Possibility to add an identifier to the vuln tests?

Hello,

For Greenbone community edition, is it possible to attach some sort of token/identifier to the requests when launching scans during the vulnerability tests so that our operators could add this identifier to a whitelist in order to not create alerts on their end?

It’s in a case where they can’t check the IP of the requests.

Hi,

It is better to create an alert and inform the NOC / SOC that a scan is started. This is due to the fact that it is not possible with many PDUs to include such an identifier.

2 Likes

I see, thanks for the reply.

Note that at least for many HTTP based tests the scanner is already adding / using a UserAgent identifier like e.g. the following:

UserAgent: Mozilla/5.0 [en] (X11, U; OpenVAS-VT 9.0.3)

2 Likes

Yes, I noticed indeed, tho idk if it's for all requests

As cfi mentioned, this is added to HTTP requests. Not all protocols use headers the same way as HTTP. For example, SSH (Secure Shell) does not support the use of custom headers.

In addition to this, there are also various HTTP VTs which, e.g., do not send a User-Agent on purpose (because e.g. it is required for an exploit to overwrite it).

But the operators probably could already use the existing user agent to identify the IP / origin of the scanner to identify the whole scan traffic accordingly.

2 Likes
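
The approach from the last reply, as an added example that is not part of any post in this thread: find the source addresses that sent at least one request with the OpenVAS-VT User-Agent, then tag every request from those addresses, including the ones that carry a different User-Agent or none. The combined access-log format, the sample lines and the function names are assumptions made for the illustration.

```python
import re

# Marker taken from the User-Agent quoted in the thread.
SCANNER_UA_MARKER = "OpenVAS-VT"

# Assumed combined log format:
# ip - user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (documentation IP ranges), not real scan traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS-VT 9.0.3)"
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /admin HTTP/1.1" 404 0 "-" "-"
198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 10.0)"
192.0.2.10 - - [01/Jan/2024:10:00:03 +0000] "POST /login HTTP/1.1" 401 0 "-" "custom-agent"
"""

def parse(log_text):
    """Yield one dict per line that matches the assumed log format."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()

def scanner_sources(entries):
    """Source IPs that sent at least one request carrying the scanner marker."""
    return {e["ip"] for e in entries if SCANNER_UA_MARKER in e["ua"]}

def label(log_text):
    """Tag every request from a scanner source, whatever its User-Agent."""
    entries = list(parse(log_text))
    sources = scanner_sources(entries)
    return [dict(e, scanner=e["ip"] in sources) for e in entries]

if __name__ == "__main__":
    for e in label(SAMPLE_LOG):
        tag = "SCAN" if e["scanner"] else "    "
        print(tag, e["ip"], e["request"], "| UA:", e["ua"])
```

The User-Agent is set by the client, so a match is best paired with the announced scan window before the tagged traffic is excluded from alerting.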