NNM Plugin Syntax


NNM plugins allow spaces and comment fields that start with a number (#) sign. Each plugin must be separated with the word “NEXT” on a single line. Create a .prm file in the plugins directory to make it available for use. You must restart NNM to use new custom plugins.

Plugin Keywords

There are several keywords available for writing passive vulnerability plugins for NNM. Some of these keywords are mandatory and some are optional. In the table below, mandatory keywords are highlighted in blue.

Name: Description

bid: Tenable assigns SecurityFocus Bugtraq IDs (BID) to NNM plugins. This allows a user reading a report generated by NNM to link to more information available at http://www.securityfocus.com/bid. Multiple Bugtraq entries can be typed on one line if separated by commas.

bmatch: This is the same as match but can look for any type of data. A bmatch must always have an even number of alphanumeric characters.

[keyword name not recoverable]: If a vulnerability is determined in a network client such as a web browser or an email tool, a server port is associated with the reported vulnerability.

cve: Tenable also assigns Common Vulnerability and Exposure (CVE) tags to each NNM plugin. This allows a user reading a report generated by NNM to link to more information available at http://cve.mitre.org/. Multiple CVE entries can be typed on one line if separated by commas.

dependency: This is the opposite of noplugin. Instead of specifying another plugin that has failed, this keyword specifies which plugin must succeed. This keyword specifies an NNM ID that should exist to evaluate the plugin. In addition, this keyword can take the form dependency=ephemeral-server-port, which means the evaluated server must have an open port above port 1024.

dport: This is the same as sport, but for destination ports.

[keyword name not recoverable]: Displays exploitability factors for the selected vulnerability. For example, if the vulnerability is exploitable via both Canvas and Core and has a unique CVSS temporal score, the following tags may be displayed in the plugin output:

    CANVAS : D2ExploitPack
    CORE : true

family: Each Tenable plugin for NNM is included in a family. This designation allows Tenable to group NNM plugins into easily managed sets that can be reported on individually.

[keyword name not recoverable]: This is the same as hs_sport except for destination ports.

hs_sport: Normally, when NNM runs its plugins, they are either free ranging, looking for matches on any port, or fixed to specific ports with the sport or dport keywords. In very high speed networks, many plugins have a fallback port, known as a high-speed port, which focuses the plugin on only one specific port. In High Performance mode, the performance of an NNM plugin with an hs_sport keyword is exactly the same as if the plugin had been written with the sport keyword.

id: Each NNM plugin needs a unique rule ID. Tenable assigns these 16 bit numbers within the overall NNM range of valid entries. A list of the current NNM plugin IDs can be found on the Tenable website.

match: This keyword specifies a set of one or more simple ASCII patterns that must be present in order for the more complex pattern analysis to take place. The match keyword gives NNM a lot of its performance and functionality. With this keyword, if NNM does not see the simple pattern, the entire plugin does not match.

name: This is the name of the vulnerability NNM has detected. Though multiple NNM plugins can have the same name, it is not encouraged.

nid: To track compatibility with the Nessus vulnerability scanner, Tenable associates NNM vulnerability checks with relevant Nessus vulnerability checks. Multiple Nessus IDs can be listed under one nid entry, such as nid=10222,10223.

nooutput: For plugins that are written specifically to be used as part of a dependency with another plugin, the nooutput keyword causes NNM not to report anything for any plugin with this keyword enabled.

noplugin: This keyword prevents a plugin from being evaluated if another plugin has already matched. For example, it may make sense to write a plugin that looks for a specific anonymous FTP vulnerability, but disable it if another plugin that checked for anonymous FTP has already failed.

[keyword name not recoverable]: This is the same as bmatch except for binary data on the previous side of the reconstructed network session.

[keyword name not recoverable]: This keyword displays dynamic data for a given vulnerability or event. The dynamic data is usually represented using %L or %P, and its value is obtained from the regular expressions defined using regex, regexi, pregex, or pregexi.

[keyword name not recoverable]: This keyword is the same as match but is applied against the previous packet on the other side of the reconstructed network session.

pregex: This is the same as regex except the regular expression is applied to the previous side of the reconstructed network session.

pregexi: This is the same as pregex except the pattern matching is not case sensitive.

[keyword name not recoverable]: This keyword is used to specify the protocol number of the protocol causing the plugin to fire.

regex: This keyword specifies a complex regular expression search rule applied to the network session.

regexi: This is the same as regex except the pattern matching is not case sensitive.

risk: All NNM plugins need a risk setting. Risks are classified as INFO, LOW, MEDIUM, HIGH, and CRITICAL. An INFO risk is an informational vulnerability such as client or server detection. A LOW risk is an informational vulnerability such as an active port or service. A MEDIUM risk is something that may be exploitable or discloses information. A HIGH risk is something that is easily exploitable. A CRITICAL risk is something that is very easily exploitable and allows for malicious attacks.

[keyword name not recoverable]: If one or more URLs are available, this keyword can be used to display them. Multiple URLs can be specified on one line if separated by commas. Example entries for this include CERT advisories and vendor information websites.

solution: If a solution is available, it can be described here. The report section highlights the solution with different text.

sport: This setting applies the NNM plugin to just one port. For example, you may wish to write an SNMP plugin that just looks for activity on port 162. However, for detection of off-port services, like a web server running on port 8080, a sport field is not used in the plugin.

[keyword name not recoverable]: This field describes on one line the nature of the detected vulnerability. This data is printed out by NNM when printing the vulnerability report. Macros are available that allow the printing of matched network traffic such as banner information and are discussed in the examples below. For line breaks, the characters “\n” can be used to invoke a new line.

[keyword name not recoverable]: This keyword slightly modifies the functionality of the noplugin and dependency keywords such that the evaluation must have occurred within the last N seconds.

udp: This keyword specifies that the plugin is to be based on the UDP protocol rather than the TCP protocol.

Tip: In addition to tcp or udp, the following protocols are supported: sctp, icmp, igmp, ipip, egp, pup, idp, tp, rsvp, gre, pim, esp, ah, mtp, encap, comp, ipv6, ospf, eigrp, isis, raw, or other.
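A small validator for the .prm conventions described on this page (one keyword=value per line, # comments, plugins separated by a line containing only NEXT, a unique id, a risk from the listed set, and an even-length bmatch), added here as an example; it is not Tenable's code, and the sample file and its plugin id are constructed.

```python
# Added example, not Tenable's code: a validator for the .prm plugin format
# described above. Assumes one keyword=value per line, '#' comments, and NEXT
# on its own line between plugins. The sample file and its id are constructed.
import re

RISKS = {"INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"}

SAMPLE = """\
# constructed plugin file; the second plugin carries deliberate mistakes
id=700001
name=Example web server banner
risk=INFO
sport=80
regex=^Server: (.+)$
description=Web server banner: %L
NEXT
id=700001
name=Broken plugin
risk=Severe
bmatch=abc
"""

def parse_prm(text):
    """Split a .prm file into plugins; each plugin is a list of (keyword, value)."""
    plugins = []
    for block in re.split(r"(?m)^NEXT$", text):      # NEXT separates plugins
        entries = []
        for raw in block.splitlines():
            line = raw.strip()
            if line and not line.startswith("#"):     # skip blanks and comments
                key, _, value = line.partition("=")
                entries.append((key.strip(), value.strip()))
        if entries:
            plugins.append(entries)
    return plugins

def validate(plugins):
    """Return the problems found: unique id, valid risk, even-length bmatch."""
    problems, seen_ids = [], set()
    for n, plugin in enumerate(plugins, 1):
        keys = dict(plugin)
        pid = keys.get("id")
        if pid is None or pid in seen_ids:
            problems.append(f"plugin {n}: missing or duplicate id {pid}")
        seen_ids.add(pid)
        if keys.get("risk") not in RISKS:
            problems.append(f"plugin {n}: risk must be one of {sorted(RISKS)}")
        for key, value in plugin:
            if key == "bmatch" and (len(value) % 2 or not value.isalnum()):
                problems.append(f"plugin {n}: bmatch needs an even number of alphanumeric characters")
    return problems
```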
