Tenable Nessus Network Monitor Plugin Syntax
Plugins
Tenable Nessus Network Monitor plugin files allow spaces and comment lines that start with a number sign (#). Each plugin must be separated from the next by the word "NEXT" on a line by itself. To add a custom plugin, create a .prm file in the plugins directory. You must restart Tenable Nessus Network Monitor before new custom plugins are loaded.
Plugin Keywords
There are several keywords available for writing passive vulnerability plugins for Tenable Nessus Network Monitor. Some of these keywords are mandatory and some are optional; the descriptions in the table below state where a keyword is required of every plugin (for example id, family and risk).
Name | Description |
---|---|
bid | Tenable assigns SecurityFocus Bugtraq IDs (BID) to Tenable Nessus Network Monitor plugins. This allows a user reading a report generated by Tenable Nessus Network Monitor to link to more information available at http://www.securityfocus.com/bid. Multiple Bugtraq entries can be typed on one line if separated by commas. |
bmatch | This is the same as |
clientissue | If a vulnerability is determined in a network client such as a web browser or an email tool, a server |
cve | Tenable also assigns Common Vulnerability and Exposure (CVE) tags to each Tenable Nessus Network Monitor plugin. This allows a user reading a report generated by Tenable Nessus Network Monitor to link to more information available at http://cve.mitre.org/. Multiple CVE entries can be typed on one line if separated by commas. |
dependency | This is the opposite of |
dport | This is the same as |
Exploitability: canvas, core, cvsstemporal, metasploit | Displays exploitability factors for the selected vulnerability. For example, if the vulnerability is exploitable via both Canvas and Core and has a unique CVSS temporal score, the following tags may be displayed in the plugin output: CANVAS : D2ExploitPack CORE : true CVSSTEMPORAL : CVSS2#E:F/RL:OF/RC:C |
family | Each Tenable plugin for Tenable Nessus Network Monitor is included in a family. This designation allows Tenable to group Tenable Nessus Network Monitor plugins into easily managed sets that can be reported on individually. |
hs_dport | This is the same as |
hs_sport | Normally, when Tenable Nessus Network Monitor runs its plugins, they are either free ranging looking for matches on any port, or fixed to specific ports with the |
id | Each Tenable Nessus Network Monitor plugin needs a unique rule ID. Tenable assigns these 16-bit numbers within the overall Tenable Nessus Network Monitor range of valid entries. A list of the current Tenable Nessus Network Monitor plugin IDs can be found on the Tenable website. |
match | This keyword specifies a set of one or more simple ASCII patterns that must be present in order for the more complex pattern analysis to take place. The |
name | This is the name of the vulnerability Tenable Nessus Network Monitor has detected. Though multiple Tenable Nessus Network Monitor plugins can have the same name, it is not encouraged. |
nid | To track compatibility with the Tenable Nessus vulnerability scanner, Tenable associates Tenable Nessus Network Monitor vulnerability checks with relevant Tenable Nessus vulnerability checks. Multiple Tenable Nessus IDs can be listed under one |
nooutput | For plugins that are written specifically to be used as part of a dependency with another plugin, the |
noplugin | This keyword prevents a plugin from being evaluated if another plugin has already matched. For example, it may make sense to write a plugin that looks for a specific anonymous FTP vulnerability, but disable it if another plugin that checked for anonymous FTP has already failed. |
pbmatch | This is the same as |
plugin_output | This keyword displays dynamic data for a given vulnerability or event. The dynamic data is usually represented using %L or %P, and its value is obtained from the regular expressions defined using regex, regexi, pregex, or pregexi. |
pmatch | This keyword is the same as |
pregex | This is the same as |
pregexi | This is the same as |
protocol_id | This keyword is used to specify the protocol number of the protocol causing the plugin to fire. |
regex | This keyword specifies a complex regular expression search rule applied to the network session. |
regexi | This is the same as |
risk | All Tenable Nessus Network Monitor plugins need a risk setting. Risks are classified as INFO, LOW, MEDIUM, HIGH, and CRITICAL. An INFO risk is an informational vulnerability such as client or server detection. A LOW risk is an informational vulnerability such as an active port or service. A MEDIUM risk is something that may be exploitable or discloses information. A HIGH risk is something that is easily exploitable. A CRITICAL risk is something that is very easily exploitable and allows for malicious attacks. |
seealso | If one or more URLs are available, this keyword can be used to display them. Multiple URLs can be specified on one line if separated by commas. Example entries for this include CERT advisories and vendor information websites. |
solution | If a solution is available, it can be described here. The report section highlights the solution with different text. |
sport | This setting applies the Tenable Nessus Network Monitor plugin to just one port. For example, you may wish to write a SNMP plugin that just looks for activity on port 162. However, for detection of off-port services like a web server running on port 8080, a |
stripped_description | This field describes on one line the nature of the detected vulnerability. This data is printed out by Tenable Nessus Network Monitor when printing the vulnerability report. Macros are available that allow the printing of matched network traffic such as banner information and are discussed in the examples below. For line breaks, the characters "\n" can be used to invoke a new line. |
timed-dependency | This keyword slightly modifies the functionality of the |
udp | This keyword specifies that plugins are to be based on the UDP protocol rather than TCP protocol. |
Tip: In addition to tcp or udp, the following protocols are supported: sctp, icmp, igmp, ipip, egp, pup, idp, tp, rsvp, gre, pim, esp, ah, mtp, encap, comp, ipv6, ospf, eigrp, isis, raw, or other.
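The plugin-file layout described under Plugins (comment lines, NEXT separators) and the keyword rules in the table above, exercised together as an added example that is not Tenable's code: a small Python checker that parses a constructed .prm file, validates the keywords whose descriptions say every plugin needs them (id, family, risk; name is assumed mandatory here as well), and dry-runs the two-stage evaluation in which every simple `match` string must be present before a `regex` is tried. It assumes the `keyword=value` line form NNM plugins use, the constructed sample plugins and session are not real Tenable plugins, and Python's `re` module stands in for NNM's own regular-expression engine, so it only approximates what NNM accepts.

```python
"""Parse, validate and dry-run Tenable Nessus Network Monitor (.prm) plugins.

Added example; not Tenable's own code.  Assumes the keyword=value line syntax
NNM plugins use.  Python's `re` module is only an approximation of NNM's
regular-expression engine.
"""
import re
from dataclasses import dataclass, field

# id, family and risk are required by the keyword table; name is assumed required here too.
MANDATORY = ("id", "name", "family", "risk")
RISKS = {"INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"}
ID_MAX = 0xFFFF                       # plugin IDs are 16-bit numbers

# Constructed sample file: two plugins separated by NEXT, with a comment and a blank line.
SAMPLE_PRM = """\
# Example plugin file (constructed for this example, not a Tenable plugin)
id=9001
name=Example HTTP server banner (constructed)
family=Web Servers
risk=INFO
sport=80
match=Server:
regex=^Server: ([^\\r\\n]+)
NEXT

id=9002
name=Example plugin with an invalid risk value (constructed)
family=Generic
risk=SEVERE
match=hello
"""


@dataclass
class Plugin:
    keys: dict = field(default_factory=dict)   # keyword -> list of values (keywords such as match may repeat)

    def first(self, key, default=None):
        return self.keys.get(key, [default])[0]

    def values(self, key):
        return self.keys.get(key, [])


def parse_prm(text):
    """Split a .prm file into plugins: '#' starts a comment, 'NEXT' alone on a line ends a plugin."""
    plugins, current = [], Plugin()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "NEXT":
            if current.keys:
                plugins.append(current)
            current = Plugin()
            continue
        key, sep, value = line.partition("=")   # split on the FIRST '=' so regex values keep theirs
        if not sep:
            raise ValueError(f"malformed line (expected keyword=value): {raw!r}")
        current.keys.setdefault(key.strip(), []).append(value.strip())
    if current.keys:                              # the last plugin needs no trailing NEXT
        plugins.append(current)
    return plugins


def validate(plugins):
    """Return a list of (id, problem) tuples; an empty list means the file loads cleanly."""
    problems, seen_ids = [], set()
    for p in plugins:
        pid = p.first("id", "?")
        for key in MANDATORY:
            if key not in p.keys:
                problems.append((pid, f"missing mandatory keyword {key}"))
        if "id" in p.keys:
            if not pid.isdigit() or int(pid) > ID_MAX:
                problems.append((pid, "id must be a 16-bit number"))
            elif pid in seen_ids:
                problems.append((pid, "duplicate id"))
            seen_ids.add(pid)
        if "risk" in p.keys and p.first("risk") not in RISKS:
            problems.append((pid, f"risk must be one of {sorted(RISKS)}"))
        for key in ("regex", "regexi", "pregex", "pregexi"):
            for pattern in p.values(key):
                try:
                    re.compile(pattern)
                except re.error as e:
                    problems.append((pid, f"{key} does not compile: {e}"))
    return problems


def fires(plugin, session):
    """Two-stage check: every simple `match` string must be present before any regex is tried.

    Returns None if the plugin does not fire, the first capture group (or whole match) when a
    regex fires, and True when a match-only plugin fires.  pmatch/pregex (previous packet) are
    out of scope for this single-session dry run.
    """
    if not all(m in session for m in plugin.values("match")):
        return None
    regexes = [(p, 0) for p in plugin.values("regex")] + \
              [(p, re.IGNORECASE) for p in plugin.values("regexi")]
    if not regexes:
        return True if plugin.values("match") else None
    for pattern, flags in regexes:
        m = re.search(pattern, session, flags | re.MULTILINE)
        if m:
            return m.group(1) if m.groups() else m.group(0)
    return None


if __name__ == "__main__":
    plugins = parse_prm(SAMPLE_PRM)
    print(f"{len(plugins)} plugins parsed")
    for pid, problem in validate(plugins):
        print(f"plugin {pid}: {problem}")
    banner = "HTTP/1.1 200 OK\r\nServer: ExampleHTTPd/1.0\r\n\r\n"   # constructed session
    print("plugin 9001 captured:", fires(plugins[0], banner))
```

Running the checker on the sample reports only the invalid `risk=SEVERE` on plugin 9002, and the dry run of plugin 9001 against the constructed banner returns the captured server string, which is the value a `plugin_output` macro such as %L would expose in a real report.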
Related Information