OpenVAS hangs at 1%, how to fix?

I've been dealing with problems with my OpenVAS scans not completing for a while, at least a couple weeks. Thought it might have been a bug introduced in a previous upgrade. I've tried running alienvault-reconfig and alienvault-upgrade multiple times. 

Nothing shows in the agent, framework, frameworkd or frameworkd_error logs.

I'm getting the following in /var/log/ossim/nessus_cron.log. 

    2013-01-09 15:19:04 [15106] INFO task id='76fd2f2d-b6d2-40d2-a38f-445b936b3cd7' Running (1%)
    2013-01-09 15:19:12 [15106] INFO /usr/bin/omp -h 192.168.100.42 -p 9390 -u ossim -w ossim -iX "<get_tasks task_id='76fd2f2d-b6d2-40d2-a38f-445b936b3cd7'/>" > /usr/share/ossim/www/vulnmeter/tmp/tmp_nessus_jobs15106.xml 2>&1


I tried looking at the command output from above. Of interest, the host_progress is always at zero.

    <get_tasks_response status="200" status_text="OK">
      <task_count>1</task_count>
      <sort>
        <field>ROWID
          <order>ascending</order>
        </field>
      </sort>
      <apply_overrides>0</apply_overrides>
      <task id="9c9459ac-3b1a-4025-8651-82b6490a9c7a">
        <name>Test</name>
        <comment></comment>
        <owner>
          <name>ossim</name>
        </owner>
        <observers></observers>
        <config id="14d5ec70-892c-45d0-b00d-07eb2d06233f">
          <name>Default</name>
          <trash>0</trash>
        </config>
        <escalator id="">
          <name></name>
          <trash>0</trash>
        </escalator>
        <target id="08f4540c-881a-4a8a-9ace-aafda2808978">
          <name>target17388</name>
          <trash>0</trash>
        </target>
        <slave id="">
          <name></name>
          <trash>0</trash>
        </slave>
        <status>Running</status>
        <progress>1
          <host_progress>0
            <host>192.168.100.50</host>
          </host_progress>
        </progress>
        <report_count>1
          <finished>0</finished>
        </report_count>
        <trend></trend>
        <schedule id="">
          <name></name>
          <next_time>over</next_time>
          <trash>0</trash>
        </schedule>
        <preferences>
          <preference>
            <name>Maximum concurrently executed NVTs per host</name>
            <scanner_name>max_checks</scanner_name>
            <value>10</value>
          </preference>
          <preference>
            <name>Maximum concurrently scanned hosts</name>
            <scanner_name>max_hosts</scanner_name>
            <value>5</value>
          </preference>
        </preferences>
      </task>
    </get_tasks_response>


Then I looked at the openvas running processes:

    ps -ax | grep openvas
    Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
    13408 pts/1    S+     0:00 grep --color=auto openvas
    13704 pts/0    S      0:06 /usr/sbin/openvasmd --database=/var/lib/openvas/mgr/tasks.db --listen=0.0.0.0 --port=9390 --slisten=127.0.0.1 --sport=9391
    14493 ?        Ss     0:09 openvassd: waiting for incoming connections
    21130 ?        SNs    0:07 openvassd: serving 127.0.0.1
    21131 pts/0    S      0:02 /usr/sbin/openvasmd --database=/var/lib/openvas/mgr/tasks.db --listen=0.0.0.0 --port=9390 --slisten=127.0.0.1 --sport=9391
    21148 ?        SN     0:00 openvassd: testing 192.168.100.50
    21447 ?        SN     0:00 openvassd: testing 192.168.100.50 (/var/lib/openvas/plugins/portscan-tcp-simple.nasl)
    24584 pts/0    S+     0:00 tail openvasmd.log -f

I tried renaming the portscan-tcp-simple.nasl to see if it might be the problem based on some outside research, but that resulted in the same behavior again with a different port scanner:

    ps -ax | grep openvas
    Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
    13704 pts/0    S      0:09 /usr/sbin/openvasmd --database=/var/lib/openvas/mgr/tasks.db --listen=0.0.0.0 --port=9390 --slisten=127.0.0.1 --sport=9391
    14493 ?        Ss     0:10 openvassd: waiting for incoming connections
    18139 ?        SNs    0:07 openvassd: serving 127.0.0.1
    18144 pts/0    S      0:05 /usr/sbin/openvasmd --database=/var/lib/openvas/mgr/tasks.db --listen=0.0.0.0 --port=9390 --slisten=127.0.0.1 --sport=9391
    18259 ?        SN     0:00 openvassd: testing 192.168.100.50
    19347 ?        SN     0:00 openvassd: testing 192.168.100.50 (/var/lib/openvas/plugins/portscan-strobe.nasl)
    23582 pts/1    S+     0:00 grep --color=auto openvas
    24584 pts/0    S+     0:00 tail openvasmd.log -f

How can I proceed from here?
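
The symptom described in the post above (a Running task whose host_progress never leaves 0) can be detected automatically by comparing successive get_tasks responses. This is an added example, not part of the original post; the sample responses, the task ids, the second host and the 30-minute threshold are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

def host_progress(xml_text):
    """Return {(task_id, host): percent} for Running tasks in a get_tasks response."""
    result = {}
    for task in ET.fromstring(xml_text).iter("task"):
        if (task.findtext("status") or "").strip() != "Running":
            continue
        for hp in task.iter("host_progress"):
            # Mixed content: the percentage is the text that precedes <host>.
            pct = int((hp.text or "").strip() or 0)
            host = (hp.findtext("host") or "").strip()
            result[(task.get("id"), host)] = pct
    return result

def stalled(snapshots, max_idle=timedelta(minutes=30)):
    """snapshots: (datetime, xml_text) pairs in time order.
    Return sorted (task_id, host, percent) unchanged for at least max_idle."""
    seen = {}      # (task_id, host) -> (percent, time that percent first appeared)
    latest = None
    for when, xml_text in snapshots:
        latest = when
        current = host_progress(xml_text)
        for key, pct in current.items():
            if key not in seen or seen[key][0] != pct:
                seen[key] = (pct, when)
        for key in [k for k in seen if k not in current]:
            del seen[key]          # task finished or was stopped
    return sorted((tid, host, pct) for (tid, host), (pct, since) in seen.items()
                  if latest - since >= max_idle)

# Constructed sample: task shape trimmed from the response quoted in the post.
TASK = ("<task id='{0}'><status>{1}</status><progress>{2}\n"
        "<host_progress>{3}\n<host>{4}</host></host_progress></progress></task>")

def response(*tasks):
    body = "".join(TASK.format(*t) for t in tasks)
    return "<get_tasks_response status='200'>" + body + "</get_tasks_response>"

T0 = datetime(2013, 1, 9, 15, 19)
STUCK, MOVING = "task-stuck", "task-moving"      # placeholder task ids
SAMPLE = [
    (T0, response((STUCK, "Running", 1, 0, "192.168.100.50"),
                  (MOVING, "Running", 1, 0, "192.168.100.51"))),
    (T0 + timedelta(minutes=20), response((STUCK, "Running", 1, 0, "192.168.100.50"),
                                          (MOVING, "Running", 40, 38, "192.168.100.51"))),
    (T0 + timedelta(minutes=40), response((STUCK, "Running", 1, 0, "192.168.100.50"),
                                          (MOVING, "Running", 80, 79, "192.168.100.51"))),
]
```

Calling `stalled(SAMPLE)` reports only the task that stayed at 0% for the whole 40 minutes; a task that is still advancing is not flagged.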


Best Answer

  • Yeah try using the stealth profile, you'll find it goes much faster. Something is up with the default profile as it calls all the port scanners, which takes forever. You worked around this by disabling strobe and tcp-simple.

Answers

  • One thing that I found is that the first scan after an OpenVAS update takes a while because it has to rebuild the database and reindex everything. How long are you letting the scans run before canceling them?
  • @IanHayes - I've let them run for 8 hours before the scan times out. The hang is at the same point if I cancel it or not. 
  • Strange.. After all this work I just renamed the two files 

    /var/lib/openvas/plugins/portscan-tcp-simple.nasl
    /var/lib/openvas/plugins/portscan-strobe.nasl

    and things are good. Tried the suggestion from the post above without impact. 
  • Hello,

    These are the original files. What should the new renamed files be?

    /var/lib/openvas/plugins/portscan-tcp-simple.nasl
    /var/lib/openvas/plugins/portscan-strobe.nasl
  • @Sandip - it doesn't matter. I renamed them with a .old extension. 
  • It's a bug in the current version. The OpenVAS certs have expired. There is a workaround to fix it. Please follow these instructions:

    1. Regenerate the OpenVAS server certificate:
    # openvas-mkcert -f
    Accept all with the Enter key

    2. Regenerate the OpenVAS client certificate (on all sensors):
    # openvas-mkcert-client -n om -i

    3. Restart all OpenVAS services on the server and all sensors:
    # /etc/init.d/openvas-manager restart
    # /etc/init.d/openvas-scanner restart

    Wait a few minutes and run the scan again.
This discussion has been closed.