I'm trying to set up Nessus 1.2.0 on Solaris 8 to only scan for CodeRed and Nimda vulnerabilities or infections. My first issue is that running the Nessus GUI, selecting those two tests, and then exiting the GUI refused to create a PLUGIN_SET definition in my .nessusrc. All the other settings were written to the .nessusrc, though. Therefore, I manually added the following:

    begin(PLUGIN_SET)
    10713 = yes
    10767 = yes
    end(PLUGIN_SET)

After I put that in there and ran Nessus in batch mode, all the other available plugins were added to that section and set to yes. So, I again edited the .nessusrc and changed all of the PLUGIN_SET tests to no except for the two that I wanted.

I then ran nmap to get a list of IPs that were listening on port 80 and created an input file for Nessus from them. I ran those IPs through Nessus 1.2.0 on Solaris 8 using the command line, but it said that no hosts were scanned. I then ran with verbose mode and got the following (edited for readability):

    bash-2.03$ nessus -V -T text -c ./.nessusrc localhost 1241 scan pass in out
    attack|192.168.0.54|1|2|CodeRed version X detection
    attack|192.168.0.54|2|2|Tests for Nimda Worm infected HTML files
    attack|192.168.0.54|3|2|???
    attack|192.168.0.54|4|2|???
    attack|192.168.0.54|5|2|???
    attack|192.168.0.54|6|2|???
    attack|192.168.0.80|1|2|CodeRed version X detection
    attack|192.168.0.80|2|2|Tests for Nimda Worm infected HTML files
    attack|192.168.0.80|3|2|???
    attack|192.168.0.80|4|2|???
    attack|192.168.0.80|5|2|???
    attack|192.168.0.80|6|2|???

The output summary said that no hosts were alive during the test. When I ran snoop during the test, I saw the Nessus server doing a GET / on port 80 of the IPs and the web servers replying with the default index.html. However, no attacks are sent. If I take out the PLUGIN_SET section, so that all of them are set to "yes," then all the attacks are carried out and reported fine.

I tried running the restricted test on Nessus 1.0.10 for Linux. In this case, the .nessusrc is different in that the PLUGIN_SET looks like the following:

    ...
    Nimda/Code Blue vulnerability = yes
    ...
    Tests for Nimda Worm infected HTML files = yes
    ...
    CodeRed Infection detection = yes

(Everything else in the plugin section is set to no.) This time, a number of vulnerable hosts and a couple infected ones were found. Any idea what's going on?

All I want to do is set up a cron job to test a couple networks for Nimda and Code Red every week. I have this running fine on Nessus 1.0.10 on Linux, but would like to port it to 1.2.0 on a Solaris 8 box.

Thanks,
Karyl
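
An added example, not part of the original post: a Python helper that automates the manual edit described above, setting every PLUGIN_SET entry in a .nessusrc to no except the chosen ones. The function name, the sample file and the ids 10001 and 10002 are constructed for illustration; only the begin(PLUGIN_SET)/end(PLUGIN_SET) layout and ids 10713 and 10767 come from the post. It goes slightly beyond the post by matching keys as strings, so the name-based 1.0.10 form works as well.

```python
import re

BEGIN, END = "begin(PLUGIN_SET)", "end(PLUGIN_SET)"
ENTRY = re.compile(r"^(\s*)(.+?)\s*=\s*(yes|no)\s*$")  # "<key> = yes|no"

def restrict_plugin_set(rc_text, wanted):
    """Return rc_text with only the `wanted` PLUGIN_SET entries set to yes.

    Keys are compared as strings, so numeric ids and plugin names both work.
    Wanted keys missing from the section are appended to it; if the file has
    no PLUGIN_SET section, one is created at the end. Other lines are kept.
    """
    wanted = [str(w) for w in wanted]
    out, seen, in_set, found = [], set(), False, False
    for line in rc_text.splitlines():
        stripped = line.strip()
        if stripped == BEGIN:
            in_set = found = True
            out.append(line)
        elif stripped == END and in_set:
            # Add requested plugins the section did not list yet.
            out.extend(f" {k} = yes" for k in wanted if k not in seen)
            in_set = False
            out.append(line)
        elif in_set and (m := ENTRY.match(line)):
            indent, key = m.group(1), m.group(2)
            seen.add(key)
            out.append(f"{indent}{key} = {'yes' if key in wanted else 'no'}")
        else:
            out.append(line)  # settings outside PLUGIN_SET are untouched
    if not found:
        out += [BEGIN] + [f" {k} = yes" for k in wanted] + [END]
    return "\n".join(out) + "\n"

# Constructed sample: 10001 and 10002 stand in for "all the other plugins".
SAMPLE_RC = """\
nessusd_host = localhost
begin(PLUGIN_SET)
 10713 = yes
 10001 = yes
 10002 = yes
end(PLUGIN_SET)
"""

if __name__ == "__main__":
    print(restrict_plugin_set(SAMPLE_RC, ["10713", "10767"]), end="")
```
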
