This page concerns running scans and managing scan engines.
Nexpose is sending out hundreds of e-mails during a scan. Why is it doing this, and what can I do to stop it?
The Web spider performs a number of tests, such as SQL injection tests, that involve repeatedly submitting Web application forms. After Nexpose submits a form, it can no longer see what is happening on the target server or database. Without that feedback, Nexpose simply continues its testing process. If a target application does not have mechanisms for limiting excessive submissions or for scrubbing submissions that contain inappropriate characters, such as special characters or symbols, it will simply keep posting the submissions. If the posting method is e-mail, these tests can trigger a high volume of e-mails in a short period.
An excessive number of postings can result in a denial of service. You can configure the Web spider to avoid pages that are susceptible to this problem. Specify these pages in the robots.txt file or modify the scan template to exclude certain paths. See Configuring Web spidering.
Note also that allowing a user to submit a form approximately 100 times within a short time span is a vulnerability in and of itself.
You should also contact your Web administrator to set up controls for scrubbing form data and limiting submissions.
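The submission-limiting control recommended above, as an added example that is not part of the Nexpose documentation: a per-client sliding-window limiter for a form endpoint. The limit of 100 submissions comes from the note above; the 60-second window, the client-IP key and the simulated spider burst are assumptions.

```python
"""Per-client sliding-window limit on form submissions (added example)."""
from collections import deque
from typing import Callable, Deque, Dict
import time


class FormSubmissionLimiter:
    """Allow at most `limit` submissions per `window_seconds` for each client key."""

    def __init__(self, limit: int = 100, window_seconds: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.limit = limit
        self.window = window_seconds
        self.clock = clock  # injectable clock so the behaviour is testable offline
        self._hits: Dict[str, Deque[float]] = {}

    def allow(self, client_key: str) -> bool:
        """Record one attempt; return False once the client exceeds the limit."""
        now = self.clock()
        hits = self._hits.setdefault(client_key, deque())
        # Forget timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False  # over budget: reject before any mail is sent
        hits.append(now)
        return True


def simulate_spider_burst(attempts: int, limit: int = 100,
                          window_seconds: float = 60.0) -> dict:
    """Drive the limiter with a constructed burst from one client, one form
    post every 0.1 s, and count how many would reach the mail handler."""
    ticks = [0.0]
    limiter = FormSubmissionLimiter(limit, window_seconds, lambda: ticks[0])
    accepted = rejected = 0
    for _ in range(attempts):
        # 203.0.113.10 is a constructed (TEST-NET-3) client address.
        if limiter.allow("203.0.113.10"):
            accepted += 1
        else:
            rejected += 1
        ticks[0] += 0.1
    return {"accepted": accepted, "rejected": rejected}


if __name__ == "__main__":
    print(simulate_spider_burst(500))  # {'accepted': 100, 'rejected': 400}
```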
How does Nexpose perform discovery scans?
Discovery scans occur in two sequential phases: device discovery and service discovery.
Device, or asset discovery
During this initial phase, Nexpose sends connection requests to target assets to verify that they are alive and available for scanning. Nexpose uses any of three methods to contact these assets:
Service discovery
Nexpose also uses different methods for performing TCP service discovery. It can send packets with the SYN flag, or SYN+RST, or SYN+FIN, or SYN+ECE. If it receives a SYN response, the port is open. If it receives an RST response, Nexpose considers the port closed.
You can configure which methods Nexpose uses for the discovery scan phases. See Configuring asset discovery and Configuring service discovery.
What are the network and port requirements for Nexpose to function properly?
The Nexpose Security Console communicates over the network to perform four major activities:
| Activity | Type of communication |
|---|---|
| Manage scan activity on Nexpose Scan Engines and pull scan data from them | Outbound; scan engines listen on port 40814 |
| Download vulnerability checks and feature updates from a server at updates.rapid7.com | Outbound; server listens on port 80 |
| Upload PGP-encrypted diagnostic information to a server at support.rapid7.com | Outbound; server listens on port 443 |
| Provide Web interface access to Nexpose users | Inbound; console accepts HTTPS requests on port 3780 |
Nexpose Scan Engines contact target assets using TCP, UDP, and ICMP to perform scans. Scan engines do not initiate outbound communication with the Nexpose Security Console.
Ideally there should be no firewalls or similar devices between a scan engine and its target assets. See the following topic.
Scanning may also require some flexibility in security policies. For more information, see the administrator's guide. You can download this document from the Support page.
What changes do I need to make on my Windows firewall to allow Nexpose to scan accurately?
In a domain-joined environment, you must enable two group policy settings:
In a standalone environment, you must start Remote Registry to allow Nexpose to fingerprint remote scan targets accurately.
You must also enable two standard profile settings:
Windows Vista requires additional steps:
For detailed instructions on how to perform these steps, consult appropriate Microsoft documentation.
When I run the Linux top command, why does it appear that Nexpose is using all available memory even after the scan is complete?
The host that is running Nexpose uses all memory allocated to the Java Virtual Machine (JVM) for scanning and for any Nexpose system functions. This is important to keep in mind when using RAM to optimize scan performance. The allocated memory is not released unless Nexpose restarts, so the top command is not a reliable way to monitor memory use in Nexpose.
How do I create a scan template that checks for only one vulnerability?*
When you are creating or modifying a scan template, go to the Vulnerabilities page of the configuration wizard and enable the vulnerability that you want Nexpose to check. When you enable a specific vulnerability check, all other checks are disabled.
What does it mean when I see the messages "Paused by System" and "Not enough memory to complete scan" during a scan?*
Nexpose pauses scans and stops report generation when the memory on the Security Console host server is dangerously low. This reduces the possibility of the server failing. However, it may cause the Security Console to stop scans or reporting activities before they are complete. If you are seeing these messages, then your host system is running low on memory.
To lower the likelihood of scans being paused for this reason, try running fewer simultaneous scans or lowering the number of scan threads allocated by your scan template.
If these changes do not help you complete your scans, contact Rapid7 Technical Support.
Why are my scans hanging or causing printers to crash during vulnerability checks on printers?*
Printers are known to have HTTP services that may freeze scans or cause other unwanted results during scans. You can mitigate this problem with two steps:
Why can't I see incremental scan data for a current scan job?
By default, Nexpose retrieves incremental results only from a local scan engine, which runs on the same host as the Nexpose Security Console; results from a remote engine are displayed as a full set after the scan has completed. You can configure Nexpose to retrieve incremental scan results from remote scan engines.
Why are my scan results showing all devices as "Alive" or all devices as "Dead"?
In security-conscious environments, it's not uncommon to have a firewall that provides SYN flood protection, which prevents devices like Nexpose from performing accurate port scanning and host discovery. One way to mitigate this problem is to reduce the port scanning speed in the scan template so that the SYN flood protection is not triggered. The drawback is that scanning will take much longer than expected. A better solution is to configure the firewall to "whitelist" Nexpose, which makes it possible for Nexpose to scan reliably at normal speeds.
Note: This topic involves features that are only available in the Enterprise version of Nexpose.