ThreatFactor NSIA

h1. Troubleshooting

h2. NSIA Does Not Scan Some URLs

NSIA may not scan some URLs that you expect it to. Below are potential causes and solutions that may address the issue:

h3. The scanner is hitting the recursion depth limit

Increase the "Levels to Recurse" in the scan rule to allow NSIA to scan more URLs.

h3. The scanner is hitting the scan count limit

Increase the "Maximum Number of Resource to Scan" in the scan rule to allow NSIA to scan more URLs.

h3. The link is not a descendant of one of the links defined in the rule

NSIA will scan all URLS you define and then scan descendants of the URLs until it either hits the scan limit or runs out of URLs to scan. URLs that are not descendants of the one of the defined URLs will not be scanned. To address this, add additional URLs to the "Addresses to Scan" field in the scan rule.

h3. The domain restriction is too restrictive

If the domain restriction is too restrictive then NSIA may be ignoring URLs that you want to scan. For example, a domain limit of +*threatfactor.com/somedir*+ will prevent +*threatfactor.com/anotherdir*+ from being scanned. To fix this, change the domain restriction to be less restrictive (e.g. changing it to +*threatfactor.com*+)..

h2. NSIA Runs Out of Memory

To resolve this either:

* Reduce the rate of the scans (this is preferred)

* Increase the amount of memory available to NSIA

Note that NSIA has a limit on the maximum amount of memory that it will use which is independent of the amount of memory that the server it if running on has. In other words, NSIA may be running out of memory even though the server has plenty of available memory. The maximum limit can be modified by changing the Java settings

h3. Reducing the Scan Rate

To reduce the scan rate, open the configuration page (i.e. http://127.0.0.1:8080/System/Configuration) and reduce the "Maximum HTTP Scan Threads" setting. By default, the system will allocate 10 threads to scanning at one time. Reducing the number of threads will reduce the memory and CPU usage of the system at any one time.

Additionally, reducing the scan frequency of the individual rules may be necessary to reduce the load on the system. Finally, system load can be reduced by decreasing the number of resources to be scanned by lowering the depth or resource limit on HTTP Auto-Discovery rules. However, note that reducing the number of resources to scan reduces the chance that NSIA will detect a security problem. Generally, this option should be avoided.

h3. Increasing Memory

The Java Runtime Environment contains a setting that limits how much memory the application uses. To increase this value, edit the config.ini file and change the value of the JVM.Arguments option. The value of the argument should be "-Xmx" followed by the amount of mamoery you want allocated to the JRE. Below is a sample of a config.ini file that allocates up to 2 GB:

<pre>

JVM.Arguments=-Xmx2g

</pre>

Note that the config.ini file will only have an effect if the NSIA binaries are used (such as "ThreatFactor NSIA.exe" or "ThreatFactor NSIA Service.exe"). You'll need to set the options to the JVM if you are calling it directly. Note that the daemon script that is provided with NSIA will need to be modified to change the memory settings for the the daemon.

h2. NSIA Terminates Indicating "invalid maximum heap size"

NSIA may fail if the memory settings are incorrect with a message such as:

<pre>

Invalid maximum heap size: -Xmx512m

Could not create the Java virtual machine.

</pre>

The settings need to be changed to be more conservative such as:

<pre>

JVM.Arguments=-Xms40m -Xmx256m

</pre>

h2. NSIA Service Terminates

The NSIA service will terminate if the underlying NSIA application could not be executed. The Windows event log may include a message such as: "NSIA has stopped unexpectedly, the service will now shutdown too".

To debug this issue, run NSIA directly (as opposed to running the service) and see if it runs without the service. Follow the instructions below to run it directly:

 # Open a command prompt (Start Menu > Run > cmd.exe)

 # Change to the path that NSIA was installed in (e.g. cd "C:\Program Files\ThreatFactor.com NSIA\")

 # Change to the bin path (cd bin)

 # Run NSIA.jar ("java -jar nsia./jar")

This should start NSIA or throw an error if it could not be launched. Most likely it will fail (since the service could not start it either) indicating why it could not be executed.