- [00:45:54]*stephan (~stephan@p5496F005.dip.t-dialin.net) has quit (Remote host closed the connection)
- [01:43:54]*Piet (~Piet__@28IAAAHUI.tor-irc.dnsbl.oftc.net) has quit (Ping timeout: 480 seconds)
- [05:32:10]*bchandra (~bchandra@119.82.127.3) entered the channel
- [06:58:30]*lmwangi (~lmwangi@196.1.0.57) has quit (Ping timeout: 480 seconds)
- [08:07:50]*mwiegand (~michael@aktaia.intevation.org) entered the channel
- [08:36:18]*lmwangi (~lmwangi@ebene47.mu.afrinic.net) entered the channel
- [08:36:29]*ckuerste (~chris@ppp-58-9-147-192.revip2.asianet.co.th) has quit (Quit: Ex-Chat)
- [08:38:11]*atomicturtle (~sshinn@c-68-50-185-134.hsd1.va.comcast.net) entered the channel
- [08:43:52]*atomicturtle1 (~sshinn@c-68-50-185-134.hsd1.dc.comcast.net) has quit (Ping timeout: 480 seconds)
- [09:24:58] <[machine]> hmmm
- [09:25:34] <[machine]> just found an sqli in gforge on wald i think (by accident)
- [09:25:51] <[machine]> appears to affect the main code base too
- [09:29:05] <felix> [machine]: you mean main gforge code base
- [09:29:08] <[machine]> yeh
- [09:29:30] <[machine]> may have found more than one actually
- [09:29:37] <[machine]> just started looking at code base
- [09:29:39] <[machine]> UNf
- [09:31:04] <[machine]> will release it as an openvas advisory methinks :)
- [09:31:13] <[machine]> (with associated plugin)
- [09:39:07] <bchandra> [machine]: go ahead, give us zero day advantage :)
- [09:44:40]*ekah (c1626c31@webchat.mibbit.com) entered the channel
- [09:46:04] <[machine]> perhaps we should have another mailing list for such matters, i find so many bugs that it would be nice to share with openvas early :)
- [09:48:36] <felix> openvas-plugins-0day ;)
- [09:49:40] <[machine]> anyway.. need to go to the office now..
- [09:58:49] <felix> morning ekah
- [10:02:00] <ekah> morning to all
- [10:10:25]*karl_hr (~el_kallo@aktaia.intevation.org) entered the channel
- [10:33:33]*ekah (c1626c31@webchat.mibbit.com) has quit (Quit: http://www.mibbit.com ajax IRC Client)
- [11:13:26]*jan_oliver (~jan@aktaia.intevation.org) entered the channel
- [11:38:47]*atomicturtle1 (~sshinn@c-68-50-185-134.hsd1.va.comcast.net) entered the channel
- [11:38:47]*atomicturtle (~sshinn@c-68-50-185-134.hsd1.va.comcast.net) has quit (Read error: Connection reset by peer)
- [11:47:16] <felix> GSoC 2010 page is out http://socghop.appspot.com/
- [12:46:39] <kost> felix: great. would gladly help in application.
- [12:48:33] <felix> kost: oh i was missing that you are online
- [12:48:54] <felix> kost: have you ever applied as mentor/organization for gsoc?
- [12:49:23] <felix> kost: maybe we should announce on -devel or -discuss and start working on application etc in private mail
- [12:49:48] <felix> kost: Also we need to collect ideas. I can create an idea page on openvas.org
- [12:50:31] <kost> felix: we can go through CRs for a start and see if something can be used as idea.
- [12:50:51] <kost> felix: Never applied as organization/mentor.
- [12:56:02] <[machine]> ssl stuff :)
- [12:56:21] <[machine]> that would be a great contribution on its own
- [12:56:41] <felix> [machine], kost: agreed. nmap.
- [12:57:09] <kost> maybe it's time for openvas wiki?
- [12:57:21] <[machine]> btw... whilst on site... i was thinking, you know what would be awesome if after an initial scan, you could take an issue and rerun the plugin that reported it, with the existing kb
- [12:57:46] <[machine]> kost: i wish that there was some way to write all the ideas i have about things we /could/ do
- [12:57:59] <[machine]> i bet other people do too
- [12:58:15]*geoff (~geoff@p508A7CA8.dip.t-dialin.net) entered the channel
- [12:58:21] <[machine]> for example, that idea i just mentioned
- [12:58:46] <[machine]> nessus was reporting snmp in a way that i couldn't recreate, even after looking at the plugin
- [12:59:04] <[machine]> it would have been nice to right click, replay with wireshark open
- [12:59:18] <[machine]> none of the va products i've used will do that
- [13:00:42] <felix> [machine]: You mean to reuse the kb but for only one single nvt?
- [13:01:18] <[machine]> yeh
- [13:01:26] <[machine]> the old protocol can't do it easily
- [13:01:33] <[machine]> wondered if the new one could
- [13:04:40] <[machine]> felix: think of it as a "retest this issue" button, for checking for example fixes
- [13:05:20] <kost> yes, that would be good
- [13:05:35] <felix> [machine], kost: Maybe you can start a thread on the mailing list. I am a bit busy right now and have to go soon.
- [13:05:41] <[machine]> sure
- [13:05:51] <[machine]> i will send an email to -develop :)
- [13:05:56] <kost> Also, I think OpenVAS has gone very far to bloatware/modularity, and not into compactness ;)
- [13:06:16] <[machine]> kost: what areas?
- [13:06:33] <kost> and vulnerability identification which should be core stuff.
- [13:06:50] <[machine]> ah, all the management stuff?
- [13:07:05] <kost> yes, too much attention to that stuff, but not to the vulns itself.
- [13:07:13] <[machine]> well, maybe, but that's what makes it worth jan for example investing
- [13:07:18] <[machine]> i do agree though
- [13:07:25] <kost> there is too many local ones, and not too much remote ones :)
- [13:07:29] <[machine]> [machine] nods
- [13:07:32] <[machine]> yeh
- [13:07:37] <[machine]> agreed on that too
- [13:08:06] <[machine]> but... you need more time and different skills to create remote tests
- [13:08:20] <kost> for example, if you look original Nessus, it becomes compacted, it now has www on server/scanner and you just point your browser for scanning...
- [13:08:31] <[machine]> that's something to bring up on -plugins
- [13:08:54] <[machine]> kost: how do you use openvas?
- [13:09:02] <[machine]> i still use the gtk client + server
- [13:09:17] <[machine]> haven't looked at all at the new components
- [13:09:28] <[machine]> that works fine for me
- [13:09:35]*masterwild (~niko@et-1-20.gw-nat.bs.ka.oneandone.net) entered the channel
- [13:09:35] <kost> openvas? tried to use it for remote scans, but too much f/p and not too much useful info...
- [13:09:39] <masterwild> hi
- [13:09:51] <kost> ...i'm not admin, so I don't need it for local scans
- [13:09:59] <[machine]> [machine] nods
- [13:10:04] <[machine]> totally agree
- [13:10:19] <[machine]> bring it up on -plugins/-discuss
- [13:10:27] <[machine]> i'd support you
- [13:10:35] <kost> (except if I penetrate the system and then for further exploitation, I point OpenVAS with creds, but never done that - i.e. running openvas in that point)
- [13:10:54] <kost> (have better tools for that :)
- [13:11:20] <[machine]> but part of the problem is getting a few more pen testers who can dig around in packet dumps etc involved
- [13:11:52] <felix> hi masterwild
- [13:11:58] <[machine]> local checks are cheap to produce, which is why they're done first
- [13:12:07] <kost> [machine]: this paper http://security.lss.hr/images/stories/documents/Nessus_vs_OpenVAS_en.pdf backs up my thinking. openvas misses too much remote ones ;)
- [13:12:21] <[machine]> yeh, i know, seen it
- [13:12:22] <kost> or better :(
- [13:12:50] <[machine]> the lss guys are doing some good work, as is mime(?)
- [13:13:05] <[machine]> but we could do with a few more,... and for me to have 48 hour days :)
- [13:13:09] <kost> [machine]: I understand that, but usually it happens that remote ones never show up ;)
- [13:13:28] <kost> I could do that too (if I have 48 hours days)
- [13:13:43] <atomicturtle1> need to attract more people
- [13:13:51] <[machine]> [machine] nods
- [13:14:02] <kost> gsoc is one way...
- [13:14:08] <[machine]> absolutely
- [13:14:13] <[machine]> okay.. a suggestion
- [13:14:16] <[machine]> if we do gsoc
- [13:14:23] <kost> and attracting more people, there is two another ways:
- [13:14:41] <[machine]> make all of the goals, remote specific
- [13:14:43] <kost> make it attractive tool (with initial number of remote vulns attractive and only available in openVAS)
- [13:14:54] <atomicturtle1> Ive worked on a different gsoc project, we were turning people away we had so many volunteers
- [13:14:57] <kost> and second, talk at the conferences/events/etc
- [13:15:12] <[machine]> yep
- [13:15:22] <kost> with local vulns, you are attracting only sysadmins
- [13:15:25] <atomicturtle1> get it into the SANS lineup
- [13:15:28] <masterwild> one question: my openvasscan is really slow and i want to figure out whats wrong. How to enable debug ?
- [13:15:35] <felix> atomicturtle1: might we contact you regarding application, if we cant figure out what exactly they want? :)
- [13:15:37] <kost> with remote vulns, you are attracting pentesters then
- [13:15:44] <atomicturtle1> felix: SANS?
- [13:15:54] <atomicturtle1> or GSOC?
- [13:16:33] <felix> atomicturtle1: application as mentor/organization for gsoc. havent seen a form yet, but probably there is enough info about what info to provide in the faq.
- [13:17:36] <atomicturtle1> sure I know some folks we can ask about it, the other project is an open source medical records system (openmrs). They've been doing GSOC for 4 or 5 years now
- [13:19:13] <atomicturtle1> another thing is that most infosec people here in the US work in the government, and for the most part they cant get to openvas.org because for some silly reason they block access to non-US hosted sites
- [13:20:25] <atomicturtle1> Im trying to get something set up with forge.mil, but its slow slow going
- [13:21:52] <bchandra> masterwild: in openvasd.conf, you need to say yes to log_whole_attack
- [13:22:06] <bchandra> masterwild: it is openvassd.conf if you have openvas 3.0
- [13:23:31] <masterwild> bchandra: ahh thought this ends up in a large pcap
- [13:24:54] <bchandra> masterwild: not really, it just shows some messages in the server log (openvasd.messages), indicating how much time each plugin took
- [13:27:50] <felix> kost, [machine]: I think we dont lack ideas about how to improve stuff :)
- [13:35:51] <masterwild> hmm, got a lot of this in my logs: hints?
- [13:35:57] <masterwild> [Wed Feb 10 03:13:46 2010][12233] process_internal_msg for mozilla_CB-A08-0017.nasl returned -1
- [13:35:59] <masterwild> [Wed Feb 10 03:13:46 2010][12233] shared_socket: Secret/SSH/socket is unknown
- [13:36:15] <masterwild> the *.nasl isn't only that one
- [13:36:30] <masterwild> can grep for it if it matters
- [13:37:25] <bchandra> masterwild: For SSH based local checks, you need to supply SSH credentials, it looks like that is not provided, so it is a non-issue if you don't want to scan local checks
- [13:38:09] <masterwild> ok...
- [13:39:00] <bchandra> masterwild: otherwise, you need to provide SSH credentials
- [13:39:51] <masterwild> no I don't want it.
- [13:40:50] <masterwild> my problem is: I try to scan a /24. within that /24 there are 2 Hosts but the scan runs the whole night for 15 hosts out of the /24
- [13:43:24] <bchandra> masterwild: I think I understand the prob, in a /24 n/w, you may not have all the IP's up. There looks to be a bug which has re-appeared, if the systems aren't reachable, scanning continues forever
- [13:45:48] <mime> masterwild: OpenVAS-Client -> Prefs -> Ping Host -> Mark unrechable Hosts as dead
- [13:54:51] <masterwild> ok, I'll give it a try
- [14:06:15] <masterwild> mime: how long should it take until an ip is marked as "dead"
- [14:10:31] <mime> masterwild: sorry, forgotten. You have to activate "Ping Host" under "OpenVAS-Client -> General -> Port Scanner"
- [14:11:20] <masterwild> do have an OID for me? using the cli
- [14:12:02] <mime> 1.3.6.1.4.1.25623.1.0.100315
- [14:12:37] <masterwild> thx
- [14:13:29] <masterwild> seems to performe now
- [14:13:42] <masterwild> ^^s/e//
- [14:14:15] <masterwild> at least the log fills up with more stuff
- [14:14:40] <masterwild> note to myself: consider to use the gui
- [14:16:16] <geoff> RE: conferences to attract more developers, I had been planning on presenting something at FOSDEM 2010, but ran short of time. Would someone like to collaborate on a paper for FOSDEM 2011?
- [14:17:08] <geoff> Maybe the LiveCD will be ready by then. ;)
- [14:43:07] <kost> geoff: sure
- [14:43:14] <kost> what help do you need?
- [14:57:12] <masterwild> mime: obviously it doesn't work...
- [14:57:28] <masterwild> grr
- [14:57:48] <masterwild> the IPs aren't marked as dead
- [14:58:05] <masterwild> scan is still going on the "dead IPs"
- [14:59:21] <mime> masterwild: what is your openvas version?
- [15:02:21] <masterwild> [Wed Feb 10 09:15:12 2010][14883] openvasd 2.0.1. started
- [15:02:23] <masterwild> [Wed Feb 10 09:17:38 2010][14883] connection from 127.0.0.1
- [15:02:24] <masterwild> [Wed Feb 10 09:17:38 2010][14919] Client requested protocol < OTP/1.0 > .
- [15:05:18] <mime> masterwild: ping_host was executed? "grep ping_host /path/to/openvas.messages"
- [15:05:46] <masterwild> hmmm
- [15:05:48] <masterwild> no
- [15:06:24] <mime> log_whole_attack is "yes" in openvas.conf?
- [15:06:49]*mattm (~mattm@aktaia.intevation.org) entered the channel
- [15:07:06] <masterwild> mime: yes
- [15:07:29] <mime> ok, then ping_host.nasl was not executed...
- [15:07:51] <masterwild> within openvasrc
- [15:08:09] <masterwild> there are 3 yes in the SCANNER_SET section
- [15:08:15] <masterwild> 1.3.6.1.4.1.25623.1.0.10180 = yes
- [15:08:19] <masterwild> 1.3.6.1.4.1.25623.1.0.10335 = yes
- [15:08:24] <masterwild> 1.3.6.1.4.1.25623.1.0.100315 = yes
- [15:08:41] <masterwild> I cannot figure out what the first two OIDs are
- [15:09:04] <masterwild> openvas.org did not find nasl to that OIDs
- [15:09:42] <masterwild> I actually restarted the server after changing the values in openvasd.conf
- [15:11:18] <masterwild> eehm.
- [15:11:23] <masterwild> found this: http://lists.wald.intevation.org/pipermail/openvas-devel/2009-November/001897.html
- [15:11:53] <masterwild> isn't the same problem but my host is also a xen guest
- [15:12:13] <mime> your openvasd is running on xen?
- [15:12:40] <masterwild> yes+#
- [15:13:15] <mime> hmm...but ping_host.nasl should be executed. And you should see this in the openvas.messages.
- [15:15:17] <masterwild> if I activate only ping_host.nasl no portscan would be executed, right?
- [15:21:59] <mime> masterwild: http://pastebin.com/m5b1b0ba5 <- first host is up, second down. Could you please test if it works for you.
- [15:24:57] <mime> btw.: 1.3.6.1.4.1.25623.1.0.10335 == openvas_tcp_scanner.nes
- [15:26:26] <masterwild> mime: hmm strange results
- [15:26:36] <masterwild> none reachable:
- [15:26:38]*raimund (~ruediger@aktaia.intevation.org) entered the channel
- [15:27:03] <masterwild> host:/opt/openvas-client/bin# /opt/openvas/bin/openvas-nasl -X -t 10.222.223.3 /opt/openvas/lib/openvas/plugins/ping_host.nasl
- [15:27:04] <masterwild> [17358] plug_set_key:internal_send(0)['3 /tmp/start_time=1265812003;
- [15:27:06] <masterwild> ']: Socket operation on non-socket
- [15:27:15] <masterwild> reachable
- [15:27:37] <masterwild> host:/opt/openvas-client/bin# /opt/openvas/bin/openvas-nasl -X -t 172.19.1.108 /opt/openvas/lib/openvas/plugins/ping_host.nasl
- [15:27:39] <masterwild> [17353] plug_set_key:internal_send(0)['3 /tmp/start_time=1265811965;
- [15:27:40] <masterwild> ']: Socket operation on non-socket
- [15:27:49] <masterwild> ping on cli works fine...
- [15:28:03] <masterwild> host:/opt/openvas-client/bin# ping 172.19.1.108
- [15:28:04] <masterwild> PING 172.19.1.108 (172.19.1.108) 56(84) bytes of data.
- [15:28:06] <masterwild> 64 bytes from 172.19.1.108: icmp_seq=1 ttl=64 time=0.037 ms
- [15:28:07] <masterwild> 64 bytes from 172.19.1.108: icmp_seq=2 ttl=64 time=0.030 ms
- [15:28:37] <felix> masterwild: consider looking at openvasd.dump as well. are you running openvasd as root?
- [15:28:55] <masterwild> felix: yes as root
- [15:29:55] <felix> mime, geoff_: Would you mind writing a FAQ entry about "Scanning a large network with just a few alive/reachable hosts takes ages, what to do?"?
- [15:30:34] <masterwild> would be great ;)
- [15:30:54] <masterwild> how you define "large"?
- [15:31:08] <felix> mime, geoff_, masterwild: Obviously, ~ the faster the scan is the less accurate it will be :)
- [15:31:22] <masterwild> a /24 isn't much IMHO
- [15:32:21] <felix> masterwild: gotcha. rephrase: "When scanning a network, scanning non-reachable hosts takes much longer than scanning the alive ones, what can I do to speed things up?"?
- [15:32:56] <felix> or just strip "large" :)
- [15:33:16] <masterwild> yes but "host alive" should work with ICMP. We allow icmp, so this would greatly enhance speed
- [15:34:49] <mime> masterwild: could you rerun "openvas-nasl -X -t ..." and check with tcpdump/wireshark what is going on?
- [15:34:55] <masterwild> sure
- [15:35:18]*sid77 (~sid77@moko.slackware.it) entered the channel
- [15:38:48]*sid77 (~sid77@moko.slackware.it) has quit ()
- [15:39:30] <masterwild> mime: whoops. my mistake...
- [15:39:50] <masterwild> mime: 172.19.1.108 is the scan host own ip...
- [15:40:11] <masterwild> with another host reachable I get the same result as you
- [15:40:34] <felix> mime: ping_host.nasl:109 is not necessary, is it? (nvt exits in line 55 if mark_dead >< "no")
- [15:41:36] <masterwild> so the question is: why is ping_host.nasl not executed by openvasd...
- [15:41:38]*sid77 (~sid77@moko.slackware.it) entered the channel
- [15:42:15] <felix> mime: Also, maybe a log or debug message could be issued if TARGET_IS_IPV6 (maybe only if "Report about .." is "yes")
- [15:43:39]*sid77 (~sid77@moko.slackware.it) has quit ()
- [15:43:58] <mime> felix: 1. right. 2. Good idea.
- [15:45:00] <mime> felix: exit on line 55 was added as i changed the default for mark_dead from yes to no.
- [15:45:49] <felix> mime: strange that it works when you run it with openvas-nasl standalone interpreter btw
- [15:46:10] <mime> why?
- [15:46:12] <felix> mime: it would normally exit in 55 then, right?
- [15:46:27]*sid77 (~sid77@moko.slackware.it) entered the channel
- [15:46:31] <felix> mime: dunno how preferences are dealt with in the standalone interpreter
- [15:46:41] <mime> mark_dead is not "no" with standalone interpreter
- [15:46:55] <mime> it's empty...
- [15:47:08] <felix> aaahhh :)
- [15:47:12] <mime> :)
- [15:47:18] <felix> nice one
- [15:48:07] <felix> mime: so basically in openvas-nasl preferences dont get their default value but are empty
- [15:48:34] <mime> yes
- [15:49:59] <felix> masterwild: again, did openvas.dump show anything interesting?
- [15:50:08] <felix> masterwild: sry openvasd.dump
- [15:50:34] <mime> masterwild: could you test with gui?
- [15:50:53] <masterwild> uhm yes...
- [15:51:42] <felix> gtg
- [15:56:19] <masterwild> ping_host and openvas_tcp scanner active?
- [15:56:34] <mime> yes
- [15:59:08] <mime> you should see something like 'The remote host (192.168.2.15) is dead' in openvas.messages
- [15:59:16] <mime> if it works...
- [15:59:35] <masterwild> where I have to activate the openvas.dump?
- [16:00:01] <masterwild> couldn't find an option
- [16:00:21] <mime> dumpfile in openvasd.conf
- [16:00:35] <mime> dumpfile = /opt/openvas3/var/log/openvas/openvassd.dump
- [16:00:44] <masterwild> no enable_dump = yes or similar?
- [16:00:49] <mime> no
- [16:03:18] <masterwild> user admin : launching nmap.nasl against 10.222.223.3 [17750]
- [16:03:27] <masterwild> didn't activate that
- [16:04:39] <masterwild> dump isn't helpful:
- [16:04:47] <masterwild> SSH-DEBUG: Not setting login information for local checks at 10.222.223.29 : No mapping found.
- [16:05:44] <mime> something about ping_host in openvasd.messages
- [16:05:48] <masterwild> nope
- [16:07:17] <bchandra> mime: who's consuming the KB item set by ping_host.nasl, I see only nmap.nasl uses, other port scanners aren't using
- [16:08:09] <masterwild> I'm considering to flush my openvasrc file? would that be an option?
- [16:08:28] <mime> bchandra: openvas-scanner/openvassd/attack.c
- [16:10:11] <bchandra> mime: ah! ok, didn't check that
- [16:18:15]*bchandra (~bchandra@119.82.127.3) has quit (Ping timeout: 480 seconds)
- [16:38:02]*atomicturtle (~sshinn@c-68-50-185-134.hsd1.dc.comcast.net) entered the channel
- [16:38:02]*atomicturtle1 (~sshinn@c-68-50-185-134.hsd1.va.comcast.net) has quit (Read error: Connection reset by peer)
- [16:57:35]*deepsa (~deepsa@115.184.84.144) entered the channel
- [17:04:59]*mwiegand (~michael@aktaia.intevation.org) has quit (Quit: leaving)
- [17:38:04]*deepsa (~deepsa@115.184.84.144) has quit (Ping timeout: 480 seconds)
- [17:47:47]*FrozenIowan (~chatzilla@12.104.194.8) entered the channel
- [17:48:48]*deepsa (~deepsa@115.184.42.249) entered the channel
- [17:56:43]*atomicturtle1 (~sshinn@c-68-50-185-134.hsd1.dc.comcast.net) entered the channel
- [17:56:43]*atomicturtle (~sshinn@c-68-50-185-134.hsd1.dc.comcast.net) has quit (Read error: Connection reset by peer)
- [18:02:55]*raimund (~ruediger@aktaia.intevation.org) has left the channel (Kopete 0.12.7 : http://kopete.kde.org)
- [18:03:48]*FrozenIowan (~chatzilla@12.104.194.8) has left the channel ()
- [18:47:23]*karl_hr (~el_kallo@aktaia.intevation.org) has quit (Remote host closed the connection)
- [19:05:06]*mattm (~mattm@aktaia.intevation.org) has left the channel ()
- [20:31:49]*deepsa (~deepsa@115.184.42.249) has quit (Quit: http://lugj.in)
- [21:30:19]*geoff_ (~geoff@p508A654C.dip.t-dialin.net) entered the channel
- [21:37:44]*geoff (~geoff@p508A7CA8.dip.t-dialin.net) has quit (Ping timeout: 480 seconds)