OpenVAS
Greenbone Networks •
Since 2009
Quick Actions
Official Docs
What is OpenVAS?
OpenVAS (Open Vulnerability Assessment Scanner) is a full-featured open-source vulnerability scanner maintained by Greenbone Networks. It evolved from the original open-source Nessus project and provides comprehensive vulnerability testing with a regularly updated feed of network vulnerability tests. As a security tool, it does not respect robots.txt.
User Agent String
OpenVAS
How to Control OpenVAS
Block Completely
To prevent OpenVAS from accessing your entire website, add this to your robots.txt file:
# Block OpenVAS
User-agent: OpenVAS
Disallow: /
Block Specific Directories
To restrict access to certain parts of your site while allowing others:
User-agent: OpenVAS
Disallow: /admin/
Disallow: /private/
Disallow: /wp-admin/
Allow: /public/
Set Crawl Delay
To slow down the crawl rate (note: not all bots respect this directive):
User-agent: OpenVAS
Crawl-delay: 10
How to Verify OpenVAS
Verification Method:
Verify scanner is authorized by the website owner
Verify scanner is authorized by the website owner
Learn more in the official documentation.
Detection Patterns
Multiple ways to detect OpenVAS in your application:
Basic Pattern
/OpenVAS/iStrict Pattern
/^OpenVAS$/Flexible Pattern
/OpenVAS[\s\/]?[\d\.]*?/iVendor Match
/.*Greenbone Networks.*OpenVAS/iImplementation Examples
// PHP Detection for OpenVAS
function detect_openvas() {
$user_agent = $_SERVER['HTTP_USER_AGENT'] ?? '';
$pattern = '/OpenVAS/i';
if (preg_match($pattern, $user_agent)) {
// Log the detection
error_log('OpenVAS detected from IP: ' . $_SERVER['REMOTE_ADDR']);
// Set cache headers
header('Cache-Control: public, max-age=3600');
header('X-Robots-Tag: noarchive');
// Optional: Serve cached version
if (file_exists('cache/' . md5($_SERVER['REQUEST_URI']) . '.html')) {
readfile('cache/' . md5($_SERVER['REQUEST_URI']) . '.html');
exit;
}
return true;
}
return false;
}
# Python/Flask Detection for OpenVAS
import re
from flask import request, make_responsedef detect_openvas():
user_agent = request.headers.get('User-Agent', '')
pattern = r'OpenVAS'
if re.search(pattern, user_agent, re.IGNORECASE):
# Create response with caching
response = make_response()
response.headers['Cache-Control'] = 'public, max-age=3600'
response.headers['X-Robots-Tag'] = 'noarchive'
return True
return False# Django Middleware
class OpenVASMiddleware:
def __init__(self, get_response):
self.get_response = get_response
def __call__(self, request):
if self.detect_bot(request):
# Handle bot traffic
pass
return self.get_response(request)
// JavaScript/Node.js Detection for OpenVAS
const express = require('express');
const app = express();// Middleware to detect OpenVAS
function detectOpenVAS(req, res, next) {
const userAgent = req.headers['user-agent'] || '';
const pattern = /OpenVAS/i;
if (pattern.test(userAgent)) {
// Log bot detection
console.log('OpenVAS detected from IP:', req.ip);
// Set cache headers
res.set({
'Cache-Control': 'public, max-age=3600',
'X-Robots-Tag': 'noarchive'
});
// Mark request as bot
req.isBot = true;
req.botName = 'OpenVAS';
}
next();
}app.use(detectOpenVAS);
# Apache .htaccess rules for OpenVAS# Block completely
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} OpenVAS [NC]
RewriteRule .* - [F,L]# Or redirect to a static version
RewriteCond %{HTTP_USER_AGENT} OpenVAS [NC]
RewriteCond %{REQUEST_URI} !^/static/
RewriteRule ^(.*)$ /static/$1 [L]# Or set environment variable for PHP
SetEnvIfNoCase User-Agent "OpenVAS" is_bot=1# Add cache headers for this bot
<If "%{HTTP_USER_AGENT} =~ /OpenVAS/i">
Header set Cache-Control "public, max-age=3600"
Header set X-Robots-Tag "noarchive"
</If>
# Nginx configuration for OpenVAS# Map user agent to variable
map $http_user_agent $is_openvas {
default 0;
~*OpenVAS 1;
}server {
# Block the bot completely
if ($is_openvas) {
return 403;
}
# Or serve cached content
location / {
if ($is_openvas) {
root /var/www/cached;
try_files $uri $uri.html $uri/index.html @backend;
}
try_files $uri @backend;
}
# Add headers for bot requests
location @backend {
if ($is_openvas) {
add_header Cache-Control "public, max-age=3600";
add_header X-Robots-Tag "noarchive";
}
proxy_pass http://backend;
}
}
Should You Block This Bot?
Recommendations based on your website type:
| Site Type | Recommendation | Reasoning |
|---|---|---|
| E-commerce | Optional | Evaluate based on bandwidth usage vs. benefits |
| Blog/News | Allow | Increases content reach and discoverability |
| SaaS Application | Block | No benefit for application interfaces; preserve resources |
| Documentation | Selective | Allow for public docs, block for internal docs |
| Corporate Site | Limit | Allow for public pages, block sensitive areas like intranets |
Advanced robots.txt Configurations
E-commerce Site Configuration
User-agent: OpenVAS
Crawl-delay: 5
Disallow: /cart/
Disallow: /checkout/
Disallow: /my-account/
Disallow: /api/
Disallow: /*?sort=
Disallow: /*?filter=
Disallow: /*&page=
Allow: /products/
Allow: /categories/
Sitemap: https://example.com/sitemap.xml
Publishing/Blog Configuration
User-agent: OpenVAS
Crawl-delay: 10
Disallow: /wp-admin/
Disallow: /drafts/
Disallow: /preview/
Disallow: /*?replytocom=
Allow: /
SaaS/Application Configuration
User-agent: OpenVAS
Disallow: /app/
Disallow: /api/
Disallow: /dashboard/
Disallow: /settings/
Allow: /
Allow: /pricing/
Allow: /features/
Allow: /docs/
Quick Reference
User Agent Match
OpenVASRobots.txt Name
OpenVASCategory
securityRespects robots.txt
May not respect
Copied to clipboard!