Discussion:
Zenoss + Nessus Scan = Alert Explosion
Davian
2011-12-07 14:49:08 UTC
Davian [http://community.zenoss.org/people/Davian] created the discussion

"Zenoss + Nessus Scan = Alert Explosion"

To view the discussion, visit: http://community.zenoss.org/message/63096#63096

--------------------------------------------------------------
I ran into an interesting problem the other day.  I scanned my internal network using Nessus and when the scanner hit my Zenoss machines, they alerted like crazy.  The Zenoss servers reported every single one of the monitored servers as down; they couldn't poll for data at all.  Once the scan finished, the Zenoss servers came back to normal like nothing ever happened.  I can't fathom why a vulnerability scan would cause Zenoss to freak out like that.  I was running the scan in safe-mode so it shouldn't have used any plugins that would break anything.  There's absolutely nothing out of the ordinary in the logs, as far as I can see.  Any ideas?  Has anyone seen this before?
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/63096#63096]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]
Davian
2011-12-07 14:55:23 UTC
Davian [http://community.zenoss.org/people/Davian] created the discussion

"Re: Zenoss + Nessus Scan = Alert Explosion"

To view the discussion, visit: http://community.zenoss.org/message/63097#63097

--------------------------------------------------------------
Clarification:  It looks like Nessus doesn't necessarily have to scan Zenoss to cause Zenoss to think that systems are down.  I just have to scan the systems that it is monitoring and Zenoss will think they are down or won't be able to get certain data.
--------------------------------------------------------------

Chet Luther
2011-12-07 15:08:05 UTC
Chet Luther [http://community.zenoss.org/people/cluther] created the discussion

"Re: Zenoss + Nessus Scan = Alert Explosion"

To view the discussion, visit: http://community.zenoss.org/message/63098#63098

--------------------------------------------------------------
That's an odd one. Can't say I've seen anything like that before.

What kinds of devices are the monitored systems? Linux servers, Windows servers, networking equipment? My first guess would be that Nessus is saturating some resource on them like throughput or state tables (for firewalls.) My next guess would be that they have some kind of security feature that is shutting down communication in response to the Nessus scan. It might be useful to check their logs.
--------------------------------------------------------------

Davian
2011-12-08 15:15:17 UTC
Davian [http://community.zenoss.org/people/Davian] created the discussion

"Re: Zenoss + Nessus Scan = Alert Explosion"

To view the discussion, visit: http://community.zenoss.org/message/63136#63136

--------------------------------------------------------------
Zenoss is monitoring Windows, Linux and Cisco network devices.  I'm not seeing anything in the system logs about SNMP errors or any other type of saturation. What's interesting is that I think Zenoss will start alerting on systems that aren't even being scanned...
--------------------------------------------------------------

jmp242
2011-12-07 15:08:23 UTC
jmp242 [http://community.zenoss.org/people/jmp242] created the discussion

"Re: Zenoss + Nessus Scan = Alert Explosion"

To view the discussion, visit: http://community.zenoss.org/message/63119#63119

--------------------------------------------------------------
It sounds like saturation of the remote devices, or there's some security software on them that is shutting down access during the scan. Per cluther...

--
James Pulver
ZCA Member
LEPP Computer Group
Cornell University
--------------------------------------------------------------
