Red Hat NETWORK 3.6 - User Manual

Browse online or download the user manual for the Red Hat NETWORK 3.6 server. Red Hat NETWORK 3.6 - User guide

Tenable Network Security, Inc. • 7063 Columbia Gateway Drive, Suite 100, Columbia, MD 21046 • 410.872.0555 • sales@tenable.com • www.tenable.com
Copyright © 2002-2012 Tenable Network Security, Inc. Tenable Network Security, Nessus and ProfessionalFeed are registered trademarks of Tenable
Network Security, Inc. Tenable, the Tenable logo, the Nessus logo, and/or other Tenable products referenced herein are trademarks of Tenable
Network Security, Inc., and may be registered in certain jurisdictions. All other product names, company names, marks, logos, and symbols
may be the trademarks of their respective owners.
Passive Vulnerability Scanner 3.6
Linux User Guide
September 20, 2013
(Revision 4)
The newest version of this document is available at the following URL:
http://static.tenable.com/prod_docs/PVS_3.6_Linux_user_guide.pdf

Table of Contents

Page 1 - Linux User Guide


Page 2 - Table of Contents

Entering “i” for a new installation initiates prompts for configuration options. The fi

Page 3

web server. To do this, only list the network CIDR blocks for which you want vulnerabi

Page 4 - Related 3

PVS can report its data to the SecurityCenter console for centralised management. If you

Page 5 - INTRODUCTION

Starting PVS via the “RC” script will also lint the pvs.conf script for syntax errors b

Page 6 - PRE-INSTALLATION

# ps aux | grep pvs root 25191 22.7 26.9 384388 274704 pts/2 Sl 15:26 0:05 /opt

Page 7 - SOFTWARE AND LICENSING

Starting Passive Vulnerability Scanner cb67c871206b18d743a5e070276bf13d /opt/pvs/bin/pvs

Page 8 - INSTALLATION AND OPERATIONS

The PVS requires the “-c” and “-r” options each time it runs. These options tell the PVS

Page 9 - Run the Installation Script

the pvs command was run. For example, if you were in /home/userx when you issued the abov

Page 10

On high-speed networks with more than 20,000 systems, if the system running the PVS is

Page 11

nessus-report-version Specifies the Nessus report file version to save the file. The defa

Page 12

Table of Contents Introduction ...

Page 13 - OPERATIONS

becomes available. The size of the cache will change dynamically and can be expected to g

Page 14

> outbound-interactive-session (5) > inbound-interactive-session (6) > intern

Page 15

time file size. realtime-syslog Specifies the IP address of a SYSLOG server to receive re

Page 16

hosts. To prevent rediscovery of the entire network, the PVS can frequently write the lis

Page 17 - Generating a Report

options { report-threshold 3; failure-threshold 10; interface "eth0"; interface

Page 18 - CONFIGURATION

In the above picture, three sessions labeled A, B, and C are shown communicating to, fr

Page 19

By default, these settings are disabled and must be manually edited in the pvs.conf fil

Page 20

occurred at least once. For connections outside of the focus network, the PVS will only l

Page 21

then list the detected interactive or encrypted session as a vulnerability. The PVS has

Page 22

To prevent the PVS from having to relearn the network each time it starts, a file can be

Page 23

What is a Passive Vulnerability Scanner ID? ...

Page 24 - FOCUS NETWORK

destined for one or more addresses on the Internet. 00006 Inbound Interactive Sessions Th

Page 25

Restarting the Passive Vulnerability Scanner Once new passive plugins or operating system

Page 26

cvsstemporal metasploit CANVAS : D2ExploitPack CORE : true CVSSTEMPORAL : CVSS2#E:F/RL:O

Page 27

nooutput For plugins that are written specifically to be used as part of a dependency wit

Page 28 - ROUTES AND HOP DISTANCE

seealso If one or more URLs are available, this keyword can be used to display them. Mult

Page 29

hs_sport=143 name=IMAP Banner description=An IMAP server is running on this port. Its ban

Page 30 - PLUGINS

Case Insensitive Example There is a tool called SmartDownLoader that uploads and download

Page 31 - Plugin Keywords

regex=^User-Agent: Mozilla/.* \(.*rv:(1\.3|1\.4a) Match patterns that begin with the “^”

Page 32

The Passive Vulnerability Scanner can Match Binary Data The PVS also allows matching agai

Page 33

In each of these cases, the plugin would not match if the patterns contained in these “no

Page 34 - Plugin Libraries

Appendix 4: Non-Tenable License Declarations and Patent ...

Page 35

Notice that plugin 1019 has the following field: dependency=1018. This field indicates th

Page 36 - Case Insensitive Example

related from causing millions of events. For example, the plugins for the Sasser worm onl

Page 37

dependency=1277 hs_sport=79 track-session=10 realtimeonly name=App Subversion - Successfu

Page 38 - Negative Matches

and Windows command shells occurring in services that should not have those command shell

Page 39 - Time Dependent Plugins

One could argue that the “pregexi” statement could be expanded to include the trailing s

Page 40 - New Keywords

The following example shows how to create a custom plugin to detect users logging into m

Page 41

The statement above ensures that they are posting to the host “login.myspace.com”. Final

Page 42

0xde1d7f362734c4d71ecc93a23bb5dd4c and 0x747f029fbf8f7e0ade2a6198560c3278 A PVS plugin c

Page 43

match=for HR data regarding Jane Mcintyre The two example plugins above (IDs 9005 and 90

Page 44

P0f2 TCP Options N NOP option Wnnn window scaling option, value nnn (or * or

Page 45

INTRODUCTION This document describes the Passive Vulnerability Scanner 3.6 architecture, i

Page 46

ABOUT TENABLE NETWORK SECURITY Tenable Network Security, the leader in Unified Sec

Page 47

APPENDIX 1: EXAMPLE PVS.CONF CONFIGURATION FILE options { # When adding new port, app

Page 48 - FINGERPRINTS

# than 1024 MB. It can be set to a number less than 1024 MB. max-packet-cache-siz

Page 49 - FOR FURTHER INFORMATION

dependency 1149; dependency 1150; dependency 1151; # snmp dependency

Page 50

dependency 1133; dependency 1134; dependency 1135; #################

Page 51

# would be marked as 'Client Side Port Usage'. # connections-to-servic

Page 52

APPENDIX 2: WORKING WITH SECURITYCENTER ARCHITECTURE The PVS operates under the control

Page 53

In the above example, a filter is applied to only display events that have been correla

Page 54

APPENDIX 3: WORKING WITH NESSUS It is possible to view a PVS report from within the Nessu

Page 55

> generate-html-reports > nsr-report-file > xml-report-file > realtime-pl

Page 56 - MANAGING IDS EVENTS

> highlight all interactive and encrypted network sessions > detect when new hosts

Page 57

APPENDIX 4: NON-TENABLE LICENSE DECLARATIONS AND PATENT Below you will find 3rd party sof

Page 58

The word 'cryptographic' can be left out if the rouines from the library bei

Page 59

SOFTWARE AND LICENSING Download or Obtain the Software To install the PVS, obtain the cor

Page 60 - RELATED 3

INSTALLATION AND OPERATIONS UPGRADING FROM PVS 3.X Red Hat If you have used a PVS RPM to

Page 61

Unless otherwise noted, perform all commands as the system’s root user. Install the PVS
