OpenVAS scans Fast and Full do Brute force?

Good day everyone,

Recently we have been putting into place a bunch of network monitoring software to keep an eye on any shady activity on our domain. One piece of monitoring software in particular has been alerting us with failed logon attempts in the hundreds every night (which I had just now realized it's coming from the Greenbone equipment I have set up, GSM 150). I have a rotating scan each night for each of our domain controllers that are on site at each location.

When scanning with OpenVAS and Fast and Full, does the scan attempt a slew of logon attempts with a set list of well-known usernames? Our logs point this out. Is there a way to stop it running that portion of the scan in particular? I have set our threshold to not alert us when these happen now, but the logs it builds up are more than we would like in our database, requiring us to purge or move them monthly instead of semi-yearly.

Thanks,

Kyle

Hi Kyle,

Yes, “Full and Fast” will do some default credential checks. You can disable them in “Options for Brute Force NVTs” (OID: 1.3.6.1.4.1.25623.1.0.103697).

Please be aware that by doing so you will reduce the coverage of the scan and might miss crucial vulnerabilities.

There might be safer approaches, e.g. filtering attempts from the scanner IP, or other measures depending on your log server capabilities.

Chris

1 Like
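The scanner-IP filtering suggested above, as an added example that is not part of the original thread and is not Greenbone code. It assumes the log server receives Windows failed-logon events (Event ID 4625) as parsed records; the scanner address, the scan window and the field names are placeholders. Scanner events are dropped only inside the scheduled window and are still counted per target, so failed logons from the scanner address at any other time raise an alert.

```python
import ipaddress
from datetime import datetime, time

# Assumptions (not from the thread): scanner address, scan window, field names.
SCANNER_IPS = {ipaddress.ip_address("192.0.2.50")}  # placeholder for the GSM address
SCAN_WINDOW = (time(1, 0), time(4, 0))              # nightly scan slot, local time
FAILED_LOGON = 4625                                 # Windows: an account failed to log on

def in_window(ts):
    """True if ts falls in the scan window (handles windows that cross midnight)."""
    start, end = SCAN_WINDOW
    t = ts.time()
    return start <= t < end if start <= end else (t >= start or t < end)

def triage(event):
    """Return 'drop', 'alert' or 'keep' for one parsed event."""
    if event["event_id"] != FAILED_LOGON:
        return "keep"
    if ipaddress.ip_address(event["src_ip"]) in SCANNER_IPS:
        # Failed logons from the scanner outside its schedule are unexpected.
        return "drop" if in_window(event["ts"]) else "alert"
    return "keep"

def ingest(events):
    """Return (stored events, alerts, dropped-count per target host)."""
    stored, alerts, dropped = [], [], {}
    for ev in events:
        verdict = triage(ev)
        if verdict == "drop":
            dropped[ev["host"]] = dropped.get(ev["host"], 0) + 1
            continue
        stored.append(ev)
        if verdict == "alert":
            alerts.append(ev)
    return stored, alerts, dropped

# Constructed sample events, not real log data.
SAMPLE = [
    {"ts": datetime(2024, 1, 10, 2, 15), "host": "dc01", "event_id": 4625, "src_ip": "192.0.2.50"},
    {"ts": datetime(2024, 1, 10, 2, 16), "host": "dc01", "event_id": 4625, "src_ip": "192.0.2.50"},
    {"ts": datetime(2024, 1, 10, 2, 20), "host": "dc02", "event_id": 4625, "src_ip": "198.51.100.7"},
    {"ts": datetime(2024, 1, 10, 14, 5), "host": "dc01", "event_id": 4625, "src_ip": "192.0.2.50"},
    {"ts": datetime(2024, 1, 10, 2, 30), "host": "dc01", "event_id": 4624, "src_ip": "192.0.2.50"},
]

if __name__ == "__main__":
    stored, alerts, dropped = ingest(SAMPLE)
    print(f"stored={len(stored)} alerts={len(alerts)} dropped={dropped}")
```

The per-host drop count can be written as one summary record per night, which keeps evidence that the scan ran without storing every attempt.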

Hey Chris,

Our log server does have specific thresholds we can put in place before it spits out an alert to the team. I think I will keep a deep scan in place for our servers once a month and remove the brute force from the weekly scans to drop some of the log buildup in our database.

Thanks for the help!

2 Likes