Tenable Connect Support

Knowledge Base Article

What is the nessusd.rules file?

INFORMATION

The nessusd.rules file is an editable, text-based file used to configure Nessus scans to allow and reject ports, IP addresses, IP ranges, plugins, and targets. Please note that if scans are launched from Tenable.sc or Tenable.io, all scans that use this Nessus scanner are still subject to the nessusd.rules file.

By default, based on your operating system, the nessusd.rules file can be found in the following locations:

  • Linux
    /opt/nessus/etc/nessus/nessusd.rules
  • Windows (default location)
    C:\ProgramData\Tenable\Nessus\conf\nessusd.rules
    • Note: The ProgramData folder is hidden by default in Windows. In addition, the path specified is the default but can vary if Nessus was installed on another drive (e.g., E:\ProgramData\...\). For more information, see the Microsoft article Show hidden files.
  • macOS
    /Library/Nessus/run/etc/nessus/nessusd.rules
  • Tenable Core
    1. Log in to Tenable Core on port 8000.
    2. In the left navigation, click Nessus.
    3. The nessusd.rules file can be found on the left side of the resulting screen.

DETAILS

Lines that start with # are comments. Lines that do not start with # are actual settings.

The default nessusd.rules file begins with a series of comments which include explanations and examples. These are divided into 3 syntax sections: Target Syntax, Plugin Syntax, and Default Rule Syntax. The syntax section heading name is followed by a colon and then lists the exact allowable syntax.

You can use CIDR notation, address ranges written with a hyphen (-), or hostnames to identify the targets.

Below each section heading, a sample explanation is followed by an indented line, which includes what the actual setting would look like.

# Target Syntax: accept|reject address/netmask:port[-port_max]
#
# Reject the target with IP 10.42.123.10
#   reject 10.42.123.10
# Reject any target on 10.42.123.x
#   reject 10.42.123.0/24
# Reject any target between 10.42.123.10-10.42.123.50
#   reject 10.42.123.10-10.42.123.50
# Reject the target with hostname 'NessusHost'
#   reject NessusHost
# Reject connecting to port 80 for 10.0.0.1
#   reject 10.0.0.1:80
# Reject connecting to port 8100 for all IP addresses
#   reject 0.0.0.0/0:8100

All settings in the nessusd.rules file take precedence over the scan's settings configured in the Nessus GUI.

If a setting is added to the nessusd.rules file to not scan certain ports, those ports will not be scanned even if those ports are listed to be scanned in any scan setting.
Note: Rules are evaluated from the top down. Add new rules above the default accept line, never below it.

For example, to stop port 80 from being scanned on 10.0.0.1:

  1. In the nessusd.rules file, add the following:
    reject 10.0.0.1:80

    This statement tells Nessus to not connect to port 80 on 10.0.0.1.
  2. In Nessus, for a scan configured to target 10.0.0.1 with port 80 in the Discovery section's Port Scanning range, port 80 would be ignored. No plugins will fire against port 80.

As a result, port 80 will not be scanned because the nessusd.rules settings take precedence over all scans configured in the GUI.
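
To check what a rules file will actually do to a given host, port, or plugin before deploying it, the following added Python evaluator (not Tenable's code) reads the syntax described above. It assumes first-match evaluation from the top down, as the note above describes, with the default line applying when nothing matches; the sample rules are constructed for the example.

```python
import ipaddress
# Constructed sample in the file's own syntax; not the stock file Nessus ships with.
SAMPLE_RULES = """\
reject 10.0.0.1:80
reject 192.168.0.0/24:8000-10000
reject 10.42.123.10-10.42.123.50
reject [2001:db8::abcd]:1-1024
reject NessusHost
plugin-reject 10335
default accept
"""

def parse_target(spec):
    # 'addr[/mask|-addr_max]' or '[v6]', with optional ':port[-port_max]' -> (nets, ports)
    host, _, ports = spec[1:].partition("]:") if spec[0] == "[" else spec.partition(":")
    host = host.rstrip("]")                        # bare [v6] literal without a port
    try:
        if "-" in host:                            # explicit a-b address range
            a, b = map(ipaddress.ip_address, host.split("-"))
            nets = list(ipaddress.summarize_address_range(a, b))
        else:
            nets = [ipaddress.ip_network(host, strict=False)]
    except ValueError:
        nets = [host.lower()]                      # hostname, matched by name only
    # "80" -> (80, 80); "8000-10000" -> (8000, 10000); no port part -> every port
    return nets, tuple(map(int, (ports.split("-") * 2)[:2])) if ports else None

def evaluate(rules_text, host, port=None, plugin_id=None):
    # Top-down, first matching rule wins; the default line applies otherwise (assumed semantics).
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None                                # target given as a hostname
    verdict = "accept"
    for raw in rules_text.splitlines():
        parts = raw.split("#", 1)[0].split()       # drop comments and blank lines
        if not parts: continue
        kind, arg = parts[0], parts[1]
        if kind == "default":
            verdict = arg
        elif kind.startswith("plugin-") and plugin_id is not None:
            lo, _, hi = arg.partition("-")
            if int(lo) <= plugin_id <= int(hi or lo):
                return kind[len("plugin-"):]
        elif kind in ("accept", "reject"):
            nets, ports = parse_target(arg)
            if ports and (port is None or not ports[0] <= port <= ports[1]):
                continue                           # port-limited rule; this port is outside it
            if any(n == host.lower() if isinstance(n, str) else addr is not None and addr in n for n in nets):
                return kind
    return verdict
```

Run it against your own file's contents with the hosts and ports a scan is expected to cover; a result of "reject" where you expected coverage means a rule above the default line is silently excluding that target.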

If desired, you can change the location of the nessusd.rules file. The rules setting and its file location are listed in the Advanced settings of Nessus. To ensure the file's location change takes effect, restart the Nessus service.

ADDITIONAL RESOURCES

Default nessusd.rules file contents:

# Nessus rules
#
#
# Target Syntax: accept|reject address/netmask:port[-port_max]
#
# Reject any target on 10.42.123.x
#   reject 10.42.123.0/24
# Reject connecting to port 80 for 10.0.0.1
#   reject 10.0.0.1:80
# Reject connecting to ports 8000 - 10000 (inclusive) for any host in the 192.168.0.0/24 subnet
#   reject 192.168.0.0/24:8000-10000
# Reject connecting to ports 1 - 1024 (inclusive) for the host 2001:db8::abcd
#   reject [2001:db8::abcd]:1-1024
#
#
# Plugin Syntax: plugin-accept|plugin-reject id[-id_max]
#
# Reject plugin #10335
#   plugin-reject 10335
# Allow plugins #10000 through #40000 (inclusive)
#   plugin-accept 10000-40000
#
#
# Default Rule Syntax (if no other rules apply): default accept|reject
#
# Accept everything else
#   default accept
# Reject everything else
#   default reject


default accept

Published 19 days ago
Version 1.0