New Advanced Dynamic Scan Policy Template in Nessus 8

According to the Nessus 8.1.0 release notes, Tenable finally solved the problem with Mixed Plugin groups. At least partially. I will briefly describe the problem. Let’s say we found out that some Nessus plugins crash our target systems. This happens rarely, but it happens. So, we decided to disable these plugins in the scan policy:

Mixed Plugins

OK, the problem is solved. But here is the question: what will happen to the new NASL plugins that Tenable adds to the same group, for example Misc.?

The answer is quite sad: Nessus doesn’t know whether they should be enabled or disabled, so they will be disabled in the scan policy by default. And this can lead to false negatives. For example, in this screenshot you can see that a fresh plugin, “Xen Project Guest p2m Page Removal Error Handling DoS (XSA-277)” (published December 13, 2018), was automatically disabled.

Previously, it was necessary to monitor this situation and add these plugins to Enabled manually or via the API. But now, with the new Dynamic Scan Policy template, this might change.

A new universal template looks like this:

Advanced Dynamic Scan Policy Templates

And it’s pretty much like the Advanced Policy Template, but there is no Compliance section (I don’t know why) and the Plugins (Dynamic Plugins) tab looks different:

Dynamic Scan

In fact, these are the same filters that we can use in the scan results. We can combine them by AND or OR:

Combine filters

We can use any properties of the plugin:

Plugin properties

And set the conditions:

Criteria

Thus, we can exclude the following plugins from the scan policy:

Excluding Nessus plugins
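To make the difference concrete, here is a small Python model added as an illustration; it is not Nessus code and does not call the Nessus API. It compares a saved "mixed" plugin family with a flat dynamic filter list when a new plugin appears in the feed. The plugin IDs, the `Plugin` fields and the operator labels are assumptions made for this sketch.

```python
from dataclasses import dataclass

# Constructed plugin metadata: the IDs are illustrative, not real Nessus plugin IDs.
@dataclass(frozen=True)
class Plugin:
    pid: int
    name: str
    family: str

OLD_FEED = [
    Plugin(900001, "Example crash-prone check", "Misc."),
    Plugin(900002, "Example banner detection", "Misc."),
]
# A plugin published after the policy was saved (name from the post, ID constructed).
NEW_FEED = OLD_FEED + [
    Plugin(900003, "Xen Project Guest p2m Page Removal Error Handling DoS (XSA-277)", "Misc."),
]

def static_policy_snapshot(feed, disabled_ids):
    """Classic policy: a 'mixed' family stores the plugins enabled at save time."""
    return {p.pid for p in feed if p.pid not in disabled_ids}

def static_enabled(feed, snapshot):
    """Plugins unknown at save time are not in the snapshot, so they stay disabled."""
    return {p.pid for p in feed if p.pid in snapshot}

# Operator labels are assumptions for this model.
OPS = {
    "is equal to": lambda a, b: a == b,
    "is not equal to": lambda a, b: a != b,
    "contains": lambda a, b: str(b) in str(a),
}

def dynamic_enabled(feed, filters, match="all"):
    """Dynamic policy: one flat filter list joined by AND ('all') or OR ('any'),
    evaluated against whatever the feed contains at scan time."""
    combine = all if match == "all" else any
    return {p.pid for p in feed
            if combine(OPS[op](getattr(p, prop), val) for prop, op, val in filters)}

def false_negative_gap(feed, snapshot, filters):
    """Plugins the dynamic policy runs but the saved static policy silently skips."""
    return dynamic_enabled(feed, filters) - static_enabled(feed, snapshot)

SNAPSHOT = static_policy_snapshot(OLD_FEED, disabled_ids={900001})
FILTERS = [("family", "is equal to", "Misc."), ("pid", "is not equal to", 900001)]

if __name__ == "__main__":
    print("static :", sorted(static_enabled(NEW_FEED, SNAPSHOT)))
    print("dynamic:", sorted(dynamic_enabled(NEW_FEED, FILTERS)))
    print("gap    :", sorted(false_negative_gap(NEW_FEED, SNAPSHOT, FILTERS)))
```

The gap set is the list of checks a static policy would miss until someone re-enables them by hand, which is exactly the false-negative case described above.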

As a nice bonus, we can also choose some interesting groups of plugins, for example, only the plugins with a link to Metasploit and preview these plugins in each plugin group:

Nessus plugins with exploit

It seems to me that there may potentially be problems with some linked plugins, but I hope Tenable already thought about it.

In conclusion

A pretty convenient feature, but there are some drawbacks:

  1. It will be necessary to create new policies using this new template
  2. Advanced grouping of conditions cannot be done; you will have to create multiple policies and this can be tricky, given the difficulties in storing scan credentials inside of Nessus scan policies
  3. For some reason it is impossible to set Compliance checks in the policy
