NeXpose User’s Guide

Enterprise Edition Document version 1.7

Copyright © 2011 Rapid7 LLC. Boston, Massachusetts, USA. All rights reserved. Rapid7 and NeXpose are trademarks of Rapid7, LLC. Other names appearing in this content may be trademarks of their respective owners.


Revision history
The current document version is 1.7.

Revision date, version, and description:

Version 1.0 (June 15, 2010): Created document.
Version 1.1 (August 30, 2010): Added information about new PCI-mandated report templates to be used by ASVs as of September 1, 2010; clarified how CVSS scores relate to severity rankings in NeXpose.
Version 1.2 (October 25, 2010): Added more detailed instructions about specifying a directory for stored reports.
Version 1.3 (December 13, 2010): Added instructions for SSH public key authentication.
Version 1.4 (December 20, 2010): Added instructions for using Asset Filter search and creating dynamic asset groups. Also added instructions for using new asset search features when creating static asset groups and reports.
Version 1.5 (January 31, 2011): Added information about new PCI report sections and the PCI Host Details report template.
Version 1.6 (March 14, 2011): Added information about including organization information in site configuration and managing assets according to host type.
Version 1.7 (July 11, 2011): Added information about expanded vulnerability exception workflows.


Table of Contents
Revision history
Table of Contents
About this guide
  Other documents and Help
  Contacting Technical Support
Document conventions
Startup procedures
  Manually starting or stopping in Windows
  Changing the configuration for starting automatically as a service
  Manually starting or stopping in Linux
  Working with the daemon
Accessing the Security Console Web interface
Navigating the Security Console Home page
Using the search function
Using configuration panels
Setting up sites and running scans
  Specifying general site information
  Including organization information in a site
  Specifying assets to scan
  Specifying scan settings
  Adding users to a site
Running a manual scan
  Pausing, resuming, and stopping a scan
  Viewing scan results
Working with data from scans
  Viewing assets
  Using asset groups to your advantage
  Comparing dynamic and static asset groups
  Performing filtered asset searches
  Configuring filters
  Combining filters
  Creating and editing static asset groups
  Working with vulnerabilities
Using tickets
Working with reports
  Viewing reports in the Web interface
Glossary
Index

About this guide
This guide helps you to gather and distribute information about your network assets and vulnerabilities using NeXpose. It covers the following activities:
• logging onto the NeXpose Security Console and familiarizing yourself with the Web interface
• setting up sites and scans
• running scans manually
• viewing asset and vulnerability data
• creating remediation tickets
• creating reports

Other documents and Help
Click the Help link on any page of the NeXpose Security Console Web interface to find information quickly. You will also find the following documents useful. You can download them from the Support page in NeXpose Help.

NeXpose Administrator's Guide helps you to ensure that NeXpose works effectively and consistently in support of your organization's security objectives. It provides instruction for doing key administrative tasks:
• configuring NeXpose host systems for maximum performance
• planning a NeXpose deployment, including determining how to distribute scan engines
• managing NeXpose users and roles
• tuning scan performance
• maintaining and troubleshooting NeXpose

NeXpose Reporting Guide helps you to get the most useful information from NeXpose reports so that you can prioritize remediation tasks and monitor your organization's security posture. It provides guidance for understanding key reporting concepts:
• using preset and custom report templates
• using report formats
• reading and interpreting report data

NeXpose API guides help you integrate features with your internal systems.

Contacting Technical Support
To contact Technical Support, send an e-mail to support@rapid7.com. For additional contact information and resources, click the Support link on the NeXpose Security Console Web interface.

Document conventions
Words in bold typeface are names of hypertext links and controls. Words in italics are document titles, chapter titles, and names of Web and GUI interface pages. Directory paths appear in the Courier font. Command examples appear in the Courier font in shaded boxes.

Generalized file names in command examples appear between box brackets. Example: [installer_file_name]

Multiple options in commands appear between arrow brackets. Example:
$ /etc/init.d/[daemon_name] <start|stop|restart>

NOTES, WARNINGS, TIPS, and DEFINITIONS appear in shaded boxes.

Startup procedures
The NeXpose Security Console includes a Web-based user interface for configuring and operating NeXpose. Familiarizing yourself with the interface will help you to find and use its features quickly.

NeXpose is configured to start automatically when the host system starts. If you have disabled automatic startup, follow step 1 to start the product manually. You may log on to the Security Console Web interface immediately after the startup process has completed.

NOTE: Starting the Security Console for the first time will take 10 to 30 minutes because NeXpose is initializing its database of vulnerabilities.

Manually starting or stopping in Windows
If you disabled the initialize/start option as part of the installation, or if you have configured NeXpose to not start automatically as a service when the host system starts, you will need to start it manually.
1. Click the Windows Start button, go to the NeXpose folder, and select Start Services.
2. To manually stop NeXpose in Windows, click the Windows Start button, go to the NeXpose folder, and select the Stop Services icon.

Changing the configuration for starting automatically as a service
By default, NeXpose starts automatically as a service when Windows starts. You can disable this feature and control when NeXpose starts and stops.
1. Click the Windows Start button, and select Run.
2. In the Run dialog box, type services.msc, and click OK.
3. In the Services pane, double-click the icon for the NeXpose Security Console service.
4. From the drop-down list for Startup type, select Manual, and click OK.
5. Close Services.

Manually starting or stopping in Linux
If you disabled the initialize/start option as part of the installation, you will need to start NeXpose manually.

NOTE: To start NeXpose from the graphical user interface, double-click the NeXpose icon in the Internet folder of the Applications menu.

To start NeXpose from the command line, take the following steps:
1. Go to the directory that contains the script that starts NeXpose:
$ cd [installation_directory]/nsc
2. Run the script:
$ ./nsc.sh

WARNING: To detach from a NeXpose screen session, press CTRL and type a and then d. Do not use CTRL-c, which will stop NeXpose.

NOTE: Starting the Security Console for the first time will take 10 to 30 minutes because the database of vulnerabilities is initializing. You may log on to the Security Console Web interface immediately after startup has completed.

Working with the daemon
The installation creates a daemon named nexposeconsole.rc in the /etc/init.d/ directory.

Manually starting, stopping, or restarting the daemon
To manually start, stop, or restart NeXpose as a daemon:
1. Go to the /nsc directory in the installation directory:
$ cd [installation_directory]/nsc
2. Run the script to start, stop, or restart the daemon. For the security console, the script file name is nscsvc. For a scan engine, the service name is nsesvc:
$ ./[service_name] <start|stop>

Preventing the daemon from automatically starting with the host system
To prevent the NeXpose daemon from automatically starting when the host system starts:
$ update-rc.d [daemon_name] remove

Accessing the Security Console Web interface
NeXpose's AJAX user interface supports Microsoft Internet Explorer 7.0.x and later and Firefox 3.5 and later browser versions, in their default installations. Other browsers may operate successfully with the interface.

NOTE: Browsers do not include non-English, UTF-8 character sets, such as those for Chinese languages. To use your browser with one of these languages, you must install the appropriate language pack. In the Windows version of Internet Explorer 7.0, you can add a language by selecting Internet Options from the Tools menu, and then clicking the Languages button in the Internet Options dialog box. In the Windows version of Firefox 2.0, select Options from the Tools menu and then click the Advanced icon in the Options dialog box. In the Languages pane, click Choose... to select a language to add.

Start a Web browser. If you are running the browser on the same computer as the console, go to the IP address 127.0.0.1, and specify port 3780. Make sure to indicate HTTPS protocol when entering the URL: https://127.0.0.1:3780. If you are running the browser on a separate computer, substitute 127.0.0.1 with the correct host name or IP address.

NOTE: If there is a use conflict for port 3780, you may specify another available port in the XML file nsc\conf\httpd.xml. You also can switch the port after you log on. See Managing Security Console settings in the NeXpose Administrator's Guide.

Logon procedures
1. When your browser displays the Logon box, type the default logon name and the password that you specified during installation. User names and passwords are case-sensitive and nonrecoverable.
2. Click the Logon button. If you are a first-time user and have not yet activated your license, the console displays an activation dialog box.
3. (Optional) If you do not have a product key, click the link to request one. Doing so will open a page on the Rapid7 Web site, where you can register to receive a key. After you receive the key, log on to NeXpose again and enter the product key.
4. If Rapid7 sent you a product key, enter the product key in the text box.
5. Click Activate to complete this step.
6. Click Home to view the Security Console Home page.

NOTE: If the logon box indicates that the Security Console is in maintenance mode, then either an error has stopped the system from starting, or a scheduled task has initiated maintenance mode. See Running NeXpose in maintenance mode in the NeXpose Administrator's Guide for more information.

If the console displays a warning about authentication services being unavailable, and your network uses an external authentication source such as LDAP or Kerberos, your global administrator must check the configuration for that source. See Using external sources for user authentication in the NeXpose Administrator's Guide. The problem may also indicate that the authentication server is down.

The first time you log on to the console, you will see the News page, which lists all updates and improvements in the installed system, including new vulnerability checks. If you do not want to see this page every time you log on after an update, clear the check box for automatically displaying this page after every login. You can always view the News page by clicking the News link that appears in a row near the top right corner of every page of the console interface.

Navigating the Security Console Home page
When you log on to the NeXpose Home page for the first time, you see place holders for information, but no information contained in them. After installation, the only information in the database is the account of the default global administrator and the product license.

On the Site Listing pane, you can click controls to view and edit site information, run scans, and start to create a new site. Information for any currently running scan appears in the pane labeled Current Scan Listings for All Sites. On the Asset Group Listing pane, you can click controls to view and edit information about asset groups, and start to create a new asset group. On the Ticket Listing pane, you can click controls to view information about tickets and the assets for which those tickets are assigned.

A row of tabs appears at the top of the Home page, as well as every page of the Security Console. Use these tabs to navigate to the main pages for each area, depending on your role and permissions.
• The Home page shows sites, asset groups, tickets, and statistics about your network, based on scan data. If you are a global administrator, you can view and edit site and asset group information, and run scans for your entire network on this page.
• The Assets page links to pages for viewing assets organized by different groupings, such as the sites they belong to or the operating systems running on them.
• The Vulnerabilities page lists all discovered vulnerabilities.
• The Reports page lists all generated reports and provides controls for editing and creating report templates.
• The Tickets page lists remediation tickets and their status.
• The Administration page is the starting point for all management activities, such as creating and editing user accounts, asset groups, and scan and report templates. Only global administrators see this tab.

On the Home page and throughout the interface, you can use various controls for navigation and administration.

Control and description:
• (icon) Minimize any pane so that only its title bar appears.
• (icon) Expand a minimized pane.
• (icon) Close a pane.
• Configure link: Click to display a list of closed panes and open any of the listed panes.
• (icon) Reverse the sort order of listed items in a given column. You can also click column headings to produce the same result.
• (icon) Start a manual scan.
• (icon) Pause a scan.
• (icon) Resume a scan.
• (icon) Stop a scan.
• (icon) Edit properties for a site, report, or user account.
• (icon) Delete a site, report, or user account.
• (icon) Preview a report template.
• (icon) Exclude a vulnerability from a report.
• (icon) Export asset data to a comma-separated value (CSV) file.
• Help link: View Help.
• News link: View the News page, which lists all updates.
• Log Out link: Log out of the Security Console interface. The Logon box appears. For security reasons, the Security Console automatically logs out a user who has been inactive for 10 minutes.
• User: <user name> link: This link is the logged-on user name. Click it to open the User Configuration panel, where you can edit account information such as the password and view site and asset group access. Only Global Administrators can change roles and permissions.
• Search box: Search the database for assets, asset groups, and vulnerabilities.

Using the search function
With the powerful full-text search feature, you can search the NeXpose database using a variety of criteria, including full or partial IP addresses. For example, you can search for "192.168", and NeXpose returns all IP addresses that start with 192.168.x.x.

Enter your search criteria in the Search box on any page of the Security Console interface, and click the magnifying glass icon. NeXpose displays the Search page, which lists results in various categories. Within each category pane, NeXpose displays the results in a table that includes all possible features for that category. For example, the table in the Vulnerability Results pane includes all the columns that appear on the Vulnerabilities page. At the bottom of each category pane, you can view the total number of results and change settings for how results are displayed.

In the Search Criteria pane, you can refine and repeat the search. You can change the search phrase and select check boxes to allow partial word matches and to specify that all words in the phrase appear in each result. After refining the criteria, click the Search Again button.

Using configuration panels
NeXpose provides panels for configuration and administration tasks:
• creating and editing user accounts
• creating and editing asset groups
• creating and editing scan templates
• creating and editing report templates
• configuring NeXpose Security Console settings
• troubleshooting and maintaining NeXpose

All panels have the same navigation scheme. You can either use the navigation buttons in the upper-right corner of each panel page to progress through each page of the panel, or you can click a page link listed in the left column of each panel page to go directly to that page. To save configuration changes, click the Save button that appears on every page. To discard changes, click the Cancel button.

NOTE: Parameters labeled in red denote required parameters on all panel pages.

Setting up sites and running scans
You must set up at least one site containing at least one asset in order to run scans in NeXpose. Doing so involves the following steps:
• Specifying general site information on page 13
• Specifying assets to scan on page 13
• Specifying scan settings on page 14
• Setting up alerts on page 23
• Establishing scan credentials on page 24

Specifying general site information
To begin setting up a site:
1. Click the New Site button on the Home page. OR Click the Assets tab. When the console displays the Assets page, click the View link next to sites. When the console displays the Sites page, click New Site.
2. On the Site Configuration – General page, type a name for your site. You may wish to associate the name with the type of scan that you will perform on the site, such as Full Audit or Denial of Service.
3. Type a brief description for the site and select a level of importance from the drop-down list. The importance level corresponds to a risk factor that NeXpose uses to calculate a risk index for each site. The Very Low setting reduces the risk index to 1/3 of its initial value. The Low setting reduces the risk index to 2/3 of its initial value. A Normal setting does not change the risk index. High and Very High settings increase the risk index to 2 and 3 times its initial value, respectively. See the box labeled More Information.

Specifying assets to scan
4. Go to the Devices page to list assets for your new site. You can manually enter addresses and host names in the text box labeled Devices to scan, or import a comma- or new-line-delimited ASCII-text file that lists IP addresses and host names of assets you want to scan. Each address in the file should appear on its own line. Addresses may incorporate any valid NeXpose convention, including CIDR notation, fully qualified domain name, host name, and range of devices. If you are a global administrator, you may edit or delete addresses already listed in the site detail page.
5. To import an asset list, click the Browse button in the Included Devices area, and select the appropriate .txt file from the local computer or shared network drive for which read access is permitted.
6. To prevent assets within an IP address range from being scanned, manually enter addresses and host names in the text box labeled Devices to Exclude from scanning. You also can import a comma- or new-line-delimited ASCII-text file that lists addresses and host names that you don't want to scan.

To exclude devices:
1. Click the Browse button in the Excluded Devices area.
2. Select the appropriate .txt file from the local computer or shared network drive for which read access is permitted. Each address in the file should appear on its own line. Addresses may incorporate any valid NeXpose convention, including CIDR notation, fully qualified domain name, host name, and range of devices.

You also can exclude specific assets from scans in all sites throughout your deployment on the global Device Exclusion page. See Managing global settings in the NeXpose Administrator's Guide.

NOTE: If you specify a host name for exclusion, NeXpose will attempt to resolve it to an IP address prior to a scan. If it is initially unable to do so, it will perform one or more phases of a scan on the specified asset, such as pinging or port discovery. In the process, NeXpose may be able to determine that the asset has been excluded from the scope of the scan, and it will discontinue scanning it. However, if NeXpose is unable to make that determination, it will continue scanning the asset.

Specifying scan settings
Go to the Scan Setup page to select a scan template and/or scan engine other than the default settings. You also can enable scans to run on a specified schedule.

Select an existing scan template from the drop-down list. A scan template is a predefined set of scan attributes that you can select quickly rather than manually define properties, such as target assets, services, and vulnerabilities. A global administrator can customize scan templates for your organization's specific needs. When you modify a template, all sites that use that scan template will use the modified settings. You also can create a custom scan template. See Modifying and creating scan templates in the NeXpose Administrator's Guide for more information. The boxes that follow list descriptions and attributes for each default template.
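The included and excluded device lists described above accept the same entry forms (a single IP address, a CIDR block, a host name or fully qualified domain name, and a range of devices), and the note on host-name exclusion shows why an excluded name is only as reliable as its DNS resolution at scan time. The following script is an added example, not NeXpose code, that validates such lists offline before you save a site and reports the effective scope, listing name-based exclusions separately so they can be reviewed. It assumes entries are separated by commas or newlines as the guide states, that a range is written as two IPv4 addresses joined by a hyphen (the guide does not show the range syntax), and that blank lines and lines beginning with '#' may be skipped. The sample lists are constructed.

```python
"""Offline check of a NeXpose-style site scope (included and excluded device lists).

Added example, not NeXpose code. Accepted entry forms follow the guide: IP address,
CIDR block, host name or FQDN, and a range of addresses. Assumptions of this
example: entries are separated by commas or newlines; a range is written as two
IPv4 addresses joined by a hyphen (e.g. 10.0.0.5-10.0.0.8); blank lines and lines
starting with '#' are ignored. The sample lists below are constructed.
"""
import ipaddress
import re

RANGE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s*-\s*(\d{1,3}(?:\.\d{1,3}){3})$")
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$", re.IGNORECASE)

# Constructed sample lists in the comma- or newline-delimited form the guide describes.
INCLUDED = """192.168.10.0/28
10.0.0.5-10.0.0.8, db01.example.test
web.example.test
"""
EXCLUDED = """192.168.10.1, 192.168.10.14
db01.example.test
printer.example.test
"""


def split_entries(text):
    """Split a comma- or newline-delimited list into stripped, non-empty entries."""
    return [e.strip() for e in re.split(r"[,\n]", text)
            if e.strip() and not e.strip().startswith("#")]


def parse_entry(entry):
    """Classify one entry as ('ip', [networks]) or ('host', name); raise ValueError otherwise."""
    m = RANGE_RE.match(entry)
    if m:
        first = ipaddress.ip_address(m.group(1))
        last = ipaddress.ip_address(m.group(2))
        if last < first:
            raise ValueError(f"range end precedes start: {entry}")
        return "ip", list(ipaddress.summarize_address_range(first, last))
    try:
        # Single addresses become /32 (or /128) networks; CIDR blocks pass through.
        return "ip", [ipaddress.ip_network(entry, strict=False)]
    except ValueError:
        pass
    if HOSTNAME_RE.match(entry):
        return "host", entry.lower()
    raise ValueError(f"unrecognised scope entry: {entry}")


def _collect(text, nets, hosts, errors):
    """Parse every entry in text, sorting results into networks, names, or errors."""
    for entry in split_entries(text):
        try:
            kind, value = parse_entry(entry)
        except ValueError as exc:
            errors.append(str(exc))
            continue
        if kind == "ip":
            nets.extend(value)
        else:
            hosts.add(value)


def resolve_scope(included_text, excluded_text):
    """Return the effective scope: addresses after exclusion, names, and caveats."""
    included_nets, excluded_nets, errors = [], [], []
    included_hosts, excluded_hosts = set(), set()
    _collect(included_text, included_nets, included_hosts, errors)
    _collect(excluded_text, excluded_nets, excluded_hosts, errors)
    excluded_ips = {ip for net in excluded_nets for ip in net}
    addresses = {ip for net in included_nets for ip in net} - excluded_ips
    return {
        "addresses": [str(ip) for ip in sorted(addresses, key=lambda ip: (ip.version, int(ip)))],
        "hosts": sorted(included_hosts - excluded_hosts),
        # Name-based exclusions are honoured only if the name resolves at scan time
        # (see the note on host-name exclusion above), so they are listed for review.
        "name_exclusions": sorted(excluded_hosts),
        "errors": errors,
    }


if __name__ == "__main__":
    scope = resolve_scope(INCLUDED, EXCLUDED)
    print(f"{len(scope['addresses'])} addresses in scope, first three: {scope['addresses'][:3]}")
    print("host names in scope:", scope["hosts"])
    print("name-based exclusions (depend on DNS at scan time):", scope["name_exclusions"])
    print("errors:", scope["errors"])
```

Run against the constructed lists, the script reports 18 addresses (the /28 minus the two excluded hosts, plus the four-address range), keeps web.example.test by name, and flags both excluded names for review; a malformed or reversed range is reported as an error rather than silently widening the scope.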

Denial of service
Description: This basic audit of all network assets uses both safe and unsafe (denial-of-service) checks. This scan does not include in-depth patch/hotfix checking, policy compliance checking, or application-layer auditing.
Why use this template: You can run a denial of service scan in a preproduction environment to test the resistance of assets to denial-of-service conditions.
Device/vulnerability scan: Y/Y
Maximum # scan threads: 10
ICMP (Ping hosts): Y
TCP ports used for device discovery: 80
UDP ports used for device discovery: None
Device discovery performance: 5 ms send delay, 4 retries, 10 ms block delay, 1000 ms block time-out
TCP port scan method: Stealth scan (SYN)
TCP optimizer ports: None
TCP ports to scan: Well known numbers + 1-1040
TCP port scan performance: 0 ms send delay, 5 retries, 10 blocks, 10 ms block delay, 1000 ms block time-out
UDP ports to scan: Well-known numbers
Simultaneous port scans: 5
Specific vulnerability checks enabled (which disables all other checks): None
Specific vulnerability checks disabled: Local, patch, policy check types

Discovery scan
Description: This scan locates live assets on the network and identifies their host names and operating systems. NeXpose does not perform enumeration, policy, or vulnerability scanning with this template.
Why use this template: You can run a discovery scan to compile a complete list of all network assets. Afterward, you can target subsets of these assets for intensive vulnerability scans, such as with the Exhaustive scan template.
Device/vulnerability scan: Y/N
Maximum # scan threads: 10
ICMP (Ping hosts): Y
TCP ports used for device discovery: 21, 22, 23, 25, 80, 110, 111, 135, 139, 143, 220, 264, 389, 443, 445, 449, 524, 585, 636, 993, 995, 1433, 1521, 1723, 3389, 8080, 9100
UDP ports used for device discovery: 53, 67, 88, 111, 135, 137, 161, 220, 500, 1701
Device discovery performance: 5 ms send delay, 2 retries, 500 ms block delay, 3000 ms block time-out
TCP port scan method: Stealth scan (SYN)
TCP optimizer ports: None
TCP ports to scan: 21, 22, 23, 25, 80, 110, 111, 135, 139, 143, 220, 264, 389, 443, 445, 449, 524, 585, 636, 993, 995, 1433, 1521, 1723, 3389, 8080, 9100
TCP port scan performance: 0 ms send delay, 3 retries, 25 blocks, 500 ms block delay, 3000 ms block time-out
UDP ports to scan: 161, 500
Simultaneous port scans: 10
Specific vulnerability checks enabled (which disables all other checks): None
Specific vulnerability checks disabled: None

Discovery scan (aggressive)
Description: This fast, cursory scan locates live assets on high-speed networks and identifies their host names and operating systems. NeXpose sends packets at a very high rate, which may trigger IPS/IDS sensors, SYN flood protection, and exhaust states on stateful firewalls. NeXpose does not perform enumeration, policy, or vulnerability scanning with this template.
Why use this template: This template is identical in scope to the discovery scan, except that it uses more threads and is, therefore, much faster. The trade-off is that scans run with this template may not be as thorough as with the Discovery scan template.
Device/vulnerability scan: Y/N
Maximum # scan threads: 25
ICMP (Ping hosts): Y
TCP ports used for device discovery: 21, 22, 23, 25, 80, 110, 111, 135, 139, 143, 220, 264, 389, 443, 445, 449, 524, 585, 636, 993, 995, 1433, 1521, 1723, 3389, 8080, 9100
UDP ports used for device discovery: 53, 67, 88, 111, 135, 137, 161, 220, 500, 1701
Device discovery performance: 0 ms send delay, 2 retries, 500 ms block delay, 3000 ms block time-out
TCP port scan method: Stealth scan (SYN)
TCP optimizer ports: None
TCP ports to scan: 21, 22, 23, 25, 80, 110, 111, 135, 139, 143, 220, 264, 389, 443, 445, 449, 524, 585, 636, 993, 995, 1433, 1521, 1723, 3389, 8080, 9100
TCP port scan performance: 0 ms send delay, 3 retries, 25 blocks, 500 ms block delay, 3000 ms block time-out
UDP ports to scan: 161, 500
Simultaneous port scans: 25
Specific vulnerability checks enabled (which disables all other checks): None
Specific vulnerability checks disabled: None

Exhaustive
Description: This thorough network scan of all systems and services uses only safe checks, including patch/hotfix inspections, policy compliance assessments, and application-layer auditing. This scan could take several hours, or even days, to complete, depending on the number of target assets.
Why use this template: Scans run with this template are thorough, but slow. Use this template to run intensive scans targeting a low number of assets.
Device/vulnerability scan: Y/Y
Maximum # scan threads: 10
ICMP (Ping hosts): Y
TCP ports used for device discovery: 80
UDP ports used for device discovery: None
Device discovery performance: 5 ms send delay, 4 retries, 10 ms block delay, 1000 ms block time-out
TCP port scan method: NeXpose determines optimal method
TCP optimizer ports: 21, 22, 23, 25, 80, 110, 111, 135, 139, 143, 220, 264, 389, 443, 445, 449, 524, 585, 636, 993, 995, 1433, 1521, 1723, 3389, 8080, 9100
TCP ports to scan: All possible (1-65535)
TCP port scan performance: 0 ms send delay, 5 retries, 10 blocks, 10 ms block delay, 1000 ms block time-out
UDP ports to scan: Well-known numbers
Simultaneous port scans: 5
Specific vulnerability checks enabled (which disables all other checks): None
Specific vulnerability checks disabled: None

Full audit
Description: This full network audit of all systems uses only safe checks, including network-based vulnerabilities, patch/hotfix checking, and application-layer auditing. NeXpose scans only default ports and disables policy checking, which makes scans faster than with the Exhaustive scan. Also, NeXpose does not check for potential vulnerabilities with this template.
Why use this template: This is the default NeXpose scan template. Use it to run a fast, thorough vulnerability scan right "out of the box."
Device/vulnerability scan: Y/Y
Maximum # scan threads: 10
ICMP (Ping hosts): Y
TCP ports used for device discovery: 80
UDP ports used for device discovery: None
Device discovery performance: 5 ms send delay, 4 retries, 10 ms block delay, 1000 ms block time-out
TCP port scan method: Stealth scan (SYN)
TCP optimizer ports: None
TCP ports to scan: Well known numbers + 1-1040
TCP port scan performance: 0 ms send delay, 5 retries, 10 blocks, 10 ms block delay, 1000 ms block time-out
UDP ports to scan: Well-known numbers
Simultaneous port scans: 5
Specific vulnerability checks enabled (which disables all other checks): None
Specific vulnerability checks disabled: Policy check type

HIPAA compliance
Description: NeXpose uses safe checks in this audit of compliance with HIPAA section 164.312 ("Technical Safeguards"). The scan will flag any conditions resulting in inadequate access control, inadequate auditing, loss of integrity, inadequate authentication, or inadequate transmission security (encryption).
Why use this template: Use this template to sc/an assets in a HIPAA-regulated environment, as part of a HIPAA compliance program.
Device/vulnerability scan: Y/Y
Maximum # scan threads: 10
ICMP (Ping hosts): Y
TCP ports used for device discovery: 80
UDP ports used for device discovery: None
Device discovery performance: 5 ms send delay, 4 retries, 10 ms block delay, 1000 ms block time-out
TCP port scan method: Stealth scan (SYN)
TCP optimizer ports: None
TCP ports to scan: Well known numbers + 1-1040
TCP port scan performance: 0 ms send delay, 5 retries, 10 blocks, 10 ms block delay, 1000 ms block time-out
UDP ports to scan: Well-known numbers
Simultaneous port scans: 5
Specific vulnerability checks enabled (which disables all other checks): None
Specific vulnerability checks disabled: None

Internet DMZ audit

Description: This penetration test covers all common Internet services, such as Web, FTP, mail (SMTP/POP/IMAP/Lotus Notes), DNS, database, Telnet, SSH, and VPN. NeXpose does not perform in-depth patch/hotfix checking, and policy compliance audits will not be performed.

Why use this template: Use this template to scan assets in your DMZ.

Device/vulnerability scan: Y/Y
Maximum # scan threads: 10
ICMP (Ping hosts): N
TCP ports used for device discovery: None
UDP ports used for device discovery: None
Device discovery performance: 5 ms send delay, 10 blocks, 10 ms block delay, 4 retries, 1000 ms block time-out
TCP port scan method: Stealth scan (SYN)
TCP optimizer ports: None
TCP ports to scan: Well-known numbers
TCP port scan performance: 0 ms send delay, 10 blocks, 10 ms block delay, 5 retries
UDP ports to scan: None
Simultaneous port scans: 5
Specific vulnerability checks enabled (which disables all other checks): DNS, database, FTP, Lotus Notes/Domino, Mail, SSH, TFTP, Telnet, VPN, Web check categories
Specific vulnerability checks disabled: None

Linux RPMs

Description: This scan verifies proper installation of RPM patches on Linux systems. For optimum success, use administrative credentials.

Why use this template: Use this template to scan assets running the Linux operating system.

Device/vulnerability scan: Y/Y
Maximum # scan threads: 10
ICMP (Ping hosts): Y
TCP ports used for device discovery: 22, 23
UDP ports used for device discovery: None
Device discovery performance: 5 ms send delay, 10 blocks, 10 ms block delay, 4 retries, 1000 ms block time-out
TCP port scan method: Stealth scan (SYN)
TCP optimizer ports: None
TCP ports to scan: 22, 23
TCP port scan performance: 0 ms send delay, 10 blocks, 10 ms block delay, 5 retries
UDP ports to scan: None
Simultaneous port scans: 5
Specific vulnerability checks enabled (which disables all other checks): RPM check type
Specific vulnerability checks disabled: None

use administrative credentials. NeXpose scans all TCP ports and well-known UDP ports. Device/vulnerability scan: Y/Y Maximum # scan threads: 10 ICMP (Ping hosts): Y TCP ports used for device discovery: 22. 5 blocks. Why use this template: Use this template to scan assets as part of a PCI compliance program. and application-layer testing.Enterprise Edition Microsoft hotfix Description: This scan verifies proper installation of hotfixes and service packs on Microsoft Windows systems. 139. 443 UDP ports used for device discovery: None Device discovery performance: 5 ms send delay. 2400 UDP ports used for device discovery: None Device discovery performance: 5 ms send delay. 445. 80. 4 retries. Device/vulnerability scan: Y/Y Maximum # scan threads: 10 ICMP (Ping hosts): Y TCP ports used for device discovery: 135. patch/hotfix verification. 1433. NeXpose does not perform policy checks. including network-based vulnerabilities. 2433 TCP port scan performance: 0 ms send delay. For optimum success. 5 retries UDP ports to scan: None Simultaneous port scans: 5 Specific vulnerability checks enabled (which disables all other checks): Microsoft hotfix check type Specific vulnerability checks disabled: None Payment Card Industry (PCI) audit Description: This audit of Payment Card Industry (PCI) compliance uses only safe checks. 5 retries UDP ports to scan: Well-known numbers Simultaneous port scans: 5 Specific vulnerability checks enabled (which disables all other checks): None Specific vulnerability checks disabled: Policy check types NeXpose User’s Guide 19 . 1000 ms block time-out TCP port scan method: Stealth scan (SYN) TCP optimizer ports: None TCP ports to scan: All possible (1-65535) TCP port scan performance: 1 ms send delay. 25. 1433. 4 retries. 15 ms block delay. 1000 ms block time-out TCP port scan method: Stealth scan (SYN) TCP optimizer ports: None TCP ports to scan: 135. 23. 10 blocks. 10 ms block delay. 139. 445. 
Why use this template: Use this template to verify that assets running Windows have hotfix patches installed on them.

Penetration test

Description: This in-depth scan of all systems uses only safe checks. Host-discovery and network penetration features allow NeXpose to dynamically detect assets that might not otherwise be detected. NeXpose does not perform in-depth patch/hotfix checking, policy compliance checking, or application-layer auditing.

Why use this template: With this template, you may discover assets that are out of your initial scan scope. Also, running a scan with this template is helpful as a precursor to conducting formal penetration test procedures.

Device/vulnerability scan: Y/Y
Maximum # scan threads: 10
ICMP (Ping hosts): Y
TCP ports used for device discovery: 21, 22, 23, 25, 80, 110, 111, 135, 139, 443, 445, 449, 8080
UDP ports used for device discovery: None
Device discovery performance: 5 ms send delay, 10 blocks, 10 ms block delay, 4 retries, 1000 ms block time-out
TCP port scan method: NeXpose determines optimal method
TCP optimizer ports: 21, 23, 25, 80
TCP ports to scan: Well known numbers + 1-1040
TCP port scan performance: 0 ms send delay, 10 blocks, 10 ms block delay, 5 retries
UDP ports to scan: Well-known numbers
Simultaneous port scans: 5
Specific vulnerability checks enabled (which disables all other checks): None
Specific vulnerability checks disabled: Local, patch, policy check types

Safe network audit

Description: This non-intrusive scan of all network assets uses only safe checks. NeXpose does not perform in-depth patch/hotfix checking, policy compliance checking, or application-layer auditing.

Why use this template: This template is useful for a quick, general scan of your network.

Device/vulnerability scan: Y/Y
Maximum # scan threads: 10
ICMP (Ping hosts): Y
TCP ports used for device discovery: 80
UDP ports used for device discovery: None
Device discovery performance: 5 ms send delay, 10 blocks, 10 ms block delay, 4 retries, 1000 ms block time-out
TCP port scan method: Stealth scan (SYN)
TCP optimizer ports: None
TCP ports to scan: Well known numbers + 1-1040
TCP port scan performance: 0 ms send delay, 10 blocks, 10 ms block delay, 5 retries
UDP ports to scan: Well-known numbers
Simultaneous port scans: 5
Specific vulnerability checks enabled (which disables all other checks): None
Specific vulnerability checks disabled: Local, patch, policy check types

Sarbanes-Oxley (SOX) compliance

Description: This is a safe-check Sarbanes-Oxley (SOX) audit of all systems. It detects threats to digital data integrity, data access auditing, accountability, and availability, as mandated in Section 302 (“Corporate Responsibility for Fiscal Reports”), Section 404 (“Management Assessment of Internal Controls”), and Section 409 (“Real Time Issuer Disclosures”) respectively.

Why use this template: Use this template to scan assets as part of a SOX compliance program.

Device/vulnerability scan: Y/Y
Maximum # scan threads: 10
ICMP (Ping hosts): Y
TCP ports used for device discovery: 80
UDP ports used for device discovery: None
Device discovery performance: 5 ms send delay, 10 blocks, 10 ms block delay, 4 retries, 1000 ms block time-out
TCP port scan method: Stealth scan (SYN)
TCP optimizer ports: None
TCP ports to scan: Well known numbers + 1-1040
TCP port scan performance: 0 ms send delay, 10 blocks, 10 ms block delay, 5 retries
UDP ports to scan: Well-known numbers
Simultaneous port scans: 5
Specific vulnerability checks enabled (which disables all other checks): None
Specific vulnerability checks disabled: Policy check type

SCADA audit

Description: This is a “polite,” or less aggressive, network audit of sensitive Supervisory Control And Data Acquisition (SCADA) systems, using only safe checks. Packet block delays have been increased, time between sent packets has been increased, protocol handshaking has been disabled, and simultaneous network access to assets has been restricted.

Why use this template: Use this template to scan SCADA systems.

Device/vulnerability scan: Y/Y
Maximum # scan threads: 5
ICMP (Ping hosts): Y
TCP ports used for device discovery: None
UDP ports used for device discovery: None
Device discovery performance: 10 ms send delay, 10 blocks, 10 ms block delay, 3 retries, 2000 ms block time-out
TCP port scan method: Stealth scan (SYN)
TCP optimizer ports: None
TCP ports to scan: Well known numbers + 1-1040
TCP port scan performance: 10 ms send delay, 10 blocks, 10 ms block delay, 4 retries
UDP ports to scan: Well-known numbers
Simultaneous port scans: 5
Specific vulnerability checks enabled (which disables all other checks): None
Specific vulnerability checks disabled: None

Web audit

Description: This audit of all Web servers and Web applications is suitable for public-facing and internal assets, including application servers, ASPs, and CGI scripts. NeXpose does not perform patch checking or policy compliance audits. Nor does it scan FTP servers, mail servers, or database servers, as is the case with the DMZ Audit scan template.

Why use this template: Use this template to scan public-facing Web assets.

Device/vulnerability scan: Y/Y
Maximum # scan threads: 10
ICMP (Ping hosts): N
TCP ports used for device discovery: None
UDP ports used for device discovery: None
Device discovery performance: 5 ms send delay, 10 blocks, 10 ms block delay, 4 retries, 1000 ms block time-out
TCP port scan method: Stealth scan (SYN)
TCP optimizer ports: None
TCP ports to scan: Well-known numbers
TCP port scan performance: 0 ms send delay, 10 blocks, 10 ms block delay, 5 retries
UDP ports to scan: None
Simultaneous port scans: 5
Specific vulnerability checks enabled (which disables all other checks): Web category check
Specific vulnerability checks disabled: None

1. Choose a scan engine from the drop-down list.
2. To schedule a scan to run automatically, click the check box labeled Enable schedule.
3. The console displays options for a start date and time, maximum scan duration in minutes, and frequency of repetition. If the scheduled scan runs and exceeds the maximum specified duration, it will pause for an interval that you specify in the option labeled Repeat every.
4. Select an option for what you want the scan to do after the pause interval. If you select the option to continue where the scan left off, the paused scan will continue at the next scheduled start time. If you select the option to restart the paused scan from the beginning, the paused scan will stop and then start from the beginning at the next scheduled start time.
5. To save the site configuration, click Save.

NOTE: The Save button appears on every page of the panel.

The newly scheduled scan will appear in the Next Scan column of the Site Summary pane of the page for the site that you are creating. All scheduled scans appear on the Calendar page, which you can view by clicking Monthly calendar on the Administration page.

Setting up alerts

You can set up alerts for certain scan events:
• a scan starting
• a scan stopping
• a scan failing to conclude successfully
• a scan discovering a vulnerability that matches specified criteria

You can filter alerts for vulnerabilities based on the level of certainty that those vulnerabilities exist. When NeXpose scans an asset, it performs a sequence of discoveries, verifying the existence of an asset, port, service, and variety of service (for example, an Apache Web server or an IIS Web server). Then, based on the asset's profile, NeXpose attempts to test the asset for vulnerabilities known to be associated with that asset, based on the information gathered in the discovery phase. If NeXpose is able to verify a vulnerability, it reports a “confirmed” vulnerability. If NeXpose is unable to verify a vulnerability known to be associated with that asset, it reports an “unconfirmed” or “potential” vulnerability. The difference between these latter two classifications is the level of probability. Unconfirmed vulnerabilities are more likely to exist than potential ones.

To set up alerts:

1. Go to the Alerting page and click New Alert. The console displays a New Alert dialog box.
2. Click the Enable alert check box to ensure that NeXpose generates this type of alert. You can click the box again at any time to disable the alert if you prefer not to receive that alert temporarily without having to delete it.
3. Type a name for the alert.
4. Type a value in the Send at most field if you wish to limit the number of this type of alert that you receive during the scan.
5. Select the check boxes for types of events that you wish to generate alerts for. For example, if you select Paused and Resumed, NeXpose generates an alert every time it pauses or resumes a scan.
6. Select a severity level for vulnerabilities that you wish to generate alerts for. For information about severity levels, see Viewing active vulnerabilities in the NeXpose User's Guide.
7. Select the Confirmed, Unconfirmed, and/or Potential check boxes to receive only those alerts.
8. Select a notification method from the drop-down box. NeXpose can send alerts via SMTP email, SNMP message, or Syslog message. Your selection will control which additional fields appear below this box.
9. Fill in the fields for the selected method. If you select the e-mail method, enter the addresses of your intended recipients. If your network restricts outbound SMTP traffic, specify a mail relay server for sending the alert e-mails. Click the Limit alert text check box to send the alert without a description of the alert or its solution. Limited-text alerts only include the name and severity. This is a security option for alerts sent over the Internet or as text messages to mobile devices. If you select the option to send SNMP alerts, type the name of the SNMP community and the address of the SNMP server to which NeXpose will send alerts. If you select the option to send a Syslog message, type the address of the Syslog server to which NeXpose will send messages.
10. Click Save. The new alert appears on the Alerting page.

Establishing scan credentials

Establishing logon credentials for your scan engine enables it to perform deep checks, inspecting assets for a wider range of vulnerabilities, such as policy violations, adware, or spyware. Additionally, credentialed scans can check for software applications and packages or hotfixes.

NOTE: NeXpose protects all credentials with RSA encryption and triple DES encryption before storing them in its database.

To establish scan credentials:

1. Go to the Credentials page of the Site Configuration panel, and click New Login. The console displays a New Login box.
2. Select the desired type of credentials from the drop-down list labeled Service. This selection determines the other fields that appear in the form. However, all forms include fields for entering some kind of user name and/or password. Additionally, all forms contain two fields, Restrict to Device and Restrict to Port. Typing in the name or IP address of an asset in the Restrict to Device field enables you to test your credentials on that asset to ensure that the credentials will be accepted in the site. After filling that field, click the Test login button to make sure that the credentials work. Upon completing the test, make sure to remove the asset name or address from the Restrict to Device field, or NeXpose will use the credentials to scan that specified asset only! Specifying a port in the Restrict to Port field allows you to limit your range of scanned ports in certain situations. For example, if you wish to run a scan of Web servers, you would use the HTTP credentials. To avoid scanning all Web services within a site, you can specify only those assets with a specific port.

NOTE: If you save your credentials with the Restrict to Device field filled, NeXpose will use the credentials to scan the specified asset only. And you cannot edit credentials after saving them; you can only delete them. Therefore, delete the information that you typed in the Restrict to Device field after testing the credentials unless you are intending to only use the credentials on the specified asset.

3. Click Save. The new credentials appear on the Credentials page.
4. After you finish configuring your site, click Save.

NOTE: The Save button appears on every page of the panel.

Using HTML forms and HTTP headers to authenticate on Web sites

Scanning Web sites at a granular level of detail is especially important, since publicly accessible Internet hosts are attractive targets for attack. With authentication, NeXpose can scan Web assets for critical vulnerabilities such as SQL injection and cross-site scripting.

Many Web authentication applications challenge would-be users with forms. NeXpose retrieves a form from the Web application and allows you to specify credentials that the application will accept. Then, when NeXpose is about to scan the Web site, it presents these credentials to the application, as a human user would.

Two authentication methods are available:
• Web site form authentication: NeXpose enters credentials into an HTML authentication form.
• Web site session authentication: NeXpose sends the target Web server an authentication request that includes an HTTP header, usually the session cookie header, from the logon page.

The authentication method you use depends on the Web server and authentication application you are using. It may involve some trial and error to determine which method works better. It is advisable to consult the developer of the Web site before using this feature.

In some cases, NeXpose may not be able to use a form to become authenticated by a Web application. For example, a form may use Javascript, which NeXpose does not execute for security reasons. Or, a form may use a CAPTCHA test or a similar challenge that is designed to prevent logons by computer programs. If these circumstances apply to your Web application, you may be able to authenticate NeXpose with the following method.

NOTE: For HTTP servers that challenge users with Basic authentication or Integrated Windows authentication (NTLM), use the method called Web Site HTTP Authentication in the Login type drop down list.

Creating a logon for Web site form authentication

NOTE: Instructions for setting up a logon using HTTP headers appear in the section titled Denial of service on page 15.

To create an HTML form logon:

1. Go to the Credentials page of the configuration panel for the site that you are creating or editing. Click New Login. The console displays a New Login dialog box.
2. From the Login type drop-down list, select Web Site Form Authentication. NeXpose displays two text fields for the site in which the logon form is located. Enter the required information for each field. The Base URL text box is for the main address from which all paths in the target site begin. You must include the protocol with the address. Examples: http://example.com or https://example.com The Login page URL text box is for the actual page in which users log on to the site. NeXpose will attempt to retrieve the form from this page. You must include the base URL when you enter this URL, starting with the base URL. Example: http://example.com/login. In some cases, the base URL and the base of the login URL may be different. The credentials you enter for logging on to the site will apply to any page on the site.

3. Click Next. NeXpose contacts the Web server to retrieve any available forms. If NeXpose fails to make contact or retrieve any forms, it displays a failure notification that lists the reason for the failure. If NeXpose successfully retrieves one or more forms, it displays the Form Selection and Customization box.
4. From the drop-down list, select the form with which NeXpose will log on to the application. Based on your selection, NeXpose displays a table of fields for that particular form.
5. Click the Edit icon for any field value that you wish to edit. NeXpose displays a dialog box for editing the field value. If the value was provided by the Web server, you must select the option button to specify a new value. Only change the value to match what the server will accept from NeXpose when NeXpose logs on to the site. If you are not certain of what value to use, consult your Web administrator. After changing the value, click Save. NeXpose now displays the Form Selection and Customization page with the field value changed.
6. Repeat the editing step for any other values that you want to change.
7. When the table displays the form field data as desired, click Next. NeXpose displays the Regular Expression and Login Test page.
8. If you wish to use a regular expression (regex) that is different from the default value, change the value in the Regular expression text box. The default value works in most logon cases. If you are unsure of what regular expression to use, consult the Web administrator. For more information, see Appendix A: Using regular expressions in the NeXpose Administrator’s Guide.
9. When the regular expression in the text box appears as desired, click the Test login button to make sure that NeXpose can successfully log on to the Web application. If NeXpose displays a success notification, save the HTML form information and proceed with any other site configuration tasks. If NeXpose displays a failure notification, return to the Form Selection and Customization page to change any field data.

NOTE: If the test logon fails repeatedly, contact your Web administrator. If NeXpose continues to fail to log on to the Web application, it may be that NeXpose simply does not support the form or Web authentication application.

Creating a logon for Web site session authentication with HTTP headers

NOTE: When using HTTP headers to authenticate NeXpose, make sure that the session ID header is valid between the time you save this ID for the site and when you start the scan.

To create an HTTP header logon:

1. Go to the Credentials page of the configuration panel for the site that you are creating or editing. Click New Login. The console displays a New Login dialog box.
2. From the Login type drop-down list, select Web Site Session Authentication. NeXpose displays a text field for the base URL, which is the main address from which all paths in the target site begin. You must include the protocol with the address. Examples: http://example.com or https://example.com
3. Click Next. NeXpose displays a box for specifying an HTTP header.
4. Click Add. NeXpose displays a dialog box for entering an HTTP header. Every header consists of two elements, which are referred to jointly as a name/value pair. “Name” corresponds to a specific data type, such as the Web host name, Web server type, session identifier, or supported languages. “Value” corresponds to the actual value string that NeXpose sends to the server for that data type. For example, the value for a session ID (SID) might be a uniform resource identifier (URI). If you are not sure what header to use, consult your Web administrator. For more information about the session ID header, consult your Web administrator.
5. After entering a name/value pair, click Save. NeXpose displays the name/value pair in the dialog box for specifying a header.
6. Click Next. NeXpose displays the Regular Expression and Login Test page.
7. If you wish to use a regular expression (regex) that is different from the default value, change the value in the Regular expression text box. The default value works in most logon cases. If you are unsure of what regular expression to use, consult your Web administrator. For more information, see Appendix A: Using regular expressions in the NeXpose Administrator’s Guide. When the regular expression in the text box appears as desired, click the Test login button to make sure that NeXpose can successfully log on to the Web application. If NeXpose displays a success notification, save the HTML form information and proceed with any other site configuration tasks. If NeXpose displays a failure notification, return to the Form Selection and Customization page to change any field data. If NeXpose continues to fail to log on to the Web application, consult your Web administrator.
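The two Web logon methods described above (form authentication and session authentication with HTTP headers), modelled as an added example that is not NeXpose code: it retrieves the HTML forms from a logon page, keeps server-provided field values unless you override them, flags forms that the guide says cannot be filled blindly (JavaScript-driven or CAPTCHA-protected), builds the alternative header-based request, and performs the logon test as a regular-expression match against the response. All HTML, URLs, header values and the success pattern are constructed samples; the regex is an assumed placeholder, not NeXpose's default value.

```python
"""Added example (not NeXpose code): a minimal model of Web form authentication,
session authentication with saved HTTP headers, and the regex-based logon test.
Every page, URL, header and pattern below is a constructed sample."""
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlencode, urljoin


class FormExtractor(HTMLParser):
    """Collect each <form> with its action, method, onsubmit handler and named inputs."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[Dict] = []
        self._current: Optional[Dict] = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "onsubmit": a.get("onsubmit"),
                             "fields": {}}
        elif tag == "input" and self._current is not None and a.get("name"):
            # A value supplied by the server (e.g. a CSRF token) is kept unless overridden.
            self._current["fields"][a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def extract_forms(html: str) -> List[Dict]:
    """Step 3 of the form procedure: retrieve every available form from the logon page."""
    parser = FormExtractor()
    parser.feed(html)
    return parser.forms


def unsupported_reason(form: Dict) -> Optional[str]:
    """Return why a form cannot be filled without a browser, or None if it looks fillable."""
    if form.get("onsubmit"):
        return "form relies on JavaScript (onsubmit handler)"
    if any("captcha" in name.lower() for name in form["fields"]):
        return "form includes a CAPTCHA field"
    return None


def build_form_login(login_page_url: str, html: str, form_index: int,
                     overrides: Dict[str, str]) -> Dict:
    """Steps 4-5: select one retrieved form, apply edited field values, build the submit request."""
    form = extract_forms(html)[form_index]
    fields = dict(form["fields"])
    fields.update(overrides)
    return {"url": urljoin(login_page_url, form["action"]),
            "method": form["method"],
            "body": urlencode(fields)}


def build_header_login(base_url: str, headers: Dict[str, str]) -> Dict:
    """Session authentication: the saved name/value pairs ride on every request."""
    return {"url": base_url, "method": "get", "headers": dict(headers)}


# Assumed placeholder pattern; NeXpose's own default regex is not reproduced here.
LOGIN_OK_REGEX = r"(?i)\b(logout|sign out|welcome)\b"


def login_succeeded(response_body: str, pattern: str = LOGIN_OK_REGEX) -> bool:
    """The logon test: does the post-logon page match the success pattern?"""
    return re.search(pattern, response_body) is not None


# Constructed sample pages (not captured from any real site).
SAMPLE_LOGIN_PAGE = """<html><body>
<form action="/search" method="get"><input name="q"></form>
<form id="login" action="/session/create" method="post">
  <input type="hidden" name="csrf_token" value="a1b2c3">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form></body></html>"""
SAMPLE_JS_PAGE = ('<form action="/login" method="post" onsubmit="return hashPw()">'
                  '<input name="user"><input name="captcha_answer"></form>')

if __name__ == "__main__":
    print(build_form_login("http://example.com/login", SAMPLE_LOGIN_PAGE, 1,
                           {"username": "scanner", "password": "s3cret"}))
    print(build_header_login("http://example.com", {"Cookie": "JSESSIONID=constructed"}))
    print(unsupported_reason(extract_forms(SAMPLE_JS_PAGE)[0]))
    print(login_succeeded('<a href="/logout">Log out</a>'))
```

The hidden csrf_token value is carried through untouched, which is the behaviour the console's "value was provided by the Web server" option preserves; the JavaScript sample is what sends you to the session-header method instead.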

Using SSH public key authentication

You can use NeXpose to perform credentialed scans on assets that authenticate users with SSH public key authentication. This method, also known as asymmetric key encryption, involves the creation of two related keys, or large, random numbers:
• a public key that any entity can use to encrypt authentication information
• a private key that only trusted entities can use to decrypt the information encrypted by its paired public key

When generating a key pair, keep the following guidelines in mind:
• NeXpose supports SSH protocol version 2 RSA and DSA keys.
• Keys must be OpenSSH-compatible and PEM-encoded.
• RSA keys can range between 768 and 16384 bits.
• DSA keys must be 1024 bits.

NOTE: Some checks require root access.

NOTE: This topic provides general steps for configuring an asset to accept public key authentication. For specific steps, consult the documentation for the particular system that you are using.

1. Generate a key pair that is appropriate for NeXpose. The following example involves a 2048-bit RSA key.
2. Run the ssh-keygen command to create the key pair, specifying a secure directory for storing the new file. This example incorporates the /tmp directory, but you should use any directory that you trust to protect the file.
a. Make sure that the computer with which you are generating the key has a .ssh directory. If not, run the mkdir command to create it:
mkdir /home/[username]/.ssh
b. Run the command:
ssh-keygen -t rsa -b 2048 -f /tmp/id_rsa
This command generates the private key file, id_rsa, and the public key file, id_rsa.pub.

NOTE: The ssh-keygen process will provide the option to enter a passphrase. It is recommended that you use a passphrase to protect the key if you plan to use the key elsewhere in addition to NeXpose.

3. Make the public key available for NeXpose on the target asset.
4. Copy the public key file that you created by running the command in step 2.b, /tmp/id_rsa.pub, to the target asset.
5. On the target asset, append the contents of the /tmp/id_rsa.pub file to the .ssh/authorized_keys file in the home directory of a user with the appropriate access-level permissions that NeXpose requires for complete scan coverage:
cat /[directory]/id_rsa.pub >> /home/[username]/.ssh/authorized_keys

NOTE: .ssh/authorized_keys is the default file for most OpenSSH- and Dropbear-based SSH daemons. Consult the documentation for your Linux distribution to verify the appropriate file.

6. Provide NeXpose with the private key.
7. In the Security Console Web interface, either edit a site or create a site for which you want to provide NeXpose with SSH public key authentication.
8. Go to the Credentials page of the Site Configuration panel.

9. Click New Login. NeXpose displays the New Login dialog box.
10. Select Secure Shell (SSH) Public Key from the Login type drop-down list.

NOTE: This authentication method is different from the method listed in the drop down as Secure Shell (SSH). This latter method incorporates passwords instead of keys.

11. Enter the appropriate user name for NeXpose. It should match the user specified in step 2.
12. If you created a passphrase when generating the keys, enter it in the appropriate text box.
13. The private key that you created by running the command in step 2.b is the /tmp/id_rsa file on the target asset. Copy the contents of that file into the PEM-format private key text box.
14. To test the authentication, note the IP address of a target asset that accepts the key pair that you created. Enter that address in the Restrict to Device field. Then click the Test login button. NeXpose displays a message indicating whether the test was successful.
15. Upon completing a successful test, remove the IP address from the Restrict to Device field, unless you want to use this authentication on that address alone.
16. Click Save to complete the public key authentication setup.

To save the site configuration, click the Save button on any page of the panel.

NOTE: If you save your credentials with the Restrict to Device field filled, NeXpose will use the credentials to scan the specified asset only. And you cannot edit credentials after saving them; you can only delete them. Therefore, delete the information that you typed in the Restrict to Device field after testing the credentials unless you are intending to only use the credentials on the specified asset.

Including organization information in a site

The Organization page in the Site Configuration panel includes optional fields for entering information about your organization, such as its name, Web site URL, primary contact, and business address. NeXpose incorporates this information in PCI reports.

To include organization information in a site, go to the Organization page in the Site Configuration panel. Enter any desired information. Filling all fields is not required. To save the site configuration, click Save.
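Before pasting a key pair into the Secure Shell (SSH) Public Key login form described above, it is worth checking it against the key guidelines. The following is an added example, not NeXpose code: it verifies that the private key is PEM-encoded (recent ssh-keygen releases write the OPENSSH container by default unless you pass -m PEM), reads the key type and size out of the public key line to compare against the stated limits (RSA 768 to 16384 bits, DSA 1024 bits), and appends the public key to authorized_keys only once, with the file modes sshd expects. The sample keys are constructed (a synthetic modulus and placeholder PEM bodies), not real credentials.

```python
"""Added example (not NeXpose code): sanity checks for an SSH key pair before it
is used for public key authentication. Sample keys are constructed placeholders."""
import base64
import struct
import tempfile
from pathlib import Path

PEM_HEADERS = ("-----BEGIN RSA PRIVATE KEY-----", "-----BEGIN DSA PRIVATE KEY-----")
OPENSSH_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"


def private_key_format(key_text: str) -> str:
    """'pem' is what the PEM-format private key text box expects; 'openssh' needs converting."""
    first = key_text.strip().splitlines()[0] if key_text.strip() else ""
    if first in PEM_HEADERS:
        return "pem"
    if first == OPENSSH_HEADER:
        return "openssh"
    return "unknown"


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    # Big-endian with a leading 0x00 when the top bit is set (RFC 4251 mpint).
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _read_string(blob: bytes, off: int):
    (length,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + length], off + 4 + length


def public_key_info(line: str):
    """Return (key type, bit size) parsed from an authorized_keys-style public key line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(parts[1])
    ktype, off = _read_string(blob, 0)
    if ktype != parts[0].encode():
        raise ValueError("key type prefix does not match the encoded blob")
    if ktype == b"ssh-rsa":
        _, off = _read_string(blob, off)      # public exponent e
        n, _ = _read_string(blob, off)        # modulus n gives the key size
    elif ktype == b"ssh-dss":
        n, _ = _read_string(blob, off)        # prime p gives the DSA key size
    else:
        raise ValueError(f"unsupported key type {ktype!r}")
    return ktype.decode(), int.from_bytes(n, "big").bit_length()


def meets_guidelines(ktype: str, bits: int) -> bool:
    """The size limits stated in the guide for RSA and DSA keys."""
    if ktype == "ssh-rsa":
        return 768 <= bits <= 16384
    return ktype == "ssh-dss" and bits == 1024


def make_rsa_public_line(e: int, n: int, comment: str = "nexpose-scanner") -> str:
    """Encode an ssh-rsa public key line; used here only to build the constructed sample."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def append_authorized_key(authorized_keys: Path, key_line: str) -> bool:
    """Append the key once (True if added, False if already there); set 0700/0600 modes."""
    authorized_keys.parent.mkdir(parents=True, exist_ok=True)
    authorized_keys.parent.chmod(0o700)
    existing = authorized_keys.read_text().splitlines() if authorized_keys.exists() else []
    if key_line.strip() in [line.strip() for line in existing]:
        return False
    with authorized_keys.open("a") as fh:
        fh.write(key_line.strip() + "\n")
    authorized_keys.chmod(0o600)
    return True


# Constructed samples: the modulus is an arbitrary 2048-bit number, not a real RSA key.
SAMPLE_PUBLIC_LINE = make_rsa_public_line(65537, (1 << 2047) | 0x10001)
SAMPLE_PEM_PRIVATE = "-----BEGIN RSA PRIVATE KEY-----\n(placeholder body)\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_OPENSSH_PRIVATE = "-----BEGIN OPENSSH PRIVATE KEY-----\n(placeholder body)\n-----END OPENSSH PRIVATE KEY-----\n"


def demo_append_twice():
    """Append the sample key twice to a throwaway authorized_keys; the second call is a no-op."""
    with tempfile.TemporaryDirectory() as home:
        ak = Path(home) / ".ssh" / "authorized_keys"
        first = append_authorized_key(ak, SAMPLE_PUBLIC_LINE)
        second = append_authorized_key(ak, SAMPLE_PUBLIC_LINE)
        return first, second, len(ak.read_text().splitlines())
```

If private_key_format reports "openssh", rewriting the file in place with ssh-keygen -p -m PEM -f /tmp/id_rsa produces the PEM encoding the guide requires without changing the key itself.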

NOTE: If you enter information in the Organization page and you are also using the Site configuration API, make sure to incorporate the Organization element, even though it's optional. Populated organization fields in the site configuration may cause the API to return the Organization element in a response to a site configuration request, and if the Organization element is not parsed, the API client may generate parsing errors. See the topics about SiteSaveRequest and Site DTD in the NeXpose API v1.1 Guide.

Adding users to a site

You must give users access to a site in order for them to be able to view assets or perform asset-related operations, such as scanning or reporting, with assets in that site.

1. Go to the Access page in the Site Configuration panel.
2. Click Add Users.
3. Add users to the site access list:
a. In the Add Users dialog box, select the check box for every user account that you want to add to the access list.
OR
b. Select the check box in the top row to add all users.
c. Click Save.
4. To save the site configuration, click Save on any page of the panel.

Running a manual scan

To start a scan manually, click the New Manual Scan icon for a given site in the Site Listing pane of the Home page. Or, you can click the New Manual Scan button on the Sites page or on the page for a specific site. The console displays the Start New Scan dialog box, which lists all the assets that you specified in the site configuration for NeXpose to scan.

In the Manual Scan Targets area, select either the option to scan all assets within the scope of a site, or to specify certain target assets. Specifying the latter is useful if you want to scan a particular asset as soon as possible, for example, to check for critical vulnerabilities or verify a patch installation. If you select the option to scan specific assets, enter their IP addresses or host names in the text box. Refer to the lists of assets included in, or excluded from, the scan for the desired IP addresses and host names. You can copy and paste the addresses.

Click the Start Now button to begin the scan immediately*.

NOTE: You can start as many manual scans as you require. However, if you have manually started a scan of all assets in a site, or if a full site scan has been automatically started by the scheduler, NeXpose will not permit you to run another full site scan.

You can view the status of any currently running scan in several areas:
• the Home page
• the Sites page
• the page for the site that is being scanned
• the page for the actual scan

NOTE: Remember to use bread crumb links to go back and forth between the Home, Sites, and specific site and scan pages. You also can pause, resume, and stop scans using these pages. See Pausing, resuming, and stopping a scan on page 31.

Pausing, resuming, and stopping a scan
If you are a user with appropriate site permissions, you can pause, resume or stop manual scans and scans that have been started automatically by the NeXpose scheduler. You can pause, resume, or stop scans in several areas:
• the Home page
• the Sites page
• the page for the site that is being scanned
• the page for the actual scan

NOTE: Remember to use bread crumb links to go back and forth between the Home, Sites, site, and scan pages.

To pause a scan, click the Pause icon for the scan on the Home, Sites, or specific site page, or click the Pause Scan button on the specific scan page. A message displays asking you to confirm that you want to pause the scan. Click OK.

To resume a paused scan, click the Resume icon for the scan on the Home, Sites, or specific site page, or click the Resume Scan button on the specific scan page. NeXpose displays a message, asking you to confirm that you want to resume the scan. Click OK.

To stop a scan, click the Stop icon for the scan on the Home, Sites, or specific site page, or click the Stop Scan button on the specific scan page. NeXpose displays a message, asking you to confirm that you want to stop the scan. Click OK. The stop operation may take 30 seconds or more to complete pending any in-progress scan activity.

Each time NeXpose discovers an asset, it appears in the Asset Listing pane of the scan page, whether the scan is in progress or complete. If you are using a local scan engine, NeXpose displays scan results while the scan is in progress. NeXpose displays scan results from distributed engines when the scan is completed. In either case, NeXpose displays the results, but it does not store those results in the asset database until it successfully completes the scan. To view information about a discovered asset, simply click the link for any listed asset's address. The console displays the Device Properties page.

You can view any vulnerabilities discovered by the local scan engine on the scan page. You can view any vulnerabilities discovered by remote scan engines when the scan is complete. Click the link for any listed vulnerability to read details about that vulnerability.

*If you have the process auto-stop feature enabled, and if your NeXpose server is running low on memory, NeXpose will not start a scan. It will display a message indicating that system resources are insufficient. For more information, see Viewing general Security Console information and enabling auto-stop in the NeXpose Administrator’s Guide.

Viewing scan results
To view the results of a scan, click the link for a site's name on the Home page. Remember that NeXpose scans sites, not asset groups, but asset groups can include assets that also are included in sites. Click the site name link to view devices in the site, along with pertinent information about the scan results. The console lists scan results by ascending or descending order for any category, such as Address or Vulnerabilities, depending on your sorting preference. On this page, click the desired category column heading to sort results by that category. In the Asset Listing pane, you also can view information about any asset within the site by clicking the link for its name or address. Click the link for an asset name or address to view scan-related, and other, information about that asset.

Viewing history for all scans
You can quickly browse the scan history for your entire NeXpose deployment by clicking the Scan History link on the Administration page. The interface displays the Scan History page, which lists all scans, plus the total number of scanned assets, discovered vulnerabilities, and other information pertaining to each scan. You can click the date link in the Completed column to view details about any scan.

Viewing the scan log
To view the activity log of a scan that is in progress or complete, click the View scan log button. The console displays the scan log. Click your browser’s Back button to return to the Scan Progress page.

Working with data from scans
The NeXpose Security Console interface provides several tools for viewing and managing vulnerability and asset data gathered during scans. This chapter contains information about performing the following activities:
• drilling down to view asset data by different categories
• creating asset groups to control who sees what asset data
• viewing vulnerabilities and risk-related metrics
• creating vulnerability exceptions, which prevent vulnerabilities from appearing in reports
• creating vulnerability remediation tickets

Viewing assets
While it is easy to view information about scanned assets, it is a best practice to create asset groups to control which NeXpose users can see which asset information in your organization. See Managing and creating asset groups in the NeXpose Administrator’s Guide.

You can view network assets by various categories:
• sites to which they are assigned
• asset groups to which they are assigned
• operating systems that they are running
• services that they are running
• software that they are running

To view assets, click the Assets tab on the console interface. The console displays the Assets page. Click the View link for the category by which you would like to see the assets organized.

On this page, you can view important security-related information about each asset to help you prioritize remediation projects: the number of available exploits, the number of vulnerabilities, and the risk score. For more information, see Appendix B Using Exploit Exposure in the NeXpose Administrator’s Guide.

NOTE: You will see an exploit count of 0 for assets that were scanned prior to the January 29, 2010, NeXpose release, which includes the Exploit Exposure feature. This does not necessarily mean that these assets do not have any available exploits. It means that they were scanned before the feature was available in NeXpose.

Viewing assets by sites
To view assets by sites to which they have been assigned, click the View link next to Sites. The console displays the Sites page. Charts and graphs at the top of the Sites page provide a statistical overview of sites. From this page you can create a new site. See Setting up sites and running scans on page 13. You also can start a new scan. See Setting up sites and running scans on page 13.

If a scan is in progress for any site, a column labeled Scan Status appears in the table. To view information about that scan, click the Scan in progress link. If no scans are in progress, a column labeled Last Scan appears in the table. Click the date link in the Last Scan column for any site to view information about the most recently completed scan for that site.

Click the link for any site in the Site Listing pane to view its assets, including risks and vulnerabilities. The console displays a page for that site, including recent scan information, statistical charts and graphs, and a list of assets. From this page, you can manage site assets and create site-level reports. See Working with reports on page 55.

Click the link for any site in the Site Listing pane to view the assets it includes. The console displays a page for that site, including recent scan information, statistical charts and graphs, and a list of assets. From this page, you can manage and add site assets, start a new scan, create site-level reports, and view scan history. See Working with reports on page 55.

To view information about an asset listed in the Device Listing pane, click on the link for that asset. The console displays a page for that asset. NeXpose displays the resources, files, services, and directories on that asset as discovered by NeXpose. You can also view information about software, policy listings, and databases. From this page, you can run a scan or create a report for the device.

In the Vulnerability Listing pane, you can view any reported vulnerabilities and any vulnerabilities excluded from reports. For each discovered vulnerability with an associated exploit, NeXpose displays an exploit link. Click this link to open a box that displays descriptions about all available exploits, their required skill levels, and their online sources. If a Metasploit exploit is available, NeXpose displays the Metasploit TM icon and a link to a Metasploit module that provides detailed exploit information and resources. The Exploit Database is an archive of exploits and vulnerable software.

There are three levels of exploit skill: Novice, Intermediate, and Expert. These map to Metasploit's seven-level exploit ranking. For more information, see the Metasploit Framework page (http://www.metasploit.com/redmine/projects/framework/wiki/Exploit_Ranking).
• Novice maps to Great through Excellent.
• Intermediate maps to Normal through Good.
• Expert maps to Manual through Average (Manual, Low, and Average).

You also can view any users or groups associated with the asset, and any asset fingerprints. Fingerprinting is a set of methods by which NeXpose identifies as many details about the asset as possible. By inspecting properties such as the specific bit settings in reserved areas of a buffer, the timing of a response, or a unique acknowledgement interchange, NeXpose can identify indicators about the asset’s hardware and operating system. Finally, you can open a ticket for tracking the remediation of the vulnerabilities. See Using tickets on page 53.

An administrative change to your network, such as new credentials, may change the level of access that an asset permits during its next scan. If NeXpose previously discovered certain vulnerabilities because an asset permitted greater access, that vulnerability data will no longer be available due to diminished access. This may result in a lower number of reported vulnerabilities, even if no remediation has occurred. Using baseline comparison reports to list differences between scans may yield incorrect results or provide more information than necessary because of these changes. Make sure that your assets permit the highest level of access required for the scans you are running to prevent these problems.

Viewing assets by groups
To view assets by groups to which they have been assigned, click the View link next to Groups on the Assets page. The console displays the Groups page. Charts and graphs at the top of the Groups page provide a statistical overview of asset groups. From this page you can create a new asset group. See Creating asset groups in the NeXpose Administrator’s Guide. You also can view a list of assets in the Device Listing pane. Click on the link for any asset to view information about that specific asset, including risks and vulnerabilities.

Click the link for any group in the Asset Group Listing pane to view its assets. The console displays a page for that asset group, including statistical charts and graphs and a list of assets. In the Device Listing pane, you can view the scan, asset, risk, and vulnerability information about any asset. You can click a link for the site to which the asset belongs to view information about the site.

Viewing assets by operating system
To view assets by the operating systems running on them, click the View link next to Operating Systems on the Assets page. The console displays the Operating Systems page, which lists all the operating systems running in your network and the number of instances of each operating system. Click the link for an operating system to view the assets that are running it. The console displays a page that lists all the assets running that operating system. You can view scan, risk, and vulnerability information about any asset. You can click a link for the site to which the asset belongs to view information about the site. You also can click the link for any asset address to view information about it.

Viewing assets by services
To view assets by the services they are using, click the View link next to Services on the Assets page. The console displays the Services page, which lists all the services running in your network and the number of instances of each service. Click the link for a service to view the assets that are running it. The console displays a page for that service. A description of the service appears in the top pane of the page. In the Discovered Instances pane, you can view a list of addresses, names, and ports for assets running the service, as well as products that are using them. You also can click the link for any asset address or name to view information about it.

Viewing assets by software
To view assets by the software running on them, click the View link next to Software on the Assets page. The console displays the Software page, which lists any software that NeXpose found running in your network, the number of instances of each program, and the type of program. NeXpose only lists software for which it has credentials to scan. An exception to this would be when NeXpose discovers a vulnerability that permits root/admin access. Click the link for a program to view the assets that are running it. The console displays a page that lists all the assets running that program. You can view scan, risk, and vulnerability information about any asset. You also can click the link for any asset address or name to view information about it.

Using asset groups to your advantage
Asset groups provide different ways for members of your organization to grant access to, view, and report on asset information. You can use the same grouping principles that you use for sites, create subsets of sites, or create groups that include assets from any number of different sites. Asset groups also have a useful security function in that they limit what member users can see, and dictate what nonmember users cannot see. The asset groups that you create will influence the types of roles and permissions you assign to users, and vice-versa.

One use case illustrates how asset groups can “spin off” organically from sites. A bank purchases NeXpose with a fixed-number IP address license. The network topology includes one head office and 15 branches, all with similar “cookie-cutter” IP address schemes. The IP addresses in the first branch are all 10.1.x.x, the addresses in the second branch are 10.2.x.x, and so on. For each branch, whatever integer equals x is a certain type of asset. For example, .5 is always a server.

The security team scans each site and then “chunks” the information in various ways by creating reports for specific asset groups. It creates one set of asset groups based on locations so that branch managers can view vulnerability trends and high-level data. The team creates another set of asset groups based on that last integer in the IP address. The users in charge of remediating server vulnerabilities will only see “.5” assets. If the “x” integer is subject to more granular divisions, the security team can create more finely specialized asset groups. For example, .51 may correspond to file servers, and .52 may correspond to database servers.

Another approach to creating asset groups is categorizing them according to membership. For example, you can have an “Executive” asset group for senior company officers who see high-level business-sensitive reports about all the assets within your enterprise. You can have more technical asset groups for different members of your security team, who are responsible for remediating vulnerabilities on specific types of assets, such as databases, workstations, or Web servers.

Comparing dynamic and static asset groups
One way to think of an asset group is as a snapshot of your environment. This snapshot provides important information about your assets and the security issues affecting them:
• their network location
• the operating systems running on them
• the number of vulnerabilities discovered on them
• whether exploits exist for any of the vulnerabilities
• their risk scores

With NeXpose, you can create two different kinds of “snapshots”. The dynamic asset group is a snapshot that potentially changes with every scan, and the static asset group is an unchanging snapshot. Each type of asset group can be useful depending on your needs.

Using dynamic asset groups
A dynamic asset group contains scanned assets that meet a specific set of search criteria. You define these criteria with asset search filters, such as IP address range or hosted operating systems. The list of assets in a dynamic group is subject to change with every scan. In this regard, a dynamic asset group differs from a static asset group. See Creating and editing static asset groups on page 43. Assets that no longer meet the group's Asset Filter criteria after a scan will be removed from the list. Newly discovered assets that meet the criteria will be added to the list. Note that the list does not change immediately, but after NeXpose completes a scan and integrates the new asset information in the database.

An ever-evolving snapshot of your environment, a dynamic asset group allows you to track changes to your live asset inventory and security posture at a quick glance, and to create reports based on the most current data. For example, you can create a dynamic asset group of assets with a vulnerability that was included in a Patch Tuesday bulletin. Then, after applying the patch for the vulnerability, you can run a scan and view the dynamic asset group to determine if any assets still have this vulnerability. If the patch application was successful, the group theoretically should not include any assets.

You can create dynamic asset groups using the filtered asset search. See Performing filtered asset searches on page 37.


You grant user access to dynamic asset groups through the User Configuration panel. See Managing and creating user accounts in the NeXpose Administrator’s Guide.
NOTE: Once a user has access to a dynamic asset group, he or she will have access to newly discovered assets that meet group criteria regardless of whether or not those assets belong to a site to which the user does not have access. For example, suppose you have created a dynamic asset group of Windows XP workstations. You grant two users, Joe and Beth, access to this dynamic asset group. You scan a site to which Beth has access and Joe does not. The scan discovers 50 new Windows XP workstations. Joe and Beth will both be able to see the 50 new Windows XP workstations in the dynamic asset group list and include them in reports, even though Joe does not have access to the site that contains these same assets. When managing user access to dynamic asset groups, you need to assess how these groups will affect site permissions. To ensure that a dynamic asset group does not include any assets from a given site, use the site filter. See Filter by site name on page 39.
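The dynamic/static distinction and the access note above, as an added Python example that is not part of this guide or of NeXpose itself. It models a scan database whose results become visible only after integration, a dynamic group whose membership is recomputed from the database every time it is read, a static group whose list is captured once, and the site filter as the way to stop a dynamic group from pulling in assets from a site that one of its members cannot otherwise see. The class and function names, the site names and the vulnerability id are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Asset:
    name: str
    site: str
    os: str
    vulns: FrozenSet[str]


class ScanDatabase:
    """Committed scan results. A scan's results are staged first and only become
    visible to group evaluation once integrate() runs, mirroring the guide's note
    that a dynamic group does not change until the scan completes and its data is
    integrated into the database."""

    def __init__(self) -> None:
        self._assets: Dict[str, Asset] = {}
        self._staged: List[Asset] = []

    def stage_scan(self, results: Iterable[Asset]) -> None:
        self._staged.extend(results)

    def integrate(self) -> None:
        for asset in self._staged:          # newest result per asset name wins
            self._assets[asset.name] = asset
        self._staged.clear()

    def assets(self) -> List[Asset]:
        return list(self._assets.values())


Criteria = Callable[[Asset], bool]


class DynamicAssetGroup:
    """Membership is recomputed from the database on every read. The optional
    site filter plays the role of the guide's 'site name is ...' filter."""

    def __init__(self, criteria: Criteria, site_filter: Optional[Set[str]] = None) -> None:
        self.criteria = criteria
        self.site_filter = site_filter

    def members(self, db: ScanDatabase) -> List[str]:
        return sorted(a.name for a in db.assets()
                      if self.criteria(a)
                      and (self.site_filter is None or a.site in self.site_filter))


class StaticAssetGroup:
    """Membership is captured once, at creation, and never changes by itself."""

    def __init__(self, db: ScanDatabase, criteria: Criteria) -> None:
        self._names = sorted(a.name for a in db.assets() if criteria(a))

    def members(self, db: Optional[ScanDatabase] = None) -> List[str]:
        return list(self._names)


def patch_verification_scenario():
    """The guide's Patch Tuesday case: group the assets carrying one vulnerability,
    patch some of them, rescan, and compare dynamic against static membership."""
    vuln = "example-vuln-0001"            # constructed id, not a real advisory
    db = ScanDatabase()
    db.stage_scan([
        Asset("srv01", "Site-A", "Microsoft Windows Server 2008", frozenset({vuln})),
        Asset("srv02", "Site-A", "Microsoft Windows Server 2008", frozenset({vuln})),
        Asset("srv03", "Site-A", "Microsoft Windows Server 2008", frozenset()),
    ])
    db.integrate()
    has_vuln: Criteria = lambda a: vuln in a.vulns
    dynamic = DynamicAssetGroup(has_vuln)
    static = StaticAssetGroup(db, has_vuln)
    # Only srv01 was patched; the verification scan still reports srv02 as affected.
    db.stage_scan([
        Asset("srv01", "Site-A", "Microsoft Windows Server 2008", frozenset()),
        Asset("srv02", "Site-A", "Microsoft Windows Server 2008", frozenset({vuln})),
    ])
    db.integrate()
    return dynamic.members(db), static.members(db)


def site_access_scenario():
    """The guide's Joe/Beth note: a scan of Site-B adds hosts to an XP group that a
    member without Site-B access can read; the site filter keeps them out."""
    db = ScanDatabase()
    db.stage_scan([Asset("ws-a1", "Site-A", "Microsoft Windows XP", frozenset())])
    db.integrate()
    is_xp: Criteria = lambda a: "Windows XP" in a.os
    unrestricted = DynamicAssetGroup(is_xp)
    restricted = DynamicAssetGroup(is_xp, site_filter={"Site-A"})
    db.stage_scan([Asset(f"ws-b{i}", "Site-B", "Microsoft Windows XP", frozenset())
                   for i in range(1, 4)])
    before_integration = unrestricted.members(db)   # scan staged, not yet integrated
    db.integrate()
    return before_integration, unrestricted.members(db), restricted.members(db)
```

Running patch_verification_scenario() shows the dynamic group shrinking to the one still-affected server while the static snapshot keeps both original members, which is exactly the before/after pair a baseline comparison report needs. site_access_scenario() shows the unrestricted group gaining the three Site-B workstations as soon as the scan is integrated, and the site-filtered group staying unchanged.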

Using static asset groups
A static asset group contains assets that meet a set of criteria that you define according to your organization’s needs. Unlike with a dynamic asset group, the list of assets in a static group does not change unless you alter it manually. Static asset groups provide useful time-frozen views of your environment that you can use for reference or comparison. For example, you may find it useful to create a static asset group of Windows servers and create a report to capture all of their vulnerabilities. Then, after applying patches and running a scan for patch verification, you can create a baseline report to compare vulnerabilities on those same assets before and after the scan. You can create static asset groups using either of two options:

• the Group Configuration panel; see Creating and editing static asset groups on page 43
• the filtered asset search; see Performing filtered asset searches on page 37

Performing filtered asset searches
When dealing with networks of large numbers of assets, you may find it necessary or helpful to concentrate on a specific subset. The filtered asset search feature allows you to search for assets based on criteria that can include IP address, site, operating system, software, services, vulnerabilities, and asset name. You can then save the results as a dynamic asset group for tracking and reporting purposes. See Viewing, using, and saving search results on page 42. Using search filters, you can find assets of immediate interest to you. This helps you to focus your remediation efforts and to manage the sheer quantity of assets running on a large network.

To start a filtered asset search:
1. Click the Asset Filter icon, which appears next to the Search box in the Web interface. The Filtered asset search page appears.
OR
2. Click the Administration tab to go to the Administration page, and then click the dynamic link next to Asset Groups.
OR
3. If you are on the Asset Groups page already, click New Dynamic Asset Group.

NOTE: Performing a filtered asset search is the first step in creating a dynamic asset group.


Configuring filters
A search filter allows you to choose the attributes of the assets that you are interested in. You can add multiple filters for more precise searches. For example, you could create filters for a given IP address range, a particular operating system, and a particular site, and then combine these filters to return a list of all the assets that simultaneously meet all the specified criteria. Using fewer filters typically increases the number of search results. You can combine filters so that the search result set contains only the assets that meet all of the criteria in all of the filters (leading to a smaller result set). Or you can combine filters so that the search result set contains any asset that meets all of the criteria in any given filter (leading to a larger result set). See Combining filters on page 41. Eight asset search filters are available:

• IP address range
• Site name
• Operating system name
• Software name
• Service name
• Vulnerability name
• Asset name
• Host type

To select the first filter in the Filtered asset search panel, use the first drop down list. When you select a filter, the configuration options (operators) for that filter dynamically become available. Select the appropriate operator. To add filters, use the + button. To remove filters, use the - button. To remove all the filters, click the Reset button.

Filtering by IP address range
The IP address range filter lets you specify a range of IP addresses, so that the search returns a list of assets that are either in the IP range, or not in the IP range. It works with the following operators:

• is returns all assets with an IP address that falls within the IP address range.
• is not returns all assets whose IP addresses do not fall into the IP address range.

When you select the IP address range filter, you will see two blank fields separated by the word to. You use the left field to enter the start of the IP address range, and use the right to enter the end of the range. The format for the IP addresses is a “dotted quad.” Example: 192.168.2.1 to 192.168.2.254


Filter by site name
The site name filter lets you search for assets based on the name of the site to which the assets belong. This is an important filter to use if you want to control users’ access to newly discovered assets in sites to which users do not have access. See the note in Using dynamic asset groups on page 36. The filter applies a search string to site names, so that the search returns a list of assets that either belong to, or do not belong to, the specified sites. It works with the following operators:

• is returns all assets that belong to the selected sites. You select one or more sites from the adjacent list.
• is not returns all assets that do not belong to the selected sites. You select one or more sites from the adjacent list.

Filter by operating system name
The operating system name filter lets you search for assets based on their hosted operating systems. Depending on the search, you choose from a list of operating systems, or enter a search string. The filter returns a list of assets that meet the specified criteria. It works with the following operators:

• contains returns all assets running on an operating system whose name contains the characters specified in the search string. You type the search string in the adjacent field. You can use an asterisk (*) as a wildcard character.
• does not contain returns all assets running on an operating system whose name does not contain the characters specified in the search string. You type the search string in the adjacent field. You can use an asterisk (*) as a wildcard character.

Filter by software name
The software name filter lets you search for assets based on software installed on them. The filter applies a search string to software names, so that the search returns a list of assets that either runs or does not run the specified software. It works with the following operators:

• contains returns all assets with installed software whose name contains the search string. You can use an asterisk (*) as a wildcard character.
• does not contain returns all assets that do not have installed software whose name contains the search string. You can use an asterisk (*) as a wildcard character.

After you select an operator, you type the search string for the software name in the blank field.

Filter by service name
The service name filter lets you search for assets based on the services running on them. The filter applies a search string to service names, so that the search returns a list of assets that either have or do not have the specified service. It works with the following operators:

• contains returns all assets running a service whose name contains the search string. You can use an asterisk (*) as a wildcard character.
• does not contain returns all assets that do not run a service whose name contains the search string. You can use an asterisk (*) as a wildcard character.

After you select an operator, you type a search string for the service name in the blank field.


Filter by vulnerability name
The vulnerability name filter lets you search for assets based on the vulnerabilities that have been flagged on them during scans. This is a useful filter to use for verifying patch applications, or finding out at a quick glance how many, and which, assets have a particular high-risk vulnerability. The filter applies a search string to vulnerability names, so that the search returns a list of assets that either have or do not have the specified vulnerability. It works with the following operators:
• contains returns all assets with a vulnerability whose name contains the search string. You can use an asterisk (*) as a wildcard character.
• does not contain returns all assets that do not have a vulnerability whose name contains the search string. You can use an asterisk (*) as a wildcard character.

After you select an operator, you type a search string for the vulnerability name in the blank field.

Filter by asset name
The asset name filter lets you search for assets based on the asset name. The filter applies a search string to the asset names, so that the search returns assets that meet the specified criteria. It works with the following operators:
• is returns all assets whose names match the search string exactly.
• is not returns all assets whose names do not match the search string.
• starts with returns all assets whose names begin with the same characters as the search string.
• ends with returns all assets whose names end with the same characters as the search string.
• contains returns all assets whose names contain the search string anywhere in the name. You can use an asterisk (*) as a wildcard character.
• does not contain returns all assets whose names do not contain the search string. You can use an asterisk (*) as a wildcard character.

After you select an operator, you type a search string for the asset name in the blank field.

Filter by host type
The Host type filter lets you search for assets based on the type of host system, where assets can be any one or more of the following types:
• Bare metal is physical hardware.
• Hypervisor is a host of one or more virtual machines.
• Virtual machine is an all-software guest of another computer.
• Unknown is a host of an indeterminate type.

You can use this filter to track, and report on, security issues that are specific to host types. For example, a hypervisor may be considered especially sensitive because if it is compromised then any guest of that hypervisor is also at risk. The filter applies your selection to host types, so that the search returns a list of assets that either match, or do not match, the selected host types. It works with the following operators:
• is returns all assets that match the host type that you select from the adjacent drop down list.
• is not returns all assets that do not match the host type that you select from the adjacent drop down list.

You can combine multiple host types in your criteria to search for assets that meet multiple criteria. For example, you can create a filter for “is Hypervisor” and another for “is virtual machine” to find all-software hypervisors.

Combining filters
If you create multiple filters, you can have NeXpose return a list of assets that match all the criteria specified in the filters, or a list of assets that match any of the criteria specified in the filters. You can make this selection in a drop down list at the bottom of the Search Criteria panel. The difference between All and Any is that the All setting will only return assets that match the search criteria in all of the filters, whereas the Any setting will return assets that match any given filter. For this reason, a search with All selected typically returns fewer results than Any.

For example, suppose you are scanning a site with 10 assets. Five of the assets run Windows, and their names are win01, win02, win03, win04, and win05. Five of the assets run Linux, and their names are linux01, linux02, linux03, linux04, and linux05. Suppose you create two filters. The first filter is an operating system filter, and it returns a list of assets that run Windows. The second filter is an asset filter, and it returns a list of assets that have “linux” in their names.

If you perform a filtered asset search with the two filters using the All setting, the search will return a list of assets that run Windows and have “linux” in their asset names. Since no such assets exist, there will be no search results. However, if you use the same filters with the Any setting, the search will return a list of assets that run Windows or have “linux” in their names. Five of the assets run Windows, and the other five assets have “linux” in their names. Therefore, the result set will contain all of the assets.
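The filter operators described in the preceding sections and the All/Any combination above, as an added Python example that is not from the guide or from NeXpose: a small in-memory implementation of the eight filters run over a constructed inventory that reproduces the win01–win05 and linux01–linux05 scenario. The names, IP addresses, sites, software, services and vulnerability ids are constructed; string matching is treated as case-insensitive, which is an assumption of this example and not something the guide states.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    site: str
    os: str
    host_type: str
    software: Tuple[str, ...] = ()
    services: Tuple[str, ...] = ()
    vulns: Tuple[str, ...] = ()


# Constructed inventory (not scan output): the guide's ten-asset scenario,
# extended with sites, host types and made-up vulnerability ids so that every
# filter kind has something to match against.
ASSETS = [
    Asset("win01", "192.168.2.1", "Head Office", "Microsoft Windows Server 2008",
          "Virtual machine", ("Microsoft IIS",), ("HTTP", "SMB"), ("example-smb-signing-not-required",)),
    Asset("win02", "192.168.2.2", "Head Office", "Microsoft Windows Server 2008",
          "Virtual machine", ("Microsoft IIS",), ("HTTP", "SMB"), ("example-smb-signing-not-required",)),
    Asset("win03", "192.168.2.3", "Head Office", "Microsoft Windows Server 2008",
          "Virtual machine", (), ("SMB",)),
    Asset("win04", "192.168.2.4", "Head Office", "Microsoft Windows Server 2008",
          "Bare metal", (), ("SMB",)),
    Asset("win05", "192.168.2.5", "Head Office", "Microsoft Windows Server 2008",
          "Hypervisor", (), ("SMB",)),
] + [
    Asset(f"linux{i:02d}", f"192.168.2.{10 + i}", "Branch-1", "Ubuntu Linux 10.04",
          "Bare metal", ("OpenSSH",), ("SSH",),
          ("example-openssh-outdated",) if i == 1 else ())
    for i in range(1, 6)
]


def match_string(value: str, op: str, pattern: str) -> bool:
    """String operators from the guide. '*' is honoured as a wildcard inside
    contains / does not contain; the asset-name operators compare literally."""
    v, p = value.lower(), pattern.lower()
    if op == "is":
        return v == p
    if op == "is not":
        return v != p
    if op == "starts with":
        return v.startswith(p)
    if op == "ends with":
        return v.endswith(p)
    if op == "contains":
        return fnmatch.fnmatchcase(v, f"*{p}*")
    if op == "does not contain":
        return not fnmatch.fnmatchcase(v, f"*{p}*")
    raise ValueError(f"unknown operator {op!r}")


def asset_matches(asset: Asset, flt) -> bool:
    """Evaluate one (filter kind, operator, argument) triple against an asset."""
    kind, op, arg = flt
    if kind == "ip range":                       # arg: (first, last) dotted quads
        lo, hi = (ipaddress.ip_address(a) for a in arg)
        inside = lo <= ipaddress.ip_address(asset.ip) <= hi
        return inside if op == "is" else not inside
    if kind == "site":                           # arg: set of selected site names
        member = asset.site in arg
        return member if op == "is" else not member
    if kind == "host type":                      # arg: one type from the drop down
        same = asset.host_type == arg
        return same if op == "is" else not same
    if kind == "os":
        return match_string(asset.os, op, arg)
    if kind == "asset name":
        return match_string(asset.name, op, arg)
    # software / service / vulnerability: 'contains' means at least one entry on
    # the asset matches the string; 'does not contain' means none does.
    entries = {"software": asset.software, "service": asset.services,
               "vulnerability": asset.vulns}[kind]
    any_hit = any(match_string(e, "contains", arg) for e in entries)
    return any_hit if op == "contains" else not any_hit


def search(assets, filters, mode: str = "All"):
    """Combine filters with All (every filter must match) or Any (one suffices)."""
    if mode not in ("All", "Any"):
        raise ValueError(f"mode must be 'All' or 'Any', got {mode!r}")
    combine = all if mode == "All" else any
    return [a.name for a in assets if combine(asset_matches(a, f) for f in filters)]


def guide_example(mode: str):
    """The guide's worked case: OS contains 'Windows' plus asset name contains 'linux'."""
    filters = [("os", "contains", "Windows"), ("asset name", "contains", "linux")]
    return search(ASSETS, filters, mode)
```

guide_example("All") returns an empty list and guide_example("Any") returns all ten names, as the text describes. A patch-verification query in the same style is search(ASSETS, [("site", "is", {"Branch-1"}), ("vulnerability", "contains", "example-*")], "All"), which narrows the result to the one branch host still carrying the flagged vulnerability.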

Viewing, using, and saving search results
To save, use, or view search results:
1. After you have configured your filters, click Search. NeXpose displays a table of assets that meet the filter criteria.
2. To export the results to a comma-separated values (CSV) file that you can view and manipulate in a spreadsheet program, click the Export to CSV link at the bottom of the table.
3. If you have permissions to create asset groups, you can save the results as an asset group.
a. Click Create Asset Group. NeXpose displays controls for creating an asset group.
b. Select either the Dynamic or Static option, depending on what kind of asset group you want to create. See Comparing dynamic and static asset groups on page 36.
NOTE: If this is a dynamic asset group, the asset list is subject to change with every scan. See Using dynamic asset groups on page 36.
c. Enter a unique asset group name and description.
d. Click Add Users. You must give users access to an asset group in order for them to be able to view assets or perform asset-related operations, such as reporting, with assets in that group.
NOTE: You must be a Global Administrator or have Manage Asset Group Access permission to add users to an asset group.
e. In the Add Users dialog box, select the check box for every user account that you want to add to the access list.
OR
(Optional) Select the check box in the top row to add all users.
f. Click OK.
g. In the bottom-right corner of the Asset Group configuration area, click Save. The new group will include the assets listed in the search results table.

NOTE: Only Global Administrators or users with the Manage Group Assets permission can create asset groups, so only these users can save Asset Filter search results.

Changing criteria for inclusion in a dynamic asset group
You can change criteria for membership in a dynamic asset group at any time. All asset groups appear in the Asset Group Listing table on the Assets :: Asset Groups page.
1. Go to the Assets :: Asset Groups page by one of the following routes:
Click the Administration tab to go to the Administration page, and then click the manage link next to Groups.
OR
Click the Assets tab to go to the Assets page, and then click the view link next to Groups.
2. Find a dynamic asset group that you want to modify, and click the Edit icon.

3. Click the link for the name of the desired asset group. NeXpose displays the page for that group. You can either click the Edit Asset Group link or click the View Asset Filter link to review a summary of filter criteria and then click the Edit Asset Group button.

Any of these approaches causes NeXpose to display the Filtered asset search panel with the filters set for the most recent asset search.

4. Change the filters according to your preferences, and run a search.
5. Click Save.

Creating and editing static asset groups

NOTE: Only global administrators can create asset groups.

NOTE: You can only create an asset group after running an initial scan of assets that you wish to include in that group.

To create a new static asset group, click the New Static Asset Group button on the Asset Groups page, or click the Create button next to Asset Groups on the Administration page. To edit a static asset group, click the Edit icon for any group listed with a static asset group icon. The process for editing an existing group is the same as the process for creating a group. See Configuring general attributes for a static asset group on page 43.

Configuring general attributes for a static asset group

1. Go to the Assets :: Asset Groups page by one of the following routes:
   Click the Assets tab to go to the Assets page, and then click the view link next to Groups. OR
   Click the Administration tab to go to the Administration page, and then click the manage link next to Groups.
2. On the Asset Groups page, click the New Static Asset Group button.
3. NeXpose displays the General page of the Asset Group Configuration panel. Type a group name and description in the appropriate fields.
4. To save the new asset group information, click the Save button.

Adding assets to a static asset group

If your NeXpose database contains a large number of scanned assets, you can save time by searching for assets that meet specific criteria for inclusion in your asset group. For example, you can select all of the assets within an IP address range that run on a particular operating system.

1. Go to the Assets page of the Asset Group Configuration panel. The console displays a page with search filters.
2. Use any of these filters to find assets that meet certain criteria, then click Display matching assets to run the search. See Performing filtered asset searches on page 37.
3. You can simply click Display all assets, which is convenient if your NeXpose database contains a small number of assets.

NOTE: There may be a delay if the search returns a very large number of assets.

4. Select the assets you wish to add to the asset group. To include all assets, select the check box in the header row.
5. Click the Save button. The assets appear on the Assets page.

TIP: You can repeat the asset search to include multiple sets of search results in an asset group. You will need to save a set of results before proceeding to the next results. If you do not save a set of selected search results, the next search will clear that set.

NOTE: When you use this asset selection feature to create a new asset group, you will not see any assets displayed. When you use this asset selection feature to edit an existing report, you will see the list of assets that you selected when you created, or most recently edited, the report.

6. To save the new asset group information, click the Save button, which appears on every page of the panel.

Working with vulnerabilities

Every vulnerability that NeXpose discovers in the scanning process appears in the NeXpose vulnerability database. This extensive, full-text, searchable database also stores information on patches, downloadable fixes, and reference content about security weaknesses. NeXpose keeps the database current through a subscription service that maintains and updates vulnerability definitions and links. NeXpose contacts this service for new information every six hours.

The database has been certified to be compatible with the MITRE Corporation's Common Vulnerabilities and Exposures (CVE) index, which standardizes the names of vulnerabilities across diverse security products and vendors. The index rates vulnerabilities according to MITRE's Common Vulnerabilities Scoring System (CVSS) Version 2. A NeXpose algorithm computes the CVSS score based on ease of exploit, remote execution capability, credentialed access requirement, and other criteria. The score, which ranges from 1.0 to 10.0, is used in Payment Card Industry (PCI) compliance testing. For more information about CVSS scoring, go to the FIRST Web site (http://www.first.org/cvss/cvss-guide.html).

Viewing active vulnerabilities

Viewing vulnerabilities and their risk scores helps you to prioritize remediation projects. You also can find out which vulnerabilities have exploits available, enabling you to verify those vulnerabilities.

Click the Vulnerabilities tab that appears on every page of the console interface. The console displays the Vulnerabilities page.

NOTE: The Vulnerabilities page lists all the vulnerabilities for assets that the currently logged-on user is authorized to see, depending on that user's permissions. Since global administrators have access to all assets in your organization, they will see all the vulnerabilities in the database.

You can change the sorting criteria by clicking any of the column headings in the Vulnerability Listing page.

To the left of the Vulnerability column heading is a Microsoft Excel icon. You can export the vulnerability list to a Microsoft Excel file by clicking this icon. You must be running Internet Explorer and have ActiveX controls enabled and Microsoft Excel installed.

The Vulnerability column lists the name of each vulnerability. For each discovered vulnerability with an associated exploit, NeXpose displays an exploit link. Click this link to open a box that displays descriptions about all available exploits, their required skill levels, and their online sources. If a Metasploit exploit is available, NeXpose displays the Metasploit™ icon and a link to a Metasploit module that provides detailed exploit information and resources. The Exploit Database is an archive of exploits and vulnerable software. See Appendix B: Using Exploit Exposure in the NeXpose Administrator's Guide.

There are three levels of exploit skill: Novice, Intermediate, and Expert. These map to Metasploit's seven-level exploit ranking. For more information, see the Metasploit Framework page (http://www.metasploit.com/redmine/projects/framework/wiki/Exploit_Ranking).

• Novice maps to Great through Excellent.
• Intermediate maps to Normal through Good.
• Expert maps to Manual, Low, and Average.

If you click the link for the vulnerability name, you can view which specific assets are affected by the vulnerability. See Viewing vulnerability details on page 45.

The CVSS Score column lists the score for each vulnerability, indicating the potential danger that each vulnerability poses if an attacker exploits it.

NeXpose assigns each vulnerability a severity level, which is listed in the Severity column. The three severity levels, Critical, Severe, and Moderate, reflect how much risk a given vulnerability poses to your network security. NeXpose uses various factors to rate severity, including CVSS scores, vulnerability age and prevalence, and whether exploits are available.

0 to 3 = Moderate
3 to 7 = Severe
7 to 10 = Critical

NOTE: The severity ranking in the Severity column is not related to the severity score in PCI reports. See the PCI, CVSS, and risk scoring FAQs, which you can access in the NeXpose Support page.

The Risk column lists the risk score that NeXpose calculates. NeXpose provides two risk scoring models, which you can configure. The risk model you select controls the scores that appear in the Risk column. See Selecting a model for calculating risk scores in the NeXpose Administrator's Guide. To learn more about risk scores and how they are calculated, see the PCI, CVSS, and risk scoring FAQs, which you can access in the NeXpose Support page.

The Published On column lists the date when information about each vulnerability became available.

The SANS column displays a SANS Top 20 logo for any vulnerability that appears on the list for that service.

DEFINITION: The SysAdmin, Audit, Network, Security (SANS) Institute maintains an Internet security knowledge base from which it publishes and updates a "Top 20" list of critical security risks. SANS defines these risks as "requiring immediate remediation."

The Instances column lists the total number of instances of that vulnerability in your site.

You can click the icon in the Exclude column for any listed vulnerability to exclude that vulnerability from a report.

Viewing vulnerability details

Click the link for any vulnerability listed on the Vulnerabilities page to view information about it. The console displays a page for that vulnerability.

At the top of the page is a description of the vulnerability, its severity level and CVSS rating. Below these items is a table listing each affected asset, port, and the site on which a scan reported the vulnerability. You can click on the link for the device name or address to view all of its vulnerabilities. On the device page, you can create a ticket for remediation. See Using tickets on page 53. You also can click the site link to view information about the site.

The Port column in the Affected Assets table lists the port that NeXpose used to contact the affected service or software during the scan.

The Status column lists a "Vulnerable" status for an asset if NeXpose confirmed the vulnerability. It lists a "Vulnerable Version" status if NeXpose only detected that the asset is running a version of a particular program that is known to have the vulnerability.

The Proof column lists the method that NeXpose used to detect the vulnerability on each asset. NeXpose uses exploitation methods typically associated with hackers, including exploiting vulnerabilities, checking software version numbers and banners, inspecting registry keys, and examining other indicators of susceptibility.

The Exploits pane lists descriptions of available exploits and their online sources. If a Metasploit exploit is available, NeXpose displays the Metasploit™ icon and a link to a Metasploit module that provides detailed exploit information and resources. The Exploit Database is an archive of exploits and vulnerable software.

The References pane, which appears below the Affected Assets pane, lists links to Web sites that provide comprehensive information about the vulnerability.

At the very bottom of the page is the Solution pane, which lists remediation steps and links for downloading patches and fixes.

If you wish to query the database for a specific vulnerability, and you know its name, type all or part of the name in the Search box that appears on every page of the console interface, and click the magnifying glass icon. The console displays a page of search results organized by different categories.

Working with vulnerability exceptions

All discovered vulnerabilities appear in the Vulnerabilities Listing table of the security console Web interface. Your organization can exclude certain vulnerabilities from appearing in reports or affecting risk scores.

Understanding cases for excluding vulnerabilities

There are several possible reasons for excluding vulnerabilities from reports.

Acceptable use: Organizations may have legitimate uses for certain practices that NeXpose would interpret as vulnerabilities. For example, anonymous FTP access may be a deliberate practice and not a vulnerability.

Acceptable risk: In certain situations, it may be preferable not to remediate a vulnerability if the vulnerability poses a low security risk and if remediation would be too expensive or require too much effort. For example, applying a specific patch for a vulnerability may prevent an application from functioning. Re-engineering the application to work on the patched system may require too much time, money, or other resources to be justified, especially if the vulnerability poses minimal risk.

Compensating controls: Network managers may mitigate the security risks of certain vulnerabilities, which, technically, could prevent their organization from being PCI compliant. For example, NeXpose may discover a vulnerable service on an asset behind a firewall because it has credentialed access through the firewall. While this vulnerability could result in the asset or site failing the audit, the merchant could argue that the firewall reduces any real risk under normal circumstances. Additionally, the network may have host- or network-based intrusion prevention systems in place, further reducing risk. It may be acceptable to exclude these vulnerabilities from the report under certain circumstances.

False positives: According to PCI criteria, a merchant should be able to report a false positive, which can then be verified and accepted by a Qualified Security Assessor (QSA) or Approved Scanning Vendor (ASV) in a PCI audit. Below are scenarios in which it would be appropriate to exclude a false positive from an audit report. In all cases, a QSA or ASV would need to approve the exception.

• Backporting may cause false positives. For example, an Apache update installed on an older Red Hat server may produce vulnerabilities that should be excluded as false positives.
• If an exploit reports false positives on one or more assets, it would be appropriate to exclude these results.

NOTE: In order to comply with federal regulations, such as the Sarbanes-Oxley Act (SOX), it is often critically important to document the details of a vulnerability exception, such as the personnel involved in requesting and approving the exception, relevant dates, and information about the exception.

Understanding vulnerability exception permissions

Your ability to work with vulnerability exceptions depends on your permissions. If you do not know what your permissions are, consult your NeXpose administrator. Three permissions are associated with the vulnerability exception workflow:

• Submit Vulnerability Exceptions: A user with this permission can submit requests to exclude vulnerabilities from reports.
• Review Vulnerability Exceptions: A user with this permission can approve or reject requests to exclude vulnerabilities from reports.
• Delete Vulnerability Exceptions: A user with this permission can delete vulnerability exceptions and exception requests. This permission is significant in that it is the only way to overturn a vulnerability request approval. In that sense, a user with this permission can wield a check and balance against users who have permission to review requests.

Understanding vulnerability exception status and work flow

Every vulnerability has an exception status, including vulnerabilities that have never been considered for exception. The range of actions you can take with respect to exceptions depends on the exception status, as well as your permissions, as indicated in the following table.

If the vulnerability has the following exception status... | ...and you have the following permission... | ...you can take the following action:
never been submitted for an exception | Submit Exception Request | submit an exception request
previously approved and later deleted or expired | Submit Exception Request | submit an exception request
under review (submitted, but not approved or rejected) | Review Vulnerability Exceptions | approve or reject the request
under review (and submitted by you) | Submit Exception Request | recall the exception
under review (submitted, but not approved or rejected) | Delete Vulnerability Exceptions | delete the request
approved | Review Vulnerability Exceptions | view and change the details of the approval, but not overturn the approval
approved or rejected | Delete Vulnerability Exceptions | delete the exception, thus overturning the approval
rejected | Submit Exception Request | submit another exception request
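The status and permission table above, and the documentation requirement noted under vulnerability exception permissions, as an added example (not code from the guide or from NeXpose). The status, permission and action names are the table's; the class, the method names, the audit-log layout, and the choice to return a recalled request to the never-submitted state are assumptions of this example.

```python
"""Vulnerability exception work flow modelled on the guide's status and
permission table.  Added example, not NeXpose code."""

from datetime import datetime, timezone

# The three permissions described under "Understanding vulnerability
# exception permissions".
SUBMIT = "Submit Vulnerability Exceptions"
REVIEW = "Review Vulnerability Exceptions"
DELETE = "Delete Vulnerability Exceptions"

# Exception statuses from the table.
NEVER_SUBMITTED = "never been submitted for an exception"
DELETED_OR_EXPIRED = "previously approved and later deleted or expired"
UNDER_REVIEW = "under review"
APPROVED = "approved"
REJECTED = "rejected"


def allowed_actions(status, permissions, submitted_by_you=False):
    """Actions the table permits for this status with these permissions."""
    perms = set(permissions)
    actions = set()
    if status in (NEVER_SUBMITTED, DELETED_OR_EXPIRED) and SUBMIT in perms:
        actions.add("submit")
    if status == UNDER_REVIEW:
        if REVIEW in perms:
            actions.add("approve or reject")
        if submitted_by_you and SUBMIT in perms:
            actions.add("recall")          # only the submitter can recall
        if DELETE in perms:
            actions.add("delete")          # deletes the pending request
    if status == APPROVED and REVIEW in perms:
        actions.add("change details")      # but not overturn the approval
    if status in (APPROVED, REJECTED) and DELETE in perms:
        actions.add("delete")              # the only way to overturn an approval
    if status == REJECTED and SUBMIT in perms:
        actions.add("submit")              # re-submit after a rejection
    return actions


class VulnerabilityException:
    """One exception record plus the audit trail the guide's SOX note asks
    for: who requested, reviewed or deleted it, when, and why."""

    def __init__(self, vuln_id):
        self.vuln_id = vuln_id
        self.status = NEVER_SUBMITTED
        self.submitter = None
        self.history = []  # (utc timestamp, user, action, comment)

    def _log(self, user, action, comment=""):
        self.history.append((datetime.now(timezone.utc), user, action, comment))

    def _require(self, action, user, perms):
        if action not in allowed_actions(self.status, perms, user == self.submitter):
            raise PermissionError(f"{user} cannot {action} exception for "
                                  f"{self.vuln_id} while it is '{self.status}'")

    def submit(self, user, perms, reason, comment=""):
        self._require("submit", user, perms)
        if reason == "Other" and not comment:  # the dialog requires comments for Other
            raise ValueError("reason 'Other' requires additional comments")
        self.status, self.submitter = UNDER_REVIEW, user
        self._log(user, "submit", f"{reason}: {comment}")

    def approve(self, user, perms, comment="", expires=None):
        self._require("approve or reject", user, perms)
        self.status = APPROVED
        self._log(user, "approve", comment + (f" (expires {expires})" if expires else ""))

    def reject(self, user, perms, comment=""):
        self._require("approve or reject", user, perms)
        self.status = REJECTED
        self._log(user, "reject", comment)

    def recall(self, user, perms):
        self._require("recall", user, perms)
        self.status = NEVER_SUBMITTED       # assumption: a recalled request is as if never submitted
        self._log(user, "recall")

    def delete(self, user, perms):
        self._require("delete", user, perms)
        previous, self.status = self.status, DELETED_OR_EXPIRED
        self._log(user, "delete", f"was {previous}")
```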

Understanding different options for exception scope

A vulnerability may be discovered once on a certain asset, or several times on a certain asset. For example, a vulnerability may be discovered on each of several ports on a server. Or the vulnerability may be discovered on hundreds of assets. You can control the scope of the exception by using one of three options when submitting a request:

• You can create a global exception that affects all discovered instances of a vulnerability on all affected assets. Only a Global Administrator can submit requests for global exceptions.
• You can create an exception for a single asset.
• You can create an exception for a single instance of a vulnerability.

Before you submit a request for a vulnerability exception, make sure to review how many instances of the vulnerability have been discovered and how many assets are affected. For example, you may have many instances of a vulnerability related to an open SSH port. However, if in all instances a compensating control is in place, such as a firewall, you may want to exclude that vulnerability globally.

It's also important to understand the circumstances surrounding each affected asset. For example, one of the assets affected by a particular vulnerability may be located in a DMZ, making it less sensitive. Or perhaps it only runs for very limited periods of time for a specific purpose. Or a vulnerability may be discovered on each of several ports on a server. However, one of those ports is behind a firewall. You may want to exclude the vulnerability instance that affects that protected port.

Submitting or re-submitting a request for a global vulnerability exception

A global vulnerability exception means that NeXpose will not report the vulnerability against any asset in your network.

NOTE: Only a Global Administrator can submit and approve a vulnerability exception.

1. Locate the vulnerability for which you want to request an exception.
   a. Click the Vulnerabilities tab of the security console Web interface.
   b. On the Vulnerabilities page, locate the vulnerability in the Vulnerability Listing table.
2. Create and submit the exception request.
   a. Look at the Exceptions column for the located vulnerability. This column displays one of several possible actions. If an exception request has not previously been submitted for that vulnerability, or if it was submitted and then rejected, the column displays an Exclude link.

   NOTE: If a vulnerability has an action link other than Exclude, see Understanding vulnerability exception status and work flow on page 48.

   b. Click the link. A Vulnerability Exception dialog box appears. If an exception request was previously submitted and then rejected, you can view the reasons for the rejection and the user name of the reviewer in a note at the top of the box.
   c. Select a reason for the exception from the drop-down list. For information about exception reasons, see Understanding cases for excluding vulnerabilities on page 46.
   d. Enter additional comments. These are especially helpful for the reviewer of your exception request to understand your reasons or the background context for the request.

   NOTE: If you select Other as a reason from the drop-down list, additional comments are required.

   e. Click Submit & Approve to have the exception take effect. OR Click Submit to place the exception under review and have another individual in your organization review it.

The link in the Exceptions column changes to Under Review.

3. Verify the exception (if you submitted and approved it).
   a. Click the Administration tab.
   b. On the Administration page, click the Manage link for Vulnerability Exceptions.
   c. Locate the exception in the Vulnerability Exception Listing table.

After you approve an exception, the vulnerability no longer appears in the list on the Vulnerabilities page.

Submitting or re-submitting an exception request for all instances of a vulnerability on a specific asset

1. Locate the vulnerability for which you want to request an exception.
   a. Click the Vulnerabilities tab of the security console Web interface.
   b. On the Vulnerabilities page, locate the vulnerability in the Vulnerability Listing table, and click the link for it.
   c. In the Affects table of the vulnerability details page, click the link for the asset that includes the instances of the vulnerability that you want to have excluded.
2. Create and submit the exception request.
   a. On the details page of the affected asset, locate the vulnerability in the Vulnerability Listing table. Look at the Exceptions column for the located vulnerability. This column displays one of several possible actions. If an exception request has never been submitted for that vulnerability, or if it was submitted and then denied, the column displays an Exclude link.

   NOTE: If a vulnerability has an action link other than Exclude, see Understanding vulnerability exception status and work flow on page 48.

   b. Click the link. A Vulnerability Exception dialog box appears. If an exception request was previously submitted and then rejected, you can view the reasons for the rejection and the user name of the reviewer in a note at the top of the box.
   c. Select a reason for the exception from the drop-down list. For information about exception reasons, see Understanding cases for excluding vulnerabilities on page 46.
   d. Enter additional comments. These are especially helpful for the reviewer of your exception request to understand your reasons or the background context for the request.

   NOTE: If you select Other as a reason from the drop-down list, additional comments are required.

   e. Click Submit. The link in the Exceptions column changes to Under Review.

Submitting or re-submitting an exception request for a single instance of a vulnerability

When you create an exception for a single instance of a vulnerability, NeXpose will not report the vulnerability against the asset if the device, port, and additional data match.

1. Locate the instance of the vulnerability for which you want to request an exception.
   a. Click the Vulnerabilities tab of the security console Web interface.
   b. On the Vulnerabilities page, locate the vulnerability in the Vulnerability Listing table, and click the link for it.
   c. On the details page for the vulnerability, locate the affected asset in the Affects table.

2. Create and submit the exception request.
   a. Look at the Exceptions column for the located asset. This column displays one of several possible actions. If an exception request has never been submitted for that vulnerability, or if it was submitted and then denied, the column displays an Exclude link.

   NOTE: If a vulnerability has an action link other than Exclude, see Understanding vulnerability exception status and work flow on page 48.

   b. Click the link. A Vulnerability Exception dialog box appears. If an exception request was previously submitted and then rejected, you can view the reasons for the rejection and the user name of the reviewer in a note at the top of the box.
   c. Select a reason for requesting the exception from the drop-down list. For information about exception reasons, see Understanding cases for excluding vulnerabilities on page 46.
   d. Enter additional comments. These are especially helpful for the reviewer of your exception request to understand your reasons or the background context for the request.

   NOTE: If you select Other as a reason from the drop-down list, additional comments are required.

   e. Click Submit. The link in the Exceptions column changes to Under Review.

Reviewing an exception request

Upon reviewing a vulnerability exception request, you can either approve or reject it. The result of the review appears in the Review Status column.

1. Locate the exception request.
   a. Click the Administration tab of the security console Web interface.
   b. On the Administration page, click the Manage link next to Vulnerability Exceptions.
   c. Locate the request in the Vulnerability Exception Listing table.
2. Review the request.
   a. Click the Under review link in the Review Status column.
   b. In the Review Status dialog box, read the comments by the user who submitted the request and decide whether to approve or reject the request.
   c. Enter comments in the Reviewer's Comments text box. Doing so may be helpful for the submitter.
   d. If you want to select an expiration date for the review decision, click the calendar icon and select a date. For example, you may want the exception to be in effect only until a PCI audit is complete.
3. Click Approve or Reject, depending on your decision.

NOTE: You also can click the top row check box to select all requests and then approve or reject them in one step.

Recalling an exception request that you submitted

You can recall, or cancel, a vulnerability exception request that you submitted if its status remains under review.

1. Locate the exception request. The location depends on the scope of the exception. For example, if the exception is for all instances of the vulnerability on a single asset, locate that asset in the Affects table on the details page for the vulnerability.
2. Recall the request.
   a. If the link in the Exceptions column is Under review, you can recall it. Click the Under Review link, and verify that it is still under review.
   b. In the Vulnerability Exception dialog box, click Recall.

Deleting a vulnerability exception or exception request

Deleting an exception is the only way to override an approved request.

1. Locate the exception or exception request.
   a. Click the Administration tab of the security console Web interface.
   b. On the Administration page, click the Manage link next to Vulnerability Exceptions.
   c. Locate the request in the Vulnerability Exception Listing table.
2. Delete the exception or exception request.
   a. Select the check box for the located entry.
   b. Click the Delete icon.

The entry no longer appears in the Vulnerability Exception Listing table. The affected vulnerability appears in the appropriate vulnerability listing with an Exclude icon, which means that a user with appropriate permission can submit an exception request for it.

Viewing vulnerability exceptions in the Report Card report

When you generate a report based on the NeXpose default Report Card template, each vulnerability exception appears on the vulnerability list with the reason for its exception. Report templates include a section dedicated to exceptions. See Vulnerability Exceptions on page 69.

How vulnerability exceptions appear in XML and CSV formats

Vulnerability exceptions can be important for the prioritization of remediation projects and for compliance audits. In XML and CSV reports, exception information is also available.

XML: The vulnerability test status attribute will be set to one of the following values for vulnerabilities suppressed due to an exception:

exception-vulnerable-exploited - Exception suppressed exploited vulnerability
exception-vulnerable-version - Exception suppressed version-checked vulnerability
exception-vulnerable-potential - Exception suppressed potential vulnerability

The exception details are not currently available in the XML Export format.

CSV: The vulnerability result-code column will be set to one of the following values for vulnerabilities suppressed due to an exception. Each code corresponds to results of a vulnerability check:

• ds (skipped, disabled): A check was not performed because it was disabled in the scan template.
• ee (excluded, exploited): A check for an exploitable vulnerability was excluded.
• ep (excluded, potential): A check for a potential vulnerability was excluded.
• er (error during check): An error occurred during the vulnerability check.
• ev (excluded, version check): A check was excluded. It is for a vulnerability that can be identified because the version of the scanned service or application is associated with known vulnerabilities.
• nt (no tests): There were no checks to perform.
• nv (not vulnerable): The check was negative.
• ov (overridden, version check): A check for a vulnerability that would ordinarily be positive because the version of the target service or application is associated with known vulnerabilities was negative due to information from other checks.
• sd (skipped because of DoS settings): If unsafe checks were not enabled in the scan template, NeXpose skipped the check because of the risk of causing denial of service (DoS). See Configuring vulnerability check settings in the NeXpose Administrator's Guide.
• sv (skipped because of inapplicable version): NeXpose did not perform a check because the version of the scanned item is not included in the list of checks.
• uk (unknown): An internal issue prevented NeXpose from reporting a scan result.
• ve (vulnerable, exploited): The check was positive. An exploit verified the vulnerability.
• vp (vulnerable, potential): The check for a potential vulnerability was positive.
• vv (vulnerable, version check): The check was positive. The version of the scanned service or software is associated with known vulnerabilities.

The exception details are not currently available in the CSV export.

API: The NeXpose API does not currently support vulnerability exception management.

Using tickets

You can use the NeXpose ticketing system to manage the remediation work flow and delegate remediation tasks. Each ticket is associated with an asset and contains information about one or more vulnerabilities discovered during the scanning process.

Viewing tickets

Click the Tickets tab to view all active tickets. The console displays the Tickets page. From the Tickets page, you also can click the link for an asset's address to view information about that asset, and open a new ticket. Click a link for a ticket name to view or update the ticket. See the following section for details about editing tickets.

Creating and updating tickets

The process of creating a new ticket for an asset starts on the console page that lists details about that asset. You can get to that page by selecting a view option on the Assets page and following the sequence of console pages that ends with the asset. See Viewing assets on page 33.

Opening a ticket

When you want to create a ticket for a vulnerability, click the Open a ticket button, which appears at the bottom of the Vulnerability Listings pane on the detail page for each asset. See Viewing assets by sites on page 33. The console displays the General page of the Ticket Configuration panel.

1. On the Ticket Configuration–General page, type a name for the new ticket. These names are not unique. They appear in ticket notifications, reports, and the list of tickets on the Tickets page.
2. Assign a priority to the ticket, ranging from Critical to Low, depending on factors such as the vulnerability level, or other issues. The priority of a ticket is often associated with external ticketing systems.
3. Assign the ticket to a user who will be responsible for overseeing the remediation work flow. To do so, select a user name from the drop-down list labeled Assigned To. Only accounts that have access to the affected asset appear in the list.

NOTE: If you need to assign the ticket to a user who does not appear on the drop-down list, you must first add that user to the associated asset group.

The status of the ticket appears in the Ticket State field. You cannot modify this field in the panel. The state changes as the ticket issue is addressed.

You can close the ticket to stop any further remediation action on the related issue. To do so, click the Close Ticket button on this page. The console displays a box with a drop-down list of reasons for closing the ticket. Options include Problem fixed, Problem not reproducible, and Problem not considered an issue (policy reasons). Add any other relevant information in the dialog box and click the Save button.

Adding vulnerabilities

Go to the Ticket Configuration—Vulnerabilities page. Click the Select Vulnerabilities... button. The console displays a box that lists all reported vulnerabilities for the asset. Select the check boxes for all the vulnerabilities you wish to include in the ticket, and click the Save button. The selected vulnerabilities appear on the Vulnerabilities page. You can click the link for any vulnerability to view details about it, including remediation guidance.

Updating ticket history

You can update coworkers on the status of a remediation project, or note impediments, questions, or other issues, by annotating the ticket history. As NeXpose users and administrators add comments related to the work flow, you can track the remediation progress.

Go to the Ticket Configuration—History page. Click the Add Comments... button. The console displays a box, where you can type a comment. Click Save. The console displays all comments on the History page.

Working with reports
Reports allow you to distribute critical security data to stakeholders in your organization who do not have access to the NeXpose Security Console interface. Different export formats also make it possible to integrate NeXpose with external systems and databases. You can tailor reports to include all historical scan data or just data from the most recent scan. Also, you can customize NeXpose to generate reports automatically on a schedule or after each scan, or you may run reports manually.

NOTE: The NeXpose authorization scheme is based on asset names and sites as defined by NeXpose administrators, not IP addresses. This makes it possible for multiple administrators with RFC1918 addressing to maintain assets with identical IP addresses, if the assets are listed in multiple sites.

Viewing reports in the Web interface
To view existing reports, click the Reports tab that appears on every page of the console interface. The console displays the Reports page. You can see all the reports of which you have ownership. A global administrator can see all reports.

The Reports page lists reports by name and most recent report generation date. You can click the link for that date to view the most recent instance of the report. Every time NeXpose writes a new instance of a report, it changes the date in the Most Recent Report column. To view all past instances of a report, click its History icon.

You may schedule automatic reports for generation and distribution after scans or on a fixed calendar timetable, or you can manually generate a report by clicking the Generate icon for that report*. You also can configure a report by clicking the Edit icon, or copy a template by clicking the Copy icon. Doing the latter enables you to create a modified version of an existing template that incorporates some but not all of the original template's attributes. Whether you click the Edit or Copy icon, the console displays the General page of the Report Configuration panel.

*If you have the process auto-stop feature enabled, and if your NeXpose server is running low on memory, NeXpose will not start generating a report. It will display a message indicating that system resources are insufficient. For more information, see Viewing general Security Console information and enabling auto-stop in the NeXpose Administrator’s Guide.

Creating a new report
Report configuration entails selecting a report template, assets to report on, and distribution options. After you go through all the following configuration steps and click Save, NeXpose will immediately start generating a report, unless you have the process auto-stop feature enabled and low system memory.

Specifying general report attributes
To create a new report, click the New Report button on the Reports page. The console displays the General page of the Report Configuration panel. Type a name for the new report. Report names are unique in NeXpose. Select a format for the report. See Viewing reports in the Web interface on page 55 and Selecting assets to be included in the report.

Several formats make report data easy for security team members to distribute, open, and read immediately:
• PDF can be opened and viewed in Adobe Reader.
• HTML can be opened and viewed in a Web browser.
• RTF can be opened and viewed in Microsoft Word.
• Text can be opened and viewed in any text editing program.

NOTE: If you wish to generate PDF reports with Asian-language characters, make sure that UTF-8 fonts are properly installed on your host computer. PDF reports with UTF-8 fonts tend to be slightly larger in file size.

NOTE: If you are using the PCI Attestation of Compliance or PCI Executive Summary template or a custom template made with sections from either of these templates, you can only use the RTF format. These two templates require ASVs to fill in certain sections manually.

Other formats are ideal for integration with third-party systems:
• CSV (comma separated value) can be opened in Microsoft Excel, and the data can easily be manipulated with macros.
NOTE: A vulnerability check status code, added with the 4.8 release of NeXpose, indicates that the results of a remote vulnerability check have been overridden by a local operating system patch check. The characters for the code are “ov.”
• Database Export can be output to Oracle, SQL/Server, and external databases. See Exporting scan data to external databases on page 60.
• XML arranges data in clearly organized, human-readable XML and is ideal for exporting to other document formats.
• XML Export, also known as “raw XML,” contains all possible data from a scan with minimal structure. Its contents must be parsed so that other systems can use its information.
• NeXpose™ Simple XML is also a “raw XML” format. It is ideal for integration of scan data with the Metasploit vulnerability exploit framework. It contains a subset of the data available in the XML Export format:
  • hosts scanned
  • vulnerabilities found on those hosts
  • services scanned
  • vulnerabilities found in those services
• SCAP Compatible XML is also a “raw XML” format that includes Common Platform Enumeration (CPE) names for fingerprinted platforms. This format supports compliance with Security Content Automation Protocol (SCAP) criteria for an Unauthenticated Scanner product.
• Qualys* XML Export is intended for integration with the Qualys reporting framework.

*Qualys is a trademark of Qualys, Inc.
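The SCAP Compatible XML format above carries CPE names for fingerprinted platforms. Consumers of that export need to decode those names before they can inventory vendors and products. The following is an added example, not code from NeXpose or its documentation: a parser for CPE 2.2 URI names (cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}, with percent-encoded characters). The sample names at the bottom are constructed for illustration and do not come from any real export.

```python
"""Parse CPE 2.2 URI names of the kind carried in SCAP-style XML exports.

Added example, not part of the NeXpose product or its documentation. The
sample names in SAMPLE_CPES are constructed for illustration.
"""
from dataclasses import dataclass
from urllib.parse import unquote

# CPE 2.2 URI component order after the "cpe:/" prefix.
_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")
_PART_NAMES = {"a": "application", "o": "operating system", "h": "hardware"}


@dataclass(frozen=True)
class Cpe:
    part: str
    vendor: str
    product: str
    version: str = ""
    update: str = ""
    edition: str = ""
    language: str = ""

    @property
    def part_name(self) -> str:
        return _PART_NAMES[self.part]


def parse_cpe(name: str) -> Cpe:
    """Parse a CPE 2.2 URI. Malformed names raise ValueError so that a
    consumer does not silently accept garbage from an export it did not produce."""
    if not name.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {name!r}")
    raw = name[len("cpe:/"):].split(":")
    if len(raw) < 3 or len(raw) > len(_FIELDS):
        raise ValueError(f"expected 3 to 7 components, got {len(raw)}: {name!r}")
    if raw[0] not in _PART_NAMES:
        raise ValueError(f"unknown part {raw[0]!r} in {name!r}")
    # Percent-encoded characters (e.g. %2b for '+') are decoded per component;
    # missing trailing components are left empty.
    values = [unquote(c) for c in raw] + [""] * (len(_FIELDS) - len(raw))
    return Cpe(**dict(zip(_FIELDS, values)))


def products_by_vendor(names):
    """Group parsed CPE names by vendor, as an inventory summary would."""
    grouped = {}
    for n in names:
        cpe = parse_cpe(n)
        grouped.setdefault(cpe.vendor, set()).add(cpe.product)
    return grouped


# Constructed sample names in the shape a CPE-bearing export would carry.
SAMPLE_CPES = [
    "cpe:/o:microsoft:windows_server_2008:-:sp2",
    "cpe:/a:apache:http_server:2.2.14",
    "cpe:/a:openbsd:openssh:5.3p1",
    "cpe:/o:redhat:enterprise_linux:5",
]

if __name__ == "__main__":
    for n in SAMPLE_CPES:
        c = parse_cpe(n)
        print(f"{c.part_name:16} {c.vendor}/{c.product} {c.version} {c.update}")
```

The parser rejects CPE 2.3 formatted strings (which begin with cpe:2.3:) rather than guessing at them; a consumer that handles both formats should dispatch on the prefix.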

If you wish to use a standard NeXpose template, select one from the drop down list. Click the Browse Templates button to view information about each template. You can use any of these default templates by clicking the link for the template name. The selected template appears in the drop down list. You also can click the Preview icon for any template to view a sample.
• Audit Report provides detailed information about network systems, services, vulnerabilities and resources.
• Baseline Comparison evaluates scan results against a set of results that you define as a baseline from a previous scan.
• Executive Overview provides a high-level summary of scan results.
• Highest Risk Vulnerabilities lists the top 10 discovered vulnerabilities and classifies them by risk level.
• PCI Attestation of Compliance is one of three PCI-mandated report templates to be used by ASVs for PCI scans as of September 1, 2010. It contains all the information fields that ASVs must populate in order to demonstrate that a scanned merchant has met PCI criteria. It is only available in RTF format because ASVs have to manually fill in certain sections.
• PCI Executive Summary is one of three PCI-mandated report templates to be used by ASVs for PCI scans as of September 1, 2010. It provides high-level scan information, a list of discovered vulnerabilities, potential exceptions, remediation solutions, and a space for ASVs to enter special notes. It also displays the Pass or Fail score for the scan. It is only available in RTF format because ASVs have to manually fill in certain sections.
• PCI Vulnerability Details is one of three PCI-mandated report templates to be used by ASVs for PCI scans as of September 1, 2010. It summarizes and provides granular information about each vulnerability.
• PCI Audit Report (legacy) is one of two reports no longer used by ASVs in PCI scans as of September 1, 2010. It provides detailed scan results, ranking each discovered vulnerability according to its Common Vulnerability Scoring System (CVSS) ranking.
• PCI Executive Report (legacy) is one of two reports no longer used by ASVs in PCI scans as of September 1, 2010. It indicates whether each scanned asset received a Pass or Fail score.
• PCI Host Details provides granular, sorted scan information about each asset, or host, covered in a PCI scan.
• Policy Evaluation assesses the compliance of scanned assets with a security policy. This report requires a credentialed scan with a template for which a policy file has been defined.
• Remediation Plan limits the report to steps for removing the vulnerability.
• Report Card lists every test that NeXpose has run against an asset and characterizes test results by “pass” and “fail” grades.
• SANS Top 20 highlights vulnerabilities that appear on a list compiled by the SANS Institute, which provides information and security training (www.sans.org).

NOTE: If you are a global administrator, you can copy a template by clicking the Copy icon. Doing so launches the Report Template Configuration panel, which enables you to create a modified version of the template. When you are done, the console displays the Report Configuration—General page again.

Select a time zone for reports from the drop down list. This setting defaults to the local NSC time zone, but allows for the time localization of generated reports.

Selecting assets to be included in the report
1. Go to the Content page of the Report Configuration panel.
2. Select assets to be included in the report. You can select entire sites or asset groups by clicking the appropriate button, which causes NeXpose to display a list of sites or asset groups. In each case, select the items you wish to include in the report, or select the check box in the header row to include all items. The selected sites or asset groups appear on the Content page.
3. If you want to be more granular about which assets to include in the report, you can select individual assets by clicking the Select assets... button.
4. If you click the Select assets... button, the console displays a page with search filters. If your database contains a large number of assets, it is helpful to use these filters to find assets that meet certain criteria. For example, you can select all of the assets within an IP address range that run on a particular operating system. After setting up the search, click Display matching assets to run the search. OR Simply click Display all assets, which is convenient if your database contains a small number of assets.
NOTE: There may be a delay if the search returns a very large number of assets.
5. Select the assets you wish to add to the report. To select all assets, select the check box in the header row. Then click Save. The assets appear on the Content page.
TIP: You can repeat the asset search to include multiple sets of search results in a report. You will need to save a set of results before proceeding to the next results. If you do not save a set of selected search results, the next search will clear that set.
TIP: These choices are not mutually exclusive. You can combine selections of sites, asset groups, and individual assets.
6. If you wish to use only the most recent scan data in your report, click the check box for that option on the Content page. Otherwise, NeXpose will include all historical scan data in the report.
7. Select a report owner. If you are a global administrator, you will see a list of users to whom you can assign ownership of the report. If you are not a global administrator, you will not see a list of users. You will automatically become the report owner. After a report is generated, only a global administrator and the designated report owner can see that report on the Reports page.
8. You also can have a copy of the report stored in the report owner's directory. See Storing reports in report owner directories on page 59.
9. Click the Save button.

Selecting a scan as a baseline
Designating an earlier scan as a baseline for comparison against future scans allows you to track changes in your network. Possible changes between scans include newly discovered assets, services and vulnerabilities, assets and services that are no longer available, and vulnerabilities that were mitigated or remediated. You must select the Baseline Comparison report template in order to be able to define a baseline. See Specifying report attributes.

Go to the Report Configuration—Baseline page. Click the radio button for the first scan ever performed for the site, the most recent scan (previous), or a specific scan date, depending on your preference for a baseline. If you prefer a specific date, click the calendar icon to select a date.

Storing reports in report owner directories
When NeXpose generates a report, it stores it in the reports directory on the console host:
[installation_directory]/nsc/htroot/reports/
You can configure NeXpose to also store a copy of the report in a user directory for the report owner. It is a subdirectory of the reports folder, and it is given the report owner's user name. This will become especially useful if you store copies of many reports.

Go to the Report Configuration—Output page. In the text box, specify the directory path to be created off the /reports/[user_name] directory. You can use string literals, variables, or a combination of these to create a directory path. Available variables include:
• $(date): the date that the report is created, format is yyyy-MM-dd
• $(time): the time that the report is created, format is HH-mm-ss
• $(user): the report owner's user name
• $(report_name): the name of the report, which was created on the General page of the Report Configuration panel

After you create the path and run the report, NeXpose creates the report owner's user directory and the subdirectory path that you specified on the Output page. Within this subdirectory will be another directory with a hexadecimal identifier containing the report copy. For example, if you specify the path windows_scans/$(date), you can access the newly created report at:
reports/[report_owner]/windows_scans/$(date)/[hex_number]/[report_file_name]
Consider designing a path naming convention that will be useful for classifying and organizing reports.

Another option for sharing reports is to distribute them via e-mail. Click the Distribution link in the left navigation column to go to the Distribution page. See Configuring NeXpose to distribute reports on page 60.
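To see how a path template with the variables listed above expands, here is an added example (not NeXpose code, and not a description of how the console itself validates the field). It substitutes $(date), $(time), $(user) and $(report_name) with the documented formats and, as this example's own addition, refuses templates that would place the copy outside the report owner's directory (a leading slash or a ".." segment). The timestamp and user name it uses are constructed.

```python
"""Expand a report-directory template of the kind entered on the Output page.

Added example, not part of NeXpose. The variable names and formats are the
documented ones ($(date) yyyy-MM-dd, $(time) HH-mm-ss, $(user), $(report_name));
the containment check is this example's own addition, not a statement about
what the product does with the field.
"""
import re
from datetime import datetime
from pathlib import PurePosixPath

_VAR = re.compile(r"\$\((\w+)\)")

# Constructed timestamp used by the demo and the checks below.
SAMPLE_WHEN = datetime(2011, 7, 11, 9, 5, 30)


def expand_template(template: str, user: str, report_name: str, when: datetime) -> str:
    """Substitute $(...) variables. Unknown variables raise instead of being
    passed through, so a typo such as $(dat) is caught before any directory is made."""
    values = {
        "date": when.strftime("%Y-%m-%d"),  # yyyy-MM-dd
        "time": when.strftime("%H-%M-%S"),  # HH-mm-ss
        "user": user,
        "report_name": report_name,
    }

    def repl(m):
        key = m.group(1)
        if key not in values:
            raise ValueError(f"unknown variable $({key}) in {template!r}")
        return values[key]

    return _VAR.sub(repl, template)


def owner_report_dir(reports_root: str, user: str, template: str,
                     report_name: str, when: datetime) -> PurePosixPath:
    """Return reports_root/<user>/<expanded template>, rejecting any template
    that would escape the owner's directory via an absolute path or '..'."""
    expanded = expand_template(template, user, report_name, when)
    rel = PurePosixPath(expanded)
    if rel.is_absolute() or ".." in rel.parts:
        raise ValueError(f"template escapes the owner directory: {template!r}")
    return PurePosixPath(reports_root) / user / rel


if __name__ == "__main__":
    # The documented example: windows_scans/$(date) under the owner's directory.
    print(owner_report_dir("reports", "alice", "windows_scans/$(date)", "Monthly", SAMPLE_WHEN))
    print(owner_report_dir("reports", "alice", "$(report_name)/$(date)/$(time)", "Monthly", SAMPLE_WHEN))
```

Note that the hexadecimal identifier directory NeXpose appends below this path is generated at report time and is not something a template controls, so the function stops at the subdirectory the template describes.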

Exporting scan data to external databases
If you selected Database Export as your report format, the Report Configuration—Output page contains fields specifically for transferring scan data to a database. Before you type information in these fields, you must set up a JDBC-compliant database. In Oracle, MySQL, or Microsoft SQL Server, create a new database with administrative rights.

In the Report Configuration—Output page, select the database type from the drop down list. Enter a name for the database. Type the IP address and port of the database server; if you want to set a server port other than the default, enter it in the appropriate text box. Enter the administrative user ID and password for logging on to that database. After NeXpose completes a scan, check the database to make sure that the scan data has populated the tables.

Scheduling reports
You can produce a report manually, on demand, or you can configure NeXpose to generate reports automatically on a schedule. Doing the latter is a good idea if you have an asset group containing assets that are assigned to many different sites, each with a different scan template. Since these assets will be scanned frequently, it makes sense to generate reports automatically.
1. Go to the Report Configuration—Schedule page.
2. If you wish to produce a report manually, on the spot, click the radio button labeled This time only. If you want NeXpose to generate a report every time it successfully completes a scan of any one asset, click the radio button labeled After each scan. If you wish to schedule reports for regular time intervals, click the radio button labeled On the following schedule.
3. Click the calendar icon to select a start date.
4. Type a start time in the hour and minute fields to the right of the calendar icon.
5. To set a time interval for repeating the report, type a value in the field labeled Repeat every and select a time unit. If you wish to run a report only once, type “0” in the field labeled Repeat every.

Configuring NeXpose to distribute reports
You can configure NeXpose to distribute reports via e-mail as a URL link or an attachment. Using a link is recommended when recipients have network access, and you are concerned with securing the report data and minimizing the size of the e-mail. When recipients click the URL link, their browsers will display a logon challenge. Attachments work better when one or more recipients do not have access to your network or global administrator privileges in NeXpose, and you are not concerned about report security.

NOTE: Recipients of the report as an HTML link must be either global administrators or users who have access to the assets included in the report.
1. Go to the Report Configuration—Distribution page.
2. Click the check box labeled Send E-mail.
3. Click a radio button for attaching the report as a URL, an uncompressed file (File), or a zipped file.
NOTE: Selecting the uncompressed file option is not recommended for reports that consist of multiple files, such as HTML pages with graphs. If such a report is attached without being zipped, NeXpose will send only the HTML page and not the graph files.

4. If you wish to e-mail reports to NeXpose users with access to the assets included in the report, click the appropriate check box. This is a convenient way to distribute reports automatically to users who are responsible for remediation of vulnerabilities. Type all other recipient e-mail addresses.
5. Type the e-mail address of the sender. NeXpose regards the mail sender address as the “originator” of e-mailed reports.
6. If you are using an SMTP relay server, type its address in the appropriate field. If you leave the SMTP relay server field blank, NeXpose searches for a suitable mail server for sending reports. You may require an SMTP relay server for one of several reasons. For example, a firewall may prevent NeXpose from accessing your network's mail server.

If you have completed all other configuration steps in the panel, click the Next tab on the Report Configuration—Distribution page to view a summary page. There, you can review the attributes for your new report and then change or save those attributes, or cancel the new report.

Creating a custom report template
The steps for creating a custom template, as detailed in this section, are the same as those for modifying a standard template.

NOTE: The PCI Attestation of Compliance and PCI Executive Summary templates are only available in RTF format, because they require ASVs to fill in certain sections manually. Also, the PCI Attestation of Compliance template is a section unto itself, and is not divided into smaller sections. ASVs can combine the sections for PCI templates into one custom template for use in PCI scans.
1. On the Report Configuration—General page, click the New Template button. Or, on the Administration page, click the Create link for Report Templates. The console displays the Report Template Configuration panel.
2. On the Report Template Configuration—General page, type a name and description for your custom report. The report name is unique in NeXpose.
3. From the drop down list, select a level of technical detail for information to be included in the report.
4. Go to the Report Sections page and click the Select Sections button. The console displays a box listing sections that you can include in the report. Some of these correspond to types of information, such as Baseline Comparison, Executive Summary, and Risk Assessment. Other options correspond to features of the report itself, such as Cover Page and Table of Contents.
5. Click the check boxes for sections that you wish to include in the report. Click the Save button. The console displays the Report Template Configuration—Report Sections page listing the selected sections.
NOTE: You must select at least one report section.
6. You can change the order of how the sections appear in the report by clicking the Move Up and Move Down arrows for sections you wish to move.

Three of the available sections have properties that you can edit. If you have selected any of these sections, it appears on the list with an Edit icon.
• Baseline Comparison: You can select the scan date that you wish to use as a baseline.
• Cover page: You can choose the elements that appear on the cover page, such as title and scan date.
• Executive Summary: You can type a preamble to begin the report.

7. Go to the Report Template Configuration—Settings page. If you want the report to include asset names, as well as IP addresses, click the check box.
8. Click the Save button. Your new custom report template appears in the Browse Template box, which you can view by clicking the Browse Templates button on the General page of the Report Configuration panel. See Selecting assets to be included in the report.

Customizing a report template with your own logo
By default, a report cover page includes a generic title, the name of the report, the date of the scan that provided the data for the report, and the date that the report was generated. It also may include the Rapid7 logo or no logo at all, depending on the report template. You can easily customize a cover page to include your own title and logo.
1. When you are creating or editing a custom report template in the Report Template Configuration panel, go to the Report Sections page.
2. On the Report Sections page, click the Edit icon for Cover page. NeXpose displays a dialog box for selecting cover page elements. If the cover page section is not listed, click Select sections. In the Select Sections dialog box, select the Cover page check box and click Save.
3. Select the check box for each element that you want to include on the cover page.
4. If you want to customize the report title, enter a title in the appropriate text box.
5. If you want to display your own logo on the cover page, copy the logo file to the designated directory of your NeXpose installation. In Windows, the directory is [installation_directory]\shared\reportImages. In Linux, the directory is [installation_directory]/shared/reportimages. Then, in the text box labeled Logo image name, enter the name of the logo file, preceded by the word “image:”. Do not insert a space between the word “image:” and the file name. Example: image:file_name.jpg.
NOTE: NeXpose supports GIF and JPEG logo formats.
6. Click Save.

Selecting report template sections
Customizing a report template involves selecting the sections to be included in the template. You may find that a given preset template contains all the sections that you require in a particular report, making it unnecessary to create a custom template. The following matrix lists all report sections available in NeXpose, including those that appear in preset report templates and those that you can include in your own customized template. The PCI Attestation of Compliance column is blank, because it is a section unto itself. See Cover Page on page 65. Descriptions of all report sections follow the matrix.

Report section matrix
The matrix has one column per report template and one row per report section; its column and row headings are listed here, but the cell markings did not survive extraction.
Columns (templates): Audit Report, Baseline Comparison, Executive Overview, Highest Risk Vulnerabilities, PCI Attestation, PCI Audit (Legacy), PCI Executive Overview (Legacy), PCI Executive Summary, PCI Host Details, PCI Vulnerability Details, Policy Evaluation, Remediation Plan, Report Card, SANS Top 20, Custom Templates.
Rows (report sections):
• Asset and Vulnerabilities Compliance Overview
• Baseline Comparison
• Cover Page
• Discovered Databases
• Discovered Files and Directories
• Discovered Services
• Discovered System Information
• Discovered Users and Groups
• Discovered Vulnerabilities
• Executive Summary
• Highest Risk Vulnerability Details
• Index of Vulnerabilities
• Payment Card Industry (PCI) Component Compliance Summary
• Payment Card Industry (PCI) Executive Summary
• Payment Card Industry (PCI) Host Details
• Payment Card Industry (PCI) Scan Information
• Payment Card Industry (PCI) Scanned Hosts/Networks
• Payment Card Industry (PCI) Special Notes
• Payment Card Industry (PCI) Vulnerability Details
• Payment Card Industry (PCI) Vulnerability Synopsis
• Payment Card Industry (PCI) Vulnerabilities Noted (sub-sectioned into High, Medium, and Small)
• Policy Evaluation
• Remediation Plan
• Risk Assessment
• SANS Top 20 Device Listing
• SANS Top 20 Device Synopsis
• SANS Top 20 Executive Summary
• SANS Top 20 Vulnerability Details
• SANS Top 20 Vulnerability Synopsis
• Spidered Web Site Structure
• Table of Contents
• Vulnerability Exceptions
• Vulnerability Report Card by Node
• Vulnerability Report Card Across Networks
• Vulnerability Test Errors

Baseline Comparison
NOTE: In generated reports, this section appears with the heading Trend Analysis.
This section appears when you select the Baseline Report template. It provides a comparison of data between the most recent scan and the baseline, enumerating the following changes:
• discovered assets that did not appear in the baseline scan
• assets that were discovered in the baseline scan but not in the most recent scan
• discovered services that did not appear in the baseline scan
• services that were discovered in the baseline scan but not in the most recent scan
• discovered vulnerabilities that did not appear in the baseline scan
• vulnerabilities that were discovered in the baseline scan but not in the most recent scan
Additionally, this section provides suggestions as to why changes in data may have occurred between the two scans. For example, newly discovered vulnerabilities may be attributable to the installation of vulnerable software that occurred after the baseline scan.

Cover Page
The Cover Page includes the name of the site, the date of the scan, and the date that the report was generated. Other display options include a customized title and company logo.

Discovered Databases
This section lists all databases discovered through a scan of database servers on the network. For information to appear in this section, the scan on which the report is based must meet the following conditions:
• database server scanning must be enabled in the scan template
• NeXpose must have correct database server logon credentials
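The six change categories that the Baseline Comparison section enumerates are set differences between two scans. The following added example (not NeXpose code) computes them over two constructed scan results and attaches the kind of hint the section describes: a new vulnerability on a host that also gained a new service is flagged as possibly newly installed software, and a vulnerability that vanished together with its host is flagged as unverified rather than remediated. The hint rules and all sample data are this example's own constructions.

```python
"""Baseline-versus-recent scan comparison (the report's Trend Analysis deltas).

Added example, not part of NeXpose. Scan results are modelled as sets of
assets, (ip, service) pairs and (ip, vulnerability id) pairs; the hint rules
in explain() are this example's own heuristics. All sample data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

Service = Tuple[str, str]  # (ip, "port/proto")
Vuln = Tuple[str, str]     # (ip, vulnerability id); same id on two hosts counts twice


@dataclass(frozen=True)
class ScanResult:
    assets: FrozenSet[str]
    services: FrozenSet[Service]
    vulns: FrozenSet[Vuln]


def compare(baseline: ScanResult, recent: ScanResult) -> Dict[str, frozenset]:
    """Return the six delta sets, in the order the report section lists them."""
    return {
        "new_assets": recent.assets - baseline.assets,
        "missing_assets": baseline.assets - recent.assets,
        "new_services": recent.services - baseline.services,
        "missing_services": baseline.services - recent.services,
        "new_vulns": recent.vulns - baseline.vulns,
        "remediated_vulns": baseline.vulns - recent.vulns,
    }


def explain(delta: Dict[str, frozenset]) -> Dict[Vuln, str]:
    """Suggest why each vulnerability delta may have occurred (heuristic)."""
    notes: Dict[Vuln, str] = {}
    hosts_with_new_services = {ip for ip, _ in delta["new_services"]}
    for v in delta["new_vulns"]:
        ip = v[0]
        if ip in delta["new_assets"]:
            notes[v] = "on an asset not present in the baseline scan"
        elif ip in hosts_with_new_services:
            notes[v] = "possibly software installed after the baseline scan"
        else:
            notes[v] = "new finding on a previously scanned service"
    for v in delta["remediated_vulns"]:
        if v[0] in delta["missing_assets"]:
            notes[v] = "host absent from the recent scan; not confirmed remediated"
        else:
            notes[v] = "not found on rescan; likely mitigated or remediated"
    return notes


def build_sample() -> Tuple[ScanResult, ScanResult]:
    """Constructed baseline and recent scans for the demo and the checks."""
    baseline = ScanResult(
        assets=frozenset({"10.0.0.1", "10.0.0.2"}),
        services=frozenset({("10.0.0.1", "80/tcp"), ("10.0.0.2", "22/tcp")}),
        vulns=frozenset({("10.0.0.1", "sample-http-old-version"),
                         ("10.0.0.2", "sample-ssh-weak-mac")}),
    )
    recent = ScanResult(
        assets=frozenset({"10.0.0.1", "10.0.0.3"}),
        services=frozenset({("10.0.0.1", "80/tcp"), ("10.0.0.1", "3306/tcp"),
                            ("10.0.0.3", "22/tcp")}),
        vulns=frozenset({("10.0.0.1", "sample-mysql-default-account"),
                         ("10.0.0.3", "sample-ssh-weak-mac")}),
    )
    return baseline, recent


if __name__ == "__main__":
    base, rec = build_sample()
    delta = compare(base, rec)
    for key, items in delta.items():
        print(f"{key}: {sorted(items)}")
    for vuln, note in sorted(explain(delta).items()):
        print(f"{vuln}: {note}")
```

The "host absent" note matters for remediation tracking: a vulnerability that disappears only because the host did not respond during the recent scan should not be counted as fixed.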

Discovered Files and Directories
This section lists files and directories discovered on scanned assets. For information to appear in this section, the scan on which the report is based must meet the following conditions:
• file searching must be enabled in the scan template
• NeXpose must have correct logon credentials
See Establishing scan credentials on page 24 for information on configuring these settings.

Discovered Services
This section lists all services running on the network, the IP addresses of the assets running each service, and the number of vulnerabilities discovered on each asset.

Discovered System Information
This section lists the IP addresses, alias names, operating systems, and risk scores for scanned assets.

Discovered Users and Groups
This section provides information about all users and groups discovered on each node during the scan.

Discovered Vulnerabilities
NOTE: In generated reports, this section appears with the heading Discovered and Potential Vulnerabilities.
This section lists all vulnerabilities discovered during the scan and identifies the affected assets and ports. Each vulnerability is classified by severity. This section does not distinguish between potential and confirmed vulnerabilities. See Understanding how vulnerabilities are characterized according to certainty in the NeXpose Reporting Guide. If you selected a Medium technical detail level for your report template, NeXpose provides a basic description of each vulnerability and a list of related reference documentation. If you selected a High level of technical detail, NeXpose adds a narrative of how it found the vulnerability to the description, as well as remediation options. Use this section to help you understand and fix vulnerabilities.

Executive Summary
This section provides statistics and a high-level summation of the scan data, including numbers and types of network vulnerabilities.

Highest Risk Vulnerability Details
This section lists highest risk vulnerabilities and includes their categories, risk scores, and their Common Vulnerability Scoring System (CVSS) Version 2 scores. It also lists the Common Vulnerabilities and Exposures (CVE) identifier for each vulnerability that has an available CVE identifier. The section also provides references for obtaining more information about each vulnerability.

Index of Vulnerabilities
NOTE: In generated reports, this section appears with the heading Vulnerability Details.
It includes the following information about each discovered vulnerability:
• severity level
• Common Vulnerability Scoring System (CVSS) Version 2 rating
• category
• URLs for reference
• description
• solution steps

Payment Card Industry (PCI) Component Compliance Summary
This section lists each scanned IP address with a Pass or Fail result.

Payment Card Industry (PCI) Executive Summary
This section includes a statement as to whether a set of assets collectively passes or fails to comply with PCI security standards. It also lists each scanned asset and indicates whether that asset passes or fails to comply with the standards.

Payment Card Industry (PCI) Host Details
This section lists information about each scanned asset, including its hosted operating system, names, PCI compliance status, and granular vulnerability information tailored for PCI scans.

Payment Card Industry (PCI) Scan Information
This section includes name fields for the scan customer and approved scan vendor (ASV). The customer's name must be entered manually. If the ASV has configured the oem.xml file to auto-populate the name field, it will contain the ASV's name. Otherwise, the ASV's name must be entered manually as well. For more information, see the ASV Guide, which you can request from Technical Support. This section also includes the date the scan was completed and the scan expiration date, which is the last day that the scan results are valid from a PCI perspective.

Payment Card Industry (PCI) Scanned Hosts/Networks
This section lists the range of scanned assets.

Payment Card Industry (PCI) Special Notes
In this PCI report section, ASVs manually enter the notes about any scanned software that may pose a risk due to insecure implementation, rather than an exploitable vulnerability. The notes should include the following information:
• the IP address of the affected asset
• the note statement, written according to PCIco (see the PCI ASV Program Guide v1.2)
• the type of special note, which is one of four types specified by PCIco (see the PCI ASV Program Guide v1.2)
• the scan customer’s declaration of secure implementation or description of action taken to either remove the software or secure it
NOTE: Any instance of remote access software or directory browsing is automatically noted.

Payment Card Industry (PCI) Vulnerabilities Noted
This section includes a table listing each discovered vulnerability with a set of attributes including PCI severity, CVSS score, and whether the vulnerability passes or fails the scan. If an ASV runs a PCI Executive Summary report and has marked a vulnerability for exception, the exception is indicated here. The column labeled Exceptions, False Positives, or Compensating Controls in the PCI Executive Summary report is auto-populated with the user name of the individual who excluded a given vulnerability.

Payment Card Industry (PCI) Vulnerability Details
This section contains in-depth information about each vulnerability included in a PCI Audit report. It quantifies the vulnerability according to its severity level and its Common Vulnerability Scoring System (CVSS) Version 2 rating. This latter number is used to determine whether the vulnerable assets in question comply with PCI security standards. Possible scores range from 1.0 to 10.0, according to the CVSS v2 metrics. A score of 4.0 or higher indicates failure to comply, with some exceptions. For more information about CVSS scoring, see How NeXpose implements CVSS in the NeXpose Administrator's Guide, or go to the FIRST Web site (http://www.first.org/cvss/cvss-guide.html).

Payment Card Industry (PCI) Vulnerability Synopsis
This section lists vulnerabilities by categories, such as types of client applications and server-side software.

Policy Evaluation
This section lists the results of any policy evaluations, such as whether Microsoft security templates are in effect on scanned systems. Section contents include system settings, registry settings, registry ACLs, file ACLs, group membership, and account privileges.

Remediation Plan
This section consolidates information about all vulnerabilities and provides a plan for remediation. The NeXpose database of vulnerabilities feeds the Remediation Plan section with information about patches and fixes, including Web links for downloading them. Use this section to research fixes, patches, work-arounds, and other remediation measures. For each remediation, the database provides a time estimate.

Risk Assessment
This section ranks each node (asset) by its risk index score, which indicates the risk that asset poses to network security. An asset's confirmed and unconfirmed vulnerabilities affect its risk score.

SANS Top 20 Device Listing
NOTE: In generated reports, this section appears with the heading Device Details.
This section includes detailed network information about each scanned asset and lists its vulnerabilities that appear on the current SANS Top 20 vulnerabilities list.

SANS TOP 20 Device Synopsis
This section includes a matrix of network assets and the number of vulnerabilities discovered in each SANS category from the current SANS Top 20 list.

SANS TOP 20 Executive Summary
This section includes high-level network information, summarizing the incidence of discovered vulnerabilities on scanned assets that appear on the current SANS Top 20 list.
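The following is an added example, not NeXpose code, showing how the PCI sections above relate to one another when derived from scan findings: the Vulnerabilities Noted table, the Component Compliance Summary (one Pass/Fail per IP) and the Executive Summary statement. The 4.0 CVSS threshold is the rule the guide states. The exception handling (an excepted vulnerability is dropped from the Pass/Fail decision but still noted with the excluding user's name), the PCI severity bands and all sample data are assumptions for this illustration.

```python
"""Added example (not NeXpose code): deriving the PCI report sections from findings.
The 4.0 CVSS threshold is the rule the guide states; exception handling, the PCI
severity bands and the sample data are assumptions for this illustration."""
from dataclasses import dataclass
from typing import Optional

PCI_FAIL_THRESHOLD = 4.0  # CVSS v2 score at or above which a vulnerability fails PCI


@dataclass(frozen=True)
class Finding:
    """One vulnerability instance on one scanned IP."""
    ip: str
    vuln_id: str
    cvss: float


@dataclass(frozen=True)
class VulnException:
    """A vulnerability exception; ip=None marks a global exception."""
    vuln_id: str
    ip: Optional[str]
    excluded_by: str  # user name shown in the Exceptions/False Positives/Compensating Controls column
    reason: str


def pci_severity(cvss: float) -> str:
    """PCI severity bands (assumed here): High >= 7.0, Medium >= 4.0, otherwise Low."""
    if cvss >= 7.0:
        return "High"
    if cvss >= PCI_FAIL_THRESHOLD:
        return "Medium"
    return "Low"


def find_exception(finding: Finding, exceptions) -> Optional[VulnException]:
    """Return the exception covering this finding, if any (asset-specific or global)."""
    for exc in exceptions:
        if exc.vuln_id == finding.vuln_id and exc.ip in (None, finding.ip):
            return exc
    return None


def vulnerabilities_noted(findings, exceptions):
    """Rows of the Vulnerabilities Noted table: PCI severity, CVSS, Pass/Fail and the exception column."""
    rows = []
    for f in findings:
        exc = find_exception(f, exceptions)
        fails = f.cvss >= PCI_FAIL_THRESHOLD and exc is None
        rows.append({
            "ip": f.ip,
            "vuln_id": f.vuln_id,
            "pci_severity": pci_severity(f.cvss),
            "cvss": f.cvss,
            "result": "Fail" if fails else "Pass",
            "exception_by": exc.excluded_by if exc else "",
        })
    return rows


def component_compliance_summary(rows):
    """Component Compliance Summary: one Pass/Fail per scanned IP; any failing row fails the IP."""
    summary = {}
    for row in rows:
        if row["result"] == "Fail":
            summary[row["ip"]] = "Fail"
        else:
            summary.setdefault(row["ip"], "Pass")
    return summary


def executive_summary(summary) -> str:
    """Executive Summary statement: the asset set passes only if every asset passes."""
    return "Pass" if all(v == "Pass" for v in summary.values()) else "Fail"


# Constructed sample data: three hosts, one vulnerability excepted by an ASV user.
FINDINGS = [
    Finding("10.0.0.5", "example-weak-tls", 4.3),
    Finding("10.0.0.5", "example-trace-method", 5.8),
    Finding("10.0.0.6", "example-banner", 2.6),
    Finding("10.0.0.7", "example-old-ssh", 7.5),
]
EXCEPTIONS = [
    VulnException("example-old-ssh", "10.0.0.7", "asv_jdoe", "compensating control: host isolated"),
]

if __name__ == "__main__":
    rows = vulnerabilities_noted(FINDINGS, EXCEPTIONS)
    for r in rows:
        print(f'{r["ip"]:<10} {r["vuln_id"]:<22} {r["pci_severity"]:<7} {r["cvss"]:>4} '
              f'{r["result"]:<5} {r["exception_by"]}')
    summary = component_compliance_summary(rows)
    print(summary, "->", executive_summary(summary))
```

With the sample data, 10.0.0.5 fails on two medium-severity findings, 10.0.0.6 passes, and 10.0.0.7 passes only because its high-severity finding carries an exception, which is why the exception column must show who granted it: the collective result is Fail, and an auditor reading the Executive Summary can see exactly which asset's pass depends on a human decision rather than on the scan.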

SANS TOP 20 Vulnerability Details
This section includes exhaustive information about each discovered SANS Top 20 vulnerability that appears on the current SANS Top 20 list. The section also includes remediation information.

SANS Top 20 Vulnerability Synopsis
This section includes a list of all discovered SANS Top 20 vulnerabilities that appear on the current SANS Top 20 list, sorted by various criteria, such as types of client applications, server-side software, and other categories.

Scanned Hosts and Networks
This section lists the assets that were scanned. If the IP addresses are consecutive, NeXpose displays the list as a range.

Table of Contents
This section lists the contents of the report.

Trend Analysis
This section appears when you select the Baseline report template. It compares the vulnerabilities discovered in a scan against those discovered in a baseline scan. Use this section to gauge progress in reducing vulnerabilities and improving the network's security.

Vulnerabilities by IP Address and PCI Severity Level
This section, which appears in PCI Audit reports, lists each vulnerability, the affected assets, and remediation steps, indicating whether it has passed or failed in terms of meeting PCI compliance criteria.

Vulnerability Exceptions
This section lists each vulnerability that has been excluded from the report and the reason for each exclusion. They may be excluded for certain reasons, such as those to be targeted for remediation. You may not wish to see certain vulnerabilities listed with others. A typical example is the PCI Audit report. Vulnerabilities of a certain severity level may result in an audit failure, but the exclusions must be noted. Business policies may dictate that you list excluded vulnerabilities if only to indicate that they were excluded. Do not confuse an excluded vulnerability with a disabled vulnerability check. An excluded vulnerability has been discovered by NeXpose, which means the check was enabled. To learn how vulnerability exceptions are expressed in other reporting formats, see How vulnerability exceptions appear in XML and CSV formats on page 52.

Vulnerability Report Card Across Network
This section lists all tested vulnerabilities, and indicates how each node (asset) in the network responded when NeXpose attempted to confirm a vulnerability on it. Use this section as an overview of the network's susceptibility to each vulnerability.

Vulnerability Report Card by Node
This section lists the results of vulnerability tests for each node (asset) in the network. Use this section to assess the vulnerability of each asset.

Vulnerability Test Errors
This section displays vulnerabilities that were not confirmed due to unexpected failures. Use this section to anticipate or prevent system errors and to validate that scan parameters are set properly.
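The following is an added example, not NeXpose code, for two of the sections described above: the Scanned Hosts and Networks display rule (consecutive IP addresses shown as a range) and the Trend Analysis comparison of a scan against a baseline scan. The findings are constructed sample data keyed by (ip, vulnerability id); the function names and the three-way split into new, remediated and persisting findings are my own.

```python
"""Added example (not NeXpose code): range display of scanned hosts and a
baseline comparison for trend analysis. Sample data and function names are
constructed for this illustration."""
import ipaddress
from typing import Iterable, List, Tuple


def collapse_to_ranges(ips: Iterable[str]) -> List[str]:
    """Sort and de-duplicate IPv4 addresses, then render consecutive runs as 'first - last'."""
    addrs = sorted({ipaddress.IPv4Address(ip) for ip in ips})
    runs: List[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]] = []
    for addr in addrs:
        if runs and int(addr) == int(runs[-1][1]) + 1:
            runs[-1] = (runs[-1][0], addr)   # extend the current run
        else:
            runs.append((addr, addr))        # start a new run
    return [str(a) if a == b else f"{a} - {b}" for a, b in runs]


def trend_analysis(baseline, current):
    """Compare (ip, vuln_id) pairs of the current scan against the baseline scan."""
    base, cur = set(baseline), set(current)
    return {
        "new": sorted(cur - base),            # appeared since the baseline
        "remediated": sorted(base - cur),     # present in the baseline, gone now
        "persisting": sorted(cur & base),     # still open
    }


def net_change(baseline, current) -> int:
    """Negative means fewer vulnerability instances than the baseline, i.e. progress."""
    return len(set(current)) - len(set(baseline))


# Constructed sample scans: one host remediated, one new host discovered with a finding.
BASELINE_SCAN = {
    ("10.0.0.1", "example-weak-tls"),
    ("10.0.0.2", "example-old-ssh"),
    ("10.0.0.3", "example-trace-method"),
}
CURRENT_SCAN = {
    ("10.0.0.1", "example-weak-tls"),
    ("10.0.0.3", "example-trace-method"),
    ("10.0.0.10", "example-banner"),
}

if __name__ == "__main__":
    hosts = [ip for ip, _ in BASELINE_SCAN | CURRENT_SCAN]
    print("Scanned hosts:", ", ".join(collapse_to_ranges(hosts)))
    for label, items in trend_analysis(BASELINE_SCAN, CURRENT_SCAN).items():
        print(f"{label}: {items}")
    print("net change:", net_change(BASELINE_SCAN, CURRENT_SCAN))
```

The net-change figure alone can hide churn: in the sample, one finding was remediated and one appeared, so the count is unchanged while the new and remediated lists show what actually moved, which is the information a Trend Analysis section exists to surface.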

Glossary

For more detailed information on any term in this glossary, search for the term in NeXpose Help.

API (application program interface)
An API is a NeXpose function that a developer can integrate with another software application by using program calls. The term API also refers to one of two sets of NeXpose XML APIs, each with its own included operations: API v1.1 and Extended API v1.2. To learn about each API, see the NeXpose API documentation, which you can download from the Support page of Help.

Appliance
An Appliance is a set of NeXpose components shipped as a dedicated hardware/software unit. Appliance configurations include a Security Console/Scan Engine combination and a Scan Engine-only version.

Asset
An asset is a single device on a network that NeXpose discovers during a scan. An asset's data has been integrated into the scan database, so it can be listed in sites and asset groups. In this regard, it differs from a node. See Node on page 71. In the Web interface and API, an asset may also be referred to as a device. See Managed asset on page 71 and Unmanaged asset on page 73.

Asset group
An asset group is a logical collection of managed assets to which specific members have access for creating or viewing reports or tracking remediation tickets. An asset group may contain assets that belong to multiple sites or other asset groups. An asset group is not a site. See Site on page 73. An asset group is either static or dynamic. See Dynamic asset group on page 71 and Static asset group on page 73.

Asset Owner
Asset Owner is one of the preset NeXpose roles. A user with this role can view data about discovered assets, run manual scans, and create and run reports in accessible sites and asset groups.

Authentication
Authentication is the process of a security application verifying the logon credentials of a client or user that is attempting to gain access. By default NeXpose authenticates users with an internal process, but you can configure NeXpose to authenticate users with an external LDAP or Kerberos source.

Command console
The command console is a page in the NeXpose Security Console Web interface for entering commands to run certain operations. When you use this tool, you can see real-time diagnostics and a behind-the-scenes view of Security Console activity. To access the command console page, click the Run console commands link next to the Troubleshooting item on the Administration page.

Continuous scan
A continuous scan starts over from the beginning if it completes its coverage of site assets within its scheduled window. This is a site configuration setting.

Discovery
Discovery is the first phase of a scan, in which NeXpose finds devices on a network.

Dynamic asset group
A dynamic asset group contains scanned assets that meet a specific set of search criteria. You define these criteria with asset search filters, such as IP address range or operating systems. The list of assets in a dynamic group is subject to change with every scan or when vulnerability exceptions are created. In this regard, a dynamic asset group differs from a static asset group. See Static asset group on page 73.

Dynamic Scan Pool
The Dynamic Scan Pool feature allows you to use Scan Engine pools to enhance the consistency of your scan coverage. A Scan Engine pool is a group of shared Scan Engines that can be bound to a site so that the load is distributed evenly across the shared Scan Engines. You can configure scan pools using the Extended API v1.2.

Exploit
An exploit is an attempt to penetrate a network or gain access to a computer through a security flaw, or vulnerability. Malicious exploits can result in system disruptions or theft of data. Penetration testers use benign exploits only to verify that vulnerabilities exist. The Metasploit product is a tool for performing benign exploits. See Metasploit on page 71.

Global Administrator
Global Administrator is one of the preset NeXpose roles.

Managed asset
A managed asset is a network device that has been discovered during a scan and added to a site's target list, either automatically or manually. Only managed assets can be checked for vulnerabilities and tracked over time. Once an asset becomes a managed asset, it counts against the maximum number of assets that can be scanned, according to your NeXpose license.

Manual scan
A manual scan is one that you start at any time, even if it is scheduled to run automatically at other times. Synonyms include ad-hoc scan and unscheduled scan.

Metasploit
Metasploit is a product that performs benign exploits to verify vulnerabilities. See Exploit on page 71.

Node
A node is a device on a network that NeXpose discovers during a scan. After NeXpose integrates its data into the scan database, the device is regarded as an asset that can be listed in sites and asset groups. See Asset on page 70.

Permission
A permission is the ability to perform one or more specific operations in NeXpose. Some permissions only apply to sites or asset groups to which an assigned user has access. Others are not subject to this kind of access.

Risk score
A risk score is a rating that NeXpose calculates for every asset and vulnerability. The score indicates the potential danger posed to network and business security in the event of a malicious exploit. You can configure NeXpose to rate risk according to one of two available scoring models:
• The Temporal model emphasizes the length of time that the vulnerability has been known to exist, as well as the nature of the risk. Older vulnerabilities are easier to exploit because attackers have known about them for a longer period of time.
• The Weighted model is based primarily on asset data and vulnerability types, and it takes into account the level of importance, or weight, that you assign to a site when you configure it.

Role
A role is a set of permissions. Five preset roles are available in NeXpose. See Asset Owner on page 70, Global Administrator on page 71, and Site Owner on page 73. You also can create custom roles by manually selecting permissions.

Scan
A scan is a process by which NeXpose discovers network assets and checks them for vulnerabilities. See Discovery on page 71 and Vulnerability check on page 74.

Scan credentials
Scan credentials are the user name and password that NeXpose submits to target assets for authentication in order to gain access and perform deep checks. NeXpose supports many different authentication mechanisms for a wide variety of platforms.

Scan Engine
The Scan Engine is one of two major NeXpose components. It performs asset discovery and vulnerability detection operations. Scan Engines can be distributed within or outside a firewall for varied coverage. Each installation of the Security Console also includes a local engine, which can be used for scans within the console's network perimeter.

Scan template
A scan template is a set of parameters for defining how NeXpose scans assets. Various preset scan templates are available in NeXpose for different scanning scenarios. You also can create custom scan templates. Parameters of scan templates include the following:
• methods for discovering assets and services
• types of vulnerability checks, including safe and unsafe
• Web application scanning properties
• verification of compliance with policies and standards for various platforms

Scheduled scan
A scheduled scan starts automatically at predetermined points in time. The scheduling of a scan is an optional setting in site configuration. It is also possible to start any scan manually at any time.
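The Permission and Role entries describe a scoped model: some permissions apply only to sites or asset groups the user has access to, others are not tied to a target, and a role is a set of permissions. The following is an added example, not NeXpose code, of an authorization check built on that model, with the preset roles populated from their glossary descriptions (Site Owner acts in accessible sites only; Security Manager, Asset Owner and User also act in accessible asset groups). The operation names, the administrative "manage users" permission, the treatment of Global Administrator as unrestricted, and the sample accounts are assumptions for this illustration.

```python
"""Added example (not NeXpose code): deny-by-default authorization over roles,
scoped permissions and accessible sites/asset groups. Operation names, the
'manage users' permission, the unrestricted Global Administrator and the
sample accounts are assumptions for this illustration."""
from dataclasses import dataclass, field
from typing import FrozenSet, Optional, Set, Tuple

# Operation names (assumed) chosen to mirror the role descriptions in the glossary.
VIEW_ASSET_DATA = "view asset data"
RUN_MANUAL_SCAN = "run manual scan"
CONFIGURE_SCAN = "configure scan"
CREATE_REPORT = "create report"
RUN_REPORT = "run report"
MANAGE_USERS = "manage users"  # assumed administrative permission, not tied to a site or group

# Permissions that only apply to sites or asset groups the assigned user has access to.
SCOPED_PERMISSIONS = {VIEW_ASSET_DATA, RUN_MANUAL_SCAN, CONFIGURE_SCAN, CREATE_REPORT, RUN_REPORT}

SITE, ASSET_GROUP = "site", "asset group"


@dataclass(frozen=True)
class Role:
    permissions: FrozenSet[str]
    target_kinds: FrozenSet[str]   # where this role's scoped permissions may be exercised
    unrestricted: bool = False     # assumed for Global Administrator only


PRESET_ROLES = {
    "Global Administrator": Role(
        frozenset({VIEW_ASSET_DATA, RUN_MANUAL_SCAN, CONFIGURE_SCAN, CREATE_REPORT, RUN_REPORT, MANAGE_USERS}),
        frozenset({SITE, ASSET_GROUP}), unrestricted=True),
    "Security Manager": Role(frozenset({CONFIGURE_SCAN, RUN_MANUAL_SCAN, CREATE_REPORT, VIEW_ASSET_DATA}),
                             frozenset({SITE, ASSET_GROUP})),
    # Same operations as Security Manager, but in accessible sites only.
    "Site Owner": Role(frozenset({CONFIGURE_SCAN, RUN_MANUAL_SCAN, CREATE_REPORT, VIEW_ASSET_DATA}),
                       frozenset({SITE})),
    "Asset Owner": Role(frozenset({VIEW_ASSET_DATA, RUN_MANUAL_SCAN, CREATE_REPORT, RUN_REPORT}),
                        frozenset({SITE, ASSET_GROUP})),
    "User": Role(frozenset({VIEW_ASSET_DATA, RUN_REPORT}), frozenset({SITE, ASSET_GROUP})),
}


@dataclass
class Account:
    name: str
    role: str
    sites: Set[str] = field(default_factory=set)
    asset_groups: Set[str] = field(default_factory=set)


def is_allowed(account: Account, permission: str, target: Optional[Tuple[str, str]] = None) -> bool:
    """Deny by default: the role must grant the permission, and a scoped permission
    needs a target whose kind the role covers and which the account can access."""
    role = PRESET_ROLES.get(account.role)
    if role is None or permission not in role.permissions:
        return False
    if permission not in SCOPED_PERMISSIONS or role.unrestricted:
        return True
    if target is None:
        return False                   # a scoped permission always needs a target
    kind, name = target
    if kind not in role.target_kinds:
        return False
    accessible = account.sites if kind == SITE else account.asset_groups
    return name in accessible


# Constructed sample accounts.
OWNER = Account("alice", "Site Owner", sites={"HQ"})
VIEWER = Account("bob", "User", sites={"HQ"}, asset_groups={"Servers"})
ADMIN = Account("carol", "Global Administrator")

if __name__ == "__main__":
    checks = [
        (OWNER, CONFIGURE_SCAN, (SITE, "HQ")),
        (OWNER, CONFIGURE_SCAN, (SITE, "Branch")),
        (OWNER, CONFIGURE_SCAN, (ASSET_GROUP, "Servers")),
        (VIEWER, VIEW_ASSET_DATA, (ASSET_GROUP, "Servers")),
        (VIEWER, CONFIGURE_SCAN, (SITE, "HQ")),
        (ADMIN, MANAGE_USERS, None),
    ]
    for acct, perm, tgt in checks:
        print(f"{acct.name:<6} {perm:<16} {str(tgt):<28} {is_allowed(acct, perm, tgt)}")
```

Two design points follow the glossary directly. A missing or unknown role and a scoped permission without a target both fall through to False, so a caller who forgets to pass the site cannot accidentally widen access. And the Site Owner case shows why scope has two parts: the account may well have "configure scan", yet the request is refused for an asset group because that role never acts on asset groups, whatever the account's group access says.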

Security Console
The Security Console is one of two major NeXpose components. It controls Scan Engines and retrieves scan data from them. It also controls all NeXpose operations and provides a Web-based user interface.

Security Manager
Security Manager is one of the preset NeXpose roles. A user with this role can configure and run scans, create reports, and view asset data in accessible sites and asset groups.

Site
A site is a collection of assets that are targeted for a scan. Each site is associated with a list of target assets, a scan template, one or more Scan Engines, and other scan-related settings. A site is not an asset group.

Site Owner
Site Owner is one of the preset NeXpose roles. A user with this role can configure and run scans, create reports, and view asset data in accessible sites.

Static asset group
A static asset group contains assets that meet a set of criteria that you define according to your organization's needs. Unlike with a dynamic asset group, the list of assets in a static group does not change unless you alter it manually. See Dynamic asset group on page 71.

Unmanaged asset
An unmanaged asset is a device that has been discovered during a scan but not correlated against a managed asset or added to a site's target list. NeXpose is designed to provide sufficient information about unmanaged assets so that you can decide whether to manage them. An unmanaged asset does not count against the maximum number of assets that can be scanned according to your NeXpose license.

Update
An update is a released set of changes to NeXpose. NeXpose automatically downloads and applies two types of updates:
• Content updates include new checks for vulnerabilities, patch verification, and security policy compliance. Content updates always occur automatically when they are available.
• Product updates include performance improvements, bug fixes, and new product features. Unlike content updates, it is possible to disable automatic product updates and update the product manually.

User
User is one of the preset NeXpose roles. An individual with this role can view asset data and run reports in accessible sites and asset groups.

Vulnerability
A vulnerability is a security flaw in a network or computer.
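The glossary entries for dynamic and static asset groups, and for managed and unmanaged assets, describe behaviour that is easiest to see side by side. The following is an added example, not NeXpose code: a dynamic group is recomputed from the latest scan data through search filters (IP range, operating system, presence of a vulnerability), a static group keeps the list you chose until you change it, and only managed assets count against the license. The asset inventory, the filter shapes and the vulnerability ids are constructed for this illustration.

```python
"""Added example (not NeXpose code): dynamic versus static asset group membership
across two scans, and the licensed asset count. Inventory, filters and
vulnerability ids are constructed for this illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, FrozenSet, Iterable, List, Set


@dataclass(frozen=True)
class Asset:
    ip: str
    os: str
    managed: bool            # True once added to a site's target list
    vulns: FrozenSet[str]    # vulnerability ids remaining after exceptions are applied


Filter = Callable[[Asset], bool]


def ip_in_range(first: str, last: str) -> Filter:
    """Asset search filter: IP address within an inclusive IPv4 range."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return lambda a: lo <= ipaddress.IPv4Address(a.ip) <= hi


def os_contains(fragment: str) -> Filter:
    """Asset search filter: operating system name contains the fragment (case-insensitive)."""
    return lambda a: fragment.lower() in a.os.lower()


def has_vulnerability(vuln_id: str) -> Filter:
    """Asset search filter: the vulnerability is currently reported on the asset."""
    return lambda a: vuln_id in a.vulns


def dynamic_members(assets: Iterable[Asset], filters: List[Filter]) -> Set[str]:
    """Dynamic group: managed assets matching every filter, recomputed from the scan data given."""
    return {a.ip for a in assets if a.managed and all(f(a) for f in filters)}


def static_members(chosen_ips: Iterable[str]) -> Set[str]:
    """Static group: exactly the list an administrator chose; no scan changes it."""
    return set(chosen_ips)


def licensed_asset_count(assets: Iterable[Asset]) -> int:
    """Only managed assets count against the license; unmanaged discoveries do not."""
    return sum(1 for a in assets if a.managed)


# Constructed scan 1: three managed hosts and one discovered but unmanaged device.
SCAN_1 = [
    Asset("10.0.0.2", "Ubuntu Linux 10.04", True, frozenset({"example-old-ssh"})),
    Asset("10.0.0.3", "CentOS Linux 5", True, frozenset({"example-old-ssh", "example-weak-tls"})),
    Asset("10.0.0.4", "Windows Server 2008", True, frozenset({"example-weak-tls"})),
    Asset("10.0.0.9", "Unknown", False, frozenset()),
]
# Constructed scan 2: an exception removed example-old-ssh from 10.0.0.3, and 10.0.0.9
# was added to the site's target list and fingerprinted as Linux with the same finding.
SCAN_2 = [
    Asset("10.0.0.2", "Ubuntu Linux 10.04", True, frozenset({"example-old-ssh"})),
    Asset("10.0.0.3", "CentOS Linux 5", True, frozenset({"example-weak-tls"})),
    Asset("10.0.0.4", "Windows Server 2008", True, frozenset({"example-weak-tls"})),
    Asset("10.0.0.9", "Debian Linux 6", True, frozenset({"example-old-ssh"})),
]

# Dynamic group definition: Linux hosts in the range that still show example-old-ssh.
LINUX_OLD_SSH = [ip_in_range("10.0.0.1", "10.0.0.254"), os_contains("linux"),
                 has_vulnerability("example-old-ssh")]
# Static group definition: the two hosts an administrator picked after scan 1.
CHOSEN = ["10.0.0.2", "10.0.0.3"]

if __name__ == "__main__":
    for label, scan in (("scan 1", SCAN_1), ("scan 2", SCAN_2)):
        print(f"{label}: dynamic={sorted(dynamic_members(scan, LINUX_OLD_SSH))} "
              f"static={sorted(static_members(CHOSEN))} licensed={licensed_asset_count(scan)}")
```

Between the two scans the dynamic group loses 10.0.0.3 (its qualifying finding was excepted) and gains 10.0.0.9 (newly managed), while the static group is unchanged and the licensed count rises from three to four. That is the trade-off the glossary describes: a dynamic group tracks current exposure for remediation, a static group is the right choice when the audience of a report or ticket must see a fixed population.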

Vulnerability check
A vulnerability check is a series of operations that NeXpose performs to determine whether a security flaw exists on a target asset.

Vulnerability exception
A vulnerability exception is the removal of a vulnerability from a report and from any asset listing table. Excluded vulnerabilities also are not considered in the computation of risk scores.

Index

A
Adding assets to a static asset group 43
Adding vulnerabilities 54
adware 24
Alerting page 23
alerts
  Alerting page 23
  Enable alert 23
  Limit alert text 23
  New Alert 23
  New Alert dialog box 23
  Paused scan 23
  Resumed scan 23
  Send at most field 23
  severity level for vulnerabilities 23
  SMTP e-mail 23
  SNMP message 23
  Syslog 23
alerts, vulnerabilities 23
asset
  Restrict to Device 24
  Restrict to Port 24

B
Baseline Comparison 65

C
Changing criteria for inclusion in a dynamic asset group 42
Combining filters 41
Comparing dynamic and static asset groups 36
Configuring filters 38
Configuring general attributes for a static asset group 43
Configuring report distribution 60
Cover Page 65
Creating a custom report template 61
Creating a logon for Web site form authentication 25
Creating a new report 55
Creating and editing static asset groups 33, 43
Creating and updating tickets 53
Creating global vulnerability exceptions 47, 51
credentials 24
Credentials page 24
Customizing a report template with your own logo 62

D
Discovered Databases 65
Discovered Files and Directories 66
Discovered Services 66
Discovered System Information 66
Discovered Users and Groups 66
Discovered Vulnerabilities 66
Document conventions 6

E
Executive Summary 66
Exporting scan data to external databases 60

F
Filter by asset name 40
Filter by host type 40
Filter by operating system name 39
Filter by service name 39
Filter by site name 39
Filter by software name 39
Filter by vulnerability name 40
Filtering by IP address range 38

H
Highest Risk Vulnerability Details 66
How vulnerability exceptions appear in XML and CSV formats 52

I
Including organization information in a site 29
Index of Vulnerabilities 67

L
Logging on 9
logon credentials 24

N
Navigating the Security Console Home page 10

O
Opening a ticket 54
Other documents and Help 5

P
Pausing, resuming, and stopping a scan 31
Payment Card Industry (PCI) Component Compliance Summary 67
Payment Card Industry (PCI) Executive Summary 67
Payment Card Industry (PCI) Host Details 67
Payment Card Industry (PCI) Scan Information 67
Payment Card Industry (PCI) Scanned Hosts/Networks 67
Payment Card Industry (PCI) Special Notes 67
Payment Card Industry (PCI) Vulnerabilities Noted 68
Payment Card Industry (PCI) Vulnerability Details 68
Payment Card Industry (PCI) Vulnerability Synopsis 68
Pen test 20
Policy Evaluation 68
policy violations 24

R
Remediation Plan 68
Risk Assessment 68
risk index 13
Running a manual scan 30

S
SANS Top 20 Device Listing 68
SANS TOP 20 Device Synopsis 68
SANS TOP 20 Executive Summary 68
SANS TOP 20 Vulnerability Details 69
SANS Top 20 Vulnerability Synopsis 69
scan type
  Denial of service 15
  Discovery scan 15
  Discovery scan (aggressive) 16
  Exhaustive 16, 22
  Full audit 17
  HIPAA compliance 17
  Internet DMZ audit 18
  Linux RPMs 18
  Microsoft hotfix 19, 22
  Payment Card Industry (PCI) audit 19
  Penetration test 20
  Safe network audit 20, 22
  Sarbanes-Oxley (SOX) compliance 21
  SCADA audit 21
  Web audit 22
scan types
scans, HTTP credentials 24
Scanned Hosts and Networks 69
Scheduling reports 60
Selecting a scan as a baseline 59
Selecting assets to be included in the report 58
Selecting report template sections 62
Site Configuration panel 24
SOX 21
Specifying assets to scan 13
Specifying general report attributes 55
Specifying general site information 13
spyware 24
Storing reports in report owner directories 59

T
Table of Contents 69
Trend Analysis 69

U
Understand cases for excluding vulnerabilities 46
Updating ticket history 54
Using asset groups to your advantage 35
Using dynamic asset groups 36
Using static asset groups 37
Using the search function 12

V
Viewing active vulnerabilities 44
Viewing assets 33
Viewing assets by groups 34
Viewing assets by operating system 35
Viewing assets by services 35
Viewing assets by sites 33
Viewing assets by software 35
Viewing history for all scans 32
Viewing reports in the Web interface 55
Viewing the scan log 32
Viewing tickets 53
Viewing vulnerability details 45
Viewing vulnerability exceptions in the Report Card report 52
Vulnerabilities by IP Address and PCI Severity Level 69
vulnerabilities, associated assets 23
Vulnerability Exceptions 69
Vulnerability Report Card Across Network 69
Vulnerability Report Card by Node 69
Vulnerability Test Errors 69
vulnerability, confirmed 23
vulnerability, potential 23
vulnerability, unconfirmed 23

W
Working with vulnerabilities 44
