Advanced Settings

The Advanced page allows you to manually configure the Nessus daemon.

Details

  • Advanced settings are global settings.
  • Settings are key/value pairs.
  • To configure advanced settings, you must use a Nessus System Administrator user account.
  • Changes go into effect a few minutes after the setting is saved.
  • Custom policy settings supersede the global advanced settings.

Settings

Setting

Default

Description

allow_post_scan_editing

Yes

Allows a user to make edits to scan results after the scan is complete.

auto_enable_dependencies

Yes

Automatically activates the plugins that the selected plugins depend on. If disabled, not all plugins may run despite being selected in a scan policy.

auto_update

Yes

Automatically updates plugins. If enabled and Nessus is registered, fetch the newest plugins from plugins.nessus.org automatically. Disable if the scanner is on an isolated network that is not able to reach the Internet.

auto_update_delay

24

Number of hours to wait between two updates. Four (4) hours is the minimum allowed interval.

cgi_path

/cgi-bin:/scripts

A colon-delimited list of CGI paths.

checks_read_timeout

5

Read timeout for the sockets of the tests.

disable_ui

No

Disables the user interface on managed scanners.

disable_ntp

Yes

Disables the old NTP legacy protocol.

disable_xmlrpc

No

Disables the new XMLRPC (Web Server) interface.

dumpfile

C:\ProgramData\Tenable\Nessus\nessus\logs\nessusd.dump

Location of a dump file for debugging output if generated.

global.max_hosts

2150

Maximum number of simultaneous checks against each host tested.

global.max_scans

0

If set to non-zero, this defines the maximum number of scans that may take place in parallel.

If this option is not used, no limit is enforced.

global.max_simult_tcp_sessions

50

Maximum number of simultaneous TCP sessions between all scans.

If this option is not used, no limit is enforced.

global.max_web_users

1024

If set to non-zero, this defines the maximum number of (web) users who can connect in parallel.

If this option is not used, no limit is enforced.

listen_address

0.0.0.0

IPv4 address on which to listen for incoming connections. If set to 127.0.0.1, this restricts access to local connections only.

log_whole_attack

No

Logs every detail of the attack. Helpful for debugging issues with the scan, but this may be disk intensive.

logfile

C:\ProgramData\Tenable\Nessus\nessus\logs\nessusd.messages

Location where the Nessus log file is stored.

login_banner

None

A text banner that appears before the initial login to the Flash or HTML5 client.

max_hosts

5

Maximum number of hosts checked at one time during a scan.

max_checks

5

Maximum number of simultaneous checks against each host tested.

nasl_log_type

Normal

Directs the type of NASL engine output in nessusd.dump.

nasl_no_signature_check

No

Determines if Nessus considers all NASL scripts as being signed. Selecting “yes” is unsafe and not recommended.

nessus_syn_scanner.global_throughput.max

65536

Sets the max number of SYN packets that Nessus sends per second during its port scan (no matter how many hosts are scanned in parallel). Adjust this setting based on the sensitivity of the remote device to large numbers of SYN packets.

nessus_udp_scanner.max_run_time

31536000

Used to specify the maximum run time, in seconds, for the UDP port scanner. If the setting is not present, a default value of 365 days (31536000 seconds) is used instead.

non_simult_ports

139, 445, 3389

Specifies ports against which two plugins cannot be run simultaneously.

optimize_test

Yes

Optimizes the test procedure. Changing this to “no” causes scans to take longer and typically generate more false positives.

plugin_upload

Yes

Designates if admin users may upload plugins.

plugins_timeout

320

Maximum lifetime of a plugin’s activity (in seconds).

port_range

Default

Range of ports that the port scanners scan. Can use keywords “default” or “all”, as well as a comma-delimited list of ports or ranges of ports.

purge_plugin_db

No

Determines if Nessus purges the plugin database at each update. This directs Nessus to remove, re-download, and re-build the plugin database for each update. Choosing yes causes each update to be considerably slower.

qdb_mem_usage

Low

Directs Nessus to use more or less memory when idle. If Nessus is running on a dedicated server, setting this to “high” uses more memory to increase performance. If Nessus is running on a shared machine, setting this to “low” uses considerably less memory, but at the price of a moderate performance impact.

reduce_connections_on_congestion

No

Reduces the number of TCP sessions in parallel when the network appears to be congested.

report_crashes

Yes

Anonymously reports crashes to Tenable Network Security.

When set to yes, Nessus crash information is sent to Tenable Network Security to identify problems. Neither personal nor system-identifying information is sent to Tenable Network Security.

remote_listen_port

None

This setting allows Nessus to operate on different ports: one dedicated to communicating with remote agents and scanners (comms port) and the other for user logins (management port).

By adding this setting, you can link your managed scanners and agents to a different port (Example: 9000) instead of the port defined in xmlrpc_listen_port (default 8834).

rules

C:\ProgramData\Tenable\Nessus\conf\nessusd.rules

Location of the Nessus Rules file (nessusd.rules).

safe_checks

Yes

Safe checks rely on banner grabbing rather than active testing for a vulnerability.

silent_dependencies

Yes

If enabled, the list of plugin dependencies and their output are not included in the report. A plugin may be selected as part of a policy that depends on other plugins to run. By default, Nessus runs those plugin dependencies, but does not include their output in the report. Setting this option to no causes both the selected plugin and any plugin dependencies to all appear in the report.

slice_network_addresses

No

If this option is set, Nessus does not scan a network incrementally (10.0.0.1, then 10.0.0.2, then 10.0.0.3, and so on) but attempts to slice the workload throughout the whole network (e.g., it scans 10.0.0.1, then 10.0.0.127, then 10.0.0.2, then 10.0.0.128, and so on).

ssl_cipher_list

Strong

Nessus only supports 'strong' SSL ciphers when connecting to port 8834.

ssl_mode

tls_1_2

Minimum supported version of TLS.

If not present or if removed, Nessus will use TLS 1.0 (tls_1_0).

stop_scan_on_disconnect

No

Stops scanning a host that seems to have been disconnected during the scan.

stop_scan_on_hang

No

Stops a scan that seems to be hung.

throttle_scan

Yes

Throttles scan when CPU is overloaded.

user_max_login_attempt

None

The number of possible invalid login attempts before a user is locked out.

Note: A user with administrative privileges must edit the locked account to unlock the user.

www_logfile

C:\ProgramData\Tenable\Nessus\nessus\logs\www_server.log

Location where the Nessus Web Server (user interface) log is stored.

xmlrpc_idle_session_timeout

30

XMLRPC Idle Session Timeout in minutes. Value defaults to 30 minutes. If the value is set to zero (0), the default value of 30 minutes applies. There is no maximum limit for this value.

xmlrpc_listen_port

8834

Port for the Nessus Web Server to listen on (new XMLRPC protocol).
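
Example (added here, not part of the Tenable documentation): a small audit that checks a set of advanced settings against the behaviour described in the table above, including the cases where an absent or zero value silently falls back to a default. The key=value input format, the function names, and the sample values are assumptions made for illustration.

```python
# Constructed sample input; the key=value dump format is an assumption.
SAMPLE = """\
# exported advanced settings (constructed)
listen_address=0.0.0.0
nasl_no_signature_check=yes
ssl_cipher_list=strong
auto_update_delay=2
xmlrpc_idle_session_timeout=0
"""

def parse_settings(text):
    """Parse key=value lines into a dict, skipping blanks and # comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def as_int(value, default):
    """Integer value of a setting, or the default when absent or non-numeric."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return default

def audit(settings):
    """Return (setting, finding) pairs based on the table's descriptions."""
    get = lambda k, d: settings.get(k, d).strip().lower()
    findings = []
    if get("nasl_no_signature_check", "no") == "yes":
        findings.append(("nasl_no_signature_check", "all NASL scripts are treated as signed"))
    if get("ssl_mode", "tls_1_0") == "tls_1_0":  # absent means tls_1_0
        findings.append(("ssl_mode", "minimum TLS version is tls_1_0"))
    if get("user_max_login_attempt", "none") in ("", "none"):
        findings.append(("user_max_login_attempt", "no lockout threshold is set"))
    if get("listen_address", "0.0.0.0") == "0.0.0.0":
        findings.append(("listen_address", "not restricted to local connections"))
    if as_int(settings.get("auto_update_delay"), 24) < 4:
        findings.append(("auto_update_delay", "below the 4-hour minimum interval"))
    if as_int(settings.get("xmlrpc_idle_session_timeout"), 30) == 0:
        findings.append(("xmlrpc_idle_session_timeout", "0 does not disable the timeout; 30 minutes applies"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(parse_settings(SAMPLE)):
        print(f"{name}: {finding}")
```

Because custom policy settings supersede the global advanced settings, a clean result here says nothing about values overridden in an individual scan policy.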

Copyright 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.