2 Replies Latest reply: May 18, 2017 12:44 PM by cbirt2010 RSS

Plugin 19506

cbirt2010 Novice

Hi All,

 

This is sort of a random question dealing with filtering in the vulnerability analysis. It is my understanding that plugin 19506 is basically used just to grab details about the Nessus scan itself. So if I want to do some analysis on all my assets in my enterprise I return a result of 14507 total IPs. When I add one filter (Plugin ID 19506) I receive a different number of IPs as a result 13500......Why would the 19506 plugin give me a different IP result? Shouldn't the number be the same since all 19506 does is retrieve scan information? Thank you in advance.

  • Re: Plugin 19506
    rseguin Apprentice

    Hi Corey,

     

    This can happen if you have devices that were just pinged, and not really scanned in any way. If your scanners hit targets that give very minimal response, so much so that we can't actually run any port checks against it, 19506 won't fire for that IP because there weren't any plugins that were able to run against it that would trigger a vuln scan worthy of notating. Often times this is caused by host discovery scans being run on certain subnets, and no followup vulns scans were then run again on those same targets.

     

    You can create a dynamic asset list that has "Plugin ID is not equal to 19506" set as a filter to get all of the hosts that fit that criteria. You can then use that asset to scan those IPs to see if network conditions have changed enough to let your scanners hit them.

     

    Also, you'll sometimes get firewalls or routers that respond on behalf of any IP that fits within their assignable ARP table, regardless as to whether or not there's anything actively plugged into those ports or assigned those IPs. Usually this feature exists on those devices for faster network speeds and address assignment, but it will cause our scanners to get a response from something that doesn't exist. The good news there though is that they don't count against your license, as we don't count certain basic info plugins like ping against your host count.