
Tenable Blog


Introduction to the .nessus Scan, Policy and Report Format

The Nessus Client 3.0 introduced a new format for Nessus scan policies, targets and results. This is known as the ".nessus" format. This blog entry discusses the advantages of this new file type and includes links to recently published technical documentation about the format and layout of the file.

Unified Scan Targets, Policy and Results

Historically, Nessus daemons and clients supported various file formats for scan configurations as well as scan results. When Tenable designed the new file format, we wanted to unify these into one file. This allows for rapid and accurate reproduction of a previous scan as well as understanding what a scan was looking for to begin with.

For example, if you only enabled FTP checks and performed a scan, you should expect information about FTP security issues and nothing about SSH or Internet Explorer issues. You also shouldn't conclude that there aren't any SSH or Internet Explorer issues just because your FTP scan didn't find any, yet this is exactly what a variety of NAC and SIM (security information management) vendors do when they treat a result set as a complete picture. Because the unified .nessus format records the policy alongside the results, a consumer can tell what a scan did and did not look for, and we're hoping this makes working with scan results easier.

Multiple Scan Policies

Multiple scan policies can be specified within one .nessus file. This makes it possible to define different scan settings for different portions of a network in a single file. It also makes it very easy to publish "standard" scan settings for your consultants, auditors and IT administrators.

For example, Tenable recently released a SANS Top 20 2007 policy which included individual policies for each unique area of concern identified by SANS. I've spoken with several Tenable customers and Nessus users that are using .nessus policy files to standardize on remote scans of external networks and to scan servers and applications before they go into production.

Credential Management

The Nessus Client will not save credentials in a scan policy unless the user explicitly checks the 'Save credentials in clear text' option, a feature added in version 3.0.1 of the Nessus Client. If you want to share policies that include credentials for auditing systems with other users, you must enable this option; otherwise the client does not store the credentials in the .nessus file. Note that the option does exactly what its name says: the credentials are written into the file unencrypted, so a policy saved this way must be handled and distributed as a secret rather than as ordinary configuration.

Integration with the Security Center

Customers who use the new Nessus Client 3.0 along with the Security Center can upload their results centrally. Security Center 3.4 (scheduled for release early this quarter) has the ability for any user to upload their Nessus scan results. This allows for remediation tracking, secure sharing of scan results, automatic asset discovery, report creation, vulnerability/IDS event correlation and many other features. It also makes it convenient for corporations to centralize scan results from networks which may be physically separated.

Technical Reference

Tenable has produced a technical reference for programmers who wish to develop tools to parse and analyze Nessus results. This document describes each section of the .nessus document format.

  • dot_nessus_file_format.pdf

Publishing Scan Policies

If you wish to author and publish your own Nessus scan policies, consider following these guidelines:

  • Do not publish credentials in your policies unless you specifically need them.
  • Name each sub-policy something informative that a new user can grasp easily.
  • Include a description for each policy.
  • Keep each policy minimal and purposeful. For example, if you don't need a certain plugin family, disable it.
  • When placing your policies online for other Nessus users, consider compressing them as both ZIP and GZIP so that Nessus users on different platforms can easily obtain them.
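The technical reference above describes the file as one XML document carrying the policy, the targets and the results, and the publishing guidelines ask you to check a policy for credentials before sharing it. The following is an added example, not code from this post or from Tenable: a small Python reader that pulls the policy's plugin-family selection and the findings out of a .nessus file, and flags any preference that carries a clear-text secret. The element names it uses (NessusClientData_v2, Policy, FamilySelection, PluginsPreferences, Report, ReportHost, ReportItem) follow the later .nessus v2 layout, not the 3.0-era document the PDF describes, so verify them against the format reference before pointing this at files written by the original client. The embedded sample, its host, plugin IDs, names and password are all constructed for the example.

```python
"""Read a .nessus file: policy family selection, report findings, and any
credentials stored in clear text.  Added example; element names follow the
later .nessus v2 layout and must be checked against the format reference.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: host, plugin IDs, plugin names and the password are placeholders.
SAMPLE = """<NessusClientData_v2>
  <Policy>
    <policyName>FTP only</policyName>
    <policyComments>Checks FTP services only; constructed for this example.</policyComments>
    <Preferences>
      <PluginsPreferences>
        <item>
          <pluginName>SSH settings</pluginName>
          <preferenceName>SSH password (unsafe!) :</preferenceName>
          <preferenceType>password</preferenceType>
          <selectedValue>hunter2</selectedValue>
        </item>
        <item>
          <pluginName>Ping the remote host</pluginName>
          <preferenceName>TCP ping destination port(s) :</preferenceName>
          <preferenceType>entry</preferenceType>
          <selectedValue>built-in</selectedValue>
        </item>
      </PluginsPreferences>
    </Preferences>
    <FamilySelection>
      <FamilyItem><FamilyName>FTP</FamilyName><Status>enabled</Status></FamilyItem>
      <FamilyItem><FamilyName>Windows</FamilyName><Status>disabled</Status></FamilyItem>
    </FamilySelection>
  </Policy>
  <Report name="FTP only">
    <ReportHost name="192.0.2.10">
      <ReportItem port="21" svc_name="ftp" protocol="tcp" severity="2"
                  pluginID="10079" pluginName="Anonymous FTP Enabled" pluginFamily="FTP">
        <description>Anonymous logins are allowed.</description>
      </ReportItem>
      <ReportItem port="21" svc_name="ftp" protocol="tcp" severity="0"
                  pluginID="10092" pluginName="FTP Server Detection" pluginFamily="FTP">
        <plugin_output>220 example ftpd ready</plugin_output>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

# Preference names that usually hold a secret even when the type is not "password".
CREDENTIAL_NAME = re.compile(r"password|passphrase|secret|community string", re.I)


def parse_nessus(xml_text):
    """Return policy name, family -> status map, and a flat list of findings."""
    root = ET.fromstring(xml_text)
    policy = root.find("Policy")
    families = {item.findtext("FamilyName"): item.findtext("Status")
                for item in policy.iter("FamilyItem")}
    findings = []
    for host in root.iter("ReportHost"):
        for ri in host.findall("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": int(ri.get("port")),
                "protocol": ri.get("protocol"),
                "severity": int(ri.get("severity")),
                "plugin_id": ri.get("pluginID"),
                "plugin_name": ri.get("pluginName"),
                "family": ri.get("pluginFamily"),
            })
    return {"policy_name": policy.findtext("policyName"),
            "families": families, "findings": findings}


def saved_credentials(xml_text):
    """(plugin, preference) pairs holding a non-empty secret.  A policy saved
    with 'Save credentials in clear text' stores the password verbatim."""
    root = ET.fromstring(xml_text)
    leaks = []
    for item in root.iter("item"):
        name = item.findtext("preferenceName") or ""
        ptype = item.findtext("preferenceType") or ""
        value = (item.findtext("selectedValue") or "").strip()
        if value and (ptype == "password" or CREDENTIAL_NAME.search(name)):
            leaks.append((item.findtext("pluginName"), name))
    return leaks


def uncovered_families(parsed):
    """Families the policy did not enable: no findings here means 'not checked',
    not 'clean', which is the mistake the post warns about."""
    return sorted(f for f, s in parsed["families"].items() if s != "enabled")


if __name__ == "__main__":
    parsed = parse_nessus(SAMPLE)
    print("policy:", parsed["policy_name"])
    print("not scanned:", ", ".join(uncovered_families(parsed)))
    for f in parsed["findings"]:
        print(f"{f['host']}:{f['port']}/{f['protocol']} sev={f['severity']} {f['plugin_name']}")
    for plugin, pref in saved_credentials(SAMPLE):
        print(f"WARNING: clear-text credential in '{plugin}' / '{pref}'")
```

Run saved_credentials over a policy before putting it online; the publishing guideline above is easier to keep when the check is mechanical. Only the entry whose preference type is "password" (or whose name looks like one) and whose value is non-empty is reported, so an ordinary entry such as a port list is left alone. For .nessus files you did not produce yourself, parse with defusedxml.ElementTree instead of the standard library module, since a results file is attacker-influenced input.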