[Openvas-discuss] Not scanning machines which don't respond to pings

Whit Blauvelt whit at transpect.com
Fri Aug 10 18:42:05 CEST 2012


On Fri, Aug 10, 2012 at 06:23:32PM +0100, Matthew Mundell wrote:
> > > You'll have to make a new config though, in order to edit it.
> >
> > This is a bug, and a bad one. When will this be fixed?
> 
> It's intentional.  They're the predefined configs.  This keeps them the
> same everywhere.

Yes but ... the "same everywhere" basic scan should be _sane_. Having a
baseline scan that skips IPs that don't respond to pings assumes that
everyone will leave ping response on across their IP range. Ping response is
turned off for many IPs that nonetheless have active services, precisely to
hide from script kiddies dumb or lazy enough to only probe systems which
respond to pings. I see this all the time. Staff contacts me asking, "I
having trouble connecting to XYZ's server, is it up?" So I ping, don't see
it, yet find it when I probe the service in question. Ping is off for a
large percentage of public IPs that yet have services exposed. Used to be
rare; on its way to becoming standard.

We need to scan our networks for vulnerabilities on the assumption that
someone _smart_ is who we have to defend them from, not just dumb and lazy
script kiddies. A tool's defaults should match best practices in security.
And best practice these days is to scan regardless of ping response.

> The behaviour that is likely to change is having to make a new task to use
> the new config.

Thanks for that! ;>

Whit



More information about the Openvas-discuss mailing list