Log Analysis

Enhanced Botnet Detection with Nessus

by Ron Gula
March 22, 2012

Tenable’s Research team recently added the ability for Nessus to evaluate audited hosts to see if they are connected to or configured with a known botnet IP address. In this blog entry, we will review all of the features available within Nessus for botnet and malware detection, as well as the types of features that are available in other Tenable products.

Preventing & Detecting Malware: A Multifaceted Approach

by Paul Asadoorian
April 5, 2011

Successful Attacks from Automated Malware

Recently, malware dubbed "LizaMoon" (named after the first web site found distributing it) has been popping up in the news:

Dubbed LizaMoon, unidentified perpetrators of the scareware campaign inject script into legitimate URLs, so when people try to access the website, they get redirected to a page warning them that their PCs are infected with malware that can be removed by downloading a free AV application called Windows Stability Center.

From LizaMoon SQL Injection Attack Hits Websites

LizaMoon scans web sites for easily exploitable SQL injection vulnerabilities, then uses that to put redirects on the web site that take users to a site which installs malware. This is not a new form of attack, however the "Lizamoon" malware has been surprisingly successful. Google searches for infected sites report that over 1.5 million pages have been infected. The important thing to not about the numbers of infection is "pages" does not refer to sites, as a site can have multiple infected pages. This type of attack typically works as follows:

Analyzing the Compromise - without Going Hungry

by Paul Davis
February 21, 2011


It's 4:55 PM on a Friday and you are looking forward to an enjoyable dinner with your family. Your Blackberry starts buzzing from across your desk while your inbox starts filling up with alerts from your SecurityCenter along with frantic emails from Human Resources. It seems a disgruntled employee named Jack Black quit today and nobody remembered to tell the IT group to disable his accounts until after important files started disappearing. Suddenly, you are stuck in Incident Response mode, gathering data on the user's activities. Do you cancel your reservations?

Fortunately, you have deployed Tenable Network Security's Unified Security Monitoring products, and have a wide array of resources[1] at hand to streamline the response process. These resources include SecurityCenter, the Passive Vulnerability Scanner (PVS) and Log Correlation Engine (LCE). At a high level, what can these resources do for you?


SecurityCenter provides a unified view of both vulnerability and event data along with the alerting, ticketing and reporting required for thorough user forensics.

Passive Vulnerability Scanner

PVS not only tracks vulnerabilities, but logs user and network activities detected in real-time on the wire. These activities include:

Log Correlation Engine 3.6 – Now with its own GUI

by Ron Gula
January 5, 2011

Tenable Network Security has released version 3.6 of the Log Correlation Engine. This new version includes many performance enhancements as well as its own web-based user interface. This blog entry describes the new user interface, the increased performance and the new features of LCE 3.6.

Airport Security: Don't Make The Same Mistakes

by Paul Asadoorian
January 7, 2010

Airport "Security"

Those of us who travel through any U.S. airport are used to the inconvenience of airport security - the long lines, metal detectors, having to take off your shoes, belts, earrings, and of course the ominous "liquids and gels" inspection. While most people accept these inconveniences as an unfortunate necessity, much of what has been implemented shares some of the common pitfalls found in many computer and network security programs. Using the U.S. airport security model as an example, let’s take a look at some of the security being implemented and relate it to security gone wrong in the enterprise:

  • Throwing Technology at the Problem - Airports are equipped with some of the latest technology to provide security, such as full body scanners and x-ray machines, yet breaches still happen. Most of us who have served in a security role in an organization are all too familiar with this problem. The typical knee-jerk reaction from management to a security problem is to buy a product, such as a firewall, and install it on the network. Technology is important, but the process and people that surround it are what really makes it work. Training people to administer the firewall, and other security measures, to ensure they are being used properly is the key to success. Policy also needs to exist and be enforced, allowing businesses to operate securely.
  • airport-security-line.jpg
    The dreaded long lines at airport security are a by-product of the current security model at U.S. airports.