Spontaneous scanning

We have deployed a version of GCE 6.0.2.
Our SIEM system detected port scan traffic on systems that were previously scanned.
There are no schedules in OpenVAS and manual scan tasks did not start.
How can this behavior be explained?

Please note the described features are enterprise-level features available with any Greenbone Appliance; the GCE is for SOHO users. This typical class of user does not have a SIEM in most cases :wink:

I suggest you contact Greenbone Sales for a test drive of a real appliance (physical / virtual) to integrate this into your SIEM.

Other Greenbone customers send a notification to the SIEM before a scan starts to allow scanning from now on, and after the scan is finished the scan results are pushed as XML to the SIEM and the SIEM can now detect the scans again.

Of course, we didn’t use GCE in an enterprise environment. GCE is deployed in a test environment.
The problem is that OpenVAS scans ports on its own. No one ran a manual or scheduled scan task. Why is this happening?

Are you sure?

Might it be possible that someone froze a VM and resumed it in a scanning state?

You’re right! A network device was frozen and posted old traffic :rage:

I had the same: the web interface showed that all scans were stopped, but from the logs in the shell it was clear that scanning was running.