The nessusd.rules file is important to know about and understand when using Tenable’s Nessus and SecurityCenter products. It allows the administrator to protect or skip fragile systems or ports as well as exclude individual plugins from running regardless of what is provided in the scan policy or scan definition.
The syntax is simple: on a line that has not been commented out (a line beginning with # is a comment), write accept or reject followed by the IP address or IP range of the systems to be affected (CIDR notation is supported). A rule can be refined to cover only certain ports by adding a port number or port range after the IP address. Rules are applied in order, so to accept selected hosts or ports inside a rejected range you must place the accept line before the reject line.
- Reject a single system:
- Reject port 80 on that system, but allow other ports to be scanned:
- Reject ports 400 to 600 on that host:
- Reject a range of hosts:
- Reject port 443 on those hosts:
- Reject ports 3000 to 5000 on those hosts:
- Reject every host in the 192.168.1.0/24 range, except for 192.168.1.45:
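To show how the accept-before-reject ordering from above actually plays out, here is an added Python evaluator (not Tenable's code and not taken from the original post) that applies a constructed nessusd.rules-style file to a host and port; the exact `:port` and `lo-hi` separator syntax is an assumption, since the real file format is not quoted on this page.

```python
import ipaddress

# Assumed rule syntax (not taken from Tenable's documentation):
#   accept|reject <ip or CIDR>[:<port>|:<lo>-<hi>]
# Lines starting with '#' are comments. Rules are checked top to bottom
# and the first match decides, which is why an accept for a protected
# host has to come before the reject covering its range.

# Constructed sample rules file, mirroring the cases listed above.
SAMPLE_RULES = """\
# keep one jump host scannable inside an otherwise protected subnet
accept 192.168.1.45
reject 192.168.1.0/24
# fragile web listener: skip port 80 only
reject 10.0.0.7:80
# skip a range of ports on one host
reject 10.0.0.9:400-600
"""


def parse_rules(text):
    """Return a list of (action, network, (lo, hi)) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or parts[0] not in ("accept", "reject"):
            raise ValueError(f"malformed rule: {raw!r}")
        action, target = parts
        net, _, ports = target.partition(":")
        network = ipaddress.ip_network(net, strict=False)
        if ports:
            lo, _, hi = ports.partition("-")
            port_range = (int(lo), int(hi or lo))
        else:
            port_range = (1, 65535)           # no port given: whole host
        rules.append((action, network, port_range))
    return rules


def decide(rules, host, port):
    """First matching rule wins; anything unmatched is scanned (accept)."""
    addr = ipaddress.ip_address(host)
    for action, network, (lo, hi) in rules:
        if addr in network and lo <= port <= hi:
            return action
    return "accept"
```

Swapping the first two sample lines makes 192.168.1.45 rejected as well, which is the ordering mistake the paragraph above warns about.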
The nessusd.rules file is an essential tool for shaping your active vulnerability assessment practice. It is just as useful when Nessus runs in conjunction with Tenable's SecurityCenter product, providing a local safeguard against scanning fragile devices with a scan that was not specifically tailored to them. (That is to say, you should be scanning and patching or hardening everything on your network, but some devices need extra care to identify issues, or are production systems that don't fit into your daily vulnerability scanning regimen.)
I built a little video demo of Nessus 5's HTML5 interface running a Unix compliance scan. The new interface sends the compliance check results to a dedicated tab for easy analysis, without having to resort to filters. Technically, this should eliminate the need to turn off plugins for compliance scans unless you are going for a faster scan time. (If you have a large network, you should probably be using Tenable's SecurityCenter product and provisioning Nessus scanners on every subnet for best performance.)
The steps are:
- Create the category
- Make the Post
- Direct the subdomain to the category URL