I have a report from one of our server admins that a scan may have taken down one of our services and they have provided a web request which they suspect may have been responsible. Is there a way I can search the NVT database for elements of that URL to find out which NVT was being tested at that time, to identify the vulnerability in question as the results from the scan don’t seem to show anything which matches.
You can use e.g. grep on your local installation path (e.g. $install_prefix/var/lib/openvas/plugins) to search for the related string.
As an alternative to determine the related VT you can also:
- Add / update
log_whole_attack = yesin youropenvas.conf(Seeopenvas -s | grep config_filefor the location and create the file manually with just that entry if it doesn’t exist) - Re-run the scan and notice down the time once the system is getting down
- Compare the previous noted time with the launch time of VTs in your
openvas.log($install_prefix/var/log/gvm/openvas.log)
Thanks @cfi, none of that works for me, possibly because I have a greenbone scanner and not the open source version, they seem to move stuff around or rename it. I think I’ll log it as a support question.
Regards