Finding Interactive and Encrypted Sessions with the Passive Vulnerability Scanner

The Passive Vulnerability Scanner (PVS) has the ability to discover network services which have the characteristic of being "interactive" or being "encrypted". The PVS can analyze traffic in real-time and recognize when the size and frequency of packets is indicative of an "interactive" session. The PVS can also look at the traffic's randomness and determine if the data is encrypted. This blog post helps PVS users understand how to analyze this data, where false positives can occur and what these events mean.

Native PVS Event IDs

The Passive Vulnerability Scanner has several thousand plugins which detect a wide variety of client and server applications. It also has several "built in" plugins which detect many low-level items. These are:

• #00000 Detection of open port The PVS has observed a SYN-ACK leave from a server.
• #00001 Passive OS Fingerprint The PVS has observed enough traffic about a server to perform a guess of the operating system.
• #00002 Client Side Port Usage The PVS has observed client-side network browsing traffic from a host.
• #00003 Show Connections The PVS has logged a unique network trust relationship of source IP, destination IP, and destination port.
• #00004 Internal Interactive Sessions The PVS has detected one or more interactive network sessions between two hosts within your focus network.
• #00005 Outbound Interactive Sessions The PVS has detected one or more interactive network sessions originating from within your focus network and destined for one or more addresses on the Internet.
• #00006 Inbound Interactive Sessions The PVS has detected one or more interactive network sessions originating from one or more addresses on the Internet to this address within your focus network.
• #00007 Internal Encrypted Session The PVS has detected one or more encrypted network sessions between two hosts within your focus network.
• #00008 Outbound Encrypted Session The PVS has detected one or more encrypted network sessions originating from within your focus network and destined for one or more addresses on the Internet.
• #00009 Inbound Encrypted Session The PVS has detected one or more encrypted network sessions originating from one or more addresses on the Internet to this addresses within your focus network.
• #00012 Host TTL Discovered The PVS logs the number of hops away each host is located.

Vulnerability IDs 4,5 and 6 look for "interactive" sessions inside, outbound and inbound to the network being monitored by the PVS. This allows to identify all types of "human typing" that is both legitimate and perhaps, illegitimate.

Similarly IDs 7,8 and 9 look for "encrypted" traffic inside, outbound and inbound to the network being monitored by the PVS. This will not only identify things like SSH and HTTPS services, but also services that are not natively recognized by other PVS rules.

Once the PVS flags a device as having a particular open port, encrypted session, interactive session or trust relationship, this will show up in the vulnerability report. Typically, network and security analysts are accustomed to seeing these sorts of alerts in logs or real-time. However, with the PVS, this data has state. If an e-commerce site has 1,000,000 SSL connections to port 443, the PVS will only have report one encrypted session record for that report.

Interactive Session Analysis

Based on the frequency and size of packets between two hosts, the PVS can identify a session that is interactive. By interactive, the PVS is looking for data that is sent by a user typing at the keyboard. Example sources of data include Telnet, chat and SSH. By default, the PVS will ignore ports with well known interactive services such as 23 for Telnet.

There are a variety of false positives that can occur with these algorithms. If there are network performance issues which cause packets for any service to flow at a trickle, it is possible that an incorrect match will result. However, most "slow services" still put 1500 bytes into their packets and this won't cause a match.

When matches do occur, they will be reported for analysis. When considering a large network for monitoring, this data can be very useful.

Port summaries for inbound, outbound and internal interactive traffic can indicate common services used. For example, one might be able to discover that all of the routers on a network have had a "telnet" service put on a high port.

When specific ports of interest are found, the results from recent Nessus scans as well as other PVS plugins should be considered. Both Nessus and the PVS are very good at identifying services.

Also, when analyzing the open ports, the system under consideration should be taken into account. For example, a router won't likely be participating in a P2P file sharing network or running a VoIP application whereas a desktop would.

If your Security Center has been configured with assets for your business and technology in use, choosing vulnerability IDs 4-6 and then conducting an Asset Summary query can give you an at-a-glance view of which assets have interactive sessions occurring.

For example, in this listing below, the only 3 "interactive sessions" reported have occurred for assets labeled "Clients", "FTP Servers" and "SMTP Clients". 

Encrypted Session Analysis

Based on the "randomness" of the monitored data, the PVS will report that a monitored system is communicating inbound, outbound and internally on certain ports with encrypted traffic.

There are several "naturally occurring" random data sources. Any time compressed files (.zip, .gz, .etc) are moved around on the network, there is a good change the network session will flag as being encrypted. We'll see in an example below how email can be the source of some "encrypted" sessions.

Analyzing the results of traffic is also accomplished with the Security Center. Port summaries, lists of matching IP addresses and reporting which assets have made "encrypted" sessions can shed light on what these detected services are doing.

Below is an example listing of a set of assets that have had at least one occurrence of PVS ID 7,8 or 9:

Two things should jump out to an analyst looking at this data:

• Of the 16 reported devices with encrypted sessions, many of these occurred on SMTP clients or servers. The PVS will trigger on messages that are encrypted with PGP or GPG. There content will also match on specific plugins designed to identify hosts sending PGP and GPG encrypted emails.
• There were 4 matches on the Symantec_Worm group. In a previous post, it was discussed how to create a dynamic asset list in the Security Center that matched hosts likely compromised with a worm targeting the Symantec AV engine. It is interesting that these hosts are also communicating on encrypted ports.

Configuring the PVS

While searching network sessions for encrypted or interactive data, the PVS can be configured to ignore specific ports or even hosts that have certain plugins already detected on them. On UNIX, this is accomplished by editing the pvs.conf file located in the /opt/pvs/etc  directory. The PVS Windows version has GUI elements to select specific plugins and ports to ignore.   

Conclusion

The PVS can be used to identify devices which are the source or destination of interactive or encrypted network sessions. This data can be used to look for policy violations or perhaps backdoors and rootkits.