
Tenable Blog


Log Correlation Engine Rules Update

Tenable has released several new PRM libraries and TASL scripts. This blog entry details the changes and how Tenable customers can obtain them.

PRM Updates

dns_bind.prm

New rules to parse zone transfer updates.

Added rule for generic "IP deny" events.

firewall_cisco_pix.prm

Added rule for generic "IP deny" events.

firewall_netscreen.prm

Added rules to detect authorized SNMP polling and running policy configuration changes.

mail_postfix.prm

Added rule to process rejected logs due to Spamhaus filtering.

nbad_arbor.prm

This new library has rules to parse events from the Arbor network behavioral anomaly detection products. Incidentally, nids_stealthwatch.prm was renamed to nbad_stealthwatch.prm.

os_win2k_sys.prm

New rules were added to identify unexpected Windows service crashes, as well as application faults due to failed memory write attempts. These may be generated by failed buffer overflow or worm attacks. These events are also consumed by the new windows_crashes_and_restarts.tasl script that looks for these events occurring across multiple hosts.

PRM_mappings.prm

This PRM library does not contain any rules, but does include a list of all PRM IDs used by all libraries. This is useful to have for TASL writers and for choosing new IDs for new PRM rules.

router_cisco.prm

New rules for "RSH" connection attempts as well as link "up" and "down" messages.

ssh_openssh.prm

New rule added for processing login attempts by users who do not have an executable shell.

virus_clamav.prm

A new PRM library to analyze logs generated by the Clam AntiVirus application. Multiple PRM rules are used to normalize detected viruses as Trojans, worms, phishing attempts and so on.

vpn_cisco_concentrator.prm

The regular expressions were modified to handle logs from systems specified by an IP address or a DNS name. Also, administrator login success events and failures now generate specific events.

TASL Updates

detect_change.tasl

Now processes change detection events for NetScreen firewalls.

ids_event_followed_by_change.tasl

This TASL has been updated to include alerts from Arbor devices. In addition, it now also considers normalized Snort IDS events for detected executable code in motion.

standard_deviation_long_term.tasl

This TASL has also been updated to include alerts from Arbor devices.

windows_crashes_and_restarts.tasl

This TASL looks for many different types of Windows events, including the new events added to the os_win2k_sys.prm library. These rules identify unexpected Windows service crashes, Windows restarts due to crashes, and application faults due to failed memory write attempts. These may be generated by failed buffer overflow or worm attacks. The script looks for these events occurring across multiple hosts.

Obtaining These Rules

To obtain a particular PRM library, a user can use the UNIX wget program to fetch the file directly from the www.tenablesecurity.com web site. Below is an example of a user obtaining the os_linux.prm file:

wget -P . http://www.tenablesecurity.com/os_linux.prm

The "-P ." option tells wget to place the file in the local directory (a bare trailing period would be parsed by wget as a second URL). If this command were executed from the /usr/thunder/daemons/plugins directory, a user would just need to make sure the file is owned by user 'thunder' and then restart the thunderd service. To restart the Log Correlation Engine, please run:

/etc/rc.d/init.d/thunder restart

The TASL scripts are available for web download from:

http://cgi.tenablesecurity.com/tasl.html

Individual scripts can also be obtained with the wget tool in a similar manner. Here is an example download of the Windows Event Correlator script:

wget -P . http://cgi.tenablesecurity.com/tasl/windows_event_correlator.tasl

As with PRM libraries, if this command were executed from the /usr/thunder/daemons/plugins directory, a user would just need to make sure the file is owned by user 'thunder' and then restart the thunderd service.
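The download, ownership and restart steps above, collected into one script as an added example (this is not Tenable's own tooling). The plugin directory, the 'thunder' owner and the init script are those the post names; the sanity check that rejects an empty download or an HTML error page saved under a .prm/.tasl name, and the overridable PLUGIN_DIR, PLUGIN_OWNER and RESTART_CMD variables, are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the Tenable post: fetch a PRM or TASL file with wget,
# sanity-check it, install it into the LCE plugin directory owned by 'thunder',
# and restart thunderd. Directory, owner and init script are those the post
# names; the validation step and the overridable variables are assumptions.

PLUGIN_DIR="${PLUGIN_DIR:-/usr/thunder/daemons/plugins}"
PLUGIN_OWNER="${PLUGIN_OWNER:-thunder}"
RESTART_CMD="${RESTART_CMD:-/etc/rc.d/init.d/thunder restart}"

# check_rule_file FILE NAME: reject anything that is not a non-empty .prm/.tasl
# file, or that looks like an HTML error page served in place of the rule file.
check_rule_file() {
    case "$2" in
        *.prm|*.tasl) ;;
        *) echo "refusing $2: not a .prm or .tasl file" >&2; return 1 ;;
    esac
    [ -s "$1" ] || { echo "refusing $2: empty download" >&2; return 1; }
    case "$(head -c 512 "$1" | tr 'A-Z' 'a-z')" in
        *'<html'*|*'<!doctype'*) echo "refusing $2: looks like HTML" >&2; return 1 ;;
    esac
    return 0
}

# install_local_rule SRC NAME: validate SRC, place it as PLUGIN_DIR/NAME owned
# by the LCE user, then restart the daemon so it loads the new rules.
install_local_rule() {
    check_rule_file "$1" "$2" || return 1
    dest="$PLUGIN_DIR/$2"
    cp "$1" "$dest.tmp" || return 1
    chown "$PLUGIN_OWNER" "$dest.tmp" || { rm -f "$dest.tmp"; return 1; }
    chmod 644 "$dest.tmp" || { rm -f "$dest.tmp"; return 1; }
    mv -f "$dest.tmp" "$dest" || return 1   # atomic replace of any older copy
    $RESTART_CMD                            # e.g. /etc/rc.d/init.d/thunder restart
}

# install_lce_rule URL: download to a temporary file first so a failed or
# partial transfer never lands in the plugin directory.
install_lce_rule() {
    name="$(basename "$1")"
    tmp="$(mktemp "${TMPDIR:-/tmp}/lce-rule.XXXXXX")" || return 1
    if wget -q -O "$tmp" "$1" && install_local_rule "$tmp" "$name"; then
        rm -f "$tmp"; return 0
    fi
    rm -f "$tmp"; return 1
}
```

Run it as a user that may chown to 'thunder' and restart the service, e.g. `install_lce_rule http://cgi.tenablesecurity.com/tasl/windows_event_correlator.tasl`.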
