NAC Nessus scanning

Is there a list of the most common plugins used for Nessus scanning in NAC?
Thanks . . .

I did figure it out at the end of the day yesterday. I should have posted then. It turned out to be a layer 8 issue on my part. I had the plugins selected for All and Windows_All was pointing to All, but my individual Windows selections, like WindowsXP, were not pointing to Windows_All, so it was working but just didn't have anything selected. Thank you for your reply, Jonathan. These message boards have proven to be a big help.

Similar Messages

  • NAC Appliance & Nessus Scanning

    Hi All,
    In the process of getting our NAC appliance setup moved into a production level. We have everything working up to getting Nessus scanning working. I'm a bit confused by the documentation. It appears as though Nessus scanning only applies to web login users... is this correct? The doc shows activating Nessus vulnerability handling under General Setup -> Web Login. I don't see anywhere how to enable it for an agent environment. I have a setup where our test user is placed into the proper roles, and I have selected a Nessus vulnerability for that role. I never see the scan happen though. It's as if the agent isn't required to go through vulnerability scanning before being placed into his or her role. Is that correct? Thanks in advance for any help!
    -Mike

    Paul,
    Good to hear from you. I have been rather busy and I'm hoping to get some time in the near future to get the blog updated. The CMPC program I wrote has been quite popular with nearly 400 downloads so far.
    Back to the issue of Nessus scans. We're looking good, getting scans done now on the agent side. But I'm trying to test by enabling the TFTP server detected plugin. I have it setup as seen in the attachment. When I test against the workstation, it shows that it detected the TFTP server running. But, when the user logs in with the agent and is placed in that same role, they never are notified they are vulnerable. Why is that?
    Thanks for the help so far!
    -Mike
    http://cs-mars.blogspot.com

  • Nessus scan on AS 10.1.2.0.2 gives HIGH vulnerabilities

    Anyone run into "nessus" scan problems with AS?
    I have SSL enabled on AS using SSLConfigTool, and "nessus" gives the output below when Security scans the server. I have applied the Jan07 CPU to this AS.
    Any advice, greatly appreciated.
    Scan Results:
    nv-video (4444/tcp)
    It was possible to kill the HTTP proxy by
    sending an invalid request with a too long header
    A cracker may exploit this vulnerability to make your proxy server
    crash continually or even execute arbitrary code on your system.
    Solution: upgrade your software
    Risk Factor : High
    CVE : CVE-2002-0133, CVE-2002-0133
    BID : 3904, 3905, 3904
    Other references : OSVDB:6804
    Plugin ID : 11715
    It was possible to kill the web server by
    sending an invalid request with a too long HTTP 1.1 header
    (Accept-Encoding, Accept-Language, Accept-Range, Connection,
    Expect, If-Match, If-None-Match, If-Range, If-Unmodified-Since,
    Max-Forwards, TE, Host)
    A cracker may exploit this vulnerability to make your web server
    crash continually or even execute arbirtray code on your system.
    Solution: upgrade your software or protect it with a filtering reverse proxy

  • CiscoWorks Nessus scan yellow vulnerability issue

    Hi,
    Nessus scan reports yellow Vulnerability for our CiscoWorks server:
    x.x.x.x (ip address of CiscoWorks server) YELLOW Sybase ASA Client Connection Broadcast Remote
    Information Disclosure Locate service enabled on Sybase server
    sybaseanywhere 2638
    If anyone knows the status for this issue, please let me know.
    We have the following CiscoWorks products and version:
    (LMS 2.6)
    CiscoWorks Common Services 3.0.6
    Campus Manager 4.0.6
    CiscoView 6.1.5
    Device Fault Manager 2.0.11
    Internetwork Performance 2.6.0
    Resource Manager Essentials 4.0.5
    Your help would be greatly appreciated.
    Thanks.
    GY (Gongyuan Yao)
    Contractor (LHC Network Support)

    This is CSCsk35018:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsk35018
    The following two discussions will shed additional light on top of what the Bug Tool provides:
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=Network%20Management&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40^1%40%40.2cc0b896/4#selected_message
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=Network%20Management&topicID=.ee71a02&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cbec487

  • NAC Agent scan running application

    Dear colleagues,
    My customer is being on ISE PoC. They want to test the Posture feature for running application.
    I would like to ask: what is the scan interval of the NAC agent? If I want to use the NAC Agent to scan for an illegal application on a PC, but at first, when logging in, the application is not running, and after the NAC agent notifies that the client is compliant the user starts that application, can the NAC Agent detect that?
    Please kindly share your experience on it. Thank you for your support.
    Kind regards,
    Hiep

    Hiep,
    The feature you are asking for is passive reassessment and is done on intervals configured by the administrator.
    www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html#wp1482451
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • ACAS Nessus scans of Cisco devices

    Hello, we have an ACAS configuration with Security Center and Nessus scanner running on RHEL 5.10.
    Our infrastructure consists of WS-6509, WS-3750X's, G's and some old E's.
    We configured Nessus scanner with the proper Username/Password/Enable Password combinations.
    At this time it will scan one 3750 switch but none of the other 130 devices.
    If I attempt to ssh into a device from the Nessus server it fails, either with a connection refusal from the device on port 22 or because it doesn't like the cipher choices.
    I checked the switch that it does access against the others and found ip ssh authentication-retries 4 was configured and some SNMP settings that don't exist in the switches that can't be scanned.
    Anyone have this issue?
    ej

    Hello,
    You may find useful Pretty Good Terminal http://www.prettygoodterminal.com which has recently been published. This software is more about device management (via ssh/telnet) at large scale and through several jump server hops than a terminal application. It was developed by me when I was given a task to configure more than 50000 CPE routers. So this software is a response to a real challenge and it is a good fit to collect device information.
    Regards,
    Laszlo

  • CSS and Nessus Scans (SSH vulnerability)

    I have a CSS 11503 running 8.20.3.03. I have performed a Nessus vulnerability scan against the CSS. The scans have shown vulnerabilities against SSH. It is reporting that we need to upgrade to OpenSSH version 5.0 or later.
    If I upgrade to 8.20.5.01 will that address this issue? I looked through the caveats for the other code versions and I do not see that being addressed as an issue or a fix.
    If not, is there something else I can do to address this issue?
    Any help would be appreciated.

    Cesar,
    The scans identified a few vulnerabilities,
    CVE-2002-0639
    CVE-2002-0640
    CVE-2003-0682
    CVE-2003-0693
    CVE-2003-0695
    CVE-2002-0575
    CVE-2002-0083
    CVE-2003-0386
    CVE-2008-1483
    I noticed that you state that 8.20.5.01 runs OpenSSH_3.0.2p1. This is the same SSH that 8.20.3.03 is reporting. So upgrading does not look to be a solution.
    Side note I am not leveraging the Web NS function. I just SSH or console into the CSS.

  • NAC - How to troubleshoot network scanning not working

    I'm testing Cisco NAC agentless in-bound layer2 mode following the CAM manual:
    • Configure the Quarantine Role
    • Load Nessus Plugins into the Clean Access Manager Repository
    • Configure General Setup
    • Apply Plugins
    • Configure Plugin Options
    • Configure Vulnerability Handling
    • Test Scanning (I can successfully "test from Manager" from the "test" tab)
    I'm sure I disabled the personal firewall on the testing client on the untrusted vlan.
    When I use a testing PC to open a browser to access the internet, I am redirected to the authentication page; after login, I get unlimited access. The problem is that it looks like CAS did not do any scan of the PC as expected according to the policy I defined for the "unauthenticated" role; no scan report popped up.
    1. Any way I can check if Nessus Scanning is working properly on CAS?
    2. Any log or evidence I can check to make sure the scanning started, is in process, or is complete, so I can know the status?
    3. How to check all plugins are already pushed and synchronized by CAM?
    Thanks in advance

    Following links may help you
    http://www.cisco.com/en/US/products/ps6128/products_tech_note09186a0080545b62.shtml
    http://www.cisco.com/en/US/docs/security/nac/profiler/configuration_guide/217/p_integration.html#wp1055771

  • Cannot view web server logs in Server Admin

    It has been a terrible day.
    First, the interesting part:
    I woke up to find that 25 sites that are hosted on an XServe G5 running OS X Server 10.3.9 had been defaced. As the part-time, unpaid admin of this server, it was my responsibility to track down the vulnerability in the system and restore the defaced files from backups. The hacker had replaced the index.html file for each of the sites with his own, special version, in which he proudly declared that my server had been owned. I did a Nessus scan of the server and came up with nothing. I pulled what was left of my hair out looking for every vulnerability I could come up with, and still nothing.
    I then decided to use Google to get more information about him, using the name he proudly posted on the defaced sites, and was able to get his IM address. I proceeded to have an awkwardly pleasant conversation with him, in which he declared that he has discovered a new vulnerability and decided to try it out on my machine for the challenge. He apologized, but would not reveal the vulnerability (although he hinted that it had something to do with mod_security). He also promised to leave my machine alone now ....
    (Now for the not so interesting part, and the nature of my current problem)
    Anyway, I did what I could to clean up the mess, and wound up viewing the access logs in the Console app via ARD. That led me nowhere, so I decided to call it a night and logged out of ARD. A few minutes later, I thought I would log into ServerAdmin and take another look at those logs, but alas, they could no longer be viewed through ServerAdmin! The log section is empty. I ssh'd into the machine to see if he had broken his promise and messed around some more, but the logs still existed where they had always been. I ran tail -f on them to make sure they are still being updated, and they are.
    So after all that, it seems my big problem at the moment is viewing logs in ServerAdmin. I did not make any changes to httpd.conf (outside of disabling mod_security, which commented out the appropriate LoadModule and AddModule lines). I also disabled a few other unnecessary mods earlier in the evening via ServerAdmin, but I doubt that any particular mod controls whether or not I can view log files in ServerAdmin.
    I apologize for the length of this post, but it has been quite a day. If anyone can provide any clues as to either the location of error logs for the ServerAdmin app or any sort of known resolution to this issue, I would name my first born after you.
    Thanks.
    XServe G5   Mac OS X (10.3.9)  

    skvaish1 wrote:
    What purpose will you solve by loading the web server logs into the database? I will not advise it. It will be much easier for you to manage these logs at the file system level as well as monitor these for any issues, rather than loading them into a database and then running some database job to dig into those logs for any errors. Loading logs into a database will help if you need to keep them for a long time (more than a 1 year time frame or for regulatory purposes); otherwise it is better to keep the logs on the file system and just get regular backups of these logs onto tape.
    My 2 cents
    Regards

    Overall, I agree but I don't understand your comment about "Loading logs into database will help if you need to keep them for long time". Even if needed for regulatory reasons, one can manage them quite nicely outside of the database.
    Also, to expand on this a bit for the OP .... if the need arose to use SQL to mine the logs for information that would be hard to get using the search feature of a simple text editor, one could always define an external table on an as-needed basis.

  • PHP 5.2.6 vs PHP 5.2.4

    I have recently brought my first X-Serve online running 10.5.2. I subscribe to Network Solutions' Watchdog service and their scan is correctly showing that PHP 5.2.4 is running and that it has numerous vulnerabilities. Network Solutions considers PHP releases prior to 5.2.6 to have serious flaws and they rate the vulnerability as URGENT. Here is the notice they are giving as to those vulnerabilities.
    Synopsis : The remote web server uses a version of PHP that is affected by multiple flaws.
    Description : According to its banner, the version of PHP installed on the remote host is older than 5.2.6. Such versions may be affected by the following issues : - A stack buffer overflow in FastCGI SAPI. - An integer overflow in printf(). - An security issue arising from improper calculation of the length of PATH_TRANSLATED in cgi_main.c. - A safe_mode bypass in cURL. - Incomplete handling of multibyte chars inside escapeshellcmd(). - Issues in the bundled PCRE fixed by version 7.6. See also : http://archives.neohapsis.com/archives/fulldisclosure/2008-05/0103.html http://archives.neohapsis.com/archives/fulldisclosure/2008-05/0107.html http://www.php.net/releases/526.php
    Now my question to the group is, has anyone upgraded to 5.2.6 at this point? I looked at the PHP site and they are showing the latest compiled version for OS-X of Apache along with PHP is using PHP 5.2.4, so to upgrade would require compiling the code. I am concerned that doing so will negate turning to Apple Support as I do have a 3 year OS Maintenance Contract.
    Any thoughts or suggestions.
    David
    Message was edited by: darkside escapee

    Darkside,
    I am surprised that no one from Apple has responded to your post. This is a serious issue. Indeed, I get similar warnings when I run a Nessus scan on our fully patched (10.5.3) Leopard Web server:
    A stack buffer overflow in FastCGI SAPI.
    An integer overflow in printf().
    A security issue arising from improper calculation of the length of PATH_TRANSLATED in cgi_main.c.
    A safe_mode bypass in cURL
    Incomplete handling of multibyte chars inside of escapeshellcmd().
    issues in the bundled PCRE fixed by version 7.6.
    All of these have been addressed in PHP 5.2.6. Apple has not recompiled their proprietary version of PHP5 to 5.2.6 (as of 10.5.3).
    Why not? Red Hat has already addressed these issues. How much longer do we have to wait until Apple addresses these legitimate security concerns? Should I revert to my Red Hat box until Apple "gets around to it?"
    Note to Apple:
    Web application security is a grave concern of every network admin who wants to remain among the gainfully employed. You cannot seriously expect to contend for market share with "the Big Boyz" if your Web application software is back-level and shows up in every hacker's reconnaissance software with buffer overflow vulnerabilities. This is totally unacceptable.
    Please fix your proprietary PHP5 plugin and do make a better effort to take security more seriously.
    Joe Moorman
    Sr. Systems Admin
    Covenant Life Church

  • How can I disable SSLv2 on OS X 10.8.5 server

    After running a Nessus scan we get the following finding:
    SSL Version 2 (v2) Protocol Detection
    This script is Copyright (C) 2005-2013 Tenable Network Security, Inc.
    Synopsis :
    The remote service encrypts traffic using a protocol with known
    weaknesses.
    Description :
    The remote service accepts connections encrypted using SSL 2.0, which
    reportedly suffers from several cryptographic flaws and has been
    deprecated for several years. An attacker may be able to exploit
    these issues to conduct man-in-the-middle attacks or decrypt
    communications between the affected service and clients.
    See also :
    http://www.schneier.com/paper-ssl.pdf
    http://support.microsoft.com/kb/187498
    http://www.linux4beginners.info/node/disable-sslv2
    Solution :
    Consult the application's documentation to disable SSL 2.0 and use
    SSL 3.0, TLS 1.0, or higher instead.
    Risk factor :
    Medium / CVSS Base Score : 5.0
    (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
    I cannot find where or how to disable SSLv2. Please help.

    You should post in the server forum, that's where the experts are.
    https://discussions.apple.com/community/servers_enterprise_software?view=overview

  • How to update revoked certificate issue with CS5 suite?

    I have a security issue found with a Nessus scan that states:
    Synopsis: An application installed on the remote Windows host is signed by a revoked certificate.
    Description: The remote host is using Adobe software that has been digitally signed by a revoked certificate. An Adobe build server was compromised, which has caused at least two malicious utilities to be signed with Adobe's code signing certificate. Any software signed by this revoked certificate (including legitimate Adobe software) is no longer trusted.
    I have followed everything I found on how to correct this, but most information is regarding CS6.  I have updated the certificate through Acrobat (version 9), but that has not fixed my issue. 
    The programs it says that are affected are:
    Bridge.exe
    Extension Manager
    Illustrator
    Photoshop
    I see no way to update any type of certificate in these programs.
    Is it just that CS5 is no longer supported, or have I missed an update?
    Thanks,
    Dan

    Rahul,
    You can do this in the doDMl method of your Entity Object.
    See this white paper:
    http://www.oracle.com/technology/products/jdev/collateral/papers/10131/businessrulesinadfbctechnicalwp.pdf
    If you have follow-up questions, please use the JDeveloper forum, since your question is not related to JHeadstart.
    Steven Davelaar,
    JHeadstart Team.

  • Solaris 10 - /var unnecessary files

    Hello,
    We are facing the following problem in our T2000 server:
    Preinstalled Solaris 10, partitioned the disk in 15GB slices and everything was mounted on /. I have allocated my partitions for the Users and our tools but the default partition is almost full. I am afraid that it will get stuck soon. df -hk shows:
    Filesystem size used avail capacity Mounted on
    /dev/dsk/c0t0d0s0 15G 14G 384M 98% /
    What I have noticed is that /var dominates the partition (about 6,7GB). Can you suggest any unnecessary files that I can delete to resolve the problem? I have seen that there are two huge files named X1msgs & X2msgs in the /var/adm file. What are those? Can I delete them or not?
    I know that the best solution is to reformat but I would like to avoid this, if possible. A partition extension can be useful but I have read that growfs cannot work on the / partition. What else can I do?
    Thank you in advance,
    George
    Edited by: gthe on Nov 17, 2009 8:05 AM

    We have some Sun Solaris machines with VNC installed, set to no authentication (you need to connect in x-windows though). Running an nmap scan with these settings, nmap -sV -T4 -oN scan.nmap 192.168.1.0/24, these servers' X1msgs (X2msgs, etc) files in /var/adm begin to grow quickly and end up eating all space on the drive (even after the scan has been cancelled). The message filling up the logs is:
    XserverDesktop: XserverDesktop::wakeupHandler: unable to accept new
    connection: Invalid argument (22)
    XserverDesktop: XserverDesktop::wakeupHandler: unable to accept new
    connection: Invalid argument (22)
    XserverDesktop: XserverDesktop::wakeupHandler: unable to accept new
    connection: Invalid argument (22)
    XserverDesktop: XserverDesktop::wakeupHandler: unable to accept new
    connection: Invalid argument (22)
    I've noticed this in the past doing Nessus scans, and the option that stopped this from happening was "Open port recheck" under General plugins. Has anyone on the list seen something similar, and do you know why this occurs, and hopefully how to fix it? I figured this might be a good place to ask...

  • New W520 & Open Ports

    I just bought a new W520. I was testing the Norton Firewall and running port scans against the machine. I noticed some open ports so I did a recovery to factory condition. I ran the port scan again and see a number of ports (25, 80, 110, 8080 - if memory serves correctly). I telnet to the ports and they respond, but there is no visible text so it is difficult to figure out what is running. I've tried using Tcpview and other tools to view the open ports via Windows 7, but I don't see those ports listening. I am wondering if there are some Lenovo tools/utilities that use these ports? I may just be paranoid
    Thanks!

    I decided to break out the big guns. I ran a Nessus scan and NMAP against my W520. The same ports weren't open when compared to the scan by Advanced Port Scan by RAdmin. These are the results of nmap, which mirror the open ports Nessus found. Keep in mind, I had the firewall turned off since I am testing Bitdefender's Internet Security 2012. I used TCPView to link the process to these ports and found:
    135
    139
    443 - VMWare Workstation
    445
    902 - VMWare Workstation
    912 - VMWare Workstation
    5357 - svchost.exe
    49152 - wininit.exe
    49153 - wininit.exe
    49154 - wininit.exe
    49155 - wininit.exe
    49165 - wininit.exe
    When I enable the firewall, none of the ports are visible. I am looking at using the BitDefender or Kaspersky's Internet Security Suites. Thoughts from other security folks appreciated!
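    The port-to-process mapping done above by hand with TCPView can be scripted so it is repeatable after every firewall or product change. The following is an added example, not code from the original post or from Lenovo, and it assumes only built-in Windows tooling: it parses the output of `netstat -ano` (available on Windows 7 and later, so it does not need the newer Get-NetTCPConnection cmdlet) and resolves each listening TCP port to its owning process. The function name `Get-ListeningPortOwner` is a hypothetical name chosen for this example; PowerShell 3.0 or later is assumed for `[PSCustomObject]`.

```powershell
# Added example (not from the original post): list every listening TCP port
# together with the PID, process name and image path that owns it.
function Get-ListeningPortOwner {
    [CmdletBinding()]
    param()

    # netstat -ano prints one line per socket with the owning PID in the last column.
    # Without -p it covers both IPv4 and IPv6 TCP sockets; the regex below keeps only
    # TCP sockets in the LISTENING state and captures the local port and the PID.
    $netstatLines = netstat -ano
    foreach ($line in $netstatLines) {
        if ($line -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $port   = [int]$matches[1]
            $procId = [int]$matches[2]

            # Get-Process may fail for protected system processes or a PID that has
            # already exited; SilentlyContinue keeps the inventory running.
            $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue

            [PSCustomObject]@{
                Port        = $port
                PID         = $procId
                ProcessName = if ($proc) { $proc.ProcessName } else { '<unknown>' }
                # .Path needs an elevated shell for processes such as wininit.exe.
                Path        = if ($proc -and $proc.Path) { $proc.Path } else { '' }
            }
        }
    }
}

# Usage: one row per listening port, sorted, duplicates (IPv4 + IPv6) collapsed.
Get-ListeningPortOwner | Sort-Object Port -Unique | Format-Table -AutoSize
```

    Run it from an elevated PowerShell prompt so that the image path of system-owned listeners (wininit.exe, svchost.exe) is populated; ports shown here but not by an external scan are being blocked by the host firewall, which is the comparison the post above is making by hand. Note that PID 4 (System) owns kernel listeners such as 445/SMB and 5357/WSDAPI, so a `System` entry is expected rather than suspicious.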

  • No events logged while VMS offline

    IDS and VMS are working fine; the issue is when my Windows box running VMS goes offline (crash, reboot....). I bring the VMS box back online and poll the IDS, but it reports no events.
    I tested it by running Nessus while the VMS box is offline, from the CLI I see events, but when the VMS box comes online and polls the IDS....Nothing...
    Do I need to setup the IDS to store the events until the VMS box can poll again?
    Thanks,
    Jamey

    I did a "sh event alert past 23:00" and it does show the old alerts; however, Security Monitor still does not show them. It only shows alerts that happen while it is connected.
    I cleared the alerts on the IDS. ran Nessus, then did "sh event alert past 23:00" and it did show the past events (from the nessus scan). I then turned on the VMS box. But security monitor does not show any events (it is set show earliest).
    Any other thoughts?
    Jamey
