I am having some problems getting rules to work with Nessus-3.2.1-es5 on RHEL 5.2. I have attached nessusd.messages, /opt/nessus/etc/nessus/nessusd.rules, and /opt/nessus/var/nessus/users/test/auth/rules. The short story is that the rules files are not working.
The global rules file is set up to only allow scanning of our two class B
networks, the user's rules file further restricts to a single class C,
but I can still scan any IP, including off campus addresses.
If I put a 'reject 0.0.0.0/0' line in the user's rules file then the
client pops up a rejection message, and the server logs the rejection,
so I know I am editing the right file.
I strace'd a scan and see that the daemon is opening the global rules
file, and the child is opening the user's rule file:
[pid 17512] open("/opt/nessus//etc/nessus/nessusd.rules", O_RDONLY) = 4
[pid 17512] read(4, "#\n# Nessus rules\n#\n\n# Syntax : a"..., 4096) = 499
[pid 17527] open("/opt/nessus//var/nessus/users/test/auth/rules", O_RDONLY) = 0
[pid 17527] read(0, "accept 128.120.193.0/24\ndefault "..., 4096) = 37
I tried both 'default deny' and 'default reject', though Google seems
to indicate that either is okay.
Using rules files is the cornerstone of how I want to roll out
Nessus 3 to the campus, so this is very important to us.
Any thoughts?
--
Omen Wild
Security Administrator
(530) 752-1700
nessusd.messages:
[Wed Sep 24 10:07:02 2008][17361] nessusd 3.2.1 (build A919) started
[Wed Sep 24 10:07:54 2008][17361] connection from 128.120.193.70
[Wed Sep 24 10:07:55 2008][17365] Client requested protocol version 12.
[Wed Sep 24 10:07:55 2008][17365] successful login of test from 128.120.193.70
[Wed Sep 24 10:07:55 2008][17365] Redirecting debugging output to /opt/nessus//var/nessus/logs/nessusd.dump
[Wed Sep 24 10:16:11 2008][17365] user test starts a new scan. Target(s) : 128.120.193.70,169.237.224.21,mandarb.com, with max_hosts = 20 and max_checks = 4
[Wed Sep 24 10:16:11 2008][17365] user test : testing 128.120.193.70 (128.120.193.70) [17419]
[Wed Sep 24 10:16:11 2008][17365] user test : testing 169.237.224.21 (169.237.224.21) [17420]
[Wed Sep 24 10:16:11 2008][17365] user test : testing mandarb.com (168.150.238.54) [17421]
[Wed Sep 24 10:16:28 2008][17420] Finished testing 169.237.224.21. Time : 16.49 secs
[Wed Sep 24 10:16:33 2008][17419] Finished testing 128.120.193.70. Time : 21.99 secs
[Wed Sep 24 10:17:25 2008][17421] Finished testing mandarb.com. Time : 73.51 secs
[Wed Sep 24 10:17:25 2008][17365] user test : test complete
[Wed Sep 24 10:17:25 2008][17365] Total time to scan all hosts : 75 seconds
[Wed Sep 24 10:17:25 2008][17365] user test : Kept alive connection
[Wed Sep 24 10:18:36 2008][17365] Communication closed by client

/opt/nessus/etc/nessus/nessusd.rules:
#
# Nessus rules
#

# Syntax : accept|reject address/netmask
# reject 10.42.123.0/24
# You can also deny/allow certain ports :
# Forbid connecting to port 80 for 10.0.0.1 :
# reject 10.0.0.1:80
# Forbid connecting to ports 8000 - 10000 for any host in the 192.168.0.0/24 subnet :
# reject 192.168.0.0/24:8000-10000
# You can also deny/allow the use of certain plugin IDs :
# plugin-reject 10335
# plugin-accept 10000-40000
### UCD Only!
accept 128.120.0.0/16
accept 169.237.0.0/16
default deny

/opt/nessus/var/nessus/users/test/auth/rules:
accept 128.120.193.0/24
default deny
Nessus mailing list: http://mail.nessus.org/mailman/listinfo/nessus
