I was at a Security Center customer this past Friday and they had asked how they could report on just certain computers that had certain applications on them. One of the things the Security Center can do is "mine" the results of the existing and future Nessus and Passive Vulnerability Scanner results to come up with dynamic lists of IP addresses with matching criteria. For example, consider this screen shot:
In the above image, the Security Center has been configured to dynamically create lists of various IIS, Sendmail, Apache and other types of applications. These rules are wizard driven and look like this:
That "2004" plugin ID probably isn't recognized by Nessus users because IDs 1 through 10,000 are reserved for results from Tenable's Passive Vulnerability Scanner. This rule says for each known IP address, if there has been a discovery of ID 2004 or 10263 (plugins which discover SMTP servers regardless if they are on port 25 or not) look at the content and if we see "Sendmail" and "8.13" put it on the list of "Sendmail 8.13" servers.
The Security Center allows for dynamic lists to be created like this with active or passive content based and also some interpreted content including:
- DNS name
- NetBIOS/Workgroup name
- MAC Address
- IP/Network address
- open TCP port
- open UDP ports
- existence of particular vulnerability IDs
- regular expression content search
Very sophisticated dynamic rules can be created. For example, all OSes actively fingerprinted as "Linux", in the 10.10.20.0/24 network with port 22 open could be placed on a list.
If an organization knows about their devices or networks, they can simply upload these lists of IP addresses and CIDR blocks to the Security Center. We call these static asset lists as compared to the dynamic asset lists generated based on the vulnerability content. All asset lists can be used for reporting, filtering and asset control as shown in this image below: