Nessus Network Monitor 5.7.x User Guide Last Updated: January 14, 2021

NNM 5.7 User Guide · Nessus Network Monitor 5.7.x User Guide. Last Updated: July 01, 2020.

Table of Contents

Welcome to Nessus Network Monitor
Get Started with NNM
System Requirements
NNM Hardware Requirements
NNM Software Requirements
NNM Licensing Requirements
Download NNM
Install NNM
Upgrade NNM
Upgrade NNM on Linux
Upgrade NNM on Windows
Upgrade NNM on macOS
Set up NNM
Configure NNM
Register NNM Offline via the NNM Interface
Register NNM Offline via the CLI
Register High Performance Mode NNM for Tenable.sc in an Air-gapped Environment
Configure High Performance Mode
Configure NNM in High Performance Mode on Hyper-V
Configure Hyper-V NIC in Promiscuous Mode
Remove NNM
Remove NNM from Linux

Copyright © 2021 Tenable, Inc. All rights reserved. Tenable, Tenable.io, Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable.sc, Tenable.ot, Lumin, Indegy, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

Remove NNM from Windows
Remove NNM from macOS
NNM Navigation
Monitoring Page
Dashboards Section
Rearrange Charts
Refresh a Chart
Set a Date Range for the Dashboards Section
Remove a Chart from a Dashboard
Hosts Section
Vulnerabilities Section
Delete a Vulnerability
Applications Section
Operating Systems Section
Connections Section
Mobile Devices Section
Filter Monitoring Results
Export Monitoring Results
Launch a Nessus Scan
Results Page
Upload a Report
Upload a Pcap
Filter Results
Delete Results

Users Page
Create a New User
Modify a User Account
Reset a Locked Account
Delete a User
Configuration Page
NNM Settings Section
Configure the Performance Mode
Feed Settings Section
Download New Vulnerability Plugins
Updating the NNM Management Interface
Cloud Settings Section
Industrial Security Settings Section
Web Proxy Settings Section
Chart Settings Section
Create a Custom Chart
Delete a Chart
Email Settings Section
Create an Email Notification
Delete an Email Notification
Plugin Settings Section
Add a Plugin Field
Delete a Custom Plugin
Nessus Scanner Settings Section

Add a Nessus Scanner
Delete a Nessus Scanner
Additional Resources
Command Line Operations
Common Command Line Operations
Linux Command Line Operations
Windows Command Line Operations
macOS Command Line Operations
Unknown or Customized Ports
Real-Time Traffic Analysis Configuration Theory
Focus Network
Detecting Server and Client Ports
Detecting Specific Server and Client Port Usage
Firewall Rules
Working with Tenable.sc
Selecting Rule Libraries and Filtering Rules
Detecting Encrypted and Interactive Sessions
Routes and Hop Distance
Alerting
Modules
Connection Analysis Module
Configure NNM for use with Industrial Security
Internal NNM Plugin IDs
NNM Plugins

About NNM Plugins
NNM Fingerprinting
NNM Plugin Syntax
Network Client Detection
Pattern Matching
Time Dependent Plugins
Plugin Examples
NNM Real-Time Plugin Syntax
Real-Time Plugin Examples
NNM Corporate Policy Plugins
Detecting Custom Activity Prohibited by Policy
Detecting Confidential Data in Motion
Working with Tenable.sc
Managing Vulnerabilities
Offline NNM Plugin Update in Tenable.sc
Tenable.sc Troubleshooting
Syslog Messages
Standard Syslog Message Types
CEF Syslog Message Types
Custom SSL Certificates
Configure NNM for Certificates
Create a Custom CA and Server Certificate
Create NNM SSL Certificates for Login
Connect to NNM with a User Certificate

Welcome to Nessus Network Monitor

This user guide describes the Tenable® Nessus Network Monitor® 5.7.x (Patent 7,761,918 B2) architecture, installation, operation, and integration with Tenable.sc and Tenable.io, and export of data to third parties. For assistance, contact Tenable Support.

Tip: If you are new to NNM, see the Workflow.

Passive vulnerability scanning is the process of monitoring network traffic at the packet layer to determine topology, clients, applications, and related security issues. NNM also profiles traffic and detects compromised systems.

NNM can:

• Detect when systems are compromised with application intrusion detection.
• Highlight all interactive and encrypted network sessions.
• Detect when new hosts are added to a network.
• Track which systems are communicating on which ports.
• Detect which ports are served and which are browsed by each system.
• Detect the number of hops to each monitored host.

Note: For security purposes, Tenable® does not recommend configuring NNM as internet facing software.


Get Started with NNM

1. Ensure that your setup meets the minimum system requirements:

• Hardware requirements
• Software requirements

2. Obtain the proper license or Activation Code for NNM for your configuration.

Note: See special activation code instructions for integration with Tenable.sc or Tenable.io.

3. Follow the installation steps for your operating system:

• Linux
• Windows
• macOS

4. (Optional) Configure Virtual Switches for use with NNM.

5. Perform the initial configuration steps for NNM in the web interface.

After configuration, NNM begins monitoring incoming traffic immediately.

Note: If you wish to register NNM offline or run NNM in High Performance mode, you must follow several additional configuration steps.

6. Create users in NNM and set administrative privileges as necessary.

7. You can view monitored traffic results in dashboards on the Monitoring page and historical data in snapshots and reports on the Results page.

For more NNM deployment information, see the NNM Deployment Guide.


System Requirements

This section describes the following system requirements for NNM:

• NNM Hardware Requirements
• NNM Software Requirements
• NNM Licensing Requirements

To see which versions of NNM work with Industrial Security, see IS Pairing with NNM.


NNM Hardware Requirements

Enterprise networks can vary in performance, capacity, protocols, and overall activity. Resource requirements to consider for NNM deployments include raw network speed, the size of the network being monitored, and the configuration of NNM.

The following chart outlines some basic hardware requirements for operating NNM:

| Version | Installation scenario | RAM | Processor | Hard Disk |
|---|---|---|---|---|
| All Versions | NNM managing up to 50,000 hosts * (**) | 2 GB RAM (4 GB RAM recommended) | 2 2GHz cores | 20 GB HDD minimum |
| | NNM managing more than 50,000 hosts ** | 4 GB RAM (8 GB RAM recommended) | 4 2GHz cores | 20 GB HDD minimum |
| | NNM running in High Performance mode | 16 GB RAM (HugePages memory: 2 GB) | 10 2GHz cores with hyper-threading enabled | 20 GB HDD minimum |

*The ability to monitor a given number of hosts depends on the bandwidth, memory, and processing power available to the system running NNM.

**For optimal data collection, NNM must be connected to the network segment via a hub, spanned port, or network tap to have a full, continuous view of network traffic.

Note: Please research your VM software vendor for comparative recommendations, as VMs typically see up to a 30% loss in efficiency compared to dedicated servers.

High Performance Mode

To run NNM in High Performance mode, a minimum of two of the following types of Intel NICs are required; one as a management interface and at least one as a monitoring interface:

• e1000 (82540, 82545, 82546)
• e1000e (82571, 82574, 82583, ICH8.ICH10, PCH.PCH2)
• igb (82575, 82576, 82580, I210, I211, I350, I354, DH89xx)
• ixgbe (82598, 82599, X540, X550)
• i40e (X710, XL710)
• NT40A01-4x1


NNM Software Requirements

The Nessus Network Monitor is available for the following platforms:

Version / Software Requirements

Previous Versions

5.6.x-5.7.x

• Red Hat Linux ES 5 / CentOS 5 64-bit
• Red Hat Linux ES 6 / CentOS 6 64-bit
• Red Hat Linux ES 7 / CentOS 7 64-bit (through 7.6 kernel version 3.10.0)
• Mac OS X 10.9-10.12 64-bit
• Microsoft Windows 7, 8, 10, Server 2008, Server 2012, and Server 2016 64-bit OS
• Microsoft Visual C++ 2010 Redistributable Package

High Performance mode only available on:

• RH6/CentOS6 (RH6.0 thru RH6.9): 2.6.32-696
• RH7/CentOS7 (RH7.0 thru RH7.4): 3.10.0-693cc
• RH7/CentOS7 (RH7.5): 3.10.0-862

5.5.x

• Red Hat Linux ES 5 / CentOS 5 64-bit
• Red Hat Linux ES 6 / CentOS 6 64-bit
• Red Hat Linux ES 7 / CentOS 7 64-bit (through 7.6 kernel version 3.10.0)
• Mac OS X 10.9-10.12 64-bit
• Microsoft Windows 7, 8, Server 2008, and Server 2012
• Microsoft Visual C++ 2010 Redistributable Package

High Performance mode only available on:

• RH6/CentOS6 (RH6.0 thru RH6.9): 2.6.32-696
• RH7/CentOS7 (RH7.0 thru RH7.4): 3.10.0-693cc
• RH7/CentOS7 (RH7.5): 3.10.0-862


5.4.x

• Red Hat Linux ES 5 / CentOS 5 64-bit
• Red Hat Linux ES 6 / CentOS 6 64-bit
• Red Hat Linux ES 7 / CentOS 7 64-bit (through 7.6 kernel version 3.10.0)
• Mac OS X 10.9-10.12 64-bit
• Microsoft Windows 7, 8, Server 2008, and Server 2012
• Microsoft Visual C++ 2010 Redistributable Package

High Performance mode only available on:

• RH6/CentOS6 (RH6.0 thru RH6.9): 2.6.32-696
• RH7/CentOS7 (RH7.0 thru RH7.4): 3.10.0-693cc

You can use ERSPAN to mirror traffic from one or more source ports on a virtual switch, physical switch, or router and send the traffic to a destination IP host running NNM. NNM supports the following ERSPAN virtual environments:

• VMware ERSPAN (Transparent Ethernet Bridging)
• Cisco ERSPAN (ERSPAN Type II)

Tip: Refer to the Configuring Virtual Switches for Use with NNM document for details on configuring your virtual environment.

High Performance Mode

To run NNM in High Performance mode, you must enable HugePages support. HugePages is a performance feature of the Linux kernel and is necessary for the large memory pool allocation used for packet buffers. If your Linux kernel does not have HugePages configured, NNM automatically configures HugePages per the appropriate settings. Otherwise, if your Linux kernel has defined HugePages, refer to the Configuring HugePages instructions in the Linux Command Line Operations section.
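To see which of the two HugePages cases applies on a host before enabling High Performance mode, the following added example (not part of the Tenable guide or of NNM) reads data in /proc/meminfo format and reports whether a pool is defined and how large it is. The function names are hypothetical, and the 2 GB default threshold is an assumption taken from the "HugePages memory: 2GB" figure in the hardware requirements table.

```shell
#!/bin/sh
# Added example: classify the host's HugePages state before running NNM in
# High Performance mode. Not Tenable code; names here are hypothetical.

# Constructed sample in /proc/meminfo format (not taken from a real host).
sample_meminfo() {
    cat <<'EOF'
MemTotal:       16265432 kB
HugePages_Total:    1024
HugePages_Free:     1024
Hugepagesize:       2048 kB
EOF
}

# hugepages_status [MEMINFO_PATH|-] [REQUIRED_KB]
#   Prints one of:
#     unconfigured        no pool defined (the guide says NNM configures it)
#     sufficient <kB>     pool defined and at least REQUIRED_KB
#     insufficient <kB>   pool defined but smaller than REQUIRED_KB
#     unsupported         kernel reports no HugePages fields
#   Exit status: 0 for unconfigured/sufficient, 1 insufficient,
#                2 unreadable input, 3 unsupported.
hugepages_status() {
    hp_src=${1:-/proc/meminfo}
    hp_need_kb=${2:-2097152}    # 2 GB expressed in kB (assumed threshold)

    if [ "$hp_src" != "-" ] && [ ! -r "$hp_src" ]; then
        echo "cannot read $hp_src" >&2
        return 2
    fi

    awk -v need="$hp_need_kb" '
        $1 == "HugePages_Total:" { total = $2 }
        $1 == "Hugepagesize:"    { size_kb = $2 }
        END {
            if (total == "" || size_kb == "") { print "unsupported"; exit 3 }
            if (total + 0 == 0)               { print "unconfigured"; exit 0 }
            pool = total * size_kb            # pool size in kB
            if (pool >= need) { printf "sufficient %d\n", pool; exit 0 }
            printf "insufficient %d\n", pool
            exit 1
        }' "$hp_src"
}

# Demonstration on the constructed sample; on a real host call
# hugepages_status with no arguments to read /proc/meminfo.
sample_meminfo | hugepages_status -
```

An "insufficient" result means the kernel already has a HugePages pool defined, which is the case the guide sends to the Configuring HugePages instructions.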


NNM Licensing Requirements

NNM Subscription

An NNM subscription Activation Code is available that enables NNM to operate in Standalone mode. Use this mode to view results from an HTML interface enabled on the NNM server.

Activation Code

To obtain a Trial Activation Code for NNM, contact [email protected]. Trial Activation Codes are handled the same way by NNM as full Activation Codes, except that Trial Activation Codes allow monitoring for only 30 days. During a trial of NNM, all features are available.

Tenable.sc Continuous View

Tenable.sc CV includes NNM as part of a bundled license package with Tenable.sc. This license allows an unlimited number of NNM deployments to monitor an unlimited number of networks. Tenable.sc CV’s IP view is constrained by the license with which it is purchased.

Tenable.io

Tenable.io Vulnerability Management includes NNM as part of a bundled license package with Tenable.io. This license allows an unlimited number of NNM deployments to monitor an unlimited number of networks. Tenable.io's Asset view is constrained by the license with which it is purchased.

High Performance Mode

NNM in High Performance Mode can be licensed in Standalone mode or bundled with Tenable.sc.


Download NNM

To download NNM:

1. Access the Tenable Downloads page.

2. Click Nessus Network Monitor.

3. Select the correct version for your operating system.

After you accept the license agreement, a download begins.

Note: To ensure binary compatibility, be sure to download the correct build for your operating environment.

4. Confirm the integrity of the installation package by comparing the download checksum with the checksum on the Tenable downloads page, as described in the knowledge base article.


Install NNM

Before You Begin

• Download the NNM package.
• Ensure you can run the following commands with administrative or root privileges.

Linux

To ensure audit record time stamp consistency between NNM and Tenable.sc, ensure the underlying OS makes use of NTP as described in the Red Hat documentation.

The software license agreement for NNM is located in the /opt/NNM/docs directory.

Tip: Ensure that organizational and OS firewall rules permit access to port 8835 on the NNM server.

To install NNM on Linux:

1. Install the NNM .rpm file downloaded from the Tenable Downloads page in Red Hat or CentOS with the following command. The specific filename varies depending on your platform and version.

# rpm -ivh NNM-5.x.x-esx.x86_64.rpm
Preparing...      ########################################### [100%]
1:NNM             ########################################### [100%]
[*] NNM installation completed.
#

The installation creates the /opt/nnm directory, which contains the NNM software, default plugins, and directory structure.

2. Start NNM for Red Hat and CentOS systems using the following command:

# service nnm start

3. Navigate to https://<IP address or hostname>:8835, which displays the NNM web front end to log in for the first time.

Refer to Configure NNM to complete the initial login.

Windows


You must ensure the latest version of Microsoft Visual C++ 2010 Redistributable Package is installed for your 64-bit platform and architecture. Be sure to stop any other programs on your system that utilize WinPcap.

To install NNM on Windows:

1. Double-click the .exe file downloaded from the Tenable Downloads page. The specific filename varies depending on your version.

The InstallShield Wizard launches, which walks you through the installation process and required configuration steps.

2. Click the Next button.

The License Agreement screen appears.


3. Agree to the terms to continue the installation process and use NNM.

Tip: You can copy the text of the agreement into a separate document for reference, or you can click the Print button to print the agreement directly from this screen.

4. Click the Next button.

The Customer Information screen appears. The User Name and Company Name boxes are used to customize the installation, but are not related to any configuration options (e.g., for interfacing with Tenable.sc).


5. Click the Next button.

The Choose Program Location screen appears, where you can verify the location in which the NNM binaries are installed.


6. Click the Change button to specify a custom path.

7. Click the Next button.

The Choose Data Location screen appears, where you can verify the location in which user data generated by NNM is stored.


8. Click the Change button to specify a custom path.

Tip: If you connect NNM to Tenable.sc, altering the data path disables Tenable.sc from retrieving reports.

9. Click the Next button.

The Ready to Install the Program screen appears, where you can review and edit the information supplied on previous screens.


10. Click the Install button.

The Setup Status screen appears. If the most recent version of WinPcap is already installed on the system, the NNM installation process asks if you want to force or cancel installation of WinPcap. If it does not detect WinPcap, or detects an older version, a second installer launches to install or upgrade the software.

Tip: Use the provided version of WinPcap or newer. NNM has been designed and tested using the supplied version of WinPcap.

11. Start NNM.

Mac OS X


1. Double-click the .dmg file downloaded from the Tenable Downloads page to mount the disk image NNM Install. The specific filename varies depending on your version.

2. Double-click the Install NNM.pkg file.

The Install Tenable NNM window appears, which walks you through the installation process and any required configuration steps.

3. Click the Continue button.

The Software License Agreement screen appears.


4. Agree to the terms to continue the installation process and use NNM.

Tip: You can copy the text of the agreement into a separate document for reference, or you can click the Print button to print the agreement directly from this screen.

4. Click Install to begin the installation.

A window appears asking for authentication permission to install the software.

5. Click the Install Software button.

A window appears, requesting permission to allow NNM to accept incoming network connections. If this option is denied, NNM is installed but functionality is severely reduced.

6. When the identity dialog box appears, click Continue.

Tip: Once the installation process is complete, eject the NNM install volume.


Upgrade NNM

This section describes how to upgrade an existing NNM instance on the following platforms:

• Linux
• Windows
• macOS


Upgrade NNM on Linux

Before You Begin

These steps assume you have backed up your custom SSL certificates. They also assume that you are running all commands with root privileges.

Additionally, if you have used an NNM RPM to install NNM previously, an upgrade retains configuration settings. You must transfer the NNM RPM package to the system on which it is being installed. Confirm the integrity of the installation package by comparing the download MD5 checksum with the one listed in the product release notes.

To upgrate NNM on Linux:

1. StopNNM with the following command:

# service nnm stop

2. Install theNNM .rpm file downloaded from theTenable Downloads pagewith the following com-mand. The specific filename varies depending on your version:

# rpm -Uvh NNM-5.x.x-esx.x86_64.rpmPreparing... ########################################### [100%]1:NNM ########################################### [100%][*] NNM installation completed.#

3. Once the upgrade is complete, start NNM with the following command:

# service nnm start

4. Navigate to https://<ip address or hostname>:8835, which displays the NNM web front end to log in.

Tip: Ensure that organizational firewall rules permit access to port 8835 on the NNM server.


Upgrade NNM on Windows

Before You Begin

These steps assume you have backed up your custom SSL certificates. They also assume that you are running all programs as a local user with administrative privileges. To do so, when UAC is enabled, right-click on the installer program and select Run as Administrator.

Additionally, you must ensure the latest version of the Microsoft Visual C++ 2010 Redistributable Package is installed for your 64-bit platform and architecture. Be sure to stop any other programs on your system that are utilizing WinPcap.

To upgrade NNM on Windows:

1. Stop the Tenable NNM Proxy Service from the Windows Services control panel.

2. Double-click the .exe file downloaded from the Tenable Downloads page. The specific filename varies depending on your platform and/or version.

The InstallShield Wizard launches and begins the upgrade process.

3. Click the Next button.

The automated upgrade process begins.

Note: If the version of WinPcap is not at the appropriate level during the upgrade process, an upgrade window appears and begins the process of upgrading WinPcap. Failure to install the recommended version of WinPcap may result in errors with NNM monitoring.

4. When the upgrade is complete, start NNM.

5. Navigate to https://<ip address or hostname>:8835 to display the NNM web front end to log in.

Tip: Ensure that organizational firewall rules permit access to port 8835 on the NNM server.


Upgrade NNM on macOS

Before You Begin

These steps assume that you have backed up your custom SSL certificates and are running all programs with root privileges.

To upgrade NNM on macOS:

1. Stop NNM.

2. Double-click the .dmg file downloaded from the Tenable Downloads page to mount the disk image NNM Install. The specific filename varies depending on your version.

3. Double-click the Install NNM.pkg file.

The Install Tenable NNM window appears, which walks you through the upgrade process and any required configuration steps.

4. Click the Continue button.

The Software License Agreement screen appears.

5. Agree to the terms to continue the installation process and use NNM.

Tip: You can copy the text of the agreement into a separate document for reference, or you can click the Print button to print the agreement directly from this screen.

6. Click the Install button.

A window appears asking for authentication permission to install the software.

7. Click the Install Software button.

A window appears requesting permission to allow NNM to accept incoming network connections. If this option is denied, NNM is installed but functionality is severely reduced.

8. Click the Allow button.


Set up NNM

NNM configuration follows the same steps for all operating systems. This section provides instructions for the following:

• Configure NNM

• Register NNM Offline via the NNM Interface

• Register NNM Offline via the CLI

• Configure High Performance Mode


Configure NNM

To configure NNM:

1. In a web browser, navigate to https://<ip address or hostname>:8835.

2. Type the default username and password, which are both admin.

3. Click Sign In To Continue.

4. The Change Default Password screen of the Quick Setup window appears, where you can change the default password. The new password must meet the following minimum requirements:

• Minimum 5 characters long

• One capital letter

• One lowercase letter

• One numeric digit

• One special character from the following list: !@#$%^&*()

5. Click Next Step.

The Set Activation Code screen appears.

6. To register NNM offline, select the Register Offline check box and see Register NNM Offline via the CLI.

7. In the Activation Code box, type the appropriate text based on your setup:

• If NNM is acting as a standalone device, type an Activation Code.

• If NNM is managed by Industrial Security, type IndustrialSecurity.

Industrial Security is end-of-life (EOL). For information about EOL dates and policies for Tenable products, see the Tenable Software Release Lifecycle Matrix and Policy.

   a. In the Industrial Security Host box, type the IP address of the Industrial Security instance.

   b. In the Industrial Security Port box, type the port of the Industrial Security instance.


   c. In the Industrial Security Key box, type the key copied from the Industrial Security instance. See the Industrial Security User Guide for more information.

   d. In the NNM Name box, type a name for the NNM instance. This name appears in the Industrial Security interface.

• If NNM is managed by Tenable.io, type Cloud.

Four configuration options appear: Cloud Host, Cloud Port, Cloud Key, and NNM Name. See the Cloud Settings section for more information.

• If NNM is managed by Tenable.sc, type SecurityCenter. See the Tenable.sc User Guide for more information.

In all cases, a valid Activation Code must be typed in the Activation Code box.

8. Click Next Step.

The Monitoring Configuration screen appears.

• The Monitored Network Interfaces box displays the monitored interfaces identified by NNM. You can select one or more of the defined interfaces. The caret icon displays additional information about each interface.

• The Monitored Network IP Addresses and Ranges box displays the IP address ranges NNM monitors.

• The Excluded Network IP Addresses and Ranges box displays the IP address ranges NNM does not monitor.

The Monitored Network IP Addresses and Ranges and Excluded Network IP Addresses and Ranges boxes accept both IPv4 and IPv6 CIDR address definitions. When using multiple addresses, separate the entries using commas or new lines.

Note: Tenable Network Security does not recommend typing large ranges such as 0.0.0.0/0. Because this indicates to NNM that any and all network addresses belong in the network, performance may be severely impacted. Please only include addresses in your network, as each address undergoes in-depth processing.

9. Click Finish.

The Monitoring page appears. Once NNM starts monitoring traffic, the page displays various high-level charts about the vulnerabilities, assets, connections, and bandwidth usage that NNM has detected, as well as real-time events that NNM has triggered.
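The range lists typed in step 8 can be reviewed before they are pasted into the Quick Setup window. The following is an added example, not part of NNM or of this guide: it parses comma- or newline-separated IPv4/IPv6 CIDR entries and reports invalid entries, very broad ranges such as 0.0.0.0/0, overlapping entries, and exclusions that do not line up with the monitored ranges. The function names, the "too broad" thresholds, and the sample ranges are assumptions made for the example.

```python
import ipaddress
import re

# Assumed review thresholds (not NNM limits): a prefix this short or shorter
# is reported as very broad, in the spirit of the 0.0.0.0/0 note above.
BROAD_PREFIX = {4: 8, 6: 32}


def parse_ranges(text):
    """Parse comma- or newline-separated CIDR entries.

    Returns (networks, problems); problems is a list of readable strings.
    """
    networks, problems = [], []
    for entry in re.split(r"[,\r\n]+", text):
        entry = entry.strip()
        if not entry:
            continue
        try:
            iface = ipaddress.ip_interface(entry)
        except ValueError:
            problems.append(f"invalid entry: {entry!r}")
            continue
        net = iface.network
        if iface.ip != net.network_address:
            problems.append(f"host bits set in {entry!r}; network is {net}")
        networks.append(net)
    return networks, problems


def review_scope(monitored_text, excluded_text=""):
    """Review the monitored and excluded lists together."""
    monitored, mon_problems = parse_ranges(monitored_text)
    excluded, ex_problems = parse_ranges(excluded_text)
    problems = mon_problems + ex_problems

    for net in monitored:
        if net.prefixlen <= BROAD_PREFIX[net.version]:
            problems.append(f"monitored range {net} is very broad")

    # Overlapping monitored entries are redundant and usually a typing slip.
    for i, a in enumerate(monitored):
        for b in monitored[i + 1:]:
            if a.version == b.version and a.overlaps(b):
                problems.append(f"monitored ranges {a} and {b} overlap")

    for ex in excluded:
        same_family = [m for m in monitored if m.version == ex.version]
        if not any(ex.overlaps(m) for m in same_family):
            problems.append(f"excluded range {ex} is outside every monitored range")
        for m in same_family:
            if m.subnet_of(ex):
                problems.append(f"monitored range {m} is entirely excluded by {ex}")

    # Count the addresses in scope per IP version, with overlaps collapsed.
    addresses = {}
    for version in (4, 6):
        nets = [m for m in monitored if m.version == version]
        addresses[version] = sum(
            n.num_addresses for n in ipaddress.collapse_addresses(nets)
        )

    return {
        "monitored": monitored,
        "excluded": excluded,
        "addresses": addresses,
        "problems": problems,
    }


# Constructed sample input (documentation and private ranges only).
SAMPLE_MONITORED = "10.20.0.0/16, 192.168.10.0/24\n2001:db8:100::/48"
SAMPLE_EXCLUDED = "10.20.99.0/24"

if __name__ == "__main__":
    report = review_scope(SAMPLE_MONITORED, SAMPLE_EXCLUDED)
    print("IPv4 addresses in scope:", report["addresses"][4])
    for problem in report["problems"]:
        print("REVIEW:", problem)
```
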


Register NNM Offline via the NNM Interface

To register NNM offline via the NNM interface:

1. During the Initial Configuration, on the Quick Setup window, select the Register Offline check box.

A challenge code and the Activation Key box appear.

2. Copy the challenge code and, in a web browser, navigate to https://plugins.nessus.org/v2/offline-NNM.php.

3. In the appropriate boxes, paste your challenge code and type the Activation Code you received from Tenable.

4. Click Submit.

The page generates a URL to download the NNM plugins tarball. Save this URL, as it is used every time you update your plugins. Additionally, a license key appears.

5. Copy the license key.

6. Navigate to the NNM interface.


7. Paste the license key into the Activation Key box on the Quick Setup window.

8. Click the Next Step button.

9. Continue with Step 5 of the Initial Configuration instructions.

Note: After configuring NNM, upload the plugins tarball in the Offline Update area of the Feed Settings section.


Register NNM Offline via the CLI

If your NNM installation cannot reach the Internet directly, use the following procedure to register and update plugins:

1. On the system running NNM, type the following command:

Platform                  Command to Run
Red Hat Linux / CentOS    # /opt/nnm/bin/nnm --challenge
Windows                   C:\Program Files\Tenable\NNM\nnm --challenge
macOS                     # /Library/NNM/bin/nnm --challenge

This produces a challenge code similar to the following:

569ccd9ac72ab3a62a3115a945ef8e710c0d73b8

2. Go to https://plugins.nessus.org/v2/offline-NNM.php.

3. Paste the challenge code as well as the Activation Code you received previously from Tenable into the appropriate text boxes.

This produces a URL that gives you direct access to the NNM plugins.

4. Save the URL as it is used every time you update your plugins.

Additionally, a license key and the associated NNM.license file are produced.

5. Copy this file to the host running NNM in the appropriate directory.

6. Once the NNM.license file is copied, run the NNM --register-offline command to install the file:

Platform                  Command
Red Hat Linux / CentOS    # /opt/nnm/bin/nnm --register-offline /path/to/NNM.license
Windows                   C:\Program Files\Tenable\NNM\nnm --register-offline "C:\path\to\NNM.license"
macOS                     # /Library/NNM/bin/nnm --register-offline /path/to/NNM.license

7. To obtain the newest plugins, navigate to the URL provided in the previous step.

You receive a TAR file (e.g., sc-passive.tar.gz).

8. Copy the file to NNM and then type the appropriate command for your platform:

Platform                  Command
Red Hat Linux / CentOS    # /opt/nnm/bin/nnm --update-plugins /path/to/sc-passive.tar.gz
Windows                   C:\Program Files\Tenable\NNM\nnm --update-plugins C:\path\to\sc-passive.tar.gz
macOS                     # /Library/NNM/bin/nnm --update-plugins /path/to/sc-passive.tar.gz


Register High Performance Mode NNM for Tenable.sc in an Air-gapped Environment

To register NNM for Tenable.sc in an air-gapped environment, you must either update your current install or configure a fresh install of NNM.

Note: These steps apply to High Performance, 10G mode.

Update the Current Install

From NNM:

1. From a CLI on NNM, stop the NNM service.

2. Run the following command:

/opt/nnm/bin/nnm --config "Enable High Performance Mode" "1"

3. Start the NNM service.

4. In a browser, open NNM.

5. Click Configuration > Feed Settings.

6. In the Activation Code box type ‘XXXX’.

Note: This allows the (required) High Performance license to persist and enables the Fetch Plugins From drop-down box.

7. From the Fetch Plugins From drop-down box, select SecurityCenter.

8. Click Update.

From Tenable.sc:

1. Open a browser and connect to Tenable.sc.

2. Add NNM, as described in Add a Nessus Network Monitor in the Tenable.sc User Guide.

3. Click Submit.

The system adds NNM to Tenable.sc.


Note: The NNM status changes to Plugins Out of Sync while the plugins are first downloaded to NNM from Tenable.sc. The next time Tenable.sc polls NNM, the status updates to Working.

Configure a Fresh Install

From NNM:

1. From a CLI on NNM, run the following command:

/opt/nnm/bin/nnm --config "Enable High Performance Mode" "1"

2. Start the NNM service.

3. In a browser, open NNM.

4. In Step 2 of the Quick Setup steps, check the Register Offline check box.

5. In a browser, navigate to https://plugins.nessus.org/v2/offline.php.

6. Type the NNM challenge code.

7. Type the activation code.

8. In NNM, complete the Quick Setup steps.

9. Click Configuration > Feed Settings.

10. In the Activation Code box type ‘XXXX’.

Note: This allows the (required) High Performance license to persist and enables the Fetch Plugins From drop-down box.

11. From the Fetch Plugins From drop-down box, select SecurityCenter.

12. Click Update.

From Tenable.sc:

1. Open a browser and connect to Tenable.sc.

2. Add NNM, as described in Add a Nessus Network Monitor in the Tenable.sc User Guide.


3. Click Submit.

The system adds NNM to Tenable.sc.

Note: The NNM status changes to Plugins Out of Sync while the plugins are first downloaded to NNM from Tenable.sc. The next time Tenable.sc polls NNM, the status updates to Working.


Configure High Performance Mode

Before You Begin

The following steps are required to operate NNM in High Performance mode. Alternatively, a user with administrative privileges can enable High Performance mode via the UI.

You must have a High Performance Activation Code in order to run NNM in High Performance mode.

NNM uses multiple cores to process packets received from monitored interfaces. These are known as worker cores. The default number of worker cores is 8. This number can be changed using the configuration parameter Number Of Worker Cores.

Note: NNM supports a maximum number of 16 cores.

Note: If you set the Number Of Worker Cores parameter to 0, NNM automatically changes the value to the minimum number of worker cores needed to run NNM in High Performance mode.

For example, suppose you have 20 available logical cores. Four of those cores are used by the system for internal processing and the kernel. If you want to use the 16 available cores for NNM, then you may change the value for the parameter Number Of Worker Cores to 16.

To configure High Performance Mode:

1. Stop NNM with the following command:

# service nnm stop

2. Enable High Performance mode with the following command:

/opt/nnm/bin/nnm --config "Enable High Performance Mode" "1"

3. Confirm that the management network interface is different from the monitoring network interface that you configured initially.

Note: If the configured monitored interface has bound IPv4 addresses, you cannot complete the Quick Setup Wizard to configure NNM because no usable NICs appear in the Monitored Network Interfaces list.

4. Start NNM with the following command:

# service nnm start
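The checks in step 3 and the worker-core sizing described under Before You Begin can be run as a pre-flight before NNM is started. The following is an added example, not Tenable's code: it picks a Number Of Worker Cores value capped at the stated maximum of 16, and it reads the output of `ip -o -4 addr show` to flag a monitoring interface that is also the management interface or that has a bound IPv4 address. The function names, the interface names, the four-core system reservation (taken from the guide's 20-core example), and the sample output are assumptions.

```python
import re

MAX_WORKER_CORES = 16  # maximum NNM supports, as stated in the guide


def plan_worker_cores(logical_cores, reserved_for_system=4):
    """Return a value for the "Number Of Worker Cores" parameter.

    reserved_for_system=4 mirrors the guide's 20-core example; it is an
    assumption of this example, not a figure NNM enforces.
    """
    available = logical_cores - reserved_for_system
    if available < 1:
        raise ValueError("no cores left for NNM after the system reservation")
    return min(available, MAX_WORKER_CORES)


def ipv4_bound(ip_output):
    """Map interface name -> bound IPv4 addresses.

    ip_output is the text printed by `ip -o -4 addr show` (one line per
    address). Lines for other address families do not match.
    """
    bound = {}
    for line in ip_output.splitlines():
        match = re.match(r"\s*\d+:\s+(\S+)\s+inet\s+(\S+)", line)
        if match:
            bound.setdefault(match.group(1), []).append(match.group(2))
    return bound


def preflight(management_if, monitoring_ifs, ip_output):
    """Return the problems to fix before starting NNM in High Performance mode."""
    problems = []
    bound = ipv4_bound(ip_output)
    for nic in monitoring_ifs:
        if nic == management_if:
            problems.append(f"{nic}: monitoring interface is also the management interface")
        if nic in bound:
            problems.append(f"{nic}: has bound IPv4 address(es) {', '.join(bound[nic])}")
    return problems


# Constructed sample of `ip -o -4 addr show` output (documentation addresses).
SAMPLE_IP_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eno1    inet 192.0.2.10/24 brd 192.0.2.255 scope global eno1\\       valid_lft forever preferred_lft forever
4: ens2f1    inet 198.51.100.7/24 brd 198.51.100.255 scope global ens2f1\\       valid_lft forever preferred_lft forever
"""

if __name__ == "__main__":
    print("Number Of Worker Cores:", plan_worker_cores(20))
    for problem in preflight("eno1", ["ens2f0", "ens2f1"], SAMPLE_IP_OUTPUT):
        print("FIX:", problem)
```
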


Configure NNM in High Performance Mode on Hyper-V

To configure NNM in High Performance Mode on Hyper-V:

1. Install the CentOS VM.

2. Shut down the VM after install completes.

3. Right click the VM and navigate to Settings.


4. In the Memory section, check the Enable Dynamic Memory check box.

5. Set the Minimum RAM to the startup RAM setting.


6. In the Automatic Stop Action section, select the Turn off the virtual machine radio button.

7. Click OK.

8. Open Device Manager.

9. Right click on the device you want to configure for passthrough.

10. In the Properties dialog, click the Details tab.

11. In the Property drop-down box, select Device instance path.


12. Copy the value from the Value box.

13. In PowerShell, use the following commands to perform the DDA configuration:

# Setting up environment
# Configure VMName
$vmName = '10GNNM'

# Configure Instance ID
$instanceId = 'PCI\VEN_8086&DEV_1563&SUBSYS_001D8086&REV_01\9126D1FFFF74000000'

# Configure Extra variable
$vm = Get-VM -Name $vmName
$dev = (Get-PnpDevice -PresentOnly).Where{ $_.InstanceId -like $instanceId }

# Disable device from hosts
Disable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false

# Setup location path and dismount the device from hosts
$locationPath = (Get-PnpDeviceProperty -KeyName DEVPKEY_Device_LocationPaths -InstanceId $dev.InstanceId).Data[0]
echo $locationPath

# Dismount device from the host
Dismount-VmHostAssignableDevice -LocationPath $locationPath -Force -Verbose

# Assign the device to our VM
Add-VMAssignableDevice -VM $vm -LocationPath $locationPath -Verbose

Use the following commands if you do not intend to use the device with NNM in the VM:

# Roll back, shutdown the VM first

# Remove the device from the VM
Remove-VMAssignableDevice -VMName $vmName -Verbose

# Return the device to host
Get-VMHostAssignableDevice | Mount-VmHostAssignableDevice -Verbose

# Enable it in devmgmt.msc
(Get-PnpDevice -PresentOnly).Where{ $_.InstanceId -like $instanceId } | Enable-PnpDevice -Confirm:$false -Verbose

14. Turn on theVM.

15. Install NNM.

16. Configure huge pages with the commands listed in the Linux Command Line Operations documentation.

17. Enable High Performance Mode.


Configure Hyper-V NIC in Promiscuous Mode

A Hyper-V NIC configured in promiscuous mode allows you to monitor external traffic.

1. Open PowerShell.

2. Run the following command to add a VMSwitchPort Feature, where "LAN2" is your virtual switch name (SettingData.MonitorMode = 2).

$A = Get-VMSystemSwitchExtensionPortFeature -FeatureName "Ethernet Switch Port Security Settings"
# OR: $A = Get-VMSystemSwitchExtensionPortFeature -FeatureId 776e0ba7-94a1-41c8-8f28-951f524251b5
$A.SettingData.MonitorMode = 2
Add-VMSwitchExtensionPortFeature -ExternalPort -SwitchName LAN2 -VMSwitchExtensionFeature $A

3. Run the following command to change the PortMirroring attribute of the VM network device, where "VMName06_WinXPMonitor" is your VM name and "00155D016612" is the MAC address of your adapter.

Get-VMNetworkAdapter -VMName 06_WinXPMonitor | ? MacAddress -eq '00155D016612' | Set-VMNetworkAdapter -PortMirroring Destination

See How to Expand the Size of Disk Volume for more information.


Remove NNM

The following instructions describe how to remove NNM from the following platforms:

• Linux

• Windows

• macOS


Remove NNM from Linux

To remove NNM from Linux:

1. Stop NNM with the following command:

# service nnm stop

2. Determine the name of the RPM file with the following command:

# rpm -qa | grep nnm

The name of the RPM file appears.

3. Remove the NNM RPM with the following command:

# rpm -e <RPM name>

4. Some user-created and user-modified files are not removed with the -e command. Remove any remaining files with the following command:

# rm -rf /opt/nnm

NNM is removed.


Remove NNM from Windows

To remove NNM from Windows:

1. Depending on your version of Windows, in the Control Panel, under Programs, click one of the following:

• Programs and Features

• Add or Remove Programs

2. Select Tenable Nessus Network Monitor.

3. Click Change/Remove.

The InstallShield Wizard appears.

4. Follow the directions in this wizard to completely remove NNM.

5. Select Yes to remove the NNM program and all its files, folders, and features from the system.

-or-

Select No to remove only the NNM program. All user-created files and relevant file folders remain on the system.

6. Restart your machine to complete the removal.

7. Follow the same instructions to remove WinPcap.


Remove NNM from macOS

To remove NNM from macOS:

1. Stop NNM.

2. Delete the following directories (including subdirectories) and files with either sudo root or root privileges using the command line:

# rm /Library/LaunchDaemons/com.tenablesecurity.nnm*
# rm -r /Library/NNM
# rm -r /Library/PreferencePanes/NNM*
# rm -r /Applications/NNM

NNM is removed from your macOS system.


NNM Navigation

The top navigation menu displays two main pages: Monitoring and Results. All of NNM’s primary analysis tasks can be performed using these two pages. Click a page name to open that page.

From the right side of the top navigation menu, you can access settings, current user settings (username of the currently logged-in user), and notifications.

• Click the settings icon to display the Users and Configuration options, where you can make administrative changes to NNM.

Note: The Users and Configuration pages are available only to users with administrative privileges.

• Click your username to display a drop-down box with the following options:

    • Change Password - Change password for the current user.

    • Help & Support - View NNM information and documentation.

    • Sign Out - Log out as the current user.

• The bell icon toggles the Notification History box, which displays a list of notifications, successful or unsuccessful login attempts, errors, and system information generated by NNM. The color of the bell changes based on the nature of the notifications in the list. If there are no alerts, or all notifications are information alerts, then the bell is blue. If there are error alerts in the notification list, then the bell is red. The Notification History box displays up to 1,000 alerts. Once the limit is reached, no new alerts can be listed until old ones are cleared.


To remove notifications individually, click the button to the right of the description of each event. Alternatively, click the Clear History button in the bottom right corner of the box to delete the entire notification history.

Note: Notifications are not preserved between sessions. Unread notifications are removed from the list when the user logs out.


Monitoring Page

The Monitoring page provides a centralized view of vulnerabilities discovered by NNM. On this page, vulnerabilities may be viewed in several categories, including Dashboards, Hosts, Vulnerabilities, Applications, Operating Systems, Connections, and Mobile Devices. The results may also be exported in different formats for use in other programs.

Across all of the viewable methods available on the Monitoring page, filter options are available to increase granularity when viewing results. Click the heading of a column to sort items within that section of the Monitoring page in ascending or descending order.

The Actions drop-down box allows you to export results, delete results, or launch a Nessus scan.

Note: After deleting results, you must restart NNM to see the most up-to-date information.

The Filter <section name> box allows for quick filtering of the Monitoring page. To view a list of filterable plugin attributes, click the down arrow for any quick filter box. Results appear based on a match of Any or All filters. The search box contains example hints when empty, but if an incorrect filter value is introduced, the box displays a red border.

Note: The Filter <section name> box is not available in the Dashboards section.


Filter Text

| Name | Description |
|---|---|
| Bugtraq ID | Filter the results of discovered vulnerabilities based on their Bugtraq identifications. |
| CPE | Filter the results of discovered vulnerabilities based on their CPE identifiers. |
| CVE | Filter the results of discovered vulnerabilities based on their CVE identifiers. |
| CVSS Base Score | Filter the results of discovered vulnerabilities based on the base CVSS score as reported by vulnerability plugins. |
| CVSS Temporal Score | Filter the results of discovered vulnerabilities based on the temporal CVSS score as reported by vulnerability plugins. |
| CVSS Temporal Vector | Filter the results of discovered vulnerabilities based on the CVSS temporal vector as reported by vulnerability plugins. |
| CVSS Vector | Filter the results of discovered vulnerabilities based on the CVSS vector as reported by vulnerability plugins. |
| CVSS v3.0 Base Score | Filter the results of discovered vulnerabilities based on the CVSS v3.0 base score as reported by vulnerability plugins. |
| CVSS v3.0 Temporal Score | Filter the results of discovered vulnerabilities based on the temporal CVSS v3.0 score as reported by vulnerability plugins. |
| CVSS v3.0 Temporal Vector | Filter the results of discovered vulnerabilities based on the temporal CVSS v3.0 vector as reported by vulnerability plugins. |
| CVSS v3.0 Vector | Filter the results of discovered vulnerabilities based on the CVSS v3.0 vector as reported by vulnerability plugins. |
| Host | Filter the results of discovered vulnerabilities based on the discovered IP address of the device. |
| IAVA ID | Filter the results of discovered vulnerabilities based on the IAVA IDs of the vulnerabilities. |
| IAVB ID | Filter the results of discovered vulnerabilities based on the IAVB IDs of the vulnerabilities. |
| IAVT ID | Filter the results of discovered vulnerabilities based on the IAVT IDs of the vulnerabilities. |
| OSVDB ID | Filter the results of discovered vulnerabilities based on the discovered OSVDB identifiers. |
| Plugin Description | Filter the results of discovered vulnerabilities based on text available in the descriptions of the vulnerabilities. |
| Plugin Family | Filter the results of discovered vulnerabilities based on a family of discovered vulnerabilities. |
| Plugin ID | Filter the results of discovered vulnerabilities based on the IDs of the plugins that identified the vulnerabilities. |
| Plugin Name | Filter the results of discovered vulnerabilities based on text available in the names of the plugins that identified the vulnerabilities. |
| Plugin Output | Filter the results of discovered vulnerabilities based on text contained in the output of the plugin that discovered the vulnerability. |
| Port | Filter the results of discovered vulnerabilities based on the port on which the vulnerability was discovered. |
| Protocol | Filter the results of discovered vulnerabilities based on the detected protocol: tcp, udp, or icmp. |
| STIG Severity | Filter the results of discovered vulnerabilities based on STIG severity level of the plugin. |
| See Also | Filter the results of discovered vulnerabilities based on the text available in the See Also box of the plugin. |
| Severity | Filter the results of discovered vulnerabilities based on the identified severity. |
| Solution | Filter the results of discovered vulnerabilities based on text available in the solution section of the plugin. |
| Synopsis | Filter the results of discovered vulnerabilities based on text available in the synopsis section of the plugin. |
| System Type | Filter the results of discovered vulnerabilities based on the system type of the device. |
| VLAN ID | Filter the results of discovered vulnerabilities based on the VLAN ID of the device. |


Dashboards Section

The Dashboards section displays the contents of the vulnerability tab in a graphical layout. The default dashboard layout displays the following charts:

• Top 10 Hosts

• Top 10 Vulnerabilities

• Top 5 Applications

• Distribution by Operating System

• Top 10 Talkers

    Note: The 10 Top Talkers chart only lists client machines that call or talk to the servers. If you are interested in viewing both servers and clients, enable the Enable Connection Analysis Module setting in the NNM Settings Section.

• Top 10 Mobile Devices

• Distribution of Mobile Devices by Operating System

• Top 10 Mobile Devices by Hardware

• Distribution of Mobile Applications by Application

• SCADA Vulnerability Distribution by Severity

• Top 10 SCADA Hosts

• SCADA Host Distribution by Protocol

• SCADA Host Distribution by System Type

• Client Connections

• Network Bandwidth by Byte Count

• Event Trending

Note: Your NNM configuration determines which charts appear in the Dashboards section.

Click on the data within a chart to see more information about the data. Additionally, you can drag-and-drop charts to rearrange them on the dashboard for the duration of your session. The Client Connections, Network Bandwidth by Byte Count, and Event Trending charts cannot be moved. For more information, see Rearrange Charts.


The following table describes the options available in the Dashboards section:

| Option | Description |
|---|---|
| <click on the chart> | Opens a Details section with more information about the data displayed in a chart. Note: You cannot click on the Top 10 Mobile Devices by Hardware chart. |
| button | Removes the chart from the Dashboards section for the duration of your session. |
| button | Refreshes the chart. |
| button | Provides options to Export Results, Delete Results, or Launch Scan. |
| button | Provides options to filter chart data based on a specified date range. |

Events Dashboard


Click on the Event Trending chart to access the Events dashboard. The Events dashboard displays a graphical representation of the number of maximum viewable real-time events as defined in the Realtime Events setting type in the NNM Settings section.

The Event Details table can be customized by sorting columns, showing or hiding columns, filtering content by clicking View Active Filters, or by clicking underlined columns in the table.


Rearrange Charts

To rearrange charts on the Dashboard:

1. In the Dashboards section, select the heading of the chart you want to reposition.

2. Drag the chart to a different location on the dashboard.

3. Release the pointer.

The chart moves and the dashboard configuration saves for the duration of your session.

Note: You cannot move the Client Connections, Network Bandwidth by Byte Count, or Event Trending charts.


Refresh a Chart

To refresh a chart on the Dashboard:

1. In the Dashboards section, in the upper right corner of the chart you want to refresh, click the button.

The selected chart refreshes.


Set a Date Range for the Dashboards Section

To set a date range for the charts on the Dashboard:

1. In the Dashboards section, in the upper right corner, click the drop-down box.

2. Do one of the following:

• Select one of the preset time intervals.

• Select a start and end date from the available calendars and specify a time associated with each date.

• Manually type dates in the two text boxes in YYYY/MM/DD format and specify a time associated with each date.

All the charts on the page refresh to reflect the selected time interval.


Remove a Chart from a Dashboard

To remove a chart from a dashboard:

In the Dashboards section, in the upper right corner of the chart you want to remove, click the button.

The selected chart is removed from the dashboard for the duration of your session.


Hosts Section

The Hosts section of the Monitoring page displays a list of the discovered hosts, the system type of the hosts, and a stacked bar chart. The chart is labeled and color-coded to indicate both the number and severity level of vulnerabilities detected on the host.

Select a host from the list to display the host’s attributes and discovered vulnerabilities. In the drop-down box at the top of the section, select one of the following options to view relevant information.

Vulnerabilities

Vulnerabilities detected on this host appear in descending order of severity. The Vulnerabilities list displays the name of each vulnerability, the vulnerability family, and the number of vulnerabilities discovered. Select a vulnerability from the list to display vulnerability details including a synopsis, a description, a solution, plugin details, risk information, reference information, and affected hosts and services for the host.


Applications

Applications appear in descending order of severity. The Applications list displays the name and number of each application. Select an application from the list to display information about the application observed on this host. The list includes the name and number of discoveries, the affected port and protocol, the software and version, and the services available.


Client Connections

Hosts to which the selected host has connected are grouped by port. The Client Connections list displays information about connections from the selected host to other hosts, which port(s) were used, and, if known, the services. Click on a client connection to display a Connections sidebar that displays Host Details, a Client Connections diagram, and, where applicable, a Recent Sessions table.


Server Connections

Hosts that have connected to the selected host are grouped by port. The Server Connections list displays information about connections to the selected host from other hosts, which port(s) were used, and, if known, the services. Click on a server connection to display a Connections sidebar that displays Host Details, a Server Connections diagram, and, where applicable, a Recent Sessions table.


Vulnerabilities Section

The Vulnerabilities section of the Monitoring page provides a list of the vulnerabilities detected by NNM. Additionally, you can view a vulnerability's plugin family and the number of detected vulnerabilities.

Select a vulnerability from the list to view the following vulnerability details:

• A Synopsis of the vulnerability.

• A Description of the vulnerability.

• A Solution for the vulnerability.

• A See Also section that features additional reference material about the vulnerability.

• A list of Affected Hosts.

• The vulnerability's Plugin Details.

• Risk Information about the vulnerability.

• Reference Information about the vulnerability.


Delete a Vulnerability

To delete a vulnerability:

To delete one vulnerability:

1. In the Vulnerabilities section, hover over the vulnerability you want to delete.

2. On the right side of the row, click the button.

The vulnerability is deleted.

To delete multiple vulnerabilities:

1. On the Vulnerabilities page, on the left side of the row for the vulnerability you want to delete, select the check box. Repeat this step for each vulnerability you want to delete.

2. Click Actions > Delete Vulnerabilities.

The vulnerabilities are deleted.


Applications Section

The Applications section displays a list of discovered applications. Click an application to display a list of affected hosts. The list includes the name and number of discoveries, the affected port and protocol, the software and version, and the services available.


Operating Systems Section

The Operating Systems section displays a list of discovered operating systems. This section lists the severity, operating system name as detected, and the number of discoveries.

Click an operating system to display a list of affected hosts. The list includes the severity, the version of the operating system, and the services available.


Connections Section

The Connections section displays information in two tabs:

• The Client Connections tab displays a list of hosts. Click on a host to display connections from the selected host to other hosts, the port(s) used, and, if known, the services. Additionally, the Connections sidebar displays Host Details, a Client Connections diagram, and, where applicable, a Recent Sessions table.

• The Server Connections tab displays a list of hosts. Click on a host to display connections to the selected host from other hosts, the port(s) used, and, if known, the services. Additionally, the Connections sidebar displays Host Details, a Server Connections diagram, and, where applicable, a Recent Sessions table.


Mobile Devices Section

The Mobile Devices section displays a list of discovered mobile devices. The summary page displays the IP address, model, operating system, and last seen timestamp for each mobile device within the monitored network range. Select a device name from the list to display the device’s list of vulnerabilities and a list of applications for the mobile device.


Filter Monitoring Results

To filter monitoring results:

1. In the Hosts, Vulnerabilities, Applications, Operating Systems, Connections, or Mobile Devices section, in the upper right corner, click the Filter <section name> drop-down box.

2. Type the criteria by which you want to filter results directly into the box.

-or-

Click the button in the box.

The Filter Results window appears.

3. Configure the filter options as necessary.

4. Click the Apply Filters button.

Note: On-the-fly filter results cannot be exported. If you want to export filter results, you must configure the filter(s) in the Filter Results window. Additionally, on-the-fly filter results are not stored when a user navigates to another page in NNM.


Export Monitoring Results

To export monitoring results:

1. Click Monitoring > Actions > Export Results.

The Export Results screen appears.

2. Select the export format and chapter layout.

3. Click the Export button.

An automatic download begins. You can save the report from the web browser.

Note: On-the-fly filter results cannot be exported. If you want to export filter results, you must configure the filter(s) in the Filter Results window.


Launch a Nessus Scan

To launch a Nessus scan:

1. Do one of the following:

• Click Monitoring > Actions > Launch Scan.

• Click Assets or Vulnerabilities > select the check boxes for the assets you want to scan > Actions > Launch Scan.

The Launch Basic Nessus Scan window appears.

2. Configure the scan options as necessary.

3. Click the Launch button.

The scan opens in the Nessus interface. Refer to the Nessus user guide for further instructions.

Note: To launch scans on Nessus 6.8.x or higher, NNM must be configured to restrict access to TLS 1.2 or higher. See the NNM Settings Section for more information.


Results Page

The Results page contains snapshots of monitored data, results from Pcap files entered manually via the command line or the client UI, and uploaded NNM reports. The Monitoring Snapshots generate regularly based on the Report Frequency setting. They are stored until deleted or the Report Lifetime setting removes them. Select a result grouping to view it using the same analysis tools described in the Monitoring section of this user guide:

• Hosts

• Vulnerabilities

• Applications

• Operating Systems

• Connections

• Mobile Devices

Additionally, to compare two snapshots, check the desired snapshot results and select the Diff Snapshots option from the Actions drop-down box.


Upload a Report

To upload a report:

1. Click Results > Upload > Report.

The Upload Results window appears.

2. Select a file to upload.

3. Click the Upload Results button.

The report appears in a new row at the top of the Listing Results list on the Results page.


Upload a Pcap

Before You Begin

The maximum total file size for uploaded Pcaps is 100 MB. Running a Pcap pauses live monitoring.

To upload a Pcap:

1. Click Results > Upload > Pcaps.

The Upload Pcaps window appears.

2. Select one or more files to upload.

3. Click the Upload Pcap(s) button.

A new row for the Pcap(s) appears at the top of the Listing Results list on the Results page.


Filter Results

To filter results:

1. On the Results page, in the upper right corner, click the Filter Results drop-down box.

2. Select Snapshot, Manual, or Pcap.

The Listing Results list filters by the selected report type. Click Clear Filter to remove the filter from the list.


Delete Results

To delete one result:

1. On the Results page, hover over the result you wish to delete.

2. Click the button.

A dialog box appears confirming your selection to delete the result.

3. Click the Delete button.

The result is deleted.

To delete multiple results:

1. On the left side of the row for the result you want to delete, select the check box. Repeat this step for each result you want to delete.

2. Click Actions > Delete Result.

A dialog box appears confirming your selection to delete the results.

3. Click the Delete button.

The results are deleted.


Users Page

The Users page lists the available users on the NNM server. Additionally, you can view account configuration options for each user. This page is visible only to users with administrative privileges.

To access the Users page:

1. In the top navigation bar, click the icon.

2. In the drop-down box, click Users.

The Users page appears.

Click on a user to modify the user's account. For more information, see Modify a User Account.


Create a New User

To create a new user:

1. On the Users page, in the upper right corner, click the New User button.

The New User window appears.

2. In the Username box, type a username for the user.

3. In the Password box, type a password for the user.

Note: The username is case sensitive and the password must conform to the NNM password policy.

4. In the Confirm Password box, type the password for the user a second time.

5. If the new user should have administrative privileges, select the Administrator check box.

Tip: When a user is created it authenticates with SSL Client Certificates. The user name must match the Common Name in the certificate.

6. Click the Create User button.

The user saves and appears in the Users list.


Modify a User Account

To modify a user account:

1. On the Users page, select a user from the list.

The Edit User <username> window appears.

2. Modify the properties as needed.

3. Click Update.

Tip: To reset user account passwords via the command line, use the following command from the NNM binary directory:

/opt/NNM/bin/nnm --users --chpasswd <username>


Reset a Locked Account

To reset a locked account:

1. In the command line interface, use the appropriate command for your operating system to delete the hash.lockedout file:

Operating System    Command

Linux      # rm /opt/nnm/var/nnm/users/<locked accountname>/hash.lockedout

Windows    del C:\ProgramData\Tenable\NNM\nnm\users\<locked_account_name>\hash.lockedout

macOS      # rm /Library/NNM/var/nnm/users/<locked accountname>/hash.lockedout

Tip: Alternatively, a user with administrative privileges can navigate to this directory and manually delete the hash.lockedout file.

2. After deleting the hash.lockedout file, if needed, a user with administrative privileges can follow the steps under Modify a User Account to reset the user's password.


Delete a User

To delete a user:

To delete one user:

1. On the Users page, hover over the user you want to delete.

On the right side of the row, the button appears.

2. Click the button.

A dialog box appears confirming your selection to delete the user.

3. Click Delete.

The user is deleted.

To delete multiple users:

1. On the Users page, on the left side of the row for the user you want to delete, select the check box. Repeat this step for each user you want to delete.

2. Click Actions > Delete Users.

A dialog box appears confirming your selection to delete the user.

3. Click Delete.

The users are deleted.


Configuration Page

The Configuration page allows users with administrative privileges to configure NNM for their local environment.

NNM Settings Section

Feed Settings Section

Cloud Settings Section

Industrial Security Settings Section

Web Proxy Settings Section

Chart Settings Section

Email Settings Section

Plugin Settings Section

Nessus Scanner Settings Section


NNM Settings Section

The NNM Settings section provides options for configuring the network settings for NNM. This includes what network(s) are monitored or excluded, how to monitor those networks, and what network interfaces NNM has identified for monitoring. If your NNM is licensed to run in High Performance mode, you can also Configure the Performance Mode.

Note: While you can configure many advanced settings via the command line using custom parameters, others use standard parameters. For example, while the ACAS Classification setting uses the custom --add parameter, the Login Banner setting does not require the --add parameter.

Note: The Network Interfaces Settings view only shows network interfaces that don't have IP addresses assigned to them. As a result, if all interfaces have assigned IP addresses, in High Performance mode, the list is empty.

Name Description

ACAS Classification

ACAS

Support for ACAS banners may be enabled from the command line of the NNM server service using the /opt/nnm/bin/nnm --config --add "ACAS Classification" "SECRET" command. SECRET may be replaced by UNCLASSIFIED, CONFIDENTIAL, TOP SECRET, or NOFORN. Once enabled, a drop-down box for the ACAS option appears in the UI front end.

Support for ACAS banners may be disabled from the command line of the NNM server using the /opt/nnm/bin/nnm --config --delete "ACAS Classification" command from the binary directory on the server.

Advanced

Maximum Plugins Update Frequency

Specifies the maximum frequency with which plugins update.

Login Banner

Specifies a login banner.

Note: Login banners can also be configured via the command line using the /opt/nnm/bin/nnm --config "Login Banner" "NNM BannerText" command.

Enable PII Obfuscation

Specifies whether or not to mask data from plugins that are expected to contain sensitive information (like Personally Identifiable Information [PII]). When enabled, the sensitive data is masked with asterisks. When disabled, the sensitive information appears in cleartext in plugin output and logs. Type 0 to disable and 1 to enable the obfuscation.

Note: By default, this option is enabled. This option cannot be disabled if your NNM is connected to another application (i.e. Industrial Security, Tenable.io, Tenable.sc).

Analysis Modules

Enable SCADA/ICS Analysis Module

Enables the SCADA/ICS Analysis Module. Click the caret button to the left of the setting name to display a list of individual module detections within the module. Click on individual module detections within the list to disable/enable them. Disabling a SCADA/ICS module detection enables the legacy PASL. See the SCADA/ICS Analysis Module for more information.

Enable Connection Analysis Module

Enables the Connection Analysis Module. Click the caret button to the left of the setting name to display a list of individual module detections within the module. Click on individual module detections within the list to disable/enable them. See the Connection Analysis Module for more information.

Enable IoT Analysis Module

When enabled, NNM detects plugins in the IoT family. By default, this option is enabled.

DNS Query

DNS Cache Lifetime Analysis Module

Specifies the amount of time NNM retains and stores a given host’s DNS record, in seconds. By default, this option is set to 43200 (12 hours), but can be set to any value between 3600 and 172800 (48 hours).

DNS Query Time Interval

Specifies the delay between sets of DNS queries, in seconds. By default, this option is set to 5, but can be set to any value between 1 and 120.

DNS Queries per Interval

Specifies the maximum number of concurrent DNS requests made at the time of the DNS Query, in seconds. By default, this option is set to 5, but can be set to any value between 0 and 1000. Setting this value to 0 disables this feature and prevents further DNS queries from being made.

Database

Enable Malformed Database Recovery

When enabled, allows NNM to recover a malformed database.

Memory

Sessions Cache Size

Specifies the size, in megabytes, of the session table. Adjust the session size as needed for the local network. By default, this option is set to 50.

Packet Cache Size

Specifies the maximum size, in megabytes, of the cache used to store the contents of the packets collected before processing. By default, this option is set to 128 MB with a maximum size of 512 MB. When the cache is full, any subsequent packets captured are dropped until space in the cache becomes available.

Monitoring

Monitored Network Interfaces

A list of the network device(s) used for sniffing packets. Devices may be selected individually or in multiples. At least one interface must be selected from the list of available devices.

Note: High Performance mode does not support e1000 NICs as monitored interfaces on VMs. If you are running NNM on a VM in High Performance mode and select an e1000 monitored interface, NNM automatically reverts to Standard mode.

Monitored Network IP Addresses and Ranges

Specifies the network(s) monitored. The default setting is 0.0.0.0/0, which instructs NNM to monitor all IPv4 addresses. This should be changed to monitor only target networks; otherwise NNM may quickly become overwhelmed. Separate multiple addresses by commas. When monitoring VLAN networks, you must use the syntax vlan ipaddress/subnet.

Example: 192.168.1.0/24,2001:DB8::/64,10.2.3.0/22,vlan 172.16.0.0/16,192.168.3.123/32


Note: The syntax is case sensitive.

Excluded Network IP Addresses and Ranges

Specifies, in CIDR notation, any network(s) to specifically exclude from NNM monitoring. This option accepts both IPv4 and IPv6 addresses. Separate multiple addresses by commas. When excluding VLAN networks, you must use the syntax vlan ipaddress/subnet. If this box is left blank, no addresses are excluded.

Note: You can exclude up to 128 CIDR entries at one time.

Example: 192.168.1.0/24,2001:DB8::/64,10.2.3.0/22,vlan 172.16.0.0/16,192.168.3.123/32
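
The list syntax described for the Monitored and Excluded Network IP Addresses and Ranges settings can be checked before it is pasted into NNM. The following Python code is an added example, not Tenable code: it parses the comma-separated format, flags the 0.0.0.0/0 default, enforces the 128-entry exclusion limit, and reports monitored ranges that an exclusion fully covers. The function names, the requirement of an explicit prefix length, and the choice to compare VLAN entries only with other VLAN entries are assumptions of this example.

```python
import ipaddress

MAX_EXCLUDED_ENTRIES = 128  # exclusion limit stated in this guide
# The guide's own example list for these settings.
GUIDE_EXAMPLE = "192.168.1.0/24,2001:DB8::/64,10.2.3.0/22,vlan 172.16.0.0/16,192.168.3.123/32"


def parse_network_list(value):
    """Parse a comma-separated range list into (entries, problems)."""
    entries, problems = [], []
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            continue
        vlan = False
        if item.startswith("vlan "):
            vlan, item = True, item[5:].strip()
        elif item.lower().startswith("vlan"):
            # The guide calls the syntax case sensitive: "vlan ipaddress/subnet".
            problems.append(f"{raw.strip()}: write VLAN entries as 'vlan ipaddress/subnet'")
            continue
        if "/" not in item:
            # Assumption of this example: require an explicit prefix length.
            problems.append(f"{raw.strip()}: missing /prefix")
            continue
        try:
            network = ipaddress.ip_network(item, strict=False)
            # True when the written address is not the network's base address.
            host_bits = ipaddress.ip_interface(item).ip != network.network_address
        except ValueError as exc:
            problems.append(f"{raw.strip()}: {exc}")
            continue
        entries.append({"raw": raw.strip(), "vlan": vlan,
                        "network": network, "host_bits": host_bits})
    return entries, problems


def audit_monitoring_scope(monitored, excluded=""):
    """Return a list of findings for a monitored/excluded pair of settings."""
    mon, mon_problems = parse_network_list(monitored)
    exc, exc_problems = parse_network_list(excluded)
    findings = [f"monitored: {p}" for p in mon_problems]
    findings += [f"excluded: {p}" for p in exc_problems]
    if not mon:
        findings.append("monitored: no valid entries")
    for label, entries in (("monitored", mon), ("excluded", exc)):
        for e in entries:
            if e["host_bits"]:
                findings.append(f"{label}: {e['raw']} has host bits set; "
                                f"the enclosing network is {e['network']}")
    for e in mon:
        if e["network"].prefixlen == 0:
            findings.append(f"monitored: {e['raw']} covers every address; "
                            "restrict it to target networks")
    if len(exc) > MAX_EXCLUDED_ENTRIES:
        findings.append(f"excluded: {len(exc)} entries exceed the limit "
                        f"of {MAX_EXCLUDED_ENTRIES}")
    for m in mon:
        for x in exc:
            # Assumption: VLAN entries are only compared with VLAN entries.
            same_kind = (m["vlan"] == x["vlan"]
                         and m["network"].version == x["network"].version)
            if same_kind and m["network"].subnet_of(x["network"]):
                findings.append(f"monitored: {m['raw']} is fully covered "
                                f"by exclusion {x['raw']}")
    return findings


if __name__ == "__main__":
    for finding in audit_monitoring_scope(GUIDE_EXAMPLE, "192.168.0.0/16"):
        print(finding)
```

Run against the guide's example list, the audit reports that 10.2.3.0/22 has host bits set and that its enclosing network is 10.2.0.0/22; the guide does not say how NNM treats such an entry.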

Extended Packet Filter

Specifies a BPF primitive.

The net, IP, IPv6, and VLAN primitives are not supported by this feature. Additionally, the protochain primitive is not supported on Windows platforms.

Click here for further information about the available primitives.

NNM Proxy

NNM Restart Attempts

The number of times the NNM proxy attempts to restart the NNM engine in the event the engine stops running. By default, this option is set to 10, but can be set to any value between 1 and 15. Once the restart attempt limit is reached, the proxy stops trying for 30 minutes.

NNM Restart Interval

The amount of time, in minutes, between NNM restart attempts. By default, this option is set to 10, but can be set to any value between 1 and 3600.

NNM Web Server

Enable SSL for Web Server

When selected, enables SSL protection for connections to the web server. This check box is selected by default. Clearing the check box is not recommended, as it allows unencrypted traffic to be sent between a web browser and NNM. Custom SSL certificates may be installed in the /opt/NNM/var/NNM/ssl directory. Changes to this setting require that NNM be restarted.


Note: Changing this option while NNM is running makes communication between the client and server either encrypted or unencrypted. If you select or clear the Enable SSL for Web Server check box, the Web Server automatically ends your current NNM session.

Minimum Password Length

Specifies the lowest number of characters a password may contain. By default, this option is set to 5, but can be set to any value between 5 and 32.

NNM Web Server Address

Specifies the IPv4 or IPv6 address on which the NNM web server listens. The default setting is 0.0.0.0, which instructs the web server to listen on all available IPv4 and IPv6 addresses.

Note: Link-local addresses are not supported for IPv6 addresses.

NNM Web Server Port

Specifies the NNM web server listening port. The default setting is 8835, but can be changed as appropriate for the local environment.

Note: If you change the value in this box, the Web Server automatically ends your current NNM session.

NNM Web Server Idle Session Timeout

Specifies the number of minutes of inactivity before a web session becomes idle. By default, this option is set to 30, but can be set to any value between 5 and 60.

Enable SSL Client Certificate Authentication

When enabled, allows the web server to accept only SSL client certificates for user authentication.

Enable Debug Logging for NNM Web Server

When enabled, allows the web server to include debug information in the logs for troubleshooting issues related to the web server. The logs become very large if this option is routinely enabled.

Maximum User Login Attempts

Specifies the number of times a user can type an incorrect password in a 24 hour period before the user’s account is locked.

Max Sessions per User

Specifies the number of concurrent sessions a user can have running at one time.

Enforce Complex Passwords

When enabled, forces the user’s passwords to contain at least one uppercase character, one lowercase character, one digit, and one special character from the following: !@#$%^&*().

Restrict Access to TLS 1.2 or higher

When enabled, forces the NNM web server to use TLS 1.2 or higher communications. By default, this option is enabled.

Note: If you disable this option, you must enable the use of TLS < 1.2.

Plugins

Process High Speed Plugins Only

NNM is designed to find various protocols on non-standard ports. For example, NNM can easily find an Apache server running on a port other than 80. However, on a high traffic network, NNM can be run in High Performance mode, which allows it to focus certain plugins on specific ports. When High Performance mode is enabled and this check box is selected, any plugin that utilizes the keywords hs_dport or hs_sport is executed only on traffic traversing the specified ports.

Realtime Events

Realtime Events File Size

Specifies the maximum amount of data from real-time events that is stored in one text file. The option must be specified in kilobytes, megabytes, or gigabytes by appending a K, M, or G, respectively, to the value.

Log Realtime Events to Realtime Log File

When enabled, allows NNM detected real-time events to be recorded to a log file in the following location:

/opt/NNM/var/NNM/logs/realtime-logs-##.txt

This option can be configured via the CLI.

Enable Realtime Event Analysis

When enabled, allows NNM to analyze real-time events.

Maximum Viewable Realtime Events

Specifies the maximum number of most recent events cached by the NNM engine. This setting is in effect only when Realtime Event Analysis is enabled.

Maximum Realtime Log Files

Specifies the maximum number of realtime log files written to the disk.

Reports


Report Threshold

Specifies the number of times the encryption detection algorithm executes during a session. Once the threshold is reached, the algorithm no longer executes during the session. By default, this option is set to 3.

Report Lifetime

Specifies, in days, how long vulnerabilities and snapshot reports are cached. After the configured number of days is met, discovered vulnerabilities and snapshot reports are removed. This option can be set to a maximum value of 90 days. By default, this option is set to 7 and cannot be set higher than the Host Lifetime value.

Host Lifetime

Specifies, in days, how long hosts are cached. After the configured number of days is met, discovered hosts are removed. This option can be set to a maximum value of 365 days. By default, this option is set to 7 and cannot be set lower than the Report Lifetime value.

Report Frequency

Specifies, in minutes, how often NNM writes a report. By default, this option is set to 15. Tenable.sc retrieves the NNM report every 15 minutes.

Knowledgebase Lifetime

Specifies, in seconds, the maximum length of time that a knowledgebase entry remains valid after its addition. By default, this option is set to 864000.

New Asset Discovery Interval

Specifies, in days, how long NNM monitors traffic before detecting new hosts. NNM listens to network traffic and attempts to discover when a new host has been added. To do this, NNM constantly compares a list of hosts that have generated traffic in the past to those currently generating traffic. If it finds a new host generating traffic, it issues a “new host alert” via the real-time log. For large networks, NNM can be configured to run for several days to gain knowledge about which hosts are active. This prevents NNM from issuing an alert for hosts that already exist. For large networks, Tenable® recommends that NNM operate for at least two days before detecting new hosts. By default, this option is set to 2.

Connections to Services

When enabled, allows NNM to log which clients attempt to connect to servers on the network and to what port they attempt to connect. They indicate only that an attempt to connect was made, not whether the connection was successful. Events detected by NNM of this type are logged as NNM internal plugin ID 2.

Show Connections

When enabled, instructs NNM to record clients in the focus network that attempt to connect to a server IP address and port and receive a positive response. The record contains the client IP address, the server IP address, and the server port that the client attempted to connect to. For example, if four different hosts within the focus network attempt to connect with a server IP over port 80 and received a positive response, then a list of those hosts is reported under NNM internal plugin ID 3 and port 80.

Known Hosts File:

Note: You can only configure this feature via the command line interface.

A configuration parameter in which you can type the location of the known-hosts.txt file. You must manually create the Known Hosts file.

This feature supports a single row for each IP (IPv4 or IPv6). Hyphenated ranges and CIDR notation are not supported. New host alerts no longer appear for the hosts listed in this file.

Note: Blank rows are ignored, and invalid entries are noted in the NNM log file. If you make any changes to the Known Hosts file, you must restart NNM.

Session Analysis

Encrypted Sessions Dependency Plugins: Specifies the Plugin IDs, separated by commas, used to detect encrypted traffic.

Encrypted Sessions Excluded Network Ranges: Specifies the IPv4 and IPv6 addresses and ports, in CIDR notation, excluded from monitoring for encrypted traffic.

Example: 192.168.1.0/24,2001:DB8::/64,10.2.3.0/22,vlan172.16.0.0/16,192.168.3.123/32

Interactive Sessions Dependency Plugins: Specifies the plugin IDs, separated by commas, used to detect interactive sessions.

Interactive Sessions Excluded Network Ranges: Specifies the IPv4 and IPv6 addresses and ports, in CIDR notation, excluded from monitoring for interactive sessions.

Example: 192.168.1.0/24,2001:DB8::/64,10.2.3.0/22,vlan172.16.0.0/16,192.168.3.123/32


Syslog

Realtime Syslog Server List: Specifies the IPv4 or IPv6 address and port of a Syslog server to receive real-time events from NNM. Click Add to save the address. A local Syslog daemon is not required. Syslog items can be specified to Standard or CEF formats as well as UDP or TCP protocols.

Example: 192.168.1.12:4567,10.10.10.10:514,[2001:DB8::23B4]:514

Vulnerability Syslog Server List: Specifies the IPv4 or IPv6 address and port of a Syslog server to receive vulnerability data from NNM. Click Add to save the address. A local Syslog daemon is not required. Syslog items can be specified to Standard or CEF formats as well as UDP or TCP protocols.

Example: 192.168.1.12:4567,10.10.10.10:514,[2001:DB8::23B4]:514

Note: While NNM may display multiple log events related to one connection, it sends only a single event to the remote Syslog server(s).
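The Known Hosts File rules given earlier in this table (one IPv4 or IPv6 address per row, no hyphenated ranges, no CIDR notation, blank rows ignored) can be checked before NNM is restarted. The following is an added example, not Tenable code: the function name, the constructed sample rows, the whitespace handling and the duplicate check are assumptions of this sketch.

```python
import ipaddress

# Constructed sample rows for a known-hosts.txt file (not taken from the guide).
SAMPLE_ROWS = [
    "192.168.1.10",
    "",                            # blank rows are ignored
    "2001:DB8::23B4",
    "10.2.3.0/22",                 # CIDR notation: not supported
    "192.168.1.20-192.168.1.30",   # hyphenated range: not supported
    "192.168.1.40-45",             # short-form range: not supported
    "fileserver01",                # hostname, not an IP address
    "192.168.1.10",                # repeats row 1
]


def _is_ip(text):
    """True if text is exactly one IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def lint_known_hosts(text):
    """Check Known Hosts file content against the rules in the guide.

    Returns (valid, problems): valid is a list of normalised addresses,
    problems is a list of (row_number, entry, reason) tuples.
    """
    valid, problems, first_seen = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        # Assumption: surrounding whitespace is not significant.
        entry = raw.strip()
        if not entry:
            continue  # blank rows are ignored, as the guide states
        if "/" in entry:
            problems.append((lineno, entry, "CIDR notation is not supported"))
        elif "-" in entry and _is_ip(entry.split("-", 1)[0].strip()):
            problems.append((lineno, entry, "hyphenated range is not supported"))
        elif not _is_ip(entry):
            problems.append((lineno, entry, "not an IPv4 or IPv6 address"))
        else:
            addr = ipaddress.ip_address(entry)
            if addr in first_seen:
                # Hygiene check added by this sketch; the guide does not
                # say how NNM treats repeated rows.
                problems.append(
                    (lineno, entry, f"duplicate of row {first_seen[addr]}")
                )
            else:
                first_seen[addr] = lineno
                valid.append(str(addr))
    return valid, problems


if __name__ == "__main__":
    ok, bad = lint_known_hosts("\n".join(SAMPLE_ROWS))
    print("valid entries:", ok)
    for lineno, entry, reason in bad:
        print(f"row {lineno}: {entry!r}: {reason}")
```

Rows flagged here are the ones that would otherwise keep producing new host alerts, because NNM notes an invalid entry in its log file rather than treating it as a known host.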


Configure the Performance Mode

Before You Begin

This option appears only when NNM is licensed to run in High Performance mode and the machine running NNM meets the hardware and software requirements for High Performance mode. By default, all instances of NNM run in Standard mode.

NNM must restart when switching between performance modes.

To configure the performance mode:

1. Click Configuration > NNM Settings.

2. Under the Performance Mode heading, click the Enable High Performance Mode box to toggle between Yes and No. If you select Yes, continue to step 3. If you select No, continue to step 4.

3. In the Number of Worker Cores drop-down box, select the appropriate number of worker cores.

Note: This option cannot be changed when NNM is already running in High Performance mode.

4. Click the Update button.

A dialog box appears confirming your selection to change the performance mode.

5. Click the Confirm button.

NNM restarts and the login screen appears. When the NNM server resumes, a notification appears indicating whether the configuration change was successful.

Note: NNM may use a different number of cores than the number you select. Based on system constraints and your selection, NNM selects the closest number of worker cores that it can feasibly support.


6. Log in to NNM.

The performance mode updates.


Feed Settings Section

The Feed Settings section allows you to:

Name Description

Register Offline check box: A check box that allows offline registration of NNM.

Activation Code box: Updates the activation code. The Activation Code only needs to be updated when it expires.

Fetch Plugins From drop-down box: A drop-down box from which you can specify where you wish to fetch plugins. Click Update to fetch the plugins.

Offline Plugin Archive: Uploads plugins to perform offline updates. Choose File to select the file to upload, then click Upload Archive to upload the archive.

Host Address box: A box in which you can specify a custom plugin feed host. Click Update to save the host.

Offline Update

The Offline Update allows a user with administrative privileges to manually update plugins when the NNM host cannot connect to the Internet.

1. Download the plugin update archive from Tenable®.

2. Click Choose File.

3. Select the archive tarball to upload.

4. Click the Upload Archive button to send the file to the NNM host.

5. Click the Upload Archive button again to update the plugins.

6. If a new client is part of the update, you must refresh the web browser to see the updated client.

The Custom Plugin Feed host is an alternate feed host. These are typically hosted on a local network to provide custom NNM plugins.


When running Standalone NNM or NNM in High Performance mode as Managed by Tenable.sc or Managed by Tenable.io, you must type an Activation Code before clicking the Update button. The button schedules a plugin update when NNM is running in Standalone mode. Additionally, when registering NNM in Offline mode, you need the Activation Code to obtain the Activation Key.


Download New Vulnerability Plugins

Before You Begin

When NNM is registered in Standalone mode using an Activation code, plugins are updated automatically every 24 hours after the service is started.

If Tenable.sc or Tenable.io is used to manage NNM, new plugins for NNM are automatically sent at scheduled intervals.

To manually download new vulnerability plugins:

1. Click Configuration > Feed Settings.

2. Next to the Fetch Plugins From drop-down box, click the button.

Tip: The plugins can also be updated by using the following command:

# /opt/nnm/bin/nnm --update-plugins


Updating the NNM Management Interface

On occasion, the NNM management interface must be updated to provide new or updated features.

To manually update the plugins:

1. Download the latest plugins using the URL created during the offline registration process.

2. Log in to the NNM interface as a user with administrative privileges.

3. Click Configuration > Feed Settings.

4. In the Offline Update section, click Choose File.

A dialog box appears.

5. Select the archive file to upload.

6. Click Upload Archive to send the file to the NNM host, which updates the plugins.

7. Stop NNM on the host.

8. Restart NNM on the host.

The new interface is available for use.


Cloud Settings Section

The Cloud Settings section provides options for configuring NNM to communicate with Tenable.io.

Note: Any web proxies configured do not apply to Tenable.io connections.

Name Description

Cloud Host: The domain name or IP address of the Tenable.io server: cloud.tenable.com.

Cloud Port: The port of the Tenable.io server: 443.

Cloud Key: The Tenable.io key used to link this instance of NNM to a Tenable.io account. See Link a Scanner in the Tenable.io User Guide for more information.

Polling Frequency: The frequency, in seconds, with which NNM updates its status with Tenable.io and asks for a list of jobs.

NNM Name: The unique name used to identify this instance of NNM in Tenable.io.


By default, Tenable.io pulls data from the NNM scanner every 60 minutes. This is determined by the Report Frequency setting in Tenable.io. Once the linked NNM scanner is added to Tenable.io, a scan is automatically created and results are collected from NNM. If the Report Frequency setting is changed, the scans adjust automatically.


Industrial Security Settings Section

Industrial Security is end-of-life (EOL). For information about EOL dates and policies for Tenable products, see the Tenable Software Release Lifecycle Matrix and Policy.

The Industrial Security Settings section provides options for configuring Industrial Security with NNM. For more information, see Configure NNM for use with Industrial Security.

Name Description

Industrial Security Host: The domain name or IP address of the Industrial Security server.

Industrial Security Port: The port of the Industrial Security server.

Industrial Security Key: The key used to link this instance of NNM to an Industrial Security account.


Polling Frequency: The frequency, in seconds, with which NNM updates its status with Industrial Security and asks for a list of jobs.

NNM Name: The unique name used to identify this instance of NNM on Industrial Security.


Web Proxy Settings Section

The Web Proxy Settings section configures the settings for a web proxy if one is needed for plugin updates. These settings include the proxy host IP address, port, username, password, and, if a custom agent string is needed, a user-agent box.

Note: Any web proxies configured do not apply to Tenable.io connections.

Name Description

Host Address: The host address of the web proxy server.

Port: The port of the web proxy server.

Username: The username for the web proxy server.

Password: The password for the web proxy server.

User-Agent String: The user-agent string for the web proxy server.


Chart Settings Section

The Chart Settings section displays all charts available, provides options for creating and configuring charts, and allows the user to add or remove charts in the Dashboards section.

In the Chart Settings section you can view:

- The chart Type.

- The Name of the chart.

- A Description of the chart.

- The chart's Dashboard Family.

- A toggle that determines if the chart appears in the Dashboard. Click the option to toggle between Yes and No.

Click on a chart to edit the chart.


Create a Custom Chart

To create a custom chart:

1. Click Configuration > Chart Settings > Create Chart.

The Create Chart window appears.

2. In the Name box, type a name for the chart.

Note: In this example, we are creating a chart that displays the top vulnerabilities for machines reporting associated BitTorrent activity.

3. In the Description box, type a description for the chart.

4. In the Chart Type section, select the type of chart you want to create.

5. In the Dashboard Family section, type a numeric value between 1 and 20 that represents the number of items returned for this chart.

6. Click Top to add the value to the Current Chart Query section.


7. In the Category section, select a chart category. The selected category determines the type of items displayed on the chart, such as hosts, vulnerabilities, applications, operating systems, or connections.

8. In the Filters section, configure the options by which you want to filter the results.

Note: In this example, we are creating a filter based on the Plugin ID 3920. This triggers when BitTorrent client activity is detected.

9. Click the + button to apply the rule to the chart.

10. In the Viewable section, select whether you want the chart to appear on the main dashboard.

11. Click the Create Chart button. The chart appears in the Dashboards section of the Monitoring page.


Delete a Chart

Note: You cannot delete default charts.

To delete a chart:

To delete one chart:

1. Click Configuration > Chart Settings.

2. Hover over the chart you want to delete.

3. On the right side of the row, click the button.

A dialog box appears confirming your selection to delete the chart.

4. Click Delete.

The chart is deleted.

To delete multiple charts:

1. Click Configuration > Chart Settings.

2. On the left side of the row for the chart you want to delete, select the check box.

3. Repeat step 2 for each chart you want to delete.

4. Click Actions > Delete Charts.

A dialog box appears confirming your selection to delete the charts.

5. Click Delete.

The charts are deleted.


Email Settings Section

The Email Settings section allows you to Create an Email Notification for NNM. You can specify the recipients of the email notifications, what charts appear in email notifications, and the time and frequency with which email notifications are sent. To send a report immediately, in the Email Settings section, hover over an existing email notification and click the paper airplane icon.

When you select SMTP Server in the Setting Type drop-down box, the following options for configuring the SMTP server appear:

Name Description

Host: The host or IP of the SMTP server (e.g., smtp.example.com).

Port: The port of the SMTP server (e.g., 25).

From: The name that appears in the "From" line of the email report.

NNM Location: The IP address or hostname of your NNM server. This works only if the user that receives the email report can reach the NNM host.

Auth Method: The method by which the SMTP server is authenticated. Supported methods are None, Plain, NTLM, Login, and CRAM-MD5.

Note: If this option is set to None, the Username and Password boxes are hidden.

Username: The username used to authenticate to the SMTP server.

Password: The password associated with the username, provided that a password is required by the SMTP server.


Create an Email Notification

To create an email notification:

1. Click Email Settings > Create Email Notification.

The Create Email Notification window appears.

2. In the Name box, type a name for the email notification.

3. In the Description box, type a description for the email notification.

4. Click Next Step.

The Add Charts screen appears.

5. Select the check boxes that correspond to the charts you want to add to the email notification.

6. Reorder the charts by clicking and dragging the appropriate button.

7. Click Next Step.

The Schedule Email Notification screen appears.

8. Select the frequency, date, and time at which you want the email notification to be sent. Depending on the option you select in the Frequency box, the following additional options appear:

Frequency Options

Once: None

Hourly: Repeat Every - a drop-down box that includes options from 1 to 20 hours.

Daily: Repeat Every - a drop-down box that includes options from 1 to 20 days.

Weekly: Repeat Every - a drop-down box that includes options from 1 to 20 weeks.
Repeat On - a multi-selectable list of the days of the week.

Monthly: Repeat Every - a drop-down box that includes options from 1 to 20 months.
Repeat By - a drop-down box that includes the options Week of Month and Day of Month.

Yearly: Repeat Every - a drop-down box that includes options from 1 to 20 years.


The Summary box updates automatically depending on your selection.

9. Click Next Step.

The Add Recipients screen appears.

10. In the Recipients box, type an email address and click the button until you have added all desired recipients.

11. Click Next Step.

The Review Email Notification screen appears, which displays a summary of your email notification configuration.

12. Review the notification details.

13. Click Finish.


Delete an Email Notification

To delete an email notification:

To delete one email notification:

1. Click Configuration > Email Settings.

2. Hover over the email notification you want to delete.

3. On the right side of the row, click the button.

A dialog box appears confirming your selection to delete the email notification.

4. Click the Delete button.

The email notification is deleted and the corresponding notifications are no longer sent.

To delete multiple email notifications:

1. Click Configuration > Email Settings section.

2. On the left side of the row for the email notification you want to delete, select the check box.

3. Repeat step 2 for each email notification you want to delete.

4. Click Actions > Delete Notifications.

A dialog box appears confirming your selection to delete the email notifications.

5. Click the Delete button.

The email notifications are deleted and the corresponding notifications are no longer sent.


Plugin Settings Section

The Plugin Settings section allows you to create custom plugins and also to enable and disable existing plugins and PASLs.

The Plugin Settings section contains the following subsections:

- Plugin Management: displays a list of enabled and disabled plugins, respectively, the options to move plugins between those lists, and the option to delete custom plugins.

- PASL Management: displays a list of enabled and disabled PASLs, respectively, and the options to move PASLs between those lists.

- Create Custom Plugin: displays options for creating custom plugins and creating new plugin fields.

The following table provides a brief summary of each option available in the Create Custom Plugins subsection:

Custom Plugin Option Purpose

ID: The unique numeric ID of the plugin.

Name: The name of the plugin. The plugin name should start with the vendor name.

Description: The full text description of the vulnerability.

Synopsis: A brief description of the plugin or vulnerability.


Solution: Remediation information for the vulnerability.

See Also: External references to additional information regarding the vulnerability.

Risk: Info, Low, Medium, High, or Critical risk factor.

Plugin Output: Displays dynamic data in NNM plugin reports.

Family: The family to which the plugin belongs.

Dependency: Other dependencies required to trigger the custom plugin.

No Plugin: Prevents a plugin from being evaluated if another plugin has already matched. For example, it may make sense to write a plugin that looks for a specific anonymous FTP vulnerability, but to disable it if another plugin that checked for anonymous FTP had already failed.

No Output: For plugins that are written specifically to be used as part of a dependency with another plugin. When enabled, this keyword causes NNM not to report anything for any plugin.

Client Issue: Indicates the vulnerability is located on the client side.

Plugin Type: Vuln, realtime, or realtimeonly plugin type.

cve: The CVE reference.

bid: The Bugtraq ID (BID) reference.

osvdb: The external reference (e.g., OSVDB, Secunia, MS Advisory).

nid: To track compatibility with the Nessus vulnerability scanner, Tenable® associates NNM vulnerability checks with relevant Nessus vulnerability checks. Multiple Nessus IDs can be listed under one nid entry such as nid=10222,10223.

cpe: Filters the result of discovered vulnerabilities based on their CPE identifier.

Match: This keyword specifies a set of one or more simple ASCII patterns that must be present in order for the more complex pattern analysis to take place. The match keyword gives NNM significant performance and functionality.

Regex: Specifies a complex regular expression search rule applied to the network session.

Revision | The revision number associated with the custom plugin.
Raw Text Preview | A preview of the custom plugin in raw text. An example of a custom plugin created to find an IMAP Banner of Tenable Rocks is:

id=79000
name=IMAP Banner
description=An IMAP server is running on this port. Its banner is Tenable Rocks
risk=NONE
match=OK
match=IMAP
match=server ready
regex=^.*OK.*IMAP.*Tenable Rocks
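The following added example (not Tenable code and not how the NNM engine is implemented) parses the raw plugin text above and models the two-stage evaluation the Match and Regex rows describe: the regex only runs once every match pattern is present. The function names and the sample banners are constructed for illustration, and treating match patterns as case-sensitive substrings is an assumption.

```python
import re

# The custom plugin shown in the Raw Text Preview row, one keyword per line.
PLUGIN_TEXT = """\
id=79000
name=IMAP Banner
description=An IMAP server is running on this port. Its banner is Tenable Rocks
risk=NONE
match=OK
match=IMAP
match=server ready
regex=^.*OK.*IMAP.*Tenable Rocks
"""


def parse_plugin(text):
    """Parse keyword=value lines; 'match' may repeat and is kept as a list."""
    plugin = {"match": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        if not sep or not key:
            raise ValueError(f"line {lineno}: expected keyword=value, got {raw!r}")
        if key == "match":
            plugin["match"].append(value)
        elif key in plugin:
            raise ValueError(f"line {lineno}: keyword {key!r} given twice")
        else:
            plugin[key] = value
    if "id" not in plugin:
        raise ValueError("plugin has no id")
    return plugin


def evaluate(plugin, payload):
    """Model the two-stage check for one session payload.

    Returns (stage, hit): stage is "match" when a required simple pattern is
    absent (the regex is never run), otherwise "regex".
    Assumption: match patterns are treated as case-sensitive substrings.
    """
    for pattern in plugin["match"]:
        if pattern not in payload:
            return ("match", False)
    regex = plugin.get("regex")
    if regex is None:
        return ("match", True)
    return ("regex", re.search(regex, payload, re.MULTILINE) is not None)


# Constructed banners, not captured traffic.
SAMPLE_BANNERS = [
    "* OK IMAP4rev1 server ready Tenable Rocks",  # passes match and regex
    "* OK IMAP4rev1 server ready",                # passes match, fails regex
    "220 mail.example.test ESMTP Postfix",        # rejected by the match prefilter
]


def run_samples():
    """Evaluate every sample banner against the parsed plugin."""
    plugin = parse_plugin(PLUGIN_TEXT)
    return [evaluate(plugin, banner) for banner in SAMPLE_BANNERS]


if __name__ == "__main__":
    for banner, (stage, hit) in zip(SAMPLE_BANNERS, run_samples()):
        print(f"{stage:5} {'HIT ' if hit else 'miss'} {banner}")
```

The second banner shows why the match lines alone are not a detection: a generic IMAP greeting satisfies all three and is only rejected by the regex.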


Add a Plugin Field

1. Click Configuration > Plugin Settings > Setting Type > Create Custom Plugin > Add Plugin Field.

The Add Plugin Field window appears.

2. In the Name box, type a name for the plugin.

3. From the Value Type drop-down box, select a value type for the plugin.

4. If you wish to allow duplicates of this plugin, select the Allow Duplicates check box.

5. If you wish to replace XML special characters, select the Replace XML Special Characters check box.

6. Click Add.

The new plugin fields appear below the No Output check box.


Delete a Custom Plugin

1. Click Configuration > Plugin Settings.

2. Select the custom plugin(s) that you want to delete.

3. Click Actions > Delete Custom Plugins.

A dialog box appears confirming your selection to delete the custom plugins. You can delete only user-created plugins.

4. Click Delete.

The custom plugins are deleted.


Nessus Scanner Settings Section

The Nessus Scanner Settings section provides a list of the available Nessus 6.4+ scanners and the ability to add, edit, or remove a Nessus scanner.

Note: Nessus Professional 7 is not supported.

Each Nessus scanner must be configured with the following parameters:

Name | Description
Scanner Host | The domain name or IP address of the Nessus server.
Scanner Port | The port of the Nessus server.
Access Key | The first half of a Nessus API Key, which is used to authenticate with the Nessus REST API.
Secret Key | The second half of a Nessus API Key, which is used to authenticate with the Nessus REST API.

Note: For details on how to obtain an API Key (Access Key and Secret Key), refer to the Nessus user guide.


Add a Nessus Scanner

To add a Nessus Scanner:

1. Click Configuration > Nessus Scanner Settings > Add Nessus Scanner.

The Add Nessus Scanner window appears.

2. In the Scanner Host box, type the domain name or IP address of the Nessus server.

3. In the Scanner Port box, type the port of the Nessus server.

4. In the Access Key box, type the first half of a Nessus API Key, which is used to authenticate with the Nessus REST API.

5. In the Secret Key box, type the second half of a Nessus API Key, which is used to authenticate with the Nessus REST API.

6. Click the Add Nessus Scanner button.

The Nessus scanner appears in the Nessus Scanner Settings section.


Delete a Nessus Scanner

To delete a Nessus scanner:

To delete one Nessus Scanner:

1. Click Configuration > Nessus Scanner Settings.

2. Hover over the scanner you want to delete.

3. Click the button.

A dialog box appears confirming your selection to delete the scanner.

4. Click Delete.

The scanner is deleted.

To delete multiple Nessus Scanners:

1. Click Configuration > Nessus Scanner Settings section.

2. On the left side of the row for the scanner you want to delete, select the check box.

3. Repeat step 2 for each scanner you want to delete.

4. Click Actions > Delete Nessus Scanners.

A dialog box appears confirming your selection to delete the scanners.

5. Click Delete.

The scanners are deleted.


Additional Resources

This section describes the following information about NNM that is not included in the Features and How To sections:

- Command Line Operations
- Unknown or Customized Ports
- Real-Time Traffic Analysis Configuration Theory
- Modules
- Internal NNM Plugin IDs
- NNM Plugins
- Working with Tenable.sc
- Syslog Message Formats
- Custom SSL Certificates
- Configure NNM for Certificates

For more NNM deployment information, see the NNM Deployment Guide.


Command Line Operations

The NNM engine provides many options to update and configure NNM from the command line in Linux, Windows, and macOS. All command lines should be run by users with root or administrative privileges.

- Common Command Line Operations
- Linux Command Line Operations
- Windows Command Line Operations
- macOS Command Line Operations


Common Command Line Operations

NNM can be run from the command line to update plugins, perform configuration tasks, and analyze Pcap files to generate a report file for use with Tenable.sc or other programs. Running the NNM binary with the -h option displays a list of available options.

Note: You must stop NNM before running command line operations.

NNM Binary Locations

The NNM binary for Linux can be found in the following location:

# /opt/nnm/bin/nnm

The NNM binary for Windows can be found in the following location:

C:\Program Files\Tenable\NNM\nnm.exe

The NNM binary for macOS can be found in the following location:

# /Library/NNM/bin/nnm

NNM Command Line Options

Note: While you can configure many advanced settings via the command line using custom parameters, others use standard parameters. For example, while the ACAS Classification setting uses the custom --add parameter, the Login Banner setting does not require the --add parameter.

Option | Purpose
-a <activation code> | Type the Activation Code to activate NNM in standalone mode to enable plugin updates and monitoring functions.
 | If your NNM system is managed by Tenable.sc and is running in Standard mode, you can use the following command: -a SecurityCenter
 | If your NNM system is managed by Tenable.sc and is running in High Performance mode, you can use the following command: -a SecurityCenter <activation code>
 | If your NNM system is managed by Tenable.io and is running in Standard mode, you can use the following command: -a Cloud
 | If your NNM system is managed by Tenable.io and is running in High Performance mode, you can use the following command: -a Cloud <activation code>
 | Before running the -a command for NNM that is managed by Tenable.io, you should first configure the Cloud Host, Cloud Port, Cloud Key, and NNM Name parameters.
--config --add "custom_parametername" "parametervalue" | Add a custom configuration parameter for NNM or an NNM Proxy. The double quote characters are required, although single quotes may be used when special characters are required.
--config --delete "custom_parametername" | The delete command may be used to remove custom configuration parameters.
--config --list | Lists the current NNM and NNM Proxy configuration parameters. Parameter values are listed to the left of the colon character and are case sensitive. The value of the parameter displays to the right of the colon character.
--config "parametername" ["parametervalue"] | Displays the defined parameter value. If a value is added at the end of the command, the parameter updates with the new setting. The double quote characters are required, although single quotes may be used when special characters are required.
 | Note: While CLI changes to some parameters do not require restarting NNM for the change to take effect, you must restart NNM after changing the location of the realtime log file.
-d debug mode | Runs NNM in debug mode for troubleshooting purposes. This option causes the system to use more resources and should be enabled only when directed by a Tenable Support Technician.
-f packet_dump_file | Replaces packet_dump_file with the path to the .pcap or .pcapng file you want NNM to process.
 | Note: Windows does not support the pcapng format.
-h | Displays the command line options help file.
-k | Displays the NNM activation status.
-L | Displays a list of the license declarations.
-l | Displays a list of the plugin IDs that are loaded by NNM.
--list-interfaces | Displays the interfaces that NNM can access for packet collection. Useful to display interfaces to 10Gb cards running in high performance mode.
-m | Shows various aspects of memory usage during the processing of the NNM command.
-p packet_dump_file | Dumps payload packet data in Hex and ASCII to the specified packet_dump_file. This command dumps internal data from packet and plugins processing. This can be useful for debugging plugin issues.
NNM --users --add | Adds a new user to NNM. Optionally, you can add the following arguments: NNM --users --add ["username" "password" admin]
 | Expected values for "admin" flag are:
 | 1 - grant user administrative privileges
 | 0 - don't grant user administrative privileges
NNM --users --chpasswd | Changes an NNM user's password.
NNM --users --delete "user" | Removes a user from NNM, where "user" is the username to be deleted.
--register-offline <license file> | Registers NNM in offline mode when you insert the license file obtained from Tenable®.
--config 'Software Update Type' <0-3> | Configures the type of software update that runs when NNM updates.
 | 0 - Disables all updates.
 | 1 - Updates only plugins.
 | 2 - Updates web server, HTML client, and plugins.
 | 3 - Updates all components (web server, HTML client, plugins, and engine).
--update-software <update package tarball> | Runs a software update using the setting you configured for Software Update Type. Optionally, if you are running NNM in offline mode and have a custom update package, append the update package tarball name.
-v | Shows the version information about the installed instance of NNM.


Linux Command Line Operations

You must run all commands with root privileges.

Start, Stop, or Restart NNM

Action | Command to Manage NNM
Start | # service nnm start
 | then
 | # ps aux|grep nnm
Stop | # service nnm stop
Restart | # service nnm restart

Once a day, as scheduled, if Tenable.sc has received new NNM plugins from Tenable®, it installs them in the NNM plugin directory. NNM detects the change, automatically reloads, and begins using the new plugins.

Real-time NNM data is communicated to the configured LCE server or Syslog server(s) in real-time.

Configure HugePages

Before You Begin

These steps assume that your system meets the System Requirements necessary for running NNM in High Performance mode.

To configure HugePages:

1. Ensure your HugePages settings are correct by using the following command:

# grep Huge /proc/meminfo
AnonHugePages: 0 kB
HugePages_Total: 1024
HugePages_Free: 1024
HugePages_Rsvd: 0
HugePages_Surp: 0
Hugepagesize: 2048 kB

The Hugepagesize parameter is set to 2048 kB by default, but this option is configurable. NNM requires a minimum of 1024 HugePages that are at least 2048 kB in size.

Note: In some cases, the HugePages_Free parameter may be set to 0, however, this does not necessarily indicate insufficient HugePage memory.

2. Reserve a certain amount of memory to be used as HugePages by using the following command to update the kernel parameter manually:

/bin/echo 1024 > /sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages

The number of HugePages reserved by the kernel changes to 1024, and HugePages become available.

Note: If the kernel does not have enough memory available to satisfy this request, the command may fail without notifying the user. After running this command, the HugePages configuration should be checked again using the command in step 1.

3. To ensure that your HugePages configuration persists across system reboots, refer to the following section that corresponds to your Linux kernel version.

CentOS 6

Update the persistent kernel configuration files using one of the following commands:

In the /etc/sysctl.conf file, add the vm.nr_hugepages=1024 parameter and reload the kernel configuration with the sysctl -p command. Alternatively, you can reboot the system.

-or-

In the /etc/grub.conf file, on the kernel startup line, add the hugepages=1024 parameter and reboot the system.

CentOS 7

Update the persistent kernel configuration files using one of the following commands:


In the /etc/sysctl.conf file, add the vm.nr_hugepages=1024 parameter and reload the kernel configuration with the sysctl -p command. Alternatively, you can reboot the system.

-or-

In the /etc/sysconfig/grub file, on the kernel startup command (GRUB_CMDLINE_LINUX), add the hugepages=1024 parameter. Reload the kernel configuration with the grub2-mkconfig -o /etc/grub2 command and reboot the system.

4. Connect the file system to the HugePages subsystem using the following steps:

a. Execute the /bin/mkdir -p /mnt/nnm_huge command.

b. Execute the /bin/mount -t hugetlbfs nodev /mnt/nnm_huge command.

c. Additionally, open the /etc/fstab file location and add the following record:

nodev /mnt/nnm_huge hugetlbfs rw 0 0
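Because the reservation in step 2 can fall short without any error, a post-change check is worth scripting. The following added example (not part of the Tenable guide) checks /proc/meminfo and /proc/mounts text against the minimums and mount point stated above; the function names, the partial-allocation sample, and the mounts samples are constructed for illustration.

```python
MIN_PAGES = 1024      # minimum number of HugePages stated in the guide
MIN_PAGE_KB = 2048    # minimum size of each HugePage, in kB
MOUNT_POINT = "/mnt/nnm_huge"

# Values from the step 1 output in the guide.
MEMINFO_OK = """\
AnonHugePages:         0 kB
HugePages_Total:    1024
HugePages_Free:     1024
HugePages_Rsvd:        0
HugePages_Surp:        0
Hugepagesize:       2048 kB
"""

# Constructed: all pages reserved but currently in use (HugePages_Free is 0).
MEMINFO_IN_USE = MEMINFO_OK.replace("HugePages_Free:     1024",
                                    "HugePages_Free:        0")

# Constructed: the kernel could only satisfy part of the step 2 request.
MEMINFO_PARTIAL = MEMINFO_OK.replace("HugePages_Total:    1024",
                                     "HugePages_Total:     612")

# Constructed /proc/mounts excerpts.
MOUNTS_OK = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
nodev /mnt/nnm_huge hugetlbfs rw,relatime 0 0
"""
MOUNTS_MISSING = "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"


def parse_meminfo(text):
    """Return {field: int} for the Huge* lines of /proc/meminfo-style text."""
    fields = {}
    for line in text.splitlines():
        name, sep, rest = line.partition(":")
        if not sep or "huge" not in name.lower():
            continue
        parts = rest.split()
        if parts and parts[0].isdigit():
            fields[name.strip()] = int(parts[0])  # unit suffix (kB) is dropped
    return fields


def check_hugepages(meminfo_text, mounts_text):
    """Return a list of problems; an empty list means the stated minimums are met."""
    problems = []
    info = parse_meminfo(meminfo_text)
    total = info.get("HugePages_Total")
    size_kb = info.get("Hugepagesize")
    if total is None or size_kb is None:
        problems.append("HugePages_Total or Hugepagesize missing from meminfo")
    else:
        if total < MIN_PAGES:
            problems.append(
                f"HugePages_Total is {total}, need at least {MIN_PAGES}")
        if size_kb < MIN_PAGE_KB:
            problems.append(
                f"Hugepagesize is {size_kb} kB, need at least {MIN_PAGE_KB} kB")
    # HugePages_Free is deliberately not checked: the guide notes that a value
    # of 0 does not necessarily indicate insufficient HugePage memory.
    mounted = any(
        len(f) >= 3 and f[1] == MOUNT_POINT and f[2] == "hugetlbfs"
        for f in (line.split() for line in mounts_text.splitlines())
    )
    if not mounted:
        problems.append(f"no hugetlbfs file system mounted at {MOUNT_POINT}")
    return problems


if __name__ == "__main__":
    # On a real host, read the live kernel files instead of the samples.
    with open("/proc/meminfo") as mem, open("/proc/mounts") as mnt:
        issues = check_hugepages(mem.read(), mnt.read())
    print("\n".join(issues) if issues
          else "HugePages configuration meets the stated minimums")
```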

File Locations

NNM installs its files in the following locations:

Path | Purpose
/opt/nnm | Base directory.
/opt/nnm/bin | Location of the NNM and NNM Proxy executables, plus several helper tools for the NNM Proxy daemon.
/opt/nnm/docs | Contains the software license agreement for NNM.
/opt/nnm/var | Contains the folders for NNM and the NNM-Proxy.
/opt/nnm/var/nnm | Contains plugins, discovered vulnerabilities, log files, keys, and other miscellaneous items.
db | Contains the database files related to the configuration, reports, and users for NNM.
kb | Stores the NNM knowledge base, if used.
logs | Contains NNM logs.
plugins | Contains the NNM plugins delivered via Tenable.sc, Tenable.io, the NNM Feed, or updated via the command line or web interface if NNM is running in Offline mode.
 | Note: If Tenable.sc is used to manage the plugins, do not change this path from the default /opt/nnm/var/nnm.
nnm-services | A file NNM uses to map service names to ports. This file may be edited by the user. Plugin updates do not overwrite modifications to the file.
reports | Contains reports generated by NNM. This folder contains the .nessus file generated by default.
scripts | Contains the files for the NNM Web server.
ssl | Contains SSL certificates used by the proxy and web server for the SSL connection between itself and Tenable.sc or the web browser.
users | Contains folders for user files and reports.
www | Contains the files for the NNM web front-end.
/opt/nnm/var/nnm-proxy | Parent folder for files used/created by the NNM proxy.
logs | Contains the NNM proxy and NNM proxy service logs.


Windows Command Line Operations

You must run all programs as a local user with administrative privileges. To do so, when UAC is enabled, right-click on the installer program and select Run as Administrator.

Start or Stop NNM

Action | Command to Manage NNM
Start | net start "Tenable NNM Proxy"
Stop | net stop "Tenable NNM Proxy"

Alternatively, NNM can be managed via the Services control panel utility. Under the list of services, find Tenable NNM Proxy Service. Right click on the service to provide a list of options for the services, including the ability to start or stop the Tenable NNM or Tenable NNM Proxy service.

File Locations

NNM installs its files in the following locations:

Path | Purpose
C:\Program Files\Tenable\NNM | Contains NNM binaries and dependent libraries.
C:\ProgramData\Tenable\NNM | Contains all data files consumed and output by NNM and NNM Proxy (e.g., configuration, plugins, logs, and reports).
 | Note: This directory does not appear unless the Windows Hidden Files and Folders option is enabled.

The following table contains the folder layout under C:\ProgramData\Tenable\NNM:

Folder | Purpose
docs | Contains the software license agreement for NNM.
NNM | Parent folder for NNM logs, reports, plugins, and scripts directories. Also contains the NNM-services file.
db | Contains the database files relating to the configuration, reports, and users for NNM.
kb | Stores the NNM knowledge base, if used.
logs | Contains NNM logs.
plugins | Contains the NNM plugins delivered via Tenable.sc, Tenable.io, the NNM Feed, or updated via the command line or web interface if NNM is running in Offline mode.
 | Note: Do not change this path from the default C:\ProgramData\Tenable\NNM\nnm if Tenable.sc is used to manage the plugins.
nnm-services | A file NNM uses to map service names to ports. This file may be edited by the user. Plugin updates do not overwrite modifications to the file.
reports | Contains reports generated by NNM. This folder contains the .nessus file generated by default.
scripts | Contains the files for the NNM Web server.
ssl | Contains SSL certificates used by the proxy and web server for the SSL connection between itself and Tenable.sc or the web browser.
users | Contains folders for user files and reports.
www | Contains the files for the NNM web front-end.
nnm-proxy | Parent folder for files used/created by the NNM proxy.
logs | Contains NNM proxy and NNM proxy service logs.
run | Contains process ID temporary files.


macOS Command Line Operations

You must run all programs as a root user or with equivalent privileges.

Start or Stop NNM

Action | Command to Manage NNM
Start | # launchctl load -w /Library/LaunchDaemons/com.tenablesecurity.nnm-proxy.plist
Stop | # launchctl unload -w /Library/LaunchDaemons/com.tenablesecurity.nnm-proxy.plist

File Locations

NNM installs its files in the following locations:

Path | Purpose
/Library/NNM | Base directory.
/Library/NNM/docs | Contains the NNM license agreement in various file formats.
/Library/NNM/bin | Location of the NNM and NNM Proxy executables, plus several helper tools for the NNM Proxy daemon.
/Library/NNM/var/nnm | Contains plugins, discovered vulnerabilities, log files, keys, and other miscellaneous items.
db | Contains the database files related to the configuration, reports, and users for NNM.
kb | Stores the NNM knowledge base, if used.
logs | Contains NNM logs.
plugins | Contains the NNM plugins delivered via Tenable.sc, Tenable.io, the NNM Feed, or updated via the command line or web interface if NNM is running in Offline mode.
 | Note: Do not change this path from the default /Library/NNM/var/nnm if Tenable.sc is used to manage the plugins.
nnm-services | A file NNM uses to map service names to ports. This file may be edited by the user. Plugin updates do not overwrite modifications to the file.
reports | Contains reports generated by NNM. This folder contains the .nessus file generated by default.
scripts | Contains the files for the NNM Web server.
ssl | Contains SSL certificates used by the proxy and web server for the SSL connection between itself and Tenable.sc or the web browser.
users | Contains files and reports for NNM users.
www | Contains the files for the NNM web front-end.
/Library/NNM/var/nnm-proxy | Parent folder for files used/created by the NNM proxy.
logs | Contains the NNM proxy and NNM proxy service logs.


Unknown or Customized Ports

Many networks contain traffic on ports NNM defines as different traffic types or alternate ports. If the port is not defined, it displays as Unknown. The NNM-services file may be edited to either customize or add the port information to provide accurate reporting for ports on the network.

For example, by default, there are two lines in the NNM-services file that define SMTP traffic. They read smtp 25/tcp and smtp 25/udp. If the organization routinely sends SMTP data over port 2525 those lines can be updated to read smtp 2525/tcp and smtp 2525/udp.


Real-Time Traffic Analysis Configuration Theory

This section describes how configuration options affect NNM operation and provides the following details on NNM architecture:

- Focus Network

- Detecting Server and Client Ports

- Detecting Specific Server and Client Port Usage

- Firewall Rules

- Working with Tenable.sc

- Selecting Rule Libraries and Filtering Rules

- Detecting Encrypted and Interactive Sessions

- Routes and Hop Distance

- Alerting


Focus Network

When a focus network is specified via the Monitored Networks IP Addresses and Ranges configuration parameter, only one side of a session must match in the list. For example, if you have a DMZ that is part of the focus network list, NNM reports on vulnerabilities of the web server there, but not on web clients visiting from outside the network. However, a web browser within the DMZ visiting the same web server is reported.

In the diagram above, three sessions labeled A, B, and C are shown communicating to, from, and inside a focus network. In session A, NNM analyzes only those vulnerabilities observed on the server inside the focus network and does not report client side vulnerabilities. In session B, NNM ignores vulnerabilities on the destination server, but reports client side vulnerabilities. In session C, both client and server vulnerabilities are reported.

There is another filter that NNM uses while looking for unique sessions. This is a dependency that requires the host to run a major service. These dependencies are defined by a list of NNM plugin IDs that identify SSL, FTP, and several dozen other services.

Finally, the entire process of detecting these sessions can be filtered by specific network ranges and ports. For example, if a university ran a public FTP server that had thousands of downloads each hour, they may want to disable interactive sessions on port 21 on that FTP server. Similarly, disabling encryption detection on ports such as 22 and 443 also eliminates some noise for NNM.


Detecting Server and Client Ports

The method used by TCP connections to initiate communication is known as the “three-way handshake.” This method can be compared to how a common telephone conversation is initiated. If Bob calls Alice, he has effectively sent her, in TCP terms, a “SYN” packet. She may or may not answer. If Alice answers, she has effectively sent a “SYN-ACK” packet. The communication is still not established, since Bob may have hung up as she was answering. The communication is established when Bob replies to Alice, sending her an “ACK.”

The NNM configuration option “connections to services” enables NNM to log network client to server activity.

Whenever a system within the monitored network range tries to connect to a server over TCP, the connecting system emits a TCP “SYN” packet. If the port the client connects on is open, then the server responds with a TCP “SYN/ACK” packet. At this point, NNM records both the client address and the server port the client connects to. If the port on the server is not open, then the server does not respond with a TCP “SYN/ACK” packet. In this case, since NNM never sees a TCP “SYN/ACK” response from the server, NNM does not record the fact that the client tried to connect to the server port, since the port is not available to that client.

The Connections to Services configuration parameter does not track how many times the connection was made. If the same host browses the same web server a million times, or browses a million different web servers once, the host is still marked as having browsed on port 80. This data is logged as NNM internal plugin ID 2.

NNM detects many applications through plugin and protocol analysis. At a lower level, NNM also detects open ports and outbound ports in use on the monitored networks. By default, NNM detects any TCP server on the protected network if it sees a TCP “SYN-ACK” packet.

In combination, the detection of server ports and client destination ports allows a network administrator to see who on their network is serving a particular protocol and who on their network is speaking that protocol.


Detecting Specific Server and Client Port Usage

The Show Connections configuration parameter keeps track of host communication within the focus network. When the Show Connections configuration parameter is enabled, if one of the hosts is in the defined focus network, NNM records the client, server, and server port every time a host connects to another host. It does not track the frequency or time stamp of the connections – just that a connection was made.

The Show Connections configuration parameter provides a greater level of detail than the Connections to Services configuration parameter. For example, if your IPv4 address is 1.1.1.1 or your IPv6 address is 2001:DB8::AE59:3FC2 and you use the SSH service to connect to “some_company.com”, then the use of these options records the following:

Show Connections

some_company.com:SSH

2001:DB8::AE59:3FC2 -> some_company.com

Connections to Services

SSH

2001:DB8::AE59:3FC2 -> SSH

Using the Connections to Services configuration parameter lets you know that the system at 1.1.1.1 and 2001:DB8::AE59:3FC2 uses the SSH protocol. This information may be useful regardless of where the service is used.

NNM does not log a session-by-session list of communications. Instead, it logs the relationship between the systems. For example, if system A is detected using the SSH protocol on port 22 connecting to system B, and both systems are within the focus network, NNM would log:

- System A browses on port 22

- System B offers a service (listens) on port 22

- System A communicates with System B on port 22


If system B were outside of the focus network, NNM would not record anything about the service system B offers, and would also log that system A browses outside of the focus network on port 22. NNM does not log how often a connection occurs, only that it occurred at least once. For connections outside of the focus network, NNM logs only which ports are browsed, not the actual destinations.

Note: If logging session-by-session network events is a requirement for your network analysis, Tenable offers the LCE product, which can log firewall, web server, router, and sniffer logs.
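The recording rules from the Focus Network and port-detection sections above can be modelled directly. The following Python is an added example, not Tenable code and not NNM's implementation; the focus ranges, the addresses, the Pkt tuple and all function names are assumptions made for the illustration.

```python
import ipaddress
from collections import namedtuple

# Assumed focus network (documentation ranges). All addresses here are constructed.
FOCUS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("2001:db8::/32")]

# One observed TCP segment. flags: "S" = SYN, "SA" = SYN-ACK, "A" = ACK.
Pkt = namedtuple("Pkt", "src dst sport dport flags")


def in_focus(addr):
    """True if addr falls inside any configured focus range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in FOCUS)


def analyze(packets, show_connections=False):
    """Reduce packets to de-duplicated relationship records.

    Only a SYN-ACK produces records: it proves the server port answered, and it
    identifies the server (source) and the client (destination).
    """
    open_ports, browsed, connections = set(), set(), set()
    for p in packets:
        if p.flags != "SA":
            continue
        server, client, port = p.src, p.dst, p.sport
        server_in, client_in = in_focus(server), in_focus(client)
        if server_in:
            open_ports.add((server, port))      # "offers a service on port N"
        if client_in:
            browsed.add((client, port))         # "browses on port N"
        if (server_in and client_in) or (show_connections and (server_in or client_in)):
            connections.add((client, server, port))
    return {"open_ports": open_ports, "browsed": browsed, "connections": connections}


def handshake(client, server, port, cport=40000):
    """Constructed three-way handshake between client and server:port."""
    return [Pkt(client, server, cport, port, "S"),
            Pkt(server, client, port, cport, "SA"),
            Pkt(client, server, cport, port, "A")]


A, B = "192.0.2.10", "192.0.2.20"                 # inside the focus network
EXT_SRV, EXT_CLI = "198.51.100.7", "203.0.113.5"  # outside it

SAMPLE = (
    handshake(A, B, 22) + handshake(A, B, 22, cport=40001)  # same pair twice
    + handshake(A, EXT_SRV, 22)        # client inside, server outside
    + handshake(EXT_CLI, B, 80)        # client outside, server inside
    + [Pkt(A, B, 40002, 23, "S")]      # closed port: SYN that is never answered
)

if __name__ == "__main__":
    for flag in (False, True):
        print("show_connections =", flag)
        for kind, records in analyze(SAMPLE, show_connections=flag).items():
            print(" ", kind, sorted(records))
```

Because the records are sets, the repeated A-to-B session adds nothing, and the unanswered SYN to port 23 never appears, which is why this data shows relationships and not session counts or failed connection attempts.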


Firewall Rules

If NNM is placed immediately behind a firewall such that all of the traffic presented to NNM flows through the firewall, then the list of served ports, client side ports, and the respective IP addresses of the users are readily available.

Tools such as the Tenable.sc Vulnerability Analysis page allow information about these ports (both client and server) to be browsed, sorted, and reported on. You can also view lists of IP addresses and networks using these client and server ports.


Working with Tenable.sc

When Tenable.sc manages multiple NNM sensors, users of Tenable.sc can analyze the aggregate types of open ports, browsed ports, and communication activity that occurs on the focus network. Since Tenable.sc has several different types of users and privileges, many different IT and network engineering accounts can be created across an enterprise so they can share and benefit from the information detected by NNM.


Selecting Rule Libraries and Filtering Rules

Tenable ships an encrypted library of passive vulnerability detection scripts. This file cannot be modified by the end users of NNM. However, if certain scripts must be disabled, they can be specified by the PASL ID with “.pasl” appended. For example, 1234.pasl on a single line in the disabled-scripts.txt file disables the PASL with the ID of 1234.

If a plugin must be disabled, type its ID on a single line in the disabled-plugins.txt file. If a plugin must be real-time enabled, type its ID on a single line in the realtime-plugins.txt file.

When adding NNM plugins to the disabled plugin list, be sure to leave an empty blank line after typing the last plugin to be disabled. Failure to return to the next line can result in a non-functional disabled plugin list.

Example: 1234 [return]

If any of the referenced files do not exist, create them using the appropriate method for the operating system. The file locations are as follows:

Operating System | File Path
Linux | /opt/nnm/var/nnm
Windows | C:\ProgramData\Tenable\NNM\nnm
macOS | /Library/NNM/var/nnm


Detecting Encrypted and Interactive Sessions

NNM can be configured to detect both encrypted and interactive sessions. An encrypted session is a TCP or UDP session that contains sufficiently random payloads. An interactive session uses timing and statistical profiling of the packets in a session to determine if the session involves human input at a command line prompt.

In both cases, NNM identifies these sessions for the given port and IP protocol. It then lists the detected interactive or encrypted session as vulnerabilities.

NNM has a variety of plugins to recognize telnet, Secure Shell (SSH), Secure Socket Layer (SSL), and other protocols. Combined with the detection of the interactive and encryption algorithms, NNM may log multiple forms of identification for the detected sessions.

For example, NNM may recognize not only an SSH service running on a high port as an encrypted session, but also recognize the version of SSH and determine any vulnerabilities associated with it.


Routes and Hop Distance

For active scans, one host can find the default route and an actual list of all routers between it and a target platform. To do this, it sends one packet after another with a slightly larger TTL (time to live) value. Each time a router receives a packet, it decrements the TTL value and sends it on. If a router receives a packet with a TTL value of one, it sends a message back to the originating server stating that the TTL has expired. The server sends packets to the target host with greater and greater TTL values and collects the IP addresses of the routers sending expiration messages in-between.

Since NNM is entirely passive, it cannot send or elicit packets from the routers or target computers. It can, however, record the TTL value of a target machine. The TTL value is an 8-bit field, which means it can contain a value between 0 and 255. Most machines use an initial TTL value of 32, 64, 128, or 255. Since there is a maximum of 16 hops between your host and any other host on the internet, NNM uses an algorithm to map any TTL to the number of hops.

For example, if NNM sniffed a server sending a packet with a TTL of 126, it infers an initial TTL of 128 and detects that the server is two hops away. NNM does not know the IP address of the in-between routers.

Note: Modern networks have many devices such as NAT firewalls, proxies, load balancers, intrusion prevention, routers, and VPNs that rewrite or reset the TTL value. In these cases, NNM may report inconsistent hop counts.
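One way to implement the TTL-to-hop mapping described above, and to spot the inconsistent hop counts the note warns about. This is an added Python example, not Tenable code; the guide does not publish NNM's algorithm, so the nearest-initial-value rule, the function names and the sample observations are assumptions.

```python
INITIAL_TTLS = (32, 64, 128, 255)  # common initial values named in the guide
MAX_HOPS = 16                      # hop ceiling the guide assumes


def estimate_hops(observed_ttl):
    """Return (assumed_initial_ttl, hops), or None when no common initial value
    is within MAX_HOPS of the observed TTL."""
    if not 0 <= observed_ttl <= 255:
        raise ValueError("TTL is an 8-bit field (0-255)")
    # Smallest common initial value that is not below what was observed.
    initial = next(t for t in INITIAL_TTLS if t >= observed_ttl)
    hops = initial - observed_ttl
    return (initial, hops) if hops <= MAX_HOPS else None


def hop_report(observations):
    """observations: iterable of (host, observed_ttl) pairs.
    Returns {host: {"hops": sorted distinct estimates, "unmapped": sorted TTLs}}."""
    report = {}
    for host, ttl in observations:
        entry = report.setdefault(host, {"hops": set(), "unmapped": set()})
        estimate = estimate_hops(ttl)
        if estimate is None:
            entry["unmapped"].add(ttl)       # TTL was probably rewritten in transit
        else:
            entry["hops"].add(estimate[1])
    return {h: {k: sorted(v) for k, v in e.items()} for h, e in report.items()}


def inconsistent_hosts(report):
    """Hosts whose packets imply more than one distance, or an unmappable TTL."""
    return sorted(h for h, e in report.items() if len(e["hops"]) > 1 or e["unmapped"])


# Constructed observations: (source host, TTL seen at the sensor).
SAMPLE = [
    ("192.0.2.10", 126), ("192.0.2.10", 126),  # the guide's example: 128 - 126 = 2
    ("192.0.2.20", 64),                        # same segment as the sensor
    ("192.0.2.30", 61), ("192.0.2.30", 119),   # two different distances for one host
    ("192.0.2.40", 40),                        # 24 below 64: exceeds the 16-hop ceiling
]

if __name__ == "__main__":
    report = hop_report(SAMPLE)
    for host, entry in report.items():
        print(host, entry)
    print("inconsistent:", inconsistent_hosts(report))
```

Hosts returned by inconsistent_hosts are the ones to check for a NAT device, proxy or load balancer in the path before trusting the hop count.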


Alerting

When NNM detects a real-time event, it can:

- Send the event to a local log file.

- Send the event via Syslog to a log aggregator such as Tenable LCE, an internal log aggregation server.

- Send the event to a third party security event management vendor.

New Host Alerting

You can configure NNM to detect when a new host has been added to the network. By default, NNM has no knowledge of your network’s active hosts, so the first packets NNM sniffs trigger an alert. To avoid this, you can configure NNM to learn the network over a period of days. Once this period is over, any “new” traffic must be from a host that has not communicated during the initial training.

To prevent NNM from triggering new host alerts on known hosts, you can create a known hosts file in the location to which the Known Hosts File configuration parameter is set. Each line of the Known Hosts File supports a single IPv4 or IPv6 address. Hyphenated ranges and CIDR notation are not supported. NNM must be restarted after creating or making any changes to the Known Hosts File.
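The Known Hosts File rules above and the plugin list rules under Selecting Rule Libraries and Filtering Rules are both easy to break by hand, so a pre-flight check is useful before restarting NNM. The following Python is an added example, not a Tenable tool; the function names, the expansion cap and the sample inputs are assumptions.

```python
import ipaddress
import re

MAX_EXPANSION = 4096  # assumed safety cap so a large prefix cannot explode the file


def lint_id_list(text, suffix=""):
    """Check disabled-plugins.txt / realtime-plugins.txt (suffix="") or
    disabled-scripts.txt (suffix=".pasl"). Returns a list of problem strings."""
    problems = []
    if text and not text.endswith("\n"):
        problems.append("last entry is not followed by a newline")
    pattern = re.compile(r"\d+" + re.escape(suffix))
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip() and not pattern.fullmatch(line.strip()):
            problems.append(f"line {lineno}: expected one ID{suffix} per line, got {line!r}")
    return problems


def lint_known_hosts(text):
    """Return (lineno, entry) for each line that is not a single IPv4/IPv6 address."""
    rejected = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        entry = line.strip()
        if not entry:
            continue  # blank lines are skipped here (assumption)
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            rejected.append((lineno, entry))
    return rejected


def expand_entry(entry):
    """Turn a single address, CIDR block or hyphenated range into single addresses."""
    entry = entry.strip()
    if "/" in entry:
        net = ipaddress.ip_network(entry, strict=False)
        if net.num_addresses > MAX_EXPANSION:
            raise ValueError(f"{entry}: {net.num_addresses} addresses exceeds cap")
        return [str(addr) for addr in net]
    if "-" in entry:
        low_text, high_text = entry.split("-", 1)
        low = ipaddress.ip_address(low_text.strip())
        high = ipaddress.ip_address(high_text.strip())
        if low.version != high.version or int(high) < int(low):
            raise ValueError(f"{entry}: not a valid range")
        if int(high) - int(low) + 1 > MAX_EXPANSION:
            raise ValueError(f"{entry}: range exceeds cap")
        make = type(low)
        return [str(make(n)) for n in range(int(low), int(high) + 1)]
    return [str(ipaddress.ip_address(entry))]


def build_known_hosts(entries):
    """Render inventory entries as one address per line, de-duplicated, newline-terminated."""
    seen, lines = set(), []
    for entry in entries:
        for addr in expand_entry(entry):
            if addr not in seen:
                seen.add(addr)
                lines.append(addr)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed inventory that mixes the notations an asset list usually contains.
    inventory = ["192.0.2.10", "192.0.2.8/30", "192.0.2.250-192.0.2.252", "2001:DB8::AE59:3FC2"]
    print(build_known_hosts(inventory), end="")
    print(lint_id_list("1234\n5678"))
```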

When NNM logs a new host, the Ethernet address is saved in the message. When NNM is more than one hop away from the sniffed traffic, the Ethernet address is that of the local switch and not the actual host. If the scanner is deployed in the same collision domain as the sniffed server, then the Ethernet address is accurate.

For DHCP networks, NNM often detects a “new” host. Tenable® recommends deploying this feature on non-volatile networks such as DMZ. Users should also consider analyzing NNM “new” host alerts with Tenable.sc, which can sort real-time NNM events by networks.


Modules

NNM includes analysis modules that analyze network traffic based on certain criteria. These modules modularize NNM detection capabilities and provide users the ability to enable or disable them. There are two analysis modules:

- SCADA/ICS Analysis Module

Note: This module is only available for Industrial Security customers.

Industrial Security is end-of-life (EOL). For information about EOL dates and policies for Tenable products, see the Tenable Software Release Lifecycle Matrix and Policy.

This module analyzes SCADA network traffic to discover SCADA assets and their vulnerabilities. In addition, the module provides deep visibility into the type of SCADA devices discovered. This module is enabled by default and can be disabled in environments that do not contain SCADA devices. You can use the Tenable Search page to search for specific device detection information. This module is only available for Industrial Security customers.

- Connection Analysis Module

This module reports connection duration and bandwidth information including for IPv6 and tunneled traffic. This module is disabled by default.

Note: You must restart NNM after enabling a module for the module to function correctly within NNM.


Connection Analysis Module

Module Detection ID | Module Detection Name | Module Detection Description | Risk Factor
97 | TCP Session Bandwidth (1 - 10 MB) | NNM computes the bytes exchanged between each TCP endpoint when the session ends. The total bytes exchanged during the lifetime of this session is between 1 and 10 MB. | INFO
98 | TCP Session Bandwidth (10 - 100 MB) | NNM computes the bytes exchanged between each TCP endpoint when the session ends. The total bytes exchanged during the lifetime of this session is more than 10 MB but less than or equal to 100 MB. | INFO
99 | TCP Session Bandwidth (10 - 100 MB) | NNM computes the bytes exchanged between each TCP endpoint when the session ends. The total bytes exchanged during the lifetime of this session is more than 100 MB but less than or equal to 1 GB. | INFO
100 | TCP Session Bandwidth (> 1 GB) | NNM computes the bytes exchanged between each TCP endpoint when the session ends. The total bytes exchanged during the lifetime of this session is more than 1 GB. | INFO
101 | TCP Session Duration (< 1 minute) | NNM computes the duration of each TCP session when the session ends. This TCP session duration is less than 1 minute. | INFO
102 | TCP Session Duration (1 - 15 minutes) | NNM computes the duration of each TCP session when the session ends. This TCP session duration is between 1 minute and 15 minutes. | INFO
103 | TCP Session Duration (15 - 25 minutes) | NNM computes the duration of each TCP session when the session ends. This TCP session duration is more than 15 but less than or equal to 25 minutes. | INFO
104 | TCP Session Duration (25 - 40 minutes) | NNM computes the duration of each TCP session when the session ends. This TCP session duration is more than 25 but less than or equal to 40 minutes. | INFO
105 | TCP Session Duration (40 - 55 minutes) | NNM computes the duration of each TCP session when the session ends. This TCP session duration is more than 40 but less than or equal to 55 minutes. | INFO
106 | TCP Session Duration (55 - 100 minutes) | NNM computes the duration of each TCP session when the session ends. This TCP session duration is more than 55 but less than or equal to 100 minutes. | INFO
107 | TCP Session Duration (100 minutes - 24 hours) | NNM computes the duration of each TCP session when the session ends. This TCP session duration is more than 100 minutes but less than or equal to 24 hours. | INFO
108 | TCP Session Duration (24 - 47 hours) | NNM computes the duration of each TCP session when the session ends. This TCP session duration is more than 24 hours but less than or equal to 47 hours. | INFO
109 | TCP Session Duration (> 47 hours) | NNM computes the duration of each TCP session when the session ends. This TCP session duration is more than 47 hours. | INFO
110 | UDP Activity | UDP activity observed | INFO
111 | ICMP Activity | ICMP activity observed | INFO
112 | IGMP Activity | IGMP activity observed | INFO


Configure NNM for use with Industrial Security

Industrial Security is end-of-life (EOL). For information about EOL dates and policies for Tenable products, see the Tenable Software Release Lifecycle Matrix and Policy.

1. Install Industrial Security using the following command:

$ rpm -ivh /root/is-1.0.0.rpm

2. In your browser, navigate to either of the following URLs and follow the prompts:

- https://localhost:8837

- https://127.0.0.1:8837

3. Log in to Industrial Security with the default credentials (admin/admin).


4. In the Quick Setup dialog, change your password.

5. Click Next Step.

6. Register your copy of Industrial Security using the Activation Code you received from Tenable, Inc.

Tip: Alternatively, this can be done from the command line by using

$ /opt/industrial-security/bin/industrial-security -a <ActivationCode>

in Linux or

C:> cd "C:\Program Files\Tenable\Industrial Security\"
C:> industrial-security.exe -a <ActivationCode>

in Windows.


7. Once activated, locate the Linking Key to connect one or more NNM sensors to Industrial Security.

8. On the Industrial Security home page, click Settings.

9. Click the Sensor Configuration tab.

10. Locate and copy the IS Linking Key. The IS Linking Key is a 64-character hex string used to connect an NNM sensor to this Industrial Security host.

11. Install the NNM application using the following command:

$ rpm -ivh /root/nnm-5.4.0.rpm

12. In your browser, navigate to either of the following URLs and follow the prompts:

- https://localhost:8835

- https://127.0.0.1:8835


13. Log in to NNM using the default credentials (admin/admin).

14. In the Quick Setup dialog, change your password.

15. Click Next Step.


16. In the Activation Code box, type IndustrialSecurity.

Additional options appear.

17. In the Industrial Security Host box, type the IP address of the machine where you installed the Industrial Security application.

18. In the Industrial Security Key box, type the Industrial Security Linking Key you located above.


19. In the NNM Name box, type a name for the NNM host you're setting up.

Tip: This is the name that appears in IS once a connection is established and identifies this specific sensor to differentiate between this host and other NNM sensors you may install elsewhere on your network.

20. Click Next Step.

21. Click on the network interfaces you wish to monitor.

22. Type the network ranges you wish to monitor on those interfaces.

Note: To monitor all network ranges including VLAN support, type 0.0.0.0/0, vlan 0.0.0.0/0, 0::/0, vlan 0::/0

23. Click Finish.

A Setup Completed Successfully notification appears and you return to the NNM Monitoring Dashboard.


Note: You must restart NNM after enabling a module for the connection to function correctly within NNM.

Tip: To validate your NNM sensor host and your Industrial Security application connection, return to the Industrial Security application, click Settings > Sensor Configuration and verify that the NNM Host is in the Sensors List.


Internal NNM Plugin IDs

Each vulnerability and real-time check NNM performs has a unique associated ID. NNM IDs are within the range 0 to 10000.

Internal NNM IDs

Some of NNM’s checks, such as detecting open ports, are built in. The following chart lists some of the more commonly encountered internal checks and describes what they mean:

| NNM ID | Name | Description |
|---|---|---|
| 0 | Detection of Open Port | NNM has observed a SYN-ACK leave from a server. |
| 1 | Operating System Fingerprint | NNM has observed enough traffic about a server to guess the operating system. |
| 2 | Service Connection | NNM has observed browsing traffic from a host. |
| 3 | Internal Client Trusted Connections | NNM has logged a unique network session of source IP, destination IP, and destination port. |
| 4 | Internal Interactive Session | NNM has detected one or more interactive network sessions between two hosts within your focus network. |
| 5 | Outbound Interactive Sessions | NNM has detected one or more interactive network sessions originating from within your focus network and destined for one or more addresses on the Internet. |
| 6 | Inbound Interactive Sessions | NNM has detected one or more interactive network sessions originating from one or more addresses on the Internet to this address within your focus network. |
| 7 | Internal Encrypted Session | NNM has detected one or more encrypted network sessions between two hosts within your focus network. |
| 8 | Outbound Encrypted Session | NNM has detected one or more encrypted network sessions originating from within your focus network and destined for one or more addresses on the Internet. |
| 9 | Inbound Encrypted Session | NNM has detected one or more encrypted network sessions originating from one or more addresses on the Internet to this address within your focus network. |
| 12 | Number of Hops | NNM logs the number of hops away each host is located. |
| 14 | Accepts External Connections | NNM detects an external connection to this host. Specific IP addresses are not reported by this plugin, but it does track the destination port and protocol used. You can view full connection details in the real-time event log. This is the opposite of plugin 16, which reports on outbound connections. |
| 15 | Internal Server Trusted Connections | NNM has logged a unique network session of source IP, destination IP, and destination port. Specific IP addresses are not reported by this plugin, but it does track which destination port and protocol was used. You can view full connection details in the real-time event log. This is the opposite of plugin 14, which reports on inbound connections. |
| 16 | Outbound External Connection | NNM has detected an external connection from this host. |
| 17 | TCP Session | NNM identifies TCP sessions and reports the start time, number of bytes of data downloaded during, and end time of these sessions. This plugin is reported at the end of each TCP session. |
| 18 | IP Protocol Detection | NNM detects all IP protocols. |
| 19 | VLAN ID Reporting | NNM reports all observed VLAN tags per host. |
| 20 | IPv6 Tunneling | NNM identifies and processes tunneled IPv6 traffic. |


NNM Plugins

This section provides the following information about NNM plugins:

• Vulnerability and Passive Fingerprinting

• NNM Fingerprinting

• NNM Plugin Syntax

• NNM Real-Time Plugin Syntax and Examples

• NNM Corporate Policy Plugins


About NNM Plugins

NNM has two sources of plugin information: the .prmx and .prm plugin libraries in the plugins directory.

Tenable distributes its passive vulnerability plugin database in an encrypted format. The encrypted file is named tenable_plugins.prmx and, if necessary, can be updated daily. NNM plugins written by the customer or third parties have the .prm extension.

Tenable has also implemented passive fingerprinting technology based on the open-source SinFP tool. With permission from the author, Tenable includes the database of passive operating system fingerprints for the fingerprinting technology in this distribution of NNM.

Writing Custom Plugins

NNM customers can write their own passive plugins, which are added into the plugins directory in the NNM installation directory. The plugin must end with a .prm extension to be visible by NNM.

You must restart NNM if:

• You add a new custom plugin to the plugins directory. NNM does not fire the plugin until you restart.

• You delete a .prm file manually from the plugins directory. NNM continues to fire the plugin until you restart.


NNM Fingerprinting

Tenable uses a hybrid approach to operating system fingerprinting. Primarily, plugins are used to detect and identify the OS of a host. If this is not possible, NNM uses detected packets to identify the OS.

NNM has the ability to guess the operating system of a host by looking at the packets it generates. Specific combinations of TCP packet entries, such as the window size and initial time-to-live (TTL) values, allow NNM to predict the operating system generating the traffic.

These unique TCP values are present when a server makes or responds to a TCP request. All TCP traffic is initiated with a “SYN” packet. If the server accepts the connection, it sends a response known as a “SYN-ACK” packet. If the server cannot or will not communicate, it sends a reset (RST) packet. When a server sends a “SYN” packet, NNM applies this list of operating system fingerprints and attempts to determine the operating system type.

Tenable Network Security has permission to re-distribute the passive operating system fingerprints from the author of the SinFP open source project.


NNM Plugin Syntax

Plugins

NNM plugins allow spaces and comment fields that start with a number (#) sign. Each plugin must be separated with the word “NEXT” on a single line. Create a .prm file in the plugins directory to make it available for use. You must restart NNM to use new custom plugins.

Plugin Keywords

There are several keywords available for writing passive vulnerability plugins for NNM. Some of these keywords are mandatory and some are optional. In the table below, mandatory keywords are highlighted in blue.

| Name | Description |
|---|---|
| bid | Tenable assigns SecurityFocus Bugtraq IDs (BID) to NNM plugins. This allows a user reading a report generated by NNM to link to more information available at http://www.securityfocus.com/bid. Multiple Bugtraq entries can be typed on one line if separated by commas. |
| bmatch | This is the same as match but can look for any type of data. A bmatch must always have an even number of alphanumeric characters. |
| clientissue | If a vulnerability is determined in a network client such as a web browser or an email tool, a server port is associated with the reported vulnerability. |
| cve | Tenable also assigns Common Vulnerability and Exposure (CVE) tags to each NNM plugin. This allows a user reading a report generated by NNM to link to more information available at http://cve.mitre.org/. Multiple CVE entries can be typed on one line if separated by commas. |
| dependency | This is the opposite of noplugin. Instead of specifying another plugin that has failed, this keyword specifies which plugin must succeed. This keyword specifies a NNM ID that should exist to evaluate the plugin. In addition, this plugin can take the form of dependency=ephemeral-server-port, which means the evaluated server must have an open port above port 1024. |
| dport | This is the same as sport, but for destination ports. |
| Exploitability: canvas, core, cvsstemporal, metasploit | Displays exploitability factors for the selected vulnerability. For example, if the vulnerability is exploitable via both Canvas and Core and has a unique CVSS temporal score, the following tags may be displayed in the plugin output: "CANVAS : D2ExploitPack", "CORE : true", "CVSSTEMPORAL : CVSS2#E:F/RL:OF/RC:C". |
| family | Each Tenable plugin for NNM is included in a family. This designation allows Tenable to group NNM plugins into easily managed sets that can be reported on individually. |
| hs_dport | This is the same as hs_sport except for destination ports. |
| hs_sport | Normally, when NNM runs its plugins, they are either free ranging looking for matches on any port, or fixed to specific ports with the sport or dport keywords. In very high speed networks, many plugins have a fallback port, known as a high-speed port, which focuses the plugin only on one specific port. In High Performance mode, the performance of a NNM plugin with an hs_sport keyword is exactly the same as if the plugin was written with the sport keyword. |
| id | Each NNM plugin needs a unique rule ID. Tenable assigns these 16 bit numbers within the overall NNM range of valid entries. A list of the current NNM plugin IDs can be found on the Tenable website. |
| match | This keyword specifies a set of one or more simple ASCII patterns that must be present in order for the more complex pattern analysis to take place. The match keyword gives NNM a lot of its performance and functionality. With this keyword, if it does not see a simple pattern, the entire plugin does not match. |
| name | This is the name of the vulnerability NNM has detected. Though multiple NNM plugins can have the same name, it is not encouraged. |
| nid | To track compatibility with the Nessus vulnerability scanner, Tenable associates NNM vulnerability checks with relevant Nessus vulnerability checks. Multiple Nessus IDs can be listed under one nid entry such as nid=10222,10223. |
| nooutput | For plugins that are written specifically to be used as part of a dependency with another plugin, the nooutput keyword causes NNM not to report anything for any plugin with this keyword enabled. |
| noplugin | This keyword prevents a plugin from being evaluated if another plugin has already matched. For example, it may make sense to write a plugin that looks for a specific anonymous FTP vulnerability, but disable it if another plugin that checked for anonymous FTP has already failed. |
| pbmatch | This is the same as bmatch except for binary data on the previous side of the reconstructed network session. |
| plugin_output | This keyword displays dynamic data for a given vulnerability or event. The dynamic data is usually represented using %L or %P, and its value is obtained from the regular expressions defined using regex, regexi, pregex, or pregexi. |
| pmatch | This keyword is the same as match but is applied against the previous packet on the other side of the reconstructed network session. |
| pregex | This is the same as regex except the regular expression is applied to the previous side of the reconstructed network session. |
| pregexi | This is the same as pregex except the pattern matching is not case sensitive. |
| protocol_id | This keyword is used to specify the protocol number of the protocol causing the plugin to fire. |
| regex | This keyword specifies a complex regular expression search rule applied to the network session. |
| regexi | This is the same as regex except the pattern matching is not case sensitive. |
| risk | All NNM plugins need a risk setting. Risks are classified as INFO, LOW, MEDIUM, HIGH, and CRITICAL. An INFO risk is an informational vulnerability such as client or server detection. A LOW risk is an informational vulnerability such as an active port or service. A MEDIUM risk is something that may be exploitable or discloses information. A HIGH risk is something that is easily exploitable. A CRITICAL risk is something that is very easily exploitable and allows for malicious attacks. |
| seealso | If one or more URLs are available, this keyword can be used to display them. Multiple URLs can be specified on one line if separated by commas. Example entries for this include CERT advisories and vendor information websites. |
| solution | If a solution is available, it can be described here. The report section highlights the solution with different text. |
| sport | This setting applies the NNM plugin to just one port. For example, you may wish to write a SNMP plugin that just looks for activity on port 162. However, for detection of off-port services like a web server running on port 8080, a sport field is not used in the plugin. |
| stripped_description | This field describes on one line the nature of the detected vulnerability. This data is printed out by NNM when printing the vulnerability report. Macros are available that allow the printing of matched network traffic such as banner information and are discussed in the examples below. For line breaks, the characters “\n” can be used to invoke a new line. |
| timed-dependency | This keyword slightly modifies the functionality of the noplugin and dependency keywords such that the evaluation must have occurred within the last N seconds. |
| udp | This keyword specifies that plugins are to be based on the UDP protocol rather than TCP protocol. |

Tip: In addition to tcp or udp, the following protocols are supported: sctp, icmp, igmp, ipip, egp, pup, idp, tp, rsvp, gre, pim, esp, ah, mtp, encap, comp, ipv6, ospf, eigrp, isis, raw, or other.

Related Information


• Network Client Detection

• Pattern Matching

• Time Dependent Plugins

• Plugin Examples


Network Client Detection

Match patterns that begin with the ^ symbol mean at least one line in the packet payload must begin with the following pattern. Match patterns that begin with the ! symbol indicate that the string must NOT match anything in the packet payload. In this case, the ! and ^ symbols are combined to indicate that NNM should not evaluate any packet whose payload contains a line starting with the pattern Received:.

The ^ is more expensive to evaluate than the > symbol. So, while both match patterns ^<pattern> and ><pattern> would find <pattern> at the beginning of a packet payload, the use of > is more desirable as it is less costly. Use ^ when looking for the occurrence of a string at the beginning of a line, but not at the beginning of the packet payload. In the latter case, use the > character instead.

id=79526
hs_dport=25
clientissue
name=Buffer overflow in multiple IMAP clients
description=The remote e-mail client is Mozilla 1.3 or 1.4a which is vulnerable to a boundary condition error whereby a malicious IMAP server may be able to crash or execute code on the client.
solution=Upgrade to either 1.3.1 or 1.4a
risk=HIGH
match=^From:
match=^To:
match=^Date:
match=^User-Agent: Mozilla
match=!^Received:
regex=^User-Agent: Mozilla/.* \(.*rv:(1\.3|1\.4a)


Pattern Matching

NNM Can Match "Previous" Packets

NNM allows matching on patterns in the current packet as well as patterns in the previous packet in the current session. This plugin shows how we can make use of this feature to determine if a Unix password file is sent by a web server:

id=79175
name=Password file obtained by HTTP (GET)
family=Generic
sport=80
description=It seems that a Unix password file was sent by the remote web server when the following request was made :\n%P\nWe saw : \n%L
pmatch=>GET /
pmatch=HTTP/1.
match=root
match=daemon
match=bin
regex=root:.*:0:0:.*:.*

Here we see match patterns for a root entry in a Unix password file. We also see pmatch patterns that match against a packet that makes an HTTP GET request to a web server. The match patterns apply to the current packet in a session and the pmatch patterns apply to the packet that was captured immediately before the one in the current session. To explain this visually, we are looking for occurrences of the following:

   GET / HTTP/1.*
1) client -------------------------> server:port 80

   Contents of password file:
   root:.*:0:0:.*:.*
2) client <------------------------- server:port 80

Our match pattern would focus on the contents in packet 2) and our pmatch pattern would focus on packet 1) payload contents.

NNM Can Match Binary Data


NNM also allows matching against binary patterns. Here is an example plugin that makes use of binary pattern matching to detect the usage of the well-known community string “public” in SNMPv1 response packets (The “#” is used to denote a comment):

###
# SNMPv1 response
#
# Matches on the following:
# 0x30 - ASN.1 header
# 0x02 0x01 0x00 - (integer) (byte length) (SNMP version - 1)
# 0x04 0x06 public - (string) (byte length) (community string - "public")
# 0xa2 - message type - RESPONSE
# 0x02 0x01 0x00 - (integer) (byte length) (error status - 0)
# 0x02 0x01 0x00 - (integer) (byte length) (error index - 0)
###
id=71975
udp
sport=161
name=SNMP public community string
description=The remote host is running an SNMPv1 server that uses a well-known community string - public
bmatch=>0:30
bmatch=>2:020100
bmatch=>5:04067075626c6963a2
bmatch=020100020100

Binary match patterns take the following form:

bmatch=[<>[off]:]<hex>

Binary match starts at <off>’th offset of the packet or at the last <offset> of the packet, depending on the use of > (start) or < (end). <hex> is a hex string we look for.

bmatch=<:ffffffff

This matches any packet whose last four bytes are set to 0xFFFFFFFF.

bmatch=>4:41414141

This matches any packet that contains the string “AAAA” (0x41414141 in hex) starting at its fourth byte.

bmatch=123456789ABCDEF5

This matches any packet that contains the hex string above.


Negative Matches

NNM plugins can also be negated. Here are two examples:

pmatch=!pattern

pbmatch=>0:!414141

In each of these cases, the plugin does not match if the patterns contained in these “not” statements are present. For example, in the first pmatch statement, if the pattern named “pattern” is present, then the plugin does not match. In the second statement, the plugin only matches if the binary pattern “AAA” (the letter “A” in ASCII hex is 0x41) is not present as the first three characters.
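The following Python sketch is an added example, not code from this guide or from NNM: it evaluates the bmatch forms described above, including the negated form, against a constructed SNMPv1 response. It assumes 0-based offsets (as in the SNMP plugin, where >0:30 is the first byte) and reads <off: as "the pattern ends off bytes before the end of the payload"; all function names are hypothetical.

```python
# Added example: evaluator for the bmatch syntax  [<>[off]:][!]<hex>
# Assumptions (not stated by the guide): offsets are 0-based, and "<off:"
# means the pattern ends `off` bytes before the end of the payload.

def parse_bmatch(spec):
    """Parse a bmatch value into (anchor, offset, negate, needle bytes)."""
    anchor, offset, body = None, 0, spec
    if spec.startswith(("<", ">")):
        head, sep, body = spec.partition(":")
        if not sep:
            raise ValueError(f"missing ':' after anchor in {spec!r}")
        anchor, offset = head[0], int(head[1:] or 0)
    negate = body.startswith("!")
    body = body[1:] if negate else body
    if not body or len(body) % 2:
        # The keyword table requires an even number of characters.
        raise ValueError(f"bmatch needs an even number of hex digits: {spec!r}")
    return anchor, offset, negate, bytes.fromhex(body)


def bmatch(spec, payload):
    """Return True if `payload` satisfies the single bmatch value `spec`."""
    anchor, offset, negate, needle = parse_bmatch(spec)
    if anchor == ">":                     # counted from the start
        hit = payload[offset:offset + len(needle)] == needle
    elif anchor == "<":                   # counted back from the end
        start = len(payload) - offset - len(needle)
        hit = start >= 0 and payload[start:start + len(needle)] == needle
    else:                                 # unanchored: anywhere in the packet
        hit = needle in payload
    return hit != negate                  # "!" inverts the result


def plugin_matches(specs, payload):
    """A plugin's bmatch lines must all hold for the same packet."""
    return all(bmatch(spec, payload) for spec in specs)


# bmatch lines of plugin 71975 from the section above.
SNMP_PUBLIC_PLUGIN = [">0:30", ">2:020100", ">5:04067075626c6963a2",
                      "020100020100"]

# Constructed SNMPv1 GetResponse (sample data, not a capture).
SNMP_RESPONSE = bytes.fromhex(
    "302a"                  # ASN.1 SEQUENCE header, 42 bytes follow
    "020100"                # version: SNMPv1
    "04067075626c6963"      # community string "public"
    "a21d"                  # message type RESPONSE, 29 bytes follow
    "02012a"                # request id 42
    "020100" "020100"       # error status 0, error index 0
    "30123010"              # varbind list holding one varbind
    "06082b06010201010100"  # OID 1.3.6.1.2.1.1.1.0 (sysDescr.0)
    "040474657374"          # value: octet string "test"
)

if __name__ == "__main__":
    print("public community:", plugin_matches(SNMP_PUBLIC_PLUGIN, SNMP_RESPONSE))
    other = SNMP_RESPONSE.replace(b"public", b"secret")
    print("other community: ", plugin_matches(SNMP_PUBLIC_PLUGIN, other))
```

A response that carries any community string other than "public" fails the third pattern, so the plugin as a whole does not match.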


Time Dependent Plugins

The last plugin example shows some more advanced features of the NNM plugin language that allows a plugin to be time dependent as well as make use of the evaluation of other plugins. The plugin shows how NNM detects an anonymous FTP server. Use the NEXT keyword to separate plugins in the plugin file.

id=79200
nooutput
hs_sport=21
name=Anonymous FTP (login: ftp)
pmatch=^USER ftp
match=^331
NEXT #-----------------------------------------------------------
id=79201
dependency=79200
timed-dependency=5
hs_sport=21
name=Anonymous FTP enabled
description=The remote FTP server has anonymous access enabled.
risk=LOW
pmatch=^PASS
match=^230

Since we want to detect an anonymous FTP server, we must look for the following traffic pattern:

   USER ftp
1) FTP client -----------------------> FTP server

   331 Guest login ok, ...
2) FTP client <----------------------- FTP server

   PASS [email protected]
3) FTP client -----------------------> FTP server

   230 Logged in
4) FTP client <----------------------- FTP server

Here we cannot use a single plugin to detect this entire session. So, instead we use two plugins: the first plugin looks for packets 1) and 2) and the second plugin looks for packets 3) and 4).


A review of the above plugin shows that plugin 79200 matches 1) and 2) in the session by keying on the patterns “USER ftp” and the 331 return code. Plugin 79201 matches on 3) and 4) by keying on the patterns “PASS” and the 230 return code.

Notice that plugin 79201 contains the following field: dependency=79200. This field indicates the plugin 79200 must evaluate successfully before plugin 79201 may be evaluated.

To complete the plugin for the anonymous FTP session, we must ensure both plugins are evaluating the same FTP session. To do this, we attach a time dependency to plugin 79201. The field timed-dependency=5 indicates that plugin 79200 must evaluate successfully in the last five seconds for 79201 to evaluate. This way, we can ensure that both plugins evaluate the same FTP session.
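The sketch below is an added example, not Tenable's code and not NNM's matching engine. It parses the two-plugin file above and replays constructed FTP sessions through it, covering the ^, > and ! prefixes from Network Client Detection, pmatch against the previous packet, and dependency with timed-dependency. The session model (a single previous payload, firing times kept per session), the use of Python's re module and all function names are assumptions.

```python
import re

# The two plugins from the section above, as they would sit in a .prm file.
PRM_TEXT = """\
id=79200
nooutput
hs_sport=21
name=Anonymous FTP (login: ftp)
pmatch=^USER ftp
match=^331
NEXT #-----------------------------------------------------------
id=79201
dependency=79200
timed-dependency=5
hs_sport=21
name=Anonymous FTP enabled
description=The remote FTP server has anonymous access enabled.
risk=LOW
pmatch=^PASS
match=^230
"""

def parse_prm(text):
    """Return one dict per plugin, mapping keyword -> list of values."""
    plugins, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        if line.split("#", 1)[0].strip() == "NEXT":
            plugins.append(current)       # NEXT closes the current plugin
            current = {}
            continue
        key, _, value = line.partition("=")
        current.setdefault(key, []).append(value)
    return plugins + ([current] if current else [])

def text_match(pattern, payload):
    """Apply one match/pmatch pattern with its optional !, > or ^ prefix."""
    negate = pattern.startswith("!")
    pattern = pattern[1:] if negate else pattern
    if pattern.startswith(">"):           # start of the packet payload
        hit = payload.startswith(pattern[1:])
    elif pattern.startswith("^"):         # start of any line in the payload
        hit = any(l.startswith(pattern[1:]) for l in payload.splitlines())
    else:                                 # anywhere in the payload
        hit = pattern in payload
    return hit != negate

REGEX_KEYS = (("regex", False, 0), ("regexi", False, re.I),
              ("pregex", True, 0), ("pregexi", True, re.I))

def evaluate(plugin, prev, cur, now, last_fired):
    """True if plugin matches packet `cur`, given the previous packet `prev`
    and the times at which other plugins last fired (numeric IDs only)."""
    for dep in plugin.get("dependency", []):
        fired_at = last_fired.get(dep)
        if fired_at is None:
            return False                  # required plugin never succeeded
        for window in plugin.get("timed-dependency", []):
            if now - fired_at > float(window):
                return False              # succeeded, but too long ago
    if not all(text_match(p, cur) for p in plugin.get("match", [])):
        return False
    if not all(text_match(p, prev) for p in plugin.get("pmatch", [])):
        return False
    for key, on_prev, flags in REGEX_KEYS:
        for rx in plugin.get(key, []):
            if not re.search(rx, prev if on_prev else cur, flags | re.M):
                return False
    return True

def run_session(plugins, packets):
    """packets: (seconds, payload) pairs alternating client/server.
    Returns reported plugin IDs; nooutput plugins fire without reporting."""
    last_fired, reported, prev = {}, [], ""
    for now, payload in packets:
        for plugin in plugins:
            if evaluate(plugin, prev, payload, now, last_fired):
                last_fired[plugin["id"][0]] = now
                if "nooutput" not in plugin:
                    reported.append(int(plugin["id"][0]))
        prev = payload
    return reported

def ftp_session(user, pass_delay):
    """Constructed FTP login; pass_delay = seconds between 331 and PASS."""
    return [(0.0, f"USER {user}\r\n"),
            (0.2, "331 Guest login ok, send your e-mail address.\r\n"),
            (0.2 + pass_delay, "PASS guest@example.invalid\r\n"),
            (0.3 + pass_delay, "230 Logged in\r\n")]

if __name__ == "__main__":
    rules = parse_prm(PRM_TEXT)
    for user, delay in (("ftp", 1.0), ("ftp", 30.0), ("alice", 1.0)):
        print(user, delay, run_session(rules, ftp_session(user, delay)))
```

Only the first session reports plugin 79201: the second exceeds the five-second window, and in the third plugin 79200 never fires because the login name is not ftp.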


Plugin Examples

Basic Example

This plugin illustrates the basic concepts of NNM plugin writing:

id=79873
nid=11414
hs_sport=143
name=IMAP Banner
description=An IMAP server is running on this port. Its banner is :\n %L
risk=NONE
match=OK
match=IMAP
match=server ready
regex=^.*OK.*IMAP.*server ready

This example uses the following fields:

• id - A unique number assigned to this plugin.

• nid - The Nessus ID of the corresponding Nessus NASL script.

• hs_sport - The source port to key on if High Performance mode is enabled.

• name - The name of the plugin.

• description - A description of the problem or service.

• match - The set of match patterns that must be found in the payload of the packet before the regular expression can be evaluated.

• regex - The regular expression to apply to the packet payload.

Tip: The description contains the %L macro. If this plugin evaluates successfully, then the string pattern inthe payload that matched the regular expression is stored in %L and prints out at report time.

Complex Example

id=79004
nid=10382
cve=CVE-2000-0318
bid=1144
hs_sport=143
name=Atrium Mercur Mailserver
description=The remote imap server is Mercur Mailserver 3.20. There is a flaw in this server (present up to version 3.20.02) which allow any authenticated user to read any file on the system. This includes other user mailboxes, or any system file. Warning : this flaw has not been actually checked but was deduced from the server banner
solution=There was no solution ready when this vulnerability was written; Please contact the vendor for updates that address this vulnerability.
risk=HIGH
match=>* OK
match=MERCUR
match=IMAP4-Server
regex=^\* OK.*MERCUR IMAP4-Server.*v3\.20\..*$

Tip: The first match pattern makes use of the > symbol. The > symbol indicates that the subsequent string must be at the beginning of the packet payload. Use of the > symbol is encouraged where possible as it is an inexpensive operation.

Case-Insensitive Example

There is a tool called SmartDownLoader that uploads and downloads large files. Unfortunately, versions 0.1 through 1.3 use the capitalization SmartDownloader, versions 1.4 through 2.7 use smartdownloader and versions 2.8 through current use SMARTdownloader. Searching for the various combinations of this text with purely the regex command would cause us to use a statement that looks like this:

regex=[sS][mM][aA][rR][tT][dD]own[lL]oader

However, with the regexi command, the search string is much less complex and less prone to creating an error:

regexi=smartdownloader

By using regexi, we can more quickly match on all three versions as well as future permutations of the string smartdownloader. In a case such as this, regexi is the logical choice.

id=79910
dependency=1442
hs_sport=6789
name=SmartDownLoader Detection
description=The remote host is running SmartDownLoader, a tool for performing rudimentary uploads and downloads of large binary files.
solution=Ensure that this application is in keeping with Corporate policies and guidelines
risk=MEDIUM
family=PeerToPeer
match=ownloader
regexi=smartdownloader

Above is a complete example NNM plugin using the regexi keyword. The use of the match keyword searching for the string ownloader is not a typo. By searching for network sessions that have this string in them first, NNM can avoid invoking the expensive regexi search algorithm unless the ownloader pattern is present.


NNM Real-Time Plugin Syntax

Real-Time Plugin Model

NNM real-time plugins are exactly the same as NNM vulnerability plugins with two exceptions:

• They can occur multiple times.

• Their occurrence may not be recorded as a vulnerability.

For example, an attacker may attempt to retrieve the source code for a Perl script from an Apache web server. If NNM observes this event, it would be logical to send a real-time alert. It would also be logical to mark that the Apache server is potentially vulnerable to some sort of Perl script source code download. In other cases, it may be more logical to just log the attempt as an event, but not a vulnerability. For example, a login failure over FTP is an event that may be worth logging, but does not indicate a vulnerability.

As the real-time plugins are written, there are two keywords that indicate to NNM that these are not regular vulnerability plugins. These are the real-time and realtimeonly keywords.

In the previous example, the FTP user login failure would be marked as a realtimeonly event because we would like real-time alerting, but not a new entry into the vulnerability database.

Real-Time Plugin Keywords

Name - Description

real-time - If a plugin has this keyword, then NNM will generate a SYSLOG message or real-time log file entry the first time this plugin matches. This prevents vulnerabilities that are worm related from causing millions of events. For example, the plugins for the Sasser worm generate only one event. Output from plugins with this keyword will show up in the vulnerability report.

realtimeonly - If a plugin has this keyword, then NNM will generate a SYSLOG message or real-time log file entry each time the plugin evaluates successfully. These plugins never show up in the report file.

track-session - This keyword will cause the contents of a session to be reported (via SYSLOG or the real-time log file) a specified number of times after the plugin containing this keyword was matched. This is an excellent way to discover what a hacker “did next” or possibly what the contents of a retrieved file were real-time.

trigger-dependency - Normally if a plugin has multiple dependencies, then all of those dependencies must be successful for the current plugin to evaluate. However, the trigger-dependency keyword allows a plugin to be evaluated as long as at least one of its dependencies is successful.


Real-Time Plugin Examples

Failed Telnet Login Plugin

The easiest way to learn about NNM real-time plugins is to evaluate some of those included by Tenable. Below is a plugin that detects a failed Telnet login to a FreeBSD server.

# Look for failed logins into a FreeBSD telnet server
id=79400
hs_sport=23
dependency=1903
realtimeonly
name=Failed login attempt
description=NNM detected a failed login attempt to a telnet server
risk=LOW
match=Login incorrect

This plugin has many of the same features as a vulnerability plugin. The ID of the plugin is 79400. The high-speed port is 23. We need to be dependent on plugin 1903 (which detects a Telnet service). The realtimeonly keyword tells NNM that if it observes this pattern, then it should alert on the activity, but not record any vulnerability.

In Tenable.sc, events from NNM are recorded alongside other IDS tools.

Finger User List Enumeration Plugin

The finger daemon is an older Internet protocol that allowed system users to query remote servers to get information about a user on that box. There have been several security holes in this protocol that allowed an attacker to elicit user and system information that could be useful to attackers.

id=79500
dependency=1277
hs_sport=79
track-session=10
realtimeonly
name=App Subversion - Successful finger query to multiple users
description=A response from a known finger daemon was observed which indicated that the attacker was able to retrieve a list of three or more valid user names.
risk=HIGH
match=Directory:
match=Directory:
match=Directory:

This plugin looks for these patterns only on systems where a working finger daemon has been identified (dependency #1277). However, the addition of the track-session keyword means that if this plugin is launched with a value of 10, the session data from the next 10 packets is tracked and logged in either the SYSLOG or real-time log file.

During a normal finger query, if only one valid user is queried, then only one home directory is returned. However, many of the exploits for finger involve querying for users such as NULL, .., or 0. This causes vulnerable finger daemons to return a listing of all users. In that case, this plugin would be activated because of the multiple “Directory:” matches.

Unix Password File Download Web Server Plugin

This plugin below looks for any download from a web server that does not look like HTML traffic, but does look like the contents of a generic Unix password file.

id=79300
dependency=1442
hs_sport=80
track-session=10
realtimeonly
name=Web Subversion - /etc/passwd file obtained
description=A file which looks like a Linux /etc/passwd file was downloaded from a web server.
risk=HIGH
match=!<HTML>
match=!<html>
match=^root:x:0:0:root:/root:/bin/bash
match=^bin:x:1:1:bin:
match=^daemon:x:2:2:daemon:

The plugin is dependent on NNM ID 1442, which detects web servers. In the match statements, we attempt to ignore any traffic that contains valid HTML tags, but also has lines that start with common Unix password file entries.
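The match-then-regex evaluation order used by the Mercur plugin and the password file plugin above can be modeled in a few lines. This is an added example, not NNM's engine or Tenable code: the function names are hypothetical, the payloads are constructed, and the reading of the prefixes (! negates, > anchors to the start of the payload, ^ anchors to the start of a line) is an assumption taken from the descriptions in this guide.

```python
import re

# Plugin text copied from the examples above (description/solution lines omitted).
MERCUR = r"""
id=79004
hs_sport=143
name=Atrium Mercur Mailserver
risk=HIGH
match=>* OK
match=MERCUR
match=IMAP4-Server
regex=^\* OK.*MERCUR IMAP4-Server.*v3\.20\..*$
"""

PASSWD = r"""
id=79300
realtimeonly
name=Web Subversion - /etc/passwd file obtained
risk=HIGH
match=!<HTML>
match=!<html>
match=^root:x:0:0:root:/root:/bin/bash
match=^bin:x:1:1:bin:
match=^daemon:x:2:2:daemon:
"""


def parse_plugin(text):
    """Return the plugin as an ordered list of (keyword, value) pairs."""
    fields = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")  # bare keywords have no '='
        fields.append((key, value if sep else ""))
    return fields


def match_ok(pattern, payload):
    """Evaluate one literal match pattern (assumed prefix semantics)."""
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    if pattern.startswith(">"):      # must be at the start of the payload
        found = payload.startswith(pattern[1:])
    elif pattern.startswith("^"):    # must be at the start of some line
        found = any(l.startswith(pattern[1:]) for l in payload.splitlines())
    else:                            # anywhere in the payload
        found = pattern in payload
    return found != negate


def evaluate(fields, payload, stats=None):
    """Return {'id', 'name', 'L'} if the plugin fires, else None."""
    stats = stats if stats is not None else {}
    stats.setdefault("regex_calls", 0)
    # Cheap literal patterns first: every match line must hold.
    if not all(match_ok(v, payload) for k, v in fields if k == "match"):
        return None
    matched = ""
    for key, value in fields:
        if key in ("regex", "regexi"):
            stats["regex_calls"] += 1  # only reached when all matches passed
            flags = re.MULTILINE | (re.IGNORECASE if key == "regexi" else 0)
            m = re.search(value, payload, flags)
            if m is None:
                return None
            matched = m.group(0).strip()  # what %L would hold
    info = dict(fields)
    return {"id": info["id"], "name": info["name"], "L": matched}


# Constructed sample payloads (not captured traffic).
BANNER_VULN = "* OK MERCUR IMAP4-Server (v3.20.01 constructed banner) ready\r\n"
BANNER_NEWER = "* OK MERCUR IMAP4-Server (v4.01.00 constructed banner) ready\r\n"
BANNER_OTHER = "* OK IMAP4rev1 service ready (constructed)\r\n"
PASSWD_LEAK = ("HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\n"
               "root:x:0:0:root:/root:/bin/bash\n"
               "bin:x:1:1:bin:/bin:/sbin/nologin\n"
               "daemon:x:2:2:daemon:/sbin:/sbin/nologin\n")
HTML_PAGE = ("HTTP/1.0 200 OK\r\n\r\n<html><pre>\n"
             "root:x:0:0:root:/root:/bin/bash\n"
             "bin:x:1:1:bin:/bin:\ndaemon:x:2:2:daemon:/sbin:\n</pre></html>\n")

if __name__ == "__main__":
    for name, plugin, payload in [
        ("vulnerable banner", MERCUR, BANNER_VULN),
        ("newer banner", MERCUR, BANNER_NEWER),
        ("other IMAP server", MERCUR, BANNER_OTHER),
        ("passwd download", PASSWD, PASSWD_LEAK),
        ("HTML page quoting passwd", PASSWD, HTML_PAGE),
    ]:
        stats = {}
        print(name, "->", evaluate(parse_plugin(plugin), payload, stats), stats)
```

The regex counter shows the point of the literal prefilter: the banner from an unrelated IMAP server is rejected before the regular expression is ever compiled or run.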

Generic Buffer Overflow Detection on Windows Plugin


One of NNM’s strongest intrusion detection features is its ability to recognize specific services, and then to look for traffic occurring on those services that should never occur unless they have been compromised. Since NNM can keep track of both sides of a conversation and make decisions based on the content of each, it is ideal to look for Unix and Windows command shells occurring in services that should not have those command shells in them. Here is an example plugin:

# look for Windows error when a user tries to
# switch to a drive that doesn't exist
id=79201
include=services.inc
trigger-dependency
track-session=10
realtimeonly
name=Successful shell attack detected - Failed cd command
description=The results of an unsuccessful attempt to change drives on a Windows machine occurred in a TCP session normally used for a standard service. This may indicate a successful compromise of this service has occurred.
risk=HIGH
pmatch=!>GET
pregexi=cd
match=!>550
match=^The system cannot find the
match=specified.

This plugin uses the include keyword that identifies a file that lists several dozen NNM IDs, which identify well known services such as HTTP, DNS, and NTP. The plugin is not evaluated unless the target host is running one of those services.

The keyword trigger-dependency is needed to ensure the plugin is evaluated even if there is only one match in the services.inc file. Otherwise, NNM evaluates this plugin only if the target host was running all NNM IDs present in the services.inc file. The trigger-dependency keyword says that at least one NNM ID specified by one or more dependency or include rules must be present.

Finally, the logic of plugin detection looks for the following type of response on a Windows system:


In this case, a user has attempted to use the cd command to change directories within a file system and the attempt was not allowed. This is a common event that occurs when a remote hacker compromises a Windows 2000 or Windows 2003 server with a buffer overflow. The NNM plugin looks for a network session that should not be there.

In the plugin logic, there are pmatch and pregexi statements that attempt to ensure that the session is not an HTTP session, and that the previous side of the session contains the string cd.

Tip: The pregexi statement could be expanded to include the trailing space after the “d” character and also the first character.

The plugin then looks for the expected results of the failed cd command. The first match statement makes sure this pattern is not part of the FTP protocol. Looking for “cd” in one side of a session and the error of attempting to change to a directory in an FTP session causes false positives for this plugin. Adding a rule to ignore if a line starts with “550” avoids this. While writing and testing this plugin, Tenable considered having a different set of plugins just for FTP, but the additional filter statement took care of any false positives. Finally, the last two match statements look for the results of the failed change directory attempt. They are spread across two match statements and could have been combined into one regular expression statement, but there was enough content in the basic message to split them into higher-speed matching.


NNM Corporate Policy Plugins

Most companies have an “Acceptable Use Policy” that defines appropriate use of the company’s IT facilities. Often, this policy is abused to some extent since detecting abuse can be difficult.

NNM can help in this regard through use of NNM Corporate Policy plugins. These plugins can be used to look for policy violations and items such as credit card numbers, Social Security numbers, and other sensitive content in motion.

Tenable ships NNM with a large number of plugins that are frequently updated. The primary focus of these plugins is to discover hosts, applications and their related client/server vulnerabilities. To search for a specific plugin, visit http://www.tenable.com/NNM-plugins.

Many of the available plugins already detect activities that would fall into the “Inappropriate Use” category in most companies. Some of the activities that are detected through these plugins include (but are not limited to):

• Game servers

• Botnet clients and servers

• Peer to peer file sharing

• IRC clients and servers

• Chat clients

• Tunneling software or applications like Tor, GoToMyPC, and LogMeIn

Related Information

• Detecting Custom Activity Prohibited by Policy

• Detecting Confidential Data in Motion


Detecting Custom Activity Prohibited by Policy

The plugins provided with NNM are useful for detecting generally inappropriate activities, but there may be times when more specific activities need to be detected. For example, a company may want to generate an alert when email is sent to a competitor’s mail service or if users are managing their Facebook accounts from the corporate network.

Tenable provides the ability for users to write their own custom plugins, as documented in NNM Plugin Syntax. These plugins are saved as prm files.

The following example shows how to create a custom plugin to detect users logging into their Facebook accounts. First, a unique plugin ID is assigned, in this case 79420. So, the first line of our plugin is:

id=79420

Next, we want a description of what the vulnerability detects:

description=The remote client was observed logging into a Facebook account. You should ensure that such behavior is in alignment with corporate policies and guidelines. For your information, the user account was logged as:\n %L

The %L is the result of our regular expression statement that is created later. We want to log the source address of the offending computer as well as the user ID that was used to log in. Next, we create a distinct name for our plugin.

name=POLICY - Facebook usage detection

Note that the name begins with the string POLICY. This makes all POLICY violations easily searchable from the Tenable.sc interface.

You can also define a Tenable.sc dynamic asset that contains only POLICY violators.

The next field defines a family. For this example, the application is a web browser, so the family ID is defined as follows:

family=Web Clients

Since this is a web browser, a dependency can be assigned that tells NNM to look at only those clients that have been observed surfing the web:

dependency=1735

Furthermore, since we are looking at client traffic, we define:

clientissue


Next, we assign a risk rating for the observed behavior:

risk=MEDIUM

In the final section we create match and regex statements that NNM looks for passively. We want all of these statements to be true before the client is flagged for inappropriate usage:

match=>POST /

The web request must begin with a POST verb. This weeds out all “GET” requests.

match=^Host: *.facebook.com

The statement above ensures that they are posting to a host with a domain of *.facebook.com.

Finally, we have a match and regex statement that detects the user’s login credentials:

match=email=

regex=email=.*%40[^&]+

Altogether, we have a single plugin as follows:

id=79420
family=Web Clients
clientissue
dependency=1735
name=Facebook_Usage
description=The remote client was observed logging into a Facebook account. You should ensure that such behavior is in alignment with Corporate Policies and guidelines. For your information, the user account was logged as:
risk=MEDIUM
solution=Stay off of Facebook.
match=>POST /
match=^Host: *.facebook.com
match=email=
regex=email=.*%40[^&]+

This plugin could be named Facebook.prm and added into the /opt/NNM/var/nnm/plugins/ directory. If Tenable.sc is used to manage one or more NNM systems, use the plugin upload dialog to add the new .prm file.


If you wish to create a policy file that includes multiple checks, use the reserved word NEXT within the policy file. For example:

id=79420
…rest of plugin…
NEXT
id=79421
…etc.


Detecting Confidential Data in Motion

Many organizations want to ensure that confidential data does not leave the network. NNM can aid in this by looking at binary patterns within observed network traffic. If critical documents or data can be tagged with a binary string, such as an MD5 checksum, NNM has the ability to detect these files being passed outside the network. For example:

Create a document that has a binary string of:

0xde1d7f362734c4d71ecc93a23bb5dd4c and 0x747f029fbf8f7e0ade2a6198560c3278

An NNM plugin can then be created to look for this pattern as follows:

id=79580
trigger-dependency
dependency=2004
dependency=2005
hs_dport=25
description=POLICY - Confidential data passed outside the corporate network. The Confidential file don'tshare.doc was just observed leaving the network via email.
name=Confidential file misuse
family=Generic
clientissue
risk=HIGH
bmatch=de1d7f362734c4d71ecc93a23bb5dd4c
bmatch=747f029fbf8f7e0ade2a6198560c3278

These binary codes were created by simply generating MD5 hashes of the following strings:

"Copyright 2006 BigCorp, file: don'tshare.doc"

"file: don'tshare.doc"

The security compliance group maintains the list of mappings (confidential file to MD5 hash). The MD5 hash can be embedded within the binary file and can then be tracked as it traverses the network.
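The tagging workflow described above, as an added example that is not Tenable code: it derives the 16-byte tags from marker strings, emits the bmatch lines in the layout of plugin 79580, and checks constructed payloads the way a raw byte search would. The helper names, the choice to append the tags to the end of the document, and the sample payloads are assumptions; the digests are computed when the script runs.

```python
import base64
import hashlib

# Marker strings quoted from this guide; digests are computed at run time.
MARKERS = [
    "Copyright 2006 BigCorp, file: don'tshare.doc",
    "file: don'tshare.doc",
]


def watermark(marker):
    """16-byte MD5 digest of a marker string, used only as an opaque tag."""
    return hashlib.md5(marker.encode("ascii")).digest()


def build_plugin(plugin_id, filename, markers):
    """Emit plugin text in the layout of the 79580 example above."""
    lines = [
        f"id={plugin_id}",
        "trigger-dependency",
        "dependency=2004",
        "dependency=2005",
        "hs_dport=25",
        "description=POLICY - Confidential data passed outside the corporate "
        f"network. The Confidential file {filename} was just observed leaving "
        "the network via email.",
        "name=Confidential file misuse",
        "family=Generic",
        "clientissue",
        "risk=HIGH",
    ]
    lines += ["bmatch=" + watermark(m).hex() for m in markers]
    return "\n".join(lines)


def tag_document(body, markers):
    """Append each raw tag to the document bytes (placement is an assumption)."""
    return body + b"".join(watermark(m) for m in markers)


def bmatch_patterns(plugin_text):
    """Decode every bmatch= line of a plugin into the raw bytes it stands for."""
    return [
        bytes.fromhex(line.split("=", 1)[1])
        for line in plugin_text.splitlines()
        if line.startswith("bmatch=")
    ]


def plugin_fires(plugin_text, payload):
    """True when every binary pattern occurs somewhere in the payload bytes."""
    patterns = bmatch_patterns(plugin_text)
    return bool(patterns) and all(p in payload for p in patterns)


# Constructed test data (not real documents or captured traffic).
PLUGIN = build_plugin(79580, "don'tshare.doc", MARKERS)
UNTAGGED_DOC = b"constructed document body \x00\x01\x02"
TAGGED_DOC = tag_document(UNTAGGED_DOC, MARKERS)
RAW_TRANSFER = b"constructed binary transfer\r\n" + TAGGED_DOC
B64_TRANSFER = (b"Content-Transfer-Encoding: base64\r\n\r\n"
                + base64.b64encode(TAGGED_DOC))

if __name__ == "__main__":
    print(PLUGIN)
    print("raw transfer    :", plugin_fires(PLUGIN, RAW_TRANSFER))
    print("base64 transfer :", plugin_fires(PLUGIN, B64_TRANSFER))
    print("untagged file   :", plugin_fires(PLUGIN, UNTAGGED_DOC))
```

The raw tag bytes are not present in the base64-encoded copy, so validate each tagging plugin against the transfer encoding your mail path actually uses before relying on it.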

Similar checks can be performed against ASCII strings to detect, for example, if confidential data was cut-and-pasted into an email. Simply create text watermarks that appear benign to the casual observer and map to a specific file name. For example:

"Reference data at \\192.168.0.2\c$\shares\employmentfiles for HR data regarding Jane Mcintyre" could be a string which maps to a file named Finances.xls.


An NNM plugin can look for the string as follows:

id=79581
trigger-dependency
dependency=2004
dependency=2005
hs_dport=25
description=POLICY - Confidential data passed outside the corporate network. Data from the confidential file Finances.xls was just observed leaving the network via email.
name=Confidential file misuse
family=Generic
clientissue
risk=HIGH
match=Reference data at
match=192.168.0.2\c$\shares\employmentfiles
match=for HR data regarding Jane Mcintyre

The two example plugins above (IDs 79580 and 79581) detect files leaving the network via email. Most corporations have a list of ports that are allowed outbound access. SMTP is typically one of these ports. Other ports may include FTP, Messenger client ports (e.g., AIM, Yahoo and ICQ), or Peer2Peer (e.g., GNUTELLA and BitTorrent). Depending on your specific network policy, you may wish to clone plugins 79580 and 79581 to detect these strings on other outbound protocols.


Working with Tenable.sc

NNM can operate under the control of Tenable.sc, which provides NNM with passive vulnerability data and retrieves scanned data. Tenable.sc has a variety of reporting, remediation, and notification mechanisms to efficiently distribute vulnerability information across large enterprises. In addition, it can also control a distributed set of Nessus active vulnerability scanners. By combining active and passive vulnerability scanning, Tenable.sc can be used to efficiently and accurately manage security across large networks.

This section contains the following information about NNM integration with Tenable.sc.

• Managing Vulnerabilities

• Updating the NNM Management Interface


Managing Vulnerabilities

Tenable.sc displays a summary of vulnerabilities detected by NNM. These vulnerabilities can be independently viewed by many different users with different access control. Tenable.sc also allows security managers to issue recommendations that help guide network administrators as to which vulnerabilities should be mitigated.

For more information, see the Tenable.sc User Guide.

NNM is Real-Time

Since NNM’s vulnerability data is constantly fed into Tenable.sc and NNM’s plugins are updated by Tenable®, the accuracy of the passive vulnerability data in Tenable.sc greatly enhances the quality of the security information available to Tenable.sc users.


Offline NNM Plugin Update in Tenable.sc

To perform an offline NNM plugin update:

1. If not already in place, install an NNM scanner on the same host as Tenable.sc. It does not need to be started or otherwise configured.

2. To prevent the NNM scanner from starting automatically upon restarting the system, run the following command:

# /sbin/systemctl disable nnm

3. Run the following command and save the challenge string that is displayed:

# /opt/nnm/bin/nnm --challenge

4. Do one of the following:

• If you are using PVS versions 4.2.1 to 5.3.x, in your browser, navigate to https://plugins.nessus.org/v2/offline-pvs.php.

• If you are using NNM versions 5.4.x or later, in your browser, navigate to https://plugins.nessus.org/v2/offline-nnm.php.

5. Paste the challenge string from Step 3 and your Activation Code in the appropriate boxes on the web page.

6. Click Submit.

7. On the next page, copy the link that starts with https://plugins.nessus.org/v2/... and bookmark it in your browser. The other information on the page is not relevant for use with Tenable.sc.

8. Click the bookmarked link.

The page prompts you to download a file.

9. Download the file, which is called sc-passive.tar.gz.

10. Save the sc-passive.tar.gz on the system used to access your Tenable.sc GUI.

Note: Access the NNM feed setting and change the activation from offline to Tenable.sc.


11. (missing or bad snippet)

12. Click System > Configuration.

The Configuration page appears.

13. Click Plugins/Feed.

The Plugins/Feed Configuration page appears.

14. In the Schedules section, expand the Passive Plugins options.

15. Click Choose File and browse to the saved sc-passive.tar.gz file.

16. Click Submit.

After several minutes, the plugin update finishes and the page updates the Last Updated date and time.


Tenable.sc Troubleshooting

NNM server does not appear to be operational

1. (missing or bad snippet)

2. Verify that the NNM server appears as Unable to Connect under Status.

3. SSH to the remote NNM host to make sure the underlying operating system is operational.

4. Confirm that the NNM is running (Linux example below):

# service nnm status
NNM is stopped
NNM Proxy (pid 3142) is running
#

5. If the NNM service is not running, start the service:

# service nnm start
Starting NNM Proxy                                         [  OK  ]
Starting NNM                                               [  OK  ]
#

Cannot add an NNM server

1. Confirm that the NNM proxy is listening on the same port as Tenable.sc (port 8835 by default):

# ss -pan | grep 8835
tcp        0      0 0.0.0.0:8835    0.0.0.0:*     LISTEN      406/nnm

2. Check connectivity by telnetting from the Tenable.sc console into the NNM server on port 8835 (the NNM listening port). If successful, the response includes: Escape character is '^]'.

No vulnerabilities are being received from the NNM server

1. Ensure that the NNM service is running on the NNM host.

2. Ensure that the NNM appears in Tenable.sc under Resources > Passive Scanners and that the status of the NNM appears as Working.

3. Click Edit to ensure that the IP address or hostname, port, username, password, and selected repositories for the NNM are correct.

4. Edit any incorrect entries to their correct state.

5. Click Submit to attempt to reinitialize the NNM scanning interface.

NNM plugins fail to update

1. Manually test a plugin update under Plugins with Update Plugins.

If successful, Passive Plugins Last Updated updates to the current date and time.

2. Ensure that the Tenable.sc host allows outbound HTTPS connectivity to the NNM Plugin Update Site.

3. For all other NNM plugin update issues, contact Tenable Support.

Syslog Messages

NNM provides options to send real-time and vulnerability data as Syslog messages. This section describes the available Syslog message types:

• Standard Syslog Message Types

• CEF Syslog Message Types

Standard Syslog Message Types

Message Types

• Syslog message format for real-time Syslog entries generated by realtimeonly PRMs:

<priority>timestamp nnm: src_ip:src_port|dst_ip:dst_port|protocol|plugin_id|plugin_name|matched_text_current_packet|matched_text_previous_packet|risk

• Syslog message format for vulnerability and real-time Syslog entries generated by PASLs, PRMs, and internal plugins:

<priority>timestamp nnm: src_ip:src_port|dst_ip:dst_port|protocol|plugin_id|plugin_name|plugin_description|plugin_output|risk

Message Fields

Name                          Description
dst_ip                        Displays the destination IP address for reported traffic.
dst_port                      Displays the destination port for reported traffic.
matched_text_current_packet   Reports the payload, causing a match in the packet to trigger the NNM event.
matched_text_previous_packet  Reports the payload that was observed prior to the payload in the matched_text_current_packet field.
plugin_id                     Displays the reported NNM plugin or PASL ID triggered by reported traffic.
plugin_name                   Displays the name of the NNM plugin or PASL ID triggered by reported traffic.
plugin_output                 Displays dynamic data for a given vulnerability or event. This field may be empty if there is no plugin-specific data.
priority                      Displays the Syslog facility level of the message.
protocol                      Reports the integer value for the protocol used for the reported traffic.
risk                          Displays the associated risk level of the reported vulnerability. This can be NONE, LOW, MEDIUM, HIGH, CRITICAL, or INFO.
src_ip                        Displays the source IP address reported for the traffic.
src_port                      Displays the source port for the reported traffic.
timestamp                     Displays the date and time of the Syslog message.
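For log pipelines that ingest the standard format above, here is a parser sketch. It is an added example, not code from the NNM guide or from Tenable. It assumes NNM does not escape a `|` inside the free-text fields, that any extra `|` belongs to the second free-text field, and that the priority uses the usual syslog PRI encoding; the sample line is constructed.

```python
import re

# Risk values listed in the Message Fields table.
RISKS = {"NONE", "LOW", "MEDIUM", "HIGH", "CRITICAL", "INFO"}
LINE_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<timestamp>.*?) nnm: (?P<body>.*)$", re.S)

# Constructed sample (documentation addresses, made-up plugin ID and text).
SAMPLE = ("<134>Jan 14 10:22:31 nnm: 2001:db8::10:51234|192.0.2.7:443|6|99999|"
          "Example plugin|Constructed description|cipher=a|b|LOW")


def split_endpoint(endpoint):
    """Split 'ip:port' on the last colon so an IPv6 address stays whole."""
    ip, sep, port = endpoint.rpartition(":")
    if not sep or not ip or not port.isdigit():
        raise ValueError(f"bad endpoint: {endpoint!r}")
    return ip, int(port)


def parse_nnm_syslog(line, realtime_only=False):
    """Parse one standard-format NNM syslog line into a dict."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a standard NNM syslog line")
    # The two free-text fields may contain '|', so take the five fixed
    # fields from the left and the risk from the right.
    parts = m["body"].split("|", 5)
    if len(parts) != 6:
        raise ValueError("too few fields")
    src, dst, proto, plugin_id, plugin_name, rest = parts
    middle, sep, risk = rest.rpartition("|")
    if not sep or risk not in RISKS:
        raise ValueError(f"missing or unknown risk: {risk!r}")
    # Assumption: an extra '|' belongs to the second free-text field.
    first, sep, second = middle.partition("|")
    if not sep:
        raise ValueError("too few fields")
    names = (("matched_text_current_packet", "matched_text_previous_packet")
             if realtime_only else ("plugin_description", "plugin_output"))
    src_ip, src_port = split_endpoint(src)
    dst_ip, dst_port = split_endpoint(dst)
    pri = int(m["pri"])
    return {
        # Standard syslog PRI encoding: facility * 8 + severity.
        "facility": pri >> 3, "severity": pri & 7,
        "timestamp": m["timestamp"],
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
        "protocol": int(proto),
        "plugin_id": plugin_id, "plugin_name": plugin_name,
        names[0]: first, names[1]: second,
        "risk": risk,
    }
```

Both message types carry eight fields, so the caller has to say which one it is reading; `realtime_only=True` selects the matched-text field names.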

CEF Syslog Message Types

Message Type

Syslog message format for vulnerability and real-time Syslog entries generated by PASLs, PRMs, and internal plugins:

timestamp CEF: Version|Device Vendor|Device Product|Device Version|SignatureID|Name|Severity|Extension

Message Fields

Name            Description
Device Product  Displays the name of the product on the detected sending device.
Device Vendor   Displays the vendor of the product on the detected sending device.
Device Version  Displays the version of the product on the detected sending device.
Extension       Displays key-value pairs for one or more of the following additional fields: src, dst, spt, dpt, proto, and msg.
Name            Displays the name of the NNM plugin or PASL ID triggered by the reported traffic.
Severity        Displays the associated severity level of the reported vulnerability.
SignatureID     Displays the reported NNM plugin or PASL ID triggered by the reported traffic.
timestamp       Displays the date and time of the Syslog message.
Version         Displays the version of the CEF format.
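A parser sketch for the CEF layout above, added here as an example and not taken from the NNM guide or from Tenable. It assumes NNM follows the general CEF escaping rules (`\|` and `\\` in the header, `\=` and `\\` in extension values); the vendor, product, ID and message text in the sample are constructed placeholders.

```python
import re

# Header fields in the order the format line above gives them.
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
# Extension keys the page lists for NNM.
EXT_KEY_RE = re.compile(r"(?:^|\s)(src|dst|spt|dpt|proto|msg)=")
CEF_RE = re.compile(r"^(?P<timestamp>.*?)\s*CEF:\s*(?P<body>.*)$", re.S)

# Constructed sample: vendor, product, ID and text are placeholders.
CEF_SAMPLE = (r"Jan 14 10:22:31 CEF: 0|ExampleVendor|ExampleProduct|5.7|99999|"
              r"Example \| plugin|3|src=192.0.2.10 spt=51234 dst=198.51.100.7 "
              r"dpt=80 proto=6 msg=key\=value seen in banner")


def split_header(body, count):
    """Split off `count` fields on unescaped '|'; return (fields, remainder)."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < count:
        ch = body[i]
        if ch == "\\" and body[i + 1:i + 2] in ("|", "\\"):
            cur.append(body[i + 1])  # escaped pipe or backslash
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) != count:
        raise ValueError("truncated CEF header")
    return fields, body[i:]


def parse_extension(ext):
    """Parse 'key=value' pairs; a value runs until the next known key."""
    hits = list(EXT_KEY_RE.finditer(ext))
    out = {}
    for n, hit in enumerate(hits):
        end = hits[n + 1].start() if n + 1 < len(hits) else len(ext)
        raw = ext[hit.end():end].strip()
        out[hit.group(1)] = re.sub(r"\\([=\\])", r"\1", raw)
    return out


def parse_nnm_cef(line):
    """Parse one CEF-format line into header fields plus an extension dict."""
    m = CEF_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a CEF line")
    fields, ext = split_header(m["body"], len(HEADER_FIELDS))
    event = dict(zip(HEADER_FIELDS, fields))
    event["timestamp"] = m["timestamp"]
    event["extension"] = parse_extension(ext)
    return event
```

Restricting the extension keys to the six the page lists keeps a `word=` sequence inside `msg` from being read as a new key, unless that word is itself one of the six.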

Custom SSL Certificates

By default, NNM is installed and managed using HTTPS and SSL support and uses port 8835. Default installations of NNM use a self-signed SSL certificate.

To avoid browser warnings, use a custom SSL certificate specific to your organization. During the installation, NNM creates two files that make up the certificate: servercert.pem and serverkey.pem. You must replace these files with certificate files generated by your organization or a trusted CA.

Before replacing the certificate files, stop the NNM server. Replace the two files and restart the NNM server. If the certificate was generated by a trusted CA, subsequent connections to the scanner do not display an error.

Certificate File Locations

Operating System  Directory
Linux             /opt/nnm/var/nnm/ssl/servercert.pem
                  /opt/nnm/var/nnm/ssl/serverkey.pem
Windows           C:\ProgramData\Tenable\NNM\nnm\ssl\servercert.pem
                  C:\ProgramData\Tenable\NNM\nnm\ssl\serverkey.pem
macOS             /Library/NNM/var/nnm/ssl/servercert.pem
                  /Library/NNM/var/nnm/ssl/serverkey.pem

Optionally, you can use the /getcert switch to install the root CA in your browser, which removes the warning:

https://<IP address>:8835/getcert

To set up an intermediate certificate chain, place a file named serverchain.pem in the same directory as the servercert.pem file.

This file must contain the 1-n intermediate certificates (concatenated public certificates) necessary to construct the full certificate chain from the NNM server to its ultimate root certificate (one trusted by the user's browser).

SSL Client Certificate Authentication

NNM supports use of SSL client certificate authentication. When the browser is configured for this method, the use of SSL client certificates is allowed.

NNM allows for password-based or SSL Certificate authentication methods for user accounts. When creating a user for SSL certificate authentication, use the NNM-make-cert-client utility through the command line on the NNM server.

Configure NNM for Certificates

To allow SSL certificate authentication, you must first configure the NNM web server with a server certificate and CA.

This process allows the web server to trust certificates created by the CA for authentication purposes. Generated files related to certificates must be owned by root:root and, by default, have the correct permissions.

This section contains the following instructions:

• Create a Custom CA and Server Certificate

• Create NNM SSL Certificates for Login

• Connect to NNM with a User Certificate

Create a Custom CA and Server Certificate

To create a custom CA and server certificate:

1. Optionally, create a new custom CA and server certificate for the NNM server using the NNM-make-cert command. This places the certificates in the correct directories.

2. When prompted for the host name, type the DNS name or IP address of the server in the browser (e.g., https://hostname:8835/ or https://ipaddress:8835/). The default certificate uses the host name.

3. If you wish to use a CA certificate instead of the NNM generated one, make a copy of the self-signed CA certificate using the appropriate command for your OS:

Operating System  Command
Linux             # cp /opt/nnm/var/nnm/ssl/cacert.pem /opt/nnm/var/nnm/ssl/ORIGcacert.pem
Windows           copy \ProgramData\Tenable\NNM\nnm\ssl\cacert.pem C:\ProgramData\Tenable\NNM\nnm\ssl\ORIGcacert.pem
macOS             # cp /Library/NNM/var/nnm/ssl/cacert.pem /Library/NNM/var/nnm/ssl/ORIGcacert.pem

4. If the authentication certificates are created by a CA other than the NNM server, the CA certificate must be installed on the NNM server. Copy the organization's CA certificate to the appropriate location for your OS:

Operating System  File Location
Linux             /opt/nnm/var/nnm/ssl/cacert.pem
Windows           C:\ProgramData\Tenable\NNM\nnm\ssl\cacert.pem
macOS             /Library/NNM/var/nnm/ssl/cacert.pem

5. Once the CA is in place, restart the NNM services.

6. After NNM is configured with the proper CA certificate(s), users may log in to NNM using SSL client certificates.

Create NNM SSL Certificates for Login

You can log in to an NNM server with SSL certificates. Once certificate authentication is enabled, username and password login is disabled. You must create the certificates using the nnm-make-cert command.

Note: When asked if you want to create a server certificate, select no to be prompted for the user certificate information.

To create NNM SSL certificates for login:

1. On the NNM server, run the nnm-make-cert command.

Operating System  Command
Linux             # /opt/nnm/bin/nnm-make-cert
Windows           C:\Program Files\Tenable\NNM\nnm-make-cert
macOS             # /Library/NNM/bin/nnm-make-cert

2. Configure the client certificate by answering the various questions.

Two files, the certificate and the key, are created in the temporary directory.

Operating System  Directory
Linux             /tmp/
Windows           C:\users\<username>\AppData\Local\Temp, where <username> is the user currently logged in.
macOS             /tmp/

3. Combine and export the certificate and key file into a format that can be imported into the web browser, such as .pfx.

In the following example where the username is admin, the files cert_admin.pem and key_admin.pem are combined into the file combined_admin.pfx.

Note: The username you type must correspond with an existing username in NNM. By default, NNM has only one administrative user. If you add another administrative user, then you can use more than one certificate.

openssl pkcs12 -export -out combined_admin.pfx -inkey key_admin.pem -in cert_admin.pem -chain -CAfile /opt/nnm/var/nnm/ssl/cacert.pem -passout 'pass:password' -name 'NNM User Certificate for: admin'

The resulting file is created in the directory from which the command was launched.

4. Import the combined file into the web browser's personal certificate store.

5. Configure the NNM server for certificate authentication using the appropriate command for your operating system.

Once certificate authentication is enabled, username and password login is disabled.

Operating System  Command
Linux             # /opt/nnm/bin/nnm --config "Enable SSL Client Certificate Authentication" "1"
Windows           C:\Program Files\Tenable\NNM\nnm --config "Enable SSL Client Certificate Authentication" "1"
macOS             # /Library/NNM/bin/nnm --config "Enable SSL Client Certificate Authentication" "1"

Connect to NNM with a User Certificate

To connect to NNM with a user certificate:

1. In a web browser, navigate to https://<ip address or hostname>:8835.

The browser displays a list of available certificates.

2. Select the appropriate certificate.

The certificate becomes available for the current NNM session.

3. Click the Sign In button.

You are automatically logged in as the designated user and NNM can be used normally.

Note: If you log out of NNM, the standard NNM login screen appears. If you want to log in with the same certificate, refresh your browser. If you want to use a different certificate, restart your browser session.
