
Nessus scan - TLS/SSL errors on servers

We have Nessus scans running against all servers as part of security and compliance.

This is causing a lot of TLS/SSL errors on the servers every week.

More info on the setting in Nessus causing this: https://discussions.nessus.org/message/24142#24142

Is there any way to add the Nessus servers to a 'safe list' so that they will not flood the event logs of servers every week when these scans are run?
Asked by: ServerNotFound

btan (Exec Consultant) commented:
The TLS/SSL errors are really due to the crypto negotiation: the server states that it does not have the "capability" to do that exchange, and that causes the error to form. Ideally we should really go into having the server have the appropriate crypto support, as shared here, but there can be legacy systems that you want to scan; take these SChannel errors as expected and accept the risk (not really good, but balanced out by the user).

Maybe it is better then to disable the plugin (see the forum) instead of triggering all these alerts, since it is expected and should not be that high a risk; other vulnerabilities are more important, as is safeguarding the servers so as not to DoS them inadvertently.

"We were able to resolve most of the schannel events by rejecting the following plugins: 21643, 35297, 56984, 62563, 62564."
ServerNotFound (Author) commented:
Unfortunately we cannot disable any of the plugins. We actually are not using most of the ones listed. We cannot disable the SSL cipher scanning as this is part of a security compliance definition.
gheist commented:
You should silence the SSL server log by masking out the particular scan error (making sure you are not vulnerable).
btan (Exec Consultant) commented:
If that is the case, then the server end has to be made not "noisy". You can try this:

Locate the following key in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
On the Edit menu, click Add Value, and then add the following registry value:
Value Name: EventLogging
Data Type: REG_DWORD
Note: After you add this property, you must give it a value. See the table in the "Logging options" section to obtain the appropriate value for the kind of events that you want to log.

Logging options (the values are flags and can be added together):

Value    Description
0x0000   Do not log
0x0001   Log error messages
0x0002   Log warnings
0x0004   Log informational and success events

If you also see DCOM errors alongside the Schannel errors, then you can try this in the Group Policy Editor (run gpedit.msc): go to Computer Configuration > Administrative Templates > System > Distributed COM > Application Compatibility and enable "Allow local activation security check exemptions".
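The registry step above as an added PowerShell example (not code from the thread or from Microsoft): it reads and decodes the current Schannel EventLogging bitmask and sets a new one from the flag names in the table. Two things to keep in mind, which the asker raises in the next comment: this mask applies to all Schannel logging on the host, not only to events caused by the scanner, and Schannel reads the value at startup, so a reboot is needed for a change to take effect. The assumption that a missing value behaves as 0x1 (errors only) is marked in the code; the function names are my own.

```powershell
# Added example, not from the original thread. Decode and set the SCHANNEL
# EventLogging flags described above. Run in an elevated PowerShell session;
# a reboot is required before Schannel picks up the new value.

$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$LogFlags    = [ordered]@{ Errors = 0x1; Warnings = 0x2; Informational = 0x4 }

function Get-SchannelEventLogging {
    # Returns the raw DWORD and the names of the flags it enables.
    $raw = (Get-ItemProperty -Path $SchannelKey -Name EventLogging -ErrorAction SilentlyContinue).EventLogging
    if ($null -eq $raw) { $raw = 0x1 }   # assumption: absent value behaves as "errors only"
    $names = $LogFlags.GetEnumerator() | Where-Object { ($raw -band $_.Value) -ne 0 } | ForEach-Object Key
    [pscustomobject]@{
        Raw     = ('0x{0:X4}' -f [int]$raw)
        Enabled = if ($names) { $names -join ', ' } else { 'Do not log' }
    }
}

function Set-SchannelEventLogging {
    # -Log takes one or more flag names; the flags are OR-ed into a single DWORD.
    # Supports -WhatIf so the change can be previewed before it is written.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet('Errors', 'Warnings', 'Informational')]
        [string[]]$Log = @('Errors')
    )
    $mask = 0
    foreach ($name in $Log) { $mask = $mask -bor $LogFlags[$name] }
    $desc = 'Set EventLogging = 0x{0:X4} ({1}); reboot required' -f $mask, ($Log -join ', ')
    if ($PSCmdlet.ShouldProcess($SchannelKey, $desc)) {
        New-ItemProperty -Path $SchannelKey -Name EventLogging -PropertyType DWord -Value $mask -Force | Out-Null
    }
    $mask
}

# Usage: show the current setting, preview a change, then apply it.
Get-SchannelEventLogging
Set-SchannelEventLogging -Log Errors, Warnings -WhatIf
Set-SchannelEventLogging -Log Errors
```

Setting the mask to 0 is the only way this key silences the scanner-triggered events, and it silences every other Schannel failure with them, which is why the thread moves on to filtering instead.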
ServerNotFound (Author) commented:
These options would disable ALL errors of this kind.

We would still want to have errors when the source was something other than the Nessus servers.
btan (Exec Consultant) commented:
Since we do not whitelist from the Nessus end and need to do it on the server end, I was thinking of (assuming Windows) performing some sort of custom view from the Event Viewer instead. That is probably the best way for the server to be "less noisy": it still gets scanned, but the view is filtered of the "noise".

5. You can create a custom view for either a specific set of logs or a specific set of event sources:
- Use the Event Logs list to select event logs to include. You can select multiple event logs by selecting their related check boxes. If you select specific event logs, all other event logs are excluded.
- Use the Event Sources list to select event sources to include. You can select multiple event sources by selecting their related check boxes. If you select specific event sources, all other event sources are excluded.

6. Optionally, use the User and Computer(s) boxes to specify users and computers that should be included. If you do not specify the users and computers to include, events generated by all users and computers are included.

If you are an XML scripting folk, you may want to modify the XML query used to generate Custom Views; see if there is metadata pertaining to the Nessus scan server that can be part of the custom view condition rule.
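An added example of the custom-view approach above (my code, not from the thread). The catch a practitioner hits first is that the Schannel events in the System log do not record the remote client's address, so a view cannot be keyed on the Nessus hosts themselves; the nearest workable rule is to keep Schannel critical/error events and suppress the ones written inside the scheduled scan window. The script below builds that query as Event Viewer XML, with a `Select` for the Schannel provider and a `Suppress` clause per recent scan window, and runs it through `Get-WinEvent`. The schedule (Sundays, 02:00, four hours) and the function names are assumptions to adjust to your scan policy.

```powershell
# Added example, not from the original thread. Build an Event Viewer custom
# view that shows Schannel errors except those logged during the weekly scan.
# Assumed schedule: Sundays 02:00 local time, 4 hours. Adjust to your policy.

function Get-ScanWindows {
    param(
        [DayOfWeek]$ScanDay = 'Sunday',
        [string]$ScanStart  = '02:00',
        [int]$DurationHours = 4,
        [int]$WeeksBack     = 4        # keep small; each window adds an XPath clause
    )
    # Walk back from today to the most recent scan day, then step back weekly.
    $day = (Get-Date).Date
    while ($day.DayOfWeek -ne $ScanDay) { $day = $day.AddDays(-1) }
    $start = $day + [TimeSpan]::Parse($ScanStart)
    for ($i = 0; $i -lt $WeeksBack; $i++) {
        $s = $start.AddDays(-7 * $i)
        [pscustomobject]@{ Start = $s; End = $s.AddHours($DurationHours) }
    }
}

function New-SchannelQueryXml {
    param([Parameter(Mandatory)][object[]]$Windows)
    # @SystemTime in event XML is UTC, so convert each local window before comparing.
    $fmt = "yyyy-MM-dd'T'HH:mm:ss.fff'Z'"
    $clauses = foreach ($w in $Windows) {
        $a = $w.Start.ToUniversalTime().ToString($fmt)
        $b = $w.End.ToUniversalTime().ToString($fmt)
        "(@SystemTime&gt;='$a' and @SystemTime&lt;='$b')"
    }
    $suppress = $clauses -join ' or '
    # Level 1 = Critical, 2 = Error. Suppress removes matches from the Select set.
@"
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[Provider[@Name='Schannel'] and (Level=1 or Level=2)]]</Select>
    <Suppress Path="System">*[System[TimeCreated[$suppress]]]</Suppress>
  </Query>
</QueryList>
"@
}

function Get-SchannelErrorsOutsideScan {
    param([Parameter(Mandatory)][string]$QueryXml)
    # Get-WinEvent raises an error when nothing matches; treat that as "no noise".
    Get-WinEvent -FilterXml ([xml]$QueryXml) -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Usage: generate the query, print it for Event Viewer, and run it live.
$windows = Get-ScanWindows -ScanDay Sunday -ScanStart '02:00' -DurationHours 4 -WeeksBack 4
$query   = New-SchannelQueryXml -Windows $windows
$query   # paste into Event Viewer: Create Custom View > XML tab > "Edit query manually"
Get-SchannelErrorsOutsideScan -QueryXml $query | Format-Table -AutoSize
```

The suppression is by time, not by source, so a real client's handshake failure that happens to land inside the scan window is hidden along with the scanner's; review the window separately if that matters. If you need the peer address to tell the two apart, the Schannel events will not give it to you; correlating by timestamp with a source that does record it (for example the Windows Filtering Platform connection audit events, if enabled) is the workable route.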
gheist commented:
In theory you can use whichever centralized log collection Windows allows, and not send those errors if they come from the probe...
btan (Exec Consultant) commented:
Yup, if you install Snare or some sort of log agent to pipe the events over to a log server for aggregation. From the Windows perspective, the event log will likely still be available even with the log piped, though that is unlikely to be the norm for network devices etc. I may be wrong, though; the intent of a log server is to correlate and to provide storage for a longer term.