2025-01-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Detailed explanation of vulnerability scanning in Ossim
OpenVAS is an open source vulnerability scanning system. Building it by hand is a complex process that costs a lot of manpower and time, but because it is free and its functionality is not inferior to commercial vulnerability scanners, it is favored by many users. The following table compares its main functions with those of the NeXpose, RSAS and Qiming vulnerability scanners.
With that background, the following focuses on how to run the vulnerability scanning process graphically under the OSSIM platform.
Preparation: first make sure there are no running scanning processes or tasks.
Scanning for vulnerabilities while upgrading the vulnerability library can cause the upgrade to fail.
Step 1: synchronize plug-ins
# openvas-nvt-sync
[I] This script synchronizes an NVT collection with the 'OpenVAS NVT Feed'.
[I] The 'OpenVAS NVT Feed' is provided by 'The OpenVAS Project'.
[I] Online information about this feed: 'http://www.openvas.org/openvas-nvt-feed.html'.
[i] NVT dir: /var/lib/openvas/plugins
[i] Will use rsync
[i] Using rsync: /usr/bin/rsync
[i] Configured NVT rsync feed: rsync://feed.openvas.org:/nvt-feed
OpenVAS feed server - http://www.openvas.org/
This service is hosted by Intevation GmbH - http://intevation.de/
All transactions are logged.
Please report synchronization problems to openvas-feed@intevation.de.
If you have any other questions, please use the OpenVAS mailing lists
or the OpenVAS IRC chat. See http://www.openvas.org/ for details.
Receiving incremental file list
Deleting gb_openssl_38562.nasl.asc
Deleting gb_openssl_38562.nasl
./
COPYING
588% 574.22kB/s 0:00:00 (xfer#1, to-check=13347/13355)
COPYING.GPLv2
18002 17.17MB/s 0:00:00 (xfer#2, to-check=13346/13355)
COPYING.files
1819904 1.77MB/s 0:00:00 (xfer#3, to-check=13345/13355)
DDI_Directory_Scanner.nasl
32957 32.74kB/s 0:00:00 (xfer#4, to-check=13342/13355)
DDI_Directory_Scanner.nasl.asc
198% 0.20kB/s 0:00:00 (xfer#5, to-check=13341/13355)
......
Synchronizing tens of thousands of plug-ins takes a long time but does not consume many resources, so you can go for a cup of coffee or use the time to learn about the composition of the plug-ins.
Table 1 Classification and distribution of main OpenVAS scripts

Rule name                                     Quantity  Remarks
IIS_frontpage_DOS_2.nasl                      1
Phpbb                                         8
RA_ssh_detect, RA_www_css, RA_www_detect      3
RHSA_2009_03**                                279       Redhat Security Advisory
3com_switches                                 1
Weblogic*                                     3
Cisco_ids, Cisco_***, Ciscoworks              16
Awstats                                       4
Apache                                        23
DDI                                           30
EZ_hotscripts                                 3
Anti_nessus                                   1
Basilix                                       8
Bluecoat                                      1
Bugbear                                       3
Bugzilla                                      9
Ca_unicenter                                  2
Cacti                                         5
Calendar                                      3
Spoll_7_5_sql_injection                       2
Avaya_switches                                1
Citrix                                        8
Clamav                                        2
CUPS                                          12
Cutenews                                      12
Checkpoint                                    6
CheopsNG                                      4
Cvstrac                                       24
DB2                                           4
Deb_*.nasl                                    2595      Debian Linux
DNS                                           5
DeluxeBB                                      3
Eftp                                          3
Ls exchange*, Exchange                        2
Fcore                                         684
Find_service                                  5
Fortigate                                     1
Freebsd                                       2009
Ftp                                           30
Gb_CESA                                       1528
Gb_RHSA                                       871
Gb_adobe                                      167
Gb_apple                                      70
Gb_baofeng_storm                              3
Gb_bpsoft                                     3
Gb_clamav                                     16
Gb_ccproxy                                    2
Gb_clamav                                     16
Gb_fedora                                     4679
Gb_google                                     162
Gb_hp_ux                                      242       HP-UNIX
Gb_ibm_db2                                    27
Gb_ibm_websphere                              8
Gb_ibm_tivoli                                 5
Gb_ibm_was                                    16
Gb_ibm_lotus                                  10
Gb_mandriva                                   1684
Gb_java                                       2
Gb_kaspersky                                  6
Gb_google_chrome                              153
Gb_foxmail                                    2
Gb_fsecure                                    7
Gb_ms                                         155       Windows related
Gb_ubuntu                                     1261
Gb_samba                                      12
Gb_sun_java                                   35
Gb_wireshark                                  87
Glsa                                          1727
Gb_vmware                                     41
IIS                                           20
Lotus                                         5
Ipswitch                                      5
Mysql                                         5
Gb_nmap                                       187
Nortel                                        7
Nagios                                        5
Openssh                                       4
Oscommerce                                    5
Postgresql                                    5
Phpgroupware                                  12
Phpmyadmin                                    7
Phpbb                                         8
Smb                                           52
Sendmail                                      15
Suse                                          65
Ssh                                           11
Smtp                                          9
Ubuntu                                        179
Tomcat                                        6
Tftp                                          11
Wu_ftpd                                       6
Step 2: update the plug-ins (it is recommended to do this under light load)
# perl /usr/share/ossim/scripts/vulnmeter/updateplugins.pl migrate    /* compare the consumption of CPU and disk I/O */
2015-09-07 07:27:33 Framework profile has been found...
2015-09-07 07:27:33 Deleting all tasks in 192.168.11.150.
2015-09-07 07:27:33 updateplugins: configured to not updateplugins
2015-09-07 07:27:33 updateplugins: configured to not repair DB
2015-09-07 07:27:33 BEGIN-DUMP PLUGINS
2015-09-07 07:29:01 FINISH-DUMP PLUGINS [Process took 88 seconds]
2015-09-07 07:29:01 BEGIN-IMPORT PLUGINS
2015-09-07 07:30:00 FINISH-IMPORT PLUGINS [40473 plugins-Process took 59 seconds]
2015-09-07 07:30:00 BEGIN-UPDATE CATEGORIES
2015-09-07 07:30:00 FINISH-UPDATE CATEGORIES [Process took 0 seconds]
2015-09-07 07:30:00 BEGIN-UPDATE FAMILIES
2015-09-07 07:30:00 FINISH-UPDATE FAMILIES [Process took 0 seconds]
2015-09-07 07:30:00 BEGIN-UPDATE OPENVAS_PLUGINS
2015-09-07 07:30:03 FINISH-UPDATE OPENVAS_PLUGINS [Process took 3 seconds]
2015-09-07 07:30:03 BEGIN-UPDATE NESSUS_PREFERENCES
2015-09-07 07:30:03 show tables like "vuln_nessus_preferences_defaults"
2015-09-07 07:30:03 updateprefs: Getting plugin preferences
2015-09-07 07:30:05 FINISH-UPDATE NESSUS_PREFERENCES [Process took 2 seconds]
2015-09-07 07:30:06 Creating Deep profile...
2015-09-07 07:30:06 Filling categories.
2015-09-07 07:30:06 Done
2015-09-07 07:30:06 Filling families...
2015-09-07 07:30:06 Done
2015-09-07 07:30:06 Filling plugins...
2015-09-07 07:30:13 Filling preferences in Alienvault DB...
2015-09-07 07:30:14 Done
2015-09-07 07:30:14 Deep profile inserted
2015-09-07 07:30:15 Creating Default profile...
2015-09-07 07:30:15 Filling categories.
2015-09-07 07:30:15 Done
2015-09-07 07:30:15 Filling families...
2015-09-07 07:30:15 Done
2015-09-07 07:30:15 Filling plugins...
2015-09-07 07:30:23 Filling preferences in Alienvault DB...
2015-09-07 07:30:24 Done
2015-09-07 07:30:24 Default profile inserted
2015-09-07 07:30:24 Creating Ultimate profile...
2015-09-07 07:30:24 Filling categories.
2015-09-07 07:30:24 Done
2015-09-07 07:30:24 Filling families...
2015-09-07 07:30:24 Done
2015-09-07 07:30:24 Filling plugins...
2015-09-07 07:30:32 Filling preferences in Alienvault DB...
2015-09-07 07:30:33 Done
2015-09-07 07:30:33 Ultimate profile inserted
2015-09-07 07:30:33 BEGIN-UPDATE PORT SCANNER
2015-09-07 07:30:35 FINISH-UPDATE PORT SCANNER [Process took 2 seconds]
Updating plugin_sid vulnerabilities scanner ids
Plugins fetched
Updating...
Script id:94151, Name:IT-Grundschutz M4.288: Sichere Administration von VoIP-Endgeräten, Priority:0
Script id:703073, Name:Debian Security Advisory DSA 3073-1 (libgcrypt11-security update), Priority:1
Script id:804624, Name:Adobe Reader Plugin Signature Bypass Vulnerability (Windows), Priority:2
Script id:868149, Name:Fedora Update for kernel FEDORA-2014-9959, Priority:5
Script id:95048, Name:IT-Grundschutz M5.145: Sicherer Einsatz von CUPS, Priority:0
Script id:842216, Name:Ubuntu Update for linux USN-2616-1, Priority:4
Script id:105036, Name:Open × × Detection, Priority:0
Script id:868005, Name:Fedora Update for audacious-plugins FEDORA-2014-8183, Priority:1
Script id:869350, Name:Fedora Update for springframework FEDORA-2015-6862, Priority:5
... ...
Script id:105084, Name:Multiple ManageEngine Products Arbitrary File Upload Vulnerability, Priority:3
Script id:867751, Name:Fedora Update for python-keystoneclient FEDORA-2014-5555, Priority:3
Script id:882209, Name:CentOS Update for nss CESA-2015:1185 centos6, Priority:2
Script id:842209, Name:Ubuntu Update for libmodule-signature-perl USN-2607-1, Priority:5
After waiting a quarter of an hour, the update finally completed. Note that the process must be run through in one go; it cannot be forcibly exited halfway.
The timeline below shows the order and duration of each step, as shown in the following figure; this run started at 00:34:34 and ended at 00:38:50 on a certain day.
If some users are not used to running upgrade commands in the CLI, this work can also be done in the WebUI.
Step 3: verify updates
The last line shows a total of 40473 plug-ins; comparing this with the number of downloaded plug-ins confirms that the upgrade is complete.
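The timeline of Step 2 and the count check of Step 3 can both be read straight from the updateplugins.pl log. The following is an added example, not part of the article or of OSSIM's own scripts: it parses a constructed sample of those log lines, measures each BEGIN/FINISH phase from the timestamps, extracts the imported plugin count, compares it with the .nasl files in the NVT dir, and flags a phase that was started but never finished (what a forced exit halfway looks like). The function names are mine.

```python
"""Parse the updateplugins.pl log above: per-phase durations, the imported
plugin count, and the Step 3 check against the NVTs on disk (added example)."""
import re
from datetime import datetime

# Constructed sample, shaped like the article's log lines.
SAMPLE_LOG = """\
2015-09-07 07:27:33 Framework profile has been found...
2015-09-07 07:27:33 BEGIN-DUMP PLUGINS
2015-09-07 07:29:01 FINISH-DUMP PLUGINS [Process took 88 seconds]
2015-09-07 07:29:01 BEGIN-IMPORT PLUGINS
2015-09-07 07:30:00 FINISH-IMPORT PLUGINS [40473 plugins-Process took 59 seconds]
2015-09-07 07:30:33 BEGIN-UPDATE PORT SCANNER
2015-09-07 07:30:35 FINISH-UPDATE PORT SCANNER [Process took 2 seconds]
"""
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (BEGIN|FINISH)-(.+?)(?: \[(.*)\])?$")
COUNT_RE = re.compile(r"(\d+) plugins")

def parse_phases(log_text):
    """Return (phases, imported, unfinished). phases: list of (name, seconds)
    measured from the BEGIN/FINISH timestamps, not the 'Process took' text.
    unfinished: phases with BEGIN but no FINISH, i.e. what a forced exit
    halfway through the update leaves behind."""
    starts, phases, imported = {}, [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        kind, phase, detail = m.group(2), m.group(3), m.group(4) or ""
        if kind == "BEGIN":
            starts[phase] = ts
        elif phase in starts:
            phases.append((phase, int((ts - starts.pop(phase)).total_seconds())))
            found = COUNT_RE.search(detail)
            if found:
                imported = int(found.group(1))
    return phases, imported, sorted(starts)

def verify_import(imported, plugin_dir_listing):
    """Step 3 check: the FINISH-IMPORT count must equal the number of .nasl
    scripts openvas-nvt-sync left in the NVT dir (.asc signatures do not count)."""
    on_disk = sum(1 for name in plugin_dir_listing if name.endswith(".nasl"))
    return imported is not None and imported == on_disk
```

On a real system pass the output of updateplugins.pl to parse_phases and os.listdir("/var/lib/openvas/plugins") to verify_import.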
Note: vulnerability upgrade video can be accessed: http://www.tudou.com/programs/view/kyTmc42Ky14/
Step 4: start vulnerability scanning and customize the policy
First, scan the assets and build a resource pool; this is not described in detail here. Three policies are defined by default in the OSSIM system; the default, Default, is the most commonly used.
If you need to change the policy, click the CREATE NEW PROFILE button.
Then start scanning: fill in the task name, select the Sensor, select the policy, select the hosts from the resource pool, and finally click the New Task button.
Scan preparation
Which processes are busiest during vulnerability scanning?
htop is an interactive process viewer for Linux systems; running it lets administrators watch how the system changes while a scan runs:
# htop -d 50
How many machines are appropriate to scan at a time?
If the number of servers in the monitored network segment exceeds 25 (say there are 100), perform at least 4 separate scans. If instead a whole network segment is entered directly, such as "192.168.11.0/24", the load on the OSSIM system rises significantly and the scan waiting time is greatly prolonged, possibly to several days, until it exceeds the cycle of the scheduled task; this can create a vicious circle that eventually drags down the entire system.
After more than 300 minutes the task still had not finished, and in the end it could not escape the fate of failure.
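An added example (not from the article or from OSSIM) that applies the sizing rule above: it expands CIDR and single-host targets, drops duplicates where ranges overlap, and splits the hosts into evenly sized batches of at most 25, one per scan task, so that 100 hosts become exactly 4 tasks rather than one oversized task. MAX_HOSTS_PER_TASK and task_names are my own names.

```python
"""Split scan targets into batches of at most 25 hosts, the article's rule of
thumb, instead of handing OSSIM a whole segment as one task (added example)."""
import ipaddress
import math

MAX_HOSTS_PER_TASK = 25  # threshold from the article

def expand(target):
    """One CIDR or single address -> list of host strings. A /24 drops its
    network and broadcast addresses; a single host or a /31 is returned as-is."""
    net = ipaddress.ip_network(target, strict=False)
    if net.num_addresses <= 2:
        return [str(a) for a in net]
    return [str(a) for a in net.hosts()]

def split_targets(targets, max_hosts=MAX_HOSTS_PER_TASK):
    """Return batches (lists of host strings), each no longer than max_hosts,
    evenly sized so that e.g. 100 hosts become exactly 4 tasks of 25."""
    hosts, seen = [], set()
    for t in targets:
        for h in expand(t):
            if h not in seen:  # overlapping targets must not double-scan a host
                seen.add(h)
                hosts.append(h)
    if not hosts:
        return []
    n_tasks = math.ceil(len(hosts) / max_hosts)
    size = math.ceil(len(hosts) / n_tasks)
    return [hosts[i:i + size] for i in range(0, len(hosts), size)]

def task_names(prefix, batches):
    """Names for the New Task form, e.g. 'vuln-2/11 192.168.11.25-192.168.11.48'."""
    return ["%s-%d/%d %s-%s" % (prefix, i + 1, len(batches), b[0], b[-1])
            for i, b in enumerate(batches)]
```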
Analysis of scanning results
However, when analyzing the results there is the problem of "outdated" vulnerabilities: the system and network-server vulnerabilities that once existed in ancient operating systems such as Windows NT/2000, Solaris 7/8 and Linux (2.2 and 2.4 kernels) have been eliminated in modern systems, the affected systems have been patched, and such findings have become worthless. It makes no sense to scan for these vulnerabilities.
© 2024 shulou.com SLNews company. All rights reserved.