Hello All,

I previously ran a handful of nessus sessions last night, saving the knowledge base entries across a bunch of systems. Using the system with the oldest plugin feed, I copied all the kbs files into the appropriate directory and was hoping to create one large HTML file from the output. nessus was run as follows:

    nessus -x -V -T html -c nessusrc -q somehost 1241 nessus god hostfile all.html

I was making the assumption that nessusd shouldn't need to fire any plugins since all of them were current in the kbs. To be sure, I kicked up tcpdump to watch traffic. Here are my kb_* entries:

    save_knowledge_base = yes
    kb_restore = yes
    only_test_hosts_whose_kb_we_dont_have = no
    only_test_hosts_whose_kb_we_have = yes
    kb_dont_replay_scanners = yes
    kb_dont_replay_info_gathering = yes
    kb_dont_replay_attacks = yes
    kb_dont_replay_denials = yes
    kb_max_age = 864000

So, it would seem to me that if it's in the kbs file, no old plugins would be rerun. This was not the case. The TCP port scanner, an snmp plugin, and one sending 23/tcp traffic were all fired. nessusd nicely made a backup of the kbs file, which I diffed.

Most, if not all, of the Settings plugins [1] were rerun, it seems. The original nessusrc file used had these enabled, which were subsequently disabled (contact offline, too big for the list). I also disabled such things as auto_enable_dependencies. Once they were all explicitly disabled, I still had snmp traffic going to the target network. It seems plugin 19762 [2] caused this. The remaining plugins that still ran are here [3].

The big issue is why nessusd is rerunning a plugin that is explicitly disabled and already has results. (Unless I missed something in the nessusrc file, which is totally within the realm of possibilities.) Any ideas on how to not have nessus rerun these or disable them in the nessusrc?

Jon

[1]
    +1127488371 3 Launched/10180=1 ping settings
    -1127426573 3 Launched/10180=1
    +1127488371 3 Launched/10308=1 cgibin in KB settings
    -1127426579 3 Launched/10308=1
    +1127488371 3 Launched/10870=1 login conf settings
    -1127426579 3 Launched/10870=1
    +1127488371 3 Launched/10889=1 nids eva settings
    -1127426579 3 Launched/10889=1
    +1127488371 3 Launched/10890=1 http nids settings
    -1127426580 3 Launched/10890=1
    +1127488371 3 Launched/10917=1 smb scope settings
    -1127426579 3 Launched/10917=1
    +1127488371 3 Launched/11038=1 smtp settings settings
    -1127426579 3 Launched/11038=1
    +1127488371 3 Launched/11933=1 don't sc prt settings
    -1127426579 3 Launched/11933=1
    +1127488371 3 Launched/12241=1 don't prt settings
    -1127426579 3 Launched/12241=1
    +1127488371 3 Launched/12288=1 glob vars settings
    -1127426579 3 Launched/12288=1
    +1127488363 3 Launched/14273=1 ssh sett settings
    -1127488075 3 Launched/14273=1
    +1127488371 3 Launched/17351=1 kerb sett settings
    -1127426579 3 Launched/17351=1
    +1127488363 3 Launched/19762=1 snmp sett settings
    -1127488075 3 Launched/19762=1

[2] http://www.nessus.org/plugins/index.php?view=viewsrc&id=19762

[3]
    +1127491324 3 Launched/10870=1
    -1127426579 3 Launched/10870=1
    +1127491325 3 Launched/10917=1
    -1127426579 3 Launched/10917=1
    +1127491325 3 Launched/11038=1
    -1127426579 3 Launched/11038=1
    +1127491324 3 Launched/12288=1
    -1127426579 3 Launched/12288=1
    +1127491325 3 Launched/14273=1
    -1127426563 3 Launched/14273=1
    +1127491325 3 Launched/17351=1
    -1127426579 3 Launched/17351=1
    +1127491324 3 Launched/19762=1
    -1127426563 3 Launched/19762=1

_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
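
An added example (not part of the original post, and not Nessus code): the backup-versus-current KB comparison described in the message, done by script instead of by reading diff output. It assumes each kbs line has the layout seen in the excerpts above, "<epoch> <type> <name>=<value>"; the sample KB contents and the hand-supplied `disabled` set are constructed for illustration.

```python
import re

# Assumed kbs line layout, taken from the excerpts in the post:
#   "<epoch> <type> <name>=<value>"
KB_LINE = re.compile(r"^(\d+)\s+(\d+)\s+([^=]+)=(.*)$")

def launched_times(kb_text):
    """Map plugin id -> newest epoch of its Launched/<id> entry in one kbs file."""
    times = {}
    for line in kb_text.splitlines():
        m = KB_LINE.match(line.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        epoch, _type, name, _value = m.groups()
        if name.startswith("Launched/"):
            pid = name.split("/", 1)[1]
            if pid.isdigit():
                times[int(pid)] = max(int(epoch), times.get(int(pid), 0))
    return times

def relaunched(old_kb, new_kb, disabled=()):
    """Plugins whose Launched entry is new or carries a later timestamp than in the backup."""
    old, new = launched_times(old_kb), launched_times(new_kb)
    rows = []
    for pid in sorted(new):
        if pid not in old or new[pid] > old[pid]:
            rows.append({"plugin": pid, "old": old.get(pid), "new": new[pid],
                         "disabled_in_rc": pid in disabled})
    return rows

# Constructed sample data: backup kbs (before the replay) and current kbs (after).
OLD_KB = """\
1127426573 3 Launched/10180=1
1127426579 3 Launched/10870=1
1127426563 3 Launched/19762=1
"""
NEW_KB = """\
1127426573 3 Launched/10180=1
1127491324 3 Launched/10870=1
1127491324 3 Launched/19762=1
"""

if __name__ == "__main__":
    # 'disabled' is a hand-maintained set of plugin ids turned off in nessusrc.
    for row in relaunched(OLD_KB, NEW_KB, disabled={10870, 19762}):
        flag = " (disabled in nessusrc)" if row["disabled_in_rc"] else ""
        print(f"plugin {row['plugin']}: {row['old']} -> {row['new']}{flag}")
```

Any plugin reported here with the disabled flag set fired during a run that was expected to replay only stored results, which is the case worth checking against the tcpdump capture.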
