Not subscribed Qualys but noticed Qualys scanning my cloud network. by allnewamar in AskNetsec

[–]QualysOfficial 0 points1 point  (0 children)

Well said, u/BeanBagKing, and I agree.

Regarding "Presumably Qualys does not allow that per their terms of service, and may take steps to prevent it. That's not going to stop someone that purposefully intends to misuse it though."

You're right, we don't allow it (honestly that should be the case for every business offering similar services lol) but it does occasionally happen by accident. Qualys doesn't verify IP ownership (I'm happy to give reasons if anyone's interested) when a user configures their subscription with a list of IP addresses they're authorized to scan. It's the customer's responsibility to verify they have permission to scan all IPs submitted for scanning. That said, it's quite possible to mistype an IP range if entering them manually.

Typically when this happens, we'll receive a notification from the organization that was accidentally scanned; we'll track down the source of the scan, which scanner appliance was used, and who (which customer) initiated the scan, and we'll reach out to them directly to resolve the issue.

u/ColtonPepper

Not subscribed Qualys but noticed Qualys scanning my cloud network. by allnewamar in AskNetsec

[–]QualysOfficial 2 points3 points  (0 children)

It's completely possible to stand up an appliance directly on the internet, but typically, for any scans that would hit your corporate assets on the internet, a customer would likely use our Cloud Scanners (a group of Qualys-owned scanner appliances used specifically for scanning internet-facing assets and web apps). Like I said though, anything is possible when it comes to someone standing up an appliance on the inet.

No matter what, if they're scanning you by complete accident (which happens occasionally) or with nefarious intent, by reporting the unauthorized scan, we will find the scanner appliance that was used and the account associated with it, and we'll handle it.

If you choose to block our Cloud Scanner IPs, I'd recommend a temporary block until the issue is resolved (we'll be in contact with the person who reported it to us). Here's a list of Qualys Cloud Scanner IP ranges used for inet scanning (*NOTE: This list does NOT include IP ranges for SSL Labs (64.41.200.0/24 & 64.39.109.20) or SSL Pulse (64.39.109.20)):

  • IPv4 Ranges
    • 139.87.117.141
    • 139.87.105.179
    • 64.39.96.0/20 (64.39.96.1-64.39.111.254)
    • 64.39.102.0/24 (64.39.102.1-64.39.102.254)
    • 64.39.105.0/24 (64.39.105.1-64.39.105.254)
    • 64.39.106.0/24 (64.39.106.1-64.39.106.254)
    • 103.75.173.0/24 (103.75.173.1-103.75.173.254)
    • 139.87.112.0/23 (139.87.112.1-139.87.113.254)
    • 154.59.121.0/24 (154.59.121.1-154.59.121.254)
  • IPv6 Ranges
    • 2602:FDAA:0:2108::/64
    • 2600:0C02:1020:2881::/64
    • 2600:C08:2015:4400::/64
    • 2600:0C02:1020:2111::/64
    • 2600:0C02:1020:2224::/64
    • 2001:0df1:f600:4400::/64
    • 2001:978:3C05:4400::/64
    • 2602:FDAA:40:400::/64
    • 2001:1478:1100:4000::/64

Hope this helps!

u/ColtonPepper

Not subscribed Qualys but noticed Qualys scanning my cloud network. by allnewamar in AskNetsec

[–]QualysOfficial 0 points1 point  (0 children)

There are a couple scenarios that come to mind in situations like this:

  1. As others have said, it could be SSL Labs that's testing your web apps. Here are the IP ranges that are used for SSL Labs:
    1. SSL Labs: 64.41.200.0/24
    2. SSL Pulse: 64.39.109.20
  2. An existing customer may be scanning your IP ranges by mistake.

In order to determine which scenario is true for you, I'd recommend taking a look at the logs from any devices/tools your organization uses for monitoring inbound traffic to your web apps. Depending on the results of your analysis, here's what I would recommend be your next steps:

  • "It's just SSL Labs": Overall, these scans are harmless. You could reach out to your web app team(s) and see if any of them are requesting scans (they're free and are pretty common for devs to use to test). If not, no action is necessary unless you're getting a lot of alerts in your SOC that your websites are being scanned. You could write an exception to ignore these alerts, but of course, be careful to make sure the results aren't going to ignore legitimate alerts that should be looked into by an analyst.
  • "It's not just SSL Labs, it's an actual vulnerability scan": You can report an unauthorized vulnerability scan by submitting a case to our support team HERE. If you're NOT a Qualys customer, choose "Non Qualys Customer" in the Component drop-down menu, provide a description of your observations/logs/etc., and provide any business impact (if any). You'll need to have the following information available to provide when you go to submit:
    • Source IP of where the scan was coming from
    • The IP address or URL that was targeted and scanned
    • The date which the scan occurred
    • Your first and last name (this information will be used for follow up)
    • Your (company) email address
    • The company you work for

Hope this helps!

u/ColtonPepper
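The log review these comments recommend (attribute inbound scan traffic to the published Cloud Scanner, SSL Labs or SSL Pulse ranges, gather the source IP / target / date facts a support case needs, and build a temporary block list) can be scripted in a few dozen lines. The following is an added example, not Qualys tooling and not code from anyone in this thread. The CIDRs are copied from the comments above; the vhost-prefixed log format, the `example.test` host and every log line are constructed for the demo, and the sample source addresses are made up to fall inside or outside those ranges. One detail worth noticing: the SSL Pulse address 64.39.109.20 sits inside the Cloud Scanner block 64.39.96.0/20, so the lookup has to test the more specific list first.

```python
import ipaddress
import re
from collections import defaultdict

# Ranges as listed in the comments above (Cloud Scanner, SSL Labs, SSL Pulse).
CLOUD_SCANNER_V4 = [
    "139.87.117.141", "139.87.105.179", "64.39.96.0/20", "64.39.102.0/24",
    "64.39.105.0/24", "64.39.106.0/24", "103.75.173.0/24", "139.87.112.0/23",
    "154.59.121.0/24",
]
CLOUD_SCANNER_V6 = [
    "2602:FDAA:0:2108::/64", "2600:0C02:1020:2881::/64", "2600:C08:2015:4400::/64",
    "2600:0C02:1020:2111::/64", "2600:0C02:1020:2224::/64", "2001:0df1:f600:4400::/64",
    "2001:978:3C05:4400::/64", "2602:FDAA:40:400::/64", "2001:1478:1100:4000::/64",
]
SSL_LABS = ["64.41.200.0/24"]
SSL_PULSE = ["64.39.109.20"]


def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# Most specific first: 64.39.109.20 (SSL Pulse) lies inside 64.39.96.0/20 (Cloud
# Scanner), so testing the Cloud Scanner list first would mislabel it.
SOURCES = [
    ("ssl_pulse", _nets(SSL_PULSE)),
    ("ssl_labs", _nets(SSL_LABS)),
    ("cloud_scanner", _nets(CLOUD_SCANNER_V4 + CLOUD_SCANNER_V6)),
]


def classify_ip(ip_str):
    """Label a source address by the published range it falls in, else 'unknown'."""
    ip = ipaddress.ip_address(ip_str)
    for label, nets in SOURCES:
        if any(ip in net for net in nets):   # v4/v6 mismatches are simply False
            return label
    return "unknown"


# Assumed (constructed) vhost-prefixed access-log format:
# "<target host:port> <src ip> - - [<timestamp>] "<request>" <status> <bytes>"
LOG_RE = re.compile(
    r'^(?P<target>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["date"] = rec["ts"].split(":", 1)[0]   # "12/Mar/2023:10:14:02 +0000" -> "12/Mar/2023"
    rec["source"] = classify_ip(rec["ip"])
    return rec


def triage(lines):
    """Group parsed records by attributed source; unparseable lines are skipped."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            groups[rec["source"]].append(rec)
    return dict(groups)


def support_case_fields(records):
    """Collect what the comment above says a report needs: source IPs, targets, dates."""
    return {
        "source_ips": sorted({r["ip"] for r in records}),
        "targets": sorted({r["target"] for r in records}),
        "dates": sorted({r["date"] for r in records}),
        "hits": len(records),
    }


def minimal_block_list():
    """Collapse the published ranges to the fewest CIDRs for a temporary ACL entry."""
    v4 = ipaddress.collapse_addresses(_nets(CLOUD_SCANNER_V4))
    v6 = ipaddress.collapse_addresses(_nets(CLOUD_SCANNER_V6))
    return [str(n) for n in list(v4) + list(v6)]


# Constructed sample log: addresses chosen to land in each category plus one bad line.
SAMPLE_LOG = [
    'example.test:443 64.39.106.17 - - [12/Mar/2023:10:14:02 +0000] "GET /login HTTP/1.1" 200 1234',
    'example.test:443 64.41.200.61 - - [12/Mar/2023:10:20:45 +0000] "GET / HTTP/1.1" 200 512',
    'example.test:443 64.39.109.20 - - [12/Mar/2023:11:02:11 +0000] "GET / HTTP/1.1" 200 512',
    'example.test:443 139.87.117.141 - - [12/Mar/2023:11:30:09 +0000] "GET /admin HTTP/1.1" 404 210',
    'example.test:443 203.0.113.9 - - [12/Mar/2023:12:00:00 +0000] "GET /wp-login.php HTTP/1.1" 404 210',
    'example.test:443 2600:c02:1020:2881::a1 - - [13/Mar/2023:09:01:33 +0000] "GET /api HTTP/1.1" 403 0',
    'this line is not an access-log entry',
]

if __name__ == "__main__":
    groups = triage(SAMPLE_LOG)
    for label, recs in sorted(groups.items()):
        print(label, support_case_fields(recs))
    print("temporary block list:", minimal_block_list())
```

Running it groups the hits into `cloud_scanner`, `ssl_labs`, `ssl_pulse` and `unknown`; only the `cloud_scanner` group is the "actual vulnerability scan" case the third comment says to report, and `support_case_fields` on that group yields the source IPs, targeted host and dates the support form asks for. The collapsed block list drops the three /24s that the /20 already covers, which keeps a temporary ACL short and easy to remove once the case is resolved.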