Advanced Settings

The Advanced Settings page allows you to manually configure Nessus. You can configure advanced settings from the Nessus user interface, or from the command line interface. Nessus validates your input values to ensure only valid configurations are allowed.

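Advanced Settings are grouped into the following categories:

  • User Interface
  • Scanning
  • Logging
  • Performance
  • Security
  • Agents & Scanners
  • Miscellaneous
  • Custom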

Details

  • Advanced settings apply globally across your Nessus instance.
  • To configure advanced settings, you must use a Nessus administrator user account.
  • Not all advanced settings are automatically populated in the Nessus interface.
  • Changes may take several minutes to take effect.
  • Some settings require restarting Nessus for the change to apply.
  • Custom policy settings supersede the global advanced settings.

User Interface

| Setting | Identifier | Description | Default | Valid Values |
|---|---|---|---|---|
| Allow Post-Scan Editing | allow_post_scan_editing | Allows a user to make edits to scan results after the scan is complete. | yes | yes or no |
| Disable Nessus Web Server | disable_xmlrpc | Disables the new XMLRPC (Web Server) interface. | no | yes or no |
| Disable UI | disable_ui | Disables the user interface on managed scanners. | no | yes or no |
| Maximum Concurrent Web Users | global.max_web_users | Maximum web users who can connect simultaneously. | 1024 | Integers. If set to 0, no limit is enforced. |
| Nessus Web Server IP | listen_address | IPv4 address to listen for incoming connections. If set to 127.0.0.1, this restricts access to local connections only. | 0.0.0 | String in the format of an IP address |
| Nessus Web Server Port | xmlrpc_listen_port | The port that the Nessus web server listens on. | 8843 | Integers |

Scanning

| Setting | Identifier | Description | Default | Valid Values |
|---|---|---|---|---|
| Auto Enable Plugin Dependencies | auto_enable_dependencies | Automatically activates the plugins that are depended on. If disabled, not all plugins may run despite being selected in a scan policy. | yes | yes or no |
| CGI Paths for Web Scans | cgi_path | A colon-delimited list of CGI paths to use for web server scans. | /cgi-bin:/scripts | String |
| Log Verbose Scan Details | log_whole_attack | Logs every detail of the attack. Helpful for debugging issues with the scan, but this may be disk intensive. | no | yes or no |
| Maximum Ports in Scan Reports | report.max_ports | The maximum number of allowable ports. If there are more ports in the scan results than this value, the excess is discarded. This limit helps guard against fake targets that may have thousands of reported ports, but can also result in valid results being deleted from the scan results database, so you may want to increase the default if this is a problem. | 1024 | Integers |
| Nessus Rules File Location | rules | Location of the Nessus rules file (nessusd.rules). The following are the defaults for each operating system: Linux: /opt/nessus/var/nessus/conf/nessusd.rules; Mac OS X: /Library/Nessus/run/var/nessus/conf/nessusd.rules; Windows: C:\ProgramData\Tenable\Nessus\nessus\conf\nessusd.rules | Nessus config directory for your operating system | String |
| Non-Simultaneous Ports | non_simult_ports | Specifies ports against which two plugins cannot be run simultaneously. | 139, 445, 3389 | String |
| Paused Scan Timeout | paused_scan_timeout | The duration, in minutes, that a scan can remain in the paused state before it is terminated. | 0 | Integers 0-10080 |
| PCAP Snapshot Length | pcap.snaplen | The snapshot size used for packet capture; the maximum size of a captured network packet. Typically, this value is automatically set based on the scanner's NIC. However, depending on your network configuration, packets may be truncated, resulting in the following message in your scan report: "The current snapshot length of ### for interface X is too small." You can increase the length to avoid packets being truncated. | 0 | Integers 0-262144 |
| Port Range | port_range | Range of the ports that the port scanners scan. | default | default, all, a comma-separated list of ports and/or port ranges. |
| Reverse DNS Lookups | reverse_lookup | When enabled, targets are identified by their fully qualified domain name (FQDN) in the scan report. When disabled, the report identifies the target by hostname or IP address. | no | yes or no |
| Safe Checks | safe_checks | When enabled, Nessus uses safe checks, which use banner grabbing rather than active testing for a vulnerability. | yes | yes or no |
| Silent Plugin Dependencies | silent_dependencies | When enabled, the list of plugin dependencies and their output are not included in the report. A plugin may be selected as part of a policy that depends on other plugins to run. By default, Nessus runs those plugin dependencies, but does not include their output in the report. When disabled, Nessus includes both the selected plugin and any plugin dependencies in the report. | yes | yes or no |
| Slice Network Addresses | slice_network_addresses | If this option is set, Nessus does not scan a network incrementally (10.0.0.1, then 10.0.0.2, then 10.0.0.3, and so on) but attempts to slice the workload throughout the whole network (e.g., it scans 10.0.0.1, then 10.0.0.127, then 10.0.0.2, then 10.0.0.128, and so on). | no | yes or no |

Logging

| Setting | Identifier | Description | Default | Valid Values |
|---|---|---|---|---|
| Log Additional Scan Details | log_details | When enabled, scan logs include the user name, scan name, and current plugin name in addition to the base information. | no | yes or no |
| Nessus Dump File Location | dumpfile | Location of a dump file for debugging output if generated. The following are the defaults for each operating system: Linux: /opt/nessus/var/nessus/logs/nessusd.dump; Mac OS X: /Library/Nessus/run/var/nessus/logs/nessusd.dump; Windows: C:\ProgramData\Tenable\Nessus\nessus\logs\nessusd.dump | Nessus log directory for your operating system | String |
| Nessus Dump File Log Level | nasl_log_type | The type of NASL engine output in nessusd.dump. | normal | normal, none, trace, or full. |
| Nessus Scanner Log Location | logfile | Location where the Nessus log file is stored. The following are the defaults for each operating system: Linux: /opt/nessus/var/nessus/logs/nessusd.messages; Mac OS X: /Library/Nessus/run/var/nessus/logs/nessusd.messages; Windows: C:\ProgramData\Tenable\Nessus\nessus\logs\nessusd.messages | Nessus log directory for your operating system | String |
| Use Milliseconds in Logs | logfile_msec | When enabled, log timestamps are in milliseconds. When disabled, log timestamps are in seconds. | no | yes or no |

Performance

| Setting | Identifier | Description | Default | Valid Values |
|---|---|---|---|---|
| Global Max Hosts Concurrently Scanned | global.max_hosts | Maximum number of hosts that can be scanned simultaneously across all scans. | 2150 | Integers |
| Global Max TCP Sessions | global.max_simult_tcp_sessions | Maximum number of simultaneous TCP sessions across all scans. | 50 | Integers 0 - 2000. If set to 0, no limit is enforced. |
| Max Concurrent Checks Per Host | max_checks | Maximum number of simultaneous plugins that can run concurrently on each host. | 5 | Integers. If set to 0, no limit is enforced. |
| Max Concurrent Hosts Per Scan | max_hosts | Maximum number of hosts checked at one time during a scan. | 5 | Integers. If set to 0, no limit is enforced. |
| Max Concurrent Scans | global.max_scans | Maximum number of simultaneous scans that can be run by the scanner. | 0 | 0-1000. If set to 0, no limit is enforced. |
| Max TCP Sessions Per Host | host.max_simult_tcp_sessions | Maximum number of simultaneous TCP sessions for a single host. This TCP throttling option also controls the number of packets per second the SYN scanner sends, which is 10 times the number of TCP sessions. E.g., if this option is set to 15, the SYN scanner sends 150 packets per second at most. | 0 | Integers. If set to 0, no limit is enforced. |
| Max TCP Sessions Per Scan | max_simult_tcp_sessions | Maximum number of simultaneous TCP sessions for the entire scan, regardless of the number of hosts being scanned. | 0 | Integers 0-2000. If set to 0, no limit is enforced. |
| Optimize Tests | optimize_test | Optimizes the test procedure. If you disable this setting, scans may take longer and typically generate more false positives. | yes | yes or no |
| Plugin Check Optimization Level | optimization_level | Determines the type of check that is performed before a plugin runs. If this setting is set to open_ports, then Nessus checks that required ports are open; if they are not, the plugin does not run. If this setting is set to required_keys, then Nessus performs the open port check, and also checks that required keys (KB entries) exist, ignoring the excluded key check. | None | open_ports or required_keys |
| Plugin Timeout | plugins_timeout | Maximum lifetime of a plugin's activity in seconds. | 320 | Integers 0-1000 |
| QDB Memory Usage | qdb_mem_usage | Directs Nessus to use more or less memory when idle. If Nessus is running on a dedicated server, setting this to high uses more memory to increase performance. If Nessus is running on a shared machine, setting this to low uses considerably less memory, but has a moderate performance impact. | low | low or high |
| Reduce TCP Sessions on Network Congestion | reduce_connections_on_congestion | Reduces the number of TCP sessions in parallel when the network appears to be congested. | no | yes or no |
| Scan Check Read Timeout | checks_read_timeout | Read timeout for the sockets of the tests. | 5 | Integers 0-1000 |
| Stop Scan on Host Disconnect | stop_scan_on_disconnect | When enabled, Nessus stops scanning a host that seems to have been disconnected during the scan. | no | yes or no |
| Stop Scan on Host Hang | stop_scan_on_hang | When enabled, Nessus stops a scan that seems to be hung. | no | yes or no |
| Throttle Scan on CPU Overload | throttle_scan | When enabled, Nessus throttles the scan when the CPU is overloaded. | yes | yes or no |
| Webserver Thread Pool Size | www_thread_pool_size | Thread pool size for the webserver/backend. | 100 | Integers 0-500 |

Security

| Setting | Identifier | Description | Default | Valid Values |
|---|---|---|---|---|
| Cipher Files on Disk | cipher_files_on_disk | Encipher files that Nessus writes. | yes | yes or no |
| Max Concurrent Sessions Per User | max_sessions_per_user | Maximum concurrent sessions per user. | 0 | Integers 0-2000. If set to 0, no limit is enforced. |
| SSL Cipher List | ssl_cipher_list | Cipher list to use for Nessus backend connections. Nessus only supports strong SSL ciphers when connecting to port 8834. | strong | noexp, strong, and edh. |
| SSL Mode | ssl_mode | Minimum supported version of TLS. | tls_1_0 | compat, ssl_3_0, tls_1_1, and tls_1_2. |

Agents & Scanners

Note: The following settings are only available in Nessus Manager.

| Setting | Identifier | Description | Default | Valid Values |
|---|---|---|---|---|
| Agent Software Updates | agent_software_update | Controls whether agent updates are allowed to be downloaded. | yes | yes or no |
| Agents Check-ins Per Second | cloud.manage.agents_per_second | The number of agents allowed to check in per second. | 10 | Integers |
| Agents Progress | agents_progress_viewable | When a scan gathers information from agents, Nessus Manager does not show detailed agents information if the number of agents exceeds this setting. Instead, a message indicates that results are being gathered and will be viewable when the scan is complete. | 100 | Integers. If set to 0, this defaults to 100. |
| Automatic Hostname Update | update_hostname | When enabled, when the hostname on the endpoint is modified, the new hostname is updated in the agent's manager. This feature is disabled by default to prevent custom agent names from being overridden. | no | yes or no |
| Concurrent Agent Software Updates | cloud.manage.download_max | The maximum concurrent agent update downloads. | 10 | Integers |
| Track Unique Agents | track_unique_agents | When enabled, Nessus Manager checks if MAC addresses of agents trying to link match MAC addresses of currently linked agents with the same hostname, platform, and distro. Nessus Manager deletes duplicates that it finds. | no | yes or no |

Miscellaneous

| Setting | Identifier | Description | Default | Valid Values |
|---|---|---|---|---|
| Automatic Update Delay | auto_update_delay | Number of hours that Nessus waits between automatic updates. | 24 | Integers > 4 |
| Automatic Updates | auto_update | Automatically updates plugins. If enabled and Nessus is registered, Nessus automatically gets the newest plugins from Tenable when they are available. If your scanner is on an isolated network that is not able to reach the internet, disable this setting. | yes | yes or no |
| Automatically Update Nessus | auto_update_ui | Automatically download and apply Nessus updates. | yes | yes or no |
| Initial Sleep Time | ms_agent_sleep | (Nessus Manager only) Sleep time between managed scanner and agent requests. This can be overridden by Nessus Manager or Tenable.io. | 30 | Integers 5-3300 |
| Max HTTP Client Requests | max_http_client_requests | Maximum number of concurrent outbound HTTP connections on managed scanners and agents. | 4 | Integers > 0 |
| Nessus Debug Port | dbg_port | The port on which nessusd listens for ndbg client connections. If left empty, no debug port is established. | None | String in one of the following formats: port or localhost:port or ip:port |
| Nessus Preferences Database | config_file | Location of the configuration file that contains the engine preference settings. The following are the defaults for each operating system: Linux: /opt/nessus/etc/nessus/nessusd.db; Mac OS X: /Library/Nessus/run/etc/nessus/conf/nessusd.db; Windows: C:\ProgramData\Tenable\Nessus\conf\nessusd.db | Nessus database directory for your operating system | String |
| Non-User Scan Result Cleanup Threshold | report_cleanup_threshold_days | The age threshold (in days) for removing old system-user scan reports. | 30 | Integers > 0 |
| Remote Scanner Port | remote_listen_port | This setting allows Nessus to operate on different ports: one dedicated to communicating with remote agents and scanners (comms port) and the other for user logins (management port). By adding this setting, you can link your managed scanners and agents to a different port (e.g., 9000) instead of the port defined in xmlrpc_listen_port (default 8834). | None | Integer |
| Report Crashes to Tenable | report_crashes | When enabled, Nessus crash information is automatically sent to Tenable, Inc. to identify problems. No personal or system-identifying information is sent to Tenable, Inc. | yes | yes or no |
| Scan Source IP(s) | source_ip | Source IPs to use when running on a multi-homed host. If multiple IPs are provided, Nessus cycles through them whenever it performs a new connection. | None | IP address or comma-separated list of IP addresses. |

Custom

Not all advanced settings are populated in the Nessus user interface, but some settings can be set in the command line interface.

The following table lists available advanced settings that are not listed by default in the Nessus user interface but can still be configured.

| Identifier | Description | Default | Valid Values |
|---|---|---|---|
| acas_classification | Adds a classification banner to the top and bottom of the Nessus user interface, and turns on last successful and failed login notification. | None | UNCLASSIFIED (green banner), CONFIDENTIAL (blue banner), SECRET (red banner), or a custom value (orange banner). |
| nessus_syn_scanner.global_throughput.max | Sets the max number of SYN packets that Nessus sends per second during its port scan (no matter how many hosts are scanned in parallel). Adjust this setting based on the sensitivity of the remote device to large numbers of SYN packets. | 65536 | Integers |
| login_banner | A text banner that appears after you attempt to log in to Nessus. The banner only appears the first time you log in on a new browser or computer. | None | String |
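
The following is an added example, not Tenable's code: a short Python audit that checks the exposure-related identifiers from the tables above (ssl_mode, ssl_cipher_list, cipher_files_on_disk, max_sessions_per_user, listen_address, dbg_port) against their documented values and defaults. The identifier=value input format, the SAMPLE lines, and the choice of which values are reported as findings are assumptions of this example.

```python
import ipaddress
# Valid values and defaults below are copied from the tables on this page.
ENUMS = {
    "ssl_mode": {"compat", "ssl_3_0", "tls_1_0", "tls_1_1", "tls_1_2"},
    "ssl_cipher_list": {"noexp", "strong", "edh"},
    "cipher_files_on_disk": {"yes", "no"},
}
DEFAULTS = {"ssl_mode": "tls_1_0", "cipher_files_on_disk": "yes",
            "max_sessions_per_user": "0"}
# Constructed sample; the identifier=value line format is an assumption.
SAMPLE = """ssl_mode=tls_1_1
cipher_files_on_disk=no
max_sessions_per_user=3
listen_address=0.0.0.0
dbg_port=9999"""

def is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def audit(text):
    """Return (identifier, finding) pairs; unset identifiers use DEFAULTS."""
    cfg, out = dict(DEFAULTS), []
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            cfg[key.strip()] = value.strip()
    for key, allowed in ENUMS.items():
        if key in cfg and cfg[key] not in allowed:
            out.append((key, f"invalid value {cfg[key]!r}"))
    if cfg["ssl_mode"] != "tls_1_2":
        out.append(("ssl_mode", "minimum TLS version is not tls_1_2"))
    if cfg["cipher_files_on_disk"] == "no":
        out.append(("cipher_files_on_disk", "files on disk are not enciphered"))
    sessions = cfg["max_sessions_per_user"]
    if not sessions.isdecimal() or int(sessions) > 2000:
        out.append(("max_sessions_per_user", "outside documented range 0-2000"))
    elif int(sessions) == 0:
        out.append(("max_sessions_per_user", "0 means no per-user session limit"))
    if "listen_address" in cfg and not is_loopback(cfg["listen_address"]):
        out.append(("listen_address", "web server accepts non-local connections"))
    # dbg_port formats per the page: port, localhost:port or ip:port.
    if cfg.get("dbg_port") and not is_loopback(cfg["dbg_port"].rpartition(":")[0]):
        out.append(("dbg_port", "debug listener is not pinned to loopback"))
    return out
```

Calling audit("") evaluates the documented defaults alone, which reports ssl_mode and max_sessions_per_user.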

Copyright 2017 - 2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.