
Advanced Dynamic Asset Rules

The Security Center can use the vulnerability data obtained by Nessus scans, Nessus patch audits and the data obtained by the Passive Vulnerability Scanner (PVS). Combinations of specific IDs, DNS names, results content and open ports can be used to create a "dynamic" asset list. These lists are updated each time a new scan is completed or passive vulnerability data is processed.

This blog entry will consider two examples of dynamic asset list creation which are more advanced than a typical user might need, but illustrate the flexibility of the type of rules which can be created.

Detecting Potentially Infected Nugache Instances

The Nugache virus is a classic type of worm which opens up a backdoor (in this case on port 8) and also connects out to IRC servers for commands.

If the PVS is configured to watch a network, it will see many types of applications in use and it will also see basic open ports and browsed ports. The PVS logs "open port" data to plugin #0 (the same as Nessus open ports). It also logs "browsed port" data to plugin ID #2.

So in Nugache's case, an active infection should have port 8 open and should also have connected out to IRC on port 6667. A dynamic asset rule to detect this is shown below:

[Figure: Advanced_nugache (the Nugache dynamic asset rule)]

Matching an open TCP port of 8 is very simple. Any vulnerability record can contribute an open port, and if that port is 8, the first clause of this rule matches.

The second clause is more tricky. Here we want to find hosts that have plugin ID #2 (browsed ports) present, but only where the browsed port is 6667. Plugin ID #2's data looks like this:

1.2.3.4 -> 80

That would mean that host 1.2.3.4 browses on port 80. Knowing that the port is at the end of the data, we can write a regular expression that looks for plugin ID #2 with data that ends in " 6667". The text in the above image says "2: 6667$", which means to look for plugin ID #2 data that ends with a space followed by the string "6667".

If you are not familiar with regular expressions, the dollar sign anchors the pattern to the end of the data. Without it, the pattern could match anywhere in the data: the expression "2: 6667" would match " 6667", but also " 66677", " 66671" or any other number that starts with "6667".

Users that are new to writing dynamic asset rules might want to write this rule as follows:

[Figure: Advanced_badrule (an incorrect version of the Nugache rule)]

This is incorrect. The spoken logic for this rule would sound like this:

"Find any hosts for port 8 open, and then make sure that they also have at least one vulnerability on port 6667 AND they also have at least one instance of plugin ID #2 for browsed ports".

So when the dynamic rules say that ALL rules must match, they must indeed all match, but each rule is evaluated individually across all of the available vulnerabilities for a given host. Nothing requires the vulnerability on port 6667 and the instance of plugin ID #2 to be the same record, so the rule can match hosts that never browsed port 6667 at all. Combining the plugin ID and the port into a single clause with the regular expression above avoids this.

We could make this dynamic asset rule a bit more generic by changing the rule for watching network browsing on port 6667, to a more generic PVS rule which finds and identifies IRC clients. These are PVS IDs 3101 and 3471. These rules have the advantage of being port independent. IRC servers can run on many different ports, and the PVS can recognize them through protocol analysis. We will use these rules in our next example.

Detecting the IRC Browsing Web Server

Once users get the hang of writing dynamic asset rules, we often see them create very creative rules that identify a wide variety of potential security issues as well as configuration issues.

One common idea we see often is to look for IRC activity from a server. The idea is to see an attacker's use of IRC after they have compromised a server.

Consider the following rule:

[Figure: Advanced_irc_web_rules (web server plus IRC client rule)]

Plugin ID #1442 is a PVS rule to generically find a web server on any port. Plugin IDs #3101 and #3471 find systems that use IRC clients. This rule, spoken in plain English, would say:

"Find any system which runs a web server (plugin #1442) and also uses an IRC client (with either plugin #3101 or #3471 being present)."

Now, consider what we found when we ran this on a large test network:

[Figure: Advanced_irc_web_vulns (vulnerabilities found on a matching host)]

We can see that plugin ID #1442 (Web Server) is present and that plugin ID #3101 is present as well. However, based on the other passively discovered vulnerabilities, such as Media Player and various versions of Mozilla, this host might not really be a "server".

Further analysis (not shown here) shows that the web server is indeed a P2P application known as Lime Wire. PVS accurately identified a service that spoke HTTP, but it wasn't really what we intended to seek out in the first place. The Lime Wire server wasn't even running on port 80 in this case.

If we wanted to make our dynamic rule more accurate, we could try adding a regular expression to the rule clause for plugin ID #1442 to match "Apache" or "IIS". Such a rule would look as follows:

[Figure: Advanced_irc_web_better (the rule with a banner regular expression on plugin #1442)]

Instead of simply matching on the presence of plugin ID #1442, the rule now looks at the text of the vulnerability results and does a simple pattern match for "IIS", which occurs in most Microsoft web server banners. If we wanted to add support for Apache or restrict the port, we could add further conditions to this initial clause.
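The following evaluator is an added illustration of the two rules discussed in this post (the Nugache rule with its anchored "2: 6667$" clause, and the web server plus IRC client rule with its "IIS" banner match); it is not Security Center's own code. It assumes a simplified record model (plugin ID, port, results text), reads "2: 6667$" as "plugin 2, regex ' 6667$'", and uses constructed sample hosts.

```python
import re
from dataclasses import dataclass

# Hypothetical evaluator (not Security Center's code): a clause is a predicate tested
# against each vulnerability record on its own; a host matches when ALL clauses are
# each satisfied by at least one record, which need not be the same record.
@dataclass(frozen=True)
class Vuln:
    plugin: int     # plugin ID (0 = open port, 2 = browsed port, 1442 = web server, ...)
    port: int
    text: str = ""  # results text, e.g. "1.2.3.4 -> 80" for plugin #2

def clause(plugin=None, port=None, regex=None):
    """Single-record predicate on plugin ID, port and/or a regex over the results text."""
    pat = re.compile(regex) if regex else None
    return lambda v: ((plugin is None or v.plugin == plugin)
                      and (port is None or v.port == port)
                      and (pat is None or pat.search(v.text) is not None))

def parse_plugin_regex(spec):
    """Turn a '2: 6667$' style clause into clause(plugin=2, regex=' 6667$')
    (assumed reading of the syntax shown in the post's screenshot)."""
    plugin, regex = spec.split(":", 1)
    return clause(plugin=int(plugin), regex=regex)

def all_match(clauses, vulns):
    return all(any(c(v) for v in vulns) for c in clauses)

def any_match(clauses, vulns):
    return any(any(c(v) for v in vulns) for c in clauses)

# Constructed sample hosts; every record, port and banner below is made up.
INFECTED = [Vuln(0, 8), Vuln(2, 0, "10.0.0.5 -> 6667")]
LOOKALIKE = [Vuln(0, 8), Vuln(2, 0, "10.0.0.6 -> 66677"), Vuln(9999, 6667, "unrelated finding")]
LIMEWIRE_BOX = [Vuln(1442, 6346, "HTTP server: LimeWire"), Vuln(3101, 0)]
IIS_BOX = [Vuln(1442, 80, "Microsoft-IIS/6.0"), Vuln(3471, 0)]

# Nugache: port 8 open AND plugin #2 data ending in " 6667" (one anchored clause).
NUGACHE = [clause(port=8), parse_plugin_regex("2: 6667$")]
# The incorrect version: browsed-port presence and port 6667 are separate clauses,
# so two unrelated records can satisfy them.
NUGACHE_BAD = [clause(port=8), clause(port=6667), clause(plugin=2)]

def nugache_hit(vulns, bad=False):
    return all_match(NUGACHE_BAD if bad else NUGACHE, vulns)

def irc_web_hit(vulns, banner_regex=None):
    """Web server (plugin #1442, optionally banner-filtered) AND an IRC client (#3101 or #3471)."""
    web = clause(plugin=1442, regex=banner_regex)
    return all_match([web], vulns) and any_match([clause(plugin=3101), clause(plugin=3471)], vulns)
```

Running the incorrect rule against LOOKALIKE shows the false positive the post warns about, and dropping the `$` from the Nugache clause shows the same host matching on " 66677".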

For More Information

The Security Center documentation contains many more examples and ideas for creating dynamic asset rules.
