Some IP ranges don't scan, others do. I'm puzzled

Hi,

I’m using the current containers and I added some /24 to scan, but some just won’t scan at all.
Like 192.168.8.0/24 scans just fine, 192.168.2.0/24 doesn’t. 9 out of 21 subnets are like this.

Here is a stripped down version of the huge log from that /24 scan.
Sometimes it shows 254 hosts; in this case it shows only 1, even though it is a whole subnet. Every host in this subnet is reachable from the server, and with packet captures I see there’s not even an attempt to contact them.

Am I missing something? Are there other logs that show why it thinks they are dead?

2022-10-13 08:51:50,446: DEBUG: (ospd.ospd) ce5eec9a-968d-4872-9e14-9d75aff50c80: Current scan status: QUEUED,
2022-10-13 08:51:50,446: DEBUG: (ospd.ospd) ce5eec9a-968d-4872-9e14-9d75aff50c80: Results sent successfully to the client. Cleaning temporary result list.
2022-10-13 08:51:54,730: DEBUG: (ospd.ospd) ce5eec9a-968d-4872-9e14-9d75aff50c80: Set scan status INIT,
2022-10-13 08:51:54,733: DEBUG: (ospd.ospd) ce5eec9a-968d-4872-9e14-9d75aff50c80: Set scan status RUNNING,
2022-10-13 08:51:55,478: DEBUG: (ospd.ospd) ce5eec9a-968d-4872-9e14-9d75aff50c80: Results sent successfully to the client. Cleaning temporary result list.
2022-10-13 08:51:58,099: DEBUG: (ospd_openvas.preferencehandler) The VT 1.3.6.1.4.1.25623.1.1.12.2010.999.1 is handled by notus. Ignoring.

[30790 Lines of Ignoring stuff]

2022-10-13 08:52:07,109: DEBUG: (ospd_openvas.preferencehandler) The VT 1.3.6.1.4.1.25623.1.1.2.2017.1087 is handled by notus. Ignoring.
2022-10-13 08:52:10,523: DEBUG: (ospd.ospd) ce5eec9a-968d-4872-9e14-9d75aff50c80: Current scan status: RUNNING,
2022-10-13 08:52:10,523: DEBUG: (ospd.ospd) ce5eec9a-968d-4872-9e14-9d75aff50c80: Current scan progress: 0,
2022-10-13 08:52:10,523: DEBUG: (ospd.ospd) ce5eec9a-968d-4872-9e14-9d75aff50c80: Check scan process:
Progress 0
Status: RUNNING
2022-10-13 08:52:15,544: DEBUG: (ospd.ospd) ce5eec9a-968d-4872-9e14-9d75aff50c80: Results sent successfully to the client. Cleaning temporary result list.
2022-10-13 08:52:19,845: DEBUG: (ospd_openvas.preferencehandler) hosts_ordering is a scanner only setting and should not be set by the client. Setting needs to be included in OpenVAS configuration file instead.
2022-10-13 08:52:19,887: DEBUG: (ospd.ospd) ce5eec9a-968d-4872-9e14-9d75aff50c80: Current scan status: RUNNING,
2022-10-13 08:52:19,909: DEBUG: (ospd_openvas.openvas) Starting scan with niceness 10
2022-10-13 08:52:19,918: DEBUG: (ospd_openvas.daemon) pid = 493
2022-10-13 08:52:20,546: DEBUG: (ospd.server) New request from /run/ospd/ospd-openvas.sock
2022-10-13 08:52:20,546: DEBUG: (ospd.ospd) Handling get_scans command request.
2022-10-13 08:52:20,923: DEBUG: (root) ce5eec9a-968d-4872-9e14-9d75aff50c80: Current progress:
{‘count_alive’: 0,
‘count_dead’: 0,
‘count_excluded’: 0,
‘count_total’: 1,
‘current_hosts’: {},
‘overall’: 0}
2022-10-13 08:52:20,924: DEBUG: (ospd.scan) ce5eec9a-968d-4872-9e14-9d75aff50c80: Setting the following hosts as dead: []
2022-10-13 08:52:20,924: DEBUG: (ospd.scan) ce5eec9a-968d-4872-9e14-9d75aff50c80: Setting the following hosts as finished: []
2022-10-13 08:52:21,926: DEBUG: (ospd.ospd) ce5eec9a-968d-4872-9e14-9d75aff50c80: Current scan status: RUNNING,
2022-10-13 08:52:21,927: DEBUG: (ospd.ospd) Calculating scan progress with the following data:
2022-10-13 08:52:21,927: DEBUG: (ospd.ospd) ce5eec9a-968d-4872-9e14-9d75aff50c80: Current scan progress: 0,
2022-10-13 08:52:21,928: DEBUG: (root) ce5eec9a-968d-4872-9e14-9d75aff50c80: Current progress:
{‘count_alive’: 0,
‘count_dead’: 0,
‘count_excluded’: 0,
‘count_total’: 1,
‘current_hosts’: {},
‘overall’: 0}
2022-10-13 08:52:22,932: DEBUG: (ospd.scan) ce5eec9a-968d-4872-9e14-9d75aff50c80: Setting the following hosts as dead: []
2022-10-13 08:52:22,932: DEBUG: (ospd.scan) ce5eec9a-968d-4872-9e14-9d75aff50c80: Setting the following hosts as finished: []
2022-10-13 08:52:23,934: DEBUG: (ospd_openvas.daemon) Process is a Zombie, waiting for it to clean up
2022-10-13 08:52:23,934: DEBUG: (ospd.ospd) ce5eec9a-968d-4872-9e14-9d75aff50c80: Current scan status: RUNNING,
2022-10-13 08:52:23,935: DEBUG: (ospd_openvas.daemon) ce5eec9a-968d-4872-9e14-9d75aff50c80: Set total hosts counted by OpenVAS: 0
2022-10-13 08:52:23,935: DEBUG: (ospd.ospd) Calculating scan progress with the following data:
2022-10-13 08:52:23,935: DEBUG: (ospd.ospd) ce5eec9a-968d-4872-9e14-9d75aff50c80: Current scan progress: 0,
2022-10-13 08:52:23,936: DEBUG: (root) ce5eec9a-968d-4872-9e14-9d75aff50c80: Current progress:
{‘count_alive’: 0,
‘count_dead’: 0,
‘count_excluded’: 0,
‘count_total’: 0,
‘current_hosts’: {},
‘overall’: 0}
2022-10-13 08:52:23,936: DEBUG: (ospd.scan) ce5eec9a-968d-4872-9e14-9d75aff50c80: All hosts dead or excluded.
2022-10-13 08:52:23,937: DEBUG: (ospd.scan) ce5eec9a-968d-4872-9e14-9d75aff50c80: Setting the following hosts as dead: []
2022-10-13 08:52:23,937: DEBUG: (ospd.scan) ce5eec9a-968d-4872-9e14-9d75aff50c80: Setting the following hosts as finished: []
2022-10-13 08:52:25,559: DEBUG: (ospd.ospd) ce5eec9a-968d-4872-9e14-9d75aff50c80: Current scan status: FINISHED,
2022-10-13 08:52:25,559: DEBUG: (ospd.ospd) ce5eec9a-968d-4872-9e14-9d75aff50c80: Current scan progress: 100,
2022-10-13 08:52:25,560: DEBUG: (ospd.ospd) ce5eec9a-968d-4872-9e14-9d75aff50c80: Check scan process:
Progress 100
Status: FINISHED

@weisker is the keep alive check configured correctly?

2022-10-13 08:52:23,936: DEBUG: (ospd.scan) ce5eec9a-968d-4872-9e14-9d75aff50c80: All hosts dead or excluded.

Or is some exclude range configured?

Eero

That would be too easy. There are no exclusions set. Keep Alive check is the default for all scans. There’s no difference in these 9 scans that fail compared to the others, except it is a different /24.

In the targets list it shows 254 hosts for these /24s.
In the log it shows a count_total of 254 and next is 0 and then all dead.

Maybe it has something to do with this:
(ospd_openvas.daemon) Process is a Zombie, waiting for it to clean up

Seems openvas is crashing at whatever it tries to start, but I can’t find any logs for that.

You can copy the openvas log via:

docker cp greenbone-community-edition_ospd-openvas_1:/var/log/gvm/openvas.log /tmp/openvas.log

to your file system or print it via:

docker exec greenbone-community-edition_ospd-openvas_1 cat /var/log/gvm/openvas.log

Nothing more in it than that after starting a /24 scan:

sd   main:MESSAGE:2022-10-17 07h41.12 utc:299504: openvas 22.4.1~dev1 started
sd   main:MESSAGE:2022-10-17 07h41.12 utc:299504: attack_network_init: INIT MQTT: SUCCESS
sd   main:MESSAGE:2022-10-17 07h41.18 utc:299504: Vulnerability scan 389e1a08-923a-4c48-a1eb-76cd11de01e5 finished in 6 seconds: 0 alive hosts of 0

The docker-compose logs show this again:

ospd-openvas_1         | OSPD[1] 2022-10-17 07:41:18,523: DEBUG: (ospd.ospd) 389e1a08-923a-4c48-a1eb-76cd11de01e5: Current scan status: RUNNING,
ospd-openvas_1         | OSPD[1] 2022-10-17 07:41:18,524: DEBUG: (ospd.ospd) Calculating scan progress with the following data:
ospd-openvas_1         | OSPD[1] 2022-10-17 07:41:18,524: DEBUG: (ospd.ospd) 389e1a08-923a-4c48-a1eb-76cd11de01e5: Current scan progress: 0,
ospd-openvas_1         | OSPD[1] 2022-10-17 07:41:18,524: DEBUG: (root) 389e1a08-923a-4c48-a1eb-76cd11de01e5: Current progress: 
ospd-openvas_1         | {'count_alive': 0,
ospd-openvas_1         |  'count_dead': 0,
ospd-openvas_1         |  'count_excluded': 0,
ospd-openvas_1         |  'count_total': 254,
ospd-openvas_1         |  'current_hosts': {},
ospd-openvas_1         |  'overall': 0}
ospd-openvas_1         | OSPD[1] 2022-10-17 07:41:18,525: DEBUG: (ospd.scan) 389e1a08-923a-4c48-a1eb-76cd11de01e5: Setting the following hosts as dead: []
ospd-openvas_1         | OSPD[1] 2022-10-17 07:41:18,525: DEBUG: (ospd.scan) 389e1a08-923a-4c48-a1eb-76cd11de01e5: Setting the following hosts as finished: []
ospd-openvas_1         | OSPD[1] 2022-10-17 07:41:19,526: DEBUG: (ospd_openvas.daemon) Process is a Zombie, waiting for it to clean up
ospd-openvas_1         | OSPD[1] 2022-10-17 07:41:19,527: DEBUG: (ospd.ospd) 389e1a08-923a-4c48-a1eb-76cd11de01e5: Current scan status: RUNNING,
ospd-openvas_1         | OSPD[1] 2022-10-17 07:41:19,528: DEBUG: (ospd_openvas.daemon) 389e1a08-923a-4c48-a1eb-76cd11de01e5: Set total hosts counted by OpenVAS: 0

In addition to that, my host now had 14200 defunct processes that only disappeared after stopping the openvas container.
openvas, nmap, grep, pnscan

I would check your alive criteria. Can you ping (ICMP) the hosts? Then switch to that criterion. It fully depends on your network setup; if a firewall is in between, you need to place a sensor there.

I changed the alive check to ping, but no difference at all.
Meanwhile all the other /24s are fine like they always have been.

Of course the server can reach all the hosts in all the subnets I scan without limitations.

With the packet capture there’s not a single contact to this subnet when the scan runs for its 5 seconds before it dies.
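
Added example, not part of any post in this thread and not Greenbone code: a small Python filter for the ospd-openvas debug log that flags scans showing the pattern discussed above, where the progress dict reports a non-zero `count_total` but the daemon later logs `Set total hosts counted by OpenVAS: 0`, and notes whether a `Process is a Zombie` line appeared in between. The failing sample lines are taken from the excerpts above; the healthy scan and its UUID are constructed, and attributing the zombie line to the most recently seen scan ID is an assumption of this sketch.

```python
import re

UUID = r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}"
SCAN_ID = re.compile(UUID)
# Accept straight and typographic quotes: pasted logs often carry the latter.
COUNT_TOTAL = re.compile(r"['‘’]count_total['‘’]:\s*(\d+)")
OPENVAS_TOTAL = re.compile(rf"({UUID}): Set total hosts counted by OpenVAS: (\d+)")

def find_collapsed_scans(lines):
    """Return scans whose target list had hosts but openvas counted 0."""
    scans, current = {}, None
    for line in lines:
        m = SCAN_ID.search(line)
        if m:  # remember the last scan ID; dict continuation lines have none
            current = m.group(0)
            scans.setdefault(current, {"declared": 0, "openvas": None, "zombie": False})
        if current is None:
            continue
        s = scans[current]
        if (m := COUNT_TOTAL.search(line)):
            # keep the highest value: count_total is reset to 0 after the collapse
            s["declared"] = max(s["declared"], int(m.group(1)))
        elif (m := OPENVAS_TOTAL.search(line)):
            s["openvas"] = int(m.group(2))
        elif "Process is a Zombie" in line:
            s["zombie"] = True  # assumption: belongs to the last scan ID seen
    return {sid: s for sid, s in scans.items()
            if s["declared"] > 0 and s["openvas"] == 0}

# First scan is constructed (healthy); second is shortened from the thread's log.
SAMPLE = """\
OSPD[1] 2022-10-17 07:40:01,000: DEBUG: (root) 00000000-0000-4000-8000-000000000001: Current progress:
{'count_alive': 3,
 'count_total': 254,
OSPD[1] 2022-10-17 07:40:02,000: DEBUG: (ospd_openvas.daemon) 00000000-0000-4000-8000-000000000001: Set total hosts counted by OpenVAS: 254
OSPD[1] 2022-10-17 07:41:18,524: DEBUG: (root) 389e1a08-923a-4c48-a1eb-76cd11de01e5: Current progress:
{'count_alive': 0,
 'count_total': 254,
OSPD[1] 2022-10-17 07:41:19,526: DEBUG: (ospd_openvas.daemon) Process is a Zombie, waiting for it to clean up
OSPD[1] 2022-10-17 07:41:19,528: DEBUG: (ospd_openvas.daemon) 389e1a08-923a-4c48-a1eb-76cd11de01e5: Set total hosts counted by OpenVAS: 0
""".splitlines()

if __name__ == "__main__":
    for sid, s in find_collapsed_scans(SAMPLE).items():
        print(f"{sid}: target list had {s['declared']} hosts, "
              f"openvas counted 0, zombie process seen: {s['zombie']}")
```

Run over the output of all 21 subnet scans, this separates scans where openvas itself discarded the host list from scans where hosts were probed and then marked dead by the alive test.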