TOC & Recently Viewed

Recently Viewed Topics

Plugin Examples

Basic Example

This plugin illustrates the basic concepts of PVS plugin writing:




name=IMAP Banner

description=An IMAP server is running on this port. Its banner is :\n %L




match=server ready

regex=^.*OK.*IMAP.*server ready

This example uses the following fields:

  • id - A unique number assigned to this plugin.
  • nid - The Nessus ID of the corresponding Nessus NASL script.
  • hs_sport - The source port to key on if High Performance mode is enabled.
  • name - The name of the plugin.
  • description - A description of the problem or service.
  • match - The set of match patterns that must be found in the payload of the packet before the regular expression can be evaluated.
  • regex - The regular expression to apply to the packet payload.

Tip: The description contains the %L macro. If this plugin evaluates successfully, then the string pattern in the payload that matched the regular expression is stored in %L and prints out at report time.

Complex Example






name=Atrium Mercur Mailserver

description=The remote imap server is Mercur Mailserver 3.20. There is a flaw in this server (present up to version 3.20.02) which allow any authenticated user to read any file on the system. This includes other user mailboxes, or any system file. Warning : this flaw has not been actually checked but was deduced from the server banner

solution=There was no solution ready when this vulnerability was written; Please contact the vendor for updates that address this vulnerability.


match=>* OK



regex=^\* OK.*MERCUR IMAP4-Server.*v3\.20\..*$

Tip: The first match pattern makes use of the > symbol. The > symbol indicates that the subsequent string must be at the beginning of the packet payload. Use of the > symbol is encouraged where possible as it is an inexpensive operation.

Case-Insensitive Example

There is a tool called SmartDownLoader that uploads and downloads large files. Unfortunately, versions 0.1 through 1.3 use the capitalization SmartDownloader, versions 1.4 through 2.7 use smartdownloader and versions 2.8 through current use SMARTdownloader. Searching for the various combinations of this text with purely the regex command would cause us to use a statement that looks like this:


However, with the regexi command, the search string is much less complex and less prone to creating an error:


By using regexi, we can more quickly match on all three versions as well as future permutations of the string smartdownloader. In a case such as this, regexi is the logical choice.




name=SmartDownLoader Detection

description=The remote host is running SmartDownLoader, a tool for performing rudimentary uploads and downloads of large binary files.

solution=Ensure that this application is in keeping with Corporate policies and guidelines





A complete example PVS plugin using the regexi keyword is shown above. The use of the match keyword searching for the string ownloader is not a typo. By searching for network sessions that have this string in them first, PVS can avoid invoking the expensive regexi search algorithm unless the ownloader pattern is present.

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.