5 Replies Latest reply: Dec 13, 2012 5:35 AM by asabban RSS

    Qualys Security Scanner strikes down MWG


      Hi all,

      hase anyone seen the same problem? When a Qualys security scanner scans mwg the systems is running on 100% CPU. After rebooting the system there is also 100% CPU used.

      This happens directly after the systems was scanned by the qualys agent.


      The Access LOG shows the following entry (there are up to 20 entries per second)

      [23/Nov/2012:09:27:12 +0100] "" 502 "GET //WWW.QUALYS.COM HTTP/1.1" "Business, Internet Services" "Unverified" "" 2928 223672 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDC)" "" "0" ""

      -> physical IP on eth0 -> HA VIP on eth0


      The Acces Denied LOG shows that this request was blocked! But the entries shown above are generated in the access log file.

      - A TCP Dump is showing no client connection on MWG

      - There is no HTTP traffic visible in the tcpdump


      For me it seems there is something looping......



      Finally i added this Ruleset and it seems this ends the "loop".... Could this be?





        • 1. Re: Qualys Security Scanner strikes down MWG



          it does not make too much sense that the problem persists when a restart was performed. Maybe the request was still queued at the director and handed to the scanning node when it came back after the reboot?


          However I strongly recommend to create a feedback of the affected MWG and provide all the information to support. If there is any kind of loop caused by the requests this has to be analyzed, found and fixed by engineering.




          • 2. Re: Qualys Security Scanner strikes down MWG
            Jon Scholten

            I'm guessing you are turning off the via header which may cause the proxy loop.


            MWG uses the via header to detect and stop proxy loops.


            Perhaps only turn the via header off if the "client.ip is not in range".



            • 3. Re: Qualys Security Scanner strikes down MWG

              Hi all,

              thanks for the info. I checked the system today. Customer is testing a "high load" situation where mwg is completely overloaded. This are normal test situations at my customer. Customer is aware, that the system is not reachable during the security scan. But, the system should reach a normal state when the scan finished.


              This scan results in an overload of the antimalware queue. The mwg-core error log shows the problem. The qeue is also not cleared after the system is rebooted.


              Is it possible to clear the anti-malware queue manually?


              @Jon: i also removed the "remove via header" rule to let the via header available for mwg. :-)





              Nachricht geändert durch Troja on 26.11.12 18:28:22 MEZ


              Nachricht geändert durch Troja on 26.11.12 18:28:41 MEZ
              • 4. Re: Qualys Security Scanner strikes down MWG

                Hi Andre, hi Jon,

                we figured out what is going on with MWG when doing a security scan.


                If you start a normal "Webserver Scan" where the URL host is the IP-adress of mwg something starts to loop. If you reboot mwg the system does not reach a normal system state. CPU is running on 100% CPU. After 3 days or more MWG is still running on 100% CPU and the system is not useable.


                There is only one way to stop this behavior. A ruleset where the MWG IPs are blocked.



                From my opinion this is a bug in the mwg ruleengine.




                • 5. Re: Qualys Security Scanner strikes down MWG

                  Hi Thorsten,


                  if not already done are you please able to file a service request?


                  Please add a tcpdump that shows the start of the security scan to allow us to replicate the problem without having the security scanner. Support will replicate the issue and file a bug with development. They will look at whats happening and fix the issue.


                  We can't do that from within the community.