AlienVault® USM Appliance™

Excluding IP Addresses from a Scheduled Asset Scan

Version: 5.x
Deployment: All deployments

This topic describes how to exclude IP Addresses/Assets from an Asset Scan in AlienVault USM Appliance.

The recommended solution, following the current SANS and NIST best practices, is to move unscanned devices to a secure subnet in order to more closely watch traffic to and from the systems. Sometimes, however, this option may not be possible. If this is the case, then you will need to configure a network scan which excludes the sensitive addresses.

When scheduling asset scans, you can only enter CIDR notation. Because of this, a scan that excludes the desired IP addresses has to be built from smaller CIDR ranges that subnet around the sensitive addresses. Start by subnetting the larger regions of your base network in order to capture as many addresses as possible, and then fill in the rest of the space with progressively smaller CIDR blocks until all valid address space around the excluded addresses is included.

Example:

If you need to scan the 192.168.1.0/24 subnet but have two printers, at 192.168.1.48 and 192.168.1.225, which cannot be moved, you can create the scan with the following CIDR ranges.

192.168.1.0/27
192.168.1.32/28
192.168.1.49/32
192.168.1.50/31
192.168.1.52/30
192.168.1.56/29
192.168.1.64/26
192.168.1.128/26
192.168.1.192/27
192.168.1.224/32
192.168.1.226/31
192.168.1.228/30
192.168.1.232/29
192.168.1.240/28

Once this is configured, you can run the scan, which will scan around the sensitive addresses while checking the rest of the network for assets.
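
The subnetting procedure described above can be computed and checked with Python's standard ipaddress module. This is an added example, not AlienVault code: the function names scan_ranges and audit_ranges are hypothetical, and the hand-typed list at the end is a constructed sample.

```python
import ipaddress

def scan_ranges(network, excluded):
    """Return the CIDR blocks that cover `network` except the excluded hosts."""
    blocks = [ipaddress.ip_network(network)]
    for addr in excluded:
        host = ipaddress.ip_network(addr)  # a bare address parses as a /32
        remaining = []
        for block in blocks:
            if host.subnet_of(block):
                # Split the block into the subnets surrounding the host.
                remaining.extend(block.address_exclude(host))
            else:
                remaining.append(block)
        blocks = remaining
    # collapse_addresses merges adjacent blocks and returns them sorted.
    return [str(b) for b in ipaddress.collapse_addresses(blocks)]

def audit_ranges(ranges, excluded):
    """Return the problems found in a hand-built list of scan ranges."""
    problems, parsed = [], []
    for text in ranges:
        try:
            # Strict parsing rejects a base address with host bits set.
            parsed.append(ipaddress.ip_network(text))
        except ValueError as err:
            problems.append(f"{text}: invalid network ({err})")
    for addr in excluded:
        ip = ipaddress.ip_address(addr)
        problems += [f"{net}: contains excluded address {addr}"
                     for net in parsed if ip in net]
    for i, a in enumerate(parsed):
        problems += [f"{a}: overlaps {b}" for b in parsed[i + 1:] if a.overlaps(b)]
    return problems

if __name__ == "__main__":
    printers = ["192.168.1.48", "192.168.1.225"]
    for cidr in scan_ranges("192.168.1.0/24", printers):
        print(cidr)
    # Constructed sample of a hand-typed list with typical mistakes.
    typed = ["192.168.1.0/27", "192.168.1.28/30",
             "192.168.1.53/29", "192.168.1.192/26"]
    for problem in audit_ranges(typed, printers):
        print("PROBLEM:", problem)
```

Running audit_ranges on a list before entering it in the scan scheduler catches a block that still contains an excluded address, a base address that does not match its prefix length, and blocks that overlap.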

The Network Startup Resource Center provides a quick reference chart at the following URL, which may serve as a refresher on CIDR subnet sizes:
https://nsrc.org/workshops/2009/summer/presentations/day3/subnetting.pdf