The nessusd.rules file is important to know about and understand when using Tenable’s Nessus and SecurityCenter products. It allows the administrator to protect or skip fragile systems or ports as well as exclude individual plugins from running regardless of what is provided in the scan policy or scan definition.

The syntax works by using accept or reject on a line that has not been commented out (i.e. Using # at the head of the line,) and then the IP address or IP range of systems to be affected. (You can use CIDR notation) This can also be refined to skip various ports by adding a port number or range after the IP address. To accept select hosts or ports in a protected range, you would need to place the accept before the reject statement.

Examples:

• Reject a single system:

reject 192.168.1.1

• Reject port 80 on that system, but allow other ports to be scanned:

reject 192.168.1.1:80

• Reject ports 400 to 600 on that host:

reject 192.168.1.1:400-600

• Reject a range of hosts:

reject 192.168.1.0/24

• Reject port 443 on those hosts:

reject 192.168.1.0/24:443

• Reject ports 3000 to 5000 on those hosts:

reject 192.168.1.0/24:3000-5000

• Reject every host in the 192.168.1.0/24 range, except for 192.168.1.45

accept 192.168.1.45
reject 182.168.1.0/24

The nessusd.rules file is an essential tool to help shape your active Vulnerability Assessment protocols, and can also be used when Nessus is being used in conjunction with Tenable’s SecurityCenter product, providing a local safe guard against scanning fragile devices with a scan that is not specifically tailored to those devices. (That is to say, you should be scanning and patching or hardening everything on your network, but some devices need TLC to identify issues or are production systems and don’t fit in with your daily Vulnerability Scanning regimen.