Passive Vulnerability Scanner 3.6 Linux User Guide September 20, 2013 (Revision 4) The newest version of this document is available at the following URL: http://static.tenable.com/prod_docs/PVS_3.6_Linux_user_guide.pdf Copyright © 2002-2012 Tenable Network Security, Inc. Tenable Network Security, Nessus and ProfessionalFeed are registered trademarks of Tenable Network Security, Inc.
Table of Contents
Introduction
Standards and Conventions
Passive Vulnerability Scanner Background and Theory
Pre-Installation
What is a Passive Vulnerability Scanner ID?
Internal Passive Vulnerability Scanner IDs
Working with Passive Vulnerability Scanner Plugins
Vulnerability and Passive Fingerprint Overview
Appendix 4: Non-Tenable License Declarations and Patent
Related 3rd Party and Open-Source Licenses
INTRODUCTION This document describes the Passive Vulnerability Scanner 3.6 architecture, installation, operation, integration with the SecurityCenter and export of data to third parties. Please email any comments and suggestions to support@tenable.com. The Passive Vulnerability Scanner 3.
> highlight all interactive and encrypted network sessions
> detect when new hosts are added to a network
> track exactly which systems communicate with other systems and on what ports
> detect what ports are served and what ports are browsed by each system
> detect how many hops away each monitored host is
This document provides directions for deploying, configuring and operating the PVS.
SOFTWARE AND LICENSING
Download or Obtain the Software
To install the PVS, obtain the correct version for your desired operating system from the Tenable Support Portal. Confirm the integrity of the installation package by comparing the MD5 checksum of the downloaded file with the one listed in the product release notes. It is important to ensure that the correct build for your operating environment is downloaded, since the builds are not binary compatible with each other.
INSTALLATION AND OPERATIONS
UPGRADING FROM PVS 3.X
Red Hat
If you have used a PVS RPM to install PVS previously, an upgrade is simple and retains configuration settings. Transfer the PVS RPM package to the system it is being installed on. Confirm the integrity of the installation package by comparing the MD5 checksum of the download with the one listed in the product release notes. Before upgrading, stop the PVS service:
# service pvs stop
Unless otherwise noted, perform all commands as the system's root user. Install the PVS software for Red Hat with the following command. Note that the specific filename will vary, depending on your version:
# rpm -ivh pvs-x.x-es3.i386.rpm
Preparing...
Entering “i” for a new installation initiates prompts for configuration options. The first screen displayed permits setting of the network devices. All Unix servers have network devices that can be placed into “promiscuous” mode to sniff network packets. The PVS needs to know which device to use for sniffing. On Linux systems, this is typically “eth0”, with the 0 varying depending on the configuration of the server.
web server. To do this, list only the network CIDR blocks for which you want vulnerability reports. PVS will analyze client or server vulnerabilities on only those networks. Valid inputs are:
192.168.1.0/24
10.0.0.0/255.0.0.0
If no CIDR blocks are specified, the default of 0.0.0.0/0 will be chosen, causing all network traffic to be monitored. Press [ENTER] after every CIDR block. Press Ctrl+D when you are done.
192.168.10.0/24
You entered : 192.168.10.
PVS can report its data to the SecurityCenter console for centralised management. If you enable SecurityCenter support, PVS will run a daemon (pvs-proxy) which will be polled by SecurityCenter regularly to fetch all the new reports. To do so, you will need to set up a username and password for pvs-proxy and give these credentials to SecurityCenter.
Starting PVS via the "RC" script will also lint the pvs.conf file for syntax errors before starting. If errors are detected, PVS will report them and will not start until they are corrected.
Post Installation
Once installed, the original RPM file or unpacked files are not needed and may be deleted if desired. If multiple Ethernet devices should be monitored, simply edit the pvs.conf file located in /opt/pvs/etc and add multiple lines which contain "interface" keywords and the specified Ethernet devices.
# ps aux | grep pvs
root 25191 22.7 26.9 384388 274704 pts/2 Sl 15:26 0:05 /opt/pvs//bin/pvs
root 25194  0.1  0.6  13312   6380 pts/2 S  15:26 0:00 /opt/pvs//bin/pvs-proxy
root 25199  0.0  0.0 103300    844 pts/2 S+ 15:26 0:00 grep pvs
Once running, the pvs binary will be managed completely by the pvs-proxy daemon. In this mode, the PVS will store its vulnerability reports (.nsr files) in a directory monitored by the PVS Proxy, /opt/pvs/var/pvs-proxy/scans.
Starting Passive Vulnerability Scanner
cb67c871206b18d743a5e070276bf13d /opt/pvs/bin/pvs
Valid license detected for host pvshostname
Initializing PVS. Version: 3.6.0 Build ID: 201201182
Load of file /opt/pvs/var/pvs/disabled-scripts.txt is complete.
md5 checksum : 3e25b1d5076fa924393ad55fe1a95390 /opt/pvs/var/pvs/plugins/tenable_plugins.prmx
Loaded include file: byte_func.inc
Loaded include file: cpe.inc
Loaded include file: cpe_db.inc
…
Loaded 4929 plugins
Filter expression: (net 0.0.0.
The PVS requires the “-c” and “-r” options each time it runs. These options tell the PVS where to obtain its configuration information and where to write out its vulnerability report. The other options are available for diagnostics and to analyze TCPDUMP trace files. By default, the current content of the reports will be written to disk in the file pvsreport.nsr every sixty minutes. Changing the “report-frequency” setting in the pvs.conf file will allow the report time to be modified.
the pvs command was run. For example, if you were in /home/userx when you issued the above command, the report file would be located in /home/userx/report.nsr. If you want the report.nsr file to be created in a specific directory, specify the full path, such as “-r /home/jsmith/myreport.nsr”. The PVS Watchdog The PVS Proxy uses a watchdog service to check the running state of the PVS and to restart the PVS service if it is detected to be down at any point.
On high-speed networks with more than 20,000 systems, if the system running the PVS is CPU bound, it may take up to 30 seconds to generate the report. Downloading New Vulnerability Plugins To manually update the PVS plugins, run /opt/pvs/bin/pvs-update-plugins.sh. This will update the plugins located in /opt/pvs/var/pvs/plugins. If the SecurityCenter is being used to manage a PVS, new plugins for the PVS will expect to be sent to /opt/pvs/var/pvs/plugins and the PVS Proxy will restart the PVS.
nessus-report-version
Specifies the Nessus report file version used when saving the file. The default is "2".
log-directory
The log-directory keyword specifies a location for the pvs binary to write system logs. Log files of the format "YYYYMM.log" (e.g., 200502.log) will be created. These detail PVS operation and can be useful for debugging.
interface
The interface keyword specifies the network device to use for sniffing packets. Examples include eth0 and fxp1.
becomes available. The size of the cache will change dynamically and can be expected to grow to this maximum number only when needed.
memory
When reconstructing network sessions, the PVS will preallocate as many megabytes of memory as specified by this variable. By default, the PVS is installed with a memory value of "50" megabytes. Networks with sustained speeds of 100 Mb/s or more, or with more than 5,000 unique IP addresses, should raise this value to "100" MB.
> outbound-interactive-session (5)
> inbound-interactive-session (6)
> internal-encrypted-session (7)
> outbound-encrypted-session (8)
> inbound-encrypted-session (9)
The number in parentheses represents the corresponding plugin ID field.
detect-interactive-sessions
This keyword block specifies a set of "dependency" and "exclude" statements that the PVS uses to analyze sessions that contain interactive traffic.
time file size.
realtime-syslog
Specifies the IP address of a SYSLOG server to receive realtime events from the PVS. Up to sixteen SYSLOG servers can be specified for alerting. A local SYSLOG daemon is not required. Multiple realtime-syslog keywords can be used to specify more than one SYSLOG server.
vulndata-syslog
Specifies the IP address of a SYSLOG server to receive vulnerability data from the PVS. Up to sixteen SYSLOG servers can be specified for alerting. A local SYSLOG daemon is not required.
hosts. To prevent rediscovery of the entire network, the PVS can periodically write the list of active hosts to a file so that the information is available to PVS across restarts. Tenable recommends that this file be updated every 120 minutes.
backup-file
The location on disk at which to save the backup file.
networks
Specifies the networks to be monitored. This is set by the PVS installation script in Unix.
excluded-networks
Specifies any networks that should be excluded from PVS monitoring.
options {
    report-threshold 3;
    failure-threshold 10;
    interface "eth0";
    interface "eth1";
    key-file "/opt/pvs/var/tenable.key";
    plugins-directory "/opt/pvs/var/pvs/plugins";
    fingerprints "/opt/pvs/var/pvs/osfingerprints.txt";
    memory 50;
    report-lifetime 30;
    report-frequency 60;
}
networks {
    192.168.0.0/24;
}
REMOVING PVS
Red Hat
To remove PVS for Red Hat versions, you need to know what name it is registered as within the RPM database. This name will not be the same as the filename used for installation.
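The guide states that the RC script lints pvs.conf for syntax errors before starting PVS, but does not show what a lint pass looks like. The following is an added example, not code from the guide or from Tenable: a small parser for the block-structured grammar shown above (`keyword value;` statements, `name { ... }` blocks, `#` comments, repeated keywords such as `interface`) plus a set of checks drawn from the sizing advice in this guide. The sample configuration is the one printed above; the host count threshold and the problem messages are this example's own choices.

```python
import ipaddress
import re


def parse_pvs_conf(text):
    """Parse the pvs.conf grammar shown in this guide into nested dicts.
    Repeated keywords accumulate into lists; a bare flag such as 'high-speed;'
    is stored as True. Raises ValueError on the syntax errors the RC lint step
    would reject (missing ';', unbalanced braces)."""
    stripped = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    tokens = re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', stripped)
    pos = 0

    def parse_block(depth):
        nonlocal pos
        block, stmt = {}, []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "{":
                if len(stmt) != 1:
                    raise ValueError("a block must be introduced by exactly one name")
                block.setdefault(stmt[0], []).append(parse_block(depth + 1))
                stmt = []
            elif tok == "}":
                if depth == 0:
                    raise ValueError("unmatched '}'")
                if stmt:
                    raise ValueError("statement before '}' is missing ';'")
                return block
            elif tok == ";":
                if not stmt:
                    raise ValueError("empty statement")
                key, *vals = stmt
                block.setdefault(key, []).append(" ".join(v.strip('"') for v in vals) or True)
                stmt = []
            else:
                stmt.append(tok)
        if depth > 0:
            raise ValueError("missing '}'")
        if stmt:
            raise ValueError("trailing statement is missing ';'")
        return block

    return parse_block(0)


def lint_pvs_conf(conf, host_count=0):
    """Semantic checks a practitioner wants before starting PVS. The 100 MB /
    5,000 host thresholds follow this guide; host_count is supplied by the caller."""
    problems = []
    opts = conf.get("options", [{}])[0]
    if "interface" not in opts:
        problems.append("options: no 'interface' keyword, PVS has nothing to sniff")
    for key in ("key-file", "plugins-directory"):
        if key not in opts:
            problems.append(f"options: '{key}' is not set")
    if "networks" not in conf:
        problems.append("no 'networks' block: the 0.0.0.0/0 default monitors every address seen")
    for net in conf.get("networks", [{}])[0]:
        try:
            ipaddress.ip_network(net, strict=False)
        except ValueError:
            problems.append(f"networks: '{net}' is not a valid CIDR block")
    memory = int(opts.get("memory", ["50"])[0])
    if (host_count > 5000 or "high-speed" in opts) and memory < 100:
        problems.append(f"options: memory {memory} MB is below the 100 MB the guide "
                        "recommends for networks over 100 Mb/s or 5,000 hosts")
    return problems


def lint_file(text, host_count=0):
    """Syntax errors first, as the RC script's lint step would, then semantic checks."""
    try:
        conf = parse_pvs_conf(text)
    except ValueError as err:
        return [f"syntax: {err}"]
    return lint_pvs_conf(conf, host_count)


# Constructed sample: the options/networks example from this guide, with a comment added.
SAMPLE_CONF = """
options {
    report-threshold 3;
    failure-threshold 10;
    interface "eth0";
    interface "eth1";
    key-file "/opt/pvs/var/tenable.key";
    plugins-directory "/opt/pvs/var/pvs/plugins";
    fingerprints "/opt/pvs/var/pvs/osfingerprints.txt";
    memory 50;
    report-lifetime 30;
    report-frequency 60;
}
networks {
    192.168.0.0/24;   # focus network
}
"""
```

Running `lint_file(SAMPLE_CONF)` returns an empty list; the same configuration with `host_count=6000` is flagged for the 50 MB session table, and `options { memory 50 }` is rejected as a syntax error before any semantic check runs. The comment stripper is deliberately simple: a `#` inside a quoted path would be treated as a comment start.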
In the above picture, three sessions labeled A, B, and C are shown communicating to, from, and inside a focus network. In session A, the PVS only analyzes vulnerabilities observed on the server inside the focus network and does not report client side vulnerabilities. In session B, the PVS ignores vulnerabilities on the destination server, but reports client side vulnerabilities. In session C, both client and server vulnerabilities are reported.
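The focus-network rule above decides which side of a session is reported. As an added example (not the PVS implementation), the function below applies that rule to a client-to-server pair: a host is in focus if it lies in a configured `networks` block (either of the two CIDR spellings the installer accepts) and outside every `excluded-networks` block, and the three cases labelled A, B and C map to server-only, client-only and both-sides reporting. The sample addresses are constructed; the `"none"` label for a session with neither end in focus is this example's own.

```python
import ipaddress


def parse_network(spec):
    """Accept both spellings pvs.conf allows: 192.168.1.0/24 and 10.0.0.0/255.0.0.0."""
    return ipaddress.ip_network(spec.strip(), strict=False)


def in_focus(addr, networks, excluded=()):
    """True if addr lies inside a monitored block and outside every excluded one.
    An empty networks list is the installer's 0.0.0.0/0 default: everything is in focus."""
    ip = ipaddress.ip_address(addr)
    nets = [parse_network(n) for n in networks] or [parse_network("0.0.0.0/0")]
    if not any(ip in n for n in nets):
        return False
    return not any(ip in parse_network(x) for x in excluded)


def classify_session(client, server, networks, excluded=()):
    """Which side of a client->server session receives vulnerability reports.
    A: only the internal server; B: only the internal client; C: both ends."""
    client_in = in_focus(client, networks, excluded)
    server_in = in_focus(server, networks, excluded)
    label = {(False, True): "A", (True, False): "B", (True, True): "C"}
    return {
        "session": label.get((client_in, server_in), "none"),
        "report_client": client_in,
        "report_server": server_in,
    }


# Constructed sessions against the 192.168.10.0/24 focus network used during installation.
FOCUS = ["192.168.10.0/24"]
SAMPLES = [
    ("203.0.113.5", "192.168.10.20"),    # Internet client -> internal server (A)
    ("192.168.10.20", "203.0.113.5"),    # internal client -> Internet server (B)
    ("192.168.10.20", "192.168.10.30"),  # both ends inside the focus network (C)
    ("203.0.113.5", "198.51.100.9"),     # transit traffic, neither end in focus
]


def classify_samples(networks=FOCUS, excluded=()):
    """Labels for SAMPLES under a given networks/excluded-networks configuration."""
    return [classify_session(c, s, networks, excluded)["session"] for c, s in SAMPLES]
```

With the default `networks` list, `classify_samples()` yields `["A", "B", "C", "none"]`; with no networks at all every session becomes `C`, which is why leaving the installer prompt empty produces reports for every address PVS sees.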
By default, these settings are disabled and must be manually edited in the pvs.conf file. The PVS detects many applications through plugin and protocol analysis. At a lower level, the PVS also detects open ports and outbound ports in use on the monitored networks. By default, the PVS will detect any TCP server on the protected network if it sees a TCP “SYNACK” packet.
occurred at least once. For connections outside of the focus network, the PVS will only log what ports are browsed, not the actual destinations. If logging session-by-session network events is a requirement for your network analysis, Tenable offers the Log Correlation Engine product, which can be used to log firewall, web server, router, and sniffer logs. For more information, please visit http://www.tenable.com/products/lce/ .
then list the detected interactive or encrypted session as a vulnerability. The PVS has a variety of plugins to recognize telnet, Secure Shell (SSH), Secure Socket Layer and other protocols. In combination with the detection of the interactive and encryption algorithms, it is likely that the PVS will log multiple forms of identification for the detected sessions.
To prevent the PVS from having to relearn the network each time it starts, a file can be specified to save the active host information. This file contains a list of all the current active hosts for the PVS. The scanner also requires that an interval to update this file be specified. Tenable recommends an update time of at least one day (1440 minutes). When the PVS logs a new host, the Ethernet address is saved in the message.
destined for one or more addresses on the Internet.
00006 Inbound Interactive Sessions
The PVS has detected one or more interactive network sessions originating from one or more addresses on the Internet to this address within your focus network.
00007 Internal Encrypted Session
The PVS has detected one or more encrypted network sessions between two hosts within your focus network.
Restarting the Passive Vulnerability Scanner Once new passive plugins or operating system fingerprints are available to the PVS, it must be stopped and started again. WRITING PASSIVE VULNERABILITY SCANNER PLUGINS Plugin Keywords There are several keywords available for writing passive vulnerability plugins for PVS. Some of these keywords are mandatory and some are optional. The mandatory keywords are highlighted in blue.
cvsstemporal
metasploit
CANVAS : D2ExploitPack
CORE : true
CVSSTEMPORAL : CVSS2#E:F/RL:OF/RC:C
These keywords are displayed only in vulnerabilities detected by PVS 3.4 and greater.
dport
Same as "sport", but for destination ports.
family
Each Tenable plugin for the PVS is included in a family. This designation allows Tenable to group PVS plugins into easily managed sets that can be reported on individually.
hs_dport
Same as "hs_sport" except for destination ports.
nooutput For plugins that are written specifically to be used as part of a dependency with another plugin, the “nooutput” keyword will cause the PVS to not report anything for any plugin with this keyword enabled. noplugin This keyword will prevent a plugin from being evaluated if another plugin has already matched.
seealso If one or more URLs are available, this keyword can be used to display them. Multiple URLs can be specified on one line with commas. Example entries for this could include CERT advisories and vendor information web sites. Note: PVS 3.0.x will only display the last seealso defined in the PRM. PVS 3.2 and later will display multiple seealso directives. solution If a solution is available, it can be described here. The report section will highlight the solution with different text.
hs_sport=143
name=IMAP Banner
description=An IMAP server is running on this port. Its banner is :
%L
risk=NONE
match=OK
match=IMAP
match=server ready
regex=^.*OK.*IMAP.
Case Insensitive Example There is a tool called SmartDownLoader that uploads and downloads large files. Unfortunately, versions 0.1 through 1.3 use the syntax “SmartDownloader”, versions 1.4 through 2.7 use “smartdownloader” and versions 2.8 through current uses the syntax “SMARTdownloader”.
regex=^User-Agent: Mozilla/.* \(.*rv:(1\.3|1\.4a)
Match patterns that begin with the "^" symbol mean that at least one line in the packet payload must begin with the following pattern. Match patterns that begin with the "!" symbol indicate that the string must NOT match anything in the packet payload. In this case, the "!" and "^" symbols are combined to indicate that we should not evaluate any packet whose payload contains a line starting with the pattern "Received:".
The Passive Vulnerability Scanner can Match Binary Data
The PVS also allows matching against binary patterns. Here is an example plugin that makes use of binary pattern matching to detect the usage of the well known community string "public" in SNMPv1 response packets (the "#" is used to denote a comment):
###
# SNMPv1 response
#
# Matches on the following:
# 0x30 - ASN.
In each of these cases, the plugin would not match if the patterns contained in these "not" statements were present. For example, in the first pmatch statement, if the pattern "pattern" were present, then the plugin would not match. In the second statement, the binary pattern "AAA" (the letter "A" in ASCII hex is 0x41) would match only if it were not present as the first three characters.
Notice that plugin 1019 has the following field: dependency=1018. This field indicates the plugin 1018 must first evaluate successfully before plugin 1019 may be evaluated (i.e., that plugin 1019 depends on plugin 1018’s success before it can be evaluated). One more step is needed to complete the plugin for the anonymous FTP session. We need to ensure that both plugins are actually evaluating the same FTP session. We can do this by attaching a time dependency to plugin 1019.
related from causing millions of events. For example, the plugins for the Sasser worm only generate one event. Output from plugins with this keyword will show up in the vulnerability report. realtimeonly If a plugin has this keyword, then the PVS will generate a SYSLOG message or real-time log file entry each time the plugin evaluates successfully. These plugins never show up in the report file.
dependency=1277
hs_sport=79
track-session=10
realtimeonly
name=App Subversion - Successful finger query to multiple users
description=A response from a known finger daemon was observed which indicated that the attacker was able to retrieve a list of three or more valid user names.
risk=HIGH
match=Directory:
match=Directory:
match=Directory:
With this plugin, we are only looking for these patterns on systems where a working finger daemon has been identified (dependency #1277).
and Windows command shells occurring in services that should not have those command shells in them. Here is an example plugin:
# look for Windows error when a user tries to
# switch to a drive that doesn't exist
id=0201
include=services.inc
trigger-dependency
track-session=10
realtimeonly
name=Successful shell attack detected - Failed cd command
description=The results of an unsuccessful attempt to change drives on a Windows machine occurred in a TCP session normally used for a standard service.
One could argue that the “pregexi” statement could be expanded to include the trailing space after the “d” character and also the first character. The plugin then looks for the expected results of the failed “cd” command. The first match statement makes sure this pattern is not part of the FTP protocol. It turns out that looking for “cd” in one side of a session and the error of attempting to change to a directory in an FTP session would cause false positives for this plugin.
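The plugin examples in this section (the IMAP banner, the case-insensitive SmartDownLoader match, the "!^Received:" exclusion, the dependency chain, and the finger plugin with three "match=Directory:" lines) all rely on the same small set of PRM semantics. The following is an added example, not Tenable's plugin engine: it parses the key=value plugin format and evaluates a plugin against a single packet, implementing "^" as "some line begins with the pattern", "!" as "the pattern must be absent", regexi as case-insensitive, hs_sport/hs_dport as port filters and dependency as "that plugin ID already fired for this session". Treating a pattern listed n times as "must appear at least n times" is this example's reading of the finger plugin, not something the guide states. Previous-packet keywords (pmatch, pregex) and track-session are not modelled. The plugin IDs 9001 to 9004 and the payloads are constructed.

```python
import re
from collections import Counter


def parse_prm(text):
    """Parse one PRM plugin (keyword=value per line, keywords may repeat) into a dict of
    lists. Keywords without '=' (realtimeonly, clientissue, ...) are stored as True."""
    plugin = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        plugin.setdefault(key.strip(), []).append(value.strip() if sep else True)
    return plugin


def _count(pattern, payload, lines):
    """Occurrences of a match= pattern; a leading '^' means 'a line begins with it'."""
    if pattern.startswith("^"):
        return sum(1 for line in lines if line.startswith(pattern[1:]))
    return payload.count(pattern)


def evaluate(plugin, payload, sport=0, dport=0, matched_ids=frozenset()):
    """True if the plugin fires on this packet. matched_ids holds the IDs of plugins that
    already fired for the session; dependency= is checked against it."""
    for key, actual in (("hs_sport", sport), ("sport", sport), ("hs_dport", dport), ("dport", dport)):
        if key in plugin and str(actual) not in plugin[key]:
            return False
    if any(dep not in matched_ids for dep in plugin.get("dependency", [])):
        return False
    lines = payload.splitlines()
    for pattern, n in Counter(plugin.get("match", [])).items():
        if pattern.startswith("!"):
            if _count(pattern[1:], payload, lines):   # '!' : the pattern must be absent
                return False
        elif _count(pattern, payload, lines) < n:     # assumption: listed n times -> present n times
            return False
    for key, flags in (("regex", 0), ("regexi", re.IGNORECASE)):
        for rx in plugin.get(key, []):
            if not re.search(rx, payload, flags | re.MULTILINE):
                return False
    return True


def run_plugins(plugins, payload, sport=0, dport=0, matched_ids=()):
    """Evaluate plugins in order, feeding each hit's id into the dependency set, and
    return the ids that fired (the 1018 -> 1019 chaining described in the guide)."""
    fired = set(matched_ids)
    for plugin in plugins:
        if evaluate(plugin, payload, sport, dport, fired):
            fired.add(plugin["id"][0])
    return fired


# Constructed plugins modelled on the guide's examples; the 9xxx ids are hypothetical.
IMAP_BANNER = parse_prm(r"""
id=9001
hs_sport=143
name=IMAP Banner
match=OK
match=IMAP
match=server ready
regex=^\* OK .*IMAP
""")
FINGER_ENUM = parse_prm("""
id=9002
dependency=1277
hs_sport=79
realtimeonly
name=App Subversion - Successful finger query to multiple users
match=Directory:
match=Directory:
match=Directory:
""")
MOZILLA_UA = parse_prm(r"""
id=9003
hs_dport=80
match=!^Received:
regex=^User-Agent: Mozilla/.* \(.*rv:(1\.3|1\.4a)
""")
SMARTDL = parse_prm("""
id=9004
hs_dport=80
regexi=^User-Agent: smartdownloader/
""")

# Constructed payloads.
IMAP_PAYLOAD = "* OK IMAP4rev1 server ready\r\n"
FINGER_PAYLOAD = "Login: alice\nDirectory: /home/alice\nLogin: bob\nDirectory: /home/bob\nLogin: carol\nDirectory: /home/carol\n"
HTTP_PAYLOAD = "GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:1.4a) Gecko\r\n\r\n"
MAIL_PAYLOAD = "Received: from relay.example.com\r\nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:1.4a) Gecko\r\n"
```

`evaluate(FINGER_ENUM, FINGER_PAYLOAD, sport=79, matched_ids={"1277"})` is true, while the same payload without 1277 in the session's matched set, or a payload with only two "Directory:" lines, is not; `MAIL_PAYLOAD` is rejected by the "!^Received:" line even though its User-Agent header would satisfy the regex.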
The following example shows how to create a custom plugin to detect users logging into myspace.com accounts. First, a unique plugin ID is assigned, in this case “9000”. So, the first line of our plugin will be: id=9000 Next, we will want to have a description of what the vulnerability detects: description=The remote client was observed logging into a myspace.com account. You should ensure that such behavior is in alignment with corporate policies and guidelines.
The statement above ensures that they are posting to the host "login.myspace.com". Finally, we have a match and regex statement that detects the e-mail address used to log in:
match=email=
regex=email=.*%40[^&]+
Putting it all together, we have a single plugin as follows:
id=9000
family=Web Clients
clientissue
dependency=1735
name=MySpace_Usage
description=The remote client was observed logging into a myspace.com account.
0xde1d7f362734c4d71ecc93a23bb5dd4c and 0x747f029fbf8f7e0ade2a6198560c3278
A PVS plugin could then be created to look for this pattern as follows:
id=9005
trigger-dependency
dependency=2004
dependency=2005
hs_dport=25
description=POLICY - Confidential data passed outside the corporate network. The Confidential file don'tshare.doc was just observed leaving the network via email.
match=for HR data regarding Jane Mcintyre The two example plugins above (IDs 9005 and 9006) would detect files leaving the network via email. Most corporations have a list of ports that are allowed outbound access. SMTP is typically one of these ports. Other ports may include FTP, Messenger client ports (e.g., AIM, Yahoo and ICQ), or Peer2Peer (e.g., GNUTELLA and bittorrent).
P0f2 TCP Options
N      NOP option
Wnnn   window scaling option, value nnn (or * or %nnn)
Mnnn   maximum segment size option, same as above
S      selective ACK is permitted
T      timestamp options are present
T0     a timestamp option is present with a zero value
?n     unrecognized option number n
P0f2 "Quirks"
E      End-Of-Line terminated options
P      Options are present past the EOL entry
Z      The IP packet ID number is 'zero'
I      IP options are present
U      The TCP 'urgent' value is non-zero
X      The unused (x2) TCP header option i
A
T
F
D
!
ABOUT TENABLE NETWORK SECURITY Tenable Network Security, the leader in Unified Security Monitoring, is the source of the Nessus vulnerability scanner and the creator of enterprise-class, agentless solutions for the continuous monitoring of vulnerabilities, configuration weaknesses, data leakage, log management, and compromise detection to help ensure network security and FDCC, FISMA, SANS CAG, and PCI compliance.
APPENDIX 1: EXAMPLE PVS.CONF CONFIGURATION FILE
options {
# When adding new port, application, or vulnerability information to
# the PVS model of the observed network, the report-threshold is used
# to limit false positives and reports on ephemeral ports. An item
# will not be reported until it has occurred the specified number
# of times.
report-threshold 3;
# Specify the files into which PVS will write its report information.
# than 1024 MB. It can be set to a number less than 1024 MB.
max-packet-cache-size 1024;
# The memory keyword specifies the size in megabytes of the session
# table. By default it is set to 50. However, if you have a large
# network (such as a university network with 10,000 nodes or more)
# a setting of 500 should be used. PVS will use another 200 to 300
# MB to store vulnerability and host data in addition to the memory
# used in the session table. Please refer to the documentation for
# more information.
dependency 1149;
dependency 1150;
dependency 1151;
# snmp
dependency 1120;
# vnc
dependency 1882;
# SSL server
dependency 1133;
dependency 1134;
dependency 1135;
# don't examine web traffic
exclude 0.0.0.0/0 80;
exclude 0.0.0.0/0 443;
# don't examine ssh traffic
exclude 0.0.0.
dependency 1133;
dependency 1134;
dependency 1135;
#################
# Exclusions
#################
# ftp control channel
exclude 0.0.0.0/0 21;
# ssh
exclude 0.0.0.0/0 22;
# telnet
exclude 0.0.0.0/0 23;
# smtp
exclude 0.0.0.0/0 25;
# pop3
exclude 0.0.0.0/0 110;
# imap
exclude 0.0.0.0/0 143;
}
# Are we running on a high-speed network ?
# high-speed;
# When the following option is enabled, PVS will
# strip VLAN tags when processing PVS packets.
# would be marked as 'Client Side Port Usage'.
# connections-to-services;
# Uncomment this keyword to cause PVS to record who each host communicates
# with. For example, if a particular host checked email, sent email and
# browsed the web on port 80, a list of each host being used to send or
# receive email, as well as each web server would be shown. PVS will not
# record how many times a connection occurred, just that a particular network
# connection has occurred.
APPENDIX 2: WORKING WITH SECURITYCENTER
ARCHITECTURE
The PVS operates under the control of a SecurityCenter, which it supplies with passive vulnerability data. SecurityCenter has a variety of reporting, remediation and notification mechanisms to efficiently distribute vulnerability information across large enterprises. In addition, it can also control a distributed set of Nessus or other active vulnerability scanners.
In the above example, a filter is applied to only display events that have been correlated.
THE PASSIVE VULNERABILITY SCANNER IS REAL-TIME
Since the PVS's vulnerability data is being fed into SecurityCenter 24x7 and PVS's plugins are updated by Tenable, the accuracy of the passive vulnerability data in SecurityCenter greatly enhances the quality of the security information available to SecurityCenter's users.
APPENDIX 3: WORKING WITH NESSUS
It is possible to view a PVS report from within the Nessus interface by enabling the nessus-report-file option in /opt/pvs/etc/pvs.conf and setting the path and filename for the report file output. To ensure that the greatest amount of PVS data is able to be imported into Nessus, it is necessary that the nessus-report-version be set to "2" as shown below.
1. Once the report is generated you may import the resulting .nessus file directly into your Nessus server.
> generate-html-reports
> nsr-report-file
> xml-report-file
> realtime-plugins
> realtime-file
> realtime-syslog
> vulndata-syslog
If connection data is not needed, disabling connections-to-services and show-connections in pvs.conf will allow PVS to report only vulnerability data. Further tuning can be performed by disabling unwanted plugins through use of a disabled-plugins.txt file via the disabled-plugins option in pvs.conf. The file contains a list of plugin IDs, one per line, each followed by a newline.
APPENDIX 4: NON-TENABLE LICENSE DECLARATIONS AND PATENT Below you will find 3rd party software packages that Tenable provides for use with the Passive Vulnerability Scanner (Patent 7,761,918 B2). Section 1 (b) (ii) of the Passive Vulnerability Scanner License Agreement reads: (ii) The Software may include code or other intellectual property provided to Tenable by third parties, including Plug-Ins that are not owned by Tenable, (collectively, “Third Party Components”).
The word 'cryptographic' can be left out if the routines from the library being used are not cryptographic related :-). 4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@mincom.oz.