NNM Settings Section

The NNM Settings section provides options for configuring the network settings for NNM. This includes what networks are monitored or excluded, how to monitor those networks, and what network interfaces NNM has identified for monitoring. If your NNM is licensed to run in High Performance mode, you can also Configure NNM Performance Mode.

Note: While you can configure many advanced settings via the command line using custom parameters, others use standard parameters. For example, while the ACAS Classification setting uses the custom --add parameter, the Login Banner setting does not require the --add parameter.

Note: The Network Interfaces Settings view only shows network interfaces that don't have IP addresses assigned to them. As a result, if all interfaces have assigned IP addresses, in High Performance mode, the list is empty.

Name Description
ACAS Classification

ACAS

You can enable support for ACAS banners from the command line of the NNM server service using the /opt/nnm/bin/nnm --config --add "ACAS Classification" "SECRET" command. SECRET may be replaced by UNCLASSIFIED, CONFIDENTIAL, TOP SECRET, or NOFORN. Once enabled, a drop-down box for the ACAS option appears in the user interface front end.

You can disable support for ACAS banners from the command line of the NNM server using the /opt/nnm/bin/nnm --config --delete "ACAS Classification" command from the binary directory on the server.

Advanced
Maximum Plugins Update Frequency

Specifies the maximum frequency with which plugins update.

Login Banner

Specifies a login banner.

Note: You can also configure login banners via the command line using the /opt/nnm/bin/nnm --config "Login Banner" "NNM Banner Text" command.

HTTP Header Hostname Validation

If you use a domain name to connect to NNM, specify it in this box. Also enable Validate Host.

To protect against malicious attacks such as header injection, NNM validates that the domain name given to the browser matches your NNM server. The check is case insensitive.

Validate Host

When enabled, specifies whether NNM should validate the hostname to protect against malicious attacks.

If you enable this setting, you must enter a value for HTTP Header Hostname Validation.

Validate CSRF

When enabled, NNM sends anti-Cross-Site Request Forgery (CSRF) tokens. This protects against malicious attacks.

Session Data Size

A box in which you can specify the maximum number of bytes of application layer data (e.g., FTP, HTTP, or SSH data) stored in the transport layer session cache per session. By default, the value is 3072 bytes. You can specify a minimum of 1024 bytes and a maximum of 2147483647 bytes.

Enable PII Obfuscation

Specifies whether or not to mask data from plugins that are expected to contain sensitive information (like Personally Identifiable Information [PII]). When enabled, the sensitive data is masked with asterisks. When disabled, the sensitive information appears in clear text in plugin output and logs. Type 0 to disable and 1 to enable the obfuscation.

Note: By default, this option is enabled. This option cannot be disabled if your NNM is connected to another application (for example, Industrial Security, Tenable.io, Tenable.sc).

Maximum SIEM Trending Data Points

Adjust this value to increase the number of SIEM Trending Data Points to take for events. SIEM events can also be increased with the Maximum Event Trending Data Points option. By default, this option is set to 10,000.

Note: Increasing this value requires NNM to allocate more memory, so Tenable recommends that you keep it at 10,000.

Maximum Event Trending Data Points

Adjust this value to increase the number of sample points to take for events. By default, this option is set to 10,000.

Note: Increasing this value requires NNM to allocate more memory, so Tenable recommends that you keep it at 10,000.

Event Data Sample Interval In Minutes

Increase this value by multiples of 5, up to the maximum of 60 (1 hour), to extend the Event Data sampling interval. The default of one minute allows you to save data for up to a week. You can also increase the number of sample points to take for events with the Maximum Event Trending Data Points and Maximum SIEM Trending Data Points options. By default, this option is set to 1.

Analysis Modules

Enable SCADA/ICS Analysis Module

Enables the SCADA/ICS Analysis Module. Click the caret button to the left of the setting name to display a list of individual module detections within the module. Click on individual module detections within the list to disable/enable them. Disabling a SCADA/ICS module detection enables the legacy PASL. See the SCADA/ICS Analysis Module for more information.

Enable Connection Analysis Module

Enables the Connection Analysis Module. Click the caret button to the left of the setting name to display a list of individual module detections within the module. Click on individual module detections within the list to disable/enable them. See the Connection Analysis Module for more information.

Enable IoT Analysis Module

When enabled, NNM detects plugins in the IoT family. By default, this option is enabled.

DNS Query

DNS Cache Lifetime Analysis Module

Specifies the amount of time NNM retains and stores a given host’s DNS record, in seconds. By default, this option is set to 43200 (12 hours), but can be set to any value between 3600 and 172800 (48 hours).

DNS Query Time Interval

Specifies the delay between sets of DNS queries, in seconds. By default, this option is set to 5, but can be set to any value between 1 and 120.

DNS Queries per Interval

Specifies the maximum number of concurrent DNS requests made during each DNS query interval. By default, this option is set to 5, but can be set to any value between 0 and 1000. Setting this value to 0 disables this feature and prevents further DNS queries from being made.

Database

Enable Malformed Database Recovery

When enabled, allows NNM to recover a malformed database.

Memory

Sessions Cache Size

Specifies the size, in megabytes, of the session table. Adjust the session size as needed for the local network. By default, this option is set to 50.

Packet Cache Size

Specifies the maximum size, in megabytes, of the cache used to store the contents of the packets collected before processing. By default, this option is set to 128 MB with a maximum size of 512 MB. When the cache is full, any subsequent packets captured drop until space in the cache becomes available.

Monitoring

Run in Discovery Mode

Specifies whether or not NNM runs in discovery mode. When enabled, NNM discovers basic asset data instead of reporting vulnerabilities. This includes IP addresses, MAC addresses, hostnames, and other relevant asset data. This option is enabled by default during initial NNM installation.

Note: The NNM dashboards do not display informational-level plugins. Dashboards display vulnerability plugins with a higher severity level.

Note: If you want to link NNM to an instance of Industrial Security, disable this option.

In discovery mode, users can expect to see the following detections:

  • 0: Open Port
  • 12: Number of Hops
  • 18: Generic Protocol Detection
  • 19: VLAN ID Detection
  • 20: Generic IPv6 Tunnel Traffic Detection
  • 113: VXLAN ID Detection
  • 132: Host Attribute Enumeration

Monitored Network Interfaces

A list of the network devices used for sniffing packets. You can select devices individually or in multiples. Select at least one interface from the list of available devices.

Note: High Performance mode does not support e1000 NICs as monitored interfaces on virtual machines. If you are running NNM on a virtual machine in High Performance mode and select an e1000 monitored interface, NNM automatically reverts to Standard mode.

Monitored Network IP Addresses and Ranges

Specifies the networks monitored. The default setting is 0.0.0.0/0, which instructs NNM to monitor all IPv4 addresses. Change this to monitor only target networks; otherwise NNM may quickly become overwhelmed. Separate multiple addresses by commas. When monitoring VLAN networks, you must use the syntax vlan ipaddress/subnet.

Example: 192.0.2.0/24,2001:DB8::/64,10.2.3.0/22,vlan 192.0.2.0/16,192.168.3.123/32

Note: The syntax is case-sensitive.

Excluded Network IP Addresses and Ranges

Specifies, in CIDR notation, any networks to exclude specifically from NNM monitoring. This option accepts both IPv4 and IPv6 addresses. Separate multiple addresses by commas. When excluding VLAN networks, you must use the syntax vlan ipaddress/subnet. No addresses are excluded if this box is left blank.

Note: You can exclude up to 128 CIDR entries at one time.

Example: 192.0.2.0/24,2001:DB8::/64,10.2.3.0/22,vlan 192.0.2.0/16,192.168.3.123/32

Extended Packet Filter

Specifies a BPF primitive.

This feature does not support the net, IP, IPv6, and VLAN primitives. Also, Windows platforms do not support the protochain primitive.

For information about available primitives, see the PCAP Filter man page.

Enable VXLAN Traffic Analysis

Enables decoding of Virtual Extensible LAN protocol (VXLAN) traffic.

NNM Proxy

NNM Restart Attempts

The number of times the NNM proxy attempts to restart the NNM engine in the event the engine stops running. By default, this option is set to 10, but can be set to any value between 1 and 15. Once the restart attempt limit is reached, the proxy stops trying for 30 minutes.

NNM Restart Interval

The amount of time, in minutes, between NNM restart attempts. By default, this option is set to 10, but can be set to any value between 1 and 3600.

NNM Web Server

Enable SSL for Web Server

When selected, enables SSL protection for connections to the web server. By default, this check box is selected. Tenable does not recommend clearing the check box, as it allows the sending of unencrypted traffic between a browser and NNM. You may install custom SSL certificates in the /opt/nnm/var/nnm/ssl directory. Restart NNM after making changes to this setting.

Note: Changing this option while NNM is running makes communication between the client and server either encrypted or unencrypted. If you select or clear the Enable SSL for Web Server check box, the Web Server automatically ends your current NNM session.

Minimum Password Length

Specifies the lowest number of characters a password may contain. By default, this option is set to 5, but can be set to any value between 5 and 32.

NNM Web Server Address

Specifies the IPv4 or IPv6 address on which the NNM web server listens. The default setting is 0.0.0.0, which instructs the web server to listen on all available IPv4 and IPv6 addresses.

Note: Link-local addresses are not supported for IPv6 addresses.

NNM Web Server Port

Specifies the NNM web server-listening port. The default setting is 8835, but can be changed as appropriate for the local environment.

Note: If you change the value in this box, the Web Server automatically ends your current NNM session.

NNM Web Server Idle Session Timeout

Specifies the number of minutes of inactivity before a web session becomes idle. By default, this option is set to 30, but can be set to any value between 5 and 60.

Enable SSL Client Certificate Authentication

When enabled, allows the web server to accept only SSL client certificates for user authentication.

Enable Debug Logging for NNM Web Server

When enabled, allows the web server to include debug information in the logs for troubleshooting issues related to the web server. The logs become large if this option is enabled routinely.

Maximum User Login Attempts

Specifies the number of times a user can type an incorrect password in a 24-hour period before the user’s account is locked.

Max Sessions per User

Specifies the number of concurrent sessions a user can have running at one time.

Enforce Complex Passwords

When enabled, forces user passwords to contain at least one uppercase character, one lowercase character, one digit, and one special character from the following: #$%^&*().

Use TLS 1.2

When enabled, the NNM web server uses TLS 1.2 communications. By default, this option is enabled.

Note: If you disable this option, the NNM web server uses TLS 1.1, which is less secure.

Disable CBC Ciphers

When enabled, disables the use of CBC ciphers in TLS 1.2. By default, this option is disabled.

Note: This setting is used in conjunction with Enable NIAP Mode. For more information, see Configure NNM for NIAP Compliance.

Enable Strong Encryption

When enabled, forces NNM to select the strongest ciphers in the TLS 1.2 communications suite. By default, this option is enabled.

When strong encryption is enabled, the user can expect to see typical ciphers such as:

  • TLS_RSA_WITH_AES_128_CBC_SHA

  • TLS_RSA_WITH_AES_128_CBC_SHA256

  • TLS_RSA_WITH_AES_128_GCM_SHA256

  • TLS_RSA_WITH_AES_256_CBC_SHA

  • TLS_RSA_WITH_AES_256_CBC_SHA256

  • TLS_RSA_WITH_AES_256_GCM_SHA384

  • TLS_RSA_WITH_CAMELLIA_128_CBC_SHA

  • TLS_RSA_WITH_CAMELLIA_256_CBC_SHA

If this option is disabled, the NNM uses the following ciphers:

  • TLS_RSA_WITH_AES_128_CBC_SHA

  • TLS_RSA_WITH_AES_256_CBC_SHA

To configure NIAP-compliant ciphers, see Configure NNM for NIAP Compliance.

Plugins

Process High Speed Plugins Only

NNM is designed to find various protocols on non-standard ports. For example, NNM can easily find an Apache server running on a port other than 80. However, on a high traffic network, NNM can be run in High Performance mode, which allows it to focus certain plugins on specific ports. When High Performance mode is enabled and this check box is selected, any plugin that uses the keywords hs_dport or hs_sport is executed only on traffic traversing the specified ports.

Realtime Events

Realtime Events File Size

Specifies the maximum amount of data from real-time events that is stored in one text file. The option must be specified in kilobytes, megabytes, or gigabytes by appending a K, M, or G, respectively, to the value.

Log Realtime Events to Realtime Log File

When enabled, allows NNM detected real-time events to be recorded to a log file in the following location:

/opt/nnm/var/nnm/logs/realtime-logs-##.txt

You can configure this option via the CLI.

Enable Realtime Event Analysis

When enabled, allows NNM to analyze real-time events.

Maximum Viewable Realtime Events

Specifies the maximum number of most recent events cached by the NNM engine. This setting is in effect only when Realtime Event Analysis is enabled.

Maximum Realtime Log Files

Specifies the maximum number of real-time log files written to the disk.

Reports

Report Threshold

Specifies the number of times the encryption detection algorithm executes during a session. Once the threshold is reached, the algorithm no longer executes during the session. By default, this option is set to 3.

Report Lifetime

Specifies, in days, how long vulnerabilities and snapshot reports are cached. After the configured number of days is met, discovered vulnerabilities and snapshot reports are removed. This option can be set to a maximum value of 90 days. By default, this option is set to 7 and cannot be set higher than the Host Lifetime value.

Host Lifetime

Specifies, in days, how long hosts are cached. After the configured number of days is met, discovered hosts are removed. This option can be set to a maximum value of 365 days. By default, this option is set to 7 and cannot be set lower than the Report Lifetime value.

Report Frequency

Specifies, in minutes, how often NNM writes a report. By default, this option is set to 15. Tenable.sc retrieves the NNM report every 15 minutes.

Knowledgebase Lifetime

Specifies, in seconds, the maximum length of time that a knowledgebase entry remains valid after its addition. By default, this option is set to 864000.

New Asset Discovery Interval

Specifies, in days, how long NNM monitors traffic before detecting new hosts. NNM listens to network traffic and attempts to discover when a new host has been added. To do this, NNM constantly compares a list of hosts that have generated traffic in the past to those currently generating traffic. If it finds a new host generating traffic, it issues a “new host alert” via the real-time log. For large networks, NNM can be configured to run for several days to gain knowledge about which hosts are active. This prevents NNM from issuing an alert for hosts that already exist. For large networks, Tenable® recommends that NNM operate for at least two days before detecting new hosts. By default, this option is set to 2.

Connections to Services

When enabled, allows NNM to log which clients attempt to connect to servers on the network and to what port they attempt to connect. These events indicate only that an attempt to connect was made, not whether the connection was successful. Events detected by NNM of this type are logged as NNM internal plugin ID 2.

Show Connections

When enabled, instructs NNM to record clients in the focus network that attempt to connect to a server IP address and port and receive a positive response. The record contains the client IP address, the server IP address, and the server port that the client attempted to connect to. For example, if four different hosts within the focus network attempt to connect with a server IP over port 80 and receive a positive response, then a list of those hosts is reported under NNM internal plugin ID 3 and port 80.

Known Hosts File

Note: You can only configure this feature via the command-line interface.

A configuration parameter in which you can type the location of the known-hosts.txt file. Manually create the Known Hosts file.

This feature supports a single row for each IP (IPv4 or IPv6). Hyphenated ranges and CIDR notation are not supported. New host alerts no longer appear for the hosts listed in this file.

Note: Blank rows are ignored, and invalid entries are noted in the NNM log file. If you make any changes to the Known Hosts file, you must restart NNM.

Session Analysis

Encrypted Sessions Dependency Plugins

Specifies the Plugin IDs, separated by commas, used to detect encrypted traffic.

Encrypted Sessions Excluded Network Ranges

Specifies the IPv4 and IPv6 addresses and ports, in CIDR notation, excluded from monitoring for encrypted traffic.

Example: 192.0.2.0/24,2001:DB8::/64,10.2.3.0/22,vlan 192.0.2.0/16,192.168.3.123/32

Interactive Sessions Dependency Plugins

Specifies the plugin IDs, separated by commas, used to detect interactive sessions.

Interactive Sessions Excluded Network Ranges

Specifies the IPv4 and IPv6 addresses and ports, in CIDR notation, excluded from monitoring for interactive sessions.

Example: 192.0.2.0/24,2001:DB8::/64,10.2.3.0/22,vlan 192.0.2.0/16,192.168.3.123/32

SIEM Processing Options

Note: SIEM analysis features are only available for RH/CentOS 7 and RH/CentOS 8.

Enable SIEM Assets Discovery

When selected, allows NNM to discover assets through SIEM analysis. For more information, see SIEM Analysis Section.

Enable SIEM User Account Activity

When selected, allows NNM to detect user account activity through SIEM analysis. For more information, see SIEM Analysis Section.

Enable SIEM Software Detection

When selected, allows NNM to detect software events through SIEM analysis. For more information, see SIEM Analysis Section.

Enable SIEM Service Modification

When selected, allows NNM to detect service modification events through SIEM analysis. For more information, see SIEM Analysis Section.

SIEM Polling Interval

The interval, in minutes, after which NNM updates its status with the SIEM servers and asks for a list of jobs. Options are in the range of 5-10 minutes.
SIEM Servers

SIEM Servers List

Lists the servers used to track SIEM-related events. The charts shown in the SIEM Analysis section pull data from these servers. This section provides three options:

  • Add - Add a new SIEM server setting. Enter the following information:

    • IP - The server IP address.

    • Port (TCP) - The server IP port number.

    • SIEM Type - The server's SIEM type (Splunk).

    • User - The username that grants server access.

    • Password - The password that grants server access.

  • Edit - Edit the SIEM server settings listed above.

  • Delete - Delete the selected SIEM server and all related SIEM queries.

Note: SIEM server entries are displayed as _Address:Port (e.g., :8089). The combination of these three parameters is unique; entries with the same three parameters are rejected.

Note: Tenable recommends that you only use trusted self-signed certificates for Splunk instances used with NNM.

Syslog

Realtime Syslog Server List

Specifies the IPv4 or IPv6 address and port of a Syslog server to receive real-time events from NNM. Click Add to save the address. A local Syslog daemon is not required. Syslog items can be specified to Standard or CEF formats and UDP or TCP protocols.

Example: 192.0.2.12:4567,10.10.10.10:514,[2001:DB8::23B4]:514

Vulnerability Syslog Server List

Specifies the IPv4 or IPv6 address and port of a Syslog server to receive vulnerability data from NNM. Click Add to save the address. A local Syslog daemon is not required. You can specify Syslog items to Standard or CEF formats and UDP or TCP protocols.

Example: 192.0.2.12:4567,10.10.10.10:514,[2001:DB8::23B4]:514
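The two Syslog boxes above share one entry format, address:port for IPv4 and [address]:port for IPv6, and the bracketed form matters because a bare IPv6 address already contains colons. This added parser is not NNM code; it checks a list in that format before it is pasted into the setting, normalises addresses, and rejects entries with a missing or out-of-range port. The function name parse_syslog_servers is this example's own.

```python
from __future__ import annotations

import ipaddress


def parse_syslog_servers(text: str) -> list[tuple[str, int]]:
    """Parse a comma-separated Syslog server list: IPv4 as address:port and
    IPv6 as [address]:port. Returns (normalised address, port) pairs; any
    malformed entry raises ValueError so the whole list is rejected."""
    servers: list[tuple[str, int]] = []
    for raw in text.split(","):
        token = raw.strip()
        if not token:
            raise ValueError("empty Syslog server entry")
        if token.startswith("["):
            # Brackets are the only unambiguous way to separate an IPv6 address
            # from the port, since the address itself contains colons.
            end = token.find("]")
            if end < 0 or not token[end + 1:].startswith(":"):
                raise ValueError(f"malformed IPv6 entry {token!r}: expected [address]:port")
            host, port_text = token[1:end], token[end + 2:]
            addr = ipaddress.IPv6Address(host)
        else:
            host, sep, port_text = token.rpartition(":")
            if not sep or ":" in host:
                raise ValueError(f"malformed entry {token!r}: IPv6 addresses must be bracketed")
            addr = ipaddress.IPv4Address(host)
        if not port_text.isdigit():
            raise ValueError(f"non-numeric port in {token!r}")
        port = int(port_text)
        if not 1 <= port <= 65535:
            raise ValueError(f"port {port} out of range in {token!r}")
        servers.append((str(addr), port))
    return servers


if __name__ == "__main__":
    # The page's own example list; IPv6 is printed in its compressed, lowercase form.
    for addr, port in parse_syslog_servers("192.0.2.12:4567,10.10.10.10:514,[2001:DB8::23B4]:514"):
        print(f"{addr} -> port {port}")
```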

Note: While NNM may display multiple log events related to one connection, it sends only a single event to the remote Syslog server(s).