CVE-2018-11409 Nessus Scan Trick modify restmap.co...

kballow · ‎07-28-2021

Hello All,

Nessus keeps throwing the error that "/en-US/splunkd/__raw/services/server/info/server-info?output_mode=json" exposes critical information for unauthenticated scans, but it the test is stupid and runs an authenticated scan, therefore it fails since the data will be presented if authenticated.

We need a clean Nessus scan result and I managed to make the following changes to restmap.conf

[admin:server-info]
requireAuthentication = true
acceptFrom = "127.0.0.1"

[admin:server-info-alias]
requireAuthentication = true
acceptFrom = "127.0.0.1"

This basically makes it even if you are authenticated you will get forbidden if you visit "/en-US/splunkd/__raw/services/server/info/server-info?output_mode=json".

This works great, but a side effect is that I am unable to view some UI pages like for example the user page anymore. I would have to remove the 127.0.0.1 line to view the UI elements. Anyone know how I can specially block "/en-US/splunkd/__raw/services/server/info/server-info?output_mode=json" but not cause other pages like users from being blocked?

This is to just get the nessus scan to pass.

CVE-2018-11409 Nessus Scan Trick modify restmap.conf

authentication

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?

CVE-2018-11409 Nessus Scan Trick modify restmap.conf

authentication

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine