"advanced" target definition


I must scan about 300 servers periodically.

Every server has 1 to 10 open ports. There are no similar servers, since they operate veeeery varied services (except ports 22 and 443, which are quite common).

That is, the real targets to be scanned are about 1500 pairs of (IP:port).

The problem is that, as far as I know, OpenVAS target definitions do not allow pair definitions, but only a Cartesian product of IPs and ports. So 300 servers x ~200 possible services equals ~60.000 targets to be scanned, and that takes a long time.

As far as I know, my 2 options are:

  1. Define one target including 300 servers and ~200 ports. This is easy to configure and manage, but takes very long to execute and stresses the system unnecessarily.
  2. Define 300 targets, one for every server. That means scheduling 300 scans, managing 300 reports. I can’t handle that.

Ideally, I’d like to be able to provide OpenVAS a list of targets as a tuple of IP and a list of ports. E.g. [(,[22,80,443]),(,[22,443,8080]),(,[22,8080,5100,5900,6231])]

Did anyone find a workaround to solve this scenario?

Why does it take a long time? If you use only TCP, that is blazing fast; UDP, wrongly configured systems and alive criteria are the huge time killers.

Additionally, why do you limit it to only some ports? There is a huge risk of missing vulnerabilities.

Hi Lukas

  1. Some of the ports are UDP too
  2. Those ports are the ones exposed externally, so I want to check them regularly


Just make two jobs, one for UDP and one for TCP.

OK. Thank you for the approach
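
The two-job split suggested in the thread, worked through as an added example (not part of the original posts): it turns a list of (IP, protocol, port) pairs into one host list and one port range per protocol, and compares the resulting probe count with a single combined target. The inventory, addresses and function names are constructed for illustration; the `T:`/`U:` prefixes follow the port-range notation used by OpenVAS/GVM port lists.

```python
import ipaddress
from collections import defaultdict

# Constructed sample inventory: externally exposed (ip, protocol, port) pairs.
# Addresses come from the documentation range 192.0.2.0/24.
INVENTORY = [
    ("192.0.2.10", "tcp", 22), ("192.0.2.10", "tcp", 80), ("192.0.2.10", "tcp", 443),
    ("192.0.2.11", "tcp", 22), ("192.0.2.11", "tcp", 443), ("192.0.2.11", "tcp", 8080),
    ("192.0.2.12", "tcp", 22), ("192.0.2.12", "tcp", 443), ("192.0.2.12", "udp", 161),
    ("192.0.2.13", "udp", 53), ("192.0.2.13", "udp", 161),
]


def plan_jobs(inventory):
    """Build one scan job per protocol from (ip, proto, port) pairs."""
    per_proto = defaultdict(lambda: defaultdict(set))
    for ip, proto, port in inventory:
        per_proto[proto][ip].add(port)

    jobs = {}
    for proto, hosts in per_proto.items():
        # A target is hosts x ports, so the job needs the union of all ports.
        ports = sorted(set().union(*hosts.values()))
        prefix = "T:" if proto == "tcp" else "U:"
        jobs[proto] = {
            "hosts": sorted(hosts, key=ipaddress.ip_address),
            "port_range": prefix + ",".join(str(p) for p in ports),
            "probes": len(hosts) * len(ports),               # what the scanner will try
            "wanted": sum(len(p) for p in hosts.values()),   # real (IP, port) pairs
        }
    return jobs


def single_job_probes(inventory):
    """Probe count when every host and every port go into one target."""
    hosts = {ip for ip, _, _ in inventory}
    ports = {(proto, port) for _, proto, port in inventory}
    return len(hosts) * len(ports)


if __name__ == "__main__":
    for proto, job in plan_jobs(INVENTORY).items():
        print(proto, ",".join(job["hosts"]), job["port_range"],
              f'{job["wanted"]} wanted / {job["probes"]} probed')
    print("single combined target:", single_job_probes(INVENTORY), "probes")
```

Hosts that expose no UDP port drop out of the UDP job entirely, which is where most of the saving comes from.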