You are here: Additional Resources > PVS Plugins > PVS Plugin Syntax (PVS)

PVS Plugin Syntax

Plugins

PVS plugins allow spaces and comment fields that start with a number (#) sign. Each plugin must be separated with the word “NEXT” on a single line. Create a .prm file in the plugins directory to make it available for use. You must restart PVS to use new custom plugins.

Plugin Keywords

There are several keywords available for writing passive vulnerability plugins for PVS. Some of these keywords are mandatory and some are optional. In the table below, mandatory keywords are highlighted in blue.

Name Description

bid

Tenable assigns SecurityFocus Bugtraq IDs (BID) to PVS plugins. This allows a user reading a report generated by PVS to link to more information available at http://www.securityfocus.com/bid. Multiple Bugtraq entries can be entered on one line if separated by commas.

bmatch

This is the same as match but can look for any type of data. A bmatch must always have an even number of alphanumeric characters.

clientissue

If a vulnerability is determined in a network client such as a web browser or an email tool, a server port is associated with the reported vulnerability.

cve

Tenable also assigns Common Vulnerability and Exposure (CVE) tags to each PVS plugin. This allows a user reading a report generated by PVS to link to more information available at http://cve.mitre.org/. Multiple CVE entries can be entered on one line if separated by commas.

dependency

This is the opposite of noplugin. Instead of specifying another plugin that has failed, this keyword specifies which plugin must succeed. This keyword specifies a PVS ID that should exist to evaluate the plugin. In addition, this plugin can take the form of dependency=ephemeral-server-port, which means the evaluated server must have an open port above port 1024.

dport

This is the same as sport, but for destination ports.

Exploitability:

canvas

core

cvsstemporal

metasploit

Displays exploitability factors for the selected vulnerability. For example, if the vulnerability is exploitable via both Canvas and Core and has a unique CVSS temporal score, the following tags may be displayed in the plugin output:

CANVAS : D2ExploitPack

CORE : true

CVSSTEMPORAL : CVSS2#E:F/RL:OF/RC:C

family

Each Tenable plugin for PVS is included in a family. This designation allows Tenable to group PVS plugins into easily managed sets that can be reported on individually.

hs_dport

This is the same as hs_sport except for destination ports.

hs_sport

Normally, when PVS runs its plugins, they are either free ranging looking for matches on any port, or fixed to specific ports with the sport or dport keywords. In very high speed networks, many plugins have a fallback port, known as a high-speed port, which focuses the plugin only on one specific port. In High Performance mode, the performance of a PVS plugin with an hs_sport keyword is exactly the same as if the plugin was written with the sport keyword.

id

Each PVS plugin needs a unique rule ID. Tenable assigns these 16 bit numbers within the overall PVS range of valid entries. A list of the current PVS plugin IDs can be found on the Tenable website.

match

This keyword specifies a set of one or more simple ASCII patterns that must be present in order for the more complex pattern analysis to take place. The match keyword gives PVS a lot of its performance and functionality. With this keyword, if it does not see a simple pattern, the entire plugin does not match.

name

This is the name of the vulnerability PVS has detected. Though multiple PVS plugins can have the same name, it is not encouraged.

nid

To track compatibility with the Nessus vulnerability scanner, Tenable associates PVS vulnerability checks with relevant Nessus vulnerability checks. Multiple Nessus IDs can be listed under one nid entry such as nid=10222,10223.

nooutput

For plugins that are written specifically to be used as part of a dependency with another plugin, the nooutput keyword causes PVS not to report anything for any plugin with this keyword enabled.

noplugin

This keyword prevents a plugin from being evaluated if another plugin has already matched. For example, it may make sense to write a plugin that looks for a specific anonymous FTP vulnerability, but disable it if another plugin that checked for anonymous FTP has already failed.

pbmatch

This is the same as bmatch except for binary data on the previous side of the reconstructed network session.

plugin_output

This keyword displays dynamic data for a given vulnerability or event. The dynamic data is usually represented using %L or %P, and its value is obtained from the regular expressions defined using regex, regexi, pregex, or pregexi.

pmatch

This keyword is the same as match but is applied against the previous packet on the other side of the reconstructed network session.

pregex

This is the same as regex except the regular expression is applied to the previous side of the reconstructed network session.

pregexi

This is the same as pregex except the pattern matching is not case sensitive.

protocol_id

This keyword is used to specify the protocol number of the protocol causing the plugin to fire.

regex

This keyword specifies a complex regular expression search rule applied to the network session.

regexi

This is the same as regex except the pattern matching is not case sensitive.

risk

All PVS plugins need a risk setting. Risks are classified as INFO, LOW, MEDIUM, HIGH, and CRITICAL. An INFO risk is an informational vulnerability such as client or server detection. A LOW risk is an informational vulnerability such as an active port or service. A MEDIUM risk is something that may be exploitable or discloses information. A HIGH risk is something that is easily exploitable. A CRITICAL risk is something that is very easily exploitable and allows for malicious attacks.

seealso

If one or more URLs are available, this keyword can be used to display them. Multiple URLs can be specified on one line if separated by commas. Example entries for this include CERT advisories and vendor information websites.

solution

If a solution is available, it can be described here. The report section highlights the solution with different text.

sport

This setting applies the PVS plugin to just one port. For example, you may wish to write a SNMP plugin that just looks for activity on port 162. However, for detection of off-port services like a web server running on port 8080, a sport field is not used in the plugin.

stripped_description

This field describes on one line the nature of the detected vulnerability. This data is printed out by PVS when printing the vulnerability report. Macros are available that allow the printing of matched network traffic such as banner information and are discussed in the examples below. For line breaks, the characters “\n” can be used to invoke a new line.

timed-dependency

This keyword slightly modifies the functionality of the noplugin and dependency keywords such that the evaluation must have occurred within the last N seconds.

udp

This keyword specifies that plugins are to be based on the UDP protocol rather than TCP protocol.

Tip: In addition to tcp or udp, the following protocols are supported: sctp, icmp, igmp, ipip, egp, pup, idp, tp, rsvp, gre, pim, esp, ah, mtp, encap, comp, raw or other.

Related Information

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.