deraison at nessus
Feb 20, 2007, 7:35 AM
Post #1 of 1
Nessus 3.2 beta available for testing !
I'm pleased to announce the release of Nessus 3.1.2 which is the
first public beta of what will become Nessus 3.2.
The whole Nessus 3.1.x cycle will be considered as being in beta. Do
not run Nessus 3.1.x on a production network without verifying that
it works properly for you in a lab environment.
At the moment, the beta is only for Linux, FreeBSD and Solaris systems.
Also note that we're still far away from the release. Some
functionalities might not make it into the final Nessus 3.2, some
notation might change, etc...
The major changes in Nessus 3.2 compared to Nessus 3.0 are the
- Experimental IPv6 support
- Improved bandwidth throttling
- Extended nessusd.rules to add support for ports and plugins
- New command 'nessuscmd' which lets you do a quick command-line scan
- Improved NASL engine
- Easy-update : Nessus can now update its own engine by doing /opt/
-> You can get Nessus 3.1.2 at http://www.nessus.org/download/
Here are some details about these features.
We'll probably go into more details for each of them on the Tenable blog
1. Experimental IPv6 support
Nessus 3.2 supports IPv6 natively.
It allows you to scan any IPv6 host provided that the host it runs on
has an IPv6 stack enabled. To scan an IPv6 host, simply type its IP
address. If the host is on the local network (fe80::XXXX) you also
need to specify the interface to go thru when doing the scan (ie:
enter "fe80::20d:93ff:abcd:efab%eth0" to scan the host fe80:20d:
83ff:abcd:efab on the local network connected to eth0).
*** Note that it is not possible to specify a range of addresses, as
scanning each of them would not make sense (ie: you really don't want
to scan fe80::1/64).
Nessus 3.2 has the ability to send a multicast ping query to
determine the IPv6 hosts of your local network. Simply enter "link6%
eth0" and nessusd will discover all the IPv6 enabled hosts.
Finally, if you scan the same host thru IPv4 and IPv6 (ie: you enter
a target of 192.168.1.1 and fe80::4242) then in the final report the
same host will appear twice : once has an IPv6 system, and once has
an IPv4 host.
2. Improved bandwidth throttling
In order to avoid flooding a network, Nessus now has the ability to
define a maximum number of TCP connections in parallel, on a per-
nessusd or per-scan basis.
In nessusd.conf, setting the following option :
global.max_simult_tcp_sessions = 50
will guarantee that the system running your nessus scan will never
establish more than 50 tcp sessions in parallel (wether there is one,
ten or one hundred scans going on at the same time).
In your .nessusrc, adding the option :
max_simult_tcp_sessions = 20
will guarantee that your *scan* will not establish more than 20
sessions in parallel. If you have two scans running with this
setting, then your system might end up doing 40 tcp sessions in
It is also possible to configure nessusd on a per-nessusd basis so
that a maximum number of hosts are being scanned in parallel (it
works like the current max_hosts, but on a per scanner basis, meaning
that if you set global.max_host to 20 in nessusd.conf and have 10
scans running, eventually each scan will only scan 2 hosts in parallel).
3. Extended nessusd.rules
*** Note that nessusd.rules do not work with IPv6 hosts yet
The grammar of the nessusd rules has been extended to let you forbid/
allow nessusd to connect to some ports.
In nessusd.rules, you can now prevent the connections to some ports.
For instance, adding :
will prevent the connection to any HP printer on port 9100. The ports
can be entered as ranges as well :
prevents nessusd from connecting to ports 1 to 1024 on the subnet
*** Note that these rules only apply to TCP ports, not UDP
You can also forbid the use of some plugins :
These rules can be set in nessusd.rules, on a per user basis or
supplied by the end-user (as this is currently the case in Nessus 3.0).
4. New command 'nessuscmd'
'nessuscmd' (whose name might change -- suggestions are welcome) is a
simple utility designed to perform a quick scan of a host or network
for a small set of plugin IDs.
For instance, if you want to scan your local subnet to determine
which hosts have a default SNMP community set, do :
/opt/nessus/bin/nessuscmd -i 10264 192.168.0.0/24
More info by doing :
Astute readers should find some similarity between some of the
switches of nessuscmd and nmap :)
5. Improved NASL engine
NASL was a bit improved and extended in this release :
a. New functions
A few new functions have been added, in particular a plugin may now
reduce the selected set of plugins while the scan is running. For
instance, one may want to make sure that if the remote host is
considered as being sensitive (ie: it's the payroll db server, a
SCADA device, etc...) then one wants to programatically disable all
plugins except one family or two which are known not to have any side
The functions to manage the plugin selection are :
Note that a script can only _reduce_ the set of selected plugins. If
you do a scan with only the plugin #12345 being enabled, you can't
have it enable plugins which were selected by the end user.
However, you could do a plugin like :
if ( remote_host_is_the_payroll_server() )
# Only audit the MSFT bulletins against the remote host
disable_all_plugins(); # First : disable every other plugin
enable_plugin_family("Windows : Microsoft Bulletins");
b. Support for pre-compiled libraries
NASL 3.2 supports the inclusion of pre-compiled libraries (we call
this .nlib files). One can import a .nlib file by doing :
The only .nlib file available at this time is our WMI library.
More information at : http://cgi.tenablesecurity.com/tenable/WMI.html
It's now very easy to upgrade your Nessus installation to the newest
version of the engine.
Simply make sure you are registered and type : /opt/nessus/sbin/
nessus-update and Nessus will update itself
*** This is not supported on Solaris yet
- Scan pausing is now supported (with the command-line client, put
the client in background by doing ctrl-Z to pause the scan and type
'fg' to resume it. GUI support will follow soon). Note that if you
disconnect from nessusd while a scan is paused, the scan will be lost.
- If a tested host is disconnected in the middle of a scan, nessusd
should detect it and stop scanning that particular system (and tell
you about it in nessusd.messages).
Please send me directly your feedback, crash dumps, suggestions and
Nessus-announce mailing list
Nessus-announce [at] list