For the tests I picked one scan target to run the jobs against: a single IP address on my network that I knew had a few minor vulnerabilities. I wanted to test the effect of the settings max_hosts and max_checks, of be_nice, and of whether or not the host was already in the database. I changed one thing at a time and submitted the job to the default scanner using the "Full and fast" scan config each time. My submission XML looks like this:
<create_task>
  <name>New 10.0.0.9</name>
  <comment>cmdline scan</comment>
  <config id="daba56c8-73ec-11df-a475-002264764cea"/>
  <target id="5b9c2dde-77ab-4511-b439-c96984843f5b"/>
  <preferences>
    <preference>
      <scanner_name>max_checks</scanner_name>
      <value>12</value>
    </preference>
  </preferences>
</create_task>
My script to submit that to the scanner is:
#!/bin/bash
#
# Submit create_task.xml to the manager over OMP and start the task it returns.
set -e
RETVAL=$(omp --xml - < create_task.xml)
# Pull the id attribute out of <create_task_response .../> whatever order the
# attributes come in (the old awk '{print $2}' broke if status="..." came first).
TASK=$(printf '%s\n' "$RETVAL" | sed -n 's/.*[[:space:]]id="\([^"]*\)".*/\1/p')
[ -n "$TASK" ] || { echo "create_task failed: $RETVAL" >&2; exit 1; }
RETVAL=$(omp --start-task "$TASK")
I tracked the results of each scan, here's the raw data:
And a couple charts based on that data:
What did I find?
- Whether or not the host is in the database doesn't appear to impact performance. There appears to be no appreciable benefit on a single host scan if there is existing data.
- The be_nice setting in openvassd.conf doesn't appear to have an appreciable impact on performance.
- After 6-8 checks per host there is no noticeable positive effect on performance: it plateaus around there, then starts to drop, and by 12 checks performance is bad. But remember, this system only has 4 cores.
- Load average on the system went pretty high during the scans, as much as 5 at some points, but the system was still usable at that level. I'm amazed at these little boxes. vi would hesitate a bit under load, but nothing terrible.
So, what happens if you want to scan a dozen hosts? If you're using only one ODROID, I recommend you don't exceed 8 plugins running concurrently at any point in time, i.e. keep max_hosts times max_checks at or below 8: set max_hosts to 2 and max_checks to 4, or allow 1 host at a time with 8 checks, whichever you prefer. I plan on testing multiple hosts next; we shall see whether there's any benefit in running more than one host at a time. The other option is to split the scan up across multiple ODROIDs using something like Celery and RabbitMQ, which is what my service is built on.
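To tie the submission script and the concurrency budget together, here is an added example (my own code, not the script from the post): it generates the create_task document with max_hosts and max_checks as task preferences, refuses a pair whose product exceeds the plugin budget, and extracts the task id from the manager's response without depending on attribute order. It assumes the omp client is installed and configured, reuses the config and target UUIDs from the post, and takes the budget of 8 concurrent plugins from the results above; the scanner is only contacted when you pass "submit".

```shell
#!/bin/sh
# Added example: build, size and submit an OpenVAS task over OMP.
# Assumed: omp in PATH and already configured (omp.config); the UUIDs below
# are the ones quoted in the post; 8 is the plugin budget for a 4-core ODROID.

CONFIG_ID="daba56c8-73ec-11df-a475-002264764cea"   # "Full and fast"
TARGET_ID="5b9c2dde-77ab-4511-b439-c96984843f5b"

# Print a create_task document carrying max_hosts/max_checks as task preferences.
build_create_task() {
    name=$1; max_hosts=$2; max_checks=$3
    cat <<EOF
<create_task>
  <name>$name</name>
  <comment>cmdline scan</comment>
  <config id="$CONFIG_ID"/>
  <target id="$TARGET_ID"/>
  <preferences>
    <preference><scanner_name>max_hosts</scanner_name><value>$max_hosts</value></preference>
    <preference><scanner_name>max_checks</scanner_name><value>$max_checks</value></preference>
  </preferences>
</create_task>
EOF
}

# Read a <create_task_response .../> on stdin and print its id attribute.
# Matches on the attribute name, so it works whatever order the manager
# emits status="..." and id="..." in (awk '{print $2}' does not).
task_id_from_response() {
    sed -n 's/.*<create_task_response[^>]*[[:space:]]id="\([^"]*\)".*/\1/p'
}

# Succeed only if max_hosts * max_checks stays within the plugin budget.
within_budget() {
    [ $(($1 * $2)) -le "$3" ]
}

# Build, submit and start a task; prints the task id on success.
submit_task() {
    name=$1; max_hosts=$2; max_checks=$3; budget=${4:-8}
    within_budget "$max_hosts" "$max_checks" "$budget" || {
        echo "max_hosts*max_checks exceeds the budget of $budget plugins" >&2
        return 1
    }
    task=$(build_create_task "$name" "$max_hosts" "$max_checks" \
           | omp --xml - | task_id_from_response)
    [ -n "$task" ] || { echo "create_task failed" >&2; return 1; }
    omp --start-task "$task" >/dev/null
    echo "$task"
}

# Usage: ./scan.sh submit "New 10.0.0.9" 2 4
if [ "${1:-}" = "submit" ]; then
    submit_task "$2" "$3" "$4"
fi
```

Running it with max_hosts 2 and max_checks 6 is rejected before anything reaches the scanner, which is the point: the budget is enforced at submission time rather than discovered when the load average climbs.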
Caveats, notes and todos
- The target I tested had only a few minor vulnerabilities, though OpenVAS runs whatever the scan config specifies regardless.
- Remember, this system only has 4 cores.
- Need to run the same tests against a VM that has vulnerabilities, Metasploitable or DVWA.
- Test multiple hosts at the same time to see where performance degrades.
- I have no idea whether the drop in performance around 10 checks is due to I/O; I wasn't monitoring it, but my gut says it isn't.