Nessus 3.2.1 Released -- New Report Filtering Features Added

Tenable Network Security has released version 3.2.1 of the Nessus vulnerability scanner. This point release includes a variety of small bug fixes as well as a new report filtering interface for the Nessus client. This blog entry will discuss the new Nessus features, bug fixes and reporting filters for the Nessus Client.

Nessus Release Notes

New features

• New multi-criteria report filter in NessusClient. There is more on this later in the blog.
• On Mac OS X, it is now possible to authenticate with NessusClient to a remote Nessus server via a SSL certificate
• New NASL functions - bn_dec2raw(), bn_raw2dec(), bn_hex2raw(), bn_raw2hex(), rsa_public_encrypt(), rsa_private_encrypt() and rsa_private_decrypt()
• New options in nessusd.conf : 'enable_listen_ipv4' and 'enable_listen_ipv6' let the user disable IPv4 and IPv6 bindings
• Builds for Ubuntu Linux 8.04 and Fedora 9
• Support for Windows 2000

Bug fixes in this release

'nessus' command-line client :

• report entries longer than 16Kb would be truncated
• When exporting a report to the .nessus format, some report entries could sometimes be truncated
• When exporting a report to the .nessus format, backslashes would not be properly escaped

Nessus server :

• Fixed a concurrency issue when too many threads write to the plugin database
• On Solaris, SIGCHLD signals would not always be properly handled, thus leaving zombie processes
• Fixed a segmentation fault in nasl occurring on 64 bits systems

Nessus client :

• When searching for plugins, the filtering interface now works as expected

Plugins :

• ssl_ciphers.nes has been removed in favor of the new ssl_ciphers.nasl
• Fixed a segmentation fault in nessus_tcp_scanner.nes

Packaging :

• The %uninstall section of the RPMs contained a bug which would force users doing an upgrade to call 'chkconfig nessusd on' manually. Due to the nature of this bug, be sure to call 'chkconfig nessusd on' when upgrading from 3.x.y to 3.2.1
• The Debian 4 i386 build was incorrectly registering itself as x86-64, thus breaking 'nessus-update' on Debian 4 i386

Report Filtering

In the below screen shot, under version 3.2.1 of the Nessus Client on OS X, when viewing a report a new "Filter..." option is now available.

Clicking on the "Filter..." button will present the user with a dialog box that can be used to create a simple or complex filter statement. This box is shown below:

This box allows the Nessus user to create a set of rules where any or all of the following conditions are met:

• Plugin ID
• Plugin Name
• Port Name
• Host Name Starts With
• Host Name Contains
• Report Contains
• Plugin Severity

All fields use a text box to enter desired strings or numbers except for the severity level which lets the user choose a list of low, medium or high.

By default, all options set with "any" so you could choose port names of http, https and smtp to give all web and email server vulnerabilities. If the "all" option is chosen, then only vulnerabilities matching the entire criteria will be listed. Keep in mind that if you choose two filters that create exclusive sets such as a port rule to match "http" and a second rule to match a port name of "smtp" you will most likely not have any matching results.

Once a desired filter statement is set, only the matching systems with the matching vulnerabilities are displayed. Also, only the matching vulnerabilities on those systems are displayed as well.

Filters that are in effect also control what type of data is sent to the .html, .nsr or .nbe file formats. This allows you to select what type of data goes into your .html web reports or that gets exported.

To reset the filter, simply choose the "Filter..." button again and reset the filter.