Tenable Network Security is proud to announce the release of version 3.2 of the Passive Vulnerability Scanner (PVS). This product is a network sniffer that scans for real-time vulnerability data and transmits it to Tenable’s Security Center management console along with real-time user and forensic activity transmitted to Tenable’s Log Correlation Engine (LCE). This blog entry describes many of the new features and enhancements in this release.
Enhanced Vulnerability Discovery
PVS 3.2 enables Tenable’s research team to write sophisticated rules that track the state of many different types of services and protocols. Building on the vulnerability discovery features of PVS 3.0, this release adds deeper analysis of web client traffic, web server traffic, Microsoft file sharing, email, DNS, operating system identification and much more.
For example, two vulnerabilities normally detected only by an active vulnerability scanner such as Nessus can now be detected by PVS: insecure usage of the “VIEWSTATE” hidden form field in web-based .NET applications, and insecure ActiveX components hosted on IIS web servers.
Real-time File Sharing Monitoring
A major new feature of PVS 3.2 is the addition of deeper logic to perform protocol analysis. In the same way that Nessus receives plugin updates, PVS is continually updated by Tenable’s Research team. Recently our research team has written plugins for PVS 3.2 that can parse complex file sharing protocols such as SMB, NFS, HTTP and FTP.
For example, if a host uploads or downloads a file to or from a Windows network share, to or from the Internet using web services, or over traditional Unix services such as FTP and NFS, a PVS deployed to watch network traffic can log these events in real time. When these logs are sent to the LCE, they are immediately available for searching, per-user tracking and reporting, and trending, and they can contribute to any type of incident or forensic investigation.
The following is a screen shot of PVS events related to users obtaining files at a major university over a period of five days:
Database Activity Monitoring
Tenable products have had the ability to scan databases for vulnerabilities and configuration issues for a long time. This release of PVS 3.2 now provides the ability to monitor database activity in real-time. The PVS can now look at SQL database traffic that has originated from end user or web applications and send a real-time log to the LCE.
This enables users to search database transactions, or perform forensic analysis on them, over a long period of time. The database events obtained by the PVS can be used for intrusion detection event correlation, for access control analysis for compliance, and for anomaly detection.
Since the PVS is passively sniffing between the applications and the SQL database, there is no impact on system, network or database performance.
Finally, if the database server has not been subject to patch audits or vulnerability scans, the traffic to and from the server will be used by the PVS to identify client and server vulnerabilities in real-time.
Real-time Forensics
PVS 3.2 includes many new plugins that detect the resources attached to your network and create logs that can be sent to the LCE in real time. For example, the screen shot below shows all web user agent strings observed by the PVS for a single host:
Data from these plugins centralizes many different types of software, operating systems, web browsers, web browser plugins and media players in one report. The PVS performs this type of analysis in real time for thousands of hosts.
Additional data now available for discovery with this release of PVS includes:
- Detection of user agent strings associated with known Trojans and malware
- Identification of a host’s NetBIOS and Domain names
- Identification of a host’s DNS name
- Enumeration of files shared via SMB, FTP and NFS
In addition to finding vulnerability data in real time, PVS 3.2 can also report a wide variety of user activities for forensic analysis in real time. Real-time activity can now be sent to the Log Correlation Engine for these types of network events:
- Any DNS resolution attempt – this provides a record of any DNS queries from your network, even if they are being sent to servers outside of your network. The LCE provides daily lists of all DNS queries for each host, which facilitates analysis of host activities.
- Database SQL queries – after a web-based attack, having logs of all SQL queries can aid in determining the attack vector and source. The LCE can also use these logs to automatically identify misuse, probes and anomalies.
- Encrypted session logging – as the PVS observes network traffic, it tests the randomness of transmitted content to identify encrypted communications.
- File transfers – all files transferred over SMB, HTTP, FTP and NFS are logged in real time. Having the PVS send these logs to the LCE is invaluable if there is an attacker or an insider threat, or if you just want to see who is sharing spreadsheets on the network.
- Web activity – the PVS logs all HTTP GET and POST events. These logs can be used to help identify web-browsing abuse, such as downloading pornography or botnet activity.
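The randomness test behind encrypted session logging is a byte-entropy measurement, and its main failure mode is that compressed content (gzip responses, images, archives) is just as random-looking as ciphertext. The following is an added example, not code from the original post or from PVS, showing that test together with two checks that reduce those false positives: recognising well-known compressed-format magic bytes and recognising a TLS handshake record, which is encrypted traffic that can be labelled without guessing. The 7.0 bits-per-byte threshold, the 256-byte minimum and all sample payloads are constructed assumptions.

```python
"""Classify captured session payloads as plaintext, compressed, TLS or likely encrypted."""
import math
import random
from collections import Counter

ENTROPY_THRESHOLD = 7.0   # bits per byte; assumed value, tune per environment
MIN_SAMPLE_BYTES = 256    # entropy on tiny payloads is meaningless

# Magic bytes of formats whose bodies are high-entropy but not encrypted.
KNOWN_COMPRESSED = {
    b"\x1f\x8b": "gzip",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_tls_record(data: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x04."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04


def classify_payload(data: bytes) -> str:
    """Label a payload; structural checks run before the entropy heuristic."""
    if len(data) < MIN_SAMPLE_BYTES:
        return "insufficient-data"
    for magic, name in KNOWN_COMPRESSED.items():
        if data.startswith(magic):
            return f"compressed:{name}"
    if looks_like_tls_record(data):
        return "tls-handshake"
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "likely-encrypted"
    return "plaintext"


def classify_sessions(sessions: dict[str, bytes]) -> dict[str, str]:
    """Classify several captured sessions keyed by an identifier (e.g. 5-tuple)."""
    return {key: classify_payload(payload) for key, payload in sessions.items()}


# Constructed sample sessions (not real captures). A seeded generator stands in
# for ciphertext so the example is deterministic.
_rng = random.Random(7)
_HTTP_REQUEST = (
    b"GET /reports/q3.xlsx HTTP/1.1\r\nHost: files.example.internal\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\nAccept: */*\r\n\r\n"
)
SAMPLE_SESSIONS = {
    "10.0.0.5:51000->10.0.0.20:80 http-plaintext": _HTTP_REQUEST * 8,
    "10.0.0.5:51001->203.0.113.9:8443 random-encrypted": _rng.randbytes(4096),
    "10.0.0.5:51002->10.0.0.20:80 gzip": b"\x1f\x8b\x08\x00" + _rng.randbytes(2048),
    "10.0.0.5:51003->10.0.0.21:443 tls": b"\x16\x03\x01\x02\x00\x01" + _rng.randbytes(512),
}


if __name__ == "__main__":
    for key, label in classify_sessions(SAMPLE_SESSIONS).items():
        print(f"{label:18} {key}")
```

Applied to the first few hundred bytes of each flow, the result is the kind of “encrypted session observed” event that can be forwarded to a log engine; flows tagged `compressed:*` are worth keeping as file-transfer events rather than discarding, since they are exactly the downloads the file transfer logging above is about.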
For More Information
If you are interested in upgrading your Security Center to work with passive vulnerability data or would like to evaluate Tenable’s Unified Security Monitoring solution, please contact us at [email protected].