I am trying to disable or strongly reduce the number of hosts that GVM adds while scanning multiple IPs.
E.g. I start with 10 IP addresses, and in the final results I have 30+ different hosts, many of which are not related to the original list, like some CDN or Cloud services addresses.
I have tried to set the expand_vhosts option to 0, but nothing changed. I don’t know if I have to dig in the Network Vulnerability Test Families or if there is some other option I did not find.
Thanks,
Nicola.
How are you setting expand_vhosts? It is not a command line argument, it must be set either globally in the openvas.conf configuration file which is typically located at /etc/openvas/openvas.conf or in a cloned scan configuration.
The expand_vhosts option collects vhosts from both reverse DNS and any additional hostnames/domains found in the SSL/TLS certificate SAN (Subject Alternative Name) section.
However, depending on your setup, if you are using a WAF like Cloudflare (i.e. your NS records point to the Cloudflare WAF), then the scan will stop at the Cloudflare WAF, not reaching your actual web-server. While this may be useful for assessing your WAF setup, it won’t assess your actual web-server.
It’s also possible you have some mis-configuration of your web-server, or SSL/TLS certificates.
Hi,
from the Scan Configs page of the GVM UI, I edit my Configuration, then open the section Edit Scanner Preferences, and then I change the value of expand_vhosts to 0.