Known Issues
There are a few known issues with the Nessus Vulnerability Scanner:
- Nessus does not provide feedback when a scan is requested for a target outside your scan permission list
- Nessus does not support LDAP authentication
- Nessus is not compatible with SSL VPNs
- Nessus OS identification is a best-effort guess
Nessus does not provide feedback when a scan is requested for a target outside your scan permission list
Overview
The Nessus web interface communicates with the backend Nessus daemon, which performs the security scans requested through the web interface. Tufts Nessus users are allowed to request scans for subnets for which they are responsible; for example, if you only run servers on 192.168.2.0/24, you won't be able to scan anything outside that subnet. Unfortunately, the web interface does not tell you when a scan you requested was disallowed (although it is logged accurately on the backend).
Symptoms
Immediately after requesting a scan of an IP that is not in your scan permission list, the scan will complete but will not have any results attached to it. No indication is provided through the web interface that the scan was not allowed (although it is logged correctly on the backend). Attempting to view the results of a disallowed scan will show only a blank results screen.
Resolution
If your scan gets moved to the completed section without any results, double-check that you entered the correct IP address, and then make a Nessus Support Request to see why the scan didn't run (and to let us know if a subnet you support needs to be added to your scan permission list).
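Because the web interface gives no indication that a scan was disallowed, a target list can be checked against your permitted subnets before you submit it. The script below is an added example, not part of the original page or of Nessus; the permitted list and the sample targets are constructed assumptions, and it goes beyond the single-IP case above by also handling CIDR blocks and start-end ranges.

```python
import ipaddress

# Assumption: your permitted subnets, as communicated by Information Security.
# 192.168.2.0/24 is the example subnet used on this page.
PERMITTED = ["192.168.2.0/24"]


def expand_target(spec):
    """Turn one target entry (IP, CIDR, or 'start-end' range) into networks."""
    spec = spec.strip()
    if "-" in spec:
        start, end = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if start.version != end.version or start > end:
            raise ValueError(f"bad range: {spec}")
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(spec, strict=False)]


def check_targets(targets, permitted=PERMITTED):
    """Return (allowed, disallowed, invalid) lists of target entries.

    An entry is allowed only if every address it covers lies inside
    one of the permitted subnets.
    """
    nets = [ipaddress.ip_network(p) for p in permitted]
    allowed, disallowed, invalid = [], [], []
    for entry in targets.replace("\n", ",").split(","):
        entry = entry.strip()
        if not entry:
            continue
        try:
            blocks = expand_target(entry)
        except ValueError:
            invalid.append(entry)  # typo or hostname; re-check by IP address
            continue
        ok = all(any(b.version == n.version and b.subnet_of(n) for n in nets)
                 for b in blocks)
        (allowed if ok else disallowed).append(entry)
    return allowed, disallowed, invalid


if __name__ == "__main__":
    # Constructed sample target list: in-range, straddling, typo'd and malformed entries.
    sample = ("192.168.2.15, 192.168.2.200-192.168.3.5, 192.168.20.15, "
              "192.168.2.0/25, 192.168.2.300")
    for label, items in zip(("allowed", "disallowed", "invalid"), check_targets(sample)):
        print(f"{label}: {items}")
```

Entries reported as disallowed or invalid are the ones to correct, or to raise in a Nessus Support Request, before the scan is requested.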
Nessus does not support LDAP authentication
Overview
Tenable has declined to include LDAP authentication for Nessus. Nessus cannot tie into any authentication or authorization infrastructure.
Resolution
Separate passwords (which are thankfully hashed safely) or user certificates must be used.
Nessus is not compatible with SSL VPNs
Overview
The Nessus web interface uses a Flash applet to interact with the Nessus vulnerability scanner. This Flash applet does not provide the correct links when accessed through the SSL VPN (it applies an absolute HTTP path rather than a relative path).
Symptoms
You'll be unable to log in or use Nessus. After the Flash applet initially loads, you will see this error: https://wikis.uit.tufts.edu/confluence/download/attachments/39557353/nessus-error.png
Resolution
- It is possible to use the SSL VPN's Network Connect client to connect to the scanning service from off-site through the VPN. This should work equally well for Windows, Mac, and Linux clients using their respective Network Connect client.
- It is not possible to use the browser-only functionality of the VPN to connect to Nessus. The developer of the software indicated to Information Security that Nessus is not compatible with SSL VPNs because it is too difficult to develop Flash applications using relative path names. Tenable also indicated that there is no planned date to resolve this issue and become compatible with SSL VPNs.
Nessus OS identification is a best-effort guess
Overview
Nessus uses the data generated in the course of a scan to try to identify the operating system of the target system. This is a statistical test that is run on the traffic generated by the scan, and can sometimes yield inaccurate results.
Symptoms
Your OS, and especially your OS version, may be guessed incorrectly.
Resolution
Try using a full TCP scan, which will generate more traffic than a SYN or UDP scan. You should also be ready to discount the importance of scan results that conflict with what you know about your host - for instance, if your host is detected running Windows 2000, which is unsupported, but you know that it is running XP SP3, which is supported, ignore scan results relating only to Windows 2000.
Finally, if you would like to work with Information Security to do so, we can collect traffic from your scan and provide it to the vendor in order to iteratively improve their OS detection engine.
Information on the Tufts IT Knowledgebase is intended for IT Professionals at Tufts.
If you have a question about a Tufts IT service or computer/account support, please contact your IT support group.