Log Analysis

Log Correlation Engine Rules Update

by Ron Gula
December 1, 2006

Tenable has released several new PRM libraries and TASL scripts. This blog entry details the changes and how Tenable customers can obtain them.

PRM Updates

dns_bind.prm

New rules to parse zone transfer updates.

Added rule for generic "IP deny" events.

firewall_cisco_pix.prm

Added rule for generic "IP deny" events.

Example Network Behavior Analysis Detection (NBAD) with the Log Correlation Engine

by Ron Gula
October 10, 2006

All Log Correlation Engine licenses include the stats daemon. This daemon reads any log source, including netflow or sniffed TCP sessions, builds a baseline of normal activity and then creates alerts when activity occurs that is statistically significant. This blog entry explains in greater detail how the stats daemon accomplishes this, and discusses several example "anomaly" detections.

Tenable's Correlation Model in General

Automatic User MAC Address Tracking

by Ron Gula
October 9, 2006

The Log Correlation Engine can be used to track DHCP leases and Active Directory authentication logs to automatically learn each user's Ethernet address and then alert when this relationship changes. Tenable has released a TASL script named user_to_mac.tasl which can perform this function with a variety of DHCP sources and Active Directory "successful login" events. This script is useful for several reasons:

SE Linux Log Support

by Ron Gula
July 19, 2006

Security Enhanced Linux (commonly known as SE Linux) offers several methods to restrict what the kernel and applications are allowed to do. This can help prevent successful buffer overflow attacks from both local and remote sources. When exceptions occur, the operating system generates logs that are processed by Tenable's Log Correlation Engine. Currently, the logs are processed and can be manually analyzed by users.
