While I was scanning my target lists using the full vulnerability scan, I had decided to use the "All" option in Services in order to detect all of the running services. However, if you do that, you need to decrease the Interpacket Delay from 12 (default) to keep having a good performance I imagine. I realized, though, that the accuracy of my results was decreased as well... For instance, Foundstone was identifying wrong OS for my targets, instead of Solaris, it was showing windows... Are they known numbers to set in order to balance performance with accuracy or I should split the target list in smaller parts in order not to decrease my Interpacket Delay and risk my accuracy in favor of performance??
There a no known parameters to set the scan too because its very dependent on your network. We do try and make a best guess as to what works for most customers but at the end of the day its just a guess as there many unknown factors. My suggestion is to run a few test scans with differnt setting to find what works best in your environment.
I guess i understand what you mean.
In a real scenario, is it normal to scan 59 Solaris servers using "All" TCP to detect the hosts and "All" to identify the UDP and TCP services and after around 10 hours, only 20% is complete...?Not to forget that the Interpacket delay was decreased from 12 to 10. The rest parameters were left the same.
I think now I will try the "default" TCP and UDP for Hosts detection hoping that I will save time.
Its hard to define normal but it wouldn't surprise me if the scan was taking that long. When you say you are only scanning 59 hosts do you mean you only discovered 59 hosts or do you only have 59 IP's to be scanned in the scan config?
This is why I want to know.
Discovery can be broken down into two parts. Host and Service Discovery.
Basically this is used to determine if a host is live on the network. We will send packets to that IP until we receive one back. Once we receive one back we determine that the host is live and that IP is passed into service discovery. If you are scanning two IP Addresses on your network and only one was actually there Host discovery would find one open port on the live IP and then move on. On the non live IP a packet would be sent to 65,535 UDP and TCP ports before we give up on that IP based on your settings. It takes much longer to scan for a IP that isn't live than to detect a live IP.
Each port configured in the scan will be scanned.
So if you are scanning a large IP Address space and there are 59 live systems the scan can take a long time.
Oh sorry Jeffrey. I forgot to mention that I was scanning 59 IPs with Full Vulnerability Scan type (Non-intrusive). And with All TCP and Default UDP for Host Detection and All both TCP and UDP for Services, it needed around 10 hrs to complete just the 20%. And I had to pause it. So, I do not know if it had completed the host detection and services identification or not even that...
I guess I have to experiment with the parameters.. But at least, I wanted to know if it was a normal performance for a target list of that size or not..In that way, I may understand what I need to adjust.