Archived community.zenoss.org | full text search
Skip navigation
Up to Discussions in zenoss-users
5624 Views 4 Replies Latest reply: Dec 8, 2011 10:15 AM by Davian RSS
Davian Newbie
Davian
3 posts since
Dec 3, 2011
Currently Being Moderated

Dec 7, 2011 9:48 AM

Zenoss + Nessus Scan = Alert Explosion

I ran into an interesting problem the other day.  I scanned my internal network using Nessus and when the scanner hit my Zenoss machines, they alerted like crazy.  The Zenoss servers reported every single one of the monitored servers as down, they couldn't poll for data at all.  Once the scan finished, the Zenoss servers came back to normal like nothing ever happened.  I can't fathom why a vulnerability scan would cause Zenoss to freak out like that.  I was running the scan in safe-mode so it shouldn't have used any plugins that would break anything.  There's absolutely nothing out of the ordinary in the logs, as far as I can see.  Any ideas?  Has anyone seen this before?

  • Davian Newbie
    Davian
    3 posts since
    Dec 3, 2011
    Currently Being Moderated
    1. Dec 7, 2011 9:55 AM (in response to Davian)
    Re: Zenoss + Nessus Scan = Alert Explosion

    Clarification:  It looks like Nessus doesn't necessarily have to scan Zenoss to cause Zenoss to think that systems are down.  I just have to scan the systems that it is monitoring and Zenoss will think they are down or won't be able to get certain data.

  • Chet Luther ZenossEmployee
    Chet Luther
    1,302 posts since
    May 22, 2007
    Currently Being Moderated
    2. Dec 7, 2011 10:07 AM (in response to Davian)
    Re: Zenoss + Nessus Scan = Alert Explosion

    That's an odd one. Can't say I've seen anything like that before.

     

    What kinds of devices are the monitored systems? Linux servers, Windows servers, networking equipment? My first guess would be that Nessus is saturating some resource on them like throughput or state tables (for firewalls.) My next guess would be that they have some kind of security feature that is shutting down communication in response to the Nessus scan. It might be useful to check their logs.

  • jmp242 ZenossMaster
    jmp242
    4,060 posts since
    Mar 7, 2007
    Currently Being Moderated
    3. Dec 7, 2011 10:08 AM (in response to Davian)
    Re: Zenoss + Nessus Scan = Alert Explosion

    It sounds like saturation of the remote devices, or theres some security software on them that is shutting down access during the scan. Per cluther...

     

    --

    James Pulver

    ZCA Member

    LEPP Computer Group

    Cornell University

  • Davian Newbie
    Davian
    3 posts since
    Dec 3, 2011
    Currently Being Moderated
    4. Dec 8, 2011 10:15 AM (in response to Chet Luther)
    Re: Zenoss + Nessus Scan = Alert Explosion

    Zenoss is montioring Windows, Linux and Cisco network devices.  I'm not seeing anything in the system logs about snmp errors or any other type of saturation. What's interesting is that I think Zenoss will start alerting on systems that aren't even being scanned...

More Like This

  • Retrieving data ...

Legend

  • Correct Answers - 4 points
  • Helpful Answers - 2 points