Nessus Network Monitor 5.7.x User Guide
Last Updated: January 14, 2021
Table of Contents
Welcome to Nessus Network Monitor
Get Started with NNM
System Requirements
NNM Hardware Requirements
NNM Software Requirements
NNM Licensing Requirements
Download NNM
Install NNM
Upgrade NNM
Upgrade NNM on Linux
Upgrade NNM on Windows
Upgrade NNM on macOS
Set up NNM
Configure NNM
Register NNM Offline via the NNM Interface
Register NNM Offline via the CLI
Register High Performance Mode NNM for Tenable.sc in an Air-gapped Environment
Configure High Performance Mode
Configure NNM in High Performance Mode on Hyper-V
Configure Hyper-V NIC in Promiscuous Mode
Remove NNM
Remove NNM from Linux
Copyright © 2021 Tenable, Inc. All rights reserved. Tenable, Tenable.io, Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable.sc, Tenable.ot, Lumin, Indegy, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.
Remove NNM from Windows
Remove NNM from macOS
NNM Navigation
Monitoring Page
Dashboards Section
Rearrange Charts
Refresh a Chart
Set a Date Range for the Dashboards Section
Remove a Chart from a Dashboard
Hosts Section
Vulnerabilities Section
Delete a Vulnerability
Applications Section
Operating Systems Section
Connections Section
Mobile Devices Section
Filter Monitoring Results
Export Monitoring Results
Launch a Nessus Scan
Results Page
Upload a Report
Upload a Pcap
Filter Results
Delete Results
Users Page
Create a New User
Modify a User Account
Reset a Locked Account
Delete a User
Configuration Page
NNM Settings Section
Configure the Performance Mode
Feed Settings Section
Download New Vulnerability Plugins
Updating the NNM Management Interface
Cloud Settings Section
Industrial Security Settings Section
Web Proxy Settings Section
Chart Settings Section
Create a Custom Chart
Delete a Chart
Email Settings Section
Create an Email Notification
Delete an Email Notification
Plugin Settings Section
Add a Plugin Field
Delete a Custom Plugin
Nessus Scanner Settings Section
Add a Nessus Scanner
Delete a Nessus Scanner
Additional Resources
Command Line Operations
Common Command Line Operations
Linux Command Line Operations
Windows Command Line Operations
macOS Command Line Operations
Unknown or Customized Ports
Real-Time Traffic Analysis Configuration Theory
Focus Network
Detecting Server and Client Ports
Detecting Specific Server and Client Port Usage
Firewall Rules
Working with Tenable.sc
Selecting Rule Libraries and Filtering Rules
Detecting Encrypted and Interactive Sessions
Routes and Hop Distance
Alerting
Modules
Connection Analysis Module
Configure NNM for use with Industrial Security
Internal NNM Plugin IDs
NNM Plugins
About NNM Plugins
NNM Fingerprinting
NNM Plugin Syntax
Network Client Detection
Pattern Matching
Time Dependent Plugins
Plugin Examples
NNM Real-Time Plugin Syntax
Real-Time Plugin Examples
NNM Corporate Policy Plugins
Detecting Custom Activity Prohibited by Policy
Detecting Confidential Data in Motion
Working with Tenable.sc
Managing Vulnerabilities
Offline NNM Plugin Update in Tenable.sc
Tenable.sc Troubleshooting
Syslog Messages
Standard Syslog Message Types
CEF Syslog Message Types
Custom SSL Certificates
Configure NNM for Certificates
Create a Custom CA and Server Certificate
Create NNM SSL Certificates for Login
Connect to NNM with a User Certificate
Welcome to Nessus Network Monitor
This user guide describes the Tenable® Nessus Network Monitor® 5.7.x (Patent 7,761,918 B2) architecture, installation, operation, and integration with Tenable.sc and Tenable.io, and export of data to third parties. For assistance, contact Tenable Support.
Tip: If you are new to NNM, see the Workflow.
Passive vulnerability scanning is the process of monitoring network traffic at the packet layer to determine topology, clients, applications, and related security issues. NNM also profiles traffic and detects compromised systems.
NNM can:
• Detect when systems are compromised with application intrusion detection.
• Highlight all interactive and encrypted network sessions.
• Detect when new hosts are added to a network.
• Track which systems are communicating on which ports.
• Detect which ports are served and which are browsed by each system.
• Detect the number of hops to each monitored host.
Note: For security purposes, Tenable® does not recommend configuring NNM as internet facing software.
Get Started with NNM
1. Ensure that your setup meets the minimum system requirements:
   • Hardware requirements
   • Software requirements
2. Obtain the proper license or Activation Code for NNM for your configuration.
   Note: See special activation code instructions for integration with Tenable.sc or Tenable.io.
3. Follow the installation steps for your operating system:
   • Linux
   • Windows
   • macOS
4. (Optional) Configure Virtual Switches for use with NNM.
5. Perform the initial configuration steps for NNM in the web interface.
   After configuration, NNM begins monitoring incoming traffic immediately.
   Note: If you wish to register NNM offline or run NNM in High Performance mode, you must follow several additional configuration steps.
6. Create users in NNM and set administrative privileges as necessary.
7. You can view monitored traffic results in dashboards on the Monitoring page and historical data in snapshots and reports on the Results page.
For more NNM deployment information, see the NNM Deployment Guide.
System Requirements
This section describes the following system requirements for NNM:
• NNM Hardware Requirements
• NNM Software Requirements
• NNM Licensing Requirements
To see which versions of NNM work with Industrial Security, see IS Pairing with NNM.
NNM Hardware Requirements
Enterprise networks can vary in performance, capacity, protocols, and overall activity. Resource requirements to consider for NNM deployments include raw network speed, the size of the network being monitored, and the configuration of NNM.
The following chart outlines some basic hardware requirements for operating NNM:

| Version | Installation scenario | RAM | Processor | Hard Disk |
|---|---|---|---|---|
| All Versions | NNM managing up to 50,000 hosts * (**) | 2 GB RAM (4 GB RAM recommended) | 2 2GHz cores | 20 GB HDD minimum |
| All Versions | NNM managing more than 50,000 hosts ** | 4 GB RAM (8 GB RAM recommended) | 4 2GHz cores | 20 GB HDD minimum |
| All Versions | NNM running in High Performance mode | 16 GB RAM (HugePages memory: 2 GB) | 10 2GHz cores with hyper-threading enabled | 20 GB HDD minimum |

*The ability to monitor a given number of hosts depends on the bandwidth, memory, and processing power available to the system running NNM.
**For optimal data collection, NNM must be connected to the network segment via a hub, spanned port, or network tap to have a full, continuous view of network traffic.
Note: Please research your VM software vendor for comparative recommendations, as VMs typically see up to a 30% loss in efficiency compared to dedicated servers.
High Performance Mode
To run NNM in High Performance mode, a minimum of two of the following types of Intel NICs are required; one as a management interface and at least one as a monitoring interface:
• e1000 (82540, 82545, 82546)
• e1000e (82571, 82574, 82583, ICH8.ICH10, PCH.PCH2)
• igb (82575, 82576, 82580, I210, I211, I350, I354, DH89xx)
• ixgbe (82598, 82599, X540, X550)
• i40e (X710, XL710)
• NT40A01-4x1
NNM Software Requirements
The Nessus Network Monitor is available for the following platforms:
Version | Software Requirements
Previous Versions
5.6.x-5.7.x
• Red Hat Linux ES 5 / CentOS 5 64-bit
• Red Hat Linux ES 6 / CentOS 6 64-bit
• Red Hat Linux ES 7 / CentOS 7 64-bit (through 7.6 kernel version 3.10.0)
• Mac OS X 10.9-10.12 64-bit
• Microsoft Windows 7, 8, 10, Server 2008, Server 2012, and Server 2016 64-bit OS
• Microsoft Visual C++ 2010 Redistributable Package
High Performance mode only available on:
• RH6/CentOS6 (RH6.0 thru RH6.9): 2.6.32-696
• RH7/CentOS7 (RH7.0 thru RH7.4): 3.10.0-693cc
• RH7/CentOS7 (RH7.5): 3.10.0-862
5.5.x
• Red Hat Linux ES 5 / CentOS 5 64-bit
• Red Hat Linux ES 6 / CentOS 6 64-bit
• Red Hat Linux ES 7 / CentOS 7 64-bit (through 7.6 kernel version 3.10.0)
• Mac OS X 10.9-10.12 64-bit
• Microsoft Windows 7, 8, Server 2008, and Server 2012
• Microsoft Visual C++ 2010 Redistributable Package
High Performance mode only available on:
• RH6/CentOS6 (RH6.0 thru RH6.9): 2.6.32-696
• RH7/CentOS7 (RH7.0 thru RH7.4): 3.10.0-693cc
• RH7/CentOS7 (RH7.5): 3.10.0-862
5.4.x
• Red Hat Linux ES 5 / CentOS 5 64-bit
• Red Hat Linux ES 6 / CentOS 6 64-bit
• Red Hat Linux ES 7 / CentOS 7 64-bit (through 7.6 kernel version 3.10.0)
• Mac OS X 10.9-10.12 64-bit
• Microsoft Windows 7, 8, Server 2008, and Server 2012
• Microsoft Visual C++ 2010 Redistributable Package
High Performance mode only available on:
• RH6/CentOS6 (RH6.0 thru RH6.9): 2.6.32-696
• RH7/CentOS7 (RH7.0 thru RH7.4): 3.10.0-693cc
You can use ERSPAN to mirror traffic from one or more source ports on a virtual switch, physical switch, or router and send the traffic to a destination IP host running NNM. NNM supports the following ERSPAN virtual environments:
• VMware ERSPAN (Transparent Ethernet Bridging)
• Cisco ERSPAN (ERSPAN Type II)
Tip: Refer to the Configuring Virtual Switches for Use with NNM document for details on configuring your virtual environment.
High Performance Mode
To run NNM in High Performance mode, you must enable HugePages support. HugePages is a performance feature of the Linux kernel and is necessary for the large memory pool allocation used for packet buffers. If your Linux kernel does not have HugePages configured, NNM automatically configures HugePages per the appropriate settings. Otherwise, if your Linux kernel has defined HugePages, refer to the Configuring HugePages instructions in the Linux Command Line Operations section.
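The High Performance mode prerequisites stated in this guide (a 2 GB HugePages pool and at least two NICs on the listed Intel drivers) can be checked on a host before the mode is enabled. The script below is an added example, not Tenable tooling; its function names are illustrative, and it assumes a Linux host that exposes /proc/meminfo and /sys/class/net.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for NNM High Performance mode on Linux.
# Thresholds and driver names are taken from this guide; everything else
# (function names, sample data) is illustrative.

HP_HUGEPAGES_MIN_KB=$((2 * 1024 * 1024))          # "HugePages memory: 2GB"
# The NT40A01-4x1 card in the guide's list is not matched by driver name here.
HP_SUPPORTED_DRIVERS="e1000 e1000e igb ixgbe i40e"

# meminfo_field FILE KEY -> numeric value of "KEY:" in a /proc/meminfo-style
# file, or 0 when the key is absent.
meminfo_field() {
    awk -v key="$2:" '$1 == key { print $2; found = 1; exit }
                      END { if (!found) print 0 }' "$1"
}

# hugepages_reserved_kb FILE -> HugePages_Total * Hugepagesize, in kB.
hugepages_reserved_kb() {
    local total size
    total=$(meminfo_field "$1" HugePages_Total)
    size=$(meminfo_field "$1" Hugepagesize)
    echo $((total * size))
}

# hugepages_state FILE -> one of:
#   unset         no pool defined; per the guide, NNM configures HugePages itself
#   sufficient    a pool is defined and is at least 2 GB
#   insufficient  a pool is defined but smaller than 2 GB (configure it manually)
hugepages_state() {
    local kb
    kb=$(hugepages_reserved_kb "$1")
    if [ "$kb" -eq 0 ]; then
        echo unset
    elif [ "$kb" -ge "$HP_HUGEPAGES_MIN_KB" ]; then
        echo sufficient
    else
        echo insufficient
    fi
}

# driver_supported NAME -> exit 0 if NAME is one of the listed drivers.
driver_supported() {
    local d
    for d in $HP_SUPPORTED_DRIVERS; do
        [ "$d" = "$1" ] && return 0
    done
    return 1
}

# count_supported_nics: reads "iface driver" lines on stdin and prints how many
# interfaces use a listed driver.
count_supported_nics() {
    local iface drv n
    n=0
    while read -r iface drv; do
        [ -n "$drv" ] || continue
        if driver_supported "$drv"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# list_nic_drivers: print "iface driver" for each interface backed by a device.
list_nic_drivers() {
    local path
    for path in /sys/class/net/*/device/driver; do
        [ -e "$path" ] || continue
        echo "$(basename "$(dirname "$(dirname "$path")")") $(basename "$(readlink -f "$path")")"
    done
}

# hp_preflight MEMINFO_FILE (NIC list on stdin): exit 0 only when the HugePages
# pool is unset or sufficient AND at least two supported NICs are present
# (one management interface plus at least one monitoring interface).
hp_preflight() {
    local state nics
    state=$(hugepages_state "$1")
    nics=$(count_supported_nics)
    echo "hugepages=$state supported_nics=$nics"
    [ "$state" != insufficient ] && [ "$nics" -ge 2 ]
}

# Constructed sample (not from a real host): 1024 pages of 2048 kB, three NICs.
sample=$(mktemp)
printf 'MemTotal:       16266544 kB\nHugePages_Total:    1024\nHugepagesize:       2048 kB\n' > "$sample"
printf 'eth0 igb\neth1 ixgbe\neth2 virtio_net\n' | hp_preflight "$sample"
rm -f "$sample"

# On a real host: list_nic_drivers | hp_preflight /proc/meminfo
```

The check does not cover the kernel version or CPU core requirements listed earlier in this section.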
NNM Licensing Requirements
NNM Subscription
An NNM subscription Activation Code is available that enables NNM to operate in Standalone mode. Use this mode to view results from an HTML interface enabled on the NNM server.
Activation Code
To obtain a Trial Activation Code for NNM, contact [email protected]. Trial Activation Codes are handled the same way by NNM as full Activation Codes, except that Trial Activation Codes allow monitoring for only 30 days. During a trial of NNM, all features are available.
Tenable.sc Continuous View
Tenable.sc CV includes NNM as part of a bundled license package with Tenable.sc. This license allows an unlimited number of NNM deployments to monitor an unlimited number of networks. Tenable.sc CV’s IP view is constrained by the license with which it is purchased.
Tenable.io
Tenable.io Vulnerability Management includes NNM as part of a bundled license package with Tenable.io. This license allows an unlimited number of NNM deployments to monitor an unlimited number of networks. Tenable.io's Asset view is constrained by the license with which it is purchased.
High Performance Mode
NNM in High Performance Mode can be licensed in Standalone mode or bundled with Tenable.sc.
Download NNM
To download NNM:
1. Access the Tenable Downloads page.
2. Click Nessus Network Monitor.
3. Select the correct version for your operating system.
   After you accept the license agreement, a download begins.
   Note: To ensure binary compatibility, be sure to download the correct build for your operating environment.
4. Confirm the integrity of the installation package by comparing the download checksum with the checksum on the Tenable downloads page, as described in the knowledge base article.
Install NNM
Before You Begin
• Download the NNM package.
• Ensure you can run the following commands with administrative or root privileges.
Linux
To ensure audit record time stamp consistency between NNM and Tenable.sc, ensure the underlying OS makes use of NTP as described in the Red Hat documentation.
The software license agreement for NNM is located in the /opt/NNM/docs directory.
Tip: Ensure that organizational and OS firewall rules permit access to port 8835 on the NNM server.
To install NNM on Linux:
1. Install the NNM .rpm file downloaded from the Tenable Downloads page in Red Hat or CentOS with the following command. The specific filename varies depending on your platform and version.
   # rpm -ivh NNM-5.x.x-esx.x86_64.rpm
   Preparing... ########################################### [100%]
   1:NNM ########################################### [100%]
   [*] NNM installation completed.
   #
   The installation creates the /opt/nnm directory, which contains the NNM software, default plugins, and directory structure.
2. Start NNM for Red Hat and CentOS systems using the following command:
   # service nnm start
3. Navigate to https://<IP address or hostname>:8835, which displays the NNM web frontend to log in for the first time.
   Refer to Configure NNM to complete the initial login.
Windows
You must ensure the latest version of Microsoft Visual C++ 2010 Redistributable Package is installed for your 64-bit platform and architecture. Be sure to stop any other programs on your system that utilize WinPcap.
To install NNM on Windows:
1. Double-click the .exe file downloaded from the Tenable Downloads page. The specific filename varies depending on your version.
   The InstallShield Wizard launches, which walks you through the installation process and required configuration steps.
2. Click the Next button.
   The License Agreement screen appears.
3. Agree to the terms to continue the installation process and use NNM.
   Tip: You can copy the text of the agreement into a separate document for reference, or you can click the Print button to print the agreement directly from this screen.
4. Click the Next button.
   The Customer Information screen appears. The User Name and Company Name boxes are used to customize the installation, but are not related to any configuration options (e.g., for interfacing with Tenable.sc).
5. Click the Next button.
   The Choose Program Location screen appears, where you can verify the location in which the NNM binaries are installed.
6. Click the Change button to specify a custom path.
7. Click the Next button.
   The Choose Data Location screen appears, where you can verify the location in which user data generated by NNM is stored.
8. Click the Change button to specify a custom path.
   Tip: If you connect NNM to Tenable.sc, altering the data path disables Tenable.sc from retrieving reports.
9. Click the Next button.
   The Ready to Install the Program screen appears, where you can review and edit the information supplied on previous screens.
10. Click the Install button.
    The Setup Status screen appears. If the most recent version of WinPcap is already installed on the system, the NNM installation process asks if you want to force or cancel installation of WinPcap. If it does not detect WinPcap, or detects an older version, a second installer launches to install or upgrade the software.
    Tip: Use the provided version of WinPcap or newer. NNM has been designed and tested using the supplied version of WinPcap.
11. Start NNM.
Mac OS X
1. Double-click the .dmg file downloaded from the Tenable Downloads page to mount the disk image NNM Install. The specific filename varies depending on your version.
2. Double-click the Install NNM.pkg file.
   The Install Tenable NNM window appears, which walks you through the installation process and any required configuration steps.
3. Click the Continue button.
   The Software License Agreement screen appears.
4. Agree to the terms to continue the installation process and use NNM.
   Tip: You can copy the text of the agreement into a separate document for reference, or you can click the Print button to print the agreement directly from this screen.
5. Click Install to begin the installation.
   A window appears asking for authentication permission to install the software.
6. Click the Install Software button.
   A window appears, requesting permission to allow NNM to accept incoming network connections. If this option is denied, NNM is installed but functionality is severely reduced.
7. When the identity dialog box appears, click Continue.
   Tip: Once the installation process is complete, eject the NNM install volume.
Upgrade NNM
This section describes how to upgrade an existing NNM instance on the following platforms:
• Linux
• Windows
• macOS
Upgrade NNM on Linux
Before You Begin
These steps assume you have backed up your custom SSL certificates. They also assume that you are running all commands with root privileges.
Additionally, if you have used an NNM RPM to install NNM previously, an upgrade retains configuration settings. You must transfer the NNM RPM package to the system on which it is being installed. Confirm the integrity of the installation package by comparing the download MD5 checksum with the one listed in the product release notes.
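The integrity check called for here, and in step 4 of Download NNM, can be scripted so that a mismatch stops the install or upgrade. This is an added example, not part of the Tenable guide; it assumes GNU coreutils (md5sum, sha256sum) and picks the algorithm from the length of the published value, which you copy from the vendor page or release notes yourself.

```shell
#!/usr/bin/env bash
# Added example: verify a downloaded installer against a published checksum.
# No Tenable digest is embedded here; the file and digest are passed in.

# normalize_digest VALUE: strip whitespace, lowercase, and reject anything that
# is not pure hex (for example a pasted "hash  filename" line).
normalize_digest() {
    local d
    d=$(printf '%s' "$1" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    case "$d" in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    printf '%s' "$d"
}

# digest_tool HEX: choose the hashing tool from the digest length
# (32 hex characters = MD5, 64 = SHA-256).
digest_tool() {
    case "${#1}" in
        32) echo md5sum ;;
        64) echo sha256sum ;;
        *)  return 1 ;;
    esac
}

# verify_pkg_checksum FILE PUBLISHED_DIGEST
# Exit 0 only when FILE exists and its digest equals the published value.
# Exit 1 on mismatch, 2 on unusable input, so callers can tell them apart.
verify_pkg_checksum() {
    local file published tool actual
    file=$1
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    published=$(normalize_digest "$2") || {
        echo "published checksum is not a hex string" >&2; return 2; }
    tool=$(digest_tool "$published") || {
        echo "unsupported checksum length: ${#published}" >&2; return 2; }
    actual=$("$tool" -- "$file" | awk '{print $1}')
    if [ "$actual" = "$published" ]; then
        echo "OK ($tool): $file"
        return 0
    fi
    echo "MISMATCH ($tool): $file" >&2
    echo "  published: $published" >&2
    echo "  computed:  $actual" >&2
    return 1
}

# Usage: ./verify.sh NNM-5.x.x-esx.x86_64.rpm <checksum from the vendor page>
if [ "$#" -eq 2 ]; then
    verify_pkg_checksum "$1" "$2"
fi
```

Chaining it in front of the package command, as in `verify_pkg_checksum "$pkg" "$sum" && rpm -Uvh "$pkg"`, keeps an unverified file from being installed.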
To upgrade NNM on Linux:
1. Stop NNM with the following command:
   # service nnm stop
2. Install the NNM .rpm file downloaded from the Tenable Downloads page with the following command. The specific filename varies depending on your version:
   # rpm -Uvh NNM-5.x.x-esx.x86_64.rpm
   Preparing... ########################################### [100%]
   1:NNM ########################################### [100%]
   [*] NNM installation completed.
   #
3. Once the upgrade is complete, start NNM with the following command:
   # service nnm start
4. Navigate to https://<ip address or hostname>:8835, which displays the NNM web frontend to log in.
   Tip: Ensure that organizational firewall rules permit access to port 8835 on the NNM server.
Upgrade NNM on Windows
Before You Begin
These steps assume you have backed up your custom SSL certificates. They also assume that you are running all programs as a local user with administrative privileges. To do so, when UAC is enabled, right-click on the installer program and select Run as Administrator.
Additionally, you must ensure the latest version of the Microsoft Visual C++ 2010 Redistributable Package is installed for your 64-bit platform and architecture. Be sure to stop any other programs on your system that are utilizing WinPcap.
To upgrade NNM on Windows:
1. Stop the Tenable NNM Proxy Service from the Windows Services control panel.
2. Double-click the .exe file downloaded from the Tenable Downloads page. The specific filename varies depending on your platform and/or version.
   The InstallShield Wizard launches and begins the upgrade process.
3. Click the Next button.
   The automated upgrade process begins.
   Note: If the version of WinPcap is not at the appropriate level during the upgrade process, an upgrade window appears and begins the process of upgrading WinPcap. Failure to install the recommended version of WinPcap may result in errors with NNM monitoring.
4. When the upgrade is complete, start NNM.
5. Navigate to https://<ip address or hostname>:8835 to display the NNM web front end to log in.
   Tip: Ensure that organizational firewall rules permit access to port 8835 on the NNM server.
Upgrade NNM on macOS
Before You Begin
These steps assume that you have backed up your custom SSL certificates and are running all programs with root privileges.
To upgrade NNM on macOS:
1. Stop NNM.
2. Double-click the .dmg file downloaded from the Tenable Downloads page to mount the disk image NNM Install. The specific filename varies depending on your version.
3. Double-click the Install NNM.pkg file.
   The Install Tenable NNM window appears, which walks you through the upgrade process and any required configuration steps.
4. Click the Continue button.
   The Software License Agreement screen appears.
5. Agree to the terms to continue the installation process and use NNM.
   Tip: You can copy the text of the agreement into a separate document for reference, or you can click the Print button to print the agreement directly from this screen.
6. Click the Install button.
   A window appears asking for authentication permission to install the software.
7. Click the Install Software button.
   A window appears requesting permission to allow NNM to accept incoming network connections. If this option is denied, NNM is installed but functionality is severely reduced.
8. Click the Allow button.
Set up NNM
NNM configuration follows the same steps for all operating systems. This section provides instructions for the following:
• Configure NNM
• Register NNM Offline via the NNM Interface
• Register NNM Offline via the CLI
• Configure High Performance Mode
Configure NNM
To configure NNM:
1. In a web browser, navigate to https://<ip address or hostname>:8835.
2. Type the default username and password, which are both admin.
3. Click Sign In To Continue.
4. The Change Default Password screen of the Quick Setup window appears, where you can change the default password. The new password must meet the following minimum requirements:
   • Minimum 5 characters long
   • One capital letter
   • One lowercase letter
   • One numeric digit
   • One special character from the following list: !@#$%^&*()
5. Click Next Step.
   The Set Activation Code screen appears.
6. To register NNM offline, select the Register Offline check box and see Register NNM Offline via the CLI.
7. In the Activation Code box, type the appropriate text based on your setup:
   • If NNM is acting as a standalone device, type an Activation Code.
   • If NNM is managed by Industrial Security, type IndustrialSecurity.
     Industrial Security is end-of-life (EOL). For information about EOL dates and policies for Tenable products, see the Tenable Software Release Lifecycle Matrix and Policy.
     a. In the Industrial Security Host box, type the IP address of the Industrial Security instance.
     b. In the Industrial Security Port box, type the port of the Industrial Security instance.
      c. In the Industrial Security Key box, type the key copied from the Industrial Security instance. See the Industrial Security User Guide for more information.
      d. In the NNM Name box, type a name for the NNM instance. This name appears in the Industrial Security interface.
   - If NNM is managed by Tenable.io, type Cloud.
     Four configuration options appear: Cloud Host, Cloud Port, Cloud Key, and NNM Name. See the Cloud Settings section for more information.
   - If NNM is managed by Tenable.sc, type SecurityCenter. See the Tenable.sc User Guide for more information.
In all cases, a valid Activation Code must be typed in the Activation Code box.
8. Click Next Step.
The Monitoring Configuration screen appears.
   - The Monitored Network Interfaces box displays the monitored interfaces identified by NNM. You can select one or more of the defined interfaces. The caret icon displays additional information about each interface.
   - The Monitored Network IP Addresses and Ranges box displays the IP address ranges NNM monitors.
   - The Excluded Network IP Addresses and Ranges box displays the IP address ranges NNM does not monitor.
The Monitored Network IP Addresses and Ranges and Excluded Network IP Addresses and Ranges boxes accept both IPv4 and IPv6 CIDR address definitions. When using multiple addresses, separate the entries using commas or new lines.
Note: Tenable Network Security does not recommend typing large ranges such as 0.0.0.0/0. Because this indicates to NNM that any and all network addresses belong in the network, performance may be severely impacted. Please only include addresses in your network, as each address undergoes in-depth processing.
9. Click Finish.
The Monitoring page appears. Once NNM starts monitoring traffic, the page displays various high-level charts about the vulnerabilities, assets, connections, and bandwidth usage that NNM has detected, as well as real-time events that NNM has triggered.
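A pre-flight check for the Monitored and Excluded range boxes from step 8, as an added example (not Tenable's code and not part of NNM): it parses comma- or newline-separated IPv4/IPv6 CIDR entries and reports catch-all ranges such as 0.0.0.0/0, entries with host bits set, and exclusions that cancel or miss the monitored ranges. The function names, the BROAD_PREFIX thresholds and the sample ranges are assumptions constructed for illustration.

```python
import ipaddress

# Assumed review thresholds for this example (not NNM limits): a monitored
# prefix shorter than this is reported so that someone double-checks it.
BROAD_PREFIX = {4: 16, 6: 48}

# Constructed sample input, in the comma/new-line format the guide describes.
MONITORED_SAMPLE = "10.20.0.0/16, 192.168.10.7/24\n0.0.0.0/0, 2001:db8:40::/48, not-a-range"
EXCLUDED_SAMPLE = "10.20.99.0/24\n172.16.5.0/24, 2001:db8:40::/48"


def parse_ranges(text):
    """Parse one box: CIDR entries separated by commas or new lines."""
    networks, findings = [], []
    for raw in text.replace("\n", ",").split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            iface = ipaddress.ip_interface(entry)
        except ValueError:
            findings.append(("error", entry, "not a valid IPv4 or IPv6 CIDR"))
            continue
        net = iface.network
        if iface.ip != net.network_address:
            # e.g. 192.168.10.7/24: probably meant the /24 network or a single host
            findings.append(("warn", entry, f"host bits set, network is {net}"))
        networks.append(net)
    return networks, findings


def review(monitored_text, excluded_text=""):
    """Return (severity, entry, message) findings for the two range boxes."""
    monitored, findings = parse_ranges(monitored_text)
    excluded, excluded_findings = parse_ranges(excluded_text)
    findings += excluded_findings

    # Breadth only matters for what NNM is told to treat as in-network.
    for net in monitored:
        if net.prefixlen == 0:
            findings.append(("error", str(net), "catch-all range, every address counts as in-network"))
        elif net.prefixlen < BROAD_PREFIX[net.version]:
            findings.append(("warn", str(net), f"{net.num_addresses} addresses, confirm all are yours"))

    for ex in excluded:
        same_family = [m for m in monitored if m.version == ex.version]
        if not any(m.overlaps(ex) for m in same_family):
            findings.append(("info", str(ex), "excluded range is outside every monitored range"))
        for m in same_family:
            if m.subnet_of(ex):
                findings.append(("error", str(m), f"monitored range is entirely excluded by {ex}"))
    return findings


if __name__ == "__main__":
    for severity, entry, message in review(MONITORED_SAMPLE, EXCLUDED_SAMPLE):
        print(f"{severity:5} {entry:20} {message}")
```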
Register NNM Offline via the NNM Interface
To register NNM offline via the NNM interface:
1. During the Initial Configuration, on the Quick Setup window, select the Register Offline check box.
A challenge code and the Activation Key box appear.
2. Copy the challenge code and, in a web browser, navigate to https://plugins.nessus.org/v2/offline-NNM.php.
3. In the appropriate boxes, paste your challenge code and type the Activation Code you received from Tenable.
4. Click Submit.
The page generates a URL to download the NNM plugins tarball. Save this URL, as it is used every time you update your plugins. Additionally, a license key appears.
5. Copy the license key.
6. Navigate to the NNM interface.
7. Paste the license key into the Activation Key box on the Quick Setup window.
8. Click the Next Step button.
9. Continue with Step 5 of the Initial Configuration instructions.
Note: After configuring NNM, upload the plugins tarball in the Offline Update area of the Feed Settings section.
Register NNM Offline via the CLI
If your NNM installation cannot reach the Internet directly, use the following procedure to register and update plugins:
1. On the system running NNM, type the following command:
Platform | Command to Run
Red Hat Linux / CentOS | # /opt/nnm/bin/nnm --challenge
Windows | C:\Program Files\Tenable\NNM\nnm --challenge
macOS | # /Library/NNM/bin/nnm --challenge
This produces a challenge code similar to the following:
569ccd9ac72ab3a62a3115a945ef8e710c0d73b8
2. Go to https://plugins.nessus.org/v2/offline-NNM.php.
3. Paste the challenge code as well as the Activation Code you received previously from Tenable into the appropriate text boxes.
This produces a URL that gives you direct access to the NNM plugins.
4. Save the URL, as it is used every time you update your plugins.
Additionally, a license key and the associated NNM.license file are produced.
5. Copy this file to the host running NNM in the appropriate directory.
6. Once the NNM.license file is copied, run the nnm --register-offline command to install the file:
Platform | Command
Red Hat Linux / CentOS | # /opt/nnm/bin/nnm --register-offline /path/to/NNM.license
Windows | C:\Program Files\Tenable\NNM\nnm --register-offline "C:\path\to\NNM.license"
macOS | # /Library/NNM/bin/nnm --register-offline /path/to/NNM.license
7. To obtain the newest plugins, navigate to the URL provided in the previous step.
You receive a TAR file (e.g., sc-passive.tar.gz).
8. Copy the file to NNM and then type the appropriate command for your platform:
Platform | Command
Red Hat Linux / CentOS | # /opt/nnm/bin/nnm --update-plugins /path/to/sc-passive.tar.gz
Windows | C:\Program Files\Tenable\NNM\nnm --update-plugins C:\path\to\sc-passive.tar.gz
macOS | # /Library/NNM/bin/nnm --update-plugins /path/to/sc-passive.tar.gz
Register High Performance Mode NNM for Tenable.sc in an Air-gapped Environment
To register NNM for Tenable.sc in an air-gapped environment, you must either update your current install or configure a fresh install of NNM.
Note: These steps apply to High Performance, 10G mode.
Update the Current Install
From NNM:
1. From a CLI on NNM, stop the NNM service.
2. Run the following command:
/opt/nnm/bin/nnm --config "Enable High Performance Mode" "1"
3. Start the NNM service.
4. In a browser, open NNM.
5. Click Configuration > Feed Settings.
6. In the Activation Code box type ‘XXXX’.
Note: This allows the (required) High Performance license to persist and enables the Fetch Plugins From drop-down box.
7. From the Fetch Plugins From drop-down box, select SecurityCenter.
8. Click Update.
From Tenable.sc:
1. Open a browser and connect to Tenable.sc.
2. Add NNM, as described in Add a Nessus Network Monitor in the Tenable.sc User Guide.
3. Click Submit.
The system adds NNM to Tenable.sc.
Note: The NNM status changes to Plugins Out of Sync while the plugins are first downloaded to NNM from Tenable.sc. The next time Tenable.sc polls NNM, the status updates to Working.
Configure a Fresh Install
From NNM:
1. From a CLI on NNM, run the following command:
/opt/nnm/bin/nnm --config "Enable High Performance Mode" "1"
2. Start the NNM service.
3. In a browser, open NNM.
4. In Step 2 of the Quick Setup steps, check the Register Offline check box.
5. In a browser, navigate to https://plugins.nessus.org/v2/offline.php.
6. Type the NNM challenge code.
7. Type the activation code.
8. In NNM, complete the Quick Setup steps.
9. Click Configuration > Feed Settings.
10. In the Activation Code box type ‘XXXX’.
Note: This allows the (required) High Performance license to persist and enables the Fetch Plugins From drop-down box.
11. From the Fetch Plugins From drop-down box, select SecurityCenter.
12. Click Update.
From Tenable.sc:
1. Open a browser and connect to Tenable.sc.
2. Add NNM, as described in Add a Nessus Network Monitor in the Tenable.sc User Guide.
3. Click Submit.
The system adds NNM to Tenable.sc.
Note: The NNM status changes to Plugins Out of Sync while the plugins are first downloaded to NNM from Tenable.sc. The next time Tenable.sc polls NNM, the status updates to Working.
Configure High Performance Mode
Before You Begin
The following steps are required to operate NNM in High Performance mode. Alternatively, a user with administrative privileges can enable High Performance mode via the UI.
You must have a High Performance Activation Code in order to run NNM in High Performance mode.
NNM uses multiple cores to process packets received from monitored interfaces. These are known as worker cores. The default number of worker cores is 8. This number can be changed using the configuration parameter Number Of Worker Cores.
Note: NNM supports a maximum number of 16 cores.
Note: If you set the Number Of Worker Cores parameter to 0, NNM automatically changes the value to the minimum number of worker cores needed to run NNM in High Performance mode.
For example, suppose you have 20 available logical cores. Four of those cores are used by the system for internal processing and the kernel. If you want to use the 16 available cores for NNM, then you may change the value for the parameter Number Of Worker Cores to 16.
To configure High Performance Mode:
1. Stop NNM with the following command:
# service nnm stop
2. Enable High Performance mode with the following command:
/opt/nnm/bin/nnm --config "Enable High Performance Mode" "1"
3. Confirm that the management network interface is different from the monitoring network interface that you configured initially.
Note: If the configured monitored interface has bound IPv4 addresses, you cannot complete the Quick Setup Wizard to configure NNM because no usable NICs appear in the Monitored Network Interfaces list.
4. Start NNM with the following command:
# service nnm start
Configure NNM in High Performance Mode on Hyper-V
To configure NNM in High Performance Mode on Hyper-V:
1. Install the CentOS VM.
2. Shut down the VM after install completes.
3. Right click the VM and navigate to Settings.
4. In the Memory section, check the Enable Dynamic Memory check box.
5. Set the Minimum RAM to the startup RAM setting.
6. In the Automatic Stop Action section, select the Turn off the virtual machine radio button.
7. Click OK.
8. Open Device Manager.
9. Right click on the device you want to configure for passthrough.
10. In the Properties dialog, click the Details tab.
11. In the Property drop-down box, select Device instance path.
12. Copy the value from the Value box.
13. In PowerShell, use the following commands to perform the DDA configuration:
# Setting up environment
# Configure VMName
$vmName = '10GNNM'
# Configure Instance ID
$instanceId = 'PCI\VEN_8086&DEV_1563&SUBSYS_001D8086&REV_01\9126D1FFFF74000000'
# Configure Extra variable
$vm = Get-VM -Name $vmName
$dev = (Get-PnpDevice -PresentOnly).Where{ $_.InstanceId -like $instanceId }
# Disable device from hosts
Disable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false
# Setup location path and dismount the device from hosts
$locationPath = (Get-PnpDeviceProperty -KeyName DEVPKEY_Device_LocationPaths -InstanceId $dev.InstanceId).Data[0]
echo $locationPath
# Dismount device from the host
Dismount-VmHostAssignableDevice -LocationPath $locationPath -Force -Verbose
# Assign the device to our VM
Add-VMAssignableDevice -VM $vm -LocationPath $locationPath -Verbose
Use the following commands if you do not intend to use the device with NNM in the VM:
# Roll back, shutdown the VM first
# Remove the device from the VM
Remove-VMAssignableDevice -VMName $vmName -Verbose
# Return the device to host
Get-VMHostAssignableDevice | Mount-VmHostAssignableDevice -Verbose
# Enable it in devmgmt.msc
(Get-PnpDevice -PresentOnly).Where{ $_.InstanceId -like $instanceId } | Enable-PnpDevice -Confirm:$false -Verbose
14. Turn on the VM.
15. Install NNM.
16. Configure huge pages with the commands listed in the Linux Command Line Operations documentation.
17. Enable High Performance Mode.
Configure Hyper-V NIC in Promiscuous Mode
A Hyper-V NIC configured in promiscuous mode allows you to monitor external traffic.
1. Open PowerShell.
2. Run the following command to add a VMSwitch Port Feature, where "LAN2" is your virtual switch name.
$A = Get-VMSystemSwitchExtensionPortFeature -FeatureName "Ethernet Switch Port Security Settings"
# (OR $A = Get-VMSystemSwitchExtensionPortFeature -FeatureId 776e0ba7-94a1-41c8-8f28-951f524251b5)
$A.SettingData.MonitorMode = 2
Add-VMSwitchExtensionPortFeature -ExternalPort -SwitchName LAN2 -VMSwitchExtensionFeature $A
3. Run the following command to change the Port Mirroring Attribute of the VM Network device, where "VMName06_WinXPMonitor" is your VM name and "00155D016612" is the MAC address of your adapter.
Get-VMNetworkAdapter -VMName 06_WinXPMonitor | ? MacAddress -eq '00155D016612' | Set-VMNetworkAdapter -PortMirroring Destination
See How to Expand the Size of Disk Volume for more information.
Remove NNM
The following instructions describe how to remove NNM from the following platforms:
- Linux
- Windows
- macOS
Remove NNM from Linux
To remove NNM from Linux:
1. Stop NNM with the following command:
# service nnm stop
2. Determine the name of the RPM file with the following command:
# rpm -qa | grep nnm
The name of the RPM file appears.
3. Remove the NNM RPM with the following command:
# rpm -e <RPM name>
4. Some user-created and user-modified files are not removed with the -e command. Remove any remaining files with the following command:
# rm -rf /opt/nnm
NNM is removed.
Remove NNM from Windows
To remove NNM from Windows:
1. Depending on your version of Windows, in the Control Panel, under Programs, click one of the following:
   - Programs and Features
   - Add or Remove Programs
2. Select Tenable Nessus Network Monitor.
3. Click Change/Remove.
The InstallShield Wizard appears.
4. Follow the directions in this wizard to completely remove NNM.
5. Select Yes to remove the NNM program and all its files, folders, and features from the system.
-or-
Select No to remove only the NNM program. All user-created files and relevant file folders remain on the system.
6. Restart your machine to complete the removal.
7. Follow the same instructions to remove WinPcap.
Remove NNM from macOS
To remove NNM from macOS:
1. Stop NNM.
2. Delete the following directories (including subdirectories) and files with either sudo root or root privileges using the command line:
# rm /Library/LaunchDaemons/com.tenablesecurity.nnm*
# rm -r /Library/NNM
# rm -r /Library/PreferencePanes/NNM*
# rm -r /Applications/NNM
NNM is removed from your macOS system.
NNM Navigation
The top navigation menu displays two main pages: Monitoring and Results. All of NNM’s primary analysis tasks can be performed using these two pages. Click a page name to open that page.
From the right side of the top navigation menu, you can access settings, current user settings (username of the currently logged-in user), and notifications.
- Click the settings icon to display the Users and Configuration options, where you can make administrative changes to NNM.
  Note: The Users and Configuration pages are available only to users with administrative privileges.
- Click your username to display a drop-down box with the following options:
   - Change Password - Change password for the current user.
   - Help & Support - View NNM information and documentation.
   - Sign Out - Log out as the current user.
- The bell icon toggles the Notification History box, which displays a list of notifications, successful or unsuccessful login attempts, errors, and system information generated by NNM. The color of the bell changes based on the nature of the notifications in the list. If there are no alerts, or all notifications are information alerts, then the bell is blue. If there are error alerts in the notification list, then the bell is red. The Notification History box displays up to 1,000 alerts. Once the limit is reached, no new alerts can be listed until old ones are cleared.
To remove notifications individually, click the button to the right of the description of each event. Alternatively, click the Clear History button in the bottom right corner of the box to delete the entire notification history.
Note: Notifications are not preserved between sessions. Unread notifications are removed from the list when the user logs out.
Monitoring Page
The Monitoring page provides a centralized view of vulnerabilities discovered by NNM. On this page, vulnerabilities may be viewed in several categories, including Dashboards, Hosts, Vulnerabilities, Applications, Operating Systems, Connections, and Mobile Devices. The results may also be exported in different formats for use in other programs.
Across all of the viewable methods available on the Monitoring page, filter options are available to increase granularity when viewing results. Click the heading of a column to sort items within that section of the Monitoring page in ascending or descending order.
The Actions drop-down box allows you to export results, delete results, or launch a Nessus scan.
Note: After deleting results, you must restart NNM to see the most up-to-date information.
The Filter <section name> box allows for quick filtering of the Monitoring page. To view a list of filterable plugin attributes, click the down arrow for any quick filter box. Results appear based on a match of Any or All filters. The search box contains example hints when empty, but if an incorrect filter value is introduced, the box displays a red border.
Note: The Filter <section name> box is not available in the Dashboards section.
Filter Text
Name | Description
Bugtraq ID | Filter the results of discovered vulnerabilities based on their Bugtraq identifications.
CPE | Filter the results of discovered vulnerabilities based on their CPE identifiers.
CVE | Filter the results of discovered vulnerabilities based on their CVE identifiers.
CVSS Base Score | Filter the results of discovered vulnerabilities based on the base CVSS score as reported by vulnerability plugins.
CVSS Temporal Score | Filter the results of discovered vulnerabilities based on the temporal CVSS score as reported by vulnerability plugins.
CVSS Temporal Vector | Filter the results of discovered vulnerabilities based on the CVSS temporal vector as reported by vulnerability plugins.
CVSS Vector | Filter the results of discovered vulnerabilities based on the CVSS vector as reported by vulnerability plugins.
CVSS v3.0 Base Score | Filter the results of discovered vulnerabilities based on the CVSS v3.0 base score as reported by vulnerability plugins.
CVSS v3.0 Temporal Score | Filter the results of discovered vulnerabilities based on the temporal CVSS v3.0 score as reported by vulnerability plugins.
CVSS v3.0 Temporal Vector | Filter the results of discovered vulnerabilities based on the temporal CVSS v3.0 vector as reported by vulnerability plugins.
CVSS v3.0 Vector | Filter the results of discovered vulnerabilities based on the CVSS v3.0 vector as reported by vulnerability plugins.
Host | Filter the results of discovered vulnerabilities based on the discovered IP address of the device.
IAVA ID | Filter the results of discovered vulnerabilities based on the IAVA IDs of the vulnerabilities.
IAVB ID | Filter the results of discovered vulnerabilities based on the IAVB IDs of the vulnerabilities.
IAVT ID | Filter the results of discovered vulnerabilities based on the IAVT IDs of the vulnerabilities.
OSVDB ID | Filter the results of discovered vulnerabilities based on the discovered OSVDB identifiers.
Plugin Description | Filter the results of discovered vulnerabilities based on text available in the descriptions of the vulnerabilities.
Plugin Family | Filter the results of discovered vulnerabilities based on a family of discovered vulnerabilities.
Plugin ID | Filter the results of discovered vulnerabilities based on the IDs of the plugins that identified the vulnerabilities.
Plugin Name | Filter the results of discovered vulnerabilities based on text available in the names of the plugins that identified the vulnerabilities.
Plugin Output | Filter the results of discovered vulnerabilities based on text contained in the output of the plugin that discovered the vulnerability.
Port | Filter the results of discovered vulnerabilities based on the port on which the vulnerability was discovered.
Protocol | Filter the results of discovered vulnerabilities based on the detected protocol: tcp, udp, or icmp.
STIG Severity | Filter the results of discovered vulnerabilities based on STIG severity level of the plugin.
See Also | Filter the results of discovered vulnerabilities based on the text available in the See Also box of the plugin.
Severity | Filter the results of discovered vulnerabilities based on the identified severity.
Solution | Filter the results of discovered vulnerabilities based on text available in the solution section of the plugin.
Synopsis | Filter the results of discovered vulnerabilities based on text available in the synopsis section of the plugin.
System Type | Filter the results of discovered vulnerabilities based on the system type of the device.
VLAN ID | Filter the results of discovered vulnerabilities based on the VLAN ID of the device.
Dashboards Section
The Dashboards section displays the contents of the vulnerability tab in a graphical layout. The default dashboard layout displays the following charts:
• Top 10 Hosts
• Top 10 Vulnerabilities
• Top 5 Applications
• Distribution by Operating System
• Top 10 Talkers
Note: The 10 Top Talkers chart only lists client machines that call or talk to the servers. If you are interested in viewing both servers and clients, enable the Enable Connection Analysis Module setting in the NNM Settings Section.
• Top 10 Mobile Devices
• Distribution of Mobile Devices by Operating System
• Top 10 Mobile Devices by Hardware
• Distribution of Mobile Applications by Application
• SCADA Vulnerability Distribution by Severity
• Top 10 SCADA Hosts
• SCADA Host Distribution by Protocol
• SCADA Host Distribution by System Type
• Client Connections
• Network Bandwidth by Byte Count
• Event Trending
Note: Your NNM configuration determines which charts appear in the Dashboards section.
Click on the data within a chart to see more information about the data. Additionally, you can drag-and-drop charts to rearrange them on the dashboard for the duration of your session. The Client Connections, Network Bandwidth by Byte Count, and Event Trending charts cannot be moved. For more information, see Rearrange Charts.
The following table describes the options available in the Dashboards section:
Option Description
<click on the chart> Opens a Details section with more information about the data displayed in a chart.
Note: You cannot click on the Top 10 Mobile Devices by Hardware chart.
button Removes the chart from the Dashboards section for the duration of your session.
button Refreshes the chart.
button Provides options to Export Results, Delete Results, or Launch Scan.
button Provides options to filter chart data based on a specified date range.
Events Dashboard
Click on the Event Trending chart to access the Events dashboard. The Events dashboard displays a graphical representation of the number of maximum viewable real-time events as defined in the Realtime Events setting type in the NNM Settings section.
The Event Details table can be customized by sorting columns, showing or hiding columns, filtering content by clicking View Active Filters, or by clicking underlined columns in the table.
Rearrange Charts
To rearrange charts on the Dashboard:
1. In the Dashboards section, select the heading of the chart you want to reposition.
2. Drag the chart to a different location on the dashboard.
3. Release the pointer.
The chart moves and the dashboard configuration saves for the duration of your session.
Note: You cannot move the Client Connections, Network Bandwidth by Byte Count, or Event Trending charts.
Refresh a Chart
To refresh a chart on the Dashboard:
1. In the Dashboards section, in the upper right corner of the chart you want to refresh, click the button.
The selected chart refreshes.
Set a Date Range for the Dashboards Section
To set a date range for the charts on the Dashboard:
1. In the Dashboards section, in the upper right corner, click the drop-down box.
2. Do one of the following:
• Select one of the preset time intervals.
• Select a start and end date from the available calendars and specify a time associated with each date.
• Manually type dates in the two text boxes in YYYY/MM/DD format and specify a time associated with each date.
All the charts on the page refresh to reflect the selected time interval.
Remove a Chart from a Dashboard
To remove a chart from a dashboard:
In the Dashboards section, in the upper right corner of the chart you want to remove, click the button.
The selected chart is removed from the dashboard for the duration of your session.
Hosts Section
The Hosts section of the Monitoring page displays a list of the discovered hosts, the system type of the hosts, and a stacked bar chart. The chart is labeled and color-coded to indicate both the number and severity level of vulnerabilities detected on the host.
Select a host from the list to display the host’s attributes and discovered vulnerabilities. In the drop-down box at the top of the section, select one of the following options to view relevant information.
Vulnerabilities
Vulnerabilities detected on this host appear in descending order of severity. The Vulnerabilities list displays the name of each vulnerability, the vulnerability family, and the number of vulnerabilities discovered. Select a vulnerability from the list to display vulnerability details including a synopsis, a description, a solution, plugin details, risk information, reference information, and affected hosts and services for the host.
Applications
Applications appear in descending order of severity. The Applications list displays the name and number of each application. Select an application from the list to display information about the application observed on this host. The list includes the name and number of discoveries, the affected port and protocol, the software and version, and the services available.
Client Connections
Hosts to which the selected host has connected are grouped by port. The Client Connections list displays information about connections from the selected host to other hosts, which port(s) were used, and, if known, the services. Click on a client connection to display a Connections sidebar that displays Host Details, a Client Connections diagram, and, where applicable, a Recent Sessions table.
Server Connections
Hosts that have connected to the selected host are grouped by port. The Server Connections list displays information about connections to the selected host from other hosts, which port(s) were used, and, if known, the services. Click on a server connection to display a Connections sidebar that displays Host Details, a Server Connections diagram, and, where applicable, a Recent Sessions table.
Vulnerabilities Section
The Vulnerabilities section of the Monitoring page provides a list of the vulnerabilities detected by NNM. Additionally, you can view a vulnerability's plugin family and the number of detected vulnerabilities.
Select a vulnerability from the list to view the following vulnerability details:
• A Synopsis of the vulnerability.
• A Description of the vulnerability.
• A Solution for the vulnerability.
• A See Also section that features additional reference material about the vulnerability.
• A list of Affected Hosts.
• The vulnerability's Plugin Details.
• Risk Information about the vulnerability.
• Reference Information about the vulnerability.
Delete a Vulnerability
To delete a vulnerability:
To delete one vulnerability:
1. In the Vulnerabilities section, hover over the vulnerability you want to delete.
2. On the right side of the row, click the button.
The vulnerability is deleted.
To delete multiple vulnerabilities:
1. On the Vulnerabilities page, on the left side of the row for the vulnerability you want to delete, select the check box. Repeat this step for each vulnerability you want to delete.
2. Click Actions > Delete Vulnerabilities.
The vulnerabilities are deleted.
Applications Section
The Applications section displays a list of discovered applications. Click an application to display a list of affected hosts. The list includes the name and number of discoveries, the affected port and protocol, the software and version, and the services available.
Operating Systems Section
The Operating Systems section displays a list of discovered operating systems. This section lists the severity, operating system name as detected, and the number of discoveries.
Click an operating system to display a list of affected hosts. The list includes the severity, the version of the operating system, and the services available.
Connections Section
The Connections section displays information in two tabs:
• The Client Connections tab displays a list of hosts. Click on a host to display connections from the selected host to other hosts, the port(s) used, and, if known, the services. Additionally, the Connections sidebar displays Host Details, a Client Connections diagram, and, where applicable, a Recent Sessions table.
• The Server Connections tab displays a list of hosts. Click on a host to display connections to the selected host from other hosts, the port(s) used, and, if known, the services. Additionally, the Connections sidebar displays Host Details, a Server Connections diagram, and, where applicable, a Recent Sessions table.
Mobile Devices Section
The Mobile Devices section displays a list of discovered mobile devices. The summary page displays the IP address, model, operating system, and last seen timestamp for each mobile device within the monitored network range. Select a device name from the list to display the device’s list of vulnerabilities and a list of applications for the mobile device.
Filter Monitoring Results
To filter monitoring results:
1. In the Hosts, Vulnerabilities, Applications, Operating Systems, Connections, or Mobile Devices section, in the upper right corner, click the Filter <section name> drop-down box.
2. Type the criteria by which you want to filter results directly into the box.
-or-
Click the button in the box.
The Filter Results window appears.
3. Configure the filter options as necessary.
4. Click the Apply Filters button.
Note: On-the-fly filter results cannot be exported. If you want to export filter results, you must configure the filter(s) in the Filter Results window. Additionally, on-the-fly filter results are not stored when a user navigates to another page in NNM.
Export Monitoring Results
To export monitoring results:
1. Click Monitoring > Actions > Export Results.
The Export Results screen appears.
2. Select the export format and chapter layout.
3. Click the Export button.
An automatic download begins. You can save the report from the web browser.
Note: On-the-fly filter results cannot be exported. If you want to export filter results, you must configure the filter(s) in the Filter Results window.
Launch a Nessus Scan
To launch a Nessus scan:
1. Do one of the following:
• Click Monitoring > Actions > Launch Scan.
• Click Assets or Vulnerabilities > select the check boxes for the assets you want to scan > Actions > Launch Scan.
The Launch Basic Nessus Scan window appears.
2. Configure the scan options as necessary.
3. Click the Launch button.
The scan opens in the Nessus interface. Refer to the Nessus user guide for further instructions.
Note: To launch scans on Nessus 6.8.x or higher, NNM must be configured to restrict access to TLS 1.2 or higher. See the NNM Settings Section for more information.
Results Page
The Results page contains snapshots of monitored data, results from Pcap files entered manually via the command line or the client UI, and uploaded NNM reports. The Monitoring Snapshots generate regularly based on the Report Frequency setting. They are stored until deleted or the Report Lifetime setting removes them. Select a result grouping to view it using the same analysis tools described in the Monitoring section of this user guide:
• Hosts
• Vulnerabilities
• Applications
• Operating Systems
• Connections
• Mobile Devices
Additionally, to compare two snapshots, check the desired snapshot results and select the Diff Snapshots option from the Actions drop-down box.
Upload a Report
To upload a report:
1. Click Results > Upload > Report.
The Upload Results window appears.
2. Select a file to upload.
3. Click the Upload Results button.
The report appears in a new row at the top of the Listing Results list on the Results page.
Upload a Pcap
Before You Begin
The maximum total file size for uploaded Pcaps is 100 MB. Running a Pcap pauses live monitoring.
To upload a Pcap:
1. Click Results > Upload > Pcaps.
The Upload Pcaps window appears.
2. Select one or more files to upload.
3. Click the Upload Pcap(s) button.
A new row for the Pcap(s) appears at the top of the Listing Results list on the Results page.
Filter Results
To filter results:
1. On the Results page, in the upper right corner, click the Filter Results drop-down box.
2. Select Snapshot, Manual, or Pcap.
The Listing Results list filters by the selected report type. Click Clear Filter to remove the filter from the list.
Delete Results
To delete one result:
1. On the Results page, hover over the result you wish to delete.
2. Click the button.
A dialog box appears confirming your selection to delete the result.
3. Click the Delete button.
The result is deleted.
To delete multiple results:
1. On the left side of the row for the result you want to delete, select the check box. Repeat this step for each result you want to delete.
2. Click Actions > Delete Result.
A dialog box appears confirming your selection to delete the results.
3. Click the Delete button.
The results are deleted.
Users Page
The Users page lists the available users on the NNM server. Additionally, you can view account configuration options for each user. This page is visible only to users with administrative privileges.
To access the Users page:
1. In the top navigation bar, click the icon.
2. In the drop-down box, click Users.
The Users page appears.
Click on a user to modify the user's account. For more information, see Modify a User Account.
Create a New User
To create a new user:
1. On the Users page, in the upper right corner, click the New User button.
The New User window appears.
2. In the Username box, type a username for the user.
3. In the Password box, type a password for the user.
Note: The username is case sensitive and the password must conform to the NNM password policy.
4. In the Confirm Password box, type the password for the user a second time.
5. If the new user should have administrative privileges, select the Administrator check box.
Tip: When a user is created it authenticates with SSL Client Certificates. The user name must match the Common Name in the certificate.
6. Click the Create User button.
The user saves and appears in the Users list.
Modify a User Account
To modify a user account:
1. On the Users page, select a user from the list.
The Edit User <username> window appears.
2. Modify the properties as needed.
3. Click Update.
Tip: To reset user account passwords via the command line, use the following command from the NNM binary directory:
/opt/NNM/bin/nnm --users --chpasswd <username>
Reset a Locked Account
To reset a locked account:
1. In the command line interface, use the appropriate command for your operating system to delete the hash.lockedout file:
Operating System Command
Linux # rm /opt/nnm/var/nnm/users/<locked accountname>/hash.lockedout
Windows del C:\ProgramData\Tenable\NNM\nnm\users\<locked_account_name>\hash.lockedout
macOS # rm /Library/NNM/var/nnm/users/<locked accountname>/hash.lockedout
Tip: Alternatively, a user with administrative privileges can navigate to this directory and manually delete the hash.lockedout file.
2. After deleting the hash.lockedout file, if needed, a user with administrative privileges can follow the steps under Modify a User Account to reset the user's password.
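The Linux command in step 1 builds a path from an account name, so a scripted version should validate that name before deleting anything. The wrapper below is an added example, not part of the Tenable guide or NNM; the function name nnm_unlock and the NNM_USERS_DIR override variable are assumptions, and the default directory is the Linux path from the table above.

```shell
#!/bin/sh
# Added example, not Tenable's code. nnm_unlock and NNM_USERS_DIR are
# hypothetical names; the default is the Linux users directory from the table.
NNM_USERS_DIR="${NNM_USERS_DIR:-/opt/nnm/var/nnm/users}"

# nnm_unlock <account>
# Exit status: 0 lockout file removed, 1 account was not locked,
#              2 account name or directory rejected,
#              3 account directory missing, 4 rm failed.
nnm_unlock() {
    account="$1"
    # The account name becomes a path component, so reject anything that
    # could climb out of the users directory or name the directory itself.
    case "$account" in
        ""|.|..|*/*)
            echo "nnm_unlock: rejected account name '$account'" >&2
            return 2 ;;
    esac

    user_dir="$NNM_USERS_DIR/$account"
    lock_file="$user_dir/hash.lockedout"

    # A symlinked account directory would redirect the delete elsewhere.
    if [ -L "$user_dir" ]; then
        echo "nnm_unlock: $user_dir is a symlink, refusing" >&2
        return 2
    fi
    if [ ! -d "$user_dir" ]; then
        echo "nnm_unlock: no account directory $user_dir" >&2
        return 3
    fi
    if [ ! -e "$lock_file" ] && [ ! -L "$lock_file" ]; then
        echo "nnm_unlock: $account is not locked out" >&2
        return 1
    fi

    # "--" ends option parsing; only hash.lockedout is removed, never
    # anything else in the account directory.
    rm -f -- "$lock_file" || return 4
    echo "nnm_unlock: removed $lock_file"
    return 0
}

# Stand-alone use: pass the locked account name as the only argument.
if [ "$#" -gt 0 ]; then
    nnm_unlock "$1"
fi
```

Run it with the same privileges as the rm command in the table, then reset the password as described in step 2 if needed.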
Delete a User
To delete a user:
To delete one user:
1. On the Users page, hover over the user you want to delete.
On the right side of the row, the button appears.
2. Click the button.
A dialog box appears confirming your selection to delete the user.
3. Click Delete.
The user is deleted.
To delete multiple users:
1. On the Users page, on the left side of the row for the user you want to delete, select the check box. Repeat this step for each user you want to delete.
2. Click Actions > Delete Users.
A dialog box appears confirming your selection to delete the user.
3. Click Delete.
The users are deleted.
Configuration Page
The Configuration page allows users with administrative privileges to configure NNM for their local environment.
NNM Settings Section
Feed Settings Section
Cloud Settings Section
Industrial Security Settings Section
Web Proxy Settings Section
Chart Settings Section
Email Settings Section
Plugin Settings Section
Nessus Scanner Settings Section
NNM Settings Section
The NNM Settings section provides options for configuring the network settings for NNM. This includes what network(s) are monitored or excluded, how to monitor those networks, and what network interfaces NNM has identified for monitoring. If your NNM is licensed to run in High Performance mode, you can also Configure the Performance Mode.
Note: While you can configure many advanced settings via the command line using custom parameters, others use standard parameters. For example, while the ACAS Classification setting uses the custom --add parameter, the Login Banner setting does not require the --add parameter.
Note: The Network Interfaces Settings view only shows network interfaces that don't have IP addresses assigned to them. As a result, if all interfaces have assigned IP addresses, in High Performance mode, the list is empty.
Name Description
ACAS Classification
ACAS Support for ACAS banners may be enabled from the command line of the NNM server service using the /opt/nnm/bin/nnm --config --add "ACAS Classification" "SECRET" command. SECRET may be replaced by UNCLASSIFIED, CONFIDENTIAL, TOP SECRET, or NOFORN. Once enabled, a drop-down box for the ACAS option appears in the UI frontend.
Support for ACAS banners may be disabled from the command line of the NNM server using the /opt/nnm/bin/nnm --config --delete "ACAS Classification" command from the binary directory on the server.
Advanced
Maximum Plugins Update Frequency Specifies the maximum frequency with which plugins update.
Login Banner Specifies a login banner.
Note: Login banners can also be configured via the command line using the /opt/nnm/bin/nnm --config "Login Banner" "NNM BannerText" command.
Enable PII Obfuscation
Specifies whether or not to mask data from plugins that are expected to contain sensitive information (like Personally Identifiable Information [PII]). When enabled, the sensitive data is masked with asterisks. When disabled, the sensitive information appears in cleartext in plugin output and logs. Type 0 to disable and 1 to enable the obfuscation.
Note: By default, this option is enabled. This option cannot be disabled if your NNM is connected to another application (i.e. Industrial Security, Tenable.io, Tenable.sc).
Analysis Modules
Enable SCADA/ICS Analysis Module
Enables the SCADA/ICS Analysis Module. Click the caret button to the left of the setting name to display a list of individual module detections within the module. Click on individual module detections within the list to disable/enable them. Disabling a SCADA/ICS module detection enables the legacy PASL. See the SCADA/ICS Analysis Module for more information.
Enable Connection Analysis Module
Enables the Connection Analysis Module. Click the caret button to the left of the setting name to display a list of individual module detections within the module. Click on individual module detections within the list to disable/enable them. See the Connection Analysis Module for more information.
Enable IoT Analysis Module
When enabled, NNM detects plugins in the IoT family. By default, this option is enabled.
DNS Query
DNS Cache Lifetime Analysis Module
Specifies the amount of time NNM retains and stores a given host’s DNS record, in seconds. By default, this option is set to 43200 (12 hours), but can be set to any value between 3600 and 172800 (48 hours).
DNS Query Time Interval
Specifies the delay between sets of DNS queries, in seconds. By default, this option is set to 5, but can be set to any value between 1 and 120.
DNS Queries per Interval
Specifies the maximum number of concurrent DNS requests made at the time of the DNS Query, in seconds. By default, this option is set to 5, but can be set to any value between 0 and 1000. Setting this value to 0 disables this feature and prevents further DNS queries from being made.
Database
Enable Malformed Database Recovery
When enabled, allows NNM to recover a malformed database.
Memory
Sessions Cache Size
Specifies the size, in megabytes, of the session table. Adjust the session size as needed for the local network. By default, this option is set to 50.
Packet Cache Size Specifies the maximum size, in megabytes, of the cache used to store the contents of the packets collected before processing. By default, this option is set to 128 MB with a maximum size of 512 MB. When the cache is full, any subsequent packets captured are dropped until space in the cache becomes available.
Monitoring
Monitored Network Interfaces
A list of the network device(s) used for sniffing packets. Devices may be selected individually or in multiples. At least one interface must be selected from the list of available devices.
Note: High Performance mode does not support e1000 NICs as monitored interfaces on VMs. If you are running NNM on a VM in High Performance mode and select an e1000 monitored interface, NNM automatically reverts to Standard mode.
Monitored Network IP Addresses and Ranges
Specifies the network(s) monitored. The default setting is 0.0.0.0/0, which instructs NNM to monitor all IPv4 addresses. This should be changed to monitor only target networks; otherwise NNM may quickly become overwhelmed. Separate multiple addresses by commas. When monitoring VLAN networks, you must use the syntax vlan ipaddress/subnet.
Example: 192.168.1.0/24,2001:DB8::/64,10.2.3.0/22,vlan172.16.0.0/16,192.168.3.123/32
Note: The syntax is case sensitive.
Excluded Network IP Addresses and Ranges
Specifies, in CIDR notation, any network(s) to specifically exclude from NNM monitoring. This option accepts both IPv4 and IPv6 addresses. Separate multiple addresses by commas. When excluding VLAN networks, you must use the syntax vlan ipaddress/subnet. If this box is left blank, no addresses are excluded.
Note: You can exclude up to 128 CIDR entries at one time.
Example: 192.168.1.0/24,2001:DB8::/64,10.2.3.0/22,vlan172.16.0.0/16,192.168.3.123/32
Extended Packet Filter
Specifies a BPF primitive.
The net, IP, IPv6, and VLAN primitives are not supported by this feature. Additionally, the protochain primitive is not supported on Windows platforms.
Click here for further information about the available primitives.
NNM Proxy
NNM Restart Attempts
The number of times the NNM proxy attempts to restart the NNM engine in the event the engine stops running. By default, this option is set to 10, but can be set to any value between 1 and 15. Once the restart attempt limit is reached, the proxy stops trying for 30 minutes.
NNM Restart Interval
The amount of time, in minutes, between NNM restart attempts. By default, this option is set to 10, but can be set to any value between 1 and 3600.
NNM Web Server
Enable SSL for Web Server
When selected, enables SSL protection for connections to the web server. This check box is selected by default. Clearing the check box is not recommended, as it allows unencrypted traffic to be sent between a web browser and NNM. Custom SSL certificates may be installed in the /opt/NNM/var/NNM/ssl directory. Changes to this setting require that NNM be restarted.
Note: Changing this option while NNM is running makes communication between the client and server either encrypted or unencrypted. If you select or clear the Enable SSL for Web Server check box, the Web Server automatically ends your current NNM session.
Minimum Password Length
Specifies the lowest number of characters a password may contain. By default, this option is set to 5, but can be set to any value between 5 and 32.
NNM Web Server Address
Specifies the IPv4 or IPv6 address on which the NNM web server listens. The default setting is 0.0.0.0, which instructs the web server to listen on all available IPv4 and IPv6 addresses.
Note: Link-local addresses are not supported for IPv6 addresses.
NNM Web Server Port
Specifies the NNM web server listening port. The default setting is 8835, but can be changed as appropriate for the local environment.
Note: If you change the value in this box, the Web Server automatically ends your current NNM session.
NNM Web Server Idle Session Timeout
Specifies the number of minutes of inactivity before a web session becomes idle. By default, this option is set to 30, but can be set to any value between 5 and 60.
Enable SSL Client Certificate Authentication
When enabled, allows the web server to accept only SSL client certificates for user authentication.
Enable Debug Logging for NNM Web Server
When enabled, allows the web server to include debug information in the logs for troubleshooting issues related to the web server. The logs become very large if this option is routinely enabled.
Maximum User Login Attempts
Specifies the number of times a user can type an incorrect password in a 24-hour period before the user’s account is locked.
Max Sessions per User
Specifies the number of concurrent sessions a user can have running at one time.
Enforce Complex Passwords
When enabled, forces the user’s passwords to contain at least one uppercase character, one lowercase character, one digit, and one special character from the following: !@#$%^&*().
Restrict Access to TLS 1.2 or higher
When enabled, forces the NNM web server to use TLS 1.2 or higher communications. By default, this option is enabled.
Note: If you disable this option, you must enable the use of TLS < 1.2.
Plugins
Process High Speed Plugins Only
NNM is designed to find various protocols on non-standard ports. For example, NNM can easily find an Apache server running on a port other than 80. However, on a high traffic network, NNM can be run in High Performance mode, which allows it to focus certain plugins on specific ports. When High Performance mode is enabled and this check box is selected, any plugin that utilizes the keywords hs_dport or hs_sport is executed only on traffic traversing the specified ports.
Realtime Events
Realtime Events File Size
Specifies the maximum amount of data from real-time events that is stored in one text file. The option must be specified in kilobytes, megabytes, or gigabytes by appending a K, M, or G, respectively, to the value.
Log Realtime Events to Realtime Log File
When enabled, allows NNM detected real-time events to be recorded to a log file in the following location:
/opt/NNM/var/NNM/logs/realtime-logs-##.txt
This option can be configured via the CLI.
Enable Realtime Event Analysis
When enabled, allows NNM to analyze real-time events.
Maximum Viewable Realtime Events
Specifies the maximum number of most recent events cached by the NNM engine. This setting is in effect only when Realtime Event Analysis is enabled.
Maximum Realtime Log Files
Specifies the maximum number of realtime log files written to the disk.
Reports
Report Threshold Specifies the number of times the encryption detection algorithm executes during a session. Once the threshold is reached, the algorithm no longer executes during the session. By default, this option is set to 3.
Report Lifetime Specifies, in days, how long vulnerabilities and snapshot reports are cached. After the configured number of days is met, discovered vulnerabilities and snapshot reports are removed. This option can be set to a maximum value of 90 days. By default, this option is set to 7 and cannot be set higher than the Host Lifetime value.
Host Lifetime Specifies, in days, how long hosts are cached. After the configured number of days is met, discovered hosts are removed. This option can be set to a maximum value of 365 days. By default, this option is set to 7 and cannot be set lower than the Report Lifetime value.
Report Frequency Specifies, in minutes, how often NNM writes a report. By default, this option is set to 15. Tenable.sc retrieves the NNM report every 15 minutes.
Knowledgebase Lifetime
Specifies, in seconds, the maximum length of time that a knowledgebase entry remains valid after its addition. By default, this option is set to 864000.
New Asset Discovery Interval
Specifies, in days, how long NNM monitors traffic before detecting new hosts. NNM listens to network traffic and attempts to discover when a new host has been added. To do this, NNM constantly compares a list of hosts that have generated traffic in the past to those currently generating traffic. If it finds a new host generating traffic, it issues a “new host alert” via the real-time log. For large networks, NNM can be configured to run for several days to gain knowledge about which hosts are active. This prevents NNM from issuing an alert for hosts that already exist. For large networks, Tenable® recommends that NNM operate for at least two days before detecting new hosts. By default, this option is set to 2.
Connections to Services
When enabled, allows NNM to log which clients attempt to connect to servers on the network and to what port they attempt to connect. They indicate only that an attempt to connect was made, not whether the connection was successful. Events detected by NNM of this type are logged as NNM internal plugin ID 2.
Show Connections When enabled, instructs NNM to record clients in the focus network that attempt to connect to a server IP address and port and receive a positive response. The record contains the client IP address, the server IP address, and the server port that the client attempted to connect to. For example, if four different hosts within the focus network attempt to connect with a server IP over port 80 and received a positive response, then a list of those hosts is reported under NNM internal plugin ID 3 and port 80.
Known Hosts File
Note: You can only configure this feature via the command line interface.
A configuration parameter in which you can type the location of the known-hosts.txt file. You must manually create the Known Hosts file.
This feature supports a single row for each IP (IPv4 or IPv6). Hyphenated ranges and CIDR notation are not supported. New host alerts no longer appear for the hosts listed in this file.
Note: Blank rows are ignored, and invalid entries are noted in the NNM log file. If you make any changes to the Known Hosts file, you must restart NNM.
Session Analysis
Encrypted Sessions Dependency Plugins
Specifies the Plugin IDs, separated by commas, used to detect encrypted traffic.
Encrypted Sessions Excluded Network Ranges
Specifies the IPv4 and IPv6 addresses and ports, in CIDR notation, excluded from monitoring for encrypted traffic.
Example: 192.168.1.0/24,2001:DB8::/64,10.2.3.0/22,vlan172.16.0.0/16,192.168.3.123/32
Interactive Sessions Dependency Plugins
Specifies the plugin IDs, separated by commas, used to detect interactive sessions.
Interactive Sessions Excluded Network Ranges
Specifies the IPv4 and IPv6 addresses and ports, in CIDR notation, excluded from monitoring for interactive sessions.
Example: 192.168.1.0/24,2001:DB8::/64,10.2.3.0/22,vlan172.16.0.0/16,192.168.3.123/32
Syslog
Realtime Syslog Server List
Specifies the IPv4 or IPv6 address and port of a Syslog server to receive real-time events from NNM. Click Add to save the address. A local Syslog daemon is not required. Syslog items can be specified to Standard or CEF formats as well as UDP or TCP protocols.
Example: 192.168.1.12:4567,10.10.10.10:514,[2001:DB8::23B4]:514
Vulnerability Syslog Server List
Specifies the IPv4 or IPv6 address and port of a Syslog server to receive vulnerability data from NNM. Click Add to save the address. A local Syslog daemon is not required. Syslog items can be specified to Standard or CEF formats as well as UDP or TCP protocols.
Example: 192.168.1.12:4567,10.10.10.10:514,[2001:DB8::23B4]:514
Note: While NNM may display multiple log events related to one connection, it sends only a single event to the remote Syslog server(s).
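A pre-flight check for the Monitored and Excluded Network IP Addresses and Ranges values described in the table above, written as an added example and not Tenable code. The function names are hypothetical; it applies standard CIDR semantics through Python's ipaddress module and assumes whitespace after the vlan keyword is optional, because the guide writes the syntax with a space and the example without one.

```python
import ipaddress
import re

# Limit the guide states for the Excluded Network IP Addresses and Ranges box.
MAX_EXCLUDED_ENTRIES = 128

# Assumption: whitespace after "vlan" is optional (the guide shows both forms).
# The keyword is matched case-sensitively because the guide says the syntax is
# case sensitive.
_VLAN_RE = re.compile(r"^vlan\s*(\S+)$")


def parse_entry(raw):
    """Parse one comma-separated entry.

    Returns (is_vlan, network, note); note is a warning string or None.
    Raises ValueError with the reason when the entry is unusable.
    """
    text = raw.strip()
    if not text:
        raise ValueError("empty entry (stray comma?)")
    is_vlan = False
    match = _VLAN_RE.match(text)
    if match:
        is_vlan, text = True, match.group(1)
    elif text.lower().startswith("vlan"):
        raise ValueError("malformed vlan entry; the keyword must be lower-case 'vlan'")
    if "/" not in text:
        raise ValueError("missing /prefix length")
    # strict=False accepts entries with host bits set so that they can be
    # reported as a warning instead of being rejected outright.
    network = ipaddress.ip_network(text, strict=False)
    written = ipaddress.ip_address(text.split("/", 1)[0])
    note = None
    if written != network.network_address:
        note = f"host bits set; as a CIDR block this is {network}"
    return is_vlan, network, note


def validate_network_list(value, excluded=False):
    """Validate a whole setting value.

    Returns a dict with 'networks' [(is_vlan, network)], 'errors', 'warnings'.
    """
    report = {"networks": [], "errors": [], "warnings": []}
    if not value.strip():
        return report  # a blank excluded list means no addresses are excluded
    entries = value.split(",")
    for raw in entries:
        label = raw.strip()
        try:
            is_vlan, network, note = parse_entry(raw)
        except ValueError as exc:
            report["errors"].append(f"{label!r}: {exc}")
            continue
        report["networks"].append((is_vlan, network))
        if note:
            report["warnings"].append(f"{label!r}: {note}")
        if not excluded and network.prefixlen == 0:
            report["warnings"].append(
                f"{label!r}: matches every address; narrow it to the target networks"
            )
    if excluded and len(entries) > MAX_EXCLUDED_ENTRIES:
        report["errors"].append(
            f"{len(entries)} entries exceeds the limit of {MAX_EXCLUDED_ENTRIES}"
        )
    return report


# The example value printed in the guide for these settings.
GUIDE_EXAMPLE = "192.168.1.0/24,2001:DB8::/64,10.2.3.0/22,vlan172.16.0.0/16,192.168.3.123/32"

if __name__ == "__main__":
    cases = [
        ("guide example", GUIDE_EXAMPLE, False),
        ("default monitored value", "0.0.0.0/0", False),
        # Constructed bad input: upper-case keyword, no prefix, bad octet.
        ("constructed bad input", "VLAN 10.0.0.0/8,10.1.1.1,192.168.1.300/24", True),
    ]
    for name, value, is_excluded in cases:
        report = validate_network_list(value, excluded=is_excluded)
        print(name)
        for kind in ("errors", "warnings"):
            for message in report[kind]:
                print(f"  {kind[:-1]}: {message}")
```

Run against the guide's own example, the check flags 10.2.3.0/22: read as a CIDR block it denotes 10.2.0.0/22, which is worth confirming against the range you actually intend to monitor or exclude.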
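The Known Hosts File rules above (one IPv4 or IPv6 address per row, no hyphenated ranges, no CIDR, blank rows ignored) can be checked before NNM is restarted. This is an added example, not Tenable code: the function names, the MAX_EXPANSION cap and the sample file content are constructed for illustration, and duplicate rows are flagged only as a courtesy since the guide does not say how they are treated.

```python
import ipaddress

MAX_EXPANSION = 4096  # safety cap for this example (assumption, not an NNM limit)


def _split_range(entry):
    """Return (start, end) if entry is a valid 'addr-addr' range, else None."""
    if entry.count("-") != 1:
        return None
    left, right = (part.strip() for part in entry.split("-"))
    try:
        start, end = ipaddress.ip_address(left), ipaddress.ip_address(right)
    except ValueError:
        return None
    if start.version != end.version or int(start) > int(end):
        return None
    return start, end


def lint_known_hosts(text):
    """Return (hosts, problems) for Known Hosts file content.

    hosts: accepted addresses in file order.
    problems: list of (line_number, entry, reason).
    """
    hosts, problems, seen = [], [], set()
    for lineno, row in enumerate(text.splitlines(), start=1):
        entry = row.strip()
        if not entry:
            continue  # the guide says blank rows are ignored
        if "/" in entry:
            problems.append((lineno, entry, "CIDR notation is not supported"))
            continue
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            reason = ("hyphenated ranges are not supported" if _split_range(entry)
                      else "not a single IPv4 or IPv6 address")
            problems.append((lineno, entry, reason))
            continue
        if addr in seen:
            problems.append((lineno, entry, "duplicate row"))
            continue
        seen.add(addr)
        hosts.append(addr)
    return hosts, problems


def expand_to_rows(spec):
    """Expand a CIDR block or hyphenated range into one address per row.

    A CIDR block is expanded in full, network and broadcast address included.
    """
    spec = spec.strip()
    span = _split_range(spec)
    if span:
        first, last, make = int(span[0]), int(span[1]), type(span[0])
    else:
        net = ipaddress.ip_network(spec, strict=False)  # ValueError if invalid
        first, last = int(net.network_address), int(net.broadcast_address)
        make = type(net.network_address)
    if last - first + 1 > MAX_EXPANSION:
        raise ValueError(f"{spec!r} expands to more than {MAX_EXPANSION} rows")
    return [str(make(n)) for n in range(first, last + 1)]


def rewrite_known_hosts(text):
    """Return (rows, unfixable): rows with ranges/CIDR expanded, duplicates dropped."""
    rows, unfixable = [], []
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry:
            continue
        try:
            candidates = expand_to_rows(entry)
        except ValueError:
            unfixable.append(entry)
            continue
        for row in candidates:
            if row not in rows:
                rows.append(row)
    return rows, unfixable


# Constructed sample content using documentation address ranges.
SAMPLE_FILE = """\
192.0.2.10
2001:db8::15

192.0.2.0/30
192.0.2.20-192.0.2.22
fileserver01
192.0.2.10
"""

if __name__ == "__main__":
    for lineno, entry, reason in lint_known_hosts(SAMPLE_FILE)[1]:
        print(f"line {lineno}: {entry!r}: {reason}")
    rows, unfixable = rewrite_known_hosts(SAMPLE_FILE)
    print("\n".join(rows))
    print("needs manual attention:", unfixable)
```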
Configure the Performance Mode
Before You Begin
This option appears only when NNM is licensed to run in High Performance mode and the machine running NNM meets the hardware and software requirements for High Performance mode. By default, all instances of NNM run in Standard mode.
NNM must restart when switching between performance modes.
To configure the performance mode:
1. Click Configuration > NNM Settings.
2. Under the Performance Mode heading, click the Enable High Performance Mode box to toggle between Yes and No. If you select Yes, continue to step 3. If you select No, continue to step 4.
3. In the Number of Worker Cores drop-down box, select the appropriate number of worker cores.
Note: This option cannot be changed when NNM is already running in High Performance mode.
4. Click the Update button.
A dialog box appears confirming your selection to change the performance mode.
5. Click the Confirm button.
NNM restarts and the login screen appears. When the NNM server resumes, a notification appears indicating whether the configuration change was successful.
Note: NNM may use a different number of cores than the number you select. Based on system constraints and your selection, NNM selects the closest number of worker cores that it can feasibly support.
6. Log in to NNM.
The performance mode updates.
Feed Settings Section
The Feed Settings section allows you to:
Name Description
Register Offline check box A check box that allows offline registration of NNM.
Activation Code box Updates the activation code. The Activation Code only needs to be updated when it expires.
Fetch Plugins From drop-down box
A drop-down box from which you can specify where you wish to fetch plugins. Click Update to fetch the plugins.
Offline Plugin Archive Uploads plugins to perform offline updates. Choose File to select the file to upload, then click Upload Archive to upload the archive.
Host Address box A box in which you can specify a custom plugin feed host. Click Update to save the host.
Offline Update
The Offline Update allows a user with administrative privileges to manually update plugins when the NNM host cannot connect to the Internet.
1. Download the plugin update archive from Tenable®.
2. Click Choose File.
3. Select the archive tarball to upload.
4. Click the Upload Archive button to send the file to the NNM host.
5. Click the Upload Archive button again to update the plugins.
6. If a new client is part of the update, you must refresh the web browser to see the updated client.
The Custom Plugin Feed host is an alternate feed host. These are typically hosted on a local network to provide custom NNM plugins.
When running Standalone NNM or NNM in High Performance mode as Managed by Tenable.sc or Managed by Tenable.io, you must type an Activation Code before clicking the Update button. The button schedules a plugin update when NNM is running in Standalone mode. Additionally, when registering NNM in Offline mode, you need the Activation Code to obtain the Activation Key.
Download New Vulnerability Plugins
Before You Begin
When NNM is registered in Standalone mode using an Activation code, plugins are updated automatically every 24 hours after the service is started.
If Tenable.sc or Tenable.io is used to manage NNM, new plugins for NNM are automatically sent at scheduled intervals.
To manually download new vulnerability plugins:
1. Click Configuration > Feed Settings.
2. Next to the Fetch Plugins From drop-down box, click the button.
Tip: The plugins can also be updated by using the following command:
# /opt/nnm/bin/nnm --update-plugins
Updating the NNM Management Interface
On occasion, the NNM management interface must be updated to provide new or updated features.
To manually update the plugins:
1. Download the latest plugins using the URL created during the offline registration process.
2. Log in to the NNM interface as a user with administrative privileges.
3. Click Configuration > Feed Settings.
4. In the Offline Update section, click Choose File.
A dialog box appears.
5. Select the archive file to upload.
6. Click Upload Archive to send the file to the NNM host, which updates the plugins.
7. Stop NNM on the host.
8. Restart NNM on the host.
The new interface is available for use.
Cloud Settings Section
The Cloud Settings section provides options for configuring NNM to communicate with Tenable.io.
Note: Any web proxies configured do not apply to Tenable.io connections.
Name Description
Cloud Host The domain name or IP address of the Tenable.io server: cloud.tenable.com.
Cloud Port The port of the Tenable.io server: 443.
Cloud Key The Tenable.io key used to link this instance of NNM to a Tenable.io account. See Link a Scanner in the Tenable.io User Guide for more information.
Polling Frequency
The frequency, in seconds, with which NNM updates its status with Tenable.io and asks for a list of jobs.
NNM Name The unique name used to identify this instance of NNM in Tenable.io.
By default, Tenable.io pulls data from the NNM scanner every 60 minutes. This is determined by the Report Frequency setting in Tenable.io. Once the linked NNM scanner is added to Tenable.io, a scan is automatically created and results are collected from NNM. If the Report Frequency setting is changed, the scans adjust automatically.
Industrial Security Settings Section
Industrial Security is end-of-life (EOL). For information about EOL dates and policies for Tenable products, see the Tenable Software Release Lifecycle Matrix and Policy.
The Industrial Security Settings section provides options for configuring Industrial Security with NNM. For more information, see Configure NNM for use with Industrial Security.
Name Description
Industrial Security Host
The domain name or IP address of the Industrial Security server.
Industrial Security Port
The port of the Industrial Security server.
Industrial Security Key
The key used to link this instance of NNM to an Industrial Security account.
Polling Frequency
The frequency, in seconds, with which NNM updates its status with Industrial Security and asks for a list of jobs.
NNM Name The unique name used to identify this instance of NNM on Industrial Security.
Web Proxy Settings Section
The Web Proxy Settings section configures the settings for a web proxy if one is needed for plugin updates. These settings include the proxy host IP address, port, username, password, and, if a custom agent string is needed, a user-agent box.
Note: Any web proxies configured do not apply to Tenable.io connections.
Name Description
Host Address The host address of the web proxy server.
Port The port of the web proxy server.
Username The username for the web proxy server.
Password The password for the web proxy server.
User-Agent String The user-agent string for the web proxy server.
Chart Settings Section
The Chart Settings section displays all charts available, provides options for creating and configuring charts, and allows the user to add or remove charts in the Dashboards section.
In the Chart Settings section you can view:
- The chart Type.
- The Name of the chart.
- A Description of the chart.
- The chart's Dashboard Family.
- A toggle that determines if the chart appears in the Dashboard. Click the option to toggle between Yes and No.
Click on a chart to edit the chart.
Create a Custom Chart
To create a custom chart:
1. Click Configuration > Chart Settings > Create Chart.
The Create Chart window appears.
2. In the Name box, type a name for the chart.
Note: In this example, we are creating a chart that displays the top vulnerabilities for machines reporting associated BitTorrent activity.
3. In the Description box, type a description for the chart.
4. In the Chart Type section, select the type of chart you want to create.
5. In the Dashboard Family section, type a numeric value between 1 and 20 that represents the number of items returned for this chart.
6. Click Top to add the value to the Current Chart Query section.
7. In the Category section, select a chart category. The selected category determines the type of items displayed on the chart, such as hosts, vulnerabilities, applications, operating systems, or connections.
8. In the Filters section, configure the options by which you want to filter the results.
Note: In this example, we are creating a filter based on the Plugin ID 3920. This triggers when BitTorrent client activity is detected.
9. Click the + button to apply the rule to the chart.
10. In the Viewable section, select whether you want the chart to appear on the main dashboard.
11. Click the Create Chart button. The chart appears in the Dashboards section of the Monitoring page.
Delete a Chart
Note: You cannot delete default charts.
To delete a chart:
To delete one chart:
1. Click Configuration > Chart Settings.
2. Hover over the chart you want to delete.
3. On the right side of the row, click the button.
A dialog box appears confirming your selection to delete the chart.
4. Click Delete.
The chart is deleted.
To delete multiple charts:
1. Click Configuration > Chart Settings.
2. On the left side of the row for the chart you want to delete, select the check box.
3. Repeat step 2 for each chart you want to delete.
4. Click Actions > Delete Charts.
A dialog box appears confirming your selection to delete the charts.
5. Click Delete.
The charts are deleted.
Email Settings Section
TheEmail Settings section allows you toCreate an Email Notification for NNM. You can specify the recip-ients of the email notifications, what charts appear in email notifications, and the timeand frequency withwhichemail notifications are sent. To send a report immediately, in theEmail Settings section, hover over an exist-ing email notification and click the paper airplane icon.
When you selectSMTP Server in theSetting Type drop-downbox, the following options for configuring theSMTP server appear:
| Name | Description |
| --- | --- |
| Host | The host or IP of the SMTP server (e.g., smtp.example.com). |
| Port | The port of the SMTP server (e.g., 25). |
| From | The name that appears in the "From" line of the email report. |
| NNM Location | The IP address or hostname of your NNM server. This works only if the user that receives the email report can reach the NNM host. |
| Auth Method | The method by which the SMTP server is authenticated. Supported methods are None, Plain, NTLM, Login, and CRAM-MD5. Note: If this option is set to None, the Username and Password boxes are hidden. |
| Username | The username used to authenticate to the SMTP server. |
| Password | The password associated with the username, provided that a password is required by the SMTP server. |
Create an Email Notification
To create an email notification:
1. Click Email Settings > Create Email Notification.
The Create Email Notification window appears.
2. In the Name box, type a name for the email notification.
3. In the Description box, type a description for the email notification.
4. Click Next Step.
The Add Charts screen appears.
5. Select the check boxes that correspond to the charts you want to add to the email notification.
6. Reorder the charts by clicking and dragging the appropriate button.
7. Click Next Step.
The Schedule Email Notification screen appears.
8. Select the frequency, date, and time at which you want the email notification to be sent. Depending on the option you select in the Frequency box, the following additional options appear:
| Frequency | Options |
| --- | --- |
| Once | None |
| Hourly | Repeat Every - a drop-down box that includes options from 1 to 20 hours. |
| Daily | Repeat Every - a drop-down box that includes options from 1 to 20 days. |
| Weekly | Repeat Every - a drop-down box that includes options from 1 to 20 weeks. Repeat On - a multi-selectable list of the days of the week. |
| Monthly | Repeat Every - a drop-down box that includes options from 1 to 20 months. Repeat By - a drop-down box that includes the options Week of Month and Day of Month. |
| Yearly | Repeat Every - a drop-down box that includes options from 1 to 20 years. |
The Summary box updates automatically depending on your selection.
9. Click Next Step.
The Add Recipients screen appears.
10. In the Recipients box, type an email address and click the button until you have added all desired recipients.
11. Click Next Step.
The Review Email Notification screen appears, which displays a summary of your email notification configuration.
12. Review the notification details.
13. Click Finish.
Delete an Email Notification
To delete an email notification:
To delete one email notification:
1. Click Configuration > Email Settings.
2. Hover over the email notification you want to delete.
3. On the right side of the row, click the button.
A dialog box appears confirming your selection to delete the email notification.
4. Click the Delete button.
The email notification is deleted and the corresponding notifications are no longer sent.
To delete multiple email notifications:
1. Click Configuration > Email Settings section.
2. On the left side of the row for the email notification you want to delete, select the check box.
3. Repeat step 2 for each email notification you want to delete.
4. Click Actions > Delete Notifications.
A dialog box appears confirming your selection to delete the email notifications.
5. Click the Delete button.
The email notifications are deleted and the corresponding notifications are no longer sent.
Plugin Settings Section
The Plugin Settings section allows you to create custom plugins and also to enable and disable existing plugins and PASLs.
The Plugin Settings section contains the following subsections:
- Plugin Management: displays a list of enabled and disabled plugins, respectively, the options to move plugins between those lists, and the option to delete custom plugins.
- PASL Management: displays a list of enabled and disabled PASLs, respectively, and the options to move PASLs between those lists.
- Create Custom Plugin: displays options for creating custom plugins and creating new plugin fields.
The following table provides a brief summary of each option available in the Create Custom Plugins subsection:
| Custom Plugin Option | Purpose |
| --- | --- |
| ID | The unique numeric ID of the plugin. |
| Name | The name of the plugin. The plugin name should start with the vendor name. |
| Description | The full text description of the vulnerability. |
| Synopsis | A brief description of the plugin or vulnerability. |
| Solution | Remediation information for the vulnerability. |
| See Also | External references to additional information regarding the vulnerability. |
| Risk | Info, Low, Medium, High, or Critical risk factor. |
| Plugin Output | Displays dynamic data in NNM plugin reports. |
| Family | The family to which the plugin belongs. |
| Dependency | Other dependencies required to trigger the custom plugin. |
| No Plugin | Prevents a plugin from being evaluated if another plugin has already matched. For example, it may make sense to write a plugin that looks for a specific anonymous FTP vulnerability, but to disable it if another plugin that checked for anonymous FTP had already failed. |
| No Output | For plugins that are written specifically to be used as part of a dependency with another plugin. When enabled, this keyword causes NNM not to report anything for any plugin. |
| Client Issue | Indicates the vulnerability is located on the client side. |
| Plugin Type | Vuln, realtime, or realtimeonly plugin type. |
| cve | The CVE reference. |
| bid | The Bugtraq ID (BID) reference. |
| osvdb | The external reference (e.g., OSVDB, Secunia, MS Advisory). |
| nid | To track compatibility with the Nessus vulnerability scanner, Tenable® associates NNM vulnerability checks with relevant Nessus vulnerability checks. Multiple Nessus IDs can be listed under one nid entry such as nid=10222,10223. |
| cpe | Filters the result of discovered vulnerabilities based on their CPE identifier. |
| Match | This keyword specifies a set of one or more simple ASCII patterns that must be present in order for the more complex pattern analysis to take place. The match keyword gives NNM significant performance and functionality. |
| Regex | Specifies a complex regular expression search rule applied to the network session. |
| Revision | The revision number associated with custom plugin. |
| Raw Text Preview | A preview of the custom plugin in raw text. An example of a custom plugin created to find an IMAP Banner of Tenable Rocks is: |

id=79000
name=IMAP Banner
description=An IMAP server is running on this port. Its banner is Tenable Rocks
risk=NONE
match=OK
match=IMAP
match=server ready
regex=^.*OK.*IMAP.*Tenable Rocks
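The Match and Regex rows describe a two-stage check, which the following added example (not Tenable's code and not NNM's engine) applies to the IMAP banner plugin above using constructed payloads. It assumes that match patterns are plain case-sensitive substrings that must all be present, that every regex must match, and that Python's `re` stands in for NNM's regex engine; the function names are hypothetical.

```python
import re

# The custom plugin from the Raw Text Preview row, one keyword per line.
PLUGIN_TEXT = """\
id=79000
name=IMAP Banner
description=An IMAP server is running on this port. Its banner is Tenable Rocks
risk=NONE
match=OK
match=IMAP
match=server ready
regex=^.*OK.*IMAP.*Tenable Rocks
"""

# Constructed session payloads (not captured traffic).
SAMPLES = [
    "* OK IMAP4rev1 server ready - Tenable Rocks\r\n",  # intended target
    "* OK IMAP4rev1 server ready\r\n",                  # IMAP, different banner
    "* OK Tenable Rocks - IMAP server ready\r\n",       # same words, other order
    "220 mail.example.com ESMTP Tenable Rocks\r\n",     # not IMAP at all
]

REPEATABLE = ("match", "regex")  # keywords this sketch allows more than once


def parse_plugin(text):
    """Parse key=value lines; repeatable keywords are collected into lists."""
    plugin = {key: [] for key in REPEATABLE}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        # Split on the first "=" only, so a regex value may itself contain "=".
        key, sep, value = raw.partition("=")
        key = key.strip()
        if not sep or not key:
            raise ValueError(f"line {lineno}: expected key=value, got {raw!r}")
        if key in REPEATABLE:
            plugin[key].append(value)
        elif key in plugin:
            raise ValueError(f"line {lineno}: duplicate keyword {key!r}")
        else:
            plugin[key] = value
    if not plugin.get("id", "").isdigit():
        raise ValueError("plugin needs a numeric id")
    for expr in plugin["regex"]:
        re.compile(expr)  # reject a broken expression at load time
    return plugin


def evaluate(plugin, payload):
    """Return (fired, reason) for one session payload."""
    # Stage 1: cheap literal pre-filter. Every match pattern must be present.
    for pattern in plugin["match"]:
        if pattern not in payload:
            return False, f"match {pattern!r} absent, regex skipped"
    # Stage 2: the regex runs only on payloads that survived stage 1.
    for expr in plugin["regex"]:
        if not re.search(expr, payload, re.MULTILINE):
            return False, f"regex {expr!r} did not match"
    return True, "all match patterns and the regex were satisfied"


def regex_runs(plugin, payloads):
    """Count the payloads that pass the match stage and reach the regex."""
    return sum(all(p in data for p in plugin["match"]) for data in payloads)


if __name__ == "__main__":
    plugin = parse_plugin(PLUGIN_TEXT)
    for sample in SAMPLES:
        fired, reason = evaluate(plugin, sample)
        print(f"{'FIRE' if fired else 'skip'}  {sample.strip()!r}: {reason}")
    print("payloads that reached the regex:", regex_runs(plugin, SAMPLES))
```

The third sample shows why the regex is still needed: the match patterns are order-independent, so only the regex enforces that the banner text follows the IMAP greeting.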
Add a Plugin Field
1. Click Configuration > Plugin Settings > Setting Type > Create Custom Plugin > Add Plugin Field.
The Add Plugin Field window appears.
2. In the Name box, type a name for the plugin.
3. From the Value Type drop-down box, select a value type for the plugin.
4. If you wish to allow duplicates of this plugin, select the Allow Duplicates check box.
5. If you wish to replace XML special characters, select the Replace XML Special Characters check box.
6. Click Add.
The new plugin fields appear below theNo Output check box.
Delete a Custom Plugin
1. Click Configuration > Plugin Settings.
2. Select the custom plugin(s) that you want to delete.
3. Click Actions > Delete Custom Plugins.
A dialog box appears confirming your selection to delete the custom plugins. You can delete only user-created plugins.
4. Click Delete.
The custom plugins are deleted.
Nessus Scanner Settings Section
The Nessus Scanner Settings section provides a list of the available Nessus 6.4+ scanners and the ability to add, edit, or remove a Nessus scanner.
Note: Nessus Professional 7 is not supported.
Each Nessus scanner must be configured with the following parameters:
| Name | Description |
| --- | --- |
| Scanner Host | The domain name or IP address of the Nessus server. |
| Scanner Port | The port of the Nessus server. |
| Access Key | The first half of a Nessus API Key, which is used to authenticate with the Nessus REST API. |
| Secret Key | The second half of a Nessus API Key, which is used to authenticate with the Nessus REST API. |
Note: For details on how to obtain an API Key (Access Key and Secret Key), refer to the Nessus user guide.
Add a Nessus Scanner
To add a Nessus Scanner:
1. Click Configuration > Nessus Scanner Settings > Add Nessus Scanner.
The Add Nessus Scanner window appears.
2. In the Scanner Host box, type the domain name or IP address of the Nessus server.
3. In the Scanner Port box, type the port of the Nessus server.
4. In the Access Key box, type the first half of a Nessus API Key, which is used to authenticate with the Nessus REST API.
5. In the Secret Key box, type the second half of a Nessus API Key, which is used to authenticate with the Nessus REST API.
6. Click the Add Nessus Scanner button.
The Nessus scanner appears in the Nessus Scanner Settings section.
Delete a Nessus Scanner
To delete a Nessus scanner:
To delete one Nessus Scanner:
1. Click Configuration > Nessus Scanner Settings.
2. Hover over the scanner you want to delete.
3. Click the button.
A dialog box appears confirming your selection to delete the scanner.
4. Click Delete.
The scanner is deleted.
To delete multiple Nessus Scanners:
1. Click Configuration > Nessus Scanner Settings section.
2. On the left side of the row for the scanner you want to delete, select the check box.
3. Repeat step 2 for each scanner you want to delete.
4. Click Actions > Delete Nessus Scanners.
A dialog box appears confirming your selection to delete the scanners.
5. Click Delete.
The scanners are deleted.
Additional Resources
This section describes the following information about NNM that is not included in the Features and How To sections:
- Command Line Operations
- Unknown or Customized Ports
- Real-Time Traffic Analysis Configuration Theory
- Modules
- Internal NNM Plugin IDs
- NNM Plugins
- Working with Tenable.sc
- Syslog Message Formats
- Custom SSL Certificates
- Configure NNM for Certificates
For more NNM deployment information, see the NNM Deployment Guide.
Command Line Operations
The NNM engine provides many options to update and configure NNM from the command line in Linux, Windows, and macOS. All command lines should be run by users with root or administrative privileges.
- Common Command Line Operations
- Linux Command Line Operations
- Windows Command Line Operations
- macOS Command Line Operations
Common Command Line Operations
NNM can be run from the command line to update plugins, perform configuration tasks, and analyze Pcap files to generate a report file for use with Tenable.sc or other programs. Running the NNM binary with the -h option displays a list of available options.
Note: You must stop NNM before running command line operations.
NNM Binary Locations
The NNM binary for Linux can be found in the following location:
# /opt/nnm/bin/nnm
The NNM binary for Windows can be found in the following location:
C:\Program Files\Tenable\NNM\nnm.exe
The NNM binary for macOS can be found in the following location:
# /Library/NNM/bin/nnm
NNM Command Line Options
Note: While you can configure many advanced settings via the command line using custom parameters, others use standard parameters. For example, while the ACAS Classification setting uses the custom --add parameter, the Login Banner setting does not require the --add parameter.
| Option | Purpose |
| --- | --- |
| -a <activation code> | Type the Activation Code to activate NNM in standalone mode to enable plugin updates and monitoring functions. If your NNM system is managed by Tenable.sc and is running in Standard mode, you can use the following command: -a SecurityCenter. If your NNM system is managed by Tenable.sc and is running in High Performance mode, you can use the following command: -a SecurityCenter <activation code>. If your NNM system is managed by Tenable.io and is running in Standard mode, you can use the following command: -a Cloud. If your NNM system is managed by Tenable.io and is running in High Performance mode, you can use the following command: -a Cloud <activation code>. Before running the -a command for NNM that is managed by Tenable.io, you should first configure the Cloud Host, Cloud Port, Cloud Key, and NNM Name parameters. |
| --config --add "custom_parameter name" "parameter value" | Add a custom configuration parameter for NNM or an NNM Proxy. The double quote characters are required, although single quotes may be used when special characters are required. |
| --config --delete "custom_parameter name" | The delete command may be used to remove custom configuration parameters. |
| --config --list | Lists the current NNM and NNM Proxy configuration parameters. Parameter names are listed to the left of the colon character and are case sensitive. The value of the parameter displays to the right of the colon character. |
| --config "parameter name" ["parameter value"] | Displays the defined parameter value. If a value is added at the end of the command, the parameter updates with the new setting. The double quote characters are required, although single quotes may be used when special characters are required. Note: While CLI changes to some parameters do not require restarting NNM for the change to take effect, you must restart NNM after changing the location of the realtime log file. |
| -d debug mode | Runs NNM in debug mode for troubleshooting purposes. This option causes the system to use more resources and should be enabled only when directed by a Tenable Support Technician. |
| -f packet_dump_file | Replaces packet_dump_file with the path to the .pcap or .pcapng file you want NNM to process. Note: Windows does not support the pcapng format. |
| -h | Displays the command line options help file. |
| -k | Displays the NNM activation status. |
| -L | Displays a list of the license declarations. |
| -l | Displays a list of the plugin IDs that are loaded by NNM. |
| --list-interfaces | Displays the interfaces that NNM can access for packet collection. Useful to display interfaces to 10Gb cards running in high performance mode. |
| -m | Shows various aspects of memory usage during the processing of the NNM command. |
| -p packet_dump_file | Dumps payload packet data in Hex and ASCII to the specified packet_dump_file. This command dumps internal data from packet and plugins processing. This can be useful for debugging plugin issues. |
| NNM --users --add | Adds a new user to NNM. Optionally, you can add the following arguments: NNM --users --add ["username" "password" admin]. Expected values for the "admin" flag are: 1 - grant user administrative privileges; 0 - don't grant user administrative privileges. |
| NNM --users --chpasswd | Changes an NNM user's password. |
| NNM --users --delete "user" | Removes a user from NNM, where "user" is the username to be deleted. |
| --register-offline <license file> | Registers NNM in offline mode when you insert the license file obtained from Tenable®. |
| --config 'Software Update Type' <0-3> | Configures the type of software update that runs when NNM updates. 0 - Disables all updates. 1 - Updates only plugins. 2 - Updates web server, HTML client, and plugins. 3 - Updates all components (web server, HTML client, plugins, and engine). |
| --update-software <update package tarball> | Runs a software update using the setting you configured for Software Update Type. Optionally, if you are running NNM in offline mode and have a custom update package, append the update package tarball name. |
| -v | Shows the version information about the installed instance of NNM. |
Linux Command Line Operations
You must run all commands with root privileges.
Start, Stop, or Restart NNM
| Action | Command to Manage NNM |
| --- | --- |
| Start | # service nnm start, then # ps aux|grep nnm |
| Stop | # service nnm stop |
| Restart | # service nnm restart |

Once a day, as scheduled, if Tenable.sc has received new NNM plugins from Tenable®, it installs them in the NNM plugin directory. NNM detects the change, automatically reloads, and begins using the new plugins.
Real-time NNM data is communicated to the configured LCE server or Syslog server(s) in real-time.
Configure HugePages
Before You Begin
These steps assume that your system meets the System Requirements necessary for running NNM in High Performance mode.
To configure HugePages:
1. Ensure your HugePages settings are correct by using the following command:
# grep Huge /proc/meminfo
AnonHugePages: 0 kB
HugePages_Total: 1024
HugePages_Free: 1024
HugePages_Rsvd: 0
HugePages_Surp: 0
Hugepagesize: 2048 kB
The Hugepagesize parameter is set to 2048 kB by default, but this option is configurable. NNM requires a minimum of 1024 HugePages that are at least 2048 kB in size.
Note: In some cases, the HugePages_Free parameter may be set to 0, however, this does not necessarily indicate insufficient HugePage memory.
2. Reserve a certain amount of memory to be used as HugePages by using the following command to update the kernel parameter manually:
/bin/echo 1024 > /sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages
The number of HugePages reserved by the kernel changes to 1024, and HugePages become available.
Note: If the kernel does not have enough memory available to satisfy this request, the command may fail without notifying the user. After running this command, the HugePages configuration should be checked again using the command in step 1.
3. To ensure that your HugePages configuration persists across system reboots, refer to the following section that corresponds to your Linux kernel version.
CentOS 6
Update the persistent kernel configuration files using one of the following commands:
In the /etc/sysctl.conf file, add the vm.nr_hugepages=1024 parameter and reload the kernel configuration with the sysctl -p command. Alternatively, you can reboot the system.
-or-
In the /etc/grub.conf file, on the kernel startup line, add the hugepages=1024 parameter and reboot the system.
CentOS 7
Update the persistent kernel configuration files using one of the following commands:
In the /etc/sysctl.conf file, add the vm.nr_hugepages=1024 parameter and reload the kernel configuration with the sysctl -p command. Alternatively, you can reboot the system.
-or-
In the /etc/sysconfig/grub file, on the kernel startup command (GRUB_CMDLINE_LINUX), add the hugepages=1024 parameter. Reload the kernel configuration with the grub2-mkconfig -o /etc/grub2 command and reboot the system.
4. Connect the file system to the HugePages subsystem using the following steps:
a. Execute the /bin/mkdir -p /mnt/nnm_huge command.
b. Execute the /bin/mount -t hugetlbfs nodev /mnt/nnm_huge command.
c. Additionally, open the /etc/fstab file location and add the following record:
nodev /mnt/nnm_huge hugetlbfs rw 0 0
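Because the reservation in step 2 can fall short without an error, it helps to verify the whole procedure afterwards. The following added example (not part of the NNM documentation or tooling) checks the outcome of steps 1 through 4 against the guide's minimums; the function names and the sample inputs are constructed for illustration.

```python
import re

MIN_PAGES = 1024              # minimum number of HugePages the guide requires
MIN_PAGE_KB = 2048            # minimum size of one HugePage, in kB
MOUNT_POINT = "/mnt/nnm_huge"

# Constructed sample inputs. MEMINFO_OK follows the output shown in step 1 but
# with HugePages_Free at 0, which the guide notes is not a failure by itself.
MEMINFO_OK = """\
AnonHugePages:         0 kB
HugePages_Total:    1024
HugePages_Free:        0
HugePages_Rsvd:        0
HugePages_Surp:        0
Hugepagesize:       2048 kB
"""
# Models the silent shortfall from the step 2 note: fewer pages than requested.
MEMINFO_SHORT = MEMINFO_OK.replace("1024", "612")
MOUNTS = "nodev /mnt/nnm_huge hugetlbfs rw,relatime 0 0\n"
FSTAB = "nodev /mnt/nnm_huge hugetlbfs rw 0 0\n"
SYSCTL = "vm.nr_hugepages=1024\n"


def parse_meminfo(text):
    """Return {field: int} for the Huge* lines of /proc/meminfo."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(\w*Huge\w*):\s*(\d+)(?:\s*kB)?\s*$", line, re.I)
        if m:
            fields[m.group(1)] = int(m.group(2))
    return fields


def has_hugetlbfs(table_text, mount_point=MOUNT_POINT):
    """True if a mounts- or fstab-style table has hugetlbfs on mount_point."""
    for line in table_text.splitlines():
        cols = line.split("#", 1)[0].split()
        if len(cols) >= 3 and cols[1] == mount_point and cols[2] == "hugetlbfs":
            return True
    return False


def persistent_pages(sysctl_text, grub_text):
    """Largest HugePages count configured to survive a reboot (0 if none)."""
    found = re.findall(r"^\s*vm\.nr_hugepages\s*=\s*(\d+)", sysctl_text, re.M)
    for line in grub_text.splitlines():
        if not line.lstrip().startswith("#"):
            found += re.findall(r"(?<![\w.])hugepages=(\d+)", line)
    return max(map(int, found), default=0)


def check_hugepages(meminfo, mounts, fstab, sysctl="", grub=""):
    """Return a list of problems; an empty list means every step took effect."""
    info = parse_meminfo(meminfo)
    total, size = info.get("HugePages_Total"), info.get("Hugepagesize")
    if total is None or size is None:
        return ["no HugePages fields in meminfo"]
    problems = []
    if size < MIN_PAGE_KB:
        problems.append(f"Hugepagesize is {size} kB, need {MIN_PAGE_KB} kB")
    # HugePages_Free is deliberately not checked; 0 can be normal (step 1 note).
    if total < MIN_PAGES:
        problems.append(f"only {total} HugePages reserved, need {MIN_PAGES}; "
                        "the request in step 2 was not fully satisfied")
    if not has_hugetlbfs(mounts):
        problems.append(f"hugetlbfs is not mounted on {MOUNT_POINT}")
    if not has_hugetlbfs(fstab):
        problems.append(f"no fstab record for {MOUNT_POINT}; mount is lost on reboot")
    if persistent_pages(sysctl, grub) < MIN_PAGES:
        problems.append("reservation is not persisted in sysctl or grub settings")
    return problems


def _read(path):
    """Read a text file, returning an empty string if it is unavailable."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""


if __name__ == "__main__":
    grub = _read("/etc/grub.conf") + _read("/etc/sysconfig/grub")
    issues = check_hugepages(_read("/proc/meminfo"), _read("/proc/mounts"),
                             _read("/etc/fstab"), _read("/etc/sysctl.conf"), grub)
    for issue in issues:
        print("FAIL:", issue)
    print("HugePages setup verified" if not issues else f"{len(issues)} problem(s)")
```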
File Locations
NNM installs its files in the following locations:
| Path | Purpose |
| --- | --- |
| /opt/nnm | Base directory. |
| /opt/nnm/bin | Location of the NNM and NNM Proxy executables, plus several helper tools for the NNM Proxy daemon. |
| /opt/nnm/docs | Contains the software license agreement for NNM. |
| /opt/nnm/var | Contains the folders for NNM and the NNM-Proxy. |
| /opt/nnm/var/nnm | Contains plugins, discovered vulnerabilities, log files, keys, and other miscellaneous items. |
| db | Contains the database files related to the configuration, reports, and users for NNM. |
| kb | Stores the NNM knowledge base, if used. |
| logs | Contains NNM logs. |
| plugins | Contains the NNM plugins delivered via Tenable.sc, Tenable.io, the NNM Feed, or updated via the command line or web interface if NNM is running in Offline mode. Note: If Tenable.sc is used to manage the plugins, do not change this path from the default /opt/nnm/var/nnm. |
| nnm-services | A file NNM uses to map service names to ports. This file may be edited by the user. Plugin updates do not overwrite modifications to the file. |
| reports | Contains reports generated by NNM. This folder contains the .nessus file generated by default. |
| scripts | Contains the files for the NNM Web server. |
| ssl | Contains SSL certificates used by the proxy and web server for the SSL connection between itself and Tenable.sc or the web browser. |
| users | Contains folders for user files and reports. |
| www | Contains the files for the NNM web front-end. |
| /opt/nnm/var/nnm-proxy | Parent folder for files used/created by the NNM proxy. |
| logs | Contains the NNM proxy and NNM proxy service logs. |
Windows Command Line Operations
You must run all programs as a local user with administrative privileges. To do so, when UAC is enabled, right-click on the installer program and select Run as Administrator.
Start or Stop NNM
| Action | Command to Manage NNM |
| --- | --- |
| Start | net start "Tenable NNM Proxy" |
| Stop | net stop "Tenable NNM Proxy" |

Alternatively, NNM can be managed via the Services control panel utility. Under the list of services, find Tenable NNM Proxy Service. Right click on the service to provide a list of options for the services, including the ability to start or stop the Tenable NNM or Tenable NNM Proxy service.
File Locations
NNM installs its files in the following locations:
| Path | Purpose |
| --- | --- |
| C:\Program Files\Tenable\NNM | Contains NNM binaries and dependent libraries. |
| C:\ProgramData\Tenable\NNM | Contains all data files consumed and output by NNM and NNM Proxy (e.g., configuration, plugins, logs, and reports). Note: This directory does not appear unless the Windows Hidden Files and Folders option is enabled. |

The following table contains the folder layout under C:\ProgramData\Tenable\NNM:
| Folder | Purpose |
| --- | --- |
| docs | Contains the software license agreement for NNM. |
| NNM | Parent folder for NNM logs, reports, plugins, and scripts directories. Also contains the NNM-services file. |
| db | Contains the database files relating to the configuration, reports, and users for NNM. |
| kb | Stores the NNM knowledge base, if used. |
| logs | Contains NNM logs. |
| plugins | Contains the NNM plugins delivered via Tenable.sc, Tenable.io, the NNM Feed, or updated via the command line or web interface if NNM is running in Offline mode. Note: Do not change this path from the default C:\ProgramData\Tenable\NNM\nnm if Tenable.sc is used to manage the plugins. |
| nnm-services | A file NNM uses to map service names to ports. This file may be edited by the user. Plugin updates do not overwrite modifications to the file. |
| reports | Contains reports generated by NNM. This folder contains the .nessus file generated by default. |
| scripts | Contains the files for the NNM Web server. |
| ssl | Contains SSL certificates used by the proxy and web server for the SSL connection between itself and Tenable.sc or the web browser. |
| users | Contains folders for user files and reports. |
| www | Contains the files for the NNM web front-end. |
| nnm-proxy | Parent folder for files used/created by the NNM proxy. |
| logs | Contains NNM proxy and NNM proxy service logs. |
| run | Contains process ID temporary files. |
macOS Command Line Operations
You must run all programs as a root user or with equivalent privileges.
Start or Stop NNM
Action | Command to Manage NNM
Start | # launchctl load -w /Library/LaunchDaemons/com.tenablesecurity.nnm-proxy.plist
Stop | # launchctl unload -w /Library/LaunchDaemons/com.tenablesecurity.nnm-proxy.plist
File Locations
NNM installs its files in the following locations:
Path | Purpose
/Library/NNM | Base directory.
/Library/NNM/docs | Contains the NNM license agreement in various file formats.
/Library/NNM/bin | Location of the NNM and NNM Proxy executables, plus several helper tools for the NNM Proxy daemon.
/Library/NNM/var/nnm | Contains plugins, discovered vulnerabilities, log files, keys, and other miscellaneous items.
  db | Contains the database files related to the configuration, reports, and users for NNM.
  kb | Stores the NNM knowledge base, if used.
  logs | Contains NNM logs.
  plugins | Contains the NNM plugins delivered via Tenable.sc, Tenable.io, the NNM Feed, or updated via the command line or web interface if NNM is running in Offline mode. Note: Do not change this path from the default /Library/NNM/var/nnm if Tenable.sc is used to manage the plugins.
  nnm-services | A file NNM uses to map service names to ports. This file may be edited by the user. Plugin updates do not overwrite modifications to the file.
  reports | Contains reports generated by NNM. This folder contains the .nessus file generated by default.
  scripts | Contains the files for the NNM Web server.
  ssl | Contains SSL certificates used by the proxy and web server for the SSL connection between itself and Tenable.sc or the web browser.
  users | Contains files and reports for NNM users.
  www | Contains the files for the NNM web front-end.
/Library/NNM/var/nnm-proxy | Parent folder for files used/created by the NNM proxy.
  logs | Contains the NNM proxy and NNM proxy service logs.
Unknown or Customized Ports
Many networks contain traffic on ports NNM defines as different traffic types or alternate ports. If the port is not defined, it displays as Unknown. The NNM-services file may be edited to either customize or add the port information to provide accurate reporting for ports on the network.
For example, by default, there are two lines in the NNM-services file that define SMTP traffic. They read smtp 25/tcp and smtp 25/udp. If the organization routinely sends SMTP data over port 2525, those lines can be updated to read smtp 2525/tcp and smtp 2525/udp.
Real-Time Traffic Analysis Configuration Theory
This section describes how configuration options affect NNM operation and provides the following details on NNM architecture:
• Focus Network
• Detecting Server and Client Ports
• Detecting Specific Server and Client Port Usage
• Firewall Rules
• Working with Tenable.sc
• Selecting Rule Libraries and Filtering Rules
• Detecting Encrypted and Interactive Sessions
• Routes and Hop Distance
• Alerting
Focus Network
When a focus network is specified via the Monitored Networks IP Addresses and Ranges configuration parameter, only one side of a session must match in the list. For example, if you have a DMZ that is part of the focus network list, NNM reports on vulnerabilities of the web server there, but not on web clients visiting from outside the network. However, a web browser within the DMZ visiting the same web server is reported.
In the diagram above, three sessions labeled A, B, and C are shown communicating to, from, and inside a focus network. In session A, NNM analyzes only those vulnerabilities observed on the server inside the focus network and does not report client side vulnerabilities. In session B, NNM ignores vulnerabilities on the destination server, but reports client side vulnerabilities. In session C, both client and server vulnerabilities are reported.
There is another filter that NNM uses while looking for unique sessions. This is a dependency that requires the host to run a major service. These dependencies are defined by a list of NNM plugin IDs that identify SSL, FTP, and several dozen other services.
Finally, the entire process of detecting these sessions can be filtered by specific network ranges and ports. For example, if a university ran a public FTP server that had thousands of downloads each hour, they may want to disable interactive sessions on port 21 on that FTP server. Similarly, disabling encryption detection on ports such as 22 and 443 also eliminates some noise for NNM.
Detecting Server and Client Ports
The method used by TCP connections to initiate communication is known as the “three-way handshake.” This method can be compared to how a common telephone conversation is initiated. If Bob calls Alice, he has effectively sent her, in TCP terms, a “SYN” packet. She may or may not answer. If Alice answers, she has effectively sent a “SYN-ACK” packet. The communication is still not established, since Bob may have hung up as she was answering. The communication is established when Bob replies to Alice, sending her an “ACK.”
The NNM configuration option “connections to services” enables NNM to log network client to server activity.
Whenever a system within the monitored network range tries to connect to a server over TCP, the connecting system emits a TCP “SYN” packet. If the port the client connects on is open, then the server responds with a TCP “SYN/ACK” packet. At this point, NNM records both the client address and the server port the client connects to. If the port on the server is not open, then the server does not respond with a TCP “SYN/ACK” packet. In this case, since NNM never sees a TCP “SYN/ACK” response from the server, NNM does not record the fact that the client tried to connect to the server port, since the port is not available to that client.
The Connections to Services configuration parameter does not track how many times the connection was made. If the same host browses the same web server a million times, or browses a million different web servers once, the host is still marked as having browsed on port 80. This data is logged as NNM internal plugin ID 2.
NNM detects many applications through plugin and protocol analysis. At a lower level, NNM also detects open ports and outbound ports in use on the monitored networks. By default, NNM detects any TCP server on the protected network if it sees a TCP “SYN-ACK” packet.
In combination, the detection of server ports and client destination ports allows a network administrator to see who on their network is serving a particular protocol and who on their network is speaking that protocol.
Detecting Specific Server and Client Port Usage
The Show Connections configuration parameter keeps track of host communication within the focus network. When the Show Connections configuration parameter is enabled, if one of the hosts is in the defined focus network, NNM records the client, server, and server port every time a host connects to another host. It does not track the frequency or time stamp of the connections – just that a connection was made.
The Show Connections configuration parameter provides a greater level of detail than the Connections to Services configuration parameter. For example, if your IPv4 address is 1.1.1.1 or your IPv6 address is 2001:DB8::AE59:3FC2 and you use the SSH service to connect to “some_company.com”, then the use of these options records the following:
Show Connections
some_company.com:SSH
2001:DB8::AE59:3FC2 -> some_company.com
Connections to Services
SSH
2001:DB8::AE59:3FC2 -> SSH
Using the Connections to Services configuration parameter lets you know that the system at 1.1.1.1 and 2001:DB8::AE59:3FC2 uses the SSH protocol. This information may be useful regardless of where the service is used.
NNM does not log a session-by-session list of communications. Instead, it logs the relationship between the systems. For example, if system A is detected using the SSH protocol on port 22 connecting to system B, and both systems are within the focus network, NNM would log:
• System A browses on port 22
• System B offers a service (listens) on port 22
• System A communicates with System B on port 22
If system B were outside of the focus network, NNM would not record anything about the service system B offers, and would also log that system A browses outside of the focus network on port 22. NNM does not log how often a connection occurs, only that it occurred at least once. For connections outside of the focus network, NNM logs only which ports are browsed, not the actual destinations.
Note: If logging session-by-session network events is a requirement for your network analysis, Tenable offers the LCE product, which can log firewall, web server, router, and sniffer logs.
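The focus-network rule (sessions A, B, and C) and the relationship records described above can be modeled in a few lines. This is an added illustration, not NNM code: the function names, record labels, and sample addresses are constructed for the example.

```python
import ipaddress

# Constructed sample data (documentation address ranges), not taken from the guide.
FOCUS = ["192.0.2.0/24", "2001:db8:10::/48"]
SESSIONS = [  # (client, server, server_port) for handshakes that reached SYN-ACK
    ("198.51.100.7", "192.0.2.10", 443),       # session A: outside client -> focus server
    ("192.0.2.20", "203.0.113.5", 22),         # session B: focus client -> outside server
    ("192.0.2.20", "192.0.2.10", 22),          # session C: both hosts in the focus network
    ("192.0.2.20", "192.0.2.10", 22),          # session C observed a second time
    ("2001:db8:10::5", "2001:db8:10::1", 22),  # IPv6 session, both hosts inside
    ("198.51.100.7", "203.0.113.5", 80),       # neither side matches the focus list
]


def _in_focus(addr, networks):
    """True if addr falls inside any focus network of the same IP version."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in networks)


def reported_sides(client, server, focus):
    """Return which ends of a session have their vulnerabilities reported."""
    networks = [ipaddress.ip_network(n) for n in focus]
    sides = set()
    if _in_focus(client, networks):
        sides.add("client")
    if _in_focus(server, networks):
        sides.add("server")
    return sides


def relationships(sessions, focus):
    """Collapse sessions into the three relationship records the text lists.

    A set is used on purpose: repeated sessions add nothing, because only the
    existence of a relationship is kept, not its frequency or time stamp.
    """
    records = set()
    for client, server, port in sessions:
        sides = reported_sides(client, server, focus)
        if "server" in sides:
            records.add(("offers", server, port))
        if "client" in sides:
            # Only the browsed port is kept; an outside destination is not stored.
            records.add(("browses", client, port))
        if sides == {"client", "server"}:
            records.add(("communicates", client, server, port))
    return records


if __name__ == "__main__":
    for record in sorted(relationships(SESSIONS, FOCUS), key=str):
        print(record)
```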
Firewall Rules
If NNM is placed immediately behind a firewall such that all of the traffic presented to NNM flows through the firewall, then the list of served ports, client side ports, and the respective IP addresses of the users are readily available.
Tools such as the Tenable.sc Vulnerability Analysis page allow information about these ports (both client and server) to be browsed, sorted, and reported on. You can also view lists of IP addresses and networks using these client and server ports.
Working with Tenable.sc
When Tenable.sc manages multiple NNM sensors, users of Tenable.sc can analyze the aggregate types of open ports, browsed ports, and communication activity that occurs on the focus network. Since Tenable.sc has several different types of users and privileges, many different IT and network engineering accounts can be created across an enterprise so they can share and benefit from the information detected by NNM.
Selecting Rule Libraries and Filtering Rules
Tenable ships an encrypted library of passive vulnerability detection scripts. This file cannot be modified by the end users of NNM. However, if certain scripts must be disabled, they can be specified by the PASL ID with “.pasl” appended. For example, 1234.pasl on a single line in the disabled-scripts.txt file disables the PASL with the ID of 1234.
If a plugin must be disabled, type its ID on a single line in the disabled-plugins.txt file. If a plugin must be real-time enabled, type its ID on a single line in the realtime-plugins.txt file.
When adding NNM plugins to the disabled plugin list, be sure to leave an empty blank line after typing the last plugin to be disabled. Failure to return to the next line can result in a non-functional disabled plugin list.
Example: 1234 [return]
If any of the referenced files do not exist, create them using the appropriate method for the operating system. The file locations are as follows:
Operating System | File Path
Linux | /opt/nnm/var/nnm
Windows | C:\ProgramData\Tenable\NNM\nnm
macOS | /Library/NNM/var/nnm
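A pre-deployment check for these three list files, catching the missing final newline the text warns about. This is an added example, not a Tenable tool: the function names are hypothetical, and treating any line that is not exactly one ID (blank lines, stray spaces) as an error is an assumption stricter than the guide states.

```python
import re

# One entry shape per file, following the text: a bare ID for the plugin lists,
# "<ID>.pasl" for the script list. Strict matching is an assumption of this example.
LINE_RULES = {
    "disabled-plugins.txt": re.compile(r"\d+"),
    "realtime-plugins.txt": re.compile(r"\d+"),
    "disabled-scripts.txt": re.compile(r"\d+\.pasl"),
}


def lint_list(filename, content):
    """Return a list of problems found in the text of one list file."""
    rule = LINE_RULES[filename]
    problems = []
    if content and not content.endswith("\n"):
        # The failure mode from the guide: no [return] after the last ID.
        problems.append("last line is not terminated by a newline")
    for number, line in enumerate(content.splitlines(), 1):
        if not rule.fullmatch(line):
            problems.append(f"line {number}: {line!r} is not a valid entry")
    return problems


def add_entry(filename, content, plugin_id):
    """Return new file text with plugin_id present once and every line terminated."""
    entry = f"{plugin_id}.pasl" if filename == "disabled-scripts.txt" else str(plugin_id)
    lines = content.splitlines()
    if entry not in lines:
        lines.append(entry)
    return "".join(line + "\n" for line in lines)


if __name__ == "__main__":
    broken = "1234\n5678"  # constructed sample: final newline missing
    print(lint_list("disabled-plugins.txt", broken))
    print(repr(add_entry("disabled-plugins.txt", broken, 42)))
```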
Detecting Encrypted and Interactive Sessions
NNM can be configured to detect both encrypted and interactive sessions. An encrypted session is a TCP or UDP session that contains sufficiently random payloads. An interactive session uses timing and statistical profiling of the packets in a session to determine if the session involves human input at a command line prompt.
In both cases, NNM identifies these sessions for the given port and IP protocol. It then lists the detected interactive or encrypted session as vulnerabilities.
NNM has a variety of plugins to recognize telnet, Secure Shell (SSH), Secure Socket Layer (SSL), and other protocols. Combined with the detection of the interactive and encryption algorithms, NNM may log multiple forms of identification for the detected sessions.
For example, NNM may recognize not only an SSH service running on a high port as an encrypted session, but also recognize the version of SSH and determine any vulnerabilities associated with it.
Routes and Hop Distance
For active scans, one host can find the default route and an actual list of all routers between it and a target platform. To do this, it sends one packet after another with a slightly larger TTL (time to live) value. Each time a router receives a packet, it decrements the TTL value and sends it on. If a router receives a packet with a TTL value of one, it sends a message back to the originating server stating that the TTL has expired. The server sends packets to the target host with greater and greater TTL values and collects the IP addresses of the routers sending expiration messages in-between.
Since NNM is entirely passive, it cannot send or elicit packets from the routers or target computers. It can, however, record the TTL value of a target machine. The TTL value is an 8-bit field, which means it can contain a value between 0 and 255. Most machines use an initial TTL value of 32, 64, 128, or 255. Since there is a maximum of 16 hops between your host and any other host on the internet, NNM uses an algorithm to map any TTL to the number of hops.
For example, if NNM sniffed a server sending a packet with a TTL of 126, it detects that the server, which started from an initial TTL of 128, is two hops away. NNM does not know the IP address of the in-between routers.
Note: Modern networks have many devices such as NAT firewalls, proxies, load balancers, intrusion prevention, routers, and VPNs that rewrite or reset the TTL value. In these cases, NNM may report inconsistent hop counts.
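One way to map an observed TTL to a hop count, and to spot the inconsistent results the note mentions. This is an added sketch, not NNM's actual algorithm, which the guide does not publish: it assumes the sender used the smallest of the common initial values that is not below the observed TTL, and the sample observations are constructed.

```python
COMMON_INITIAL_TTLS = (32, 64, 128, 255)  # initial values named in the text
MAX_HOPS = 16                             # hop ceiling named in the text


def estimate_hops(observed_ttl):
    """Return (assumed_initial_ttl, hops), or None when no common initial
    TTL explains the observation within MAX_HOPS."""
    if not 0 <= observed_ttl <= 255:
        raise ValueError("TTL is an 8-bit field")
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            hops = initial - observed_ttl
            return (initial, hops) if hops <= MAX_HOPS else None
    return None


def inconsistent_hosts(observations):
    """Group (host, ttl) observations and return the hosts whose packets map
    to more than one estimate, a sign that a device on the path rewrote or
    reset the TTL."""
    per_host = {}
    for host, ttl in observations:
        per_host.setdefault(host, set()).add(estimate_hops(ttl))
    return {host: found for host, found in per_host.items() if len(found) > 1}


# Constructed sample observations: (source address, TTL seen by the sensor).
OBSERVATIONS = [
    ("192.0.2.10", 126), ("192.0.2.10", 126),  # stable: initial 128, two hops
    ("192.0.2.30", 61), ("192.0.2.30", 254),   # two different answers for one host
    ("192.0.2.40", 40),                        # 24 below 64: exceeds the hop ceiling
]

if __name__ == "__main__":
    print(estimate_hops(126))
    print(inconsistent_hosts(OBSERVATIONS))
```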
Alerting
When NNM detects a real-time event, it can:
• Send the event to a local log file.
• Send the event via Syslog to a log aggregator such as Tenable LCE, an internal log aggregation server.
• Send the event to a third party security event management vendor.
New Host Alerting
You can configure NNM to detect when a new host has been added to the network. By default, NNM has no knowledge of your network’s active hosts, so the first packets NNM sniffs trigger an alert. To avoid this, you can configure NNM to learn the network over a period of days. Once this period is over, any “new” traffic must be from a host that has not communicated during the initial training.
To prevent NNM from triggering new host alerts on known hosts, you can create a known hosts file in the location to which the Known Hosts File configuration parameter is set. Each line of the Known Hosts File supports a single IPv4 or IPv6 address. Hyphenated ranges and CIDR notation are not supported. NNM must be restarted after creating or making any changes to the Known Hosts File.
When NNM logs a new host, the Ethernet address is saved in the message. When NNM is more than one hop away from the sniffed traffic, the Ethernet address is that of the local switch and not the actual host. If the scanner is deployed in the same collision domain as the sniffed server, then the Ethernet address is accurate.
For DHCP networks, NNM often detects a “new” host. Tenable® recommends deploying this feature on non-volatile networks such as DMZ. Users should also consider analyzing NNM “new” host alerts with Tenable.sc, which can sort real-time NNM events by networks.
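Because the Known Hosts File accepts only one address per line, an inventory kept as CIDR blocks or ranges has to be expanded before it is written. This is an added example, not a Tenable utility: the function names, the expansion cap, and the choice to leave out network and broadcast addresses are assumptions of the example.

```python
import ipaddress

MAX_EXPANSION = 4096  # assumed safety cap so a typo such as /8 or /64 cannot flood the file


def expand_entry(entry, limit=MAX_EXPANSION):
    """Turn one inventory entry (address, CIDR block, or lo-hi range) into single addresses."""
    entry = entry.strip()
    if "-" in entry:
        lo_text, hi_text = (part.strip() for part in entry.split("-", 1))
        lo, hi = ipaddress.ip_address(lo_text), ipaddress.ip_address(hi_text)
        if lo.version != hi.version or hi < lo:
            raise ValueError(f"bad range: {entry}")
        count = int(hi) - int(lo) + 1
        if count > limit:
            raise ValueError(f"{entry} expands to {count} addresses")
        return [lo + offset for offset in range(count)]
    if "/" in entry:
        net = ipaddress.ip_network(entry, strict=False)
        if net.num_addresses > limit:
            raise ValueError(f"{entry} expands to {net.num_addresses} addresses")
        # Leave out network/broadcast addresses except in one- or two-address blocks.
        return list(net) if net.num_addresses <= 2 else list(net.hosts())
    return [ipaddress.ip_address(entry)]


def build_known_hosts(entries, limit=MAX_EXPANSION):
    """Return file text: one unique address per line, IPv4 before IPv6, newline-terminated."""
    hosts = set()
    for entry in entries:
        hosts.update(expand_entry(entry, limit))
    ordered = sorted(hosts, key=lambda addr: (addr.version, int(addr)))
    return "".join(f"{addr}\n" for addr in ordered)


def lint_known_hosts(text):
    """Return (line_number, line) for every line that is not a single IP address."""
    bad = []
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            ipaddress.ip_address(line.strip())
        except ValueError:
            bad.append((number, line))
    return bad


if __name__ == "__main__":
    inventory = ["192.0.2.8/30", "192.0.2.10", "2001:db8::1"]  # constructed sample
    print(build_known_hosts(inventory), end="")
    print(lint_known_hosts("192.0.2.1\n192.0.2.0/24\n"))
```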
Modules
NNM includes analysis modules that analyze network traffic based on certain criteria. These modules modularize NNM detection capabilities and provide users the ability to enable or disable them. There are two analysis modules:
• SCADA/ICS Analysis Module
  Note: This module is only available for Industrial Security customers. Industrial Security is end-of-life (EOL). For information about EOL dates and policies for Tenable products, see the Tenable Software Release Lifecycle Matrix and Policy.
  This module analyzes SCADA network traffic to discover SCADA assets and their vulnerabilities. In addition, the module provides deep visibility into the type of SCADA devices discovered. This module is enabled by default and can be disabled in environments that do not contain SCADA devices. You can use the Tenable Search page to search for specific device detection information. This module is only available for Industrial Security customers.
• Connection Analysis Module
  This module reports connection duration and bandwidth information including for IPv6 and tunneled traffic. This module is disabled by default.
Note: You must restart NNM after enabling a module for the module to function correctly within NNM.
Connection Analysis Module
Module Detection ID | Module Detection Name | Module Detection Description | Risk Factor
97 | TCP Session Bandwidth (1 - 10MB) | NNM computes the bytes exchanged between each TCP endpoint when the session ends. The total bytes exchanged during the lifetime of this session is between 1 and 10MB. | INFO
98 | TCP Session Bandwidth (10 - 100MB) | NNM computes the bytes exchanged between each TCP endpoint when the session ends. The total bytes exchanged during the lifetime of this session is more than 10MB but less than or equal to 100MB. | INFO
99 | TCP Session Bandwidth (10 - 100MB) | NNM computes the bytes exchanged between each TCP endpoint when the session ends. The total bytes exchanged during the lifetime of this session is more than 100MB but less than or equal to 1GB. | INFO
100 | TCP Session Bandwidth (> 1GB) | NNM computes the bytes exchanged between each TCP endpoint when the session ends. The total bytes exchanged during the lifetime of this session is more than 1GB. | INFO
101 | TCP Session Duration (< 1 minute) | NNM computes the duration of each TCP session when the session ends. This TCP session duration is less than 1 minute. | INFO
102 | TCP Session Duration (1 - 15 minutes) | NNM computes the duration of each TCP session when the session ends. This TCP session duration is between 1 minute and 15 minutes. | INFO
103 | TCP Session Duration (15 - 25 minutes) | NNM computes the duration of each TCP session when the session ends. This TCP session duration is more than 15 but less than or equal to 25 minutes. | INFO
104 | TCP Session Duration (25 - 40 minutes) | NNM computes the duration of each TCP session when the session ends. This TCP session duration is more than 25 but less than or equal to 40 minutes. | INFO
105 | TCP Session Duration (40 - 55 minutes) | NNM computes the duration of each TCP session when the session ends. This TCP session duration is more than 40 but less than or equal to 55 minutes. | INFO
106 | TCP Session Duration (55 - 100 minutes) | NNM computes the duration of each TCP session when the session ends. This TCP session duration is more than 55 but less than or equal to 100 minutes. | INFO
107 | TCP Session Duration (100 minutes - 24 hours) | NNM computes the duration of each TCP session when the session ends. This TCP session duration is more than 100 minutes but less than or equal to 24 hours. | INFO
108 | TCP Session Duration (24 - 47 hours) | NNM computes the duration of each TCP session when the session ends. This TCP session duration is more than 24 hours but less than or equal to 47 hours. | INFO
109 | TCP Session Duration (> 47 hours) | NNM computes the duration of each TCP session when the session ends. This TCP session duration is more than 47 hours. | INFO
110 | UDP Activity | UDP activity observed | INFO
111 | ICMP Activity | ICMP activity observed | INFO
112 | IGMP Activity | IGMP activity observed | INFO
Configure NNM for use with Industrial Security
Industrial Security is end-of-life (EOL). For information about EOL dates and policies for Tenable products, see the Tenable Software Release Lifecycle Matrix and Policy.
1. Install Industrial Security using the following command:
$ rpm -ivh /root/is-1.0.0.rpm
2. In your browser, navigate to either of the following URLs and follow the prompts:
• https://localhost:8837
• https://127.0.0.1:8837
3. Log in to Industrial Security with the default credentials (admin/admin).
4. In the Quick Setup dialog, change your password.
5. Click Next Step.
6. Register your copy of Industrial Security using the Activation Code you received from Tenable, Inc.
Tip: Alternatively, this can be done from the command line by using $ /opt/industrial-security/bin/industrial-security -a <ActivationCode> in Linux or C:> cd "C:\Program Files\Tenable\Industrial Security\" C:> industrial-security.exe -a <ActivationCode> in Windows.
7. Once activated, locate the Linking Key to connect one or more NNM sensors to Industrial Security.
8. On the Industrial Security home page, click Settings.
9. Click the Sensor Configuration tab.
10. Locate and copy the IS Linking Key. The IS Linking Key is a 64-character hex string used to connect an NNM sensor to this Industrial Security host.
11. Install the NNM application using the following command:
$ rpm -ivh /root/nnm-5.4.0.rpm
12. In your browser, navigate to either of the following URLs and follow the prompts:
• https://localhost:8835
• https://127.0.0.1:8835
13. Log in to NNM using the default credentials (admin/admin).
14. In the Quick Setup dialog, change your password.
15. Click Next Step.
16. In the Activation Code box, type IndustrialSecurity.
Additional options appear.
17. In the Industrial Security Host box, type the IP address of the machine where you installed the Industrial Security application.
18. In the Industrial Security Key box, type the Industrial Security Linking Key you located above.
19. In the NNM Name box, type a name for the NNM host you're setting up.
Tip: This is the name that appears in IS once a connection is established and identifies this specific sensor to differentiate between this host and other NNM sensors you may install elsewhere on your network.
20. Click Next Step.
21. Click on the network interfaces you wish to monitor.
22. Type the network ranges you wish to monitor on those interfaces.
Note: To monitor all network ranges including VLAN support, type 0.0.0.0/0, vlan 0.0.0.0/0, 0::/0, vlan 0::/0
23. Click Finish.
A Setup Completed Successfully notification appears and you return to the NNM Monitoring Dashboard.
Note: You must restart NNM after enabling a module for the connection to function correctly within NNM.
Tip: To validate your NNM sensor host and your Industrial Security application connection, return to the Industrial Security application, click Settings > Sensor Configuration and verify that the NNM Host is in the Sensors List.
Internal NNM Plugin IDs
Each vulnerability and real-time check NNM performs has a unique associated ID. NNM IDs are within the range 0 to 10000.
Internal NNM IDs
Some of NNM’s checks, such as detecting open ports, are built in. The following chart lists some of the more commonly encountered internal checks and describes what they mean:
| NNM ID | Name | Description |
|---|---|---|
| 0 | Detection of Open Port | NNM has observed a SYN-ACK leave from a server. |
| 1 | Operating System Fingerprint | NNM has observed enough traffic about a server to guess the operating system. |
| 2 | Service Connection | NNM has observed browsing traffic from a host. |
| 3 | Internal Client Trusted Connections | NNM has logged a unique network session of source IP, destination IP, and destination port. |
| 4 | Internal Interactive Session | NNM has detected one or more interactive network sessions between two hosts within your focus network. |
| 5 | Outbound Interactive Sessions | NNM has detected one or more interactive network sessions originating from within your focus network and destined for one or more addresses on the Internet. |
| 6 | Inbound Interactive Sessions | NNM has detected one or more interactive network sessions originating from one or more addresses on the Internet to this address within your focus network. |
| 7 | Internal Encrypted Session | NNM has detected one or more encrypted network sessions between two hosts within your focus network. |
| 8 | Outbound Encrypted Session | NNM has detected one or more encrypted network sessions originating from within your focus network and destined for one or more addresses on the Internet. |
| 9 | Inbound Encrypted Session | NNM has detected one or more encrypted network sessions originating from one or more addresses on the Internet to this address within your focus network. |
| 12 | Number of Hops | NNM logs the number of hops away each host is located. |
| 14 | Accepts External Connections | NNM detects an external connection to this host. Specific IP addresses are not reported by this plugin, but it does track the destination port and protocol used. You can view full connection details in the real-time event log. This is the opposite of plugin 16, which reports on outbound connections. |
| 15 | Internal Server Trusted Connections | NNM has logged a unique network session of source IP, destination IP, and destination port. Specific IP addresses are not reported by this plugin, but it does track which destination port and protocol was used. You can view full connection details in the real-time event log. This is the opposite of plugin 14, which reports on inbound connections. |
| 16 | Outbound External Connection | NNM has detected an external connection from this host. |
| 17 | TCP Session | NNM identifies TCP sessions and reports the start time, number of bytes of data downloaded during, and end time of these sessions. This plugin is reported at the end of each TCP session. |
| 18 | IP Protocol Detection | NNM detects all IP protocols. |
| 19 | VLAN ID Reporting | NNM reports all observed VLAN tags per host. |
| 20 | IPv6 Tunneling | NNM identifies and processes tunneled IPv6 traffic. |
NNM Plugins
This section provides the following information about NNM plugins:
- Vulnerability and Passive Fingerprinting
- NNM Fingerprinting
- NNM Plugin Syntax
- NNM Real-Time Plugin Syntax and Examples
- NNM Corporate Policy Plugins
About NNM Plugins
NNM has two sources of plugin information: the .prmx and .prm plugin libraries in the plugins directory.
Tenable distributes its passive vulnerability plugin database in an encrypted format. The encrypted file is named tenable_plugins.prmx and, if necessary, can be updated daily. NNM plugins written by the customer or third parties have the .prm extension.
Tenable has also implemented passive fingerprinting technology based on the open-source SinFP tool. With permission from the author, Tenable includes the database of passive operating system fingerprints for the fingerprinting technology in this distribution of NNM.
Writing Custom Plugins
NNM customers can write their own passive plugins, which are added into the plugins directory in the NNM installation directory. The plugin must end with a .prm extension to be visible by NNM.
You must restart NNM if:
- You add a new custom plugin to the plugins directory. NNM does not fire the plugin until you restart.
- You delete a .prm file manually from the plugins directory. NNM continues to fire the plugin until you restart.
NNM Fingerprinting
Tenable uses a hybrid approach to operating system fingerprinting. Primarily, plugins are used to detect and identify the OS of a host. If this is not possible, NNM uses detected packets to identify the OS.
NNM has the ability to guess the operating system of a host by looking at the packets it generates. Specific combinations of TCP packet entries, such as the window size and initial time-to-live (TTL) values, allow NNM to predict the operating system generating the traffic.
These unique TCP values are present when a server makes or responds to a TCP request. All TCP traffic is initiated with a “SYN” packet. If the server accepts the connection, it sends a response known as a “SYN-ACK” packet. If the server cannot or will not communicate, it sends a reset (RST) packet. When a server sends a “SYN” packet, NNM applies this list of operating system fingerprints and attempts to determine the operating system type.
Tenable Network Security has permission to re-distribute the passive operating fingerprints from the author of the SinFP open source project.
NNM Plugin Syntax
Plugins
NNM plugins allow spaces and comment fields that start with a number (#) sign. Each plugin must be separated with the word “NEXT” on a single line. Create a .prm file in the plugins directory to make it available for use. You must restart NNM to use new custom plugins.
Plugin Keywords
There are several keywords available for writing passive vulnerability plugins for NNM. Some of these keywords are mandatory and some are optional. In the table below, mandatory keywords are highlighted in blue.
| Name | Description |
|---|---|
| bid | Tenable assigns SecurityFocus Bugtraq IDs (BID) to NNM plugins. This allows a user reading a report generated by NNM to link to more information available at http://www.securityfocus.com/bid. Multiple Bugtraq entries can be typed on one line if separated by commas. |
| bmatch | This is the same as match but can look for any type of data. A bmatch must always have an even number of alphanumeric characters. |
| clientissue | If a vulnerability is determined in a network client such as a web browser or an email tool, a server port is associated with the reported vulnerability. |
| cve | Tenable also assigns Common Vulnerability and Exposure (CVE) tags to each NNM plugin. This allows a user reading a report generated by NNM to link to more information available at http://cve.mitre.org/. Multiple CVE entries can be typed on one line if separated by commas. |
| dependency | This is the opposite of noplugin. Instead of specifying another plugin that has failed, this keyword specifies which plugin must succeed. This keyword specifies a NNM ID that should exist to evaluate the plugin. In addition, this plugin can take the form of dependency=ephemeral-server-port, which means the evaluated server must have an open port above port 1024. |
| dport | This is the same as sport, but for destination ports. |
| Exploitability: canvas, core, cvsstemporal, metasploit | Displays exploitability factors for the selected vulnerability. For example, if the vulnerability is exploitable via both Canvas and Core and has a unique CVSS temporal score, the following tags may be displayed in the plugin output: CANVAS : D2ExploitPack; CORE : true; CVSSTEMPORAL : CVSS2#E:F/RL:OF/RC:C |
| family | Each Tenable plugin for NNM is included in a family. This designation allows Tenable to group NNM plugins into easily managed sets that can be reported on individually. |
| hs_dport | This is the same as hs_sport except for destination ports. |
| hs_sport | Normally, when NNM runs its plugins, they are either free ranging looking for matches on any port, or fixed to specific ports with the sport or dport keywords. In very high speed networks, many plugins have a fallback port, known as a high-speed port, which focuses the plugin only on one specific port. In High Performance mode, the performance of a NNM plugin with an hs_sport keyword is exactly the same as if the plugin was written with the sport keyword. |
| id | Each NNM plugin needs a unique rule ID. Tenable assigns these 16 bit numbers within the overall NNM range of valid entries. A list of the current NNM plugin IDs can be found on the Tenable website. |
| match | This keyword specifies a set of one or more simple ASCII patterns that must be present in order for the more complex pattern analysis to take place. The match keyword gives NNM a lot of its performance and functionality. With this keyword, if it does not see a simple pattern, the entire plugin does not match. |
| name | This is the name of the vulnerability NNM has detected. Though multiple NNM plugins can have the same name, it is not encouraged. |
| nid | To track compatibility with the Nessus vulnerability scanner, Tenable associates NNM vulnerability checks with relevant Nessus vulnerability checks. Multiple Nessus IDs can be listed under one nid entry such as nid=10222,10223. |
| nooutput | For plugins that are written specifically to be used as part of a dependency with another plugin, the nooutput keyword causes NNM not to report anything for any plugin with this keyword enabled. |
| noplugin | This keyword prevents a plugin from being evaluated if another plugin has already matched. For example, it may make sense to write a plugin that looks for a specific anonymous FTP vulnerability, but disable it if another plugin that checked for anonymous FTP has already failed. |
| pbmatch | This is the same as bmatch except for binary data on the previous side of the reconstructed network session. |
| plugin_output | This keyword displays dynamic data for a given vulnerability or event. The dynamic data is usually represented using %L or %P, and its value is obtained from the regular expressions defined using regex, regexi, pregex, or pregexi. |
| pmatch | This keyword is the same as match but is applied against the previous packet on the other side of the reconstructed network session. |
| pregex | This is the same as regex except the regular expression is applied to the previous side of the reconstructed network session. |
| pregexi | This is the same as pregex except the pattern matching is not case sensitive. |
| protocol_id | This keyword is used to specify the protocol number of the protocol causing the plugin to fire. |
| regex | This keyword specifies a complex regular expression search rule applied to the network session. |
| regexi | This is the same as regex except the pattern matching is not case sensitive. |
| risk | All NNM plugins need a risk setting. Risks are classified as INFO, LOW, MEDIUM, HIGH, and CRITICAL. An INFO risk is an informational vulnerability such as client or server detection. A LOW risk is an informational vulnerability such as an active port or service. A MEDIUM risk is something that may be exploitable or discloses information. A HIGH risk is something that is easily exploitable. A CRITICAL risk is something that is very easily exploitable and allows for malicious attacks. |
| seealso | If one or more URLs are available, this keyword can be used to display them. Multiple URLs can be specified on one line if separated by commas. Example entries for this include CERT advisories and vendor information websites. |
| solution | If a solution is available, it can be described here. The report section highlights the solution with different text. |
| sport | This setting applies the NNM plugin to just one port. For example, you may wish to write a SNMP plugin that just looks for activity on port 162. However, for detection of off-port services like a web server running on port 8080, a sport field is not used in the plugin. |
| stripped_description | This field describes on one line the nature of the detected vulnerability. This data is printed out by NNM when printing the vulnerability report. Macros are available that allow the printing of matched network traffic such as banner information and are discussed in the examples below. For line breaks, the characters “\n” can be used to invoke a new line. |
| timed-dependency | This keyword slightly modifies the functionality of the noplugin and dependency keywords such that the evaluation must have occurred within the last N seconds. |
| udp | This keyword specifies that plugins are to be based on the UDP protocol rather than TCP protocol. |
Tip: In addition to tcp or udp, the following protocols are supported: sctp, icmp, igmp, ipip, egp, pup, idp, tp, rsvp, gre, pim, esp, ah, mtp, encap, comp, ipv6, ospf, eigrp, isis, raw, or other.
Related Information
- Network Client Detection
- Pattern Matching
- Time Dependent Plugins
- Plugin Examples
Network Client Detection
Match patterns that begin with the ^ symbol mean at least one line in the packet payload must begin with the following pattern. Match patterns that begin with the ! symbol indicate that the string must NOT match anything in the packet payload. In the plugin below, the ! and ^ symbols are combined to indicate that NNM should not evaluate any packet whose payload contains a line starting with the pattern Received:.
The ^ is more expensive to evaluate than the > symbol. So, while both match patterns ^<pattern> and ><pattern> would find <pattern> at the beginning of a packet payload, the use of > is more desirable as it is less costly. Use ^ when looking for the occurrence of a string at the beginning of a line, but not at the beginning of the packet payload. In the latter case, use the > character instead.
id=79526
hs_dport=25
clientissue
name=Buffer overflow in multiple IMAP clients
description=The remote e-mail client is Mozilla 1.3 or 1.4a which is vulnerable to a boundary condition error whereby a malicious IMAP server may be able to crash or execute code on the client.
solution=Upgrade to either 1.3.1 or 1.4a
risk=HIGH
match=^From:
match=^To:
match=^Date:
match=^User-Agent: Mozilla
match=!^Received:
regex=^User-Agent: Mozilla/.* \(.*rv:(1\.3|1\.4a)
Pattern Matching
NNM Can Match "Previous" Packets
NNM allows matching on patterns in the current packet as well as patterns in the previous packet in the current session. This plugin shows how we can make use of this feature to determine if a Unix password file is sent by a web server:
id=79175
name=Password file obtained by HTTP (GET)
family=Generic
sport=80
description=It seems that a Unix password file was sent by the remote web server when the following request was made :\n%P\nWe saw : \n%L
pmatch=>GET /
pmatch=HTTP/1.
match=root
match=daemon
match=bin
regex=root:.*:0:0:.*:.*
Here we see match patterns for a root entry in a Unix password file. We also see pmatch patterns that match against a packet that makes an HTTP GET request to a web server. The match patterns apply to the current packet in a session and the pmatch patterns apply to the packet that was captured immediately before the one in the current session. To explain this visually, we are looking for occurrences of the following:
GET / HTTP/1.*
1) client -------------------------> server:port 80
Contents of password file:
root:.*:0:0:.*:.*
2) client <------------------------- server:port 80
Our match pattern would focus on the contents in packet 2) and our pmatch pattern would focus on packet 1) payload contents.
NNM Can Match Binary Data
NNM also allows matching against binary patterns. Here is an example plugin that makes use of binary pattern matching to detect the usage of the well-known community string “public” in SNMPv1 response packets (The “#” is used to denote a comment):
###
# SNMPv1 response
#
# Matches on the following:
# 0x30 - ASN.1 header
# 0x02 0x01 0x00 - (integer) (byte length) (SNMP version - 1)
# 0x04 0x06 public - (string) (byte length) (community string - "public")
# 0xa2 - message type - RESPONSE
# 0x02 0x01 0x00 - (integer) (byte length) (error status - 0)
# 0x02 0x01 0x00 - (integer) (byte length) (error index - 0)
###
id=71975
udp
sport=161
name=SNMP public community string
description=The remote host is running an SNMPv1 server that uses a well-known community string - public
bmatch=>0:30
bmatch=>2:020100
bmatch=>5:04067075626c6963a2
bmatch=020100020100
Binary match patterns take the following form:
bmatch=[<>[off]:]<hex>
Binary match starts at <off>’th offset of the packet or at the last <offset> of the packet, depending on the use of > (start) or < (end). <hex> is a hex string we look for.
bmatch=<:ffffffff
This matches any packet whose last four bytes are set to 0xFFFFFFFF.
bmatch=>4:41414141
This matches any packet that contains the string “AAAA” (0x41414141 in hex) starting at its fourth byte.
bmatch=123456789ABCDEF5
This matches any packet that contains the hex string above.
Negative Matches
NNM plugins can also be negated. Here are two examples:
pmatch=!pattern
pbmatch=>0:!414141
In each of these cases, the plugin does not match if the patterns contained in these “not” statements are present. For example, in the first pmatch statement, if the pattern named “pattern” is present, then the plugin does not match. In the second statement, the plugin only matches if the binary pattern “AAA” (the letter “A” in ASCII hex is 0x41) is not present in the first three characters.
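The binary and negative match forms above can be checked offline before a custom .prm file is placed in the plugins directory. The following is an added example, not Tenable code: the names parse_bmatch, bmatch_hits, is_valid_bmatch and snmp_v1 are hypothetical, the SNMP packets are constructed, and it assumes zero-based offsets (as bmatch=>0:30 implies), that < with an offset counts back from the end of the payload, and that ! follows the colon as in the pbmatch example.

```python
import re
from typing import NamedTuple, Optional


class BMatch(NamedTuple):
    anchor: Optional[str]  # '>' = offset from start, '<' = from end, None = anywhere
    offset: int
    negate: bool
    pattern: bytes


_BMATCH = re.compile(r"^(?:([<>])(\d*):)?(!?)([0-9A-Fa-f]+)$")


def parse_bmatch(value: str) -> BMatch:
    """Parse the right-hand side of a bmatch= / pbmatch= line."""
    m = _BMATCH.match(value.strip())
    if m is None:
        raise ValueError(f"not a binary match pattern: {value!r}")
    anchor, off, bang, hexstr = m.groups()
    if len(hexstr) % 2:  # the keyword table requires an even number of characters
        raise ValueError(f"odd number of hex characters: {value!r}")
    return BMatch(anchor, int(off) if off else 0, bang == "!", bytes.fromhex(hexstr))


def is_valid_bmatch(value: str) -> bool:
    """Lint helper: True if the pattern parses."""
    try:
        parse_bmatch(value)
        return True
    except ValueError:
        return False


def bmatch_hits(rule: BMatch, payload: bytes) -> bool:
    """Evaluate one binary match against a packet payload."""
    n = len(rule.pattern)
    if rule.anchor is None:
        found = rule.pattern in payload
    elif rule.anchor == ">":
        found = payload[rule.offset:rule.offset + n] == rule.pattern
    else:  # '<': the pattern ends `offset` bytes before the end of the payload
        end = len(payload) - rule.offset
        found = end - n >= 0 and payload[end - n:end] == rule.pattern
    return found != rule.negate  # '!' inverts the result


def all_bmatch(values, payload: bytes) -> bool:
    """A plugin's binary matches must all hold."""
    return all(bmatch_hits(parse_bmatch(v), payload) for v in values)


def tlv(tag: int, content: bytes) -> bytes:
    """Minimal BER type-length-value encoder (short-form lengths only)."""
    if len(content) > 127:
        raise ValueError("long-form lengths are not needed for this sample")
    return bytes([tag, len(content)]) + content


def snmp_v1(community: bytes, pdu_tag: int) -> bytes:
    """Constructed SNMPv1 message: sysName.0 = "gw1", error status and index 0."""
    varbind = tlv(0x30, tlv(0x06, bytes.fromhex("2b06010201010500")) + tlv(0x04, b"gw1"))
    pdu = tlv(pdu_tag, tlv(0x02, b"\x2a") + tlv(0x02, b"\x00")
              + tlv(0x02, b"\x00") + tlv(0x30, varbind))
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, community) + pdu)


# The four bmatch lines of plugin 71975 shown on this page.
SNMP_PUBLIC_BMATCH = [">0:30", ">2:020100", ">5:04067075626c6963a2", "020100020100"]

if __name__ == "__main__":
    for label, pkt in [("response/public", snmp_v1(b"public", 0xA2)),
                       ("response/private", snmp_v1(b"private", 0xA2)),
                       ("request/public", snmp_v1(b"public", 0xA0))]:
        print(f"{label:17} {pkt.hex()} -> {all_bmatch(SNMP_PUBLIC_BMATCH, pkt)}")
```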
Time Dependent Plugins
The last plugin example shows some more advanced features of the NNM plugin language that allow a plugin to be time dependent as well as make use of the evaluation of other plugins. The plugin shows how NNM detects an anonymous FTP server. Use the NEXT keyword to separate plugins in the plugin file.
id=79200
nooutput
hs_sport=21
name=Anonymous FTP (login: ftp)
pmatch=^USER ftp
match=^331
NEXT #-----------------------------------------------------------
id=79201
dependency=79200
timed-dependency=5
hs_sport=21
name=Anonymous FTP enabled
description=The remote FTP server has anonymous access enabled.
risk=LOW
pmatch=^PASS
match=^230
Since we want to detect an anonymous FTP server, we must look for the following traffic pattern:
USER ftp
1) FTP client -----------------------> FTP server
331 Guest login ok, ...
2) FTP client <----------------------- FTP server
PASS [email protected]
3) FTP client -----------------------> FTP server
230 Logged in
4) FTP client <----------------------- FTP server
Here we cannot use a single plugin to detect this entire session. So, instead we use two plugins: the first plugin looks for packets 1) and 2) and the second plugin looks for packets 3) and 4).
A review of the above plugin shows that plugin 79200 matches 1) and 2) in the session by keying on the patterns “USER ftp” and the 331 return code. Plugin 79201 matches on 3) and 4) by keying on the patterns “PASS” and the 230 return code.
Notice that plugin 79201 contains the following field: dependency=79200. This field indicates that plugin 79200 must evaluate successfully before plugin 79201 may be evaluated.
To complete the plugin for the anonymous FTP session, we must ensure both plugins are evaluating the same FTP session. To do this, we attach a time dependency to plugin 79201. The field timed-dependency=5 indicates that plugin 79200 must evaluate successfully in the last five seconds for 79201 to evaluate. This way, we can ensure that both plugins evaluate the same FTP session.
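How the two plugins chain together can be seen by replaying sessions through a small model of the evaluation. This is an added example, not NNM's own engine: parse_prm, pattern_hits, evaluate and ftp_session are hypothetical names, the sessions are constructed, and the model assumes a plugin is tested against each packet whose source port equals hs_sport, with pmatch applied to the latest packet from the other side.

```python
PLUGIN_FILE = """\
id=79200
nooutput
hs_sport=21
name=Anonymous FTP (login: ftp)
pmatch=^USER ftp
match=^331
NEXT #-----------------------------------------------------------
id=79201
dependency=79200
timed-dependency=5
hs_sport=21
name=Anonymous FTP enabled
description=The remote FTP server has anonymous access enabled.
risk=LOW
pmatch=^PASS
match=^230
"""


def parse_prm(text):
    """Split a .prm file on NEXT lines into dicts; match/pmatch may repeat."""
    plugins, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.split()[0] == "NEXT":
            plugins.append(cur)
            cur = {}
            continue
        key, _, value = line.partition("=")
        if key in ("match", "pmatch"):
            cur.setdefault(key, []).append(value)
        else:
            cur[key] = value  # bare flags such as nooutput map to ""
    if cur:
        plugins.append(cur)
    return plugins


def pattern_hits(pattern, payload):
    """'!' negates, '>' anchors at payload start, '^' at the start of any line."""
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    if pattern.startswith(">"):
        found = payload.startswith(pattern[1:])
    elif pattern.startswith("^"):
        found = any(l.startswith(pattern[1:]) for l in payload.splitlines())
    else:
        found = pattern in payload
    return found != negate


def evaluate(plugins, packets):
    """packets: (time_s, src_port, payload) tuples of ONE session, in order.
    Returns (time, id, name) for every reportable plugin match."""
    last_ok, last_from, reported = {}, {}, []
    for t, sport, payload in packets:
        others = [p for port, p in last_from.items() if port != sport]
        previous = others[-1] if others else None  # other side's latest packet
        for plugin in plugins:
            port = plugin.get("sport") or plugin.get("hs_sport")
            if port and int(port) != sport:
                continue
            dep = plugin.get("dependency")
            if dep is not None:
                if dep not in last_ok:
                    continue  # the required plugin never matched
                window = plugin.get("timed-dependency")
                if window and t - last_ok[dep] > int(window):
                    continue  # it matched, but too long ago
            if not all(pattern_hits(m, payload) for m in plugin.get("match", [])):
                continue
            pm = plugin.get("pmatch", [])
            if pm and (previous is None or not all(pattern_hits(m, previous) for m in pm)):
                continue
            last_ok[plugin["id"]] = t
            if "nooutput" not in plugin:
                reported.append((t, plugin["id"], plugin["name"]))
        last_from[sport] = payload
    return reported


def ftp_session(user, pass_time):
    """Constructed FTP control session; the client sends PASS at pass_time seconds."""
    return [
        (0.0, 50000, f"USER {user}\r\n"),
        (0.1, 21, "331 Guest login ok, send your e-mail address as password.\r\n"),
        (pass_time, 50000, "PASS guest@example.invalid\r\n"),
        (pass_time + 0.2, 21, "230 Logged in\r\n"),
    ]


if __name__ == "__main__":
    rules = parse_prm(PLUGIN_FILE)
    for label, sess in [("anonymous, fast", ftp_session("ftp", 1.0)),
                        ("anonymous, slow", ftp_session("ftp", 9.0)),
                        ("named user", ftp_session("alice", 1.0))]:
        print(f"{label:16} -> {evaluate(rules, sess)}")
```

Only the fast anonymous session is reported: the slow one falls outside the five-second window, and the named-user login never satisfies plugin 79200, so the dependency blocks 79201 even though PASS and 230 are seen.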
Plugin Examples
Basic Example
This plugin illustrates the basic concepts of NNM plugin writing:
id=79873
nid=11414
hs_sport=143
name=IMAP Banner
description=An IMAP server is running on this port. Its banner is :\n %L
risk=NONE
match=OK
match=IMAP
match=server ready
regex=^.*OK.*IMAP.*server ready
This example uses the following fields:
- id - A unique number assigned to this plugin.
- nid - The Nessus ID of the corresponding Nessus NASL script.
- hs_sport - The source port to key on if High Performance mode is enabled.
- name - The name of the plugin.
- description - A description of the problem or service.
- match - The set of match patterns that must be found in the payload of the packet before the regular expression can be evaluated.
- regex - The regular expression to apply to the packet payload.
Tip: The description contains the %L macro. If this plugin evaluates successfully, then the string pattern in the payload that matched the regular expression is stored in %L and prints out at report time.
Complex Example
id=79004
nid=10382
cve=CVE-2000-0318
bid=1144
hs_sport=143
name=Atrium Mercur Mailserver
description=The remote imap server is Mercur Mailserver 3.20. There is a flaw in this server (present up to version 3.20.02) which allow any authenticated user to read any file on the system. This includes other user mailboxes, or any system file. Warning : this flaw has not been actually checked but was deduced from the server banner
solution=There was no solution ready when this vulnerability was written; Please contact the vendor for updates that address this vulnerability.
risk=HIGH
match=>* OK
match=MERCUR
match=IMAP4-Server
regex=^\* OK.*MERCUR IMAP4-Server.*v3\.20\..*$
Tip: The first match pattern makes use of the > symbol. The > symbol indicates that the subsequent string must be at the beginning of the packet payload. Use of the > symbol is encouraged where possible as it is an inexpensive operation.
Case-Insensitive Example
There is a tool called SmartDownLoader that uploads and downloads large files. Unfortunately, versions 0.1 through 1.3 use the capitalization SmartDownloader, versions 1.4 through 2.7 use smartdownloader and versions 2.8 through current use SMARTdownloader. Searching for the various combinations of this text with purely the regex command would cause us to use a statement that looks like this:
regex=[sS][mM][aA][rR][tT][dD]own[lL]oader
However, with the regexi command, the search string is much less complex and less prone to creating an error:
regexi=smartdownloader
By using regexi, we can more quickly match on all three versions as well as future permutations of the string smartdownloader. In a case such as this, regexi is the logical choice.
id=79910
dependency=1442
hs_sport=6789
name=SmartDownLoader Detection
description=The remote host is running SmartDownLoader, a tool for performing rudimentary uploads and downloads of large binary files.
solution=Ensure that this application is in keeping with Corporate policies and guidelines
risk=MEDIUM
family=PeerToPeer
match=ownloader
regexi=smartdownloader
Above is a complete example NNM plugin using the regexi keyword. The use of the match keyword searching for the string ownloader is not a typo. By searching for network sessions that have this string in them first, NNM can avoid invoking the expensive regexi search algorithm unless the ownloader pattern is present.
NNM Real-Time Plugin Syntax
Real-Time Plugin Model
NNM real-time plugins are exactly the same as NNM vulnerability plugins with two exceptions:
- They can occur multiple times.
- Their occurrence may not be recorded as a vulnerability.
For example, an attacker may attempt to retrieve the source code for a Perl script from an Apache web server. If NNM observes this event, it would be logical to send a real-time alert. It would also be logical to mark that the Apache server is potentially vulnerable to some sort of Perl script source code download. In other cases, it may be more logical to just log the attempt as an event, but not a vulnerability. For example, a login failure over FTP is an event that may be worth logging, but does not indicate a vulnerability.
As the real-time plugins are written, there are two keywords that indicate to NNM that these are not regular vulnerability plugins. These are the real-time and realtimeonly keywords.
In the previous example, the FTP user login failure would be marked as a realtimeonly event because we would like real-time alerting, but not a new entry into the vulnerability database.
Real-Time Plugin Keywords
Name    Description
real-time    If a plugin has this keyword, then NNM will generate a SYSLOG message or real-time log file entry the first time this plugin matches. This prevents vulnerabilities that are worm related from causing millions of events. For example, the plugins for the Sasser worm generate only one event. Output from plugins with this keyword will show up in the vulnerability report.
realtimeonly    If a plugin has this keyword, then NNM will generate a SYSLOG message or real-time log file entry each time the plugin evaluates successfully. These plugins never show up in the report file.
track-session    This keyword will cause the contents of a session to be reported (via SYSLOG or the real-time log file) a specified number of times after the plugin containing this keyword was matched. This is an excellent way to discover what a hacker “did next” or possibly what the contents of a retrieved file were real-time.
trigger-dependency    Normally if a plugin has multiple dependencies, then all of those dependencies must be successful for the current plugin to evaluate. However, the trigger-dependency keyword allows a plugin to be evaluated as long as at least one of its dependencies is successful.
Real-Time Plugin Examples
Failed Telnet Login Plugin
The easiest way to learn about NNM real-time plugins is to evaluate some of those included by Tenable. Below is a plugin that detects a failed Telnet login to a FreeBSD server.
# Look for failed logins into a FreeBSD telnet server
id=79400
hs_sport=23
dependency=1903
realtimeonly
name=Failed login attempt
description=NNM detected a failed login attempt to a telnet server
risk=LOW
match=Login incorrect
This plugin has many of the same features as a vulnerability plugin. The ID of the plugin is 79400. The high-speed port is 23. We need to be dependent on plugin 1903 (which detects a Telnet service). The realtimeonly keyword tells NNM that if it observes this pattern, then it should alert on the activity, but not record any vulnerability.
In Tenable.sc, events from NNM are recorded alongside other IDS tools.
Finger User List Enumeration Plugin
The finger daemon is an older Internet protocol that allowed system users to query remote servers to get information about a user on that box. There have been several security holes in this protocol that allowed an attacker to elicit user and system information that could be useful to attackers.
id=79500
dependency=1277
hs_sport=79
track-session=10
realtimeonly
name=App Subversion - Successful finger query to multiple users
description=A response from a known finger daemon was observed which indicated that the attacker was able to retrieve a list of three or more valid user names.
risk=HIGH
match=Directory:
match=Directory:
match=Directory:
This plugin looks for these patterns only on systems where a working finger daemon has been identified (dependency #1277). However, the addition of the track-session keyword means that if this plugin is launched with a value of 10, the session data from the next 10 packets is tracked and logged in either the SYSLOG or real-time log file.
During a normal finger query, if only one valid user is queried, then only one home directory is returned. However, many of the exploits for finger involve querying for users such as NULL, .., or 0. This causes vulnerable finger daemons to return a listing of all users. In that case, this plugin would be activated because of the multiple “Directory:” matches.
Unix Password File Download Web Server Plugin
The plugin below looks for any download from a web server that does not look like HTML traffic, but does look like the contents of a generic Unix password file.
id=79300
dependency=1442
hs_sport=80
track-session=10
realtimeonly
name=Web Subversion - /etc/passwd file obtained
description=A file which looks like a Linux /etc/passwd file was downloaded from a web server.
risk=HIGH
match=!<HTML>
match=!<html>
match=^root:x:0:0:root:/root:/bin/bash
match=^bin:x:1:1:bin:
match=^daemon:x:2:2:daemon:
The plugin is dependent on NNM ID 1442, which detects web servers. The match statements ignore any traffic that contains valid HTML tags and require lines that start with common Unix password file entries.
Generic Buffer Overflow Detection on Windows Plugin
One of NNM’s strongest intrusion detection features is its ability to recognize specific services, and then to look for traffic occurring on those services that should never occur unless they have been compromised. Since NNM can keep track of both sides of a conversation and make decisions based on the content of each, it is ideal to look for Unix and Windows command shells occurring in services that should not have those command shells in them. Here is an example plugin:
# look for Windows error when a user tries to
# switch to a drive that doesn't exist
id=79201
include=services.inc
trigger-dependency
track-session=10
realtimeonly
name=Successful shell attack detected - Failed cd command
description=The results of an unsuccessful attempt to change drives on a Windows machine occurred in a TCP session normally used for a standard service. This may indicate a successful compromise of this service has occurred.
risk=HIGH
pmatch=!>GET
pregexi=cd
match=!>550
match=^The system cannot find the
match=specified.
This plugin uses the include keyword that identifies a file that lists several dozen NNM IDs, which identify well known services such as HTTP, DNS, and NTP. The plugin is not evaluated unless the target host is running one of those services.
The keyword trigger-dependency is needed to ensure the plugin is evaluated even if there is only one match in the services.inc file. Otherwise, NNM evaluates this plugin only if the target host was running all NNM IDs present in the services.inc file. The trigger-dependency keyword says that at least one NNM ID specified by one or more dependency or include rules must be present.
Finally, the logic of plugin detection looks for the following type of response on a Windows system:
In this case, a user has attempted to use the cd command to change directories within a file system and the attempt was not allowed. This is a common event that occurs when a remote hacker compromises a Windows 2000 or Windows 2003 server with a buffer overflow. The NNM plugin looks for a network session that should not be there.
In the plugin logic, there are pmatch and pregexi statements that attempt to ensure that the session is not an HTTP session, and that the previous side of the session contains the string cd.
Tip: The pregexi statement could be expanded to include the trailing space after the “d” character and also the first character.
The plugin then looks for the expected results of the failed cd command. The first match statement makes sure this pattern is not part of the FTP protocol. Looking for “cd” in one side of a session and the error of attempting to change to a directory in an FTP session causes false positives for this plugin. Adding a rule to ignore if a line starts with “550” avoids this. While writing and testing this plugin, Tenable considered having a different set of plugins just for FTP, but the additional filter statement took care of any false positives. Finally, the last two match statements look for the results of the failed change directory attempt. They are spread across two match statements and could have been combined into one regular expression statement, but there was enough content in the basic message to split them into higher-speed matching.
NNM Corporate Policy Plugins
Most companies have an “Acceptable Use Policy” that defines appropriate use of the company’s IT facilities. Often, this policy is abused to some extent since detecting abuse can be difficult.
NNM can help in this regard through use of NNM Corporate Policy plugins. These plugins can be used to look for policy violations and items such as credit card numbers, Social Security numbers, and other sensitive content in motion.
Tenable ships NNM with a large number of plugins that are frequently updated. The primary focus of these plugins is to discover hosts, applications and their related client/server vulnerabilities. To search for a specific plugin, visit http://www.tenable.com/NNM-plugins.
Many of the available plugins already detect activities that would fall into the “Inappropriate Use” category in most companies. Some of the activities that are detected through these plugins include (but are not limited to):
• Game servers
• Botnet clients and servers
• Peer to peer file sharing
• IRC clients and servers
• Chat clients
• Tunneling software or applications like Tor, GoToMyPC, and LogMeIn
Related Information
• Detecting Custom Activity Prohibited by Policy
• Detecting Confidential Data in Motion
Detecting Custom Activity Prohibited by Policy
The plugins provided with NNM are useful for detecting generally inappropriate activities, but there may be times when more specific activities need to be detected. For example, a company may want to generate an alert when email is sent to a competitor’s mail service or if users are managing their Facebook accounts from the corporate network.
Tenable provides the ability for users to write their own custom plugins, as documented in NNM Plugin Syntax. These plugins are saved as prm files.
The following example shows how to create a custom plugin to detect users logging into their Facebook accounts. First, a unique plugin ID is assigned, in this case 79420. So, the first line of our plugin is:
id=79420
Next, we want a description of what the vulnerability detects:
description=The remote client was observed logging into a Facebook account. You should ensure that such behavior is in alignment with corporate policies and guidelines. For your information, the user account was logged as:\n %L
The %L is replaced with the result of the regular expression statement that is created later. We want to log the source address of the offending computer as well as the user ID that was used to log in. Next, we create a distinct name for our plugin.
name=POLICY - Facebook usage detection
Note that the name begins with the string POLICY. This makes all POLICY violations easily searchable from the Tenable.sc interface.
You can also define a Tenable.sc dynamic asset that contains only POLICY violators.
The next field defines a family. For this example, the application is a web browser, so the family ID is defined as follows:
family=Web Clients
Since this is a web browser, a dependency can be assigned that tells NNM to look at only those clients that have been observed surfing the web:
dependency=1735
Furthermore, since we are looking at client traffic, we define:
clientissue
Next, we assign a risk rating for the observed behavior:
risk=MEDIUM
In the final section we create match and regex statements that NNM looks for passively. We want all of these statements to be true before the client is flagged for inappropriate usage:
match=>POST /
The web request must begin with a POST verb. This weeds out all “GET” requests.
match=^Host: *.facebook.com
The statement above ensures that they are posting to a host with a domain of *.facebook.com.
Finally, we have a match and regex statement that detects the user’s login credentials:
match=email=
regex=email=.*%40[^&]+
Altogether, we have a single plugin as follows:
id=79420
family=Web Clients
clientissue
dependency=1735
name=Facebook_Usage
description=The remote client was observed logging into a Facebook account. You should ensure that such behavior is in alignment with Corporate Policies and guidelines. For your information, the user account was logged as:
risk=MEDIUM
solution=Stay off of Facebook.
match=>POST /
match=^Host: *.facebook.com
match=email=
regex=email=.*%40[^&]+
This plugin could be named Facebook.prm and added into the /opt/NNM/var/nnm/plugins/ directory. If Tenable.sc is used to manage one or more NNM systems, use the plugin upload dialog to add the new .prm file.
If you wish to create a policy file that includes multiple checks, use the reserved word NEXT within the policy file. For example:
id=79420
…rest of plugin…
NEXT
id=79421
…etc.
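A pre-upload check for a multi-plugin policy file, as an added example (not Tenable's code): it splits the file on NEXT and flags reused IDs, regex or regexi statements with no match prefilter, and names that do not begin with POLICY. It assumes one statement per line; the second sample entry is constructed and the first has its description shortened.

```python
from collections import Counter

# Plugin 79420 as printed on this page (description shortened), followed by a
# constructed second entry that reuses the ID and lacks a match statement.
SAMPLE_PRM = """\
id=79420
family=Web Clients
clientissue
dependency=1735
name=Facebook_Usage
description=The remote client was observed logging into a Facebook account.
risk=MEDIUM
solution=Stay off of Facebook.
match=>POST /
match=^Host: *.facebook.com
match=email=
regex=email=.*%40[^&]+
NEXT
# constructed entry, not from the guide
id=79420
family=Web Clients
clientissue
dependency=1735
name=POLICY - Webmail usage detection
description=Constructed example entry.
risk=MEDIUM
regexi=webmail
"""


def parse_prm(text):
    """Split a policy file on NEXT; return one list of (key, value) per plugin.

    Bare keywords such as clientissue or realtimeonly get the value None.
    Assumption: every statement sits on a single line.
    """
    plugins, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "NEXT":
            plugins.append(current)
            current = []
            continue
        # Split on the first "=" only, so "match=email=" keeps its value.
        key, sep, value = line.partition("=")
        current.append((key, value if sep else None))
    plugins.append(current)
    return [p for p in plugins if p]


def lint(plugins, policy_file=True):
    """Return (position, id, message) findings for a parsed policy file."""
    findings = []
    id_counts = Counter(v for p in plugins for k, v in p if k == "id")
    for position, plugin in enumerate(plugins, 1):
        keys = {k for k, _ in plugin}
        values = dict(plugin)
        plugin_id = values.get("id")
        if plugin_id is None:
            findings.append((position, None, "missing id"))
        elif id_counts[plugin_id] > 1:
            findings.append((position, plugin_id, "duplicate id"))
        # The guide pairs regexi with a cheap match so that the expensive
        # search only runs on sessions that already contain the literal.
        if keys & {"regex", "regexi"} and "match" not in keys:
            findings.append((position, plugin_id,
                             "regex or regexi without a match prefilter"))
        if policy_file and not (values.get("name") or "").startswith("POLICY"):
            findings.append((position, plugin_id,
                             "name does not start with POLICY"))
    return findings


if __name__ == "__main__":
    for finding in lint(parse_prm(SAMPLE_PRM)):
        print(finding)
```
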
Detecting Confidential Data in Motion
Many organizations want to ensure that confidential data does not leave the network. NNM can aid in this by looking at binary patterns within observed network traffic. If critical documents or data can be tagged with a binary string, such as an MD5 checksum, NNM has the ability to detect these files being passed outside the network. For example:
Create a document that has a binary string of:
0xde1d7f362734c4d71ecc93a23bb5dd4c and 0x747f029fbf8f7e0ade2a6198560c3278
An NNM plugin can then be created to look for this pattern as follows:
id=79580
trigger-dependency
dependency=2004
dependency=2005
hs_dport=25
description=POLICY - Confidential data passed outside the corporate network. The Confidential file don'tshare.doc was just observed leaving the network via email.
name=Confidential file misuse
family=Generic
clientissue
risk=HIGH
bmatch=de1d7f362734c4d71ecc93a23bb5dd4c
bmatch=747f029fbf8f7e0ade2a6198560c3278
These binary codes were created by simply generating md5 hashes of the following strings:
"Copyright 2006 BigCorp, file: don'tshare.doc"
"file: don'tshare.doc"
The security compliance group maintains the list of mappings (confidential file to md5 hash). The md5 hash can be embedded within the binary file and can then be tracked as it traverses the network.
Similar checks can be performed against ASCII strings to detect, for example, if confidential data was cut-and-pasted into an email. Simply create text watermarks that appear benign to the casual observer and map to a specific file name. For example:
"Reference data at \\192.168.0.2\c$\shares\employmentfiles for HR data regarding Jane Mcintyre" could be a string which maps to a file named Finances.xls.
An NNM plugin can look for the string as follows:
id=79581
trigger-dependency
dependency=2004
dependency=2005
hs_dport=25
description=POLICY - Confidential data passed outside the corporate network. Data from the confidential file Finances.xls was just observed leaving the network via email.
name=Confidential file misuse
family=Generic
clientissue
risk=HIGH
match=Reference data at
match=192.168.0.2\c$\shares\employmentfiles
match=for HR data regarding Jane Mcintyre
The two example plugins above (IDs 79580 and 79581) detect files leaving the network via email. Most corporations have a list of ports that are allowed outbound access. SMTP is typically one of these ports. Other ports may include FTP, Messenger client ports (e.g., AIM, Yahoo and ICQ), or Peer2Peer (e.g., GNUTELLA and BitTorrent). Depending on your specific network policy, you may wish to clone plugins 79580 and 79581 to detect these strings on other outbound protocols.
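The watermark workflow described in this section, as an added example (not Tenable's code): it derives the MD5 tags for a file's label strings, renders a plugin on the pattern of 79580, and checks that every tag is actually present in the file before the plugin is deployed. The labels, file name, plugin IDs 79590 and 79591, and the append-to-file embedding are constructed assumptions; the dependency and port lines are copied from plugin 79580.

```python
import hashlib

# Statement layout copied from plugin 79580 on this page.
PLUGIN_TEMPLATE = """id={plugin_id}
trigger-dependency
dependency=2004
dependency=2005
hs_dport=25
description=POLICY - Confidential data passed outside the corporate network. \
The confidential file {filename} was just observed leaving the network via email.
name=Confidential file misuse
family=Generic
clientissue
risk=HIGH
{bmatches}"""

# Constructed label strings, following the two-label scheme shown above.
LABELS = [
    "Copyright 2021 ExampleCorp, file: roadmap.docx",
    "file: roadmap.docx",
]


def watermark(label):
    """Hex MD5 of a label string; used only as a 16-byte tag, as on the page."""
    return hashlib.md5(label.encode("utf-8")).hexdigest()


def embed(document, label):
    """Append the raw 16-byte tag to a byte buffer.

    Assumption for the demo: real file formats need a format-aware place
    for the tag (a metadata field, for instance).
    """
    return document + bytes.fromhex(watermark(label))


def build_plugin(plugin_id, filename, labels):
    """Render one plugin with a bmatch line per label."""
    bmatches = "\n".join("bmatch=" + watermark(label) for label in labels)
    return PLUGIN_TEMPLATE.format(
        plugin_id=plugin_id, filename=filename, bmatches=bmatches)


def build_policy_file(plugins):
    """Join several rendered plugins with the reserved word NEXT."""
    return "\nNEXT\n".join(plugins) + "\n"


def missing_watermarks(data, labels):
    """Return the labels whose raw tag bytes are absent from the file data.

    A plugin that lists a tag the file does not carry never sees all of
    its patterns, so run this before deploying the plugin.
    """
    return [l for l in labels if bytes.fromhex(watermark(l)) not in data]


if __name__ == "__main__":
    tagged = b"constructed document body"
    for label in LABELS:
        tagged = embed(tagged, label)
    print("missing tags:", missing_watermarks(tagged, LABELS))
    print(build_policy_file([build_plugin(79590, "roadmap.docx", LABELS)]))
```
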
Working with Tenable.sc
NNM can operate under the control of Tenable.sc, which provides NNM with passive vulnerability data and retrieves scanned data. Tenable.sc has a variety of reporting, remediation, and notification mechanisms to efficiently distribute vulnerability information across large enterprises. In addition, it can also control a distributed set of Nessus active vulnerability scanners. By combining active and passive vulnerability scanning, Tenable.sc can be used to efficiently and accurately manage security across large networks.
This section contains the following information about NNM integration with Tenable.sc.
• Managing Vulnerabilities
• Updating the NNM Management Interface
Managing Vulnerabilities
Tenable.sc displays a summary of vulnerabilities detected by NNM. These vulnerabilities can be independently viewed by many different users with different access control. Tenable.sc also allows security managers to issue recommendations that help guide network administrators as to which vulnerabilities should be mitigated.
For more information, see the Tenable.sc User Guide.
NNM is Real-Time
Since NNM’s vulnerability data is constantly fed into Tenable.sc and NNM’s plugins are updated by Tenable®, the accuracy of the passive vulnerability data in Tenable.sc greatly enhances the quality of the security information available to Tenable.sc users.
Offline NNM Plugin Update in Tenable.sc
To perform an offline NNM plugin update:
1. If not already in place, install an NNM scanner on the same host as Tenable.sc. It does not need to be started or otherwise configured.
2. To prevent the NNM scanner from starting automatically upon restarting the system, run the following command:
# /sbin/systemctl disable nnm
3. Run the following command and save the challenge string that is displayed:
# /opt/nnm/bin/nnm --challenge
4. Do one of the following:
• If you are using PVS versions 4.2.1 to 5.3.x, in your browser, navigate to https://plugins.nessus.org/v2/offline-pvs.php.
• If you are using NNM versions 5.4.x or later, in your browser, navigate to https://plugins.nessus.org/v2/offline-nnm.php.
5. Paste the challenge string from Step 3 and your Activation Code in the appropriate boxes on the web page.
6. Click Submit.
7. On the next page, copy the link that starts with https://plugins.nessus.org/v2/... and bookmark it in your browser. The other information on the page is not relevant for use with Tenable.sc.
8. Click the bookmarked link.
The page prompts you to download a file.
9. Download the file, which is called sc-passive.tar.gz.
10. Save the sc-passive.tar.gz on the system used to access your Tenable.sc GUI.
Note: Access the NNM feed setting and change the activation from offline to Tenable.sc.
11. (missing or bad snippet)
12. Click System > Configuration.
The Configuration page appears.
13. Click Plugins/Feed.
The Plugins/Feed Configuration page appears.
14. In the Schedules section, expand the Passive Plugins options.
15. Click Choose File and browse to the saved sc-passive.tar.gz file.
16. Click Submit.
After several minutes, the plugin update finishes and the page updates the Last Updated date and time.
Tenable.sc Troubleshooting
NNM server does not appear to be operational
1. (missing or bad snippet)
2. Verify that the NNM server appears as Unable to Connect under Status.
3. SSH to the remote NNM host to make sure the underlying operating system is operational.
4. Confirm that the NNM is running (Linux example below):
# service nnm status
NNM is stopped
NNM Proxy (pid 3142) is running
#
5. If the NNM service is not running, start the service:
# service nnm start
Starting NNM Proxy [ OK ]
Starting NNM [ OK ]
#
Cannot add an NNM server
1. Confirm that the NNM proxy is listening on the same port as Tenable.sc (port 8835 by default):
# ss -pan | grep 8835
tcp 0 0 0.0.0.0:8835 0.0.0.0:* LISTEN 406/nnm
2. Check connectivity by telnetting from the Tenable.sc console into the NNM server on port 8835 (the NNM listening port). If successful, the response includes: Escape character is '^]'.
No vulnerabilities are being received from the NNM server
1. Ensure that the NNM service is running on the NNM host.
2. Ensure that the NNM appears in Tenable.sc under Resources > Passive Scanners and that the status of the NNM appears as Working.
3. Click Edit to ensure that the IP address or hostname, port, username, password, and selected repositories for the NNM are correct.
4. Edit any incorrect entries to their correct state.
5. Click Submit to attempt to reinitialize the NNM scanning interface.
NNM plugins fail to update
1. Manually test a plugin update under Plugins with Update Plugins.
If successful, Passive Plugins Last Updated updates to the current date and time.
2. Ensure that the Tenable.sc host allows outbound HTTPS connectivity to the NNM Plugin Update Site.
3. For all other NNM plugin update issues, contact Tenable Support.
Syslog Messages
NNM provides options to send real-time and vulnerability data as Syslog messages. This section describes the available Syslog message types:
• Standard Syslog Message Types
• CEF Syslog Message Types
Standard Syslog Message Types
Message Types
• Syslog message format for real-time Syslog entries generated by realtimeonly PRMs:
<priority>timestamp nnm: src_ip:src_port|dst_ip:dst_port|protocol|plugin_id|plugin_name|matched_text_current_packet|matched_text_previous_packet|risk
• Syslog message format for vulnerability and real-time Syslog entries generated by PASLs, PRMs, and internal plugins:
<priority>timestamp nnm: src_ip:src_port|dst_ip:dst_port|protocol|plugin_id|plugin_name|plugin_description|plugin_output|risk
Message Fields
Name    Description
dst_ip    Displays the destination IP address for reported traffic.
dst_port    Displays the destination port for reported traffic.
matched_text_current_packet    Reports the payload, causing a match in the packet to trigger the NNM event.
matched_text_previous_packet    Reports the payload that was observed prior to the payload in the matched_text_current_packet field.
plugin_id    Displays the reported NNM plugin or PASL ID triggered by reported traffic.
plugin_name    Displays the name of the NNM plugin or PASL ID triggered by reported traffic.
plugin_output    Displays dynamic data for a given vulnerability or event. This field may be empty if there is no plugin-specific data.
priority    Displays the Syslog facility level of the message.
protocol    Reports the integer value for the protocol used for the reported traffic.
risk    Displays the associated risk level of the reported vulnerability. This can be NONE, LOW, MEDIUM, HIGH, CRITICAL, or INFO.
src_ip    Displays the source IP address reported for the traffic.
src_port    Displays the source port for the reported traffic.
timestamp    Displays the date and time of the Syslog message.
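A parser for the two standard message formats above, as an added example (not Tenable's code), for feeding NNM events into detection tooling. The sample lines, their timestamp style and the priority values are constructed; fields 6 and 7 are named detail_1 and detail_2 because their meaning depends on which of the two formats the message uses.

```python
import re
from dataclasses import dataclass

# <priority>timestamp nnm: body  (timestamp layout is not fixed by the guide)
HEADER = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>.*?) nnm: (?P<body>.*)$", re.S)
RISKS = {"NONE", "LOW", "MEDIUM", "HIGH", "CRITICAL", "INFO"}

# Constructed sample input: two NNM events and one unrelated syslog line.
SAMPLE_LINES = [
    "<36>Jan 14 10:02:11 nnm: 198.51.100.7:23|192.0.2.10:51544|6|79400|"
    "Failed login attempt|Login incorrect|Password:|LOW",
    "<33>Jan 14 10:05:42 nnm: 198.51.100.20:80|192.0.2.44:49812|6|79300|"
    "Web Subversion - /etc/passwd file obtained|"
    "root:x:0:0:root:/root:/bin/bash|GET /view?f=a|b HTTP/1.1|HIGH",
    "<13>Jan 14 10:06:00 sshd[811]: session opened",
]


@dataclass
class NnmEvent:
    facility: int
    severity: int
    timestamp: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: int
    plugin_id: int
    plugin_name: str
    detail_1: str  # matched_text_current_packet or plugin_description
    detail_2: str  # matched_text_previous_packet or plugin_output
    risk: str


def split_endpoint(text):
    """Split ip:port on the last colon so IPv6 addresses survive."""
    ip, sep, port = text.rpartition(":")
    if not sep:
        raise ValueError("endpoint without port: %r" % text)
    return ip, int(port)


def parse_nnm_syslog(line):
    """Parse one standard NNM syslog line; raise ValueError if malformed."""
    m = HEADER.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an NNM standard syslog message")
    pri = int(m.group("pri"))
    head = m.group("body").split("|", 5)
    if len(head) != 6:
        raise ValueError("too few fields")
    src, dst, proto, plugin_id, name, rest = head
    # Captured payload may itself contain "|", so take risk from the right
    # and cut the remainder at its first "|". A pipe inside field 6 stays
    # ambiguous; that is a limit of the format, not of this parser.
    middle, sep, risk = rest.rpartition("|")
    if not sep or risk not in RISKS:
        raise ValueError("missing or unknown risk field")
    detail_1, sep, detail_2 = middle.partition("|")
    if not sep:
        raise ValueError("too few fields")
    return NnmEvent(pri >> 3, pri & 7, m.group("ts"),
                    *split_endpoint(src), *split_endpoint(dst),
                    int(proto), int(plugin_id), name,
                    detail_1, detail_2, risk)


def high_risk(lines):
    """Return HIGH and CRITICAL events, skipping lines that do not parse."""
    events = []
    for line in lines:
        try:
            event = parse_nnm_syslog(line)
        except ValueError:
            continue
        if event.risk in ("HIGH", "CRITICAL"):
            events.append(event)
    return events


if __name__ == "__main__":
    for event in high_risk(SAMPLE_LINES):
        print(event.plugin_id, event.plugin_name, event.src_ip, event.dst_ip)
```
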
CEF Syslog Message Types
Message Type
Syslog message format for vulnerability and real-time Syslog entries generated by PASLs, PRMs, and internal plugins:
timestamp CEF: Version|Device Vendor|Device Product|Device Version|SignatureID|Name|Severity|Extension
Message Fields
Name    Description
Device Product    Displays the name of the product on the detected sending device.
Device Vendor    Displays the vendor of the product on the detected sending device.
Device Version    Displays the version of the product on the detected sending device.
Extension    Displays key-value pairs for one or more of the following additional fields: src, dst, spt, dpt, proto, and msg.
Name    Displays the name of the NNM plugin or PASL ID triggered by the reported traffic.
Severity    Displays the associated severity level of the reported vulnerability.
SignatureID    Displays the reported NNM plugin or PASL ID triggered by the reported traffic.
timestamp    Displays the date and time of the Syslog message.
Version    Displays the version of the CEF format version.
Custom SSL Certificates
By default, NNM is installed and managed using HTTPS and SSL support and uses port 8835. Default installations of NNM use a self-signed SSL certificate.
To avoid browser warnings, use a custom SSL certificate specific to your organization. During the installation, NNM creates two files that make up the certificate: servercert.pem and serverkey.pem. You must replace these files with certificate files generated by your organization or a trusted CA.
Before replacing the certificate files, stop the NNM server. Replace the two files and re-start the NNM server. If the certificate was generated by a trusted CA, subsequent connections to the scanner do not display an error.
Certificate File Locations
Operating System    Directory
Linux    /opt/nnm/var/nnm/ssl/servercert.pem
         /opt/nnm/var/nnm/ssl/serverkey.pem
Windows    C:\ProgramData\Tenable\NNM\nnm\ssl\servercert.pem
           C:\ProgramData\Tenable\NNM\nnm\ssl\serverkey.pem
macOS    /Library/NNM/var/nnm/ssl/servercert.pem
         /Library/NNM/var/nnm/ssl/serverkey.pem
Optionally, you can use the /getcert switch to install the root CA in your browser, which removes the warning:
https://<IP address>:8835/getcert
To set up an intermediate certificate chain, place a file named serverchain.pem in the same directory as the servercert.pem file.
This file must contain the 1-n intermediate certificates (concatenated public certificates) necessary to construct the full certificate chain from the NNM server to its ultimate root certificate (one trusted by the user’s browser).
SSL Client Certificate Authentication
NNM supports use of SSL client certificate authentication. When the browser is configured for this method, the use of SSL client certificates is allowed.
NNM allows for password-based or SSL Certificate authentication methods for user accounts. When creating a user for SSL certificate authentication, use the NNM-make-cert-client utility through the command line on the NNM server.
Configure NNM for Certificates
To allow SSL certificate authentication, you must first configure the NNM web server with a server certificate and CA.
This process allows the web server to trust certificates created by the CA for authentication purposes. Generated files related to certificates must be owned by root:root and, by default, have the correct permissions.
This section contains the following instructions:
• Create a Custom CA and Server Certificate
• Create NNM SSL Certificates for Login
• Connect to NNM with a User Certificate
Create a Custom CA and Server Certificate
To create a custom CA and server certificate:
1. Optionally, create a new custom CA and server certificate for the NNM server using the NNM-make-cert command. This places the certificates in the correct directories.
2. When prompted for the host name, type the DNS name or IP address of the server in the browser (e.g., https://hostname:8835/ or https://ipaddress:8835/). The default certificate uses the host name.
3. If you wish to use a CA certificate instead of the NNM generated one, make a copy of the self-signed CA certificate using the appropriate command for your OS:
Operating System    Command
Linux               # cp /opt/nnm/var/nnm/ssl/cacert.pem /opt/nnm/var/nnm/ssl/ORIGcacert.pem
Windows             copy \ProgramData\Tenable\NNM\nnm\ssl\cacert.pem C:\ProgramData\Tenable\NNM\nnm\ssl\ORIGcacert.pem
macOS               # cp /Library/NNM/var/nnm/ssl/cacert.pem /Library/NNM/var/nnm/ssl/ORIGcacert.pem
4. If the authentication certificates are created by a CA other than the NNM server, the CA certificate must be installed on the NNM server. Copy the organization's CA certificate to the appropriate location for your OS:
Operating System    File Location
Linux               /opt/nnm/var/nnm/ssl/cacert.pem
Windows             C:\ProgramData\Tenable\NNM\nnm\ssl\cacert.pem
macOS               /Library/NNM/var/nnm/ssl/cacert.pem
5. Once the CA is in place, restart the NNM services.
6. After NNM is configured with the proper CA certificate(s), users may log in to NNM using SSL client certificates.
Create NNM SSL Certificates for Login
You can log in to an NNM server with SSL certificates. Once certificate authentication is enabled, username and password login is disabled. You must create the certificates using the nnm-make-cert command.
Note: When asked if you want to create a server certificate, select no to be prompted for the user certificate information.
To create NNM SSL certificates for login:
1. On the NNM server, run the nnm-make-cert command.
Operating System    Command
Linux               # /opt/nnm/bin/nnm-make-cert
Windows             C:\Program Files\Tenable\NNM\nnm-make-cert
macOS               # /Library/NNM/bin/nnm-make-cert
2. Configure the client certificate by answering the various questions.
Two files, the certificate and the key, are created in the temporary directory.
Operating System    Directory
Linux               /tmp/
Windows             C:\users\<username>\AppData\Local\Temp, where <username> is the user currently logged in.
macOS               /tmp/
3. Combine and export the certificate and key file into a format that can be imported into the web browser, such as .pfx.
In the following example where the username is admin, the files cert_admin.pem and key_admin.pem are combined into the file combined_admin.pfx.
Note: The username you type must correspond with an existing username in NNM. By default, NNM has only one administrative user. If you add another administrative user, then you can use more than one certificate.
openssl pkcs12 -export -out combined_admin.pfx -inkey key_admin.pem -in cert_admin.pem -chain -CAfile /opt/nnm/var/nnm/ssl/cacert.pem -passout 'pass:password' -name 'NNM User Certificate for: admin'
The resulting file is created in the directory from which the command was launched.
4. Import the combined file into the web browser's personal certificate store.
5. Configure the NNM server for certificate authentication using the appropriate command for your operating system.
Once certificate authentication is enabled, username and password login is disabled.
Operating System    Command
Linux               # /opt/nnm/bin/nnm --config "Enable SSL Client Certificate Authentication" "1"
Windows             C:\Program Files\Tenable\NNM\nnm --config "Enable SSL Client Certificate Authentication" "1"
macOS               # /Library/NNM/bin/nnm --config "Enable SSL Client Certificate Authentication" "1"
Connect to NNM with a User Certificate
To connect to NNM with a user certificate:
1. In a web browser, navigate to https://<ip address or hostname>:8835.
The browser displays a list of available certificates.
2. Select the appropriate certificate.
The certificate becomes available for the current NNM session.
3. Click the Sign In button.
You are automatically logged in as the designated user and NNM can be used normally.
Note: If you log out of NNM, the standard NNM login screen appears. If you want to log in with the same certificate, refresh your browser. If you want to use a different certificate, restart your browser session.