Automatic vulnerability scanning
After specifying the Quick Scan or Deep Scan parameters, you can set the NetProfiler to automatically run scans in response to specified types of alerts.
The Auto Scan tab of the Integration > Vulnerability Scanning page lists the types of network events that cause the NetProfiler to send traffic-related alerts. For each level of alert these events can trigger, you can specify a scan action to be taken: No Scan, Quick Scan, or Deep Scan.
Fields near the bottom of the page provide for limiting the volume and rate of scanning to protect your network from being overwhelmed by scan traffic. The NetProfiler reports up to 256 hosts involved in an event. It runs up to 4 scans concurrently and up to 12 scans per hour. The scan traffic is recorded in the NetProfiler flow logs and becomes part of the profile.
To specify vulnerability scans in response to alerts:
- On the Administration > Integration > Vulnerability Scanning page, select the Auto Scan tab.
- Select the Low, Medium or High cells for the types of alerts that are to trigger Quick scans. You can toggle the selections on or off by cells or by rows.
- Click Set Scan and select Quick Scan from the menu. "Quick Scan" appears in the cells you had selected.
- Select the Low, Medium or High cells for the types of alerts that are to trigger Deep scans.
- Click Set Scan and select Deep Scan from the menu. "Deep Scan" appears in the cells you had selected.
- If applicable, select the Low, Medium or High cells for the types of alerts that are to trigger no scans.
- Click Set Scan and select No Scan from the menu. "No Scan" appears in the cells you had selected.
- Set maximum scan volumes and rates, if desired.
- Click Apply.
The Clear Selection button deselects the cells that are currently selected.
What is scanned
The event that triggers an automatic scan also determines which hosts are scanned, as follows:
| Type of event that triggered the scan | What is scanned |
| --- | --- |
| Denial of Service/Bandwidth Surge | Attacker hosts |
| Host Scan | Scanner host |
| New Host | New host |
| New Server Port | Host that provided or consumed a service over the port |
| Port Scan | Victim hosts |
| Suspicious Connection | Source and victim |
| User-defined Policy | Source and destination or client and server hosts involved in the event |
| Worm | Victim hosts |
Only hosts identified as having "inside addresses" are scanned. Inside addresses are specified on the Administration > General Settings page.
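The following Python model of the target selection described above is an added example, not NetProfiler code or a product API. The event dictionary layout, the role names, and the sample addresses are assumptions constructed for illustration. It shows how the Auto Scan settings, the event table, and the inside-address rule combine, including the case where a scan action is configured but every listed host is an outside address.

```python
import ipaddress

# Event type -> host roles that are scanned, per the table above.
# Role names are this example's own labels, not product field names.
SCAN_ROLES = {
    "Denial of Service/Bandwidth Surge": ("attacker",),
    "Host Scan": ("scanner",),
    "New Host": ("new_host",),
    "New Server Port": ("server", "client"),
    "Port Scan": ("victim",),
    "Suspicious Connection": ("source", "victim"),
    "User-defined Policy": ("source", "destination", "client", "server"),
    "Worm": ("victim",),
}

def plan_scan(event, auto_scan, inside_nets):
    """Return (action, targets); targets keep only inside addresses."""
    action = auto_scan.get((event["type"], event["severity"]), "No Scan")
    if action == "No Scan":
        return action, []
    nets = [ipaddress.ip_network(n) for n in inside_nets]
    targets = []
    for role in SCAN_ROLES[event["type"]]:
        for host in event["hosts"].get(role, []):
            ip = ipaddress.ip_address(host)
            # Outside addresses are never scanned, whatever their role.
            if any(ip in net for net in nets) and host not in targets:
                targets.append(host)
    return action, targets

# Constructed sample data (private and documentation address ranges).
INSIDE = ["10.0.0.0/8"]
AUTO_SCAN = {  # (event type, alert level) -> action chosen on the Auto Scan tab
    ("Denial of Service/Bandwidth Surge", "High"): "Deep Scan",
    ("Suspicious Connection", "Medium"): "Quick Scan",
}
EVENTS = [
    {"type": "Denial of Service/Bandwidth Surge", "severity": "High",
     "hosts": {"attacker": ["203.0.113.5"], "victim": ["10.1.1.20"]}},
    {"type": "Suspicious Connection", "severity": "Medium",
     "hosts": {"source": ["203.0.113.9"], "victim": ["10.1.1.30"]}},
    {"type": "Port Scan", "severity": "Low",
     "hosts": {"victim": ["10.1.1.40"]}},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["type"], "->", plan_scan(ev, AUTO_SCAN, INSIDE))
```

In the first sample event the only scanned role is the attacker, which is an outside address, so the configured Deep Scan has no hosts to scan.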
Manually initiating a vulnerability scan