Alerting

When Tenable Nessus Network Monitor detects a real-time event, it can:

  • Send the event to a local log file.

  • Send the event via Syslog to a log aggregator such as Tenable Log Correlation Engine, an internal log aggregation server.

  • Send the event to a third party security event management vendor.

New Host Alerting

You can configure Tenable Nessus Network Monitor to detect when a new host has been added to the network. By default, Tenable Nessus Network Monitor has no knowledge of your network’s active hosts, so the first packets Tenable Nessus Network Monitor sniffs trigger an alert. To avoid this, you can configure Tenable Nessus Network Monitor to learn the network over a period of days. Once this period is over, any “new” traffic must be from a host that has not communicated during the initial training.

To prevent Tenable Nessus Network Monitor from triggering new host alerts on known hosts, you can create a known hosts file in the location to which the Known Hosts File configuration parameter is set. Each line of the Known Hosts File supports a single IPv4 or IPv6 address. Hyphenated ranges and CIDR notation are not supported. Tenable Nessus Network Monitor must be restarted after creating or making any changes to the Known Hosts File.
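Because the Known Hosts File accepts only one address per line, an asset inventory kept as CIDR blocks or hyphenated ranges has to be expanded before it is saved. The following is an added example, not Tenable code: it expands such an inventory into one-address-per-line form and checks existing file content for lines that are not a single address. The function names, the `MAX_EXPANSION` limit, the sample inventory, and the strict treatment of blank lines as invalid are assumptions made for illustration.

```python
import ipaddress

MAX_EXPANSION = 65536  # constructed safety limit, not a product setting

# Constructed sample inventory (documentation address ranges).
INVENTORY = ["192.0.2.10", "192.0.2.8/30",
             "198.51.100.1-198.51.100.3", "2001:db8::1"]

def expand_entry(entry):
    """Return the individual addresses covered by one inventory entry."""
    entry = entry.strip()
    if "/" in entry:  # CIDR block: usable host addresses only
        net = ipaddress.ip_network(entry, strict=False)
        if net.num_addresses > MAX_EXPANSION:
            raise ValueError(f"{entry}: too large to list one address per line")
        return list(net.hosts())
    if "-" in entry:  # hyphenated range, both ends inclusive
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if first.version != last.version or last < first:
            raise ValueError(f"{entry}: invalid range")
        if int(last) - int(first) >= MAX_EXPANSION:
            raise ValueError(f"{entry}: too large to list one address per line")
        return [type(first)(n) for n in range(int(first), int(last) + 1)]
    return [ipaddress.ip_address(entry)]

def build_known_hosts(entries):
    """Expand every entry, drop duplicates, keep first-seen order."""
    seen = {}
    for entry in entries:
        for addr in expand_entry(entry):
            seen.setdefault(addr, None)
    return [str(addr) for addr in seen]

def invalid_lines(text):
    """Return (line_number, content) for lines that are not a single address."""
    bad = []
    for num, line in enumerate(text.splitlines(), 1):
        try:
            ipaddress.ip_address(line.strip())
        except ValueError:
            bad.append((num, line))
    return bad

if __name__ == "__main__":
    print("\n".join(build_known_hosts(INVENTORY)))
```

Write the resulting lines to the path configured in the Known Hosts File parameter, then restart Tenable Nessus Network Monitor so the change takes effect.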

Note: When Tenable Nessus Network Monitor logs a new host, the Ethernet address is saved in the message. When Tenable Nessus Network Monitor is more than one hop away from the sniffed traffic, the Ethernet address is that of the local switch and not the actual host. If the scanner is deployed in the same collision domain as the sniffed server, then the Ethernet address is accurate.

For DHCP networks, Tenable Nessus Network Monitor often detects a “new” host. Tenable® recommends deploying this feature on non-volatile networks such as a DMZ. Users should also consider analyzing Tenable Nessus Network Monitor “new” host alerts with Tenable Security Center, which can sort real-time Tenable Nessus Network Monitor events by networks.