See documentation
    my $logmessage;

    my $nessus = Net::Nessus::ScanLite->new(
        host => $nessus_server,
        port => 1241,
        ssl  => 1, # set to 1 if using ssl, otherwise comment out
    );

    # Modify the following if you need to
    $nessus->preferences( {
        host_expansion      => 'none',
        safe_checks         => 'yes',
        checks_read_timeout => 1
    });
    $nessus->plugin_set($plugins);

    if( $nessus->login($user,$pwd) ) {
        $nessus->attack($addr);
    }else{
        print "Could not login to server. \n";
        die;
    }

    # True if a vulnerability from the plugin set was detected
    if ($nessus->total_holes){
        my $ids;
        my $need_a_semicolon = 0;

        # Build the ';'-separated string of plugin ids for the log file.
        my @a = $nessus->hole_list;
        foreach my $obj (@a){
            $ids .= ';' if ($need_a_semicolon);
            $ids .= $obj->ScanID();
            $need_a_semicolon = 1;
        }
        $logmessage = "scan_subnet: $addr [check:$plugins] [VULN:$ids]";

        # Note you could log this to a file easily...
        print "$logmessage\n";
        return 1;
    }

    # Otherwise not vulnerable, continue
    return 0;
}
---------------

Code based on this example worked well for us in testing and reduces the time to scan all subnets to a little over the time it takes to scan 1 subnet. We were able to scan about 6000 machines in just over an hour ***. For 20 subnets, you should be safe and be able to make that big server earn its paycheck.

Regards,

Josh Richard
University of Minnesota Duluth
ITSS
http://www.d.umn.edu/~jrichar4

*** Footnote of fun: Scanning 6000 (120 subnets) machines at once is not recommended... This required performance tuning the IP Stack on the BSD server, some sleep statements in the wrapper script to stop a dual server meltdown and is just included as a proof of concept. I had to try it once. Have fun :)

Chad McDonald wrote:
I am trying to use Nessus to do a baseline vulnerability scan of our university network. To date, I am not having much luck finding the right hardware that can support this large of a scan (20+ subnets) in a reasonable timeframe. Before I make a purchase, could those of you using Nessus let me know what kind of hardware you have had success with? My current "desktop pc" configuration running on Suse just doesn't fit the bill.

Thanks,

Chad McDonald, CISSP
Chief Information Security Officer
Georgia College & State University
478.445.4473 Office
478.454.8250 Cell
478.445.1202 Fax

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
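The footnote above mentions that launching every subnet at once needed sleep statements in the wrapper to keep the servers up. The sketch below is an added example, not code from the original post: it caps the number of concurrent scanner processes, validates each subnet prefix, and starts children with list-form exec so the prefix never passes through a shell. The names valid_prefix, reap and dispatch, the cap of 4, and the stand-in child command are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example, not from the original post: bounded-parallel scan dispatcher.
use strict;
use warnings;
use POSIX ();

# Accept only a three-octet prefix such as "10.1.7", the form scan_subnet.pl expects.
sub valid_prefix {
    my ($p) = @_;
    return 0 unless defined $p && $p =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/;
    for my $octet ($1, $2, $3) { return 0 if $octet > 255 }
    return 1;
}

# Wait for one child to exit and record its exit code under its prefix.
sub reap {
    my ($running, $result) = @_;
    my $pid = waitpid(-1, 0);
    if ($pid <= 0) { %$running = (); return }   # no children left to wait for
    my $prefix = delete $running->{$pid};
    $result->{$prefix} = $? >> 8 if defined $prefix;
}

# Run @$cmd once per prefix with at most $max children alive at any time.
# Returns { prefix => exit code, or 'rejected' for malformed input }.
sub dispatch {
    my ($prefixes, $max, $cmd) = @_;
    $max = 1 if $max < 1;
    my (%running, %result);
    for my $prefix (@$prefixes) {
        unless (valid_prefix($prefix)) { $result{$prefix} = 'rejected'; next }
        reap(\%running, \%result) while keys(%running) >= $max;
        my $pid = fork();
        die "fork failed: $!" unless defined $pid;
        if ($pid == 0) {
            # List-form exec: the prefix is passed as one argument, no shell.
            exec { $cmd->[0] } @$cmd, $prefix or POSIX::_exit(127);
        }
        $running{$pid} = $prefix;
    }
    reap(\%running, \%result) while %running;
    return \%result;
}

# Constructed demo: a stand-in child that sleeps 0.2 s replaces the hypothetical scanner.
my @stand_in = ($^X, '-e', 'select(undef, undef, undef, 0.2); exit 0');
my @targets  = ((map { "10.1.$_" } 1 .. 20), '10.1.999', '10.1.5 extra');
my $res = dispatch(\@targets, 4, \@stand_in);
printf "%-14s %s\n", $_, $res->{$_} for sort keys %$res;
```

To use it with a real scanner, replace the stand-in command with the path to your own per-subnet script and pick a cap that the scanning host and the Nessus server can sustain.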