3 Replies. Latest reply: Jul 5, 2016 1:11 PM by zaneta22

SC - Delete an individual active IP

gkengkok Novice

Hi All,

 

I have a question to ask.

As far as I know, deleting the entire repository will reset the active IP count. Are there any steps to delete an individual active IP from the repository?

 

Any answer will be appreciated.

 

Regards.

  • Re: SC - Delete an individual active IP
    JimmyKumbaya Expert

    Check out nessusd.rules in the documentation: if you attempt a scan on an IP address you've blocked via a reject instruction in the rules file, SC (at least SC4) will remove that IP address's vulnerability information from the repository.

  • Re: SC - Delete an individual active IP
    hkuhfeldt Novice

    Good Morning!

     

    The suggested method for removing a single IP from the SecurityCenter Repository is to create a custom policy that uses at least 100 plugins (the default of all plugins enabled is completely fine) and does not ping the host during the scan. (You will need to make sure that the host is not connected to the network when the scan runs and that no other scans will scan it, or the data will not be removed. LCE and PVS data can also cause the IP to remain.)

     

    To create a custom policy, select Scans, then Policies from the menu at the top of the screen.  Click on the Add button in the top right corner to add a policy. Once the Policy Selection Screen loads, select Advanced Scan from the Custom section at the bottom of the page. The Add Policy > Advanced Scan  page will load.

     

    Disable Ping the remote host in the custom policy by selecting Host Discovery from the menu at left, and then clicking the button at right.  The button should turn grey, as shown below.

     

    [Screenshot: Screen Shot 2016-07-05 at 10.59.27 AM.png]

     

     

    Once you have disabled Ping the remote host, click Submit after scrolling to the bottom of the interface page.

     

    Once the Policies page is visible, create a scan for this policy by selecting Scans, then Active Scans in the menu at top.  Select the Add button in the top right corner to enter the Add Active Scan wizard. On the General page, give the scan a Name that you can identify easily and select the policy that you created in the previous section. You can see an example below.

     

    [Screenshot: Screen Shot 2016-07-05 at 8.42.18 AM.png]

     

     

    Once you have named your scan and identified the policy, click on the Settings link to the right, which will open the Settings page.  Select the Repository that contains the vulnerability data for the IP that you wish to remove as the Import Repository.

    [Screenshot: Screen Shot 2016-07-05 at 10.53.35 AM.png]

    Once you have selected the repository, click on the button to the right of “Immediately remove vulnerabilities from scanned hosts that do not reply”.

    An option to set the number of days to wait before removing dead hosts will appear. Set this to 1.  (You will need to make sure that the host is not connected to the network when the scan runs and that no other scans will scan it or the data will not be removed. LCE and PVS data can also cause the IP to remain.)  An example of the setting is below.


    [Screenshot: Screen Shot 2016-07-05 at 10.50.16 AM.png]

     

    After completing the tasks on the Settings page, click on the Targets link at left. The page will change and will allow you to select the targets for the scan. Change the Target Type drop-down menu to IP / DNS Name and insert the IP address you want to remove in the field below. Below is an example, but you will have to substitute your target’s IP address for our placeholder.

     

     

    [Screenshot: Screen Shot 2016-07-05 at 8.44.02 AM.png]

     

    Finally, click on Submit, and then run the scan. The offline host will not respond, and the data should be removed by the following day.

  • Re: SC - Delete an individual active IP
    zaneta22 Expert

    I am not sure if it will count for your IP, but what I do is simply cut off the box. Scan the IP and the results go away. Make sure you have it set to now for inactive.

    (Also, which repository are you trying to delete it from?)

     

    Let me know if this works.