Tenable Blog
Is the Passive Vulnerability Scanner an Intrusion Detection System?

When I was at RSA earlier this year, I gave a variety of media interviews and product demos about Tenable solutions. I demonstrated Nessus detecting malicious processes and the Passive Vulnerability Scanner (PVS) providing an audit trail of all network activity that led up to the infection. I also showed how the Log Correlation Engine (LCE) correlated PVS logged DNS queries to known botnets.

After these demos, I was often asked, “so, is this an IDS?” In one interview (and I hope they print this) I responded by saying that at Tenable, we focus on compromise detection as part of our continuous vulnerability analysis. As the leading vulnerability management vendor in the market, I really tried to emphasize the point that looking for vulnerabilities and configuration issues in known software is just as important as looking for malicious software and malicious users.

Detecting a compromised system is very different from detecting a system that is under attack. Most intrusion detection systems detect attacks and not actual compromises. Tenable’s approach of monitoring files, system settings, logs, application processes and network traffic as part of our continuous vulnerability detection is an excellent platform to hunt malware, compromised system accounts, and botnets.

Below is an example screen shot of an “indicators” dashboard that shows a wide variety of passive and active attack and compromise data in realtime:

The Passive Vulnerability Scanner is not a network intrusion detection system. It does not have a list of common or recently discovered attack patterns nor does it identify probes and scans. Instead, the focus is to audit your network in real-time. PVS creates two types of data:

  • A real-time report of all mobile, IPv4, and IPv6 vulnerabilities, open ports, browsed ports, boundary traversing and applications as if you had Nessus running in real time with full credentials on every system on your network.
  • A real-time log of all network traffic that is like an enhanced version of NetFlow that logs artifacts such as SSL certificate names, shared Windows files names, queried domain names, and browsed HTTP web sites.

The passive vulnerability data is useful for auditing activity on the network and for identifying systems whose applications or network connectivity are suspicious, including:

  • Comparing all Internet browsing and served ports. While this does not detect attacks that occur 100% over common streams of network traffic, such as HTTP, attacks that communicate on “uncommon” ports such as IRC, DNS, or high ports are readily identified regardless of whether they are client or server based.
  • New web sites hosted on existing web servers. I’ve personally worked with organizations that have detected malware and compromised web servers by detecting new web sites being added to their Apache and Windows services.
  • Auditing the web user-agents in use. While it is more than possible for malware to perfectly emulate Firefox and other common browsers, there is a large amount of malware that claims to be something that is still readily identified. PVS logs all user agent strings observed for each host in one spot making this audit very easy to report against.
  • Identifying unique client-side network activity. PVS logs all client-side network application usage such as SNMP, NFS, FTP, IRC, and Telnet. In environments where there is infrequent usage of these protocols, this activity is an indicator of suspicious activity.
  • Identifying unique network services. PVS also logs all services running on every port. Regardless of whether a compromised system implements port knocking or only accepts connections from known hostile IP addresses, PVS will log the service. For example, if a system was compromised and an intruder placed a web server on port 31000 that only answered to IP addresses from a network block in China or Mississippi, PVS would report an HTTP-speaking service there.
  • Identifying the active DNS server in use. Often, compromised systems will leverage DNS servers external to the organization. This can be done through direct re-configuration of the underlying operating system or simply performing DNS queries to known DNS servers.
  • Changes in trust relationships. PVS keeps track of which clients connect to which servers and on which ports. Dramatic changes in client-server trust counts on different ports can indicate worms, scanning and manual probing.

As an example, below is a screenshot of a web server found on port 2869 by the PVS:

There are many other “passive vulnerability” items detected by PVS that indicate compromise that are too numerous to identify and list here. Many of the customers and users of the PVS I speak with tell me they identify malware, infected systems, and software installed by intruders with PVS because something stood out from the other systems that were passively profiled.

Below is an example screen shot of a dashboard that shows real-time network activity based on SSL, VNC, RDP and SSH traffic.

PVS’s real-time logs are another great resource to detect intrusions and compromised systems. I’ve worked with many organizations that send their PVS real-time logs to applications such as Splunk. We also have organizations who deploy the Tenable Log Correlation Engine to process PVS real-time logs. There are so many built-in correlations for the PVS within LCE that we recently announced that all Tenable SecurityCenter ContinuousView licenses would now include a 5 TB LCE license. Built-in LCE correlations on PVS logs include:

  • Correlating all web, file sharing, network protocols and SSL traffic with a real-time list of high quality botnet IP addresses.
  • Correlating all web and DNS queries with DNS names and URLs that are known to be botnets.
  • Tracking systems that perform proxies and leap-frog attacks based on the SSH, VNC, and Windows RDP protocols.
  • Tracking anomalies and spikes in all types of logged PVS network sessions including SSL, DNS, NFS, web queries and, in particular, spikes in failed DNS queries.
  • Summarizing all executable files that have been downloaded on a daily basis.
  • Summarizing all DNS domains queried on both an hourly and daily basis.
  • Tracking all network traffic by learned user IDs. This facilitates analysis and reporting of any particular user’s network traffic.
  • Tracking client-side network browsing activity including web, VNC, SSH, and Windows RDP.
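As an added illustration (not Tenable's code and not PVS or LCE output), the script below expresses several of the checks described in the two lists above over constructed records in a simplified flow-log layout: hosts using DNS servers outside the organization, queries for names under a known-bad domain, spikes in failed DNS queries, and user agents that fall outside an expected baseline. The field names, the sample records, the bad-domain list and the user-agent baseline are all assumptions made for this example.

```python
from collections import Counter, defaultdict

# Constructed sample records in a simplified layout (not real PVS output; field
# names are assumptions for this example). "ok" marks whether a DNS query resolved.
LOGS = [
    {"src": "10.0.0.5", "dst": "10.0.0.2", "dport": 53, "proto": "dns", "detail": "intranet.corp.example", "ok": True},
    {"src": "10.0.0.5", "dst": "10.0.0.2", "dport": 53, "proto": "dns", "detail": "www.example.com", "ok": True},
    {"src": "10.0.0.7", "dst": "198.51.100.9", "dport": 53, "proto": "dns", "detail": "cc.bad-domain.example", "ok": True},
    {"src": "10.0.0.7", "dst": "198.51.100.9", "dport": 53, "proto": "dns", "detail": "a1.bad-domain.example", "ok": False},
    {"src": "10.0.0.7", "dst": "198.51.100.9", "dport": 53, "proto": "dns", "detail": "a2.bad-domain.example", "ok": False},
    {"src": "10.0.0.7", "dst": "198.51.100.9", "dport": 53, "proto": "dns", "detail": "a3.bad-domain.example", "ok": False},
    {"src": "10.0.0.5", "dst": "203.0.113.4", "dport": 80, "proto": "http", "detail": "Mozilla/5.0 (Windows NT 10.0)", "ok": True},
    {"src": "10.0.0.7", "dst": "203.0.113.4", "dport": 80, "proto": "http", "detail": "customagent/0.1", "ok": True},
]

BAD_DOMAINS = {"bad-domain.example"}        # constructed stand-in for a botnet domain feed
KNOWN_UA_PREFIXES = ("Mozilla/", "curl/")    # assumed baseline of expected user agents

def external_dns_servers(logs, internal_prefix="10."):
    """Hosts that send DNS queries to resolvers outside the internal address range."""
    hits = defaultdict(set)
    for r in logs:
        if r["proto"] == "dns" and not r["dst"].startswith(internal_prefix):
            hits[r["src"]].add(r["dst"])
    return {h: sorted(s) for h, s in hits.items()}

def botnet_domain_hits(logs, bad_domains=BAD_DOMAINS):
    """(src, queried name) pairs where the name is, or is under, a known-bad domain."""
    return [(r["src"], r["detail"]) for r in logs if r["proto"] == "dns"
            and any(r["detail"] == d or r["detail"].endswith("." + d) for d in bad_domains)]

def failed_dns_spike(logs, threshold=3):
    """Hosts whose count of failed DNS queries reaches the threshold."""
    failed = Counter(r["src"] for r in logs if r["proto"] == "dns" and not r["ok"])
    return {h: n for h, n in failed.items() if n >= threshold}

def odd_user_agents(logs, known=KNOWN_UA_PREFIXES):
    """User-agent strings per host that do not match the expected baseline prefixes."""
    odd = defaultdict(set)
    for r in logs:
        if r["proto"] == "http" and not r["detail"].startswith(known):
            odd[r["src"]].add(r["detail"])
    return {h: sorted(s) for h, s in odd.items()}

if __name__ == "__main__":
    for name, fn in [("external DNS servers", external_dns_servers), ("botnet domains", botnet_domain_hits),
                     ("failed DNS spike", failed_dns_spike), ("odd user agents", odd_user_agents)]:
        print(name, fn(LOGS))
```

In the sample data every check converges on the same host, which is the kind of "something stood out" signal the post describes; on real logs each function would be run per host per time window rather than over a static list.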

Below is a screen shot of a botnet dashboard which was created by leveraging PVS logs and LCE log searches to create graphs and trend lines of specific botnets.

There are many more types of correlations performed by LCE on PVS real-time logs. There are also a wide variety of forensic audits that can be used to perform forensic investigations of system behavior and network traffic.

When combined with Nessus active scans and logs from firewalls, operating systems, intrusion detection systems, and other sources, real-time data from PVS becomes a binding source of data that provides real-time context making the detection of intrusions possible.

Tenable’s Continuous View offering allows organizations to deploy multiple Nessus scanners and Passive Vulnerability Scanners as well as a single SecurityCenter and single Log Correlation Engine. To learn how to leverage this platform for both unparalleled vulnerability discovery and the ability to hunt malware and intruders, please click here to read more.
