
Customer Portal - Vulnerability Scanner

NetWatcher uses the popular open source “OpenVAS” vulnerability scanner. The scanner is accompanied by a regularly updated feed of Network Vulnerability Tests (NVTs).

The OpenVAS project maintains a public feed of Network Vulnerability Tests (NVTs). It contains more than 47,000 NVTs, and the number grows continuously. This feed is configured as the default for OpenVAS. You can find the feed here along with an NVT OID lookup tool.

There are several types of scan configs you can choose from (and you can also add your own). The scan config determines how thorough the scan will be and how long the scan will take. The scan configs are as follows:

  • Discovery - Uses only the NVTs that gather as much information as possible about the target system. No vulnerabilities are detected.
  • Host Discovery - Uses only the NVTs that discover target systems. This scan reports only the list of systems discovered.
  • System Discovery - Uses only the NVTs that discover target systems, including the installed operating systems and the hardware in use.
  • Full and Fast - This is the default and, for many environments, the best option to start with. This configuration is based on the information gathered in the prior port scan and uses almost all NVTs. Only NVTs that will not damage the target system are used. Plugins are optimized in the best possible way to keep the potential false negative rate especially low. The other configurations provide more value only in rare cases, and at the cost of much more effort.
  • Full and fast ultimate - This configuration expands the Full and Fast configuration with NVTs that could disrupt services or systems or even cause shutdowns.
  • Full and very deep - This configuration differs from Full and Fast in that the results of the port scan have no impact on the selection of NVTs. NVTs that have to wait for a timeout will therefore be used. This scan is very slow.
  • Full and very deep ultimate - This configuration adds the dangerous NVTs that could cause service or system disruptions to the Full and very deep configuration.

Note on destructive tests: The difference between passive/active, non-destructive/destructive testing is typically illustrated by comparing the concepts of "vulnerability assessment" to "penetration testing": http://seclists.org/pen-test/2006/Aug/91 Unfortunately, as you'll read about in the above discussion, there is sometimes overlap in whether an activity is considered destructive. This overlap is why these profiles differentiate destructive/non-destructive tests.


Scheduling a Scan

In the Customer Portal, go to the "Advanced" tab, select the "Scanning" button, and then choose "Create Scan Job".

scan1.png

Creating a new scan job

When you create a scan, give it a Name and a Description so that you remember why you ran it and can rerun it in the future. You also need to choose the sensor that will run the scan, the scan config, the scheduling, and a target. In the example below we scanned a range of IP addresses using the "Full and Fast" scan (note the CIDR notation). You can also choose credentials for the scan if required; for this scan we won't need credentials. Finally, note the Scan Now checkbox: if you un-check this box you can schedule a future scan.

scan2.png

Once the scan starts running you can see its progress under the "Scan jobs" tab. Once the scan is complete ("Status = Done") you can view the scan under "Actions".

scan3.png

scan4.png

If you click on the number of vulnerabilities you can see a list of the issues.  Also note the action to Generate a PDF Report.

scan5.png

Event Detail

If you click on a vulnerability you will see the detail like the following:

scan6.png

You can see the details of the vulnerability by taking the CVE referenced above and checking the MITRE database found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0482

You can see the OID reference here. For the old Nessus IDs you can search their plugins via this URL: https://www.tenable.com/plugins/index.php?view=single&id=11902 (where 11902 is the reference to the NVT in the OID).
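
The two lookups above can be scripted when triaging many findings. The following is an added example, not NetWatcher or OpenVAS code: it takes an NVT OID and the CVE names from a finding and builds the same MITRE and Tenable URLs shown on this page. The function names and the sample finding are assumptions made for illustration, and the OID prefix is the one OpenVAS NVTs are published under.

```python
import re
from urllib.parse import urlencode

# OpenVAS NVT OIDs share this prefix; the last arc is the NVT's numeric ID.
OPENVAS_NVT_PREFIX = "1.3.6.1.4.1.25623.1.0."
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def nvt_id_from_oid(oid):
    """Return the trailing numeric ID of an OpenVAS NVT OID (hypothetical helper)."""
    oid = oid.strip()
    if not oid.startswith(OPENVAS_NVT_PREFIX):
        raise ValueError("not an OpenVAS NVT OID: %r" % oid)
    tail = oid[len(OPENVAS_NVT_PREFIX):]
    if not re.fullmatch(r"[0-9]+", tail):
        raise ValueError("NVT OID does not end in a numeric ID: %r" % oid)
    return int(tail)

def reference_links(oid, cves):
    """Build lookup URLs for one finding; malformed CVE names are set aside."""
    nvt_id = nvt_id_from_oid(oid)
    links = {
        "nvt_id": nvt_id,
        # Only meaningful for old NVTs whose ID matches a Nessus plugin ID;
        # the code cannot tell whether that is the case for a given ID.
        "tenable_plugin": "https://www.tenable.com/plugins/index.php?"
                          + urlencode({"view": "single", "id": nvt_id}),
        "cve": {},
        "rejected": [],
    }
    for raw in cves:
        name = raw.strip().upper()
        if CVE_RE.fullmatch(name):
            links["cve"][name] = ("http://cve.mitre.org/cgi-bin/cvename.cgi?"
                                  + urlencode({"name": name}))
        else:
            # Never place an unvalidated string from a report into a URL.
            links["rejected"].append(raw)
    return links

if __name__ == "__main__":
    # Constructed sample finding that reuses the two identifiers quoted on this page.
    sample = reference_links("1.3.6.1.4.1.25623.1.0.11902",
                             ["cve-2000-0482", "CVE-2000-0482&x=1"])
    for key, value in sample.items():
        print(key, "=", value)
```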

Create a scan job report

On the scan job details page, if you choose "Generate PDF" for the scan you can see all the vulnerabilities in a report. You will find the report under the "Reports" tab.

scan7.png

If you download the report it will look like the following:

scan8.png

 

 

Add credentials for scanning

If you want to add credentials to log in to an asset and scan it with authentication, go to your user profile (choose your name in the upper right-hand corner). Add the login username and password, choose the asset to assign the credentials to in one of the asset choices, and save the record.

scan9.png

 

Viewing scan vulnerabilities as events

Each vulnerability found also creates an event that can be searched and used for alarm correlation. To view the vulnerability events found by the scan, do a simple search under the "Advanced" tab like the following:

scan10.png

 
