Advanced Settings

The Advanced page allows you to manually configure the Nessus daemon.

Details

  • Advanced settings apply globally across your Nessus instance.
  • To configure advanced settings, you must use a Nessus administrator user account.
  • Not all advanced settings are automatically populated in the Nessus interface.
  • If you enter an invalid setting or value, it has no effect on global settings.
  • Changes may take several minutes to take effect.
  • Most settings require a service restart for the new setting to apply.
  • Custom policy settings supersede the global advanced settings.

Settings

Each entry gives the setting name, its default value in parentheses, and a description.

acas_classification (default: None)
Adds a classification banner to the top and bottom of the Nessus user interface, and turns on last successful and failed login notification.
Possible values are UNCLASSIFIED (green banner), CONFIDENTIAL (blue banner), SECRET (red banner), or a custom value (orange banner).

allow_post_scan_editing (default: yes)
Allows a user to make edits to scan results after the scan is complete.

attached_report_maximum_size (default: 25)
Specifies the maximum size, in megabytes (MB), of any report attachment. If the report exceeds the maximum size, it is not attached to the email. Nessus does not support report attachments larger than 50 MB.

auto_enable_dependencies (default: yes)
Automatically activates the plugins that selected plugins depend on. If disabled, not all plugins may run despite being selected in a scan policy.

auto_update (default: yes)
Automatically updates plugins. If enabled and Nessus is registered, Nessus fetches the newest plugins from plugins.nessus.org automatically. Disable this if the scanner is on an isolated network that cannot reach the Internet.

auto_update_delay (default: 24)
Number of hours to wait between two updates. 4 hours is the minimum allowed interval.

cgi_path (default: /cgi-bin:/scripts)
A colon-delimited list of CGI paths.

checks_read_timeout (default: 5)
Read timeout for the sockets of the tests.

disable_ui (default: no)
Disables the user interface on managed scanners.

disable_ntp (default: yes)
Disables the old NTP legacy protocol.

disable_xmlrpc (default: no)
Disables the new XMLRPC (Web Server) interface.

dumpfile (default: Nessus log directory for your operating system)
Location of a dump file for debugging output, if generated. The defaults for each operating system are:
  Linux: /opt/nessus/var/nessus/logs/nessusd.dump
  Mac OS X: /Library/Nessus/run/var/nessus/logs/nessusd.dump
  Windows: C:\ProgramData\Tenable\Nessus\nessus\logs\nessusd.dump

global.max_hosts (default: 2150)
Maximum number of hosts that can be scanned simultaneously across all scans.

global.max_scans (default: 0)
Maximum number of simultaneous scans that can take place. If this option is not used, no limit is enforced.

global.max_simult_tcp_sessions (default: 50)
Maximum number of simultaneous TCP sessions across all scans. If this option is not used, no limit is enforced.

global.max_web_users (default: 1024)
Maximum number of web users who can connect simultaneously. If this option is not used, no limit is enforced.

listen_address (default: 0.0.0.0)
IPv4 address to listen on for incoming connections. If set to 127.0.0.1, access is restricted to local connections only.

log_whole_attack (default: no)
Logs every detail of the attack. Helpful for debugging issues with the scan, but this may be disk intensive.

logfile (default: C:\ProgramData\Tenable\Nessus\nessus\logs\nessusd.messages)
Location where the Nessus log file is stored.

login_banner (default: None)
A text banner that appears after you attempt to log in to Nessus.
Note: The banner only appears the first time you log in on a new browser or computer.

max_hosts (default: 5)
Maximum number of hosts checked at one time during a scan.

max_checks (default: 5)
Maximum number of simultaneous checks against each host tested.

min_password_length (default: 1)
The minimum number of characters a password must contain. A value of 0 means no minimum password length.

nasl_log_type (default: normal)
The type of NASL engine output in nessusd.dump. Possible values are normal, none, trace, or full.

nasl_no_signature_check (default: no)
Determines whether Nessus considers all NASL scripts as being signed. Setting this to yes is unsafe and not recommended.

nessus_syn_scanner.global_throughput.max (default: 65536)
Sets the maximum number of SYN packets that Nessus sends per second during its port scan (no matter how many hosts are scanned in parallel). Adjust this setting based on the sensitivity of the remote device to large numbers of SYN packets.

nessus_udp_scanner.max_run_time (default: 31536000)
Specifies the maximum run time, in seconds, for the UDP port scanner. If the setting is not present, a default value of 365 days (31536000 seconds) is used instead.

non_simult_ports (default: 139, 445, 3389)
Specifies ports against which two plugins cannot be run simultaneously.

optimize_test (default: yes)
Optimizes the test procedure. Changing this to no causes scans to take longer and typically generate more false positives.

passwd_complexity (default: no)
Requires passwords to have a minimum of 8 characters and at least three of the following: an upper case letter, a lower case letter, a special character, and a number.

passwd_notifications (default: no)
Enables login notifications, which allow the user to see the last successful login and failed login attempts (date, time, and IP), and whether any failed login attempts have occurred since the last successful login.

plugin_upload (default: yes)
Designates whether admin users may upload plugins.

plugins_timeout (default: 320)
Maximum lifetime of a plugin's activity in seconds.

port_range (default: default)
Range of the ports the port scanner scans. Possible values are default, all, or a comma-separated list of ports or port ranges.

purge_plugin_db (default: no)
Determines whether Nessus purges the plugin database at each update. This directs Nessus to remove, re-download, and re-build the plugin database for each update. Setting this to yes causes each update to be considerably slower.

qdb_mem_usage (default: low)
Directs Nessus to use more or less memory when idle. If Nessus is running on a dedicated server, setting this to high uses more memory to increase performance. If Nessus is running on a shared machine, setting this to low uses considerably less memory, at the price of a moderate performance impact.

reduce_connections_on_congestion (default: no)
Reduces the number of parallel TCP sessions when the network appears to be congested.

report_crashes (default: yes)
When enabled, Nessus crash information is sent anonymously to Tenable, Inc. to identify problems. Neither personal nor system-identifying information is sent to Tenable, Inc.

remote_listen_port (default: None)
This setting allows Nessus to operate on different ports: one dedicated to communicating with remote agents and scanners (comms port) and the other for user logins (management port).
By adding this setting, you can link your managed scanners and agents to a different port (e.g., 9000) instead of the port defined in xmlrpc_listen_port (default 8834).

rules (default: Nessus configuration directory for your operating system)
Location of the Nessus rules file (nessusd.rules). The defaults for each operating system are:
  Linux: /opt/nessus/var/nessus/conf/nessusd.rules
  Mac OS X: /Library/Nessus/run/var/nessus/conf/nessusd.rules
  Windows: C:\ProgramData\Tenable\Nessus\nessus\conf\nessusd.rules

safe_checks (default: yes)
When enabled, Nessus uses safe checks, which rely on banner grabbing rather than active testing for a vulnerability.

scan_history_expiration_days (default: 0)
The number of days after which scan history and data for completed scans are permanently deleted. The minimum possible value is 3. A value of 0 means all history is retained.

silent_dependencies (default: yes)
If enabled, the list of plugin dependencies and their output are not included in the report. A plugin may be selected as part of a policy that depends on other plugins to run. By default, Nessus runs those plugin dependencies but does not include their output in the report. Setting this option to no causes both the selected plugin and any plugin dependencies to appear in the report.

slice_network_addresses (default: no)
If this option is set, Nessus does not scan a network incrementally (10.0.0.1, then 10.0.0.2, then 10.0.0.3, and so on) but attempts to slice the workload across the whole network (e.g., it scans 10.0.0.1, then 10.0.0.127, then 10.0.0.2, then 10.0.0.128, and so on).

ssl_cipher_list (default: strong)
Nessus only supports strong SSL ciphers when connecting to port 8834. Possible values are noexp, strong, and edh.

ssl_mode (default: tls_1_2)
Minimum supported version of TLS. If the value is left blank, Nessus uses TLS 1.0 (tls_1_0). Possible values are compat, ssl_3_0, tls_1_1, and tls_1_2.

stop_scan_on_disconnect (default: no)
Stops scanning a host that seems to have been disconnected during the scan.

stop_scan_on_hang (default: no)
Stops a scan that seems to be hung.

throttle_scan (default: yes)
Throttles the scan when the CPU is overloaded.

user_max_login_attempt (default: None)
The number of invalid login attempts allowed before a user is locked out.
Note: The user is locked out indefinitely until a user with administrative privileges manually resets the locked account.

www_logfile (default: Nessus log directory for your operating system)
If log.json does not already exist, this setting controls where the server log file (www_logfile) is stored. Changing this setting after log.json has been created does not change the location of the server log file. The defaults for each operating system are:
  Linux: /opt/nessus/var/nessus/logs/www_server.log
  Mac OS X: /Library/Nessus/run/var/nessus/logs/www_server.log
  Windows: C:\ProgramData\Tenable\Nessus\nessus\logs\www_server.log

xmlrpc_idle_session_timeout (default: 30)
The number of minutes after which an idle Nessus web server session times out. If the value is set to 0, the default value of 30 minutes applies. There is no maximum limit for this value.

xmlrpc_listen_port (default: 8834)
The port that the Nessus web server listens on.
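Because an invalid value is silently ignored and the global default stays in force, it is worth checking a proposed set of advanced settings against the limits and allowed values in this table before entering them. The following Python checker is an added example, not Tenable's code; the settings dict, its sample values and the `check_advanced_settings` name are constructed for this illustration.

```python
ALLOWED_VALUES = {
    "ssl_mode": {"compat", "ssl_3_0", "tls_1_1", "tls_1_2"},
    "ssl_cipher_list": {"noexp", "strong", "edh"},
    "nasl_log_type": {"normal", "none", "trace", "full"},
}
# name -> (minimum, maximum or None, value meaning "unlimited" or None), from the table
NUMERIC_LIMITS = {
    "auto_update_delay": (4, None, None),           # 4 hours is the minimum interval
    "attached_report_maximum_size": (0, 50, None),  # attachments over 50 MB unsupported
    "scan_history_expiration_days": (3, None, 0),   # 0 keeps all history, otherwise >= 3
    "min_password_length": (0, None, None),
}

def check_advanced_settings(settings):
    """Return a list of findings for a dict of setting name -> string value."""
    findings = []
    for name, allowed in ALLOWED_VALUES.items():
        value = settings.get(name)
        # an invalid value has no effect, so the global default silently stays in force
        if value not in (None, "") and value not in allowed:
            findings.append(f"{name}={value!r} is invalid and will be ignored")
    for name, (low, high, unlimited) in NUMERIC_LIMITS.items():
        if name not in settings:
            continue
        try:
            n = int(settings[name])
        except ValueError:
            findings.append(f"{name}={settings[name]!r} is not an integer and will be ignored")
            continue
        if n != unlimited and (n < low or (high is not None and n > high)):
            findings.append(f"{name}={n} is outside the documented range")
    # security-relevant values the table calls out explicitly
    if settings.get("ssl_mode") == "":
        findings.append("ssl_mode is blank, so TLS 1.0 is accepted; set tls_1_2")
    if settings.get("nasl_no_signature_check") == "yes":
        findings.append("nasl_no_signature_check=yes treats unsigned NASL scripts as signed")
    if settings.get("safe_checks") == "no":
        findings.append("safe_checks=no enables active tests instead of banner grabbing")
    if settings.get("passwd_complexity", "no") == "no":
        findings.append("passwd_complexity=no: no password complexity requirement")
    if "user_max_login_attempt" not in settings:
        findings.append("user_max_login_attempt unset: no lockout threshold configured")
    return findings

# Constructed sample values, not taken from a real scanner.
SAMPLE = {"ssl_mode": "", "auto_update_delay": "2", "attached_report_maximum_size": "100",
          "scan_history_expiration_days": "0", "nasl_no_signature_check": "yes",
          "safe_checks": "yes", "passwd_complexity": "yes", "user_max_login_attempt": "5"}
```

Running `check_advanced_settings(SAMPLE)` reports four findings: the 2-hour update delay, the 100 MB attachment limit, the blank ssl_mode and the disabled signature check.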

Copyright 2017 - 2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.