Dec 7, 2011 9:48 AM
Zenoss + Nessus Scan = Alert Explosion
I ran into an interesting problem the other day. I scanned my internal network using Nessus and when the scanner hit my Zenoss machines, they alerted like crazy. The Zenoss servers reported every single one of the monitored servers as down; they couldn't poll for data at all. Once the scan finished, the Zenoss servers came back to normal like nothing ever happened. I can't fathom why a vulnerability scan would cause Zenoss to freak out like that. I was running the scan in safe-mode so it shouldn't have used any plugins that would break anything. There's absolutely nothing out of the ordinary in the logs, as far as I can see. Any ideas? Has anyone seen this before?
Clarification: It looks like Nessus doesn't necessarily have to scan Zenoss to cause Zenoss to think that systems are down. I just have to scan the systems that it is monitoring and Zenoss will think they are down or won't be able to get certain data.
That's an odd one. Can't say I've seen anything like that before.
What kinds of devices are the monitored systems? Linux servers, Windows servers, networking equipment? My first guess would be that Nessus is saturating some resource on them like throughput or state tables (for firewalls.) My next guess would be that they have some kind of security feature that is shutting down communication in response to the Nessus scan. It might be useful to check their logs.
It sounds like saturation of the remote devices, or there's some security software on them that is shutting down access during the scan. Per cluther...
--
James Pulver
ZCA Member
LEPP Computer Group
Cornell University
Zenoss is monitoring Windows, Linux and Cisco network devices. I'm not seeing anything in the system logs about snmp errors or any other type of saturation. What's interesting is that I think Zenoss will start alerting on systems that aren't even being scanned...