Converting Packets to Syslog

Tenable’s Passive Vulnerability Scanner (PVS) performs protocol analysis on network traffic to discover vulnerabilities and log the sessions that have occurred. Unlike network forensic systems which log the actual packets and session content, the PVS creates a single syslog message for each identified network session. These logs are ideal for consumption by a SIEM or log analysis tool such as Tenable’s Log Correlation Engine. This blog entry describes what types of applications are logged and how they can be used for alerting and analysis.

Network Session Types

The PVS tracks and logs many types of network events in a port-independent manner including:

• Administration protocols such as VNC, Remote Desktop and Secure Shell (SSH)
• HTTP GET and POST transactions
• SSL sessions, logging the SSL certificate involved, if present
• File transfers via FTP, SMB (Windows File sharing) and NFS
• DNS lookups, DNS lookup failures and mDNS queries
• SQL INSERT, DELETE and other transactions for databases
• Encrypted and interactive network sessions, regardless of port
• Email messages and file attachments
• Many “Internet” applications such as Twitter, LinkedIn and DropBox

The PVS can log these transactions to a local file and it can also send syslog messages to send these to one or more servers.

Having additional logs other than what you may already be collecting from your systems, proxies, firewalls, web servers and other devices is an advantage because few of these log sources contain all of this information in one location.

For example, you may be collecting NetFlow from a network and know that a session left your network on port 8000, but would not be able to say if it was a web session, a Secure Shell session, VNC or something else. Tenable has also worked with security teams from organizations who had access to network traffic, but not the web logs from the monitored systems.

Auditing Files in Motion and File Propagation

A central log of files that were downloaded makes it easy to search for who has a given file. For example, a user may become infected with a virus from an email with a certain attachment name. A log searching tool such as the Log Correlation Engine (LCE) can be used to parse PVS logs and find any network session with the file name of interest.

Identifying Activity by Users

SIEMs that correlate IP addresses with user identity can accept the real-time logs from the PVS and associate this with a user. This allows you to quickly profile a specific user’s activity. Tenable customers who implement the LCE and PVS in this manner can visualize all activity from a given user. 

SSL Traffic is more than Secure Web 

The PVS identifies SSL network sessions in a port independent manner, both inbound and outbound to your network. This logs many “encrypted” IMAP services offered by Google and other similar service providers. It also logs all SSL sessions into your network, such as IMAP sessions initiated by an employee’s mobile phone to your corporate email server.

Looking for Anomalies

If your SIEM can look for anomalies based on “first time” occurrences or statistical changes in behavior, these real-time logs can be fed into the anomaly engine to churn out alerts when network usage changes. Tenable customers who have implemented the PVS and LCE to accomplish this automatically produce new alerts for many very useful situations including:

• When a user downloads a statistically large amount of images or files. This could indicate excessive Internet browsing, downloading pornography, etc.
• When an insider transfers a statistically large amount of files. This could indicate an insider who is trolling the network for spreadsheets, PDFs and other documents.
• When a system has a statistically large amount of DNS failures. Botnets and systems configured to send spam often spend a lot of time “looking up” the IP address of email servers and command and control systems that might not be correct.
• When a system starts to communicate in a new way. If you have a secure server that’s been running great for months and then all of a sudden, it starts to initiate SSH sessions outside of your network, would you be worried?

Correlating with Botnets and Viruses

If your SIEM has the ability to accept logs and then correlate the IP addresses contained in them with known lists of IP addresses that are part of one or more botnets, then the real-time PVS logs can be leveraged to look for sessions to or from botnets. This allows for a rapid understanding of what the botnet may have been doing.

Many Tenable customers have implemented this type of correlation and routinely see evidence of botnet compromises. For example, you may have had a virus slip past your antivirus and spam systems to infect a host, but when the host reaches out to a botnet command and control server and the PVS logs a real-time SSL session, the LCE parses this log and correlates the IPs with known botnet, identifying the infection.

Incident Response

If you are required to perform incident response, the more information you have, the better. If you are in a situation where all that you have are network IDS events, it is difficult to determine if a host is compromised. If you can also add in the PVS’s real-time logs, you can understand much more about what a host was doing and what was transferred in context with the actual IDS events. I’ve worked with Tenable PVS and LCE deployments that were able to log many events such as:

• A hostile JavaScript file being downloaded and infecting a computer.
• HTTP GET requests for a malicious executable on non-port 80 servers.
• Infected Windows systems attempting to propagate by uploading a hostile file via SMB.

In each of these cases, the IDS events that were generated were interesting, but not enough to accurately identify that malicious activity. Real-time PVS logs also can help “prove” that an IDS event is indeed a false positive by providing the necessary background data and context on a host.

For More Information

If you would like more information about the PVS, please read more about it at our web site or contact our sales group. We’ve also uploaded many videos to our YouTube channel which discuss the capabilities and examples of PVS deployments.