Mailing List Archive

rules not working, Nessus-3.2.1-es5 on RHEL 5.2
I am having some problems getting rules to work with Nessus-3.2.1-es5 on
RHEL 5.2. I have attached nessusd.messages,
/opt/nessus/etc/nessus/nessusd.rules, and
/opt/nessus/var/nessus/users/test/auth/rules. The short story is that
the rules files are not working.

The global rules file is set up to only allow scanning of our two class B
networks, the user's rules file further restricts to a single class C,
but I can still scan any IP, including off campus addresses.

If I put a 'reject 0.0.0.0/0' line in the user's rules file then the
client pops up a rejection message, and the server logs the rejection,
so I know I am editing the right file.

I strace'd a scan and see that the daemon is opening the global rules
file, and the child is opening the user's rule file:
[pid 17512] open("/opt/nessus//etc/nessus/nessusd.rules", O_RDONLY) = 4
[pid 17512] read(4, "#\n# Nessus rules\n#\n\n# Syntax : a"..., 4096) = 499

[pid 17527] open("/opt/nessus//var/nessus/users/test/auth/rules", O_RDONLY) = 0
[pid 17527] read(0, "accept 128.120.193.0/24\ndefault "..., 4096) = 37

I tried both 'default deny' and 'default reject', though Google seems
to indicate that either is okay.

Using rules files is the cornerstone of how I want to roll out
Nessus 3 to the campus, so this is very important to us.

Any thoughts?

--
Omen Wild
Security Administrator
(530) 752-1700
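The post above is about whether a global and a per-user Nessus rules file actually constrain which targets a user may scan. The following is an added example, not code from the original post or from Nessus itself: a small evaluator for the accept/reject/default rule syntax shown in the message, used to check what a given pair of rules files should permit before trusting the daemon to enforce it. It assumes first-match semantics (rules are tried top to bottom, the first matching network decides, and the default line applies when nothing matches), that "default deny" and "default reject" are equivalent, and that a target must be accepted by both the global file and the user file to be scannable. The two class B networks and the off-campus addresses are constructed sample values; only 128.120.193.0/24 comes from the post.

```python
import ipaddress

# Constructed sample files modelled on the post: a global file that only
# permits two class B networks (both are placeholders; the post does not
# name them), and a user file that narrows scanning to one class C.
GLOBAL_RULES = """\
#
# Nessus rules (constructed sample)
#
accept 128.120.0.0/16
accept 198.18.0.0/16
default deny
"""

USER_RULES = """\
accept 128.120.193.0/24
default deny
"""

# The variant the poster used to confirm the user file is being read.
USER_RULES_REJECT_ALL = "reject 0.0.0.0/0\n"


def parse_rules(text):
    """Parse rules text into a list of (action, network) plus the default action.

    Assumption: lines are 'accept <net>', 'reject <net>' or
    'default accept|deny|reject'; '#' starts a comment. 'deny' and 'reject'
    are treated as the same action. Absent a default line, assume accept.
    """
    rules = []
    default = "accept"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"malformed rule: {raw!r}")
        action, target = parts
        if action == "default":
            if target not in ("accept", "deny", "reject"):
                raise ValueError(f"bad default action: {raw!r}")
            default = "accept" if target == "accept" else "reject"
            continue
        if action not in ("accept", "reject"):
            raise ValueError(f"unknown action: {raw!r}")
        # strict=False tolerates host bits set in the prefix, e.g. 10.1.2.3/24
        rules.append((action, ipaddress.ip_network(target, strict=False)))
    return rules, default


def evaluate(rules_text, ip):
    """Return 'accept' or 'reject' for ip under one rules file (first match wins)."""
    rules, default = parse_rules(rules_text)
    addr = ipaddress.ip_address(ip)
    for action, net in rules:
        if addr in net:
            return action
    return default


def is_permitted(global_text, user_text, ip):
    """A target is scannable only if both the global and the user file accept it."""
    return evaluate(global_text, ip) == "accept" and evaluate(user_text, ip) == "accept"


def audit(global_text, user_text, targets):
    """Map each candidate target to the decision the two files should produce."""
    return {ip: is_permitted(global_text, user_text, ip) for ip in targets}


if __name__ == "__main__":
    # 128.120.193.5 is inside the user's class C; 128.120.1.1 is on campus
    # but outside it; 203.0.113.7 is a constructed off-campus address.
    for ip, ok in audit(GLOBAL_RULES, USER_RULES,
                        ["128.120.193.5", "128.120.1.1", "203.0.113.7"]).items():
        print(f"{ip:>15}  {'permitted' if ok else 'rejected'}")
```

Running the audit against the same addresses a test scan is pointed at makes the expected outcome explicit: anything the table marks rejected but the daemon still scans is evidence the restriction is not being applied, which is the behaviour the post reports. The strace output in the post (37 bytes read from the user file) is consistent with the file containing exactly "accept 128.120.193.0/24" followed by "default deny", so the file content itself matches what this evaluator expects.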