OpenVAS Errors: Investigating Potential Issues

TL;DR

OpenVAS reporting strange errors? It’s likely not a direct attack, but could indicate problems with your scanner configuration, network connectivity, or the targets you’re scanning. This guide helps you troubleshoot and determine if further investigation is needed.

1. Understand Common OpenVAS Errors

Before panicking, know what errors are typical. Here’s a breakdown:

  • NVT (Network Vulnerability Test) Failures: These mean a specific test couldn’t complete successfully. Reasons include closed ports, unresponsive targets, or outdated NVT definitions.
  • Host Discovery Errors: OpenVAS can’t find the target machine on the network. Check IP addresses and network reachability.
  • Connection Refused/Timeout Errors: The target isn’t accepting connections on the ports OpenVAS is trying to use. Firewalls or the target service being down are common causes.
  • Scan Configuration Issues: Problems with your scan settings (credentials, port ranges) can lead to errors.

These errors don’t automatically mean you’ve been hacked.

2. Check OpenVAS Scanner Status

  1. Scanner: Ensure the Greenbone scanner service is running. This service executes the scans.
    sudo systemctl status greenbone-scanner

    If it’s stopped, start it:

    sudo systemctl start greenbone-scanner
  2. OpenVAS Manager: Verify the OpenVAS manager is running.
    sudo systemctl status openvas-manager

    Restart if necessary:

    sudo systemctl restart openvas-manager
  3. Logs: Examine the scanner logs for detailed error messages. These are usually located in /var/log/greenbone/. Look for files such as scanner.log and openvasmd.log. Use a command like tail -f /var/log/greenbone/scanner.log to follow the log in real time while a scan runs.
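As an added example (not code from the original post or from the Greenbone project), the following Python script sorts scanner log lines into the error classes from section 1, counts them per target, and points to the section of this guide that covers each class. The keyword patterns and the sample log lines are constructed assumptions, since real log wording varies between OpenVAS versions.

```python
import re
from collections import Counter, defaultdict

# Patterns for the error classes from section 1. Real scanner.log wording varies by
# version, so these are assumptions: tune them to your own log messages. Order
# matters: a line naming an NVT is an NVT failure even if it also mentions a timeout.
CATEGORIES = [
    ("nvt_failure",    re.compile(r"\bNVT\b.*\b(failed|error)", re.I)),
    ("host_discovery", re.compile(r"host (unreachable|not found|is down)|no route to host", re.I)),
    ("connection",     re.compile(r"connection refused|timed? ?out", re.I)),
    ("configuration",  re.compile(r"credential|authentication failed|invalid port", re.I)),
]
# Next troubleshooting step per category, following sections 3 to 5 of this guide.
NEXT_STEP = {
    "nvt_failure":    "update the NVT feed and re-run (section 5)",
    "host_discovery": "verify the IP/hostname and ping the target (section 3)",
    "connection":     "check target services and firewall rules (section 3)",
    "configuration":  "review credentials and port ranges (section 4)",
}
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")  # assumes IPv4 targets

def classify(line):
    """Return the category of a log line, or None if it is not a tracked error."""
    for name, pattern in CATEGORIES:
        if pattern.search(line):
            return name
    return None

def triage(log_text):
    """Count tracked error categories per target host across a block of log text."""
    per_host = defaultdict(Counter)
    for line in log_text.splitlines():
        category = classify(line)
        if category is not None:
            match = IP_RE.search(line)
            per_host[match.group(0) if match else "unknown"][category] += 1
    return {host: dict(counts) for host, counts in per_host.items()}

def report(summary):
    # One line per host and category, ending with the suggested next step.
    return [f"{host}: {n} x {cat} -> {NEXT_STEP[cat]}"
            for host in sorted(summary) for cat, n in sorted(summary[host].items())]

# Constructed sample lines for demonstration; not copied from a real scanner.log.
SAMPLE_LOG = """\
2024-01-10 09:00:05 scanner: 192.168.1.10: connect to port 443: Connection refused
2024-01-10 09:00:09 scanner: 192.168.1.10: NVT check 'example_nvt' failed: socket timed out
2024-01-10 09:00:12 scanner: 192.168.1.23: Host unreachable during discovery
2024-01-10 09:00:20 scanner: 192.168.1.10: SSH credential check: authentication failed
"""
```

To run it against a real log, pass the file contents to triage() and print each line returned by report(); lines that match none of the patterns are ignored.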

3. Verify Network Connectivity

  1. Ping Test: Can you ping the target machine from the OpenVAS server?
    ping <target_ip_address>
  2. Port Scan (Basic): Use nmap to check if essential ports are open.
    nmap -p 22,80,443 <target_ip_address>

    (Replace 22, 80, and 443 with relevant ports for your target.)

  3. Firewall Rules: Ensure firewalls on both the OpenVAS server and the target machine aren’t blocking communication.

4. Review Scan Configuration

  1. Target Settings: Double-check the IP address or hostname of your targets in OpenVAS. Typos are common!
  2. Credentials: If you’re using credentials for authentication, verify they are correct and have sufficient permissions on the target system.
  3. Port Ranges: Are you scanning an appropriate port range? Scanning unnecessary ports can increase scan time and generate errors if those ports are closed or filtered.
  4. Scan Intensity: Reduce the scan intensity (number of concurrent hosts/NVTs) if you suspect resource limitations on either the OpenVAS server or the target machine.

5. Update NVT Definitions

Outdated NVTs can cause errors because they may check for conditions that no longer apply to current software, or rely on detection methods that fail against up-to-date services.

  1. Update Feed: Run the following command to update the OpenVAS vulnerability feed:
    greenbone-feed-sync --type GVMD_DATA
  2. Check Status: Verify the feeds are up-to-date in the OpenVAS web interface (Configuration > Feed Status).

6. Investigate Unusual Activity (If Errors Persist)

If you’ve checked everything above and still see strange errors, consider these possibilities:

  • Target System Compromise: The target machine might be compromised and actively interfering with the scan. Run a full malware scan on the target system.
  • IDS/IPS Interference: An intrusion detection or prevention system (IDS/IPS) could be blocking OpenVAS scans, mistaking them for malicious activity. Check your IDS/IPS logs.
  • Man-in-the-Middle Attack: Although rare, a man-in-the-middle attack could be altering network traffic and causing scan errors. Monitor network traffic for suspicious patterns.

In these cases, consult with a cyber security professional.
