How to modify the NVT default timeouts and also disable NVT using gvm-cli

Question - 1 ?

• Can default NVT timeouts be overriden. For Eg: Generic HTTP Directory Traversal (Web Root) - Active Check NVT: 1.3.6.1.4.1.25623.1.0.106756 has timeout of 1200 seconds. I used gvm-cli to override the default timeout and set the value to 300 as you can see below.

image3250×282 50.5 KB

However after my scan is done, I could see all timeouts with 1200 seconds. Why? I configured timeout as 300 seconds.

image4694×954 314 KB

• NOTE: I have stopped all containers, deleted redis volume so all NVT will be loaded again into cache, but still did not work.

Question - 2:

• How to disable a single VT inside a NVT family using gvm-cli.

For Eg:

• I am trying to disable the checkbox (for ex: for CPE inventory which is enabled)
  

  

  image2479×393 76 KB

• I tried using gvm-cli modify_configs, but it did not work. Here is the command I tried

 gvm-cli --gmp-username admin --gmp-password admin socket --socketpath run/gvmd/gvmd.sock --xml '<modify_config config_id="766ff569-80aa-4a48-9bf4-6d586f288e7a"><preference><nvt oid="1.3.6.1.4.1.25623.1.0.810002"/><name>nvt:1.3.6.1.4.1.25623.1.0.810002</name><value>bm8=</value></preference></modify_config>'

• where the value bm8== is base64 encoded version of no. I also tried base 64 encoded version of 0 as value still, i could see there is no change.

• I tried below command, but unfortunately, all the VT’s within Service detection got disabled except the CPE inventory.

gvm-cli --gmp-username admin --gmp-password admin socket --socketpath gvmd/gvmd.sock --xml '<modify_config config_id="766ff569-80aa-4a48-9bf4-6d586f288e7a"><nvt_selection><family>Service detection</family><nvt oid="1.3.6.1.4.1.25623.1.0.810002"/><name>nvt:1.3.6.1.4.1.25623.1.0.810002</name><value>MA==</value></nvt_selection></modify_config>'

• I though passing single nvt with disable status will actually remove only it. But instead it actually removed rest of the NVT from the family.

Note

My post was hidden strangely due to wrong category selection. Just copying the contents from my previous questions into single one.

• Original issues at: How to update NVT timeout, plugins_timeout and max_vts_timeouts not working - #3
• How to disable a VT via gvm-cli using oid - #3
• Is the default timeout for NVT be overriden - Seems like timeout never getting updated - #3 by mahidhar190699
• How to update NVT script timeouts using gvm-cli - #3 by mahidhar190699

Also, I have observed that VT’s are taking longer than default Timeout.

For Eg: The current server time is 08:28, and the NASL script gb_generic_http_web_root_dir_trav.nasl started at 7:57 am, so its like almost 30 Minutes. The default timeout for gb_generic_http_web_root_dir_trav is 1200 seconds. So any idea why is it taking more than 20 min and still no time out occured.

• However in the GSA, when errors are looked, it says NVT Timed out at 1200 seconds.

ubuntu@ubuntu-dev-vulnscanner-1:~$ date
Fri Dec  6 08:28:14 UTC 2024
ubuntu@ubuntu-dev-vulnscanner-1:~$ ps -eo pid,lstart,cmd | grep "[o]penvas: testing"
 ubuntu@ubuntu-dev-vulnscanner-1:~$ ps -eo pid,lstart,cmd | grep "[o]penvas: testing"
  15591 Fri Dec  6 07:26:14 2024 openvas: openvas: testing XX.YY.ZZ.AA
  17532 Fri Dec  6 07:26:46 2024 openvas: openvas: testing XX.YY.ZZ.AA
  17671 Fri Dec  6 07:26:47 2024 openvas: openvas: testing XX.YY.ZZ.AA
 125056 Fri Dec  6 07:57:29 2024 openvas: openvas: testing XX.YY.ZZ.AA (gb_generic_http_web_root_dir_trav.nasl)
 125057 Fri Dec  6 07:57:29 2024 openvas: openvas: testing XX.YY.ZZ.AA (gb_generic_http_web_root_dir_trav.nasl)
 125058 Fri Dec  6 07:57:29 2024 openvas: openvas: testing XX.YY.ZZ.AA (gb_generic_http_web_root_dir_trav.nasl)
 125857 Fri Dec  6 07:57:37 2024 openvas: openvas: testing XX.YY.ZZ.AA (gb_generic_http_web_root_dir_trav.nasl)
 125858 Fri Dec  6 07:57:37 2024 openvas: openvas: testing XX.YY.ZZ.AA (gb_generic_http_web_root_dir_trav.nasl)
 125859 Fri Dec  6 07:57:37 2024 openvas: openvas: testing XX.YY.ZZ.AA (gb_generic_http_web_root_dir_trav.nasl)
 126017 Fri Dec  6 07:57:39 2024 openvas: openvas: testing XX.YY.ZZ.AA (gb_generic_http_web_root_dir_trav.nasl)
 126018 Fri Dec  6 07:57:39 2024 openvas: openvas: testing XX.YY.ZZ.AA (gb_generic_http_web_root_dir_trav.nasl)
 126019 Fri Dec  6 07:57:39 2024 openvas: openvas: testing XX.YY.ZZ.AA (gb_generic_http_web_root_dir_trav.nasl)
ubuntu@ubuntu-dev-vulnscanner-1:~$ 

Hello,
have you been able to solve the problem? I am also experiencing huge timeouts with NVTs: Directory scanner and Generic Generic HTTP Directory Traversal (Web Root) - Active Check.

@KokotomMak

Great that no one seems responding even from the greenbone community. So pathetic. Sorry for late reply, I was so confident that no one would reply so I haven’t look at forum for a long time.

For now, i wrote a script which kills NASL scripts running longer than 300 seconds. Thats a better option.

I can give you a couple quick hints for your problems, but the answer is to read the docs carefully.

For modifying a scan config you are using the modify_config command. Reading the docs:

This command can perform four types of actions: 1) modifying preferences, 2) changing the family selection, 3) changing the NVT selection of families, or 4) modifying basic fields like the name or comment.

The third option, NVT selections, must include a family and may include any number of NVTs. The manager updates each given family in the config to include only the given NVTs. If the family selection is also changed, this should be done first as it can also change the NVT selection of families.

This functionality is also the same as python-gvm’s modify_scan_config_set_nvt_selection

So the answer is that it adjusts the scan config family to include only the given NVTs. It doesn’t turn them on or off one by one.

Next issue, if you want to set a global timeout for plugins, it should be set using the plugins_timeout flag option when starting openvas-scanner. This will kill the plugin process when it is over the plugins_timeout value in seconds.

plugins_timeout: This is the maximum lifetime, in seconds of a plugin. It may happen that some plugins are slow because of the way they are written or the way the remote server behaves. This option allows you to make sure your scan is never caught in an endless loop because of a non-finishing plugin. Doesn’t affect ACT_SCANNER plugins.

You should also be able to modify each plugin’s default timeout using gvm-cli or python-gvm. The python-gvm function is modify_scan_config_set_nvt_preference. For gvm-cli, read the GMP docs carefully.

From the docs:

The first type modifies the preferences on the config. If a preference includes an NVT, then the preference is an NVT preference, otherwise the preference is a scanner preference. If the preference includes a value then the manager updates the value of the preference, otherwise the manager removes the preference. The value must be base64 encoded.

Maybe also related to the following PR below which has the following text included:

and fixes timeouts in the config being overwritten by their default values.