Optimal timeout setting for OpenVAS

Hi,

I am writing to seek for advices on tuning the OpenVAS software for better performance.

The OpenVAS version I am using is 9, and most of the target systems run Linux.

The scanning environment is roughly like this :

  1. the firewalls of the OpenVAS host and the target systems are configured to allow all packets from each other;
  2. only one target system is scanned at a time;
  3. in each scan, all ports (TCP 1-65535, UDP 1-65535) are scanned, and the scan mode is “Full and very deep ultimate”.

With these settings, it is found that each scan takes very long to complete (12-14 hrs). The progress bar looks frozen at “1%” for many hours.

If the scans are repeated with the “scanner_plugins_timeout” value reduced from the default “36000” to “9000”, then the scans can run faster (6-7 hrs to complete) and the results show no significant
difference apparently.

I would like to ask : is there an “optimal” choice for the timeout value which can shorten the run time without sacrificing the scan quality ?

Hi,

please have a look at the description of the scanner_plugins_timeout setting:

scanner_plugins_timeout : This is the maximum lifetime (in seconds) for all NVTs from the Port scanners family. If a NVT runs longer the plugin is terminated.

This setting doesn’t have any affect on performance / scan speed and will only cause the Port scanner (Default: Nmap (NASL wrapper) (OID: 1.3.6.1.4.1.25623.1.0.14259)) to be terminated without returning any results of open ports as soon as this timeout is reached.

You only see no significant difference within your result because you’re using this scan config:

This scan config has the following two settings set to no:

  • unscanned_closed : This parameter defines if TCP ports that were not scanned should be treated like closed ports.
  • unscanned_closed_udp : This parameter defines if UDP ports that were not scanned should be treated as closed ports.

This basically means that your current scan configuration is (as soon as the Port scanner got terminated) only checking the default ports defined within the existing vulnerability tests (some HTTP ones would e.g. only check for port 80/tcp).

Instead of trying to modify the scanner_plugins_timeout you could re-think the following:

Please read into UDP port scanning on resources like the following:

Basically scanning all 65k UDP ports could takes hours or even a day depending on the network and/or target.

Unfortunately no specific recommendation can be given as those are highly depending on your network and target environment. Personally i’m using the following setting to have a middle ground between scan speed and scan coverage:

Scan-Config: Full and Fast + unscanned_closed_udp set to no
Port-List: All TCP without any UDP ports

2 Likes

IMHO, you could also consider nmap TOP TCP/UDP ports which should give pretty good coverage in normal use cases, and those are considerable faster.

1 Like

Thank you very much for the explanations and recommendations.

I do understand that my port ranges are too broad, but the scan reports will be used in preparation for internal security audit, therefore they have to be as comprehensive and exhaustive as possible.