6 Replies Latest reply: Sep 20, 2017 9:04 AM by kyle.cary

Failing to Load Custom Plugins in Nessus Security Center 5.4

apuente Novice

Hi Everyone,

 

I've been following all instructions I've found trying to load a plugin to the Security Center with no luck. It is important to note that the plugin works perfectly in a Nessus Scanner: I can find it in the plugin list when I am creating a policy, use it and I get the right output. I just can't get it to load in my Security Center.

 

Content of the tar file:

 

user@laptop ~$ tar -vztf uploadme.tar.gz

-rw-r--r--  0 user staff      52 Aug 20 23:13 custom_feed_info.inc

-rw-rw-r--  0 user staff    2910 Aug 20 23:12 internal_version.nasl

 

I also signed the plugin with an RSA key and stored the public key in: /opt/sc/daemons/, in the same directory as /opt/sc/daemons/nessus_org.pem


[root@nessus-sc sc]# head ./data/customNasl/internal_version.nasl

#TRUSTED a882dd2c5b6c462959f148405a8de131b3c997afbdcb75047f1e4c43c4a696e73a80b58577a50a81389c65b651495c6c93372add0d87fe9f30b0986d07cb8d17ac8ae1214783a0db1cbb848020bee66a8c8baf9601bd9756c0b28dc3842536d3db74d69d6b38c8cba6e3bf644f641c69647a0507d5cef81270a6aad30a4f7108dc663dc8dfaddf4355f41751398938326fef2ffd94b6aaf972b2fbfd7488e3513791393106e3fd5545fdb0f460c69c166d07b515fa856848b03f6ee1291379159162609db796710a387ac5c4853e5479e44ce0941cce6868de0b2c3b8ca317c60c43c48e021e39082049451eb0

#

# (C) Company Inc.

# Security Operations

#

 

Logged in as I uploaded the Custom Plugin by going to "Admin User: -> "Plugins" -> Upload Custom Plugins.

 

Looking at the logs I can see:

 

[root@nessus-sc ~]# tail -f /opt/sc/admin/logs/201708.log

Mon, 21 Aug 2017 06:20:09 +0000|CustomPluginUpload|message|INFO|0|Custom Plugin Upload job #205396 has started.

Mon, 21 Aug 2017 06:20:16 +0000|CustomPluginUpload|customPlugin|INFO|0|Custom Plugins for Nessus Scanners have been uploaded.

Mon, 21 Aug 2017 06:20:16 +0000|CustomPluginUpload|customPlugin|INFO|0|CustomPlugin: 0 total Plugins with 0 added, 0 updated, 0 removed.

Mon, 21 Aug 2017 06:20:16 +0000|CustomPluginUpload|message|INFO|0|Custom Plugins updated: 0 total Plugins found, 0 new Plugins, 0 modifed Plugins, and 0 removed Plugins.

Mon, 21 Aug 2017 06:20:16 +0000|CustomPluginUpload|message|INFO|0|Custom Plugin Upload job #205396 has ended.

 

But the file exists:

[root@nessus-sc sc]# find . -iname "*internal*"

./data/nasl/bugzilla_internal_error_xss.nasl

./data/nasl/hp_sitescope_getfileinternal.nasl

./data/nasl/internal.pol

./data/nasl/propfind_internal_ip.nasl

./data/nasl/smb_internals.inc

./data/customNasl/internal_version.nasl <---- My Plugin

 

I even restarted the Security Center with no luck.

 

What am I doing wrong? Why can't the Security Center see/load my script even though it copies it to the customNasl directory? Why can't I find the new plugin? Right now I am using a custom family named "Company_Name". As I mentioned before, the plugin works perfectly in a normal Nessus Scanner attached to my Security Center, but I cannot find it or the custom family.

 

Any useful help is appreciated.

Adrian Puente

  • Re: Failing to Load Custom Plugins in Nessus Security Center 5.4
    CodyDumont Master

    I would contact Technical Support on this issue, and work with them directly.

  • Re: Failing to Load Custom Plugins in Nessus Security Center 5.4
    kyle.cary Novice

    I got my plugin to show up in the SC plugins list:

    Used only the "custom plugin" section of https://docs.tenable.com/sccv/Content/PDF/SecurityCenter_UserGuide.pdf

     

    1. custom NASL (easier to modify an existing one as a test first, that way you KNOW everything is correct)

    2. in the NASL script, my plugin ID (listed as "script_id") I assigned was 950505; ENSURE plugin ID (script_id) is unique for your environment.

    3. Create a tar file containing the necessary files:

    - All .inc files that are listed in your custom script; these can be viewed by grepping for .inc files within your NASL script.

    -Also a custom feed.inc file needs to be created, contents as follows:

    ]# cat custom_feed_info.inc

    PLUGIN_SET = "201709131500";

    PLUGIN_FEED = "Custom";

     

    - Any custom nasl script(s) should be in this TAR as well.

    Tar command used, separate multiple files with spaces

    # tar -cvzf custom_nasl_archive.tar.gz custom_feed_info.inc compat.inc audit.inc cisco_func.inc global_settings.inc misc_func.inc cisco-sa-20160113-ise_Custom.nasl

     

    My Tar file is as follows: (permissions are not a concern because SC resets them upon import, from my experience)

    #  tar -tvf custom_nasl_archive.tar.gz

    -rw-r--r-- tns/tns          53 2017-09-13 16:53 custom_feed_info.inc

    -rw-r--r-- tns/tns        9773 2016-10-18 13:24 compat.inc

    -rw-r--r-- tns/tns       45292 2017-03-03 19:46 audit.inc

    -rw-r--r-- tns/tns       19999 2017-06-28 21:16 cisco_func.inc

    -rw-r--r-- tns/tns       11986 2016-10-18 13:29 global_settings.inc

    -rw-r--r-- tns/tns       57700 2017-08-11 21:31 misc_func.inc

    -rw-r--r-- tns/tns        4005 2017-09-13 09:50 cisco-sa-20160113-ise_Custom.nasl

     

    4. In my case, I used pscp.exe to transfer the tar.gz to my Windows host, then I uploaded the tar.gz file into SC via the Plugins > Import Custom Plugin option.

    5. My roadblock was that I was trying to upload multiple times after making a few troubleshooting changes... YOU MUST change the PLUGIN_SET = "201709131500"; timestamp upon each import. After hours, I finally changed my timestamp from the original, re-tar'd the file, then re-imported it. Then my plugin ID appeared.

     

    You can verify that it was imported by checking in the /opt/sc/data/customNasl directory:

    (Note: this may take up to 5 minutes or so. I usually had to wait at least a few minutes for it to appear)

    # find /opt/sc/ -iname "cisco-sa-20160113-ise_Custom.nasl"

     

    /opt/sc/data/nasl/cisco-sa-20160113-ise_Custom.nasl

    /opt/sc/data/customNasl/cisco-sa-20160113-ise_Custom.nasl

     

    Note that your NASL script may disappear from the /opt/sc/data/nasl/ directory after import, and only exist in the /customNasl directory. This is normal apparently, not sure why this happens.
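
    Added example, not part of kyle.cary's post and not Tenable tooling: a shell helper that automates the packaging steps described in the reply above. It writes custom_feed_info.inc with a new PLUGIN_SET stamp on every run, rejects duplicate or missing script_id values, and archives only the .inc files the plugins actually include. The function names and the no-whitespace-in-filenames restriction are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not Tenable's tooling): package custom NASL plugins for upload.
# Assumption: plugin and .inc file names contain no whitespace.

# NASL pulls in libraries with include("name.inc"); list them for one script.
list_includes() {
    grep -oE "include\([\"'][^\"']+\.inc[\"']\)" "$1" |
        sed -E "s/.*\([\"']([^\"']+)[\"']\)/\1/" | sort -u
}

# First script_id(N) declared in a plugin; empty output if there is none.
plugin_id() {
    grep -oE 'script_id\([0-9]+\)' "$1" | head -n 1 | tr -dc '0-9'
}

# build_archive DIR OUT [STAMP]
# Writes a fresh custom_feed_info.inc, refuses duplicate or missing script_ids
# and missing include files, then tars exactly the files the plugins need.
build_archive() (
    dir=$1; out=$2
    stamp=${3:-$(date +%Y%m%d%H%M)}      # YYYYMMDDHHMM, the format shown in the post
    printf 'PLUGIN_SET = "%s";\nPLUGIN_FEED = "Custom";\n' "$stamp" \
        > "$dir/custom_feed_info.inc"
    files="custom_feed_info.inc"; ids=""
    for f in "$dir"/*.nasl; do
        [ -f "$f" ] || { echo "no .nasl files in $dir" >&2; exit 1; }
        id=$(plugin_id "$f")
        [ -n "$id" ] || { echo "no script_id in $f" >&2; exit 1; }
        case " $ids " in
            *" $id "*) echo "duplicate script_id $id in $f" >&2; exit 1 ;;
        esac
        ids="$ids $id"
        for inc in $(list_includes "$f"); do
            [ -f "$dir/$inc" ] || { echo "$f needs missing $inc" >&2; exit 1; }
            files="$files $inc"
        done
        files="$files ${f##*/}"
    done
    # De-duplicate includes shared by several plugins before archiving.
    files=$(printf '%s\n' $files | sort -u)
    tar -czf "$out" -C "$dir" $files
)
```

    Calling `build_archive ./plugins custom_nasl_archive.tar.gz` without a third argument stamps the archive with the current minute, so two builds made within the same minute carry the same PLUGIN_SET.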

  • Re: Failing to Load Custom Plugins in Nessus Security Center 5.4
    apuente Novice

    Hi Kyle,

     

    Are you a customer or a support staff from Tenable? I followed the same instructions with partial success. I've been working directly with Tenable Support for days and they haven't been able to come back with a real solution to this problem and it seems other people are having the same issue.

     

    In your explanation you don't mention anything about the creation of an RSA key for signing the plugins nor how to sign the plugin with the key, something that you can only do in a Nessus Scanner because the internal directory structure is different. An unsigned plugin is a security threat and will only be loaded into the Security Center if you explicitly configure this setting. Did you have to configure this setting to load your plugin into Security Center?

     

    If it is not too much to ask would you please share with us the tarball you used to test this issue?

    • Re: Re: Failing to Load Custom Plugins in Nessus Security Center 5.4
      kyle.cary Novice

      I am a customer. The steps I listed are the exact steps I took; I never created an RSA key for signing my NASL file(s). However, the settings may have been configured by my predecessors. If what you mentioned is accurate, then I may have the explicit setting to allow importing of unsigned (untrusted) plugins (unlikely). However, I am unable to locate that setting. If someone would be able to find that setting in Security Center I will attempt the same process with the setting enabled; or someone else could attempt the plugin import with this setting disabled as a test.

       

      It also seems that most of the ".inc" files contain the #TRUSTED string at the top, which tells me they are signed. These are also in my tar file as I simply copied them from the /opt/sc/data/nasl/ directory. The only .inc file that does not contain the #TRUSTED string at the top is the "custom_feed_info.inc" file (the one I created). Also, the .NASL files do NOT contain the #TRUSTED string either. Again, the contents of the TAR file I uploaded into SC are:

       

      tar -tvf custom_nasl_archive.tar.gz

      -rw-r--r-- tns/tns          53 2017-09-13 18:30 custom_feed_info.inc

      -rw-r--r-- tns/tns        9773 2016-10-18 13:24 compat.inc

      -rw-r--r-- tns/tns       45292 2017-03-03 19:46 audit.inc

      -rw-r--r-- tns/tns       19999 2017-06-28 21:16 cisco_func.inc

      -rw-r--r-- tns/tns       11986 2016-10-18 13:29 global_settings.inc

      -rw-r--r-- tns/tns       57700 2017-08-11 21:31 misc_func.inc

      -rw-r--r-- tns/tns        4005 2017-09-13 18:18 cisco-sa-20160113-ise_Custom.nasl

      -rw-r--r-- root/root      3887 2017-09-13 18:23 cisco-sa-20160113-ise_Custom2.nasl

      -rw-r--r-- root/root      3888 2017-09-13 18:25 cisco-sa-20160113-ise_Custom3.nasl

       

       

      Interestingly, as a test I ran (from Security Center):

      "/opt/sc/bin/nasl update /opt/sc/data/customNasl/cisco-sa-20160113-ise_Custom.nasl"

       

      and received the error:

      ...

      /opt/sc/data/customNasl/compat.inc: Could not verify the signature - this script will be run in non-authenticated mode

      ...

      /opt/sc/data/customNasl/audit.inc: Could not verify the signature - this script will be run in non-authenticated mode

      ...

      /opt/sc/data/customNasl/cisco_func.inc: Could not verify the signature - this script will be run in non-authenticated mode

      ...

      /opt/sc/data/customNasl/global_settings.inc: Could not verify the signature - this script will be run in non-authenticated mode

      ...

      /opt/sc/data/customNasl/misc_func.inc: Could not verify the signature - this script will be run in non-authenticated mode

       

      Even though the #TRUSTED string was present, and I copied the original files without modification to them. But when I ran a non-custom script (the original this is based off of) I did NOT get the "could not verify signature" errors. Regardless, my plugins do work and I get results; however, this is further evidence that I may not be requiring signature verification for custom plugin imports.

      Also here is a consideration if someone is using Windows based Nessus scanners:

      Creating a trusted plugin or running an untrusted one

       

      I would be able to share the tar file. I could email the file if you or a Tenable rep message me with an email, assuming that's how it must be done. Are you hoping to import this TAR into your SC for testing?