New Advanced Dynamic Scan Policy Template in Nessus 8. According to Nessus 8.1.0 release notes, Tenable finally solved the problem with Mixed Plugin groups. At least partially. I will briefly describe the problem. Let’s say we found out that some Nessus plugins crash our target systems. This happens rarely, but it happens. So, we decided to disable these plugins in the scan policy:
Ok, problem is solved. But here is the question: what will happen with the new NASL plugins that will be added by Tenable in the same group, for example Misc.?
The answer is quite sad: Nessus doesn’t know if they should enabled of disabled, so they will be disabled in the scan policy by default. And this can lead to some False-Negatives. For example, on this screenshot you can see a fresh plugin “Xen Project Guest p2m Page Removal Error Handling DoS (XSA-277)” Published: December 13, 2018 was automatically disabled.
Previously, it was necessary to monitor this situation and add these plugins to Enabled manually or via API. But now with a new Dynamic Scan Policy template, this might be changed.
A new universal template looks like this:
And it’s pretty much like the Advanced Policy Template, but there is no Compliance section (I don’t know why) and the Plugins (Dynamic Plugins) tab looks differently:
In fact, these are the same filters that we can use in the scan results. We can combine them by AND or OR:
We can use any properties of the plugin:
And set the conditions:
Thus, we can exclude the following plugins from the scan policy:
As a nice bonus, we can also choose some interesting groups of plugins, for example, only the plugins with a link to Metasploit and preview these plugins in each plugin group:
It seems to me that there may potentially be problems with some linked plugins, but I hope Tenable already thought about it.
In conclusion
A pretty convenient feature, but there are some drawbacks:
- It will be necessary to create new policies using this new template
- Advanced grouping of conditions cannot be done; you will have to create multiple policies and this can be tricky, given the difficulties in storing scan credentials inside of Nessus scan policies
- For some reasons it is impossible to set Compliance checks in the policy
Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.
Pingback: First look at Tenable.io Web Application Scanner (WAS) | Alexander V. Leonov