Tenable Nessus Network Monitor Settings Section

The Tenable Nessus Network Monitor Settings section provides options for configuring the network settings for Tenable Nessus Network Monitor. This includes what networks are monitored or excluded, how to monitor those networks, and what network interfaces Tenable Nessus Network Monitor has identified for monitoring. If your Tenable Nessus Network Monitor is licensed to run in High Performance mode, you can also Configure Tenable Nessus Network Monitor Performance Mode.

Note: While you can configure many advanced settings via the command line using custom parameters, others use standard parameters. For example, while the ACAS Classification setting uses the custom --add parameter, the Login Banner setting does not require the --add parameter.

Note: The Network Interfaces Settings view only shows network interfaces that don't have IP addresses assigned to them. As a result, if all interfaces have assigned IP addresses, in High Performance mode, the list is empty.

Name

Description

ACAS Classification

ACAS

You can enable support for ACAS banners from the command line of the Tenable Nessus Network Monitor server service using the /opt/nnm/bin/nnm --config --add "ACAS Classification" "SECRET" command. SECRET may be replaced by a different classification, for example, UNCLASSIFIED, CONFIDENTIAL, TOP SECRET, or NOFORN. This field supports alphanumeric characters and the following special characters: / - . _ #

Once enabled, a drop-down box for the ACAS option appears in the user interface front end.

You can disable support for ACAS banners from the command line of the Tenable Nessus Network Monitor server using the /opt/nnm/bin/nnm --config --delete "ACAS Classification" command from the binary directory on the server.

Advanced

Maximum Plugins Update Frequency

Specifies the maximum frequency with which plugins update.

Login Banner

Specifies a login banner.

Note: You can also configure login banners via the command line using the /opt/nnm/bin/nnm --config "Login Banner" "NNM Banner Text" command.

HTTP Header Hostname Validation

If you use a domain name to connect to Tenable Nessus Network Monitor, specify it in this box. Also enable Validate Host.

To protect against malicious attacks such as header injection, Tenable Nessus Network Monitor validates that the domain name given to the browser matches your Tenable Nessus Network Monitor server. The check is case insensitive.

Validate Host

Specifies whether Tenable Nessus Network Monitor validates the hostname in incoming requests to protect against malicious attacks.

If you enable this setting, you must enter a value for HTTP Header Hostname Validation.

Validate CSRF

When enabled, Tenable Nessus Network Monitor sends anti-Cross-Site Request Forgery (CSRF) tokens. This protects against malicious attacks.

Session Data Size

A box in which you can specify the maximum number of bytes of application layer data (e.g., FTP, HTTP, or SSH data) stored in the transport layer session cache per session. By default, the value is 3072 bytes. You can specify a minimum of 1024 bytes and a maximum of 2147483647 bytes.

Enable PII Obfuscation

Specifies whether or not to mask data from plugins that are expected to contain sensitive information (like Personally Identifiable Information [PII]). When enabled, the sensitive data is masked with asterisks. When disabled, the sensitive information appears in clear text in plugin output and logs. Type 0 to disable and 1 to enable the obfuscation.

Note: By default, this option is enabled. This option cannot be disabled if your Tenable Nessus Network Monitor is connected to another application (for example, Industrial Security, Tenable Vulnerability Management, Tenable Security Center).

Maximum SIEM Trending Data Points

Adjust this value to increase the number of SIEM Trending Data Points to take for events. You can also increase the number of sample points taken for SIEM events with the Maximum Event Trending Data Points option. By default, this option is set to 10,000.

Note: Increasing this value requires Tenable Nessus Network Monitor to allocate more memory; Tenable recommends you keep it at 10,000.

Maximum Event Trending Data Points

Adjust this value to increase the number of sample points to take for events. By default, this option is set to 10,000.

Note: Increasing this value requires Tenable Nessus Network Monitor to allocate more memory; Tenable recommends you keep it at 10,000.

Event Data Sample Interval In Minutes

Increase this value by multiples of 5, up to the maximum of 60 (1 hour), to extend the Event Data sampling interval. The default of one minute allows you to save data for up to a week. You can also increase the number of sample points to take for events with the Maximum Event Trending Data Points and Maximum SIEM Trending Data Points options. By default, this option is set to 1.

Analysis Modules

Enable SCADA/ICS Analysis Module

Enables the SCADA/ICS Analysis Module. Click the caret button to the left of the setting name to display a list of individual module detections within the module. Click on individual module detections within the list to disable/enable them. Disabling a SCADA/ICS module detection enables the legacy PASL. See the SCADA/ICS Analysis Module for more information.

Enable Connection Analysis Module

Enables the Connection Analysis Module. Click the caret button to the left of the setting name to display a list of individual module detections within the module. Click on individual module detections within the list to disable/enable them. See the Connection Analysis Module for more information.

Enable IoT Analysis Module

When enabled, Tenable Nessus Network Monitor detects plugins in the IoT family. By default, this option is enabled.

DNS Query

DNS Cache Lifetime Analysis Module

Specifies the amount of time Tenable Nessus Network Monitor retains and stores a given host’s DNS record, in seconds. By default, this option is set to 43200 (12 hours), but can be set to any value between 3600 and 172800 (48 hours).

DNS Query Time Interval

Specifies the delay between sets of DNS queries, in seconds. By default, this option is set to 5, but can be set to any value between 1 and 120.

DNS Queries per Interval

Specifies the maximum number of concurrent DNS requests made in each DNS query interval. By default, this option is set to 5, but can be set to any value between 0 and 1000. Setting this value to 0 disables this feature and prevents further DNS queries from being made.

Database

Enable Malformed Database Recovery

When enabled, allows Tenable Nessus Network Monitor to recover a malformed database.

Memory

Sessions Cache Size

Specifies the size, in megabytes, of the session table. Adjust the session size as needed for the local network. By default, this option is set to 50.

Packet Cache Size

Specifies the maximum size, in megabytes, of the cache used to store the contents of the packets collected before processing. By default, this option is set to 128 MB with a maximum size of 512 MB. When the cache is full, any subsequently captured packets are dropped until space in the cache becomes available.

Monitoring

Run in Discovery Mode

Specifies whether or not Tenable Nessus Network Monitor runs in discovery mode. When enabled, Tenable Nessus Network Monitor discovers basic asset data instead of reporting vulnerabilities. This includes IP addresses, MAC addresses, hostnames, and other relevant asset data. This option is enabled by default during initial Tenable Nessus Network Monitor installation.

Note: The Tenable Nessus Network Monitor dashboards do not display informational-level plugins. Dashboards display vulnerability plugins with a higher severity level.

Note: If you want to link Tenable Nessus Network Monitor to an instance of Industrial Security, disable this option.

In discovery mode, users can expect to see the following detections:

  • 0: Open Port

  • 12: Number of Hops

  • 18: Generic Protocol Detection

  • 19: VLAN ID Detection

  • 20: Generic IPv6 Tunnel Traffic Detection

  • 113: VXLAN ID Detection

  • 132: Host Attribute Enumeration

Monitored Network Interfaces

A list of the network devices used for sniffing packets. You can select devices individually or in multiples. Select at least one interface from the list of available devices.

Note: High Performance mode does not support e1000 NICs as monitored interfaces on virtual machines. If you are running Tenable Nessus Network Monitor on a virtual machine in High Performance mode and select an e1000 monitored interface, Tenable Nessus Network Monitor automatically reverts to Standard mode.

Monitored Network IP Addresses and Ranges

Specifies the networks monitored. The default setting is 0.0.0.0/0, which instructs Tenable Nessus Network Monitor to monitor all IPv4 addresses. Change this to monitor only target networks; otherwise Tenable Nessus Network Monitor may quickly become overwhelmed. Separate multiple addresses by commas. When monitoring VLAN networks, you must use the syntax vlan ipaddress/subnet.

Example: 192.0.2.0/24,2001:DB8::/64,10.2.3.0/22,vlan 192.0.2.0/16,192.168.3.123/32

Note: The syntax is case-sensitive.

Excluded Network IP Addresses and Ranges

Specifies, in CIDR notation, any networks to exclude specifically from Tenable Nessus Network Monitor monitoring. This option accepts both IPv4 and IPv6 addresses. Separate multiple addresses by commas. When excluding VLAN networks, you must use the syntax vlan ipaddress/subnet. No addresses are excluded if this box is left blank.

Note: You can exclude up to 128 CIDR entries at one time.

Example: 192.0.2.0/24,2001:DB8::/64,10.2.3.0/22,vlan 192.0.2.0/16,192.168.3.123/32
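The two list settings above (Monitored and Excluded Network IP Addresses and Ranges) share one syntax: comma-separated IPv4/IPv6 CIDR entries, an optional case-sensitive vlan prefix, and a cap of 128 entries for the exclusion list. The following Python validator is an added example, not Tenable code; it applies those rules to the page's own example value and assumes that VLAN entries can be matched on address alone when no VLAN tag is available.

```python
import ipaddress
from typing import List, NamedTuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class Entry(NamedTuple):
    vlan: bool        # True when the entry carried the "vlan " prefix
    network: Network  # parsed IPv4 or IPv6 network

# The page states the exclusion list takes up to 128 CIDR entries; no cap is
# documented for the monitored list, so it is only enforced for exclusions.
MAX_EXCLUDED_ENTRIES = 128


def parse_network_list(value: str, exclusion_list: bool = False) -> List[Entry]:
    """Parse a Monitored/Excluded Network IP Addresses and Ranges value.

    Raises ValueError naming the offending entry.
    """
    entries: List[Entry] = []
    if not value.strip():
        return entries  # a blank exclusion box excludes nothing
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            raise ValueError("empty entry in list (stray comma?)")
        vlan = False
        if item.startswith("vlan "):
            vlan = True
            item = item[len("vlan "):].strip()
        elif item.lower().startswith("vlan "):
            # The syntax is case-sensitive, so "VLAN ..." is rejected.
            raise ValueError(f"{raw.strip()!r}: the vlan keyword must be lowercase")
        try:
            # strict=False: the page's own example "vlan 192.0.2.0/16" has host
            # bits set, so they are masked off instead of being rejected.
            network = ipaddress.ip_network(item, strict=False)
        except ValueError as exc:
            raise ValueError(f"{raw.strip()!r}: not a valid IPv4/IPv6 address or CIDR") from exc
        entries.append(Entry(vlan, network))
    if exclusion_list and len(entries) > MAX_EXCLUDED_ENTRIES:
        raise ValueError(f"{len(entries)} exclusion entries exceed the limit of {MAX_EXCLUDED_ENTRIES}")
    return entries


def validate_network_list(value: str, exclusion_list: bool = False) -> str:
    """Return "" when the value parses, otherwise the error message."""
    try:
        parse_network_list(value, exclusion_list)
    except ValueError as exc:
        return str(exc)
    return ""


def is_monitored(address: str, monitored: str, excluded: str = "") -> bool:
    """Decide whether a single address is inside the monitored ranges and
    outside the excluded ones. VLAN entries are matched on address alone here
    (assumption: this helper has no VLAN tag to compare against)."""
    addr = ipaddress.ip_address(address)
    inside = any(addr in e.network for e in parse_network_list(monitored))
    blocked = any(addr in e.network
                  for e in parse_network_list(excluded, exclusion_list=True))
    return inside and not blocked
```

Checking a candidate value with validate_network_list before pasting it into the settings box catches the case-sensitive vlan keyword and the 128-entry exclusion limit; is_monitored also shows that the default 0.0.0.0/0 covers every IPv4 address but no IPv6 address.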

Extended Packet Filter

Specifies a Berkeley Packet Filtering (BPF) expression to expand or narrow down the IP addresses being monitored. Use "or" or "and" to join your expression to the total expression for packet filtering.

For example:

  • To filter vlan hierarchies two levels deep in addition to the IP address list, in the Extended Packet Filter dialog, enter: or (vlan && vlan).

  • To require that the packets filtered by the IP address list also be two levels deep, in the Extended Packet Filter dialog, enter: and (vlan && vlan).

Note: These options are for packet filtering experts only. For information about available primitives, see the PCAP Filter man page.

Enable VXLAN Traffic Analysis

Enables decoding of Virtual Extensible LAN protocol (VXLAN) traffic.

Tenable Nessus Network Monitor Proxy

Tenable Nessus Network Monitor Restart Attempts

The number of times the Tenable Nessus Network Monitor proxy attempts to restart the Tenable Nessus Network Monitor engine in the event the engine stops running. By default, this option is set to 10, but can be set to any value between 1 and 15. Once the restart attempt limit is reached, the proxy stops trying for 30 minutes.

Tenable Nessus Network Monitor Restart Interval

The amount of time, in minutes, between Tenable Nessus Network Monitor restart attempts. By default, this option is set to 10, but can be set to any value between 1 and 3600.

Tenable Nessus Network Monitor Web Server

Enable SSL for Web Server

When selected, enables SSL protection for connections to the web server. By default, this check box is selected. Tenable does not recommend clearing the check box, as it allows the sending of unencrypted traffic between a browser and Tenable Nessus Network Monitor. You may install custom SSL certificates in the /opt/nnm/var/nnm/ssl directory. Restart Tenable Nessus Network Monitor after making changes to this setting.

Note: Changing this option while Tenable Nessus Network Monitor is running makes communication between the client and server either encrypted or unencrypted. If you select or clear the Enable SSL for Web Server check box, the Web Server automatically ends your current Tenable Nessus Network Monitor session.

Minimum Password Length

Specifies the lowest number of characters a password may contain. By default, this option is set to 5, but can be set to any value between 5 and 32.

Tenable Nessus Network Monitor Web Server Address

Specifies the IPv4 or IPv6 address on which the Tenable Nessus Network Monitor web server listens. The default setting is 0.0.0.0, which instructs the web server to listen on all available IPv4 and IPv6 addresses.

Note: Link-local addresses are not supported for IPv6 addresses.

Tenable Nessus Network Monitor Web Server Port

Specifies the Tenable Nessus Network Monitor web server-listening port. The default setting is 8835, but can be changed as appropriate for the local environment.

Note: If you change the value in this box, the Web Server automatically ends your current Tenable Nessus Network Monitor session.

Tenable Nessus Network Monitor Web Server Idle Session Timeout

Specifies the number of minutes of inactivity before a web session becomes idle. By default, this option is set to 30, but can be set to any value between 5 and 60.

Enable SSL Client Certificate Authentication

When enabled, allows the web server to accept only SSL client certificates for user authentication.

Enable Debug Logging for Tenable Nessus Network Monitor Web Server

When enabled, allows the web server to include debug information in the logs for troubleshooting issues related to the web server. The logs become large if this option is enabled routinely.

Maximum User Login Attempts

Specifies the number of times a user can type an incorrect password in a 24-hour period before the user’s account is locked.

Max Sessions per User

Specifies the number of concurrent sessions a user can have running at one time.

Enforce Complex Passwords

When enabled, forces the user’s passwords to contain at least one uppercase character, one lowercase character, one digit, and one special character from the following: !@#$%^&*().

Use TLS 1.2

When enabled, the Tenable Nessus Network Monitor web server uses TLS 1.2 communications. By default, this option is enabled.

Note: If you disable this option, the Tenable Nessus Network Monitor web server uses TLS 1.1, which is less secure.

Disable CBC Ciphers

When enabled, disables the use of CBC ciphers in TLS 1.2. By default, this option is disabled.

Note: This setting is used in conjunction with Enable NIAP Mode. For more information, see Configure Tenable Nessus Network Monitor for NIAP Compliance.

Enable Strong Encryption

When enabled, forces Tenable Nessus Network Monitor to select the strongest ciphers in the TLS 1.2 communications suite. By default, this option is enabled.

When strong encryption is enabled, the user can expect to see typical ciphers such as:

  • TLS_RSA_WITH_AES_128_CBC_SHA

  • TLS_RSA_WITH_AES_128_CBC_SHA256

  • TLS_RSA_WITH_AES_128_GCM_SHA256

  • TLS_RSA_WITH_AES_256_CBC_SHA

  • TLS_RSA_WITH_AES_256_CBC_SHA256

  • TLS_RSA_WITH_AES_256_GCM_SHA384

  • TLS_RSA_WITH_CAMELLIA_128_CBC_SHA

  • TLS_RSA_WITH_CAMELLIA_256_CBC_SHA

If this option is disabled, Tenable Nessus Network Monitor uses the following ciphers:

  • TLS_RSA_WITH_AES_128_CBC_SHA

  • TLS_RSA_WITH_AES_256_CBC_SHA

To configure NIAP-compliant ciphers, see Configure Tenable Nessus Network Monitor for NIAP Compliance.

Plugins

Process High Speed Plugins Only

Tenable Nessus Network Monitor is designed to find various protocols on non-standard ports. For example, Tenable Nessus Network Monitor can easily find an Apache server running on a port other than 80. However, on a high traffic network, Tenable Nessus Network Monitor can be run in High Performance mode, which allows it to focus certain plugins on specific ports. When High Performance mode is enabled and this check box is selected, any plugin that utilizes the keywords hs_dport or hs_sport is executed only on traffic traversing the specified ports.

Realtime Events

Realtime Events File Size

Specifies the maximum amount of data from real-time events that is stored in one text file. The option must be specified in kilobytes, megabytes, or gigabytes by appending a K, M, or G, respectively, to the value.

Log Realtime Events to Realtime Log File

When enabled, allows Tenable Nessus Network Monitor detected real-time events to be recorded to a log file in the following location:

/opt/nnm/var/nnm/logs/realtime-logs-##.txt

You can configure this option via the CLI.

Enable Realtime Event Analysis

When enabled, allows Tenable Nessus Network Monitor to analyze real-time events.

Maximum Viewable Realtime Events

Specifies the maximum number of most recent events cached by the Tenable Nessus Network Monitor engine. This setting is in effect only when Realtime Event Analysis is enabled.

Maximum Realtime Log Files

Specifies the maximum number of real-time log files written to the disk.

Reports

Report Threshold

Specifies the number of times the encryption detection algorithm executes during a session. Once the threshold is reached, the algorithm no longer executes during the session. By default, this option is set to 3.

Report Lifetime

Specifies, in days, how long vulnerabilities and snapshot reports are cached. After the configured number of days is met, discovered vulnerabilities and snapshot reports are removed. This option can be set to a maximum value of 90 days. By default, this option is set to 7 and cannot be set higher than the Host Lifetime value.

Host Lifetime

Specifies, in days, how long hosts are cached. After the configured number of days is met, discovered hosts are removed. This option can be set to a maximum value of 365 days. By default, this option is set to 7 and cannot be set lower than the Report Lifetime value.

Report Frequency

Specifies, in minutes, how often Tenable Nessus Network Monitor writes a report. By default, this option is set to 15. Tenable Security Center retrieves the Tenable Nessus Network Monitor report every 15 minutes.

Knowledgebase Lifetime

Specifies, in seconds, the maximum length of time that a knowledgebase entry remains valid after its addition. By default, this option is set to 864000.

New Asset Discovery Interval

Specifies, in days, how long Tenable Nessus Network Monitor monitors traffic before detecting new hosts. Tenable Nessus Network Monitor listens to network traffic and attempts to discover when a new host has been added. To do this, Tenable Nessus Network Monitor constantly compares a list of hosts that have generated traffic in the past to those currently generating traffic. If it finds a new host generating traffic, it issues a “new host alert” via the real-time log. For large networks, Tenable Nessus Network Monitor can be configured to run for several days to gain knowledge about which hosts are active. This prevents Tenable Nessus Network Monitor from issuing an alert for hosts that already exist. For large networks, Tenable® recommends that Tenable Nessus Network Monitor operate for at least two days before detecting new hosts. By default, this option is set to 2.

Connections to Services

When enabled, allows Tenable Nessus Network Monitor to log which clients attempt to connect to servers on the network and to what port they attempt to connect. These events indicate only that an attempt to connect was made, not whether the connection was successful. Events of this type detected by Tenable Nessus Network Monitor are logged as Tenable Nessus Network Monitor internal plugin ID 2.

Show Connections

When enabled, instructs Tenable Nessus Network Monitor to record clients in the focus network that attempt to connect to a server IP address and port and receive a positive response. The record contains the client IP address, the server IP address, and the server port that the client attempted to connect to. For example, if four different hosts within the focus network attempt to connect with a server IP over port 80 and receive a positive response, then a list of those hosts is reported under Tenable Nessus Network Monitor internal plugin ID 3 and port 80.

Known Hosts File

Note: You can only configure this feature via the command-line interface.

A configuration parameter in which you can type the location of the known-hosts.txt file. Manually create the Known Hosts file.

This feature supports a single row for each IP (IPv4 or IPv6). Hyphenated ranges and CIDR notation are not supported. New host alerts no longer appear for the hosts listed in this file.

Note: Blank rows are ignored, and invalid entries are noted in the Tenable Nessus Network Monitor log file. If you make any changes to the Known Hosts file, you must restart Tenable Nessus Network Monitor.
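The known-hosts.txt rules above (one IPv4 or IPv6 address per row, blank rows ignored, no hyphenated ranges or CIDR, invalid rows noted) are easy to get wrong by hand before a restart. The following Python loader is an added example, not Tenable code: it applies those rules to constructed sample file content, returns the notes that the page says land in the log file, and shows which hosts would still raise a new host alert.

```python
import ipaddress
from typing import List, Set, Tuple


def load_known_hosts(text: str) -> Tuple[Set[str], List[str]]:
    """Parse the contents of a known-hosts.txt file.

    Returns (accepted addresses, notes about invalid rows). The rules follow
    the setting description: one IPv4 or IPv6 address per row, blank rows
    ignored, hyphenated ranges and CIDR notation rejected.
    """
    hosts: Set[str] = set()
    notes: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        row = raw.strip()
        if not row:
            continue  # blank rows are ignored
        try:
            addr = ipaddress.ip_address(row)
        except ValueError:
            if "/" in row:
                reason = "CIDR notation is not supported"
            elif "-" in row:
                reason = "hyphenated ranges are not supported"
            else:
                reason = "not a valid IPv4 or IPv6 address"
            notes.append(f"line {lineno}: {reason}: {row!r}")
            continue
        # Normalise so that "2001:DB8::1" and "2001:db8:0:0::1" match.
        hosts.add(addr.compressed)
    return hosts, notes


def raises_new_host_alert(address: str, known_hosts: Set[str]) -> bool:
    """True when a host seen generating traffic is not listed in the known
    hosts file and would therefore raise a new host alert."""
    return ipaddress.ip_address(address).compressed not in known_hosts


# Constructed sample file content (not from the page).
SAMPLE_KNOWN_HOSTS = """\
192.0.2.10

2001:DB8::1
192.0.2.0/24
10.0.0.1-10.0.0.20
not-an-ip
"""
```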

Session Analysis

Encrypted Sessions Dependency Plugins

Specifies the Plugin IDs, separated by commas, used to detect encrypted traffic.

Encrypted Sessions Excluded Network Ranges

Specifies the IPv4 and IPv6 addresses and ports, in CIDR notation, excluded from monitoring for encrypted traffic.

Example: 192.0.2.0/24,2001:DB8::/64,10.2.3.0/22,vlan 192.0.2.0/16,192.168.3.123/32

Interactive Sessions Dependency Plugins

Specifies the plugin IDs, separated by commas, used to detect interactive sessions.

Interactive Sessions Excluded Network Ranges

Specifies the IPv4 and IPv6 addresses and ports, in CIDR notation, excluded from monitoring for interactive sessions.

Example: 192.0.2.0/24,2001:DB8::/64,10.2.3.0/22,vlan 192.0.2.0/16,192.168.3.123/32

SIEM Processing Options

Note: SIEM analysis features are only available for RH/CentOS 7 and RH/CentOS 8.

Enable SIEM Assets Discovery

When selected, allows Tenable Nessus Network Monitor to discover assets through SIEM analysis. For more information, see SIEM Analysis Section.

Enable SIEM User Account Activity

When selected, allows Tenable Nessus Network Monitor to detect user account activity through SIEM analysis. For more information, see SIEM Analysis Section.

Enable SIEM Software Detection

When selected, allows Tenable Nessus Network Monitor to detect software events through SIEM analysis. For more information, see SIEM Analysis Section.

Enable SIEM Service Modification

When selected, allows Tenable Nessus Network Monitor to detect service modification events through SIEM analysis. For more information, see SIEM Analysis Section.

SIEM Polling Interval

The interval, in minutes, after which Tenable Nessus Network Monitor updates its status with the SIEM servers and asks for a list of jobs. Options are in the range of 5-10 minutes.

SIEM Servers

SIEM Servers List

Note: SIEM analysis features are only available for RH/CentOS 7 and RH/CentOS 8.

Lists the servers used to track SIEM-related events. The charts shown in the SIEM Analysis section pull data from these servers. This section provides three options:

  • Add - Add a new SIEM server setting. Enter the following information:

    • IP - The server IP address.

    • Port (TCP) - The server IP port number.

    • SIEM Type - The server's SIEM type (Splunk).

    • User - The username that grants server access.

    • Password - The password that grants server access.

  • Edit - Edit the SIEM server settings listed above.

  • Delete - Delete the selected SIEM server and all related SIEM queries.

Note: SIEM server entries are displayed as User@IP_Address:Port. The combination of these three parameters is unique; entries with the same three parameters are rejected.

Note: Tenable recommends that you only use trusted self-signed certificates for Splunk instances used with Tenable Nessus Network Monitor.

Syslog

Realtime Syslog Server List

Specifies the IPv4 or IPv6 address and port of a Syslog server to receive real-time events from Tenable Nessus Network Monitor. Click Add to save the address. A local Syslog daemon is not required. Syslog items can be specified to Standard or CEF formats and UDP or TCP protocols.

Example: 192.0.2.12:4567,10.10.10.10:514,[2001:DB8::23B4]:514

Vulnerability Syslog Server List

Specifies the IPv4 or IPv6 address and port of a Syslog server to receive vulnerability data from Tenable Nessus Network Monitor. Click Add to save the address. A local Syslog daemon is not required. You can specify Syslog items to Standard or CEF formats and UDP or TCP protocols.

Example: 192.0.2.12:4567,10.10.10.10:514,[2001:DB8::23B4]:514

Note: While Tenable Nessus Network Monitor may display multiple log events related to one connection, it sends only a single event to the remote Syslog server(s).
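Both Syslog server lists above take comma-separated address:port entries, with IPv6 addresses in square brackets as the page's example shows. The following Python parser is an added example, not Tenable code; it checks the page's example value and rejects the ambiguous unbracketed IPv6 form and out-of-range ports. It assumes only IP addresses (not hostnames) are accepted, as the setting description states.

```python
import ipaddress
from typing import List, NamedTuple


class SyslogTarget(NamedTuple):
    address: str  # normalised IPv4 or IPv6 address text
    port: int


def parse_syslog_server_list(value: str) -> List[SyslogTarget]:
    """Parse a Realtime or Vulnerability Syslog Server List value.

    IPv4 entries are written address:port and IPv6 entries [address]:port,
    as in the page's example. Raises ValueError naming the offending entry.
    """
    targets: List[SyslogTarget] = []
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            raise ValueError("empty entry in list (stray comma?)")
        if item.startswith("["):
            end = item.find("]:")
            if end == -1:
                raise ValueError(f"{item!r}: IPv6 entries must be written [address]:port")
            host, port_text = item[1:end], item[end + 2:]
        else:
            host, sep, port_text = item.rpartition(":")
            if not sep or ":" in host:
                # An unbracketed IPv6 address is ambiguous: its last group
                # cannot be told apart from the port.
                raise ValueError(f"{item!r}: expected address:port (use [address]:port for IPv6)")
        try:
            addr = ipaddress.ip_address(host)
        except ValueError as exc:
            raise ValueError(f"{item!r}: {host!r} is not an IPv4 or IPv6 address") from exc
        if item.startswith("[") and addr.version != 6:
            raise ValueError(f"{item!r}: brackets are only used around IPv6 addresses")
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise ValueError(f"{item!r}: port must be a number from 1 to 65535")
        targets.append(SyslogTarget(addr.compressed, int(port_text)))
    return targets


def syslog_list_error(value: str) -> str:
    """Return "" when the value parses, otherwise the error message."""
    try:
        parse_syslog_server_list(value)
    except ValueError as exc:
        return str(exc)
    return ""
```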