Red Hat NETWORK 3.6 - Operating Instructions, Page 44

Copyright © 2002-2012 Tenable Network Security, Inc.
One could argue that the “pregexi” statement could be expanded to include the
trailing space after the “d” character and also the first character.
The plugin then looks for the expected results of the failed “cd” command. The first match
statement makes sure this pattern is not part of the FTP protocol. It turns out that looking
for “cd” in one side of a session and the error of attempting to change to a directory in an
FTP session would cause false positives for this plugin. Adding a rule that ignores any line
starting with “550” avoids this. While writing and testing this plugin, Tenable considered having a
different set of plugins just for FTP, but the additional filter statement took care of any false
positives we had been seeing. And finally, the last two match statements look for the results
of the failed change directory attempt. They are spread across two match statements and
could have been combined into one regular expression statement, but there was enough
content in the basic message to have them split into higher-speed matching.
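The matching logic described above, as an added Python example that is not Tenable's plugin code: a request-side pattern, a negated “550” filter, then two plain substring tests. The regular expression, the two literal strings and the sample sessions are constructed assumptions, since the plugin text itself is not on this page.

```python
import re

# Assumed stand-in for the request-side "pregexi" statement (case-insensitive).
REQUEST_RE = re.compile(r"(?:^|\s)cd\s", re.IGNORECASE)
# Response lines starting with this FTP reply code are ignored (the negated match).
FTP_ERROR_PREFIX = "550"
# Assumed stand-ins for the last two match statements: two cheap literals
# instead of one combined regular expression.
RESPONSE_LITERALS = ("No such file", "or directory")


def failed_cd_detected(request, response, skip_ftp_errors=True):
    """Return True when a 'cd' request is answered by a change-directory error."""
    if not REQUEST_RE.search(request):
        return False
    for line in response.splitlines():
        # An FTP server's "550 ..." reply is protocol traffic, not shell output.
        if skip_ftp_errors and line.startswith(FTP_ERROR_PREFIX):
            continue
        # Substring tests are faster than a regex and reject most lines early.
        if all(literal in line for literal in RESPONSE_LITERALS):
            return True
    return False


# Constructed sample sessions (client side, server side).
SHELL_REQ = "cd /nonexistent\n"
SHELL_RESP = "bash: cd: /nonexistent: No such file or directory\n"
FTP_REQ = "RETR cd images.iso\r\n"
FTP_RESP = "550 cd images.iso: No such file or directory\r\n"

if __name__ == "__main__":
    print("shell session flagged:", failed_cd_detected(SHELL_REQ, SHELL_RESP))
    print("FTP session flagged:", failed_cd_detected(FTP_REQ, FTP_RESP))
    print("FTP without 550 filter:",
          failed_cd_detected(FTP_REQ, FTP_RESP, skip_ftp_errors=False))
```

Running it with `skip_ftp_errors=False` shows the false positive that the “550” rule removes.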
PASSIVE VULNERABILITY SCANNER CORPORATE POLICY PLUGINS
Most companies have an “Acceptable Use Policy” that defines appropriate use of the
company’s IT facilities. Often, this policy is abused to some extent since detecting abuse
can be difficult.
The PVS can help in this regard through use of PVS Corporate Policy plugins. These plugins
can be used to look for policy violations and items such as credit card numbers, Social
Security numbers, and other sensitive content in motion.
Tenable ships PVS with a large number of plugins that are frequently updated. The primary
focus of these plugins is to discover hosts, applications and their related client/server
vulnerabilities. The list of built-in PVS checks is available at the following location:
http://static.tenable.com/dev/tenable_plugins.pdf
Many of the available plugins already detect activities that would fall into the “Inappropriate
Use” category in most companies. Some of the activities that are detected through these
plugins include (but are not limited to):
  • game server detection
  • botnet client and server detection
  • peer to peer file serving
  • IRC server/client
  • chat clients
  • tunneling software or applications like Tor, GoToMyPC and LogMeIn
Detecting Custom Activity Prohibited by Policy
The plugins provided with PVS are useful for detecting generally inappropriate activities, but
there may be times when more specific activities need to be detected. For example, a
company may want to have an alert generated when email is sent to a competitor’s mail
service or if users are managing their myspace.com web page from the corporate network.
Tenable provides the ability for users to write their own custom plugins, as documented in
the section “Writing Passive Vulnerability Scanner Plugins”. These plugins are saved as “prm”
files.