At Rapid7, our commitment is to provide you with the most accurate and reliable scan data possible; as such, we are continuously updating our underlying technology. Today we are excited to announce an upcoming enhancement to the InsightVM scan engine, aimed at improving the accuracy of Simple Network Management Protocol (SNMP) fingerprinting in unauthenticated scans and reducing false positives in your scan results.
What's changing?
InsightVM is being upgraded to a newer version of Nmap, moving from 7.92 to 7.95, which changes how UDP ports are assessed. Nmap marks a UDP port closed only when the probe draws an ICMP port-unreachable reply; a probe that gets no answer at all is reported as open|filtered, because a host that silently drops the packet and a service that does not answer that particular probe look identical on the wire. Our testing shows the new version is noticeably more careful with these ambiguous ports: far fewer ports are definitively marked closed, and correspondingly more are reported as open|filtered.
That shift exposed a weakness in our own handling of the open|filtered state during unauthenticated SNMPv1 and SNMPv2 fingerprinting, which could report a service that was never confirmed. With the new UDP port detection in Nmap the rate of those false positives would have increased, so we have reworked the fingerprinting logic to be more reliable.
Increasing reliability and reducing false positives
For unauthenticated scans, our platform will now adopt a more direct approach to identifying SNMP services. This change is designed to deliver more accurate results and reduce the noise from potential false positives.
Authenticated scans that use valid SNMP credentials are not affected by this change. SNMPv3 scanning is also unaffected: it uses a different, user-based security model rather than community strings, so the community-string probing described here never applies to it.
What this means for your scans
With this new, more accurate behavior, reliable fingerprinting of SNMPv1 and v2 services will be achieved under the following conditions:
An unauthenticated scan against an SNMP asset that is using one of the common, default community strings that our scanner checks for.
An authenticated scan against any SNMP asset where you have provided valid credentials.
A key benefit of this change is a reduction in false positives, particularly for certain types of SNMPv1 and SNMPv2 servers.
Which SNMPv1 and SNMPv2 servers will see this change?
This change is unlikely to affect most Linux SNMPv1 and SNMPv2 servers, because they typically respond with an authentication error to an incorrect community string. Any well-formed SNMP reply, including an error, is enough for our scanner to confirm that the service is running.
The native SNMP service on Windows, by contrast, silently drops requests that carry a non-default community string, so the scanner sees no reply at all. Our previous method could flag these open|filtered ports as a running SNMP service. With the new logic, the scanner no longer attempts to fingerprint SNMP when the only evidence is silence, which significantly improves accuracy for these assets. The same applies to any other network device that adopts a similar "silent drop" posture.
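The three outcomes described above (an SNMP reply of any kind, an ICMP port-unreachable, or silence) are exactly what an unauthenticated prober has to tell apart. The following is an added example, not Rapid7's or InsightVM's code, showing the decision in working form: it BER-encodes an SNMPv1/v2c GetRequest for sysDescr.0, parses a GetResponse (including one with a non-zero error-status), and maps each probe outcome onto closed, open, or open|filtered, treating silence as inconclusive rather than as evidence of SNMP. The community list, request IDs and the `classify`/`probe` helper names are assumptions made for the example; the live `probe` relies on a connected UDP socket so that an ICMP unreachable surfaces as `ConnectionRefusedError` (Linux behaviour).

```python
"""Minimal SNMPv1/v2c probe illustrating the open / closed / open|filtered decision.

Added example; not InsightVM code. Wire version values: 0 = SNMPv1, 1 = SNMPv2c.
"""
import socket
from typing import Optional, Sequence, Tuple

SYS_DESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)          # sysDescr.0
DEFAULT_COMMUNITIES = ("public", "private")          # constructed short list for the example


def _tlv(tag: int, body: bytes) -> bytes:
    """BER type-length-value; uses long-form length above 127 bytes."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _int(v: int) -> bytes:
    """BER INTEGER (two's complement, minimal length)."""
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def _oid(arcs: Sequence[int]) -> bytes:
    """BER OBJECT IDENTIFIER with base-128 sub-identifier encoding."""
    body = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        body.extend(chunk)
    return _tlv(0x06, bytes(body))


def _message(pdu_tag: int, community: str, version: int, request_id: int,
             error_status: int, value: Optional[bytes]) -> bytes:
    val = _tlv(0x04, value) if value is not None else b"\x05\x00"   # OCTET STRING or NULL
    varbind = _tlv(0x30, _oid(SYS_DESCR_OID) + val)
    pdu = _tlv(pdu_tag, _int(request_id) + _int(error_status) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(version) + _tlv(0x04, community.encode()) + pdu)


def build_get_request(community: str, version: int = 1, request_id: int = 1) -> bytes:
    """GetRequest (tag 0xA0) for sysDescr.0, as a scanner would send it."""
    return _message(0xA0, community, version, request_id, 0, None)


def build_get_response(community: str, value: Optional[bytes], error_status: int = 0,
                       version: int = 1, request_id: int = 1) -> bytes:
    """GetResponse (tag 0xA2); used here to construct sample agent replies."""
    return _message(0xA2, community, version, request_id, error_status, value)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + ln], pos + ln


def parse_response(data: bytes) -> Optional[dict]:
    """Return version/community/error_status/value for a well-formed GetResponse, else None."""
    try:
        tag, msg, _ = _read_tlv(data, 0)
        if tag != 0x30:
            return None
        t1, ver, p = _read_tlv(msg, 0)
        t2, comm, p = _read_tlv(msg, p)
        t3, pdu, _ = _read_tlv(msg, p)
        if (t1, t2, t3) != (0x02, 0x04, 0xA2):
            return None
        _, _rid, q = _read_tlv(pdu, 0)
        _, err, q = _read_tlv(pdu, q)
        _, _idx, q = _read_tlv(pdu, q)
        _, vbl, _ = _read_tlv(pdu, q)
        value = None
        if vbl:
            _, vb, _ = _read_tlv(vbl, 0)
            _, _oidb, r = _read_tlv(vb, 0)
            vtag, vbody, _ = _read_tlv(vb, r)
            value = vbody if vtag == 0x04 else None
        return {"version": int.from_bytes(ver, "big", signed=True),
                "community": comm.decode(errors="replace"),
                "error_status": int.from_bytes(err, "big", signed=True),
                "value": value}
    except (IndexError, ValueError):
        return None


def classify(reply: Optional[bytes], icmp_unreachable: bool = False) -> Tuple[str, str]:
    """Map one probe outcome onto a port state and a reason.

    Only a reply or an ICMP unreachable is conclusive; silence stays open|filtered
    and must not be reported as SNMP (the Windows / silent-drop case)."""
    if icmp_unreachable:
        return "closed", "ICMP port unreachable"
    if reply is None:
        return "open|filtered", "no reply: SNMP not confirmed, do not fingerprint"
    parsed = parse_response(reply)
    if parsed is None:
        return "open", "reply received but not a parsable SNMP GetResponse"
    if parsed["error_status"]:
        return "open", f"SNMP confirmed via error-status {parsed['error_status']} (community rejected)"
    return "open", f"SNMP confirmed, community accepted, sysDescr={parsed['value']!r}"


def probe(host: str, communities: Sequence[str] = DEFAULT_COMMUNITIES,
          port: int = 161, timeout: float = 2.0) -> Tuple[str, str]:
    """Live probe: one GetRequest per community, stopping at the first conclusive result."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))   # connected socket: ICMP unreachable -> ConnectionRefusedError
        for rid, community in enumerate(communities, start=1):
            s.send(build_get_request(community, request_id=rid))
            try:
                return classify(s.recv(4096))
            except ConnectionRefusedError:
                return classify(None, icmp_unreachable=True)
            except socket.timeout:
                continue          # silent drop for this community; try the next one
    return classify(None)          # every community went unanswered: still ambiguous
```

`probe("192.0.2.10")` is the live use; everything else runs offline. The point to take from `classify` is the asymmetry: a rejected community string that still draws an error reply proves a listener, while a community string that draws nothing proves nothing, so the scanner should stop at open|filtered rather than guess.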
Our recommendations
For the most accurate and reliable fingerprinting of your SNMPv1 and v2 servers, we strongly recommend configuring your scans with credentials. A valid community string produces a definite reply from the agent, which removes the ambiguity that unauthenticated UDP probing cannot resolve. Authenticated scanning is a security best practice that provides the most detailed and accurate information about the services running on your assets.
We are confident that this enhancement will improve the quality of your scan data and help you focus on what matters most.
You can check out Rapid7’s Vulnerability Management solution, InsightVM, in greater detail here.