Passive Vulnerability Scanner
A major new feature of the PVS is the ability to stream new vulnerability information in realtime to the Security Center and to the Log Correlation Engine. As the PVS finds new data about the network, it is sent in realtime in logs such as these:
Apr 20 19:58:21 pvs: 192.168.20.22:0|0.0.0.0:0|17|13|new-host-alert|00:11:95:89:d4:8a
Dec 21 10:56:04 pvs: 126.96.36.199:53|188.8.131.52:36788|17|1016|DNS server detection|||INFO
Dec 21 10:56:04 pvs: 184.108.40.206:80|0.0.0.0:0|6|0|new-open-port|INFO
The PVS realtime alerts include:
· new vulnerability and network data with low, medium and high severity levels
· new hosts, new open ports, new "browsed" ports, new systems that perform Internet browsing and new trust relationships between internal devices
· evidence of compromised systems and serious attacks, such as against SCADA devices
· detection of internal hosts performing port scans
· support for detecting a variety of sensitive data in motion and at rest
Example Screen Shots
Below is a screen shot of PVS events on a large enterprise network under the Security Center:
Each of the "events" listed above occurred when the PVS encountered new vulnerability data that it wasn't previously aware of. The LCE normalizes the thousands of potential PVS vulnerabilities based on their severity levels. In the above screen shot, 26 new vulnerabilities with "HIGH" severity levels have been discovered.
Although not a network IDS, the PVS does discover very useful events which can be fed into the Security Center, the Log Correlation Engine or most SIM products. Below is a screen shot of several PVS events intermixed with IDS events from an IntruShield IPS. There are several different port scan events as well as two Windows error event detections.
Log Correlation Engine Support
With this release, a separate Log Correlation Engine library for PVS events has been produced, and several of the existing correlation scripts have been updated to take advantage of the new events. These include:
· tenable_pvs.prm log normalization library for PVS events
· botnet_with_scan.tasl correlates detected IDS Botnet events with the same host performing a port scan
· detect_change.tasl now also processes new host and new open port events from the PVS (Note: this script can be extended to alert on new trust relationships, new Internet browsing and new client side port browsing if desired.)
· ids_event_followed_by_change.tasl considers changes in host configurations or behavior after being attacked. Now supports detected attack events from the PVS.
· new_host_portscanning.tasl uses PVS events which identify new hosts and port scan events to discover when a new device immediately begins port scanning.
· portscan_spike.tasl now uses port scan and host scan logs from the PVS, along with any portscan log from supported IDS and firewall devices to look for short term spikes in scanning activity.
· windows_crashes_and_restarts.tasl now makes use of PVS ID #4722 which sniffs Windows error messages being sent back to Microsoft. The script considers this event along with Windows OS events such as crashing applications and system restarts to look for failed worm attacks and even failed compromise attempts.
lce_tasl.prm is the LCE PRM library which normalizes events from the TASL scripts. This file should be updated on your LCE if any of these modified TASL scripts are implemented.
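The following is an added example, not code from Tenable, the PVS or the LCE: a small Python parser for the realtime log lines shown at the top of this page, plus a reimplementation of the new_host_portscanning idea (a new-host-alert followed shortly by a port scan from the same address) run over a constructed log. The field layout of the pipe-delimited payload (src:port | dst:port | IP protocol | plugin ID | event name | extra fields, with a trailing severity keyword where present) is inferred from the three sample lines and is an assumption, as are the two constructed scan lines, the event name "port scan", the plugin ID 0 on those lines, and the helper names.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Syslog prefix "Mon DD HH:MM:SS pvs: " followed by the pipe-delimited PVS payload.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) pvs: (?P<payload>.*)$"
)
SEVERITIES = {"INFO", "LOW", "MEDIUM", "HIGH"}


@dataclass
class PvsEvent:
    timestamp: datetime
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: int          # IP protocol number: 6 = TCP, 17 = UDP
    plugin_id: int
    name: str
    extra: List[str] = field(default_factory=list)
    severity: Optional[str] = None


def parse_pvs_line(line: str, year: int = 1970) -> Optional[PvsEvent]:
    """Parse one PVS realtime syslog line; return None for lines that do not match.

    The field layout (src:port|dst:port|proto|plugin|name|extra...) is an
    assumption drawn from the sample lines on this page. Syslog carries no
    year, so the caller supplies one for timestamp arithmetic.
    """
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    fields = m.group("payload").split("|")
    if len(fields) < 5:
        return None
    try:
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        src_ip, src_port = fields[0].rsplit(":", 1)
        dst_ip, dst_port = fields[1].rsplit(":", 1)
        protocol, plugin_id = int(fields[2]), int(fields[3])
        src_port, dst_port = int(src_port), int(dst_port)
    except ValueError:
        return None
    extra = fields[5:]
    # The trailing field is a severity keyword when present (DNS and
    # new-open-port samples); the new-host sample carries a MAC address instead.
    severity = extra[-1] if extra and extra[-1] in SEVERITIES else None
    return PvsEvent(ts, src_ip, src_port, dst_ip, dst_port,
                    protocol, plugin_id, fields[4], extra, severity)


def parse_pvs_log(lines: List[str], year: int = 1970) -> List[PvsEvent]:
    return [e for e in (parse_pvs_line(l, year) for l in lines) if e is not None]


def count_by_severity(events: List[PvsEvent]) -> Counter:
    """Roll events up by severity, as the LCE summary described above does;
    events without a severity keyword are counted under 'none'."""
    return Counter(e.severity or "none" for e in events)


def new_hosts_that_scan(events: List[PvsEvent],
                        window: timedelta = timedelta(minutes=10),
                        scan_name: str = "port scan") -> List[Tuple[str, datetime, datetime]]:
    """Pair each new-host-alert with a later scan event from the same source IP
    inside `window`. `scan_name` is the event name treated as a scan; the page
    shows no scan log line, so the default is a constructed placeholder."""
    pending = {}   # src_ip -> time of its new-host-alert
    hits = []
    for e in sorted(events, key=lambda ev: ev.timestamp):
        if e.name == "new-host-alert":
            pending[e.src_ip] = e.timestamp
        elif e.name == scan_name and e.src_ip in pending:
            first_seen = pending[e.src_ip]
            if timedelta(0) <= e.timestamp - first_seen <= window:
                hits.append((e.src_ip, first_seen, e.timestamp))
                del pending[e.src_ip]
    return hits


# The first three lines are the samples quoted on this page; the last two are
# constructed to exercise the correlation (plugin ID 0 and the name are placeholders).
SAMPLE_LOG = [
    "Apr 20 19:58:21 pvs: 192.168.20.22:0|0.0.0.0:0|17|13|new-host-alert|00:11:95:89:d4:8a",
    "Dec 21 10:56:04 pvs: 126.96.36.199:53|188.8.131.52:36788|17|1016|DNS server detection|||INFO",
    "Dec 21 10:56:04 pvs: 184.108.40.206:80|0.0.0.0:0|6|0|new-open-port|INFO",
    "Apr 20 20:01:07 pvs: 192.168.20.22:0|0.0.0.0:0|6|0|port scan|HIGH",
    "Apr 20 20:02:30 pvs: 10.0.0.5:0|0.0.0.0:0|6|0|port scan|MEDIUM",
]

if __name__ == "__main__":
    evts = parse_pvs_log(SAMPLE_LOG)
    print(dict(count_by_severity(evts)))
    for ip, seen, scanned in new_hosts_that_scan(evts):
        print(f"{ip}: first seen {seen:%b %d %H:%M:%S}, scanning by {scanned:%b %d %H:%M:%S}")
```

Only the 192.168.20.22 scan is reported: it follows that host's new-host-alert within the window, while 10.0.0.5 was never announced as a new host. In a real deployment the scan event name and window would be taken from the PVS plugin that fires for internal port scans and from the TASL script's own threshold rather than from these placeholders.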