Re: [squid-users] Nessus vulnerability scan crashes squid

From: Greg Redder <redder@dont-contact.us>
Date: Thu, 12 Jun 2003 13:07:29 -0600 (MDT)

 Apparently nobody else has ever seen this problem, so I'll answer it
myself :-)

 The problem was the 2G filesize limit. The cache.log was filling up and
causing Squid to stop responding or even die entirely. The logrotate
command was used to fix the problem. The only reason nessus triggered the
problem was that it sends out a large number of http requests that are
subsequently cached by Squid leading to the log file filling up even
faster!

--Greg Redder
  Network Analyst
  Colorado State University

On Mon, 9 Jun 2003, Greg Redder wrote:

> Date: Mon, 9 Jun 2003 11:26:28 -0600 (MDT)
> From: Greg Redder <redder@yuma.acns.colostate.edu>
> To: squid-users@squid-cache.org
> Subject: [squid-users] Nessus vulnerability scan crashes squid
>
>
> I'm running Squid 2.5 Stable1 on Redhat Linux 9.0, kernel 2.4.20-18.
>
> Our cache is running fine until we use a vulnerability scanner (Nessus).
> Nessus has many vulnerability scans, but one set of the scans checks for
> httpd vulnerabilities. When we start the scan of another network, the
> router (via WCCP) intercepts the http requests and forwards them to the
> squid box. Eventually (somewhere between 1 minute and 30 minutes), the
> squid box stops forwarding back out requests and the clients don't get
> their web requests fulfilled and then the screaming starts ;-)
>
> A couple of notes:
>
> o We are not scanning the squid box directly. We are scanning machines
> elsewhere on the network and the http requests (that are part of
> some of the vulnerability scans) get redirected to the web cache.
>
> o Thinking that the squid box would lock up because of something in
> the scans themselves, we scanned the squid box directly and it
> kept humming along just fine.
>
> o We use WCCP version 1 off a Cisco 6500 running 12.1.13. We do not
> configure the clients to use a proxy.
>
> o It all works fine until the scans start and it seems to ride them
> out for a little while. We can easily (unfortunately) recreate
> the problem.
>
> o The box is not overwhelmed - the nessus scanner only sends out an
> http request as part of its scan every second or so.
>
> o No errors are reported in the squid logs that I can find that
> would indicate a problem.
>
> o WCCP continues to work because the router thinks it has a good cache
> engine and sends it requests, but the squid box just "eats" them.
>
> o We have temporarily solved this by putting an access list on the router
> telling the router not to redirect http packets from the nessus
> machines to the squid cache. However, this is not a feasible long
> term solution as others on our campus of 25,000 may do a nessus scan
> from somewhere and then our cache engine will die.
>
> Has anyone else witnessed this problem? I have searched the archives for
> related issues and found none :-(
>
> Thank you
> --Greg Redder
> Network Analyst
> Colorado State University
>
> ===============================================================================
> Greg Redder Academic Computing & Networking Services
> Colorado State University, ACNS Phone:(970)491-7222 FAX: (970)491-1958
> 601 S. Howes, Room 625 E-mail: redder@yuma.colostate.edu
> Fort Collins, CO 80523 PGP Fprint:299F83B58A72BE7428E064E801749C69FFA537C6
> ===============================================================================

===============================================================================
Greg Redder Academic Computing & Networking Services
Colorado State University, ACNS Phone:(970)491-7222 FAX: (970)491-1958
601 S. Howes, Room 625 E-mail: redder@yuma.colostate.edu
Fort Collins, CO 80523 PGP Fprint:299F83B58A72BE7428E064E801749C69FFA537C6
===============================================================================
Received on Thu Jun 12 2003 - 13:07:35 MDT
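
The failure mode described in the reply above (cache.log growing until it hits the 2G file size limit) can be caught before the daemon stalls. The following is an added example, not part of the original post: a shell check that flags log files nearing a per-file size limit so they can be rotated in time. The function name, the directory argument, and the 80%/95% thresholds are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): flag log files approaching
# a per-file size limit before the writing process hits it.
# Assumptions: the limit is 2^31-1 bytes (the "2G filesize limit" from the
# post); the function name and the 80%/95% thresholds are illustrative.

LIMIT_DEFAULT=2147483647   # 2^31 - 1 bytes

# check_log_sizes DIR [WARN_PCT] [LIMIT_BYTES]
# Prints one "LEVEL path size pct%" line for each *.log file at or above
# WARN_PCT of the limit. Returns 0 if none, 1 if any WARN, 2 if any CRIT
# (>= 95%), 3 if DIR is not a directory.
check_log_sizes() {
    dir=$1
    warn_pct=${2:-80}
    limit=${3:-$LIMIT_DEFAULT}
    status=0
    if [ ! -d "$dir" ]; then
        echo "ERROR $dir is not a directory" >&2
        return 3
    fi
    for f in "$dir"/*.log; do
        # Skip an unmatched glob and anything that is not a regular file.
        [ -f "$f" ] || continue
        size=$(wc -c < "$f" | tr -d ' ')
        pct=$(( size * 100 / limit ))
        if [ "$pct" -ge 95 ]; then
            echo "CRIT $f $size ${pct}%"
            status=2
        elif [ "$pct" -ge "$warn_pct" ]; then
            echo "WARN $f $size ${pct}%"
            if [ "$status" -lt 2 ]; then status=1; fi
        fi
    done
    return "$status"
}

# Run as a script: ./check_log_sizes.sh /path/to/squid/logs [warn_pct] [limit]
if [ "$#" -gt 0 ]; then
    check_log_sizes "$@"
fi
```

The return codes follow the common 0/1/2 monitoring-plugin convention, so the check can run from cron or a monitoring agent and trigger rotation or an alert on a non-zero exit.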

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:17:20 MST