Plugin Settings Section

The Plugin Settings section allows you to create custom, passive plugins, enable/disable existing plugins and PASLs, and modify the SIEM core queries.

The Plugin Settings section contains the following subsections:

  • Plugin Management - Provides separate lists of enabled and disabled plugins, the options to move plugins between those lists, and the option to delete custom plugins.
  • PASL Management - Provides separate lists of enabled and disabled PASLs and the options to move PASLs between those lists.
  • SIEM Plugin Management - Shows options for managing plugins related to SIEM analysis.

    Note: SIEM analysis features are only available for RH/CentOS 7 and RH/CentOS 8.

    The following table provides a brief summary of each SIEM plugin setting:

    SIEM Plugin Option Purpose

    Key Name

    The SIEM event category for events collected from a Windows or Linux system.

    Plugin IDs

    The plugin IDs associated with the selected SIEM event category/Key Name.

    SIEM Server

    The SIEM server related to the plugin. The options for this box are configured in the SIEM Servers section of the Tenable Nessus Network Monitor Settings Section.

    Query Prefix

    (Optional) The custom query prefix for additional query functionality.

    Core Query

    The system-generated query related to the selected Key Name. This query is not configurable.

    Query Suffix

    (Optional) The custom query suffix for additional query functionality.

  • Create Custom Plugin - Shows options for creating custom plugins and creating new plugin fields.

    The following table provides a brief summary of each custom plugin option:

    Custom Plugin Option Purpose

    ID

    The unique numeric ID of the plugin.

    Name

    The name of the plugin. The plugin name should start with the vendor name.

    Description

    The full text description of the vulnerability.

    Synopsis

    A brief description of the plugin or vulnerability.

    Solution

    Remediation information for the vulnerability.

    See Also

    External references to additional information regarding the vulnerability.

    Risk

    Info, Low, Medium, High, or Critical risk factor.

    Plugin Output

    Displays dynamic data in Tenable Nessus Network Monitor plugin reports.

    Family

    The family to which the plugin belongs.

    Dependency

    Other dependencies required to trigger the custom plugin.

    NoPlugin

    Prevents a plugin from being evaluated if another plugin has already matched. For example, it may make sense to write a plugin that looks for a specific anonymous FTP vulnerability, but to disable it if another plugin that checked for anonymous FTP had already failed.

    No Output

    For plugins that are written specifically to be used as part of a dependency with another plugin. When enabled, this keyword causes Tenable Nessus Network Monitor not to report anything for any plugin that has it enabled.

    Client Issue

    Indicates the vulnerability is located on the client side.

    Plugin Type

    Vuln, realtime, or realtimeonly plugin type.

    cve

    The CVE reference.

    bid

    The Bugtraq ID (BID) reference.

    osvdb

    The external reference (e.g., OSVDB, Secunia, MS Advisory).

    nid

    To track compatibility with the Tenable Nessus vulnerability scanner, Tenable® associates Tenable Nessus Network Monitor vulnerability checks with relevant Tenable Nessus vulnerability checks. Multiple Tenable Nessus IDs can be listed under one nid entry such as nid=10222,10223.

    cpe

    Filters the result of discovered vulnerabilities based on their CPE identifier.

    Match

    This keyword specifies a set of one or more simple ASCII patterns that must be present in order for the more complex pattern analysis to take place. The match keyword gives Tenable Nessus Network Monitor significant performance and functionality.

    Regex

    Specifies a complex regular expression search rule applied to the network session.

    Revision

    The revision number associated with the custom plugin.

    Raw Text Preview

    A preview of the custom plugin in raw text. An example of a custom plugin created to find an IMAP banner of Tenable Rocks is:

    id=79000
    name=IMAP Banner
    description=An IMAP server is running on this port. Its banner is Tenable Rocks
    risk=NONE
    match=OK
    match=IMAP
    match=server ready
    regex=^.*OK.*IMAP.*Tenable Rocks
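The Match and Regex rows above describe a two-stage check: simple patterns first, the regular expression only if all of them are present. The sketch below is an added example, not Tenable code. It parses the raw plugin text shown above and applies that order to constructed banner strings. It is a simplified model: plain case-sensitive substring matching and Python's `re` syntax are assumptions, and `parse_plugin` and `evaluate` are hypothetical helper names.

```python
import re

# Raw plugin text copied from the Raw Text Preview example on this page.
PLUGIN_TEXT = """\
id=79000
name=IMAP Banner
description=An IMAP server is running on this port. Its banner is Tenable Rocks
risk=NONE
match=OK
match=IMAP
match=server ready
regex=^.*OK.*IMAP.*Tenable Rocks
"""


def parse_plugin(text):
    """Parse key=value plugin lines; repeated match= lines collect into a list."""
    plugin = {"match": []}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if not sep or not key:
            raise ValueError(f"line {lineno}: expected key=value, got {line!r}")
        if key == "match":
            plugin["match"].append(value)
        else:
            plugin[key] = value
    if not plugin.get("id", "").isdigit():
        raise ValueError("plugin needs a numeric id")
    if "regex" in plugin:
        re.compile(plugin["regex"])  # reject a broken regex at parse time
    return plugin


def evaluate(plugin, payload):
    """Return (stage, matched). Every match pattern must be present first;
    the regex is only evaluated when that cheap gate passes."""
    if any(pattern not in payload for pattern in plugin["match"]):
        return ("match", False)
    regex = plugin.get("regex")
    if regex is None:
        return ("match", True)
    return ("regex", re.search(regex, payload) is not None)
```

In this model a banner such as `* OK IMAP4rev1 Tenable Rocks` satisfies the regex but is still rejected, because the `match=server ready` pattern is missing; an over-specific match line silently narrows what the plugin detects.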