Topic: Nessus scans overloading state tables (Read 1377 times)
TrixieBell
Newbie
Posts: 8
Karma: 1
Nessus scans overloading state tables
« on: February 22, 2023, 09:47:33 pm »
Possibly off topic but I thought perhaps it belonged in the Intrusion Prevention threads.
We use Nessus for vulnerability scanning; currently, if I scan a subnet on the other side of my OPNsense firewall, it quickly fills up the state table on the firewall and I end up DoSing myself.
It doesn't seem to matter if I use SYN, UDP or TCP port scanning; I assume this may be related to block vs reject in my default rules?
The Nessus docs say -
"It may also be beneficial to review which port scanner your policy is using. While the SYN scanner is the default, and works well in most situations, it can cause connections to be “left open” in the state table of the firewalls you’re scanning through. The TCP scanner will attempt a full 3-way handshake, including closing the connection."
But this doesn't seem to make much difference in my case.
Can anyone confirm whether changing block to reject might fix this or does anyone have any other suggestions or experience with this sort of issue?
Thanks.
Logged
TrixieBell
Newbie
Posts: 8
Karma: 1
Re: Nessus scans overloading state tables
« Reply #1 on: March 01, 2023, 03:04:54 am »
I changed all my block rules to reject and am still seeing this issue; I have throttled my Nessus scan down to a single host and TCP scans, but it still grows the state table alarmingly.
Interestingly, if I scan from one subnet to another where there are no drop rules (only allows) it doesn't fill the table.
I was wondering, would it be worth setting either State Type to None, or Max source states to a value (it says "Maximum state entries per host", which I think sounds like a great idea), on my drop rules?
Logged
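A way to check which host is actually holding the states before tuning rules, as an added example that is not from the thread or from OPNsense itself: it parses `pfctl -ss` output, counts states per originating host (including half-open TCP states), and flags hosts above a per-host limit, which is what the "Max source states" option enforces. The sample lines are constructed, the line layout is approximated from FreeBSD `pfctl -ss`, and NAT'd three-endpoint lines are not handled.

```python
import re
from collections import Counter

# Constructed sample of `pfctl -ss` output (layout approximated from FreeBSD pf):
#   <iface> <proto> <src:port> -> <dst:port> <state>   (state created by the left endpoint)
#   <iface> <proto> <dst:port> <- <src:port> <state>   (state created by the right endpoint)
SAMPLE = """\
all tcp 10.0.0.5:44321 -> 192.168.1.10:22 SYN_SENT:CLOSED
all tcp 10.0.0.5:44322 -> 192.168.1.10:23 SYN_SENT:CLOSED
all tcp 10.0.0.5:44323 -> 192.168.1.10:80 ESTABLISHED:ESTABLISHED
all udp 10.0.0.5:51000 -> 192.168.1.10:53 NO_TRAFFIC:SINGLE
all tcp 192.168.1.20:443 <- 10.0.0.9:50000 ESTABLISHED:ESTABLISHED
all tcp 10.0.0.5:44324 -> 192.168.1.10:443 SYN_SENT:CLOSED
"""

# Two-endpoint lines only; NAT'd lines with a third endpoint (assumption: not needed here) are skipped.
LINE_RE = re.compile(
    r"^\S+\s+(?P<proto>\S+)\s+(?P<a>\S+)\s+(?P<dir><-|->)\s+(?P<b>\S+)\s+(?P<state>\S+)\s*$"
)


def parse_states(text):
    """Yield (origin_ip, proto, state) for each recognised pfctl -ss line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        origin = m["a"] if m["dir"] == "->" else m["b"]
        yield origin.rsplit(":", 1)[0], m["proto"], m["state"]


def states_per_source(text):
    """Return (total states per host, half-open TCP states per host)."""
    total, half_open = Counter(), Counter()
    for src, proto, state in parse_states(text):
        total[src] += 1
        if proto == "tcp" and state.startswith("SYN_SENT"):
            half_open[src] += 1
    return total, half_open


def over_limit(text, max_src_states):
    """Hosts holding more states than a per-host cap (what 'Max source states' enforces)."""
    total, _ = states_per_source(text)
    return sorted(h for h, n in total.items() if n > max_src_states)


if __name__ == "__main__":
    total, half = states_per_source(SAMPLE)
    for host, n in total.most_common():
        print(f"{host:15} states={n:3} half_open_tcp={half[host]}")
    print("over per-host limit of 3:", over_limit(SAMPLE, 3))
```

On a live box, feed it `pfctl -ss` output instead of SAMPLE; a scanner host dominating the count with mostly `SYN_SENT` entries is the signature of half-open states being left behind.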