How does the throttle in SecureRecon work?
Article: HOWTO55836 | Created: 2011-07-01 | Updated: 2011-11-07 | Article URL: http://www.symantec.com/docs/HOWTO55836
SecureRecon has two types of throttle that can be used to control scanning behavior. They let us tune the scan volume to get a high number of scans without the vulnerability scanner overloading the network to the point that it can't see the hosts. When that overload happens, you will frequently see the scheduled vulnerability scans finish very rapidly and then give the error "No hosts found".
There are 2 “throttles” used with the vulnerability scans:
1. The scan throttle set in the Risk Automation Suite UI, i.e. total scans, scans per scanner
2. The batch setting in SecureRecon
The first item controls how many IP address scan requests are sent to SecureRecon.
The second item controls how many IP addresses SecureRecon asks Nessus to scan per request. SecureRecon will send batches to Nessus in parallel.
Here’s an example of how the two throttles can be used:
UI throttle = 50 scans per scanner
SecureRecon Batch setting = 60
In this case, all 50 IP addresses will be sent to Nessus in a single Nessus scan, so the throughput we get is however fast Nessus scans.
There will be no more than 50 IPs scanned at any given time
Risk Automation Suite UI throttle = 50 scans per scanner
SecureRecon Batch setting = 10
In this case, the 50 IP addresses will be sent to Nessus in 5 parallel requests of 10 IPs each.
There will be no more than 50 IPs scanned at any given time.
*The RAS UI throttle is set during the vulnerability scan schedule setup; the SecureRecon batch setting is configured during the SecureRecon setup on the Nessus server.
If you are receiving the "No hosts found" error, you can troubleshoot by dropping the first throttle way down, to less than 10 scans at a time, and setting the SecureRecon batch higher than the throttle set in the schedule. This should effectively allow Nessus to control its own traffic on the network. Once the configuration is stable and you are getting reliable results for the hosts you expect to see, increase the throttle set in the UI until you find the point where the system starts to overload the network. When this happens, simply decrease the throttle to the last reliable setting that was used.