Solved

Nessus scan - TLS/SSL errors on servers

Posted on 2014-04-02
Last Modified: 2014-04-15
We have Nessus scans running against all servers as part of security and compliance.

This is causing a lot of TLS/SSL errors on the servers every week.

More info on the setting in Nessus causing this: https://discussions.nessus.org/message/24142#24142

Is there any way to add the Nessus servers to a 'safe list' so that they will not flood the event logs of servers every week when these scans are run?
Question by:ServerNotFound
8 Comments

Expert Comment

by:btan
ID: 39975011
The TLS/SSL errors are really due to the crypto negotiation: the server does not have the "capability" to do that exchange, so an error is formed. Ideally we should really go into having the server have the appropriate crypto support, as shared here, but there can be legacy systems that you want to scan, where these SChannel errors are taken as expected and the risk is accepted (not really good, but balanced out as a user).

Maybe it is better then to disable the plugin (see the forum) instead of triggering all these alerts, since it is expected and should not be of high risk; other vulnerabilities are more important, as is safeguarding the servers so as not to DoS them inadvertently.

We were able to resolve most of the schannel events by rejecting the following plugins:  21643, 35297, 56984, 62563, 62564.

Author Comment

by:ServerNotFound
ID: 39978789
Unfortunately we cannot disable any of the plugins. We actually are not using most of the ones listed. We cannot disable the SSL cipher scanning, as this is part of a security compliance definition.

Expert Comment

by:gheist
ID: 39979243
You should silence the SSL server log by masking out the particular scan error (making sure you are not vulnerable).

Expert Comment

by:btan
ID: 39979410
If that is the case, then the server end has to be less "noisy". You can try this:

Locate the following key in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
On the Edit menu, click Add Value, and then add the following registry value:
Value Name: EventLogging
Data Type: REG_DWORD
Note: After you add this value, you must give it data. See the table in the "Logging options" section to obtain the appropriate value for the kind of events that you want to log.

Value      Description
0x0000      Do not log
0x0001      Log error messages
0x0002      Log warnings
0x0004      Log informational and success events

If you also see DCOM errors alongside the Schannel errors, then you can try, in Group Policy Editor (run: gpedit.msc), going to Computer Configuration > Administrative Templates > System > Distributed COM > Application Compatibility and enabling "Allow local activation security check exemptions".
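Added example (mine, not from the thread): a pair of PowerShell functions that apply the EventLogging value from the registry steps above and decode what the bits currently mean. It assumes an elevated session on the scanned server; Microsoft documents the absent value as equivalent to 0x1 (errors only) and notes that Schannel reads the key at startup, so the change takes effect after a restart.

```powershell
# Added example, not from the original thread. Applies the Schannel EventLogging
# value described above and decodes the current setting. Run in an elevated
# session on the scanned server; the new value takes effect after a restart.
$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Bit values from the table in the comment above; they can be OR-ed together.
$LogBits = [ordered]@{ Errors = 0x1; Warnings = 0x2; Info = 0x4 }

function Get-SchannelLogging {
    $v = (Get-ItemProperty -Path $SchannelKey -Name EventLogging -ErrorAction SilentlyContinue).EventLogging
    if ($null -eq $v) { return 'EventLogging not set (documented default: 0x1, errors only)' }
    $set = foreach ($k in $LogBits.Keys) { if ($v -band $LogBits[$k]) { $k } }
    'EventLogging = 0x{0:X} ({1})' -f $v, $(if ($set) { $set -join '+' } else { 'nothing logged' })
}

function Set-SchannelLogging {
    # Accepts a raw bitmask (0..7) and/or the names Errors, Warnings, Info.
    param([Parameter(Mandatory)][object[]]$Level)
    $mask = 0
    foreach ($l in $Level) {
        if ($l -is [int])                       { $mask = $mask -bor $l }
        elseif ($LogBits.Contains([string]$l))  { $mask = $mask -bor $LogBits[[string]$l] }
        else { throw "Unknown Schannel log level '$l'" }
    }
    # Set-ItemProperty creates the value if it does not exist yet.
    Set-ItemProperty -Path $SchannelKey -Name EventLogging -Value $mask -Type DWord
    Get-SchannelLogging
}

Get-SchannelLogging
# What the comment suggests (0x0) silences every Schannel event, scanner or not:
Set-SchannelLogging -Level 0
# Less blunt: keep error logging (0x1) and filter the scanner noise in the view instead:
Set-SchannelLogging -Level Errors
```

Setting 0x0 is the "not noisy" option from the comment; the last call shows the setting to return to if, as in this thread, errors from non-scanner clients still need to be seen.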

Author Comment

by:ServerNotFound
ID: 39984470
These options would disable ALL errors of this kind.

We would still want to have errors when the source was something other than the Nessus servers.

Accepted Solution

by: btan (earned 250 total points)
ID: 39984776
Since we do not whitelist from the Nessus end and need to do it on the server end, I was thinking of using (assuming Windows) Event Viewer to perform some sort of custom view instead. That is probably the best way for the server to be "less noisy": it still gets scanned, but the view is filtered of the "noise".

5. You can create a custom view for either a specific set of logs or a specific set of event sources:
- Use the Event Logs list to select event logs to include. You can select multiple event logs by selecting their related check boxes. If you select specific event logs, all other event logs are excluded.
- Use the Event Sources list to select event sources to include. You can select multiple event sources by selecting their related check boxes. If you select specific event sources, all other event sources are excluded.

6. Optionally, use the User and Computer(s) boxes to specify users and computers that should be included. If you do not specify the users and computers to include, events generated by all users and computers are included.

If you are an XML scripting person, you may want to modify the XML query used to generate custom views; you can see if there is metadata pertaining to the Nessus scan server that can be part of the custom view's condition rule.

Assisted Solution

by: gheist (earned 250 total points)
ID: 39986988
In theory you can use whichever centralized log collection Windows allows, and not forward those errors if they come from the probe...

Expert Comment

by:btan
ID: 39987561
Yep, if you install Snare or some sort of log agent to pipe the events over to a log server for aggregation. From the Windows perspective, the event log will likely still be available even with the log piped, though that is probably not the norm for network devices etc. I may be wrong, though; the intent of a log server is to correlate and to provide storage for the longer term.
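Added example (mine, not from the thread) covering both the custom-view approach in the accepted solution and the forward-side filtering suggested afterwards: a PowerShell function that emits the QueryList XML that an Event Viewer custom view (XML tab), Get-WinEvent -FilterXml, and a Windows Event Forwarding subscription all accept. It assumes the Schannel event IDs 36874, 36887 and 36888, the usual handshake-failure events on the System log; those events record the alert and protocol but not the remote address, so the filter works by provider and event ID, not by scanner host, and the inverse query is included to review what is being hidden after each scan.

```powershell
# Added example, not from the original thread. Builds the XPath/QueryList used by
# an Event Viewer custom view, Get-WinEvent, or a WEF subscription to hide the
# Schannel events a cipher-enumerating scan produces. The event IDs are an
# assumption (the common TLS handshake-failure events); adjust to what your
# servers actually log.
$SchannelNoiseIds = 36874, 36887, 36888

function New-SchannelFilterXml {
    param(
        [int[]]$EventId = $SchannelNoiseIds,
        [switch]$ShowOnlyNoise   # inverse view: list exactly what the filter hides
    )
    $idClause = ($EventId | ForEach-Object { "EventID=$_" }) -join ' or '
    $noise = "*[System[Provider[@Name='Schannel'] and ($idClause)]]"

    if ($ShowOnlyNoise) {
        return @"
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">$noise</Select>
  </Query>
</QueryList>
"@
    }
    # Level 1..3 = Critical, Error, Warning; Suppress removes the scan noise
    # while every other error stays visible.
    return @"
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
    <Suppress Path="System">$noise</Suppress>
  </Query>
</QueryList>
"@
}

# The filtered view: paste the XML into Custom View -> XML tab, or query directly.
$quietQuery = New-SchannelFilterXml
Get-WinEvent -FilterXml $quietQuery -MaxEvents 20 | Format-Table TimeCreated, Id, ProviderName -AutoSize

# Sanity check after a scan week: what did the filter hide, and how much of it?
$hidden = Get-WinEvent -FilterXml (New-SchannelFilterXml -ShowOnlyNoise) -ErrorAction SilentlyContinue |
    Where-Object { $_.TimeCreated -gt (Get-Date).AddDays(-7) }
$hidden | Group-Object Id | Select-Object Name, Count
```

For the centralized-collection variant, the same QueryList goes inside the `<Query><![CDATA[ ... ]]></Query>` element of a WEF subscription created with `wecutil cs`, so the Schannel noise is never forwarded while the local System log still keeps it. Because these events carry no peer address, a filter can only hide by ID or by a time window; a spike in the hidden count outside the Nessus schedule is the signal that something other than the scanner is failing TLS handshakes.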