Over the past few weeks, we've released several new tools, Nessus audit policies, Log Correlation Engine log parsers and Log Correlation Engine TASL scripts. A summary of these releases is provided below.
New Product Releases and Updates
- Nessus 188.8.131.52 for Windows - This release fixes a security hole for users running Internet Explorer 6. All users are strongly encouraged to upgrade. Nessus plugin #25799 checks Windows systems for this vulnerability. Direct Feed customers can download 184.108.40.206 directly from the Tenable Support Portal and it can also be downloaded from http://nessus.org.
- Security Center 3.2.3 - This release improves a wide variety of performance, user management, reporting and distributed scanning issues. The maximum size of "managed" vulnerability data has been increased from 4GB to 16GB. Also, dynamic asset list computation has been reduced from more than 30 minutes in some cases to less than 1 minute. Builds for RedHat ES3 and ES4, along with a complete list of issues resolved with this release are available for download from the Tenable Support Portal.
- NessusClient 3.0.0 beta 2 - A new release of this Windows and Linux Nessus client is now available for download from http://nessus.org.
- Nessus 3.2 beta 4 - For users testing the Nessus 3.2 beta, a 4th release (Nessus 3.1.4) has been made available for Linux, FreeBSD and Solaris.
New and Updated Audit Policies
- CIS Certified FreeBSD Audit - Tenable was recently awarded certification to perform Center for Internet Security audits according to the best-practice consensus guide for securing FreeBSD systems. This .audit policy is available for download from the Tenable Support Portal by choosing the "Downloads" button and then the "Download CIS Audit and Compliance Files" button.
- PCI Configuration Audit Updates - Version 1.0.2 of the Windows and version 1.0.3 of the Linux Payment Card Industry 1.1 audit policies are now available. This update relaxes some of the more specific checks to accommodate more stringent settings. These .audit policies are available for download from the Tenable Support Portal by choosing the "Downloads" button and then the "Download Configuration Audit Policies" button.
Updated and New Event Correlation TASL Scripts
- blacklist.tasl - Similar to the blacklist_domain.tasl script, which was blogged about here, this IP-based blacklist lookup correlation script can now accept two "blacklists". The second list is for users who want to maintain their own static list of "bad" IP addresses, one that is not updated from the Arbor, SANS or Bleeding Threat feeds.
- long_tcp_sessions.tasl - Previously, Tenable had been maintaining two separate TASL scripts which would monitor the length, bandwidth and ports of each TCP session obtained through NetFlow or direct sniffing. This new TASL script accepts both event types.
- new_user.tasl - Adds support for automatically recognizing new user names from MS SQL Server logins.
- successful_login_after_multiple_failures.tasl - Added several new login event IDs and removed account names associated with normal system processes.
- windows_logon_unknown_network.tasl - Added several new login event IDs and removed common account names associated with normal system processes.
Updated and New Log Parsing PRM Files
- nids_snort.prm - More in-depth parsing for Bleeding Threat Snort event names is now supported.
- prm_map.prm - This PRM contains the latest list of all event names and it is parsed by several TASL scripts, such as the Never Before Seen script.
- sql_mssql.prm - Additional log parsing rules for Microsoft SQL Server.
- ssh_dropbear.prm - Parses logs from Dropbear, a very small SSH client and server.
- tenable_network_monitor.prm - This PRM is required to parse events from the new long_tcp_sessions.tasl script.
- web_apache.prm - There are several new rules to parse script errors and file handle activity.
- web_w3c_extended_log_format.prm - Bugfixes for Apache '402' Payment Received rules.
Note: To install any of these TASL or PRM files for the Log Correlation Engine, download these files to your /usr/thunder/daemons/plugins directory and then restart the thunderd service.