ET SCAN Nessus User Agent

This alert is triggered when external communication to a Nessus User Agent on an asset in the network is detected. Nessus User Agents are management programs that collect vulnerability, compliance and system data. This alert may be triggered by an adversary attempting to communicate with the Nessus User Agent in order to get information on the asset.

Categories:

ID Number

4000522

Signature

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Nessus User Agent"; flow: established,to_server; content:"User-Agent|3a|"; http_header; nocase; content:"Nessus"; http_header; fast_pattern; nocase; pcre:"/^User-Agent\:[^\n]+Nessus/Hmi"; threshold: type limit, track by_src,count 1, seconds 60; reference:url,www.nessus.org; reference:url,doc.emergingthreats.net/2002664; classtype:attempted-recon; sid:4000522; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
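
The signature's match and rate-limit logic, re-expressed in Python as an added example (not part of the original rule page or of the Emerging Threats rule set): it applies the two `content` checks and the PCRE to a header block, then the `type limit` threshold per source address. The function names and the sample requests are constructed for illustration, and a raw header string stands in for the sensor's HTTP header buffer.

```python
import re

# Equivalent of pcre:"/^User-Agent\:[^\n]+Nessus/Hmi" (m = multiline, i = nocase).
UA_NESSUS = re.compile(r"^User-Agent:[^\n]+Nessus", re.MULTILINE | re.IGNORECASE)
LIMIT_SECONDS = 60  # threshold: type limit, track by_src, count 1, seconds 60


def headers_match(headers: str) -> bool:
    """Apply the two nocase content checks, then the PCRE, to a header block."""
    lowered = headers.lower()
    if "user-agent:" not in lowered or "nessus" not in lowered:
        return False
    return UA_NESSUS.search(headers) is not None


def alerts(events):
    """events: time-ordered iterable of (epoch_seconds, src_ip, headers).
    Returns the (time, src_ip) pairs that would raise an alert."""
    window_start = {}  # src_ip -> start of that source's current limit window
    fired = []
    for ts, src, headers in events:
        if not headers_match(headers):
            continue
        start = window_start.get(src)
        # type limit, count 1: only the first match per source per window alerts.
        if start is None or ts - start >= LIMIT_SECONDS:
            window_start[src] = ts
            fired.append((ts, src))
    return fired


# Constructed sample traffic (documentation address ranges, made-up requests).
SAMPLE = [
    (0, "203.0.113.10", "Host: a\r\nUser-Agent: Mozilla/4.0 (compatible; Nessus)\r\n"),
    # Same source inside the 60 s window: matches, but is suppressed.
    (5, "203.0.113.10", "Host: a\r\nuser-agent: nessus scan\r\n"),
    # "Nessus" only in another header: both content checks pass, the PCRE does not.
    (7, "198.51.100.7", "Host: a\r\nUser-Agent: curl/8.0\r\nReferer: http://a/Nessus\r\n"),
    (9, "198.51.100.7", "Host: a\r\nUser-Agent: Nessus SOAP\r\n"),
    # First source again after its window expired: alerts once more.
    (61, "203.0.113.10", "Host: a\r\nUser-Agent: Nessus\r\n"),
]

if __name__ == "__main__":
    for ts, src in alerts(SAMPLE):
        print(f"t={ts:>3}s src={src} ET SCAN Nessus User Agent")
```

Because of the threshold, a single alert per source per minute can stand for many matching requests, so the alert count understates the request volume during triage.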

MITRE ATT&CK Technique

-

Severity

Low

Recommendations/Investigative actions

It is recommended to disable all external communications to the Nessus User Agent. If there is a need to allow external access to the Nessus User Agent, enable access to specific assets.