Tenable Nessus Network Monitor Plugin Syntax

Plugins

Tenable Nessus Network Monitor plugins allow spaces and comment fields that start with a number sign (#). Each plugin must be separated from the next by the word “NEXT” on a line of its own. Create a .prm file in the plugins directory to make it available for use. You must restart Tenable Nessus Network Monitor to use new custom plugins.

Plugin Keywords

There are several keywords available for writing passive vulnerability plugins for Tenable Nessus Network Monitor. Some of these keywords are mandatory and some are optional. In the table below, mandatory keywords are shown in bold.

Name Description

bid

Tenable assigns SecurityFocus Bugtraq IDs (BID) to Tenable Nessus Network Monitor plugins. This allows a user reading a report generated by Tenable Nessus Network Monitor to link to more information available at http://www.securityfocus.com/bid. Multiple Bugtraq entries can be typed on one line if separated by commas.

bmatch

This is the same as match but can look for any type of data. A bmatch must always have an even number of alphanumeric characters.

clientissue

If a vulnerability is determined in a network client such as a web browser or an email tool, a server port is associated with the reported vulnerability.

cve

Tenable also assigns Common Vulnerability and Exposure (CVE) tags to each Tenable Nessus Network Monitor plugin. This allows a user reading a report generated by Tenable Nessus Network Monitor to link to more information available at http://cve.mitre.org/. Multiple CVE entries can be typed on one line if separated by commas.

dependency

This is the opposite of noplugin. Instead of specifying another plugin that has failed, this keyword specifies which plugin must succeed. This keyword specifies a Tenable Nessus Network Monitor ID that should exist to evaluate the plugin. In addition, this keyword can take the form dependency=ephemeral-server-port, which means the evaluated server must have an open port above port 1024.

dport

This is the same as sport, but for destination ports.

Exploitability: canvas, core, cvsstemporal, metasploit

Displays exploitability factors for the selected vulnerability. For example, if the vulnerability is exploitable via both Canvas and Core and has a unique CVSS temporal score, the following tags may be displayed in the plugin output:

CANVAS : D2ExploitPack

CORE : true

CVSSTEMPORAL : CVSS2#E:F/RL:OF/RC:C

family

Each Tenable plugin for Tenable Nessus Network Monitor is included in a family. This designation allows Tenable to group Tenable Nessus Network Monitor plugins into easily managed sets that can be reported on individually.

hs_dport

This is the same as hs_sport except for destination ports.

hs_sport

Normally, when Tenable Nessus Network Monitor runs its plugins, they are either free-ranging, looking for matches on any port, or fixed to specific ports with the sport or dport keywords. In very high speed networks, many plugins have a fallback port, known as a high-speed port, which focuses the plugin on only one specific port. In High Performance mode, the performance of a Tenable Nessus Network Monitor plugin with an hs_sport keyword is exactly the same as if the plugin had been written with the sport keyword.

id

Each Tenable Nessus Network Monitor plugin needs a unique rule ID. Tenable assigns these 16-bit numbers within the overall Tenable Nessus Network Monitor range of valid entries. A list of the current Tenable Nessus Network Monitor plugin IDs can be found on the Tenable website.

match

This keyword specifies a set of one or more simple ASCII patterns that must be present in order for the more complex pattern analysis to take place. The match keyword gives Tenable Nessus Network Monitor a lot of its performance and functionality. With this keyword, if it does not see a simple pattern, the entire plugin does not match.

name

This is the name of the vulnerability Tenable Nessus Network Monitor has detected. Though multiple Tenable Nessus Network Monitor plugins can have the same name, it is not encouraged.

nid

To track compatibility with the Tenable Nessus vulnerability scanner, Tenable associates Tenable Nessus Network Monitor vulnerability checks with relevant Tenable Nessus vulnerability checks. Multiple Tenable Nessus IDs can be listed under one nid entry such as nid=10222,10223.

nooutput

For plugins that are written specifically to be used as part of a dependency with another plugin, the nooutput keyword causes Tenable Nessus Network Monitor not to report anything for any plugin with this keyword enabled.

noplugin

This keyword prevents a plugin from being evaluated if another plugin has already matched. For example, it may make sense to write a plugin that looks for a specific anonymous FTP vulnerability, but disable it if another plugin that checked for anonymous FTP has already failed.

pbmatch

This is the same as bmatch except for binary data on the previous side of the reconstructed network session.

plugin_output

This keyword displays dynamic data for a given vulnerability or event. The dynamic data is usually represented using %L or %P, and its value is obtained from the regular expressions defined using regex, regexi, pregex, or pregexi.

pmatch

This keyword is the same as match but is applied against the previous packet on the other side of the reconstructed network session.

pregex

This is the same as regex except the regular expression is applied to the previous side of the reconstructed network session.

pregexi

This is the same as pregex except the pattern matching is not case sensitive.

protocol_id

This keyword is used to specify the protocol number of the protocol causing the plugin to fire.

regex

This keyword specifies a complex regular expression search rule applied to the network session.

regexi

This is the same as regex except the pattern matching is not case sensitive.

risk

All Tenable Nessus Network Monitor plugins need a risk setting. Risks are classified as INFO, LOW, MEDIUM, HIGH, and CRITICAL. An INFO risk is an informational vulnerability such as client or server detection. A LOW risk is an informational vulnerability such as an active port or service. A MEDIUM risk is something that may be exploitable or discloses information. A HIGH risk is something that is easily exploitable. A CRITICAL risk is something that is very easily exploitable and allows for malicious attacks.

seealso

If one or more URLs are available, this keyword can be used to display them. Multiple URLs can be specified on one line if separated by commas. Example entries for this include CERT advisories and vendor information websites.

solution

If a solution is available, it can be described here. The report section highlights the solution with different text.

sport

This setting applies the Tenable Nessus Network Monitor plugin to just one port. For example, you may wish to write an SNMP plugin that looks only for activity on port 162. However, for detection of off-port services, such as a web server running on port 8080, a sport field is not used in the plugin.

stripped_description

This field describes, on a single line, the nature of the detected vulnerability. This data is printed out by Tenable Nessus Network Monitor when printing the vulnerability report. Macros are available that allow the printing of matched network traffic such as banner information and are discussed in the examples below. For line breaks, the characters “\n” can be used to insert a new line.

timed-dependency

This keyword slightly modifies the functionality of the noplugin and dependency keywords such that the evaluation must have occurred within the last N seconds.

udp

This keyword specifies that plugins are to be based on the UDP protocol rather than TCP protocol.

Tip: In addition to tcp or udp, the following protocols are supported: sctp, icmp, igmp, ipip, egp, pup, idp, tp, rsvp, gre, pim, esp, ah, mtp, encap, comp, ipv6, ospf, eigrp, isis, raw, or other.
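The following is an added example, not Tenable's own parser or any code from this documentation: a small Python linter that applies the rules stated above to a .prm file before you restart Tenable Nessus Network Monitor. It assumes keywords are written one per line as key=value (as in nid=10222,10223), that NEXT alone on a line separates plugins, and that lines starting with # are comments; the sample plugin text, its ids and its CVE placeholders are constructed for illustration.

```python
# Added example, not Tenable's own parser: a linter applying only the rules this
# page states for .prm files.  The sample below is constructed, not a real plugin.
VALID_RISKS = {"INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"}
MULTI_VALUE_KEYS = {"bid", "cve", "nid", "seealso"}  # comma-separated on one line

# Constructed sample: ids and CVE values are placeholders; plugin 2 has a
# deliberate odd-length bmatch for the linter to catch.
SAMPLE_PRM = """\
# comment lines start with '#'
id=7999
name=Example Banner Detection
risk=INFO
match=Server:
regex=^Server: ([^\\r\\n]+)
plugin_output=The remote server banner is: %L
cve=CVE-0000-0001,CVE-0000-0002
NEXT
id=7998
risk=LOW
bmatch=ABC
"""

def parse_prm(text):
    plugins, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are ignored
        if line == "NEXT":  # NEXT alone on a line ends the current plugin
            plugins.append(current)
            current = {}
            continue
        key, sep, value = line.partition("=")
        if sep:  # lines without '=' are not keywords and are skipped
            key, value = key.strip(), value.strip()
            current[key] = (value.split(",") if key in MULTI_VALUE_KEYS else value)
    if current:
        plugins.append(current)
    return plugins

def lint_plugin(plugin):
    problems = []
    pid = plugin.get("id", "")
    if not pid.isdigit() or int(pid) >= 2**16:
        problems.append("id missing or not a 16-bit number")
    if plugin.get("risk") not in VALID_RISKS:
        problems.append("risk missing or not INFO/LOW/MEDIUM/HIGH/CRITICAL")
    bm = plugin.get("bmatch")
    if bm is not None and len(bm) % 2:
        problems.append("bmatch must have an even number of characters")
    return problems
```

Run lint_plugin over each dict returned by parse_prm to get a list of violations per plugin; an empty list means the plugin passed the checks this page describes.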
