Tenable Nessus Network Monitor Settings Section
The Tenable Nessus Network Monitor Settings section provides options for configuring the network settings for Tenable Nessus Network Monitor. This includes what networks are monitored or excluded, how to monitor those networks, and what network interfaces Tenable Nessus Network Monitor has identified for monitoring. If your Tenable Nessus Network Monitor is licensed to run in High Performance mode, you can also Configure Tenable Nessus Network Monitor Performance Mode.
Note: While you can configure many advanced settings via the command line using custom parameters, others use standard parameters. For example, while the ACAS Classification setting uses the custom --add parameter, the Login Banner setting does not require the --add parameter.
Note: The Network Interfaces Settings view only shows network interfaces that don't have IP addresses assigned to them. As a result, if all interfaces have assigned IP addresses, in High Performance mode, the list is empty.
Name |
Description |
---|---|
ACAS Classification |
|
ACAS |
You can enable support for ACAS banners from the command line of the Tenable Nessus Network Monitor server service using the Once enabled, a drop-down box for the ACAS option appears in the user interface front end. You can disable support for ACAS banners from the command line of the Tenable Nessus Network Monitor server using the |
Advanced |
|
Maximum Plugins Update Frequency |
Specifies the maximum frequency with which plugins update. |
Login Banner |
Specifies a login banner. Note: You can also configure login banners via the command line using the |
HTTP Header Hostname Validation |
If you use a domain name to connect to Tenable Nessus Network Monitor, specify it in this box and also enable Validate Host. To protect against attacks such as Host header injection, Tenable Nessus Network Monitor checks that the Host header the browser sends matches the domain name configured here for your Tenable Nessus Network Monitor server. The check is case insensitive. |
Validate Host |
When enabled, Tenable Nessus Network Monitor validates the hostname in incoming web requests to protect against Host header attacks. If you enable this setting, you must enter a value for HTTP Header Hostname Validation. |
Validate CSRF |
When enabled, Tenable Nessus Network Monitor sends anti-Cross-Site Request Forgery (CSRF) tokens. This protects against CSRF attacks, in which a page controlled by an attacker causes a logged-in user's browser to issue unwanted requests to the Tenable Nessus Network Monitor server. |
Session Data Size |
A box in which you can specify the maximum number of bytes of application layer data (e.g., FTP, HTTP, or SSH data) stored in the transport layer session cache per session. By default, the value is 3072 bytes. You can specify a minimum of 1024 bytes and a maximum of 2147483647 bytes. |
Enable PII Obfuscation |
Specifies whether or not to mask data from plugins that are expected to contain sensitive information (like Personally Identifiable Information [PII]). When enabled, the sensitive data is masked with asterisks. When disabled, the sensitive information appears in clear text in plugin output and logs. Type 0 to disable and 1 to enable the obfuscation. Note: By default, this option is enabled. This option cannot be disabled if your Tenable Nessus Network Monitor is connected to another application (for example, Industrial Security, Tenable Vulnerability Management, Tenable Security Center). |
Maximum Event Trending Data Points |
Adjust this value to increase the number of sample points taken for events. By default, this option is set to 10,000. Note: Increasing this value requires Tenable Nessus Network Monitor to allocate more memory, so Tenable recommends keeping it at 10,000. |
Event Data Sample Interval In Minutes |
Increase this value by multiples of 5, up to the maximum of 60 (1 hour), to extend the Event Data sampling interval. The default of one minute allows you to save data for up to a week. You can also increase the number of sample points to take for events with the Maximum Event Trending Data Points and Maximum SIEM Trending Data Points options. By default, this option is set to 1. |
Analysis Modules |
|
Enable SCADA/ICS Analysis Module |
Enables the SCADA/ICS Analysis Module. Click the caret button to the left of the setting name to display a list of individual module detections within the module. Click on individual module detections within the list to disable/enable them. Disabling a SCADA/ICS module detection enables the legacy PASL. See the SCADA/ICS Analysis Module for more information. |
Enable Connection Analysis Module |
Enables the Connection Analysis Module. Click the caret button to the left of the setting name to display a list of individual module detections within the module. Click on individual module detections within the list to disable/enable them. See the Connection Analysis Module for more information. |
Enable IoT Analysis Module |
When enabled, Tenable Nessus Network Monitor runs the plugins in the IoT plugin family. By default, this option is enabled. |
DNS Query |
|
DNS Cache Lifetime |
Specifies the amount of time, in seconds, that Tenable Nessus Network Monitor retains a given host's DNS record. By default, this option is set to 43200 (12 hours), but can be set to any value between 3600 (1 hour) and 172800 (48 hours). |
DNS Query Time Interval |
Specifies the delay between sets of DNS queries, in seconds. By default, this option is set to 5, but can be set to any value between 1 and 120. |
DNS Queries per Interval |
Specifies the maximum number of DNS requests made concurrently at each DNS query interval. By default, this option is set to 5, but can be set to any value between 0 and 1000. Setting this value to 0 disables the feature and prevents any further DNS queries from being made. |
Database |
|
Enable Malformed Database Recovery |
When enabled, allows Tenable Nessus Network Monitor to recover a malformed database. |
Memory |
|
Sessions Cache Size |
Specifies the size, in megabytes, of the session table. Adjust the session size as needed for the local network. By default, this option is set to 50. |
Packet Cache Size |
Specifies the maximum size, in megabytes, of the cache used to store the contents of the packets collected before processing. By default, this option is set to 128 MB with a maximum size of 512 MB. When the cache is full, any subsequently captured packets are dropped until space in the cache becomes available. |
Run in Discovery Mode |
Specifies whether or not Tenable Nessus Network Monitor runs in discovery mode. When enabled, Tenable Nessus Network Monitor discovers basic asset data instead of reporting vulnerabilities. This includes IP addresses, MAC addresses, hostnames, and other relevant asset data. This option is enabled by default during initial Tenable Nessus Network Monitor installation. Note: The Tenable Nessus Network Monitor dashboards do not display informational-level plugins. Dashboards display vulnerability plugins with a higher severity level. Note: If you want to link Tenable Nessus Network Monitor to an instance of Industrial Security, disable this option. In discovery mode, users can expect to see the following detections:
|
Monitored Network Interfaces |
A list of the network devices used for sniffing packets. You can select devices individually or in multiples. Select at least one interface from the list of available devices. Note: High Performance mode does not support e1000 NICs as monitored interfaces on virtual machines. If you are running Tenable Nessus Network Monitor on a virtual machine in High Performance mode and select an e1000 monitored interface, Tenable Nessus Network Monitor automatically reverts to Standard mode. |
Monitored Network IP Addresses and Ranges |
Specifies the networks monitored. The default setting is 0.0.0.0/0, which instructs Tenable Nessus Network Monitor to monitor all IPv4 addresses. Change this to monitor only target networks; otherwise Tenable Nessus Network Monitor may quickly become overwhelmed. Separate multiple addresses by commas. When monitoring VLAN networks, you must use the syntax Example: 192.0.2.0/24,2001:DB8::/64,10.2.3.0/22,vlan 192.0.2.0/16,192.168.3.123/32 Note: The syntax is case-sensitive. |
Excluded Network IP Addresses and Ranges |
Specifies, in CIDR notation, any networks to exclude specifically from Tenable Nessus Network Monitor monitoring. This option accepts both IPv4 and IPv6 addresses. Separate multiple addresses by commas. When excluding VLAN networks, you must use the syntax Note: You can exclude up to 128 CIDR entries at one time. Example: 192.0.2.0/24,2001:DB8::/64,10.2.3.0/22,vlan 192.0.2.0/16,192.168.3.123/32 |
Specifies a Berkeley Packet Filter (BPF) expression to expand or narrow down the IP addresses being monitored. Use "or" or "and" to join your expression to the total expression for packet filtering. For example:
Note: These options are for packet filtering experts only. For information about available primitives, see the PCAP Filter man page. |
|
Enable VXLAN Traffic Analysis |
Enables decoding of Virtual Extensible LAN protocol (VXLAN) traffic. |
Tenable Nessus Network Monitor Proxy |
|
Tenable Nessus Network Monitor Restart Attempts |
The number of times the Tenable Nessus Network Monitor proxy attempts to restart the Tenable Nessus Network Monitor engine in the event the engine stops running. By default, this option is set to 10, but can be set to any value between 1 and 15. Once the restart attempt limit is reached, the proxy stops trying for 30 minutes. |
Tenable Nessus Network Monitor Restart Interval |
The amount of time, in minutes, between Tenable Nessus Network Monitor restart attempts. By default, this option is set to 10, but can be set to any value between 1 and 3600. |
Tenable Nessus Network Monitor Web Server |
|
Enable SSL for Web Server |
When selected, enables SSL protection for connections to the web server. By default, this check box is selected. Tenable does not recommend clearing the check box, as it allows the sending of unencrypted traffic between a browser and Tenable Nessus Network Monitor. You may install custom SSL certificates in the Note: Changing this option while Tenable Nessus Network Monitor is running makes communication between the client and server either encrypted or unencrypted. If you select or clear the Enable SSL for Web Server check box, the Web Server automatically ends your current Tenable Nessus Network Monitor session. |
Minimum Password Length |
Specifies the lowest number of characters a password may contain. By default, this option is set to 5, but can be set to any value between 5 and 32. |
Tenable Nessus Network Monitor Web Server Address |
Specifies the IPv4 or IPv6 address on which the Tenable Nessus Network Monitor web server listens. The default setting is 0.0.0.0, which instructs the web server to listen on all available IPv4 and IPv6 addresses. Note: Link-local addresses are not supported for IPv6 addresses. |
Tenable Nessus Network Monitor Web Server Port |
Specifies the Tenable Nessus Network Monitor web server-listening port. The default setting is 8835, but can be changed as appropriate for the local environment. Note: If you change the value in this box, the Web Server automatically ends your current Tenable Nessus Network Monitor session. |
Tenable Nessus Network Monitor Web Server Idle Session Timeout |
Specifies the number of minutes of inactivity before a web session becomes idle. By default, this option is set to 30, but can be set to any value between 5 and 60. |
Enable SSL Client Certificate Authentication |
When enabled, allows the web server to accept only SSL client certificates for user authentication. |
Enable Debug Logging for Tenable Nessus Network Monitor Web Server |
When enabled, allows the web server to include debug information in the logs for troubleshooting issues related to the web server. The logs become large if this option is enabled routinely. |
Maximum User Login Attempts |
Specifies the number of times a user can type an incorrect password in a 24-hour period before the user’s account is locked. |
Max Sessions per User |
Specifies the number of concurrent sessions a user can have running at one time. |
Enforce Complex Passwords |
When enabled, forces the user’s passwords to contain at least one uppercase character, one lowercase character, one digit, and one special character from the following: !@#$%^&*(). |
Use TLS 1.2 |
When enabled, the Tenable Nessus Network Monitor web server uses TLS 1.2 communications. By default, this option is enabled. Note: If you disable this option, the Tenable Nessus Network Monitor web server uses TLS 1.1, which is deprecated (RFC 8996) and less secure. |
Disable CBC Ciphers |
When enabled, disables the use of CBC ciphers in TLS 1.2. By default, this option is disabled. Note: This setting is used in conjunction with Enable NIAP Mode. For more information, see Configure Tenable Nessus Network Monitor for NIAP Compliance. |
When enabled, forces Tenable Nessus Network Monitor to select the strongest ciphers in the TLS 1.2 communications suite. By default, this option is enabled. When strong encryption is enabled, the user can expect to see typical ciphers such as:
If this option is disabled, the Tenable Nessus Network Monitor uses the following ciphers:
To configure NIAP-compliant ciphers, see Configure Tenable Nessus Network Monitor for NIAP Compliance. |
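The three settings above (Use TLS 1.2, Disable CBC Ciphers, strong encryption) are server-side switches, and the way to confirm they took effect is to probe the web server from a client. The following Python script is an added example, not Tenable's code and not from this page: it builds a client policy equivalent to "TLS 1.2 only, no CBC suites", plus deliberately weak clients pinned to TLS 1.1 or to CBC suites only, and reports which of them the server still accepts. Only the standard library is used; the default port 8835 is taken from the page, and the probe disables certificate verification because it tests protocol policy, not trust.

```python
import socket
import ssl

NNM_DEFAULT_PORT = 8835  # default web server port from the page


def cbc_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of the CBC-mode suites a context would offer or accept.

    SSLContext.get_ciphers() reports the bulk cipher in the 'symmetric' field using
    OpenSSL's long name: 'aes-256-cbc' for CBC suites, 'aes-128-gcm' for AEAD ones.
    """
    return [c["name"] for c in ctx.get_ciphers()
            if "cbc" in (c.get("symmetric") or "").lower()]


def hardened_context(verify: bool = True) -> ssl.SSLContext:
    """Client policy equivalent to 'Use TLS 1.2' plus 'Disable CBC Ciphers'.

    OpenSSL's cipher-string language has no 'CBC' keyword, so the list is built by
    selecting AEAD families (AES-GCM, ChaCha20-Poly1305) rather than by exclusion.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL")
    if verify:
        ctx.load_default_certs()
    else:  # probing a server whose certificate you have not trusted yet
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def cbc_only_context() -> ssl.SSLContext:
    """A deliberately weak client that can only complete a TLS 1.2 handshake with a CBC suite."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    # AES with an HMAC (SHA1/SHA256/SHA384) instead of AEAD selects exactly the CBC suites.
    ctx.set_ciphers("AES+SHA:AES+SHA256:AES+SHA384:!aNULL:@SECLEVEL=0")
    return ctx


def version_pinned_context(version: ssl.TLSVersion) -> ssl.SSLContext:
    """A client pinned to a single protocol version, used to confirm TLS 1.1 is refused."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("ALL:@SECLEVEL=0")
    ctx.minimum_version = ctx.maximum_version = version
    return ctx


def handshake_succeeds(host: str, port: int, ctx: ssl.SSLContext, timeout: float = 5.0) -> bool:
    """True if the server completes a handshake under the given client policy."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError, ValueError):
        return False


def audit(host: str, port: int = NNM_DEFAULT_PORT) -> dict:
    """Summarise what the web server accepts. Desired result: tls12_aead True, the rest False."""
    try:
        tls11 = version_pinned_context(ssl.TLSVersion.TLSv1_1)
    except ValueError:  # this OpenSSL build cannot speak TLS 1.1 at all; nothing to test
        tls11_accepted = None
    else:
        tls11_accepted = handshake_succeeds(host, port, tls11)
    return {
        "tls11_accepted": tls11_accepted,
        "cbc_accepted": handshake_succeeds(host, port, cbc_only_context()),
        "tls12_aead": handshake_succeeds(host, port, hardened_context(verify=False)),
    }


if __name__ == "__main__":
    import sys
    print(audit(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

A server with Use TLS 1.2 enabled and Disable CBC Ciphers enabled should yield tls11_accepted False (or None on clients that cannot speak TLS 1.1), cbc_accepted False and tls12_aead True. Re-run the audit after toggling either setting, since the page notes the web server ends your session when the TLS settings change.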
|
Plugins |
|
Process High Speed Plugins Only |
Tenable Nessus Network Monitor is designed to find various protocols on non-standard ports. For example, Tenable Nessus Network Monitor can easily find an Apache server running on a port other than 80. However, on a high traffic network, Tenable Nessus Network Monitor can be run in High Performance mode, which allows it to focus certain plugins on specific ports. When High Performance mode is enabled and this check box is selected, any plugin that utilizes the keywords |
Realtime Events |
|
Realtime Events File Size |
Specifies the maximum amount of data from real-time events that is stored in one text file. The option must be specified in kilobytes, megabytes, or gigabytes by appending a K, M, or G, respectively, to the value. |
Log Realtime Events to Realtime Log File |
When enabled, allows Tenable Nessus Network Monitor detected real-time events to be recorded to a log file in the following location: /opt/nnm/var/nnm/logs/realtime-logs-##.txt You can configure this option via the CLI. |
Enable Realtime Event Analysis |
When enabled, allows Tenable Nessus Network Monitor to analyze real-time events. |
Maximum Viewable Realtime Events |
Specifies the maximum number of most recent events cached by the Tenable Nessus Network Monitor engine. This setting is in effect only when Realtime Event Analysis is enabled. |
Maximum Realtime Log Files |
Specifies the maximum number of real-time log files written to the disk. |
Reports |
|
Report Threshold |
Specifies the number of times the encryption detection algorithm executes during a session. Once the threshold is reached, the algorithm no longer executes during the session. By default, this option is set to 3. |
Report Lifetime |
Specifies, in days, how long vulnerabilities and snapshot reports are cached. After the configured number of days is met, discovered vulnerabilities and snapshot reports are removed. This option can be set to a maximum value of 90 days. By default, this option is set to 7. |
Host Lifetime |
Specifies, in days, how long hosts are cached. After the configured number of days is met, discovered hosts are removed. This option can be set to a maximum value of 365 days. By default, this option is set to 7 and cannot be set lower than the Report Lifetime value. |
Report Frequency |
Specifies, in minutes, how often Tenable Nessus Network Monitor writes a report. By default, this option is set to 15. Tenable Security Center retrieves the Tenable Nessus Network Monitor report every 15 minutes. |
Knowledgebase Lifetime |
Specifies, in seconds, the maximum length of time that a knowledgebase entry remains valid after its addition. By default, this option is set to 864000 (10 days). |
New Asset Discovery Interval |
Specifies, in days, how long Tenable Nessus Network Monitor observes traffic before it begins issuing new-host alerts. Tenable Nessus Network Monitor listens to network traffic and attempts to discover when a new host has been added. To do this, it constantly compares the list of hosts that have generated traffic in the past to those currently generating traffic. If it finds a new host generating traffic, it issues a "new host alert" via the real-time log. On large networks, configure Tenable Nessus Network Monitor to run for several days first so that it learns which hosts are active; this prevents alerts for hosts that already exist. For large networks, Tenable recommends that Tenable Nessus Network Monitor operate for at least two days before detecting new hosts. By default, this option is set to 2. |
Connections to Services |
When enabled, allows Tenable Nessus Network Monitor to log which clients attempt to connect to servers on the network and to what port they attempt to connect. These events indicate only that an attempt to connect was made, not whether the connection was successful. Events of this type detected by Tenable Nessus Network Monitor are logged as Tenable Nessus Network Monitor internal plugin ID 2. |
Show Connections |
When enabled, instructs Tenable Nessus Network Monitor to record clients in the focus network that attempt to connect to a server IP address and port and receive a positive response. The record contains the client IP address, the server IP address, and the server port that the client attempted to connect to. For example, if four different hosts within the focus network attempt to connect with a server IP over port 80 and receive a positive response, then a list of those hosts is reported under Tenable Nessus Network Monitor internal plugin ID 3 and port 80. |
Known Hosts File |
Note: You can only configure this feature via the command-line interface. A configuration parameter in which you can type the location of the This feature supports a single row for each IP (IPv4 or IPv6). Hyphenated ranges and CIDR notation are not supported. New host alerts no longer appear for the hosts listed in this file. Note: Blank rows are ignored, and invalid entries are noted in the Tenable Nessus Network Monitor log file. If you make any changes to the Known Hosts file, you must restart Tenable Nessus Network Monitor. |
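The file format rules above (one IP per row, no hyphenated ranges, no CIDR, blank rows ignored, invalid rows only noted in the log) mean a file generated straight from an asset inventory will silently lose whole subnets. As an added example, not Tenable's code and not from this page, the following Python script expands inventory entries into the single-address form the file requires, and applies the page's acceptance rules to an existing file so invalid rows are caught before the restart. The sample inventory is constructed; the file path is whatever you configured through the command-line parameter, which the page does not name.

```python
from __future__ import annotations

import ipaddress

MAX_EXPANSION = 65536  # our own guard so a typo such as 10.0.0.0/8 does not produce 16 million rows

# Constructed sample inventory: single hosts, a CIDR block, a hyphenated IPv4 range, a comment.
EXAMPLE_INVENTORY = ["192.0.2.0/30", "10.0.0.5-10.0.0.7", "10.0.0.6", "2001:db8::1", "# comment"]


def expand_to_single_hosts(inventory: list[str], limit: int = MAX_EXPANSION) -> list[str]:
    """Expand inventory entries into one address per row, the only form the file accepts.

    CIDR blocks and hyphenated ranges are not supported in the file itself (per the page),
    so they are expanded here before writing. Duplicates are dropped; order is preserved.
    """
    hosts: list[str] = []
    for raw in inventory:
        item = raw.strip()
        if not item or item.startswith("#"):
            continue
        if "-" in item:  # hyphenated range, IPv4 only: 10.0.0.5-10.0.0.7
            lo_text, hi_text = item.split("-", 1)
            lo, hi = ipaddress.ip_address(lo_text.strip()), ipaddress.ip_address(hi_text.strip())
            if lo.version != 4 or hi.version != 4 or hi < lo:
                raise ValueError(f"{item!r}: hyphenated ranges must be IPv4 with low <= high")
            hosts.extend(str(ipaddress.IPv4Address(n)) for n in range(int(lo), int(hi) + 1))
        else:
            network = ipaddress.ip_network(item, strict=False)  # a bare address becomes /32 or /128
            if network.num_addresses > limit:
                raise ValueError(f"{item!r} would expand to {network.num_addresses} rows (limit {limit})")
            hosts.extend(str(addr) for addr in network)
        if len(hosts) > limit:
            raise ValueError(f"expansion exceeds {limit} rows")
    seen: set[str] = set()
    unique: list[str] = []
    for host in hosts:
        if host not in seen:
            seen.add(host)
            unique.append(host)
    return unique


def validate_known_hosts(text: str) -> tuple[list[str], list[str]]:
    """Apply the acceptance rules the page gives to file contents.

    One address per row, blank rows ignored; anything that is not a single IPv4/IPv6
    address (CIDR, range, hostname) is reported as invalid with its row number.
    """
    valid: list[str] = []
    invalid: list[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = line.strip()
        if not entry:
            continue
        try:
            valid.append(str(ipaddress.ip_address(entry)))
        except ValueError:
            invalid.append(f"row {lineno}: {entry!r}")
    return valid, invalid


def write_known_hosts(path: str, inventory: list[str]) -> int:
    """Write the expanded file and return the row count. Restart NNM afterwards, as the page requires."""
    hosts = expand_to_single_hosts(inventory)
    with open(path, "w", encoding="ascii") as fh:
        fh.write("\n".join(hosts) + "\n")
    return len(hosts)


if __name__ == "__main__":
    rows = expand_to_single_hosts(EXAMPLE_INVENTORY)
    ok, bad = validate_known_hosts("\n".join(rows) + "\n\n10.0.0.0/24\n")
    print(len(ok), "valid rows;", bad)
```

Validate an existing file with `validate_known_hosts(open(path).read())` before restarting; every entry in the returned invalid list is one the engine would skip, so the corresponding host would keep raising new-host alerts.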
Security Options |
|
Enable FIPS Mode |
When enabled, Tenable Nessus Network Monitor uses OpenSSL 3.0 FIPS module security features. The OpenSSL 3.0 FIPS module is a set of encryption modules satisfying the requirements of the FIPS 140-2 standard defined by the National Institute of Standards and Technology (NIST). Note: If you use the FIPS module, you may need to restart Tenable Nessus Network Monitor a few times. |
Enable National Information Assurance Partnership (NIAP) Mode |
When enabled, Tenable Nessus Network Monitor uses NIAP ciphers in compliance with NIAP standards. If you enable this setting, then you must also enable Enable FIPS Mode. |
NIAP Mode Disabled Due to Upgrade |
When enabled, Tenable Nessus Network Monitor does not use FIPS or NIAP security features. |
Session Analysis |
|
Encrypted Sessions Dependency Plugins |
Specifies the Plugin IDs, separated by commas, used to detect encrypted traffic. |
Encrypted Sessions Excluded Network Ranges |
Specifies the IPv4 and IPv6 addresses and ports, in CIDR notation, excluded from monitoring for encrypted traffic. Example: 192.0.2.0/24,2001:DB8::/64,10.2.3.0/22,vlan 192.0.2.0/16,192.168.3.123/32 |
Interactive Sessions Dependency Plugins |
Specifies the plugin IDs, separated by commas, used to detect interactive sessions. |
Interactive Sessions Excluded Network Ranges |
Specifies the IPv4 and IPv6 addresses and ports, in CIDR notation, excluded from monitoring for interactive sessions. Example: 192.0.2.0/24,2001:DB8::/64,10.2.3.0/22,vlan 192.0.2.0/16,192.168.3.123/32 |
SIEM Processing Options |
|
Note: SIEM analysis features are only available for RH/CentOS 7 and RH/CentOS 8. |
|
Enable SIEM Assets Discovery |
When selected, allows Tenable Nessus Network Monitor to discover assets through SIEM analysis. For more information, see SIEM Analysis Section. |
Enable SIEM User Account Activity |
When selected, allows Tenable Nessus Network Monitor to detect user account activity through SIEM analysis. For more information, see SIEM Analysis Section. |
Enable SIEM Software Detection |
When selected, allows Tenable Nessus Network Monitor to detect software events through SIEM analysis. For more information, see SIEM Analysis Section. |
Enable SIEM Service Modification |
When selected, allows Tenable Nessus Network Monitor to detect service modification events through SIEM analysis. For more information, see SIEM Analysis Section. |
SIEM Polling Interval |
The interval, in minutes, after which Tenable Nessus Network Monitor updates its status with the SIEM servers and asks for a list of jobs. Options are in the range of 5-10 minutes. |
Maximum SIEM Trending Data Points |
Adjust this value to increase the number of SIEM Trending Data Points taken for events. SIEM events can also be increased with the Maximum Event Trending Data Points option. By default, this option is set to 10,000. Note: Increasing this value requires Tenable Nessus Network Monitor to allocate more memory, so Tenable recommends keeping it at 10,000. |
SIEM Servers |
|
SIEM Servers List |
Note: SIEM analysis features are only available for RH/CentOS 7 and RH/CentOS 8. Lists the servers used to track SIEM-related events. The charts shown in the SIEM Analysis section pull data from these servers. This section provides three options:
Note: SIEM server entries are displayed as User@IP_Address:Port. The combination of these three parameters is unique; entries with the same three parameters are rejected. Note: Tenable recommends that you only use trusted self-signed certificates for Splunk instances used with Tenable Nessus Network Monitor. |
Syslog |
|
Realtime Syslog Server List |
Specifies the IPv4 or IPv6 address and port of a Syslog server to receive real-time events from Tenable Nessus Network Monitor. Click Add to save the address. A local Syslog daemon is not required. Syslog items can be specified to Standard or CEF formats and UDP or TCP protocols. Example: 192.0.2.12:4567,10.10.10.10:514,[2001:DB8::23B4]:514 |
Vulnerability Syslog Server List |
Specifies the IPv4 or IPv6 address and port of a Syslog server to receive vulnerability data from Tenable Nessus Network Monitor. Click Add to save the address. A local Syslog daemon is not required. You can specify Syslog items to Standard or CEF formats and UDP or TCP protocols. Example: 192.0.2.12:4567,10.10.10.10:514,[2001:DB8::23B4]:514 Note: While Tenable Nessus Network Monitor may display multiple log events related to one connection, it sends only a single event to the remote Syslog server(s). |
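Both Syslog server lists use the same address:port syntax, and the page's example shows the one detail that trips people up: an IPv6 target must be bracketed, because otherwise the final colon before the port is ambiguous. As an added example, not Tenable's code and not from this page, the following Python script parses that list exactly as the page's example writes it, rejects unbracketed IPv6 entries instead of guessing, and can send one constructed syslog line to a parsed target so you can confirm the collector and any firewall path before pointing Tenable Nessus Network Monitor at it. The bracket rule is taken from the page's example; the test line is a generic RFC 3164-style message, not NNM's own event format.

```python
from __future__ import annotations

import ipaddress
import socket

EXAMPLE_SERVER_LIST = "192.0.2.12:4567,10.10.10.10:514,[2001:DB8::23B4]:514"  # the page's example


def parse_syslog_targets(text: str) -> list[tuple[str, int]]:
    """Parse 'addr:port,addr:port,...' as the two Syslog server list settings use it.

    Assumption taken from the page's example: IPv6 addresses are written in brackets,
    [2001:DB8::23B4]:514. Without brackets the last ':' is ambiguous, so an unbracketed
    IPv6 entry is rejected rather than guessed at. Hostnames are rejected too; the page
    says the lists take IPv4 or IPv6 addresses.
    """
    targets: list[tuple[str, int]] = []
    for raw in text.split(","):
        item = raw.strip()
        if not item:
            raise ValueError("empty entry: check for a trailing or doubled comma")
        if item.startswith("["):
            close = item.find("]")
            if close < 0 or item[close + 1:close + 2] != ":":
                raise ValueError(f"{item!r}: expected [ipv6]:port")
            host, port_text = item[1:close], item[close + 2:]
        else:
            host, sep, port_text = item.rpartition(":")
            if not sep or ":" in host:
                raise ValueError(f"{item!r}: write IPv4 as addr:port and IPv6 as [addr]:port")
        addr = ipaddress.ip_address(host)  # ValueError for hostnames or malformed addresses
        if item.startswith("[") and addr.version != 6:
            raise ValueError(f"{item!r}: brackets are for IPv6 addresses only")
        port = int(port_text)  # ValueError if not numeric
        if not 1 <= port <= 65535:
            raise ValueError(f"{item!r}: port out of range")
        targets.append((str(addr), port))
    return targets


def send_test_event(target: tuple[str, int], message: str, tcp: bool = False) -> int:
    """Send one constructed syslog line to a target; returns the number of bytes sent.

    <134> is facility local0 with severity informational. This checks reachability only;
    it is not the Standard or CEF format NNM itself emits.
    """
    host, port = target
    payload = f"<134>nnm-check: {message}\n".encode()
    if tcp:
        with socket.create_connection((host, port), timeout=5) as sock:
            sock.sendall(payload)
    else:
        family = socket.AF_INET6 if ":" in host else socket.AF_INET
        with socket.socket(family, socket.SOCK_DGRAM) as sock:
            sock.sendto(payload, (host, port))
    return len(payload)


if __name__ == "__main__":
    for host, port in parse_syslog_targets(EXAMPLE_SERVER_LIST):
        print(host, port)
```

Send a test line with `send_test_event(parse_syslog_targets(your_list)[0], "hello")` and watch the collector; if it arrives over UDP but the real NNM events do not, check that the format and protocol selected in the setting match what the collector expects.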