Open-AudIT
https://www.open-audit.org/phpBB3/

slow scanning OA 1.12.8
https://www.open-audit.org/phpBB3/viewtopic.php?f=20&t=6553

Author:  vanderheyde [ Fri Sep 02, 2016 7:21 am ]
Post subject:  slow scanning OA 1.12.8

Hi,

I'm currently running a scan on a /17 subnet. On average, this takes 93 seconds per IP address, which roughly translates to 35 days.
Is this normal, or am I missing some settings to tweak?

Running version 1.12.8.1 on Debian 8 VM with 4 CPUs and 1GB RAM. It's a clean install, not an upgrade.

thanks :)

Author:  Mark [ Mon Sep 05, 2016 10:17 am ]
Post subject:  Re: slow scanning OA 1.12.8

Will need more information.
A /17 is a LOT of IP addresses (> 32,000 IP addresses).
I'd suggest breaking it down into more manageable chunks.

Do you have credentials for the devices? An SNMP scan will take a while to attempt to connect to the device and have to time out for each SNMP version (1, 2c, 3) with each credential set. Once you have the correct credentials associated with a device, these are attempted first, so next time around scanning should be much quicker. Same with other methods (WMI / SSH).

Author:  vanderheyde [ Mon Sep 05, 2016 6:42 pm ]
Post subject:  Re: slow scanning OA 1.12.8

A /17 was the easiest way to scan, since I wasn't really looking forward to starting 128 /24 scans. Though if that's what's needed to get a shorter scan time...

There are multiple types of devices in each /24 subnet, so I have matching credential sets for each one.
Is there a way to decide which set gets tested first? For example, as most of the devices are Windows devices (some with SNMP enabled), it would make more sense to test the Windows credentials before SNMP.

I currently have 3 sets of Windows credentials and 1 SNMP community.

I've also noticed the timeout on a dead IP takes a long time. Can I change this to be shorter? There are a few /24s in there that are not in use (closed stores), so that's a lot of time lost.

thanks :)

Author:  Mark [ Wed Sep 07, 2016 9:09 am ]
Post subject:  Re: slow scanning OA 1.12.8

Quote:
Is there a way to decide which set gets tested first?

Not at present, no. We could possibly do something here depending on the Nmap reported open ports.

Quote:
I've also noticed the timeout on a dead IP takes a long time.

This is Nmap, I assume. The initial scan is of the entire submitted range like below:
Code:
nmap -n -sL ip_range

For each device that responds, it's scanned using the below options.
Code:
nmap -vv -n -Pn --host-timeout 90 -T4 your_ip_address

You might see if there are any other Nmap options that might be of use to you.

I think the single biggest issue is scanning a /17.
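
An added example, not part of the thread and not Open-AudIT code: it splits the /17 into /24 chunks and uses a ping-sweep report to list which chunks have responders, so unused ranges (the "closed stores" case above) are not submitted at all. The 10.20.0.0/17 range, the sample `nmap -n -sn -oG -` output and the function names are constructed assumptions; hosts that drop every discovery probe do not show as Up, so a chunk reported empty can still hold silent devices.

```python
import ipaddress
from collections import Counter

HOST_TIMEOUT_S = 90  # per-host timeout from the nmap command quoted in the thread

# Constructed sample of `nmap -n -sn -oG - 10.20.0.0/17` output (not real scan data).
SAMPLE_GREPABLE = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 10.20.0.1 ()\tStatus: Up\n"
    "Host: 10.20.0.57 ()\tStatus: Up\n"
    "Host: 10.20.3.10 ()\tStatus: Up\n"
    "Host: 10.20.127.254 ()\tStatus: Up\n"
    "Host: 10.99.0.1 ()\tStatus: Up\n"  # outside the range, must be ignored
    "# Nmap done (constructed sample)\n"
)


def live_hosts(grepable):
    """Return the addresses that a grepable ping-sweep report marks as Up."""
    hosts = []
    for line in grepable.splitlines():
        if line.startswith("Host:") and "Status: Up" in line:
            hosts.append(ipaddress.ip_address(line.split()[1]))
    return hosts


def plan(cidr, grepable, chunk_prefix=24):
    """Split cidr into chunks; return (chunks with live hosts, empty chunks)."""
    net = ipaddress.ip_network(cidr)
    counts = Counter(
        ipaddress.ip_network(f"{h}/{chunk_prefix}", strict=False)
        for h in live_hosts(grepable) if h in net
    )
    chunks = list(net.subnets(new_prefix=chunk_prefix))
    active = [(c, counts[c]) for c in chunks if counts[c]]
    empty = [c for c in chunks if not counts[c]]
    return active, empty


def worst_case_days(addresses, timeout_s=HOST_TIMEOUT_S):
    """Upper bound if every address ran into the full host timeout, serially."""
    return addresses * timeout_s / 86400


if __name__ == "__main__":
    active, empty = plan("10.20.0.0/17", SAMPLE_GREPABLE)
    for chunk, n in active:
        print(f"scan {chunk}  ({n} live)")
    print(f"skip {len(empty)} chunks with no responders")
    print(f"whole range worst case: {worst_case_days(2 ** 15):.1f} days")
```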

All times are UTC + 10 hours