OpenVAS Change Request #49: Introduce new phase for network scans
Status: Voted +9. Implemented in SVN revisions 9365 and 9366.
Purpose
To make scanning large networks more effective and to simplify integration of network based external tools.
References
Rationale
Please note: This change request draws heavily from Change Request #26 and intends to make the proposal more specific. Many thanks to Vlatko Kosturjak for the initial Change Request.
Currently, OpenVAS is a host oriented vulnerability scanner. That means that it forks for each IP tested and for each NVT. In some cases it would be more effective in terms of memory usage and scan speed to launch an NVT a single time against a group of hosts or an entire network. Launching nmap is one such case.
NVTs always belong to one category (e.g. "ACT_INIT", "ACT_ATTACK", "ACT_END") which correlates with the phase of the scan in which the NVT is run.
Effects
Advantages
- Running NVTs that are able to collect information on a network level would become a lot easier and more effective.
- Integrating external tools that operate on a network level (e.g. nmap) would become a lot easier and more effective.
Disadvantages
- In order to use this new functionality, NVT authors will need to make a few minor adjustments to their NVTs.
Design and Implementation
To enable openvas-scanner to collect information on the network level, a new scan phase for certain NVTs (e.g. port scanners) should be introduced to allow them to gather information on this level. This scan phase will have the following special properties:
- NVTs can use the new scan_phase command to determine the current scan phase.
- When NVTs run in the network scan phase, they can use the new network_targets command to determine the targets for this phase.
- NVTs in this phase operate on a knowledge base (KB) separate from the per host KBs and will store information gathered about individual hosts prefixed with the IP of the host, e.g. "192.168.12.34/Ports/tcp/80=1".
- When preparing a scan of an individual host, openvas-scanner will look for entries matching the IP of the current target in the network level KB. If entries are present in this KB, they are copied to the host KB and are then available to all NVTs running against this target.
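The following is an added model of the two-level knowledge base described above; it is an illustration, not openvas-scanner or NASL code. The function names, the dict-based KB and the nmap grepable output are assumptions constructed for the example: a network-phase NVT runs nmap once against all targets and stores one prefixed entry per open port, and the per-host preparation step copies only the matching entries into a fresh host KB.

```python
# Added model of the network scan phase; not openvas-scanner code.
# Function names, the dict-based KB and the sample output are assumptions.

NETWORK_KB = {}   # shared by network-phase NVTs, keyed "<ip>/<key>"

# Constructed sample in nmap's grepable (-oG) format, as a network-level
# NVT would receive it after one nmap run against all network_targets.
NMAP_GREPABLE = """\
Host: 192.168.12.3 ()\tPorts: 22/open/tcp//ssh///
Host: 192.168.12.34 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///
Host: 192.168.12.35 ()\tStatus: Down
"""


def network_phase_nvt(grepable, net_kb):
    """Run once for the whole target list: parse nmap's grepable output and
    store one entry per open port, prefixed with the IP it belongs to,
    e.g. "192.168.12.34/Ports/tcp/80" -> 1."""
    for line in grepable.splitlines():
        if not line.startswith("Host: ") or "Ports: " not in line:
            continue                      # hosts that are down have no Ports field
        ip = line.split()[1]
        # The Ports field ends at the next tab (real nmap appends "Ignored State:").
        ports_field = line.split("Ports: ", 1)[1].split("\t")[0]
        for entry in ports_field.split(", "):
            port, state, proto = entry.split("/")[:3]
            if state == "open":
                net_kb[f"{ip}/Ports/{proto}/{port}"] = 1
    return net_kb


def prepare_host_kb(net_kb, host_ip):
    """Before scanning one host, copy its entries out of the network KB into
    a fresh per-host KB, stripping the IP prefix so ordinary NVTs see the
    usual keys. Matching on "<ip>/" keeps 192.168.12.3 from also picking up
    the entries of 192.168.12.34."""
    prefix = host_ip + "/"
    return {k[len(prefix):]: v for k, v in net_kb.items() if k.startswith(prefix)}


if __name__ == "__main__":
    network_phase_nvt(NMAP_GREPABLE, NETWORK_KB)
    for ip in ("192.168.12.3", "192.168.12.34", "192.168.12.35"):
        print(ip, prepare_host_kb(NETWORK_KB, ip))
```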
History
- 2010-11-09 Michael Wiegand <michael dot wiegand at greenbone dot net>: Updated status.
- 2010-11-02 Michael Wiegand <michael dot wiegand at greenbone dot net>: Added references.
- 2010-11-01 Michael Wiegand <michael dot wiegand at greenbone dot net>: Updated to better reflect actual implementation and to provide better examples.
- 2010-07-29 Michael Wiegand <michael dot wiegand at greenbone dot net>: Initial text based on Change Request #26.