Wednesday, 22 January 2025

Exclude IPs from a Nessus scan

Say we want to scan 192.168.1.0/24 but exclude the hosts .101 and .102. We can define the targets as two ranges that skip them, like so:


192.168.1.1-192.168.1.100, 192.168.1.103-192.168.1.254
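With more than a couple of exclusions, splitting the ranges by hand gets error-prone. The Python below is an added example, not part of the original post: the hypothetical helper `nessus_targets` builds the same comma-separated range list for any IPv4 subnet and also accepts CIDR blocks as exclusions (a generalization of the two-host case above). It assumes the network and broadcast addresses are never scanned, matching the .1 to .254 span used above.

```python
import ipaddress

def nessus_targets(network, excluded):
    """Build a Nessus target string for `network` minus `excluded`.

    `excluded` holds single IPv4 addresses or CIDR blocks. Anything
    outside `network` raises ValueError so a typo cannot silently
    leave a sensitive device in scope.
    """
    net = ipaddress.IPv4Network(network)
    # Usable host span: skip network/broadcast unless the net is a /31 or /32.
    if net.num_addresses > 2:
        first, last = int(net[1]), int(net[-2])
    else:
        first, last = int(net[0]), int(net[-1])

    # Turn every exclusion into an inclusive (low, high) integer interval.
    holes = []
    for item in excluded:
        block = ipaddress.IPv4Network(item)
        if not block.subnet_of(net):
            raise ValueError(f"{item} is outside {network}")
        holes.append((int(block[0]), int(block[-1])))
    holes.sort()

    # Walk the host span and keep the gaps between the holes.
    ranges, cursor = [], first
    for low, high in holes:
        if low > cursor:
            ranges.append((cursor, min(low - 1, last)))
        cursor = max(cursor, high + 1)  # also copes with overlapping holes
    if cursor <= last:
        ranges.append((cursor, last))

    def fmt(low, high):
        a, b = ipaddress.IPv4Address(low), ipaddress.IPv4Address(high)
        return str(a) if low == high else f"{a}-{b}"

    return ", ".join(fmt(low, high) for low, high in ranges)

if __name__ == "__main__":
    # Constructed sample input: the two hosts from the post.
    print(nessus_targets("192.168.1.0/24", ["192.168.1.101", "192.168.1.102"]))
```
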


Reducing scan impact:

1. Exclude or Limit Scanning of Network Infrastructure Devices

  • Exclude devices like:

    • Firewalls

    • Switches

    • Wireless access points

    • Routers

  • These devices often:

    • React poorly to port scans and probes

    • Have limited CPU/RAM for handling scan traffic

    • Could throttle or interrupt user traffic when overwhelmed

Exclude these devices unless you have a clear need to scan them and have coordinated with the network team.


✅ 2. Use Scan Throttling and Performance Settings

Adjust the performance settings in Nessus:

  • Scan Configuration > Performance Settings:

    • Reduce the number of max simultaneous checks per host.

    • Lower the max simultaneous hosts scanned.

    • Increase the timeout to prevent retries.

    • Set network scan delay (e.g., 100–300 ms).

    • Use Safe Checks to avoid DoS-like behavior.

This reduces the burst load on the network and the devices.


✅ 3. Use Targeted or Segmented Scans

  • Break the scan into smaller IP ranges or subnets.

  • Focus on servers, endpoints, or business-critical systems first.

  • Scan different segments at different times or windows.

This distributes the load and avoids network congestion.


✅ 4. Schedule Scans During Off-Hours

  • Run scans during non-peak hours (e.g., late evening or weekends).

  • Coordinate with the customer for a maintenance window.

This is often the simplest way to avoid affecting productivity.


✅ 5. Enable Credentialed Scanning Where Possible

  • Credentialed scans are less noisy on the network.

  • They use authenticated access (e.g., SSH, SMB) to gather data from inside the system.

They are more accurate and less intrusive than aggressive remote scans.


✅ 6. Use Passive or External Discovery Methods First

  • Start with:

    • ARP sweep

    • DNS enumeration

    • SNMP discovery

    • Existing asset inventories

  • Use these to map devices before a full vulnerability scan.


✅ 7. Communicate and Test First

  • Run a scan in a test VLAN or lab to profile the impact.

  • Communicate with the network and system admins.

  • Make sure there’s monitoring in place to see how scans affect performance.

