[JSA/STRM] How to stop a vulnerability scan

Article ID: KB16044 KB Last Updated: 17 Sep 2020 Version: 2.0
Summary:

Vulnerability scans can often take a long time to finish. If a long scan needs to be stopped from STRM, this article shows how to do that using the nmap scanner installed locally on the STRM.

Symptoms:

An nmap (network mapper) vulnerability scan covering a CIDR range of IP addresses is started and subsequently needs to be stopped. Deleting the scan from the scheduled scans list will prevent it from starting again, but the existing scan still spawns nmap processes for each new IP to be scanned.

Solution:

When STRM initiates a vulnerability scan, it essentially passes the scan parameters configured in the scheduled scan to the vulnerability scanner software, which resides on either the local STRM box or a remote system with the scanner software installed. The nmap (or other) scanner is then responsible for starting and running the scans and reporting back to STRM.

In the case of an nmap scan directed to scan an entire subnet (as shown below), the scanner can initiate one process for each IP to be scanned.



If you subsequently stop the scan or delete it from the list of scheduled scans, the initial run of the scan is still queued up and, by default, will continue until complete.  The process in STRM which controls the vulnerability scans is the VIS process.

To stop a scan which is currently in progress, the following commands must be run at the command line of the STRM console:

NOTE: In this example, the nmap scanner is running locally on the STRM. Step 4 below would be carried out on the remote scanner system if the scanner were not installed locally.

  1. #cd /opt/qradar/init
  2. #./vis stop vis0
  3. #./vis stop passive
  4. #ps -ef | grep nmap
  5. #kill <pid of any nmap process returned from the above command>


The vis processes will restart on their own.  Any other scans that were queued up behind the troublesome scan will no longer be scheduled and will have to be restarted in the STRM UI.
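The `ps -ef | grep nmap` listing in step 4 also matches the `grep` command itself and any process that merely has "nmap" in its arguments, so the PIDs need to be picked with care before step 5. The following is an added example, not part of the original article: the function names and the sample process listing are constructed, and it assumes the Linux `ps -ef` layout in which the command is the eighth column.

```shell
#!/bin/sh
# Select only real nmap processes from `ps -ef` output (read on stdin).
# A line qualifies when its PID column is numeric (this skips the header)
# and the executable name in column 8, with any path removed, is exactly "nmap".
nmap_pids() {
    awk '$2 ~ /^[0-9]+$/ {
        n = split($8, parts, "/")
        if (parts[n] == "nmap") print $2
    }'
}

# Send SIGTERM to every nmap process found on this host (steps 4 and 5).
# Only defined here; call it by hand after stopping vis0 and passive.
stop_nmap_scans() {
    pids=$(ps -ef | nmap_pids)
    if [ -z "$pids" ]; then
        echo "no nmap processes running"
        return 0
    fi
    for pid in $pids; do
        kill "$pid" && echo "sent SIGTERM to nmap pid $pid"
    done
}

# Constructed sample of `ps -ef` output, used to show what gets selected.
# PIDs 4210 (the grep itself) and 4300 (an editor) must not be returned.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root      4101     1  0 10:02 ?        00:00:03 /usr/bin/nmap 10.0.0.17
root      4102     1  0 10:02 ?        00:00:01 nmap 10.0.0.18
root      4210  3990  0 10:05 pts/0    00:00:00 grep nmap
root      4300     1  0 10:06 ?        00:00:00 vi /root/nmap-notes.txt'

# Dry run against the sample: prints the PIDs that would be signalled.
printf '%s\n' "$SAMPLE_PS" | nmap_pids
```

Where `pgrep` is available, `pgrep -x nmap` gives the same exact-name match on the live process table.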

Modification History:
2020-09-16: Article reviewed for accuracy. Content is valid.