IBM Support

QRadar: Rapid7 Nexpose Vulnerability Scan Imports Cause Disk Sentry Notifications

Troubleshooting


Problem

A scheduled Rapid7 Nexpose vulnerability scan import might generate 'Disk Sentry' warning system notifications and cause performance issues such as slow event and network searches.

Symptom

The following warning notification may be seen in the 'Messages' panel in the QRadar Web Console:

Disk Sentry: Disk Usage Exceeded warning Threshold

Cause

The CIDR range configured for the scanner is excessively broad, which returns vulnerability data for a very large number of systems. Such large scans can fill the temporary file directory that stores the scan import data, or cause out-of-memory issues.

Common issues when configuring a scanner
A common issue when configuring scan data is for an administrator to specify a 'default route' of 0.0.0.0/0 in CIDR notation, which requests that the scanner import data for all networks. Another common range is 10.0.0.0/8, which returns data for the entire private network block.

These CIDR ranges may be inappropriate for large, distributed networks. When a scan import is run against the Rapid7 Nexpose vulnerability scanner, QRadar retains the temporary report data returned by the VA scanner until the import is complete, so a very large import has the potential to fill /store/tmp, the storage partition for QRadar temporary files.

Diagnosing The Problem

1. Verifying the size of the network scan

In QRadar, the administrator should verify the CIDR range used for the scan import and also verify the disk space used by the temporary scan data.

Procedure

  1. Log in to the QRadar Console as an administrator.
  2. Click the Admin tab.
  3. Click the VA Scanners icon.
  4. Double-click on your Rapid7 Nexpose scanner.
  5. Review the size of the scan to verify whether you are scanning an entire network, such as 0.0.0.0/0.

    Figure 1: Scan size values of 0.0.0.0/0 or 10.0.0.0/8 are not recommended.

  6. Reduce the scan size to more manageable CIDR ranges instead of scanning large ranges.
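The procedure above asks the administrator to eyeball the CIDR range. The following script is an added example, not part of the IBM technote or of QRadar, that does the same check from the command line: it converts each range's prefix length into the number of addresses it covers and flags anything above a threshold. The 65536-address threshold (a /16) and the sample ranges are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the IBM page): sanity-check VA scanner CIDR ranges
# before a Rapid7 Nexpose import. The 65536-address threshold is an assumption
# chosen for illustration, not a QRadar setting.

cidr_prefix() {
    # Print the prefix length of "a.b.c.d/NN"; return 1 if the input is malformed.
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    prefix=${1##*/}
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    printf '%s\n' "$prefix"
}

cidr_hosts() {
    # Number of IPv4 addresses covered by the range: 2^(32 - prefix).
    p=$(cidr_prefix "$1") || return 1
    echo $(( 1 << (32 - p) ))
}

cidr_is_too_broad() {
    # True (exit 0) when the range covers more addresses than the threshold in $2.
    hosts=$(cidr_hosts "$1") || return 2
    [ "$hosts" -gt "${2:-65536}" ]
}

check_scan_ranges() {
    # Read one CIDR per line on stdin and print a verdict for each.
    threshold=${1:-65536}
    while IFS= read -r cidr; do
        [ -n "$cidr" ] || continue
        if ! hosts=$(cidr_hosts "$cidr"); then
            printf 'INVALID    %s\n' "$cidr"
        elif [ "$hosts" -gt "$threshold" ]; then
            printf 'TOO BROAD  %-18s %s addresses; narrow the range\n' "$cidr" "$hosts"
        else
            printf 'OK         %-18s %s addresses\n' "$cidr" "$hosts"
        fi
    done
}

# Constructed sample ranges: the two problematic values named on the page plus
# narrower ones an administrator might use instead, and one malformed entry.
check_scan_ranges 65536 <<'EOF'
0.0.0.0/0
10.0.0.0/8
10.1.0.0/16
192.0.2.0/24
10.0.0.0
EOF
```

Feed the script the ranges configured for each VA scanner (one per line) and split any range reported as TOO BROAD into the subnets that actually host the systems you need scanned; a narrower list of ranges also keeps the /store/tmp usage of each import bounded.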


2. Determining the disk space used by the scan data


To verify the disk space used by the scan, the administrator can SSH to the QRadar appliance that manages the scanner and verify the free disk space of the /store/tmp directory.

Procedure
  1. Using SSH, log in to the QRadar Console as the root user.
  2. Optional. Using SSH, start a session to the QRadar host that manages the Rapid7 Nexpose scanner.
  3. To confirm current disk usage for /store/tmp, type the following command: df -h
  4. Optionally, to verify the size of scan import files in the directory, type: du -sh /store/tmp/vis

    Note: If /store/tmp/vis is gigabytes in size, run ls -ltr /store/tmp/vis to list its files from oldest to newest.

  5. Review the files in this directory and note the last modified timestamp assigned to the latest temporary file.
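The df, du and ls steps above can be combined into one check that is easy to rerun while an import is in progress. The script below is an added example, not part of the IBM technote or of QRadar: it reports the percent used on the filesystem holding the scan temp directory, the size of that directory, its newest file, and how many files are older than a given age (the files a 'Cache Timeout' of that many minutes would already have removed). The directory /store/tmp/vis comes from the page; the 80% warning level and 60-minute age are assumptions for illustration, and when the directory is absent the script demonstrates on a constructed temporary directory instead.

```shell
#!/bin/sh
# Added example (not from the IBM page): report disk usage for the QRadar
# scan temp directory and find files a lowered 'Cache Timeout' would remove.
# The default directory is /store/tmp/vis as named on the page; the 80%
# warning level and 60-minute age are assumptions for illustration.

disk_used_pct() {
    # Percent used on the filesystem holding $1, taken from POSIX `df -P`.
    df -P "$1" | awk 'NR == 2 { sub("%", "", $5); print $5 }'
}

dir_size_kb() {
    # Total size of $1 in kilobytes, from `du -sk` (like `du -sh` on the page).
    du -sk "$1" | awk '{ print $1 }'
}

usage_above() {
    # True (exit 0) when the filesystem holding $1 is more than $2 percent full.
    pct=$(disk_used_pct "$1")
    [ -n "$pct" ] && [ "$pct" -gt "$2" ]
}

newest_file_in() {
    # Name of the most recently modified regular file directly under $1
    # (the file that `ls -ltr` on the page lists last).
    ls -tp "$1" | grep -v '/$' | head -n 1
}

count_older_than() {
    # Count regular files in $1 last modified more than $2 minutes ago: these
    # are the files a 'Cache Timeout' of $2 minutes would already have removed.
    find "$1" -maxdepth 1 -type f -mmin +"$2" | wc -l | tr -d ' '
}

scan_tmp_report() {
    # Print a short summary for DIR with WARN percent and AGE minutes.
    dir=${1:-/store/tmp/vis}; warn=${2:-80}; age=${3:-60}
    printf '%s: %s%% of filesystem used, %s KB of scan temp files\n' \
        "$dir" "$(disk_used_pct "$dir")" "$(dir_size_kb "$dir")"
    printf 'newest temp file: %s\n' "$(newest_file_in "$dir")"
    printf 'files older than %s min: %s\n' "$age" "$(count_older_than "$dir" "$age")"
    if usage_above "$dir" "$warn"; then
        printf 'WARNING: usage above %s%%; narrow the scan CIDR or lower Cache Timeout\n' "$warn"
    fi
}

# Run against the real directory on a QRadar host; otherwise demonstrate on a
# constructed temp directory holding one stale and one fresh file.
if [ -d /store/tmp/vis ]; then
    scan_tmp_report /store/tmp/vis 80 60
else
    demo=$(mktemp -d)
    touch -t 201901010000 "$demo/nexpose-old.xml"   # constructed stale file (2019)
    touch "$demo/nexpose-new.xml"                    # constructed fresh file (now)
    scan_tmp_report "$demo" 80 60
    rm -rf "$demo"
fi
```

On a QRadar host run it as root while the import is active; a growing KB figure with a newest-file timestamp that keeps advancing shows the import is still writing report data, which is the situation in which a too-broad CIDR range or a long 'Cache Timeout' fills /store/tmp.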

Resolving The Problem

One of the properties in the VA Scanner configuration panel for this scanner is 'Cache Timeout' (minutes). This property specifies the length of time that scan report data is stored in the cache. For large scans, try lowering this value.

The value for 'Cache Timeout' can be set to 0, which causes temporary scan report files to be deleted immediately after they are processed.


Document Information

Modified date:
10 May 2019

UID

swg21676533