PVS 4.4 User Guide
Revision 2
11 February, 2016
Copyright © 2016. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc.
About PVS
Passive vulnerability scanning is the process of monitoring network traffic at the packet layer to determine topology, clients, applications, and related security issues. Tenable has expanded the Passive Vulnerability Scanner’s functionality to include traffic profiling and system compromise detection.
PVS can:
- detect when systems are compromised based on application intrusion detection.
- highlight all interactive and encrypted network sessions.
- detect when new hosts are added to a network.
- track which systems are communicating and on which ports.
- detect which ports are served and which are browsed by each system.
- detect the number of hops to each monitored host.
Getting Started with PVS
To ensure a streamlined installation process, it is important to ensure the appropriate hardware, software, and licensing requirements are in place prior to installation.
Introduction
This user guide describes Tenable Network Security’s Passive Vulnerability Scanner 4.4 (Patent 7,761,918 B2) architecture, installation, operation, integration with SecurityCenter CV and Nessus Cloud, and export of data to third parties. Please email any comments and suggestions to [email protected].
Standards and Conventions
Throughout the documentation, filenames, daemons, and executables are indicated with a bold monospace font, such as:
- gunzip
- https
- /etc/passwd
Command line options and keywords are also indicated with the bold monospace font. Command line examples may or may not include the command line prompt and output text from the results of the command. Command line examples display the command being run in bold monospace to indicate what the user typed, while the sample output generated by the system is shown in Courier (not bold). The following is an example of running the Unix pwd command:
# pwd
/opt/pvs/daemons
#
Note: Important notes and considerations are highlighted with this color.
Tip: Tips, examples, and best practices are highlighted with this color.
Critical: Crucial information the user must know. Ex. PVS will restart with this command
Hardware Requirements
Enterprise networks can vary in performance, capacity, protocols, and overall activity. Resource requirements to consider for PVS deployments include raw network speed, the size of the network being monitored, and the configuration of PVS.
The following chart outlines some basic hardware requirements for operating PVS:
Scenario: Passive Vulnerability Scanner managing up to 50,000 hosts * (**)
Minimum Recommended Hardware: CPU: 1 dual-core 2 GHz CPU; Memory: 2 GB RAM (4 GB RAM recommended)

Scenario: Passive Vulnerability Scanner managing more than 50,000 hosts **
Minimum Recommended Hardware: CPU: 1 dual-core 3 GHz CPU (2 dual-core recommended); Memory: 4 GB RAM (8 GB RAM recommended)

Scenario: Passive Vulnerability Scanner running in High Performance mode
Minimum Recommended Hardware: CPU: 10 CPUs, with hyper-threading enabled; Memory: 16 GB RAM; HugePages memory: 2 GB
*The ability to monitor a given number of hosts depends on the bandwidth, memory, and processor power available to the system running PVS.
**For optimal data collection, PVS needs to be connected to the network segment via a hub, spanned port, or network tap to have a full, continuous view of the network traffic.
Note: Please research your VM software vendor for comparative recommendations, as VMs typically see up to a 30% loss in efficiency compared with dedicated servers.
Processor requirements will increase with greater throughput and higher number of network interfaces.
Memory requirements will increase for networks with more hosts. The requirements for both of these components are affected by configurable options, like setting a long report lifetime.
Disk space requirements for PVS vary depending on the amount of data and length of time that data is stored on the system.
High Performance Mode
To run PVS in High Performance mode, a minimum of two of the following types of Intel NICs are required; one as a management interface and at least one as a monitoring interface:
- e1000 (82540, 82545, 82546)
- e1000e (82571, 82574, 82583, ICH8..ICH10, PCH..PCH2)
- igb (82575..82576, 82580, I210, I211, I350, I354, DH89xx)
- ixgbe (82598..82599, X540, X550)
- i40e (X710, XL710)
In addition, the following virtual environments are supported:
- VMware ESXi/ESX 5.5
- VMXNET3 network adapter
Software Requirements
PVS 4.4 is available for the following platforms:
- Red Hat Linux ES 5 / CentOS 5 64-bit
- Red Hat Linux ES 6 / CentOS 6 64-bit
- Red Hat Linux ES 7 / CentOS 7 64-bit
- Mac OS X 10.8 and 10.9 64-bit
- Microsoft Windows Vista, 7, 8, Server 2008, and Server 2012
Note: High Performance mode is available only on CentOS 6.x 64-bit, Red Hat ES 6.3+ 64-bit, CentOS 7.x 64-bit, and Red Hat ES 7.x 64-bit.
To run PVS in High Performance mode, you must enable HugePages support. HugePages is a performance feature of the Linux kernel and is necessary for the large memory pool allocation used for packet buffers. If your Linux kernel does not have HugePages configured at all, PVS will automatically configure HugePages per the appropriate settings. Otherwise, if your Linux kernel does have defined HugePages, refer to the instructions within this user guide.
Licensing Requirements
PVS Subscription
A PVS subscription Activation Code is available to enable PVS to operate in Standalone mode. This mode enables PVS results to be viewed from a HTML interface enabled on the PVS server.
Activation Code
To obtain a Trial Activation Code for PVS, contact [email protected]. Trial Activation Codes are handled the same way by PVS as a full Activation Code, except that a Trial Activation Code will allow monitoring for only 30 days. During a trial of PVS, all of the features are available.
SecurityCenter Continuous View
SecurityCenter Continuous View includes PVS as part of a bundled license package with SecurityCenter.
This license allows an unlimited number of PVS deployments to monitor an unlimited number of networks.
SecurityCenter CV’s IP view will be constrained by the license purchased with it.
Nessus Cloud
Nessus Cloud will push down plugins to PVS. The number of PVS deployments is determined by your Nessus Cloud licensing.
High Performance Mode
PVS running in High Performance Mode can be licensed in Standalone mode or bundled with SecurityCenter CV.
Install, Upgrade, Configure, and Remove PVS
This section includes the following instructions on machines running Linux, Windows, and Mac OS X:
Download PVS
Steps
1. Access the Tenable Support Portal.
2. On the left side of the page, in the Main Menu section, click Downloads.
3. Click Passive Vulnerability Scanner, and select the correct version for your operating system.
After you accept the license agreement, a download will begin.
Note: To ensure binary compatibility, make sure to download the correct build for your operating environment.
4. Confirm the integrity of the installation package by comparing the downloaded MD5 checksum with the one listed in the product release notes.
Install PVS
This section describes how to perform an initial installation of PVS on the following platforms:
- Linux
- Windows
- Mac OS X
Install PVS on Linux
Before You Begin
These steps assume you are running all commands with root privileges. To ensure audit record time stamp consistency between PVS and SecurityCenter CV, make sure the underlying OS makes use of NTP as described in the following document: http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sect-Date_and_Time_Configuration-Command_Line_Configuration-Network_Time_Protocol.html
The software license agreement for PVS is located in the directory /opt/pvs/docs. It is also available online in the following location: http://static.tenable.com/prod_docs/Master_Software_License_and_Services_Agreement.pdf
Steps
1. Install the PVS .rpm file downloaded from the Tenable Support Portal on RedHat or CentOS with the following command. The specific filename will vary depending on your platform and version.
# rpm -ivh pvs-4.4.x-esx.x86_64.rpm
Preparing... ########################################### [100%]
1:pvs ########################################### [100%]
[*] PVS installation completed.
#
The installation will create the directory /opt/pvs, which initially contains the PVS software, default plugins, and directory structure.
2. Start PVS for Red Hat and CentOS systems using the following command:
# service pvs start
3. Navigate to https://<IP address or hostname>:8835, which will display the PVS web front end to log in for the first time.
Refer to Configure PVS to complete the initial login.
Tip: Ensure that organizational firewall rules permit access to port 8835 on the PVS server.
Install PVS on Windows
Before You Begin
These steps assume you are running all programs as a local user with administrative privileges. To do so, when UAC is enabled, right-click on the installer program and select Run as Administrator.
Additionally, you must ensure the latest version of Microsoft Visual C++ 2010 Redistributable Package is installed for your 64-bit platform and architecture. Be sure to stop any other programs on your system that are utilizing WinPcap.
Steps
1. Double-click the .exe file downloaded from the Tenable Support Portal. The specific filename will vary depending on your platform and version.
This will launch the InstallShield Wizard, which will walk you through the installation process and required configuration steps.
2. Click the Next button.
The License Agreement screen appears. You must agree to the terms to continue the installation process and use PVS.
Tip: You can copy the text of the agreement into a separate document for reference, or you can click the Print button to print the agreement directly from this screen.
3. Click the Next button.
The Customer Information screen appears. The User Name and Company Name fields are used to customize the installation, but are not related to any configuration options (e.g., for interfacing with SecurityCenter CV).
4. Click the Next button.
The Choose Program Location screen appears, where you can verify the location in which the PVS binaries will be installed. You can click the Change button to specify a custom path.
5. Click the Next button.
The Choose Data Location screen appears, where you can verify the location in which user data generated by PVS will be stored. You can click the Change button to specify a custom path.
Tip: If you are connecting PVS to SecurityCenter CV, altering the data path will make SecurityCenter CV unable to retrieve reports.
6. Click the Next button.
The Ready to Install the Program screen appears, where you can review and edit the information supplied on previous screens.
7. Click the Install button.
The Setup Status screen appears. If the most recent version of WinPcap is already installed on the system, the PVS installation process will ask if you want to force or cancel installation of WinPcap. If it does not detect WinPcap, or detects an older version, a second installer will launch to install or upgrade the software.
Tip: We suggest you use the provided version of WinPcap or newer. PVS has been designed and tested using the supplied version of WinPcap.
Install PVS on Mac OS X
Before You Begin
These steps assume you are running all programs as a root user or with equivalent privileges.
Steps
1. Double-click the .dmg file downloaded from the Tenable Support Portal to mount the disk image PVS Install. The specific filename will vary, depending on your version.
2. Double-click the Install PVS.pkg file.
The Install Tenable PVS window will appear, which will walk you through the installation process and any required configuration steps.
3. Click the Continue button.
The Software License Agreement screen appears. You must agree to the terms to continue the installation process and use PVS.
Tip: You can copy the text of the agreement into a separate document for reference, or you can click the Print button to print the agreement directly from this screen.
4. Click Install to begin the installation.
A window will appear, asking for authentication for permission to install the software.
5. Click the Install Software button.
A window will appear, requesting permission to allow PVS to accept incoming network connections. If this option is denied, PVS will be installed but will have severely reduced functionality.
Immediately after the successful installation of PVS, the Installer will automatically launch the Safari web browser to allow configuration of PVS for the environment. When the identity dialog box appears, click Continue.
Tip: Once the installation process is complete, it is suggested to eject the PVS install volume.
Start and Stop PVS for Mac OS X
1. Access the System Preferences, and select PVS.Preferences.
The PVS.Preferences window appears.
2. Select the Start PVS or Stop PVS button as needed.
Tip: You can also issue a command from terminal to manually start or stop PVS.
Upgrade PVS
This section describes how to upgrade an existing PVS instance on the following platforms:
- Linux
- Windows
- Mac OS X
Upgrade PVS on Linux
Before You Begin
These steps assume you have backed up your custom SSL certificates. It is also assumed that you are running all commands with root privileges.
Additionally, if you have used a PVS RPM to install PVS previously, an upgrade retains configuration settings. You must transfer the PVS RPM package to the system on which it is being installed. Confirm the integrity of the installation package by comparing the download MD5 checksum with the one listed in the product release notes.
Steps
1. Stop PVS with the following command:
# service pvs stop
2. Install the PVS .rpm file downloaded from the Tenable Support Portal with the following command. Note that the specific filename will vary, depending on your version:
# rpm -Uvh pvs-4.4.x-esx.x86_64.rpm
Preparing... ########################################### [100%]
1:pvs ########################################### [100%]
[*] PVS installation completed.
#
3. Once the upgrade is complete, start PVS with the following command:
# service pvs start
4. Navigate to https://<ip address or hostname>:8835, which will display the PVS web frontend to log in.
Tip: Ensure that organizational firewall rules permit access to port 8835 on the PVS server.
Upgrade PVS on Windows
Before You Begin
These steps assume you have backed up your custom SSL certificates. It is also assumed that you are running all programs as a local user with administrative privileges. To do so, when UAC is enabled, right-click on the installer program and select Run as Administrator.
Additionally, you must ensure the latest version of the Microsoft Visual C++ 2010 Redistributable Package is installed for your 64-bit platform and architecture. Be sure to stop any other programs on your system that are utilizing WinPcap.
Steps
1. Stop the Tenable PVS Proxy Service from the Windows Services control panel.
2. Double-click the .exe file downloaded from the Tenable Support Portal. Note that the specific filename will vary, depending on your platform and/or version.
This will start the upgrade process by launching the InstallShield Wizard.
3. Click the Next button.
The automated upgrade process will begin.
Note: If the version of WinPcap is not at the appropriate level during the upgrade process, an upgrade window will be displayed to begin the process of upgrading WinPcap. Failure to install the recommended version of WinPcap may result in errors with PVS monitoring.
4. When the upgrade is complete,
5. Navigate to https://<ip address or hostname>:8835 to display the PVS web frontend to log in.
Tip: Ensure that organizational firewall rules permit access to port 8835 on the PVS server.
Upgrade PVS on Mac OS X
Before You Begin
These steps assume that you have backed up your custom SSL certificates and you are running all programs with root privileges.
Steps
1.
.
2. Double-click the .dmg file downloaded from the Tenable Support Portal to mount the disk image PVS Install. The specific filename will vary, depending on your version.
3. Double-click the Install PVS.pkg file.
The Install Tenable PVS window will appear, which walks you through the upgrade process and any required configuration steps.
4. Click the Continue button.
The Software License Agreement screen appears. You must agree to the terms to continue the installation process and use PVS.
Tip: You can copy the text of the agreement into a separate document for reference, or you can click the Print button to print the agreement directly from this screen.
5. Click the Install button.
A window will appear, asking for authentication for permission to install the software.
6. Click the Install Software button.
A window will appear, requesting permission to allow PVS to accept incoming network connections. If this option is denied, PVS will be installed but will have severely reduced functionality.
7. Click the Allow button.
After the upgrade is complete, your default web browser will appear, displaying the PVS web frontend to log in. When the web browser appears, you can eject the PVS install volume.
Configure PVS
PVS configuration follows the same steps for all operating systems. This section provides instructions for the following:
- Initial Configuration for PVS
- Register PVS Offline via the PVS Interface
- Register PVS Offline via the CLI
- Configure High Performance Mode
Initial Configuration for PVS
Steps
1. In a web browser, navigate to https://<ip address or hostname>:8835. The default username and password are both admin. Enter these credentials and click the Sign In To Continue button.
2. The Change Default Password screen of the Quick Setup window appears, where you can change the default password. The new password must be at least 5 characters long, contain one capital letter, one lowercase letter, one numeric digit, and one special character from the following list: !@#$%^&*().
3. Click the Next Step button.
The Set Activation Code screen appears.
4. In the Activation Code box, enter the appropriate text based on your setup:
- If PVS will be acting as a standalone device, enter an Activation Code.
- If PVS will be managed by Nessus Cloud, enter the text Cloud. Four configuration options will appear: Cloud Host, Cloud Port, Cloud Key, and PVS Name. Refer to the Cloud Settings section for more information.
- If PVS will be managed by SecurityCenter CV, enter the text SecurityCenter.
-or-
If PVS will be registered offline, select the Register Offline check box and follow the Register PVS Offline instructions.
5. Click the Next Step button.
The Monitoring Configuration screen appears.
- The Monitored Network Interfaces box displays those monitored interfaces PVS has identified. You can select one or more of the defined interfaces. The caret icon displays additional information about each interface.
- The Monitored Network IP Addresses and Ranges box displays the IP address ranges PVS will monitor.
- The Excluded Network IP Addresses and Ranges box displays the IP address ranges PVS will not monitor.
The Monitored Network IP Addresses and Ranges and Excluded Network IP Addresses and Ranges boxes accept both IPv4 and IPv6 CIDR address definitions. When multiple addresses are used, separate the entries using commas or new lines.
6. Click the Finish button.
The Monitoring page appears. Once PVS has started monitoring traffic, the page will display a list of hosts in a table, with each row containing the host’s IP and a stacked bar chart of its severity distribution relative to other hosts.
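The Monitored and Excluded range boxes described in Step 5, as an added example that is not part of the Tenable guide: it parses comma- or newline-separated IPv4/IPv6 CIDR entries the way the Quick Setup screen accepts them, rejects a malformed entry by name, decides whether a given host falls in scope, and flags exclusions that overlap no monitored range (a common typo). Treating an exclusion as overriding a monitored range, and accepting a bare address as a single-host network, are assumptions of this example.

```python
import ipaddress
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_ranges(text: str) -> List[Network]:
    """Parse the contents of a 'Network IP Addresses and Ranges' box.

    Entries are IPv4 or IPv6 CIDR definitions separated by commas or new
    lines. A bare address is accepted as a single-host network (/32 or /128),
    which is an assumption of this example, not a documented PVS behaviour.
    A malformed entry raises ValueError naming the entry, so an operator can
    see exactly which line of the box to fix.
    """
    networks: List[Network] = []
    for raw in text.replace(",", "\n").splitlines():
        entry = raw.strip()
        if not entry:
            continue  # tolerate blank lines and trailing commas
        try:
            # strict=False keeps host bits (10.1.2.3/24 -> 10.1.2.0/24)
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(f"invalid CIDR entry {entry!r}: {exc}") from None
    return networks


class MonitoringScope:
    """Model of the Monitored and Excluded ranges entered during Quick Setup."""

    def __init__(self, monitored_text: str, excluded_text: str = "") -> None:
        self.monitored = parse_ranges(monitored_text)
        self.excluded = parse_ranges(excluded_text)

    def is_monitored(self, host: str) -> bool:
        """True if the host lies inside a monitored range and inside no
        excluded range (exclusion wins; assumption of this example)."""
        addr = ipaddress.ip_address(host)
        if any(addr in net for net in self.excluded):
            return False
        return any(addr in net for net in self.monitored)

    def stray_exclusions(self) -> List[Network]:
        """Excluded ranges that overlap no monitored range of the same IP
        version. They have no effect and usually mean one box has a typo."""
        return [
            ex for ex in self.excluded
            if not any(ex.overlaps(mon) for mon in self.monitored
                       if ex.version == mon.version)
        ]


if __name__ == "__main__":
    # Constructed sample input in the format the two Quick Setup boxes accept.
    scope = MonitoringScope(
        "192.168.0.0/16, 10.0.0.0/8\n2001:db8::/32",
        "192.168.100.0/24\n172.16.0.0/12",
    )
    for host in ("192.168.1.10", "192.168.100.7", "2001:db8:1::5", "8.8.8.8"):
        print(f"{host:16} monitored={scope.is_monitored(host)}")
    print("exclusions with no effect:",
          [str(n) for n in scope.stray_exclusions()])
```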
Register PVS Offline via the PVS Interface
Steps
1. In Step 4 of the Initial Configuration instructions, on the Quick Setup window, select the Register Offline check box.
A challenge code and the Activation Key box appear.
2. Copy the challenge code, and in a web browser, navigate to https://plugins.nessus.org/v2/offline-pvs.php.
3. In the appropriate boxes, paste your challenge code and enter the Activation Code you received previously from Tenable, and click the Submit button.
The page will generate a URL to download the PVS plugins tarball. Save this URL, as it will be used every time you update your plugins. In addition, a license key will appear.
4. Copy the license key, navigate to the PVS interface, and paste the license key into the Activation Key box on the Quick Setup window.
5. Click the Next Step button, and then continue with Step 5 of the Initial Configuration instructions.
Note: After configuring PVS, upload the plugins tarball in the Offline Update area of the
.
Register PVS Offline via the CLI
If your PVS installation cannot reach the Internet directly, use the following procedure to register and update plugins:
On the system running PVS, type the command for your platform:
Red Hat Linux / CentOS: # /opt/pvs/bin/pvs --challenge
Windows: C:\Program Files\Tenable\PVS\pvs --challenge
Mac OS X: # /Library/PVS/bin/pvs --challenge
This will produce a challenge code that appears similar to the following:
569ccd9ac72ab3a62a3115a945ef8e710c0d73b8
Go to https://plugins.nessus.org/v2/offline-pvs.php and paste the challenge code as well as the Activation Code you received previously from Tenable into the appropriate text boxes. This will produce a URL that will give you direct access to the PVS plugins. Save this URL, as it will be used every time you update your plugins. In addition, a license key and the associated pvs.license file will be produced. Copy this file to the host running PVS in the appropriate directory:
Once the pvs.license file has been copied, run the pvs --register-offline command to install the file:
Red Hat Linux / CentOS: # /opt/pvs/bin/pvs --register-offline /path/to/pvs.license
Windows: C:\Program Files\Tenable\PVS\pvs --register-offline "C:\path\to\pvs.license"
Mac OS X: # /Library/PVS/bin/pvs --register-offline /path/to/pvs.license
The newest plugins can be obtained by going to the URL that was provided in the previous step. Here, you will receive a TAR file (e.g., sc-passive.tar.gz). Copy the file to PVS and then type the appropriate command for your platform:
Red Hat Linux / CentOS: # /opt/pvs/bin/pvs --update-plugins /path/to/sc-passive.tar.gz
Windows: C:\Program Files\Tenable\PVS\pvs --update-plugins C:\path\to\sc-passive.tar.gz
Mac OS X: # /Library/PVS/bin/pvs --update-plugins /path/to/sc-passive.tar.gz
Configure High Performance Mode
Before You Begin
The following steps are required to operate PVS in High Performance mode. Alternatively, a user with administrative privileges can enable High Performance mode via the UI.
You must have a High Performance Activation Code in order to run PVS in High Performance mode.
PVS uses multiple cores to process packets received from the monitored interfaces. These cores are known as worker cores, and the default number of worker cores is 8. This number can be changed using the configuration parameter Number of Worker Cores.
Note: If you set the Number of Worker Cores parameter to 0, PVS will automatically change the value to the minimum number of worker cores needed to run PVS in High Performance mode.
Suppose you have 20 available logical cores. Four of those cores are used by the system for internal processing and the kernel. If you want to use the 16 available cores for PVS, then you would change the value for the parameter Number of Worker Cores to 16.
Steps
1. Stop PVS with the following command:
# service pvs stop
2. Enable High Performance mode with the following command:
# /opt/pvs/bin/pvs --config "Enable High Performance Mode" "1"
3. Confirm that the management network interface is different from the monitoring network interface that you configured initially.
Note: If the configured monitored interface has bound IPv4 addresses, you will not be able to complete the Quick Setup Wizard to configure PVS, because no usable NICs will appear in the Monitored Network Interfaces list.
4. Start PVS with the following command:
# service pvs start
Remove PVS
The following instructions describe how to remove PVS from the following platforms:
- Linux
- Windows
- Mac OS X
Remove PVS from Linux
Steps
1. Stop PVS with the following command:
# service pvs stop
2. Determine the name of the RPM file with the following command:
# rpm -qa | grep pvs
The name of the RPM file will appear.
3. Remove the PVS RPM with the following command:
# rpm -e <RPM name>
4. Some user-created and -modified files are not removed with the -e command. Remove any remaining files with the following command:
# rm -rf /opt/pvs
PVS is removed.
Remove PVS from Windows
Steps
1. On the Control Panel, under Programs, click Programs and Features, or Add or Remove Programs, depending on the Windows version.
2. Select Tenable Passive Vulnerability Scanner and then click Change/Remove.
The InstallShield Wizard appears.
3. Follow the directions in this wizard to completely remove PVS.
4. Select Yes to remove the PVS program and all its files, folders, and features from the system.
-or-
Select No to remove only the PVS program. All user-created files and relevant file folders will remain on the system.
5. Restart your machine to complete the removal.
6. Follow the same instructions to remove WinPcap.
Remove PVS from Mac OS X
Steps
1. Stop PVS.
2. Delete the following directories (including subdirectories) and files from the command line with root privileges (either as root or via sudo):
# rm /Library/LaunchDaemons/com.tenablesecurity.pvs*
# rm -r /Library/PVS
# rm -r /Library/PreferencePanes/PVS*
# rm -r /Applications/PVS
PVS is removed from your Mac OS X system.
PVS Features
The PVS web interface allows PVS to monitor network traffic and report results without needing SecurityCenter CV or another third-party tool to analyze the data. The web interface is supported for web browsers that support HTML5, including the following:
- Microsoft Internet Explorer 9 and later
- Firefox 24 and later
- Google Chrome 30 and later
This section describes the following features in the PVS web interface:
- PVS Navigation
- Monitoring Page
- Results Page
- Users Page
- Configuration Page
PVS Navigation
The top navigation menu displays the four main pages: Monitoring, Results, Users, and Configuration. All of PVS’s primary analysis tasks can be performed using these four pages. Clicking a page name will open that page.
Clicking the username will display a drop-down menu with three options: Change Password, Help & Support, and Sign Out.
Note: The Users and Configuration pages are available only to users with administrative privileges.
The bell icon toggles the Notification History box, which displays a list of notifications, successful or unsuccessful login attempts, errors, and system information generated by PVS. The color of the bell changes based on the nature of the notifications in the list. If there are no alerts, or all notifications are information alerts, then the bell will be blue. If there are error alerts in the notification list, then the bell will be red. The Notification History box displays up to 1,000 alerts, and once the limit is reached, will add no new alerts until old ones are cleared.
Notifications can be removed individually by clicking the button to the right of the description of each event, or the entire notification history can be deleted by clicking the Clear History button in the bottom right corner of the box.
Note: Notifications are not preserved between sessions. Unread notifications will be removed from the list when the user logs out.
Monitoring Page
The Monitoring page provides a centralized view of the vulnerabilities discovered by PVS. On this page, the vulnerabilities may be viewed in several categories, including hosts, vulnerabilities, applications, operating systems, connections, and mobile devices. The results may also be exported to different formats for use in other programs.
Across all of the viewable methods available on the Monitoring page, filter options are available to increase granularity when viewing results. Items within each section of the Monitoring page can be sorted in ascending or descending order by clicking on the heading of the column on which you want to sort.
The Actions drop-down menu allows you to export results, delete results, or launch a Nessus scan.
The Filter <section name> box allows for quick filtering based on entered text for the Monitoring page. To view a list of filterable plugin attributes, click the down arrow for any quick filter text field. Results are displayed based on a match of Any or All entered fields. The search field contains example hints when empty, but if an incorrect filter value is entered, the field will display a red border.
Note: The Filter <section name> box is not available in the Dashboards section.
Filter Text
The following quick-filter attributes are available:
- Bugtraq ID: Filter the results of discovered vulnerabilities based on their Bugtraq identifiers.
- CPE: Filter the results of discovered vulnerabilities based on their CPE identifiers.
- CVE: Filter the results of discovered vulnerabilities based on their CVE identifiers.
- CVSS Base Score: Filter the results of discovered vulnerabilities based on the base CVSS score as reported by the vulnerability plugins.
- CVSS Temporal Score: Filter the results of discovered vulnerabilities based on the temporal CVSS score as reported by the vulnerability plugins.
- CVSS Temporal Vector: Filter the results of discovered vulnerabilities based on the CVSS temporal vector as reported by the vulnerability plugins.
- CVSS Vector: Filter the results of discovered vulnerabilities based on the CVSS vector as reported by the vulnerability plugins.
- CVSS v3.0 Base Score: Filter the results of discovered vulnerabilities based on the CVSS v3.0 base score as reported by the vulnerability plugins.
- CVSS v3.0 Temporal Score: Filter the results of discovered vulnerabilities based on the temporal CVSS v3.0 score as reported by the vulnerability plugins.
- CVSS v3.0 Temporal Vector: Filter the results of discovered vulnerabilities based on the temporal CVSS v3.0 vector as reported by the vulnerability plugins.
- CVSS v3.0 Vector: Filter the results of discovered vulnerabilities based on the CVSS v3.0 vector as reported by the vulnerability plugins.
- Host: Filter the results of discovered vulnerabilities based on the discovered IP address of the device.
- IAVA ID: Filter the results of discovered vulnerabilities based on the IAVA IDs of the vulnerabilities.
- IAVB ID: Filter the results of discovered vulnerabilities based on the IAVB IDs of the vulnerabilities.
- IAVT ID: Filter the results of discovered vulnerabilities based on the IAVT IDs of the vulnerabilities.
- OSVDB ID: Filter the results of discovered vulnerabilities based on the discovered OSVDB identifiers.
- Plugin Description: Filter the results of discovered vulnerabilities based on text available in the descriptions of the vulnerabilities.
- Plugin Family: Filter the results of discovered vulnerabilities based on a family of discovered vulnerabilities.
- Plugin ID: Filter the results of discovered vulnerabilities based on the IDs of the plugins that identified the vulnerabilities.
- Plugin Name: Filter the results of discovered vulnerabilities based on text available in the names of the plugins that identified the vulnerabilities.
- Plugin Output: Filter the results of discovered vulnerabilities based on text contained in the output of the plugin that discovered the vulnerability.
- Port: Filter the results of discovered vulnerabilities based on the port the vulnerability was discovered on.
- Protocol: Filter the results of discovered vulnerabilities based on the detected protocol: tcp, udp, or icmp.
- See Also: Filter the results of discovered vulnerabilities based on the text available in the See Also field of the plugin.
- Severity: Filter the results of discovered vulnerabilities based on the identified severity.
- Solution: Filter the results of discovered vulnerabilities based on text available in the solution section of the plugin.
- STIG Severity: Filter the results of discovered vulnerabilities based on the STIG severity level in the plugin.
- Synopsis: Filter the results of discovered vulnerabilities based on text available in the synopsis section of the plugin.
Hosts Section
The Hosts section of the Monitoring page displays a list of the discovered hosts, along with a stacked bar chart that is labeled and color-coded to indicate the number and severity levels of vulnerabilities detected on the host.
Selecting a host from the list will display the host’s attributes and discovered vulnerabilities. In the drop-down menu at the top of the section, you can select one of the following options to view:
Vulnerabilities
Vulnerabilities detected on this host are shown in descending order of severity. The vulnerabilities list displays the name of each vulnerability, vulnerability family, and the number discovered. Selecting a vulnerability from the list will display vulnerability details including a synopsis, description, solution, plugin information, risk information, reference information, and affected ports and services for the host.
Applications
Applications are shown in descending order of severity. The applications list displays the name and number of each application. Selecting an application from the list will display information about the application observed on this host.
Client Connections
Hosts to which the selected host has connected are shown grouped by port. The client connections list displays information about connections from the selected host to other hosts, which port(s) were used, and the services, if known.
Server Connections
Hosts that have connected to the selected host are shown grouped by port. The server connections list displays information about connections to the selected host from other hosts, which port(s) were used, and the services, if known.
Vulnerabilities Section
The Vulnerabilities section of the Monitoring page provides a list of the vulnerabilities detected by PVS, along with the families and number detected of each vulnerability.
Applications Section
The Applications section displays a list of discovered applications. Selecting an application will present a list of affected hosts with the name and number of discoveries, the affected port and protocol, the software and version, and the service as available.
Operating Systems Section
The Operating Systems section displays a list of discovered operating systems. The summary page lists the severity, operating system name as detected, and the number of discoveries. Selecting an operating system name from the list will display the severity, the version of the operating system, and service as available.
Connections Section
The Connections section displays information in two tabs:
- The Client Connections tab displays a list of hosts. Clicking on a host will display connections from the selected host to other hosts, which port(s) were used, and the services, if known.
- The Server Connections tab displays a list of hosts. Clicking on a host will display connections to the selected host from other hosts, which port(s) were used, and the services, if known.
Mobile Devices Section
The Mobile Devices section displays a list of discovered mobile devices. The summary page displays the IP address, model, operating system, and last seen timestamp for each mobile device within the monitored network range. Selecting a device name from the list will display the device’s list of vulnerabilities. You can also view the list of applications for the mobile device.
Dashboards Section
The Dashboards section displays the contents of the vulnerability tab in a graphical layout. The default dashboard layout displays the following chart types:
- Distribution by Operating System
- Distribution of Mobile Applications by Application
- Top 10 Mobile Devices by Hardware
- Distribution of Mobile Devices by Operating System
- Top 10 Hosts
- Top 10 Talkers
- Top 10 Vulnerabilities
- Top 5 Applications
Clicking the button on a chart will temporarily remove that chart from the Dashboards section for the duration of your page session. Clicking the button on a chart will refresh the chart. Alternatively, clicking the button in the upper right corner of the Dashboards section will refresh all the charts on the page.
Vulnerabilities Tab
From this screen you can click the All Time drop-down menu to apply filtering based on the last 24 hours, last 3 days, last 7 days, last 30 days, or all time, or you can create a custom time frame for filtering.
Events Tab
The Events tab displays a graphical representation of the number of maximum viewable real-time events as defined in the Realtime Events setting type in the PVS Settings section.
The Event Details chart can be customized by sorting on columns, showing or hiding columns, or filtering on content using the Filter Events drop-down menu or by clicking underlined columns in the table.
Mobile Tab
The Mobile tab displays the following default charts:
- Distribution of Mobile Devices by Operating System
- Top 10 Mobile Devices by Hardware
- Distribution of Mobile Applications by Application
These are static charts that are not configurable via the Chart Settings section; however, you can use the All Time drop-down menu to apply filtering to the data displayed on the charts.
Results Page
The Results page contains snapshots of monitored data, results from Pcap files entered manually via the command line or the client GUI, and uploaded PVS reports. The Monitored Data snapshots are generated regularly based on the Report Frequency setting. They are stored until deleted or the Report Lifetime setting is put into effect. When a result grouping is selected, it may be viewed using the same analysis tools described in the Monitoring section of this user guide. Additionally, by checking the desired Snapshot results and then using the Diff Snapshots option from the Actions drop-down menu, two snapshots may be compared.
Users Page
The Users page provides a list of the available users on the PVS server, and account configuration options for each. This page is visible only to users with administrative privileges.
Configuration Page
The Configuration page allows users with administrative privileges to configure PVS for the local environment. There are seven sections available.
PVS Settings Section
The PVS Settings section provides options for configuring the network settings for PVS, including what network(s) are monitored or excluded, how to monitor those networks, and what network interfaces PVS has identified for monitoring. If your PVS is licensed to run in High Performance mode, you can also configure the performance mode in this section.
ACAS
- ACAS Classification: Support for ACAS banners may be enabled from the command line of the PVS server using the command /opt/pvs/bin/pvs --config --add "ACAS Classification" "SECRET". SECRET may be replaced by UNCLASSIFIED, CONFIDENTIAL, TOP SECRET, or NOFORN. Once enabled, a drop-down menu for the ACAS option will appear in the GUI front end. Support for ACAS banners may be disabled from the command line of the PVS server using the command /opt/pvs/bin/pvs --config --delete "ACAS Classification" from the binary directory on the server.

Advanced
- Login Banner: A text box in which you can specify a login banner.

DNS Query
- DNS Cache Lifetime: A text box in which you can specify the amount of time PVS will retain and store a given host’s DNS record, in seconds. By default, this option is set to 43200 (12 hours), but can be set to any value between 3600 and 172800 (48 hours).
- DNS Query Time Interval: A text box in which you can specify the delay between sets of DNS queries, in seconds. By default, this option is set to 5, but can be set to any value between 1 and 120.
- DNS Queries per Interval: A text box in which you can specify the maximum number of concurrent DNS requests made at the time of the DNS Query, in seconds. By default, this option is set to 5, but can be set to any value between 0 and 1000. Setting this value to 0 will disable this feature and prevent further DNS queries from being made.

Memory
- Sessions Cache Size: A text box in which you can specify the size, in megabytes, of the session table. Adjust the session size as needed for the local network. By default, this option is set to 50.
- Packet Cache Size: A text box in which you can specify the maximum size, in megabytes, of the cache that will be used to store the contents of the packets collected before processing. By default, this option is set to 128 MB with a maximum size of 512 MB. When the cache is full, any subsequent packets captured will be dropped until space in the cache becomes available.

Monitoring
- Monitored Network Interfaces: A list of the network device(s) used for sniffing packets. Devices may be selected individually or in multiples. At least one interface must be selected from the list of available devices.
  Note: High Performance mode does not support e1000 NICs as monitored interfaces on VMs. If you are running PVS on a VM in High Performance mode and select an e1000 monitored interface, PVS will automatically fall back to Standard mode.
- Monitored Network IP Addresses and Ranges: A text box in which you can specify the network(s) to be monitored. The default setting is 0.0.0.0/0, which instructs PVS to monitor all IPv4 addresses. This should be changed to monitor only target networks; otherwise PVS may quickly become overwhelmed. It may contain both IPv4 and IPv6 addresses. Multiple addresses must be separated by commas. When monitoring VLAN networks, you must use the syntax vlan ipaddress/subnet.
  Example: 192.168.1.0/24,2001:DB8::/64,10.2.3.0/22,vlan 172.16.0.0/16,192.168.3.123/32
- Excluded Network IP Addresses and Ranges: A text box in which you can specify any network(s), in CIDR notation, to specifically exclude from PVS monitoring. This option accepts both IPv4 and IPv6 addresses. Multiple addresses must be separated by commas. When excluding VLAN networks, you must use the syntax vlan ipaddress/subnet. If this text box is left blank, no addresses will be excluded.
  Example: 192.168.1.0/24,2001:DB8::/64,10.2.3.0/22,vlan 172.16.0.0/16,192.168.3.123/32
PVS Proxy
- PVS Restart Attempts: A text box in which you can specify the number of times the PVS proxy will attempt to restart the PVS engine in the event that the engine stops running. By default, this option is set to 10, but can be set to any value between 1 and 15. Once the restart attempt limit is reached, the proxy will stop trying for 30 minutes.
- PVS Restart Interval: A text box in which you can specify the amount of time, in minutes, between PVS restart attempts. By default, this option is set to 10, but can be set to any value between 1 and 3600.

PVS Web Server
- Enable SSL for Web Server: A check box that, when selected, enables SSL protection for connections to the web server. This check box is selected by default, and clearing it is not recommended, as doing so allows traffic between a web browser and PVS to be sent unencrypted. Custom SSL certificates may be installed in the /opt/pvs/var/pvs/ssl directory. Changes to this setting require that PVS be restarted.
  Note: Changing this option while PVS is running makes communication between the client and server either encrypted or unencrypted. If you select or clear the Enable SSL for Web Server check box, the Web Server will automatically kill your current PVS session.
- Minimum Password Length: A text box in which you can specify the lowest number of characters a password may contain. By default, this option is set to 5, but can be set to any value between 5 and 32.
- PVS Web Server Address: A text box in which you can specify the IPv4 and/or IPv6 addresses on which the PVS web server will listen. The default setting is 0.0.0.0, which instructs the web server to listen on all available IPv4 addresses. This may be changed to listen on a specific address or multiple addresses separated by commas.
- PVS Web Server Port: A text box in which you can specify the PVS web server listening port. The default setting is 8835, but can be changed as appropriate for the local environment.
  Note: If you change the value in this field, the Web Server will automatically kill your current PVS session.
- PVS Web Server Idle Session Timeout: A text box in which you can specify the number of minutes of inactivity before a web session becomes idle. By default, this option is set to 30, but can be set to any value between 5 and 60.
- Enable SSL Client Certificate Authentication: A check box that, when selected, allows the web server to accept only SSL client certificates for user authentication.
- Enable Debug Logging for PVS Web Server: A check box that, when selected, allows the web server to include debug information in the logs for troubleshooting issues related to the web server. The logs will become very large if this option is routinely enabled.
- Maximum User Login Attempts: A text box in which you can specify the number of times a user can enter an incorrect password in a 24 hour period before the user’s account is locked out.
- Max Sessions per User: A text box in which you can specify the number of concurrent sessions a user can have running at any one time.
- Enforce Complex Passwords: A check box that, when selected, forces the user’s passwords to contain at least one uppercase character, one lowercase character, one digit, and one special character from the following: !@#$%^&*().
Plugins
Process High
Speed Plugins
Only
PVS is designed to expect to find various protocols on non-standard ports. For example, PVS can easily find an Apache server running on a port other than
80. However, on a high traffic network, PVS can be run in High Performance mode, which allows it to focus certain plugins on specific ports. When
is enabled and this check box is selected, any plugin that utilizes the keywords hs_dport or hs_sport will be executed only on traffic traversing the specified ports.
Enable Automatic Plugin
Updates
A check box that, when selected, allows PVS to update its plugins automatically from the Tenable website on a daily basis. If the PVS server is not connected to the Internet, it is recommended that you disable this option.
Tip: When the HTML Client is updated the web browser needs to be refreshed to utilize the new client. In some cases, the web browser’s cache must be deleted to view the new client.
Realtime Events
Realtime
Events File Size
Log Realtime
Events to Realtime Log File
A text box in which you can specify the maximum amount of data from real-time events that will be stored in one text file. The option must be specified in kilobytes, megabytes, or gigabytes by appending a K, M, or G, respectively, to the value.
A check box that, when selected, allows PVS detected real-time events to be recorded to a log file in the following location:
/opt/pvs/var/pvs/logs/realtime-logs-##.txt
This option can be configured via the CLI.
Copyright © 2016. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc.
- 45 -
You are here: PVS Settings Section
Name Description
Enable Realtime Event Analysis
A check box that, when selected, allows PVS to analyze real-time events.
Maximum Viewable Realtime
Events
Maximum Realtime Log Files
Reports
A text box in which you can specify the maximum number of most recent events cached by the PVS engine. This setting is in effect only when Realtime Event
Analysis is enabled.
A text box in which you can specify the maximum number of realtime log files written to the disk.
Report
Threshold
Report Lifetime
Report Frequency
Knowledgebase
Lifetime
New Asset Dis-
A text box in which you can specify the number of times the encryption detection algorithm is executed during a session. Once the threshold is reached, the algorithm is no longer executed during the session. By default, this option is set to 3.
A text box in which you can specify, in days, for how long reports are cached.
After the configured number of days is met, PVS’s entire model of a discovered network is completely removed. PVS starts over again learning about the hosts that are involved on the network. This value can be set to a maximum value of
90 days, if this behavior is not desired. However, it is very useful to have fresh reports on a weekly or monthly basis. By default, this option is set to 7.
A text box in which you can specify, in minutes, how often PVS will write a report. By default, this option is set to 15. SecurityCenter 4.6 and higher will retrieve the PVS report every 15 minutes.
A text box in which you can specify, in seconds, the maximum length of time that a knowledgebase entry remains valid after its addition. By default, this option is set to 864000.
A text box in which you can specify, in days, how long PVS should monitor
Copyright © 2016. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc.
- 46 -
You are here: PVS Settings Section
Name Description covery Interval traffic before detecting new hosts. PVS listens to network traffic and attempts to discover when a new host has been added. To do this, PVS constantly compares a list of hosts that have generated traffic in the past to those currently generating traffic. If it finds a new host generating traffic, it will issue a “new host alert” via the real-time log. For large networks, PVS can be configured to run for several days to gain knowledge about which hosts are active. This prevents
PVS from issuing an alert for hosts that already exist. For large networks, Tenable recommends that PVS operate for at least two days before detecting new hosts. By default, this option is set to 2.
Connections to
Services
Show Connections
A check box that, when selected, enables PVS to log which clients are attempting to connect to servers on the network and what port they are attempting to connect to. They indicate only that an attempt to connect was made, not whether the connection was successful. Events detected by PVS of this type are logged as PVS ID 00002.
A check box that, when selected, instructs PVS to record the clients in the focus network that attempt to connect to a server IP address and port and receive a positive response from the server. The record will contain the client IP address, the server IP address, and the server port that the client was attempting to connect to. For example, if four different hosts within the focus network attempted to connect with a server IP over port 80 and received a positive response, then a list of those hosts would be reported under event 00003 and port 80.
Session Analysis

Encrypted Sessions Dependency Plugins
A text box in which you can specify the Plugin IDs, separated by commas, that will be used to detect encrypted traffic.

Encrypted Sessions Excluded Network Ranges
A text box in which you can specify the IPv4 and IPv6 addresses and ports, in CIDR notation, that will be excluded from monitoring for encrypted traffic.
Example: 192.168.1.0/24,2001:DB8::/64,10.2.3.0/22,vlan 172.16.0.0/16,192.168.3.123/32

Interactive Sessions Dependency Plugins
A text box in which you can specify the Plugin IDs, separated by commas, that will be used to detect interactive sessions.

Interactive Sessions Excluded Network Ranges
A text box in which you can specify the IPv4 and IPv6 addresses and ports, in CIDR notation, that will be excluded from monitoring for interactive sessions.
Example: 192.168.1.0/24,2001:DB8::/64,10.2.3.0/22,vlan 172.16.0.0/16,192.168.3.123/32

Syslog

Realtime Syslog Server List
A text box in which you can specify the IPv4 or IPv6 address and port of a Syslog server that will receive real-time events from PVS. A local Syslog daemon is not required. Syslog items can be specified to Standard or CEF formats as well as UDP or TCP protocols.
Example: 192.168.1.12:4567,10.10.10.10:514,[2001:DB8::23B4]:514

Vulnerability Syslog Server List
A text box in which you can specify the IPv4 or IPv6 address and port of a Syslog server that will receive vulnerability data from PVS. A local Syslog daemon is not required. Syslog items can be specified to Standard or CEF formats as well as UDP or TCP protocols.
Example: 192.168.1.12:4567,10.10.10.10:514,[2001:DB8::23B4]:514

Note: While PVS may display multiple log events related to one connection, it will send only a single event to the remote Syslog server(s).
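The Syslog Server List boxes above accept a comma-separated list of host:port items, with IPv6 literals written in brackets so the port can be told apart from the address. The validator below is an added example written for this guide, not Tenable's code: it checks each entry the way an administrator would want a form to before saving it, rejecting an unbracketed IPv6 address, a non-IP host, or an out-of-range port. The sample list is constructed from the table's own example.

```python
import ipaddress
from typing import List, Tuple, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample in the format shown for the Syslog Server List boxes.
SAMPLE_SERVER_LIST = "192.168.1.12:4567,10.10.10.10:514,[2001:DB8::23B4]:514"


def parse_syslog_entry(entry: str) -> Tuple[Address, int]:
    """Parse one 'host:port' item; IPv6 literals must be bracketed as [addr]:port."""
    entry = entry.strip()
    if entry.startswith("["):
        close = entry.find("]")
        if close == -1 or not entry[close + 1:].startswith(":"):
            raise ValueError(f"malformed bracketed IPv6 entry: {entry!r}")
        host, port_text = entry[1:close], entry[close + 2:]
    else:
        # rpartition keeps the last ':' as the port separator; a second ':' in the
        # host means an unbracketed IPv6 literal, which is ambiguous and rejected.
        host, sep, port_text = entry.rpartition(":")
        if not sep or ":" in host:
            raise ValueError(f"expected host:port (bracket IPv6 literals): {entry!r}")
    addr = ipaddress.ip_address(host)  # raises ValueError for anything that is not an IP
    if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
        raise ValueError(f"port out of range in {entry!r}")
    return addr, int(port_text)


def parse_syslog_server_list(text: str) -> List[Tuple[Address, int]]:
    """Split the box contents on commas and validate every entry (stops at the first bad one)."""
    return [parse_syslog_entry(item) for item in text.split(",") if item.strip()]


def list_errors(text: str) -> List[str]:
    """Collect one message per bad entry instead of stopping at the first."""
    errors = []
    for item in text.split(","):
        if not item.strip():
            continue
        try:
            parse_syslog_entry(item)
        except ValueError as exc:
            errors.append(str(exc))
    return errors


if __name__ == "__main__":
    for addr, port in parse_syslog_server_list(SAMPLE_SERVER_LIST):
        print(f"IPv{addr.version} {addr} port {port}")
    # Constructed bad input: unbracketed IPv6 and an impossible port.
    print(list_errors("2001:DB8::23B4:514,10.0.0.1:99999,10.0.0.2:514"))
```

Because the list is parsed entry by entry, a single bad item can be reported without discarding the valid servers around it, which matters when the same box feeds both the real-time and vulnerability streams.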
Feed Settings Section
The Feed Settings section allows you to update the Activation Code, plugins, perform offline updates, and configure a custom plugin feed host. The Activation Code will need to be updated only when it expires.
The Offline Update allows a user with administrative privileges to manually update the plugins when the PVS host is not able to connect to the Internet. After downloading the plugin update archive from Tenable, click Choose File and select the archive tarball to upload. Click the Upload Archive button to send the file to the PVS host, and click the Upload Archive button again, which will update the plugins. If a new client is part of the update, you must refresh the web browser to see the updated client.
The Custom Plugin Feed host is an alternate feed host. These are typically hosted on a local network to provide custom PVS plugins.
When running Standalone PVS or PVS in High Performance mode as Managed by SecurityCenter or Managed by Nessus Cloud, you must enter an Activation Code before clicking the Update button. The button schedules a plugin update when PVS is running in Standalone mode. Additionally, when registering PVS in Offline mode, the Activation Code is needed to obtain the Activation Key.
Web Proxy Settings Section
The Web Proxy Settings section configures the settings for a web proxy if one is needed for plugin updates.
These settings include the proxy host IP address, port, username, password, and a user-agent field if a custom agent string is needed.
Chart Settings Section
The Chart Settings section displays all the charts available, provides options for
Email Settings Section
The Email Settings section provides options for email notifications for PVS, including the recipients of the email notifications, what charts appear in email notifications, and the time and frequency with which email notifications are sent. If you hover over an existing email notification in the list in the Email Settings section, a paper airplane icon will appear, which you can click to send a report immediately.
When you select SMTP Server in the Setting Type drop-down menu, the following options for configuring the SMTP server will appear:

Host
The host or IP of the SMTP server (e.g., smtp.example.com).

Port
The port of the SMTP server (e.g., 25).

From
The name that will appear in the "From" line of the email report.

PVS Location
The IP address or hostname for your PVS server. This will work only if the PVS host is reachable to the user that receives the email report.

Auth Method
The method by which the SMTP server will be authenticated. Supported methods are None, Plain, NTLM, Login, and CRAM-MD5.
Note: If this option is set to None, the Username and Password fields are hidden.

Username
The username used to authenticate to the SMTP server.

Password
The password associated with the username, provided that a password is required by the SMTP server.
Plugin Settings Section
The Plugin Settings section allows the user to enable and disable existing plugins and PASLs, and create custom plugins.
The Plugin Settings section contains the following subsections:
- The Enable/Disable Plugins subsection displays a list each of enabled and disabled plugins, respectively, and the options to move plugins between those lists.
- The Enable/Disable PASLs subsection displays a list each of enabled and disabled PASLs, respectively, and the options to move PASLs between those lists.
- The Create Plugin subsection displays configurable options for creating custom plugins in the GUI.
In addition to the default plugin fields in the Create Plugin subsection, there is also the option for the user to create a new plugin field by clicking the Add Plugin Field button in the upper right corner of the Plugin Settings section.
The following table provides a brief summary of each plugin field available for creating custom plugins.
ID
The unique numeric ID of the plugin.

Name
Name of the plugin. The plugin name should start with the vendor name.

Description
Full text description of the vulnerability.

Synopsis
Brief description of the plugin or vulnerability.

Solution
Remediation information for the vulnerability.

See Also
External references to additional information regarding the vulnerability.

Risk
Info, Low, Medium, High, or Critical risk factor.

Plugin Output
Displays dynamic data in PVS plugin reports.

Family
Family to which the plugin belongs.

Dependency
Other dependencies required to trigger the custom plugin.

NoPlugin
Prevent a plugin from being evaluated if another plugin has already matched. For example, it may make sense to write a plugin that looks for a specific anonymous FTP vulnerability, but have it disabled if another plugin that checked for anonymous FTP had already failed.

No Output
For plugins that are written specifically to be used as part of a dependency with another plugin, this keyword will cause PVS to not report anything for any plugin with this keyword enabled.

Client Issue
Indicates the vulnerability is located on the client side.

Plugin Type
Vuln, realtime, or realtimeonly plugin type.

cve
CVE reference.

bid
Bugtraq ID (BID) reference.

osvdb
External reference (e.g., OSVDB, Secunia, MS Advisory).

nid
To track compatibility with the Nessus vulnerability scanner, Tenable has attempted to associate PVS vulnerability checks with relevant Nessus vulnerability checks. Multiple Nessus IDs can be listed under one nid entry, such as nid=10222,10223.

cpe
Filter the result of discovered vulnerabilities based on their CPE identifier.

Match
This keyword specifies a set of one or more simple ASCII patterns that must be present in order for the more complex pattern analysis to take place. The match keyword gives PVS a lot of its performance and functionality.

Regex
This keyword specifies a complex regular expression search rule that will be applied to the network session.

Revision
Revision number associated with the custom plugin.

Raw Text Preview
A preview of the custom plugin in raw text. Example of a custom plugin created to find an IMAP banner of "Tenable Rocks":
id=79000
name=IMAP Banner
description=An IMAP server is running on this port. Its banner is Tenable Rocks
risk=NONE
match=OK
match=IMAP
match=server ready
regex=^.*OK.*IMAP.*Tenable Rocks
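The reason the table says the match keyword gives PVS "a lot of its performance" is the two-stage evaluation: cheap literal substring checks decide whether the expensive regular expression is even tried. The parser and evaluator below make that visible on the IMAP banner plugin from the Preview row. It is an added illustration written for this guide, not PVS's own plugin engine; it assumes one key=value pair per line, that match may repeat, that every match pattern must appear verbatim in the session data before the regex runs, and the three sample banners are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the IMAP banner plugin from the Preview row, one key=value per line.
SAMPLE_PLUGIN = """\
id=79000
name=IMAP Banner
description=An IMAP server is running on this port. Its banner is Tenable Rocks
risk=NONE
match=OK
match=IMAP
match=server ready
regex=^.*OK.*IMAP.*Tenable Rocks
"""


@dataclass
class Plugin:
    id: int
    name: str
    fields: Dict[str, str] = field(default_factory=dict)  # single-valued keys (risk, description, ...)
    match: List[str] = field(default_factory=list)        # plain-ASCII prefilter patterns
    regex: Optional[re.Pattern] = None                    # full pattern, compiled once


def parse_plugin(text: str) -> Plugin:
    """Parse key=value lines: 'match' may repeat, 'regex' is compiled, everything else is stored as-is."""
    fields, matches, regex = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"malformed plugin line: {line!r}")
        key, value = line.split("=", 1)  # values (e.g. the regex) may themselves contain '='
        key = key.strip().lower()
        if key == "match":
            matches.append(value)
        elif key == "regex":
            regex = re.compile(value)
        else:
            fields[key] = value
    if "id" not in fields or "name" not in fields:
        raise ValueError("plugin must define id and name")
    return Plugin(int(fields["id"]), fields["name"], fields, matches, regex)


def evaluate(plugin: Plugin, session_data: str) -> str:
    """Return 'fired', 'rejected-by-match' or 'rejected-by-regex' for one session payload."""
    # Stage 1: literal substring tests; every match= pattern must be present.
    if not all(pattern in session_data for pattern in plugin.match):
        return "rejected-by-match"
    # Stage 2: the regular expression runs only for sessions that survived stage 1.
    if plugin.regex is not None and plugin.regex.search(session_data) is None:
        return "rejected-by-regex"
    return "fired"


if __name__ == "__main__":
    plugin = parse_plugin(SAMPLE_PLUGIN)
    # Constructed banners: one that fires, one that passes the prefilter but not the regex,
    # and one the prefilter discards without the regex ever running.
    for banner in ("* OK IMAP4rev1 server ready Tenable Rocks",
                   "* OK IMAP4rev1 server ready Dovecot",
                   "220 ftp server ready"):
        print(f"{plugin.id} {plugin.name}: {evaluate(plugin, banner)} <- {banner!r}")
```

When writing a custom plugin, pick match patterns that are rare in unrelated traffic: a pattern such as "OK" alone would let most sessions through to the regex stage, while "server ready" discards the FTP banner before any regular expression is evaluated.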
Nessus Scanner Settings Section
The Nessus Scanner Settings Section provides a list of the available Nessus 6.4+ scanners and the ability to add, edit, or remove a Nessus scanner. Each Nessus scanner must be configured with the following parameters:
Scanner Host
The domain name or IP address of the Nessus server.

Scanner Port
The port of the Nessus server.

Access Key
The first half of a Nessus API Key, which is used to authenticate with the Nessus REST API.

Secret Key
The second half of a Nessus API Key, which is used to authenticate with the Nessus REST API.

Note: For details on how to obtain an API Key (Access Key and Secret Key), refer to the Nessus user guide.
How To
This section includes step-by-step instructions for performing the actions available in each page within the PVS web interface:
- Monitoring Page
- Results Page
- Users Page
- Configuration Page
Monitoring Page
The topics in this section explain how to perform the actions available on the Monitoring page.
Filter Results
Steps
1. In the Hosts, Vulnerabilities, Applications, Operating Systems, Connections, or Mobile Devices section, in the upper right corner, click the Filter <section name> drop-down box.
2. Type the criteria by which you want to filter results directly into the box.
-or-
Click the button in the box.
The Filter Results window appears.
3. Configure the filter options as necessary, and click the Apply Filters button.
Note: On-the-fly filter results cannot be exported. If you want to export filter results, you will need to configure the filter(s) in the Filter Results window. Additionally, on-the-fly filter results are not stored when a user navigates to another page in PVS.
Export Results
Steps
1. On the Monitoring page, in the upper right corner, click the Actions drop-down box.
2. Select Export Results.
The Export Results screen appears.
3. Select the export format and chapter layout and click the Export button.
An automatic download will begin, and you can save the report from the web browser.
Note: On-the-fly filter results cannot be exported. If you want to export filter results, you will need to configure the filter(s) in the Filter Results window.
Launch a Nessus Scan
Steps
1. On the Monitoring page, in the upper right corner, click the Actions drop-down box.
-or-
In the Hosts or Mobile Devices section, select the check boxes for the hosts or devices you want to scan, and in the upper right corner, in the Actions menu, select Launch Scan.
2. Select Launch Scan.
The Launch Basic Nessus Scan window appears.
3. Configure the scan options as necessary, and click the Launch button.
The scan will open in the Nessus interface. Refer to the Nessus documentation for further instructions.
Delete a Vulnerability
Steps
To delete one vulnerability:
1. In the Vulnerabilities section, hover over the vulnerability that you want to delete.
2. On the right side of the row, click the button.
The vulnerability is deleted.
To delete multiple vulnerabilities:
1. On the Vulnerabilities page, on the left side of the row for the vulnerability you want to delete, select the check box. Repeat this step for each vulnerability you want to delete.
2. In the upper right corner of the page, click the Actions drop-down box, and select Delete Vulnerabilities.
The vulnerabilities are deleted.
Rearrange Charts
Steps
1. In the Dashboards section, select the heading of the chart that you want to reposition.
2. Move the chart to a different location on the dashboard, and release the pointer.
The chart is moved, and the dashboard configuration is saved for the duration of your session.
Note: You cannot move the Client Connections, Network Bandwidth, or Event Trending charts.
Set a Range for a Dashboard
Steps
1. In the Dashboards section, in the upper left corner, click the drop-down box.
2. In the drop-down menu, you can do one of the following:
- Select one of the preset time intervals.
- Select a start and end date from the available calendars, and specify a time associated with each date.
- Manually enter dates in the two text boxes with the format YYYY/MM/DD, and specify a time associated with each date.
All the charts on the page are refreshed to reflect the selected time interval.
Refresh a Dashboard
Steps
1. In the Dashboards section, in the upper right corner, click the button.
All of the charts on the page are refreshed.
Tip: Additionally, selecting Dashboards on the left side of the Monitoring page or refreshing your web browser will refresh all the charts on the page.
Refresh a Chart
Steps
1. In the Dashboards section, in the upper right corner of the chart that you want to refresh, click the button.
The selected chart is refreshed.
Remove a Chart from a Dashboard
Steps
1. In the Dashboards section, in the upper right corner of the chart that you want to remove, click the button.
The selected chart is removed from the dashboard for the duration of your session.
Results Page
The topics in this section explain how to perform the actions available on the Results page.
Upload a Report/Pcap
Before You Begin
The maximum file size for an uploaded pcap is 20 MB. Running a pcap will pause live monitoring.
Steps
1. On the Results page, in the upper right corner, click the Upload drop-down box.
2. Select Report or Pcap.
Depending on your selection, the Upload Results or Upload Pcap window appears, where you can select a file to upload.
3. After you have selected a file, click the Upload button.
The report or pcap appears at the top of the Listing Results list on the Results page.
Filter Results
Steps
1. On the Results page, in the upper right corner, click the Filter Results drop-down box.
2. Select Snapshot, Manual, or Pcap.
The Listing Results list will be filtered by the report type that you selected.
Users Page
The topics in this section explain how to perform the actions available on the Users page. In order to see this page, you must access PVS using an account with administrative privileges.
Create a New User
Steps
1. On the Users page, in the upper right corner, click the New User button.
The New User window appears.
2. Enter the new user's information.
Note: The username is case sensitive, and the password must conform to the PVS password policy.
3. If the new user should have administrative privileges, select the Administrator check box.
Tip: When you create a user that will authenticate with SSL client certificates, the user name must match the Common Name in the certificate.
4. Click the Create User button.
The user is saved, and appears in the Listing Users list.
Modify a User Account
Steps
1. On the Users page, select a user from the list.
The Edit User <username> window appears.
2. Modify the properties as needed, and click the Update button.
Note: You can reset user account passwords via the command line using the following command from the pvs binary directory:
/opt/pvs/bin/pvs --users --chpasswd <username>
Reset a Locked Account
Steps
1. Depending on your operating system, use the following command:

Linux
# rm /opt/pvs/var/pvs/users/<locked account name>/hash.lockedout

Windows
del C:\ProgramData\Tenable\PVS\pvs\users\<locked_account_name>\hash.lockedout

Mac OS X
# rm /Library/PVS/var/pvs/users/<locked account name>/hash.lockedout
Tip: Alternatively, a user with administrative privileges can navigate to this directory and manually delete the hash.lockedout file.
2. After deleting the hash.lockedout file, if needed, a user with administrative privileges can follow the steps under Modify a User Account to reset the user's password.
Delete a User
Steps
To delete one user:
1. On the Users page, hover over the user you want to delete.
On the right side of the row, the button appears.
2. Click the button.
A dialog box appears, confirming your selection to delete the user.
3. Click the Delete button.
The user is deleted.
To delete multiple users:
1. On the Users page, on the left side of the row for the user you want to delete, select the check box. Repeat this step for each user you want to delete.
2. In the upper right corner of the page, click the Actions drop-down box, and select Delete Users.
A dialog box appears, confirming your selection to delete the user.
3. Click the Delete button.
The users are deleted.
Configuration Page
The topics in this section explain how to perform the actions available on the Configuration page.
Configure the Performance Mode
Before You Begin
This option will appear only when PVS is licensed to run in High Performance mode and the machine running PVS meets the hardware and software requirements for High Performance mode. By default, all instances of PVS run in Standard mode.
PVS must restart when switching between performance modes.
Steps
1. Access the PVS Settings section.
2. Under the Performance Mode heading, click the Enable High Performance Mode box to toggle between Yes and No. If you select Yes, continue to step 3. If you select No, continue to step 4.
3. In the Number of Worker Cores drop-down menu, select the appropriate number of worker cores.
Note: This option cannot be changed when PVS is already running in High Performance mode.
4. Click the Update button.
A dialog box will appear, confirming your selection to change the performance mode.
5. Click the Confirm button.
PVS will restart and the login screen will appear. When the PVS server resumes, a notification will appear, indicating whether the configuration change was successful.
Note: PVS may use a different number of cores than the number you select. Based on system constraints and your selection, PVS will select the closest number of worker cores that it can feasibly support.
6. Log in to PVS.
The performance mode is updated.
Download New Vulnerability Plugins
Before You Begin
When PVS is registered in Standalone mode using an Activation code, plugins are updated automatically every 24 hours after the service is started.
If SecurityCenter CV or Nessus Cloud is being used to manage PVS, new plugins for PVS will automatically be sent at scheduled intervals.
Steps
1. Access the Feed Settings section.
2. In the Feed Registration & Plugin Update heading, click the button.
Tip: The plugins can also be updated by using the following command:
# /opt/pvs/bin/pvs --update-plugins
Create a Custom Chart
Steps
1. Access the Chart Settings section.
2. In the upper right corner, click the Create Chart button.
The Create Chart window appears.
3. Enter a name and description for the chart.
In this example, we are creating a dashboard to display the top vulnerabilities for machines reporting associated BitTorrent activity.
4. In the Chart Type section, select the type of chart that you want to display.
5. In the Dashboard Family section, enter a numeric value between 1 and 20 that will represent the number of items returned for this chart. Click the text Top to add this value to the Current Chart Query section.
6. In the Category section, select a chart category, which will determine the type of items that will be displayed on the chart, such as hosts, vulnerabilities, applications, operating systems, or connections.
7. In the Filter section, configure the options by which you want to filter the results, and then select the
+ button to apply the rule to the chart.
In this example, a filter based on the Plugin ID 3920 was created, which triggers when BitTorrent client activity is detected.
8. In the Viewable section, select whether you want the chart to be viewable on the main dashboard.
The configured options will look like this:
9. Click the Create Chart button. The chart will appear in the Dashboards section of the Monitoring page.
Delete a Chart
Steps
To delete one chart:
1. In the Chart Settings section, hover over the chart you want to delete.
On the right side of the row, click the button.
2. Click the button.
A dialog box appears, confirming your selection to delete the chart.
3. Click the Delete button.
The chart is deleted.
To delete multiple charts:
1. In the Chart Settings section, on the left side of the row for the chart you want to delete, select the check box. Repeat this step for each chart you want to delete.
2. In the upper right corner of the page, click the Actions drop-down box, and select Delete Charts.
A dialog box appears, confirming your selection to delete the charts.
3. Click the Delete button.
The charts are deleted.
Note: You cannot delete default charts.
Create an Email Notification
Steps
1. Access the Email Settings section.
2. In the upper right corner, click the Create Email Notification button.
The Create Email Notification window appears.
3. Enter a name and description for the email notification, and click the Next Step button.
The Add Charts screen appears.
4. Select the check boxes that correspond to the charts you want to add to the email notification, and reorder the charts by clicking and dragging the appropriate button.
5. Click the Next Step button.
6. Select the frequency, date, and time at which you want the email notification to be sent. Depending on the option you select in the Frequency box, the following additional options will appear:

Once
None

Hourly
Repeat Every - a drop-down box that includes options from 1 to 20 hours.

Daily
Repeat Every - a drop-down box that includes options from 1 to 20 days.

Weekly
Repeat Every - a drop-down box that includes options from 1 to 20 weeks.
Repeat On - a multi-selectable list of the days of the week.

Monthly
Repeat Every - a drop-down box that includes options from 1 to 20 months.
Repeat By - a drop-down box that includes the options Week of Month and Day of Month.

Yearly
Repeat Every - a drop-down box that includes options from 1 to 20 years.
The Summary field updates automatically depending on your selection.
7. After making your selection, click the Next Step button.
The Add Recipients screen appears.
8. In the Recipients box, enter an email address and click the button until you have added all desired recipients. Click the Next Step button.
The Review Email Notification screen appears, which displays a summary of your email notification configuration.
9. Review the notification details, and click the Finish button.
Delete an Email Notification
Steps
1. Access the Email Settings section.
2. For the email notifications that you want to delete, select the corresponding button.
-or-
For the email notifications that you want to delete, select the corresponding check boxes, and in the upper right corner, in the Actions drop-down menu, select Delete Notifications.
Additional Resources
This section describes the following information about PVS that is not included in the Features and How To sections:
- Command Line Operations
- Real-Time Traffic Analysis Configuration Theory
- Configure PVS for Certificates
Command Line Operations
The PVS engine provides many options to update and configure PVS from the command line in Linux, Windows, and Mac OS X. All command lines should be run by users with root or administrative privileges.
- Common Command Line Operations
- Linux Command Line Operations
- Windows Command Line Operations
- Mac OS X Command Line Operations
Common Command Line Operations
PVS can be run from the command line to update plugins, perform configuration tasks, and analyze Pcap files to generate a report file for use with SecurityCenter CV or other programs. Running the PVS binary with the -h option will display a list of available options.
Note: You must stop PVS before running command line operations.
PVS Binary Locations
The PVS binary for Windows can be found in the following location:
C:\Program Files\Tenable\PVS\pvs.exe
The PVS binary for Mac OS X can be found in the following location:
# /Library/PVS/bin/pvs
The PVS binary for Linux can be found in the following location:
# /opt/pvs/bin/pvs
PVS Command Line Options

-a <activation code>
Enter the Activation Code to activate PVS to enable plugin updates and monitoring functions.
If your PVS system is managed by SecurityCenter and running in Standard mode, you can use the following command:
-a SecurityCenter
If your PVS system is managed by SecurityCenter and running in High Performance mode, you can use the following command:
-a SecurityCenter <activation code>
If your PVS system is managed by Nessus Cloud and running in Standard mode, you can use the following command:
-a Cloud
If your PVS system is managed by Nessus Cloud and running in High Performance mode, you can use the following command:
-a Cloud <activation code>
Note: Before running the -a command for PVS that is managed by Nessus Cloud, you should first configure the Cloud Host, Cloud Port, Cloud Key, and PVS Name parameters.

--config -add "custom_parameter name" "parameter value"
Add a custom configuration parameter for PVS or PVS Proxy. The double quote characters are required, although single quotes may be used when special characters are required.

--config -delete "custom_parameter name"
The delete command may be used to remove custom configuration parameters.

--config -list
Lists the current PVS and PVS Proxy configuration parameters. Parameter names are listed to the left of the colon character and are case sensitive. The value of the parameter is displayed to the right of the colon character.

--config "parameter name" ["parameter value"]
Displays the defined parameter value. If a value is added at the end of the command, the parameter is updated with the new setting. The double quote characters are required, and single quotes may be used when special characters are required.

-d
Runs PVS in debug mode for troubleshooting purposes. This option will cause the system to use more resources and should be enabled only when directed by a Tenable Support Technician.

-f packet_dump_file
Replace packet_dump_file with the path to the Pcap file you want PVS to process.
Note: The pcapng format is not supported in Windows.

-h
Displays the command line options help file.

-k
Displays the PVS activation status.

-L
Displays a list of the license declarations.

-l
Displays a list of the plugin IDs that are loaded by PVS.

-m
Shows various aspects of memory usage during the processing of the pvs command.

-p packet_dump_file
Replace packet_dump_file with the local file name or path to file name to write out the captured packets to a file.

pvs --users --add
Used to add a new user to PVS with the expected values of: ["username" "password" admin]: add new user. Expected values for "admin" flag are either 1 - grant user administrative privileges, or 0 - don't grant user administrative privileges.

pvs --users --chpasswd
Used to change a PVS user's password.

pvs --users --delete
Used to remove a user from PVS.

--registeroffline <license file>
Registers PVS in offline mode when you insert the license file obtained from Tenable.

--updateplugins <plugins tarball>
If PVS is not running in offline mode, the tarball is optional. When no file is provided with this command, PVS will contact a plugin feed server to download plugins directly.
When using PVS in offline mode, updating the plugins requires downloading a tarball from Tenable. When updating the plugins from the command line, this command is used to identify the file to use for updating the plugins.

-v
Shows the version information about the installed instance of PVS.
Linux Command Line Operations
You must run all commands with root privileges.
Copyright © 2016. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc.
- 73 -
You are here: Linux Command Line Operations
Start, Stop, or Restart PVS
Action
Start
Stop
Restart
Command to Manage PVS
# service pvs start
then
# ps aux|grep pvs
# service pvs start
# service pvs restart
Once a day, as scheduled, if SecurityCenter CV has received new PVS plugins from Tenable, it will install them in the PVS plugin directory. PVS will detect the change and automatically reload and begin using the new plugins.
Real-time PVS data is sent to the configured Log Correlation Engine server or syslog server(s) as it is generated.
Configure HugePages
Before You Begin
These steps assume that your system meets the hardware and software requirements necessary for running PVS in High Performance mode.
Steps
1. Check that your HugePages settings are correct by using the following command:

# grep Huge /proc/meminfo
AnonHugePages:         0 kB
HugePages_Total:    1024
HugePages_Free:     1024
HugePages_Rsvd:        0
HugePages_Surp:        0
Hugepagesize:       2048 kB

The Hugepagesize parameter is set to 2048 kB by default, but this option is configurable. PVS requires a minimum of 1024 HugePages that are at least 2048 kB in size.
Note: In some cases, the HugePages_Free parameter may be 0. This does not necessarily indicate insufficient HugePage memory: pages already mapped by a running process (such as PVS itself) are counted as in use.
2. Reserve a certain amount of memory to be used as HugePages by using the following command to update the kernel parameter manually:
/bin/echo 1024 > /sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages
The number of HugePages reserved by the kernel is changed to 1024, and HugePages become available.
Note: If the kernel does not have enough memory available to satisfy this request, the command may fail without notifying the user. After running this command, the HugePages configuration should be checked again using the command in step 1.
3. To ensure that your HugePages configuration persists across system reboots, refer to the following section that corresponds to your Linux kernel version.
Linux Version 6 (e.g., RHEL/CentOS 6)
Update the persistent kernel configuration files using one of the following methods:
In the /etc/sysctl.conf file, add the vm.nr_hugepages=1024 parameter and reload the kernel configuration with the sysctl -p command. Alternatively, you can reboot the system.
-or-
In the /etc/grub.conf file, on the kernel startup line, add the hugepages=1024 parameter and reboot the system.
Linux Version 7 (e.g., RHEL/CentOS 7)
Update the persistent kernel configuration files using one of the following methods:
In the /etc/sysctl.conf file, add the vm.nr_hugepages=1024 parameter and reload the kernel configuration with the sysctl -p command. Alternatively, you can reboot the system.
-or-
In the /etc/sysconfig/grub file, on the kernel startup command (GRUB_CMDLINE_LINUX), add the hugepages=1024 parameter. Regenerate the boot configuration with the grub2-mkconfig -o /etc/grub2 command, and reboot the system.
4. Connect the file system to the HugePages subsystem using the following steps:
   a. Execute the /bin/mkdir -p /mnt/pvs_huge command.
   b. Execute the /bin/mount -t hugetlbfs nodev /mnt/pvs_huge command.
   c. Additionally, open the /etc/fstab file and add the following record so that the mount persists across reboots:
      nodev /mnt/pvs_huge hugetlbfs rw 0 0
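The checks in steps 1 and 4 above can be scripted. The following is an added example, not code shipped with PVS: it parses a /proc/meminfo-format file for the HugePages counters, applies the minimums stated above (1024 pages of at least 2048 kB), and confirms that a hugetlbfs file system is mounted on /mnt/pvs_huge. The function names and the optional file arguments (so the checks can be run against saved copies of /proc/meminfo and /proc/mounts) are ours.

```shell
#!/bin/sh
# Added example, not part of PVS: verify the HugePages reservation and the
# hugetlbfs mount required for High Performance mode. Thresholds and the
# mount point come from the procedure above; function names are ours.
MIN_PAGES=1024
MIN_KB=2048

meminfo_field() {
    # meminfo_field NAME FILE: print the numeric value on the "NAME:" line
    awk -v key="$1:" '$1 == key { print $2; exit }' "$2"
}

check_hugepages() {
    # check_hugepages [MEMINFO]: returns 0 if the reservation is sufficient,
    # 1 if it is too small, 2 if the file carries no HugePages data at all
    file=${1:-/proc/meminfo}
    total=$(meminfo_field HugePages_Total "$file")
    size=$(meminfo_field Hugepagesize "$file")
    free=$(meminfo_field HugePages_Free "$file")
    if [ -z "$total" ] || [ -z "$size" ]; then
        echo "no HugePages information in $file (kernel built without HugePages?)" >&2
        return 2
    fi
    if [ "$size" -lt "$MIN_KB" ]; then
        echo "Hugepagesize is ${size} kB; PVS needs at least ${MIN_KB} kB" >&2
        return 1
    fi
    if [ "$total" -lt "$MIN_PAGES" ]; then
        echo "HugePages_Total is ${total}; PVS needs at least ${MIN_PAGES}" >&2
        echo "hint: the nr_hugepages write fails silently when memory is short; reserve again and re-check" >&2
        return 1
    fi
    # HugePages_Free of 0 is not an error by itself: the pages may already be mapped by PVS
    echo "ok: ${total} x ${size} kB HugePages reserved, ${free} free"
}

hugetlbfs_mounted() {
    # hugetlbfs_mounted MOUNTPOINT [MOUNTS]: 0 if a hugetlbfs file system is mounted there
    # (/proc/mounts fields: device mountpoint fstype options dump pass)
    awk -v mp="$1" '$2 == mp && $3 == "hugetlbfs" { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

case "${1:-}" in
    --check)
        check_hugepages
        if hugetlbfs_mounted /mnt/pvs_huge; then
            echo "ok: hugetlbfs mounted on /mnt/pvs_huge"
        else
            echo "missing: no hugetlbfs mount on /mnt/pvs_huge" >&2
        fi ;;
esac
```

Run it as root with `sh check_hugepages.sh --check` after step 4; a non-zero exit from either function means the High Performance mode prerequisites are not yet met. Note that a misspelled file system type in /etc/fstab (for example hugelbfs) produces no hugetlbfs mount and is caught by the second check.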
File Locations
PVS installs its files in the following locations:

/opt/pvs
    Base directory.
/opt/pvs/bin
    Location of the PVS and PVS Proxy executables, plus several helper tools for the PVS Proxy daemon.
/opt/pvs/docs
    Contains the software license agreement for PVS.
/opt/pvs/var
    Contains the folders for PVS and the PVS Proxy.
/opt/pvs/var/pvs
    Contains plugins, discovered vulnerabilities, log files, keys, and other miscellaneous items.
    db            Contains the database files relating to the configuration, reports, and users for PVS.
    kb            Stores the PVS knowledge base, if used.
    logs          Contains PVS logs.
    plugins       Contains the PVS plugins delivered via SecurityCenter, Nessus Cloud, the PVS Feed, or updated via the command line or web interface if PVS is running in Offline mode.
                  Note: Do not change this path from the default /opt/pvs/var/pvs if SecurityCenter CV is being used to manage the plugins.
    pvs-services  A file PVS uses to map service names to ports. This file may be edited by the user. Plugin updates will not overwrite modifications to the file.
    reports       Contains reports generated by PVS with the exception of .nsr. This folder contains the .nessus file generated by default.
    scripts       Contains the files for the PVS Web server.
    ssl           Contains SSL certificates used by the proxy and web server for the SSL connection between itself and SecurityCenter CV or the web browser.
    users         Contains folders for user files and reports.
    www           Contains the files for the PVS web front-end.
/opt/pvs/var/pvsproxy
    Parent folder for files used/created by the PVS proxy.
    logs          Contains the PVS proxy and PVS proxy service logs.
    scans         By default, PVS creates the .nsr file in the scans directory. The proxy is then responsible for handing the report to SecurityCenter CV when SecurityCenter CV attempts to pull it.
Windows Command Line Operations
You must run all programs as a local user with administrative privileges. To do so, when UAC is enabled, right-click on the installer program and select Run as Administrator.
Start or Stop PVS
Action    Command to Manage PVS
Start     net start "Tenable PVS Proxy"
Stop      net stop "Tenable PVS Proxy"
Alternatively, PVS can be managed via the Services control panel utility. Under the list of services, find Tenable PVS Proxy Service. Right clicking on the service will provide a list of options for the services, including the ability to start or stop the Tenable PVS or Tenable PVS Proxy service.
File Locations
PVS installs its files in the following locations:

C:\Program Files\Tenable\PVS
    Contains PVS binaries and dependent libraries.
C:\ProgramData\Tenable\PVS
    Contains all data files consumed and output by PVS and PVS Proxy (e.g., configuration, plugins, logs, and reports).
    Note: This directory will not appear unless the Windows Hidden Files and Folders option is enabled.

The following table contains the folder layout under C:\ProgramData\Tenable\PVS:

docs
    Contains the software license agreement for PVS.
pvs
    Parent folder for the PVS logs, reports, plugins, and scripts directories. Also contains the pvs-services file.
    db            Contains the database files relating to the configuration, reports, and users for PVS.
    kb            Stores the PVS knowledge base, if used.
    logs          Contains PVS logs.
    plugins       Contains the PVS plugins delivered via SecurityCenter, Nessus Cloud, the PVS Feed, or updated via the command line or web interface if PVS is running in Offline mode.
                  Note: Do not change this path from the default C:\ProgramData\Tenable\PVS\pvs if SecurityCenter CV is being used to manage the plugins.
    pvs-services  A file PVS uses to map service names to ports. This file may be edited by the user. Plugin updates will not overwrite modifications to the file.
    reports       Contains reports generated by PVS with the exception of .nsr. This folder contains the .nessus file generated by default.
    scripts       Contains the files for the PVS Web server.
    ssl           Contains SSL certificates used by the proxy and web server for the SSL connection between itself and SecurityCenter CV or the web browser.
    users         Contains folders for user files and reports.
    www           Contains the files for the PVS web front-end.
pvsproxy
    Parent folder for files used/created by the PVS proxy.
    logs          Contains PVS proxy and PVS proxy service logs.
    scans         By default, PVS creates the .nsr file in the scans folder. The proxy is then responsible for handing the report to SecurityCenter CV when SecurityCenter CV attempts to pull it.
    run           Contains process ID temporary files.
Mac OS X Command Line Operations
You must run all programs as a root user or with equivalent privileges.
Start or Stop PVS
Action    Command to Manage PVS
Start     # launchctl load -w /Library/LaunchDaemons/com.tenablesecurity.pvsproxy.plist
Stop      # launchctl unload -w /Library/LaunchDaemons/com.tenablesecurity.pvsproxy.plist
File Locations
PVS installs its files in the following locations:

/Library/PVS
    Base directory.
/Library/PVS/docs
    Contains the PVS license agreement in various file formats.
/Library/PVS/bin
    Location of the PVS and PVS Proxy executables, plus several helper tools for the PVS Proxy daemon.
/Library/PVS/var/pvs
    Contains plugins, discovered vulnerabilities, log files, keys, and other miscellaneous items.
    db            Contains the database files relating to the configuration, reports, and users for PVS.
    kb            Stores the PVS knowledge base, if used.
    logs          Contains PVS logs.
    plugins       Contains the PVS plugins delivered via SecurityCenter, Nessus Cloud, the PVS Feed, or updated via the command line or web interface if PVS is running in Offline mode.
                  Note: Do not change this path from the default /Library/PVS/var/pvs if SecurityCenter CV is being used to manage the plugins.
    pvs-services  A file PVS uses to map service names to ports. This file may be edited by the user. Plugin updates will not overwrite modifications to the file.
    reports       Contains reports generated by PVS with the exception of .nsr. This folder contains the .nessus file generated by default.
    scripts       Contains the files for the PVS Web server.
    ssl           Contains SSL certificates used by the proxy and web server for the SSL connection between itself and SecurityCenter CV or the web browser.
    users         Contains files and reports for PVS users.
    www           Contains the files for the PVS web front-end.
/Library/PVS/var/pvsproxy
    Parent folder for files used/created by the PVS proxy.
    logs          Contains PVS proxy and PVS proxy service logs.
    scans         By default, PVS creates the .nsr file in the scans folder. The proxy is then responsible for handing the report to SecurityCenter CV when SecurityCenter CV attempts to pull it.
Unknown or Customized Ports
Many networks carry traffic on ports that PVS has defined as a different traffic type, or on alternate ports. If a port is not defined at all, it is displayed as Unknown. The pvs-services file may be edited to customize or add port information so that PVS reports accurately on the ports in use on the network.
For example, by default there are two lines in the pvs-services file that define SMTP traffic: smtp 25/tcp and smtp 25/udp. If the organization routinely sends SMTP data over port 2525, those lines can be changed, or lines added, so that the file also reads smtp 2525/tcp and smtp 2525/udp.
Real-Time Traffic Analysis Configuration Theory
This section describes how configuration options affect PVS operation and provides the following details on PVS architecture:
- Detecting Server and Client Ports
- Detecting Specific Server and Client Port Usage
- Selecting Rule Libraries and Filtering Rules
- Detecting Encrypted and Interactive Sessions

Focus Network
When a focus network is specified via the networks keyword, only one side of a session needs to be matched on the list. For example, if you have a DMZ that is part of the focus network list, PVS will report on vulnerabilities of the web server there, but not on web clients visiting from outside the network. However, a web browser within the DMZ visiting the same web server would be reported.
In the diagram above, three sessions labeled A, B, and C are shown communicating to, from, and inside a focus network. In session A, PVS analyzes only those vulnerabilities observed on the server inside the focus network and does not report client side vulnerabilities. In session B, PVS ignores vulnerabilities on the destination server, but reports client side vulnerabilities. In session C, both client and server vulnerabilities are reported.
There is one more filter that PVS uses while looking for unique sessions. This is a dependency that requires the host to be running a major service. These dependencies are defined by a list of PVS plugin IDs that identify SSL, FTP and several dozen other services.
Finally, the entire process of detecting these sessions can be filtered by specific network ranges and ports.
For example, if a University ran a public FTP server that had thousands of downloads each hour, it would make sense to disable interactive sessions on port 21 on that FTP server. Similarly, disabling encryption detection on ports such as 22 and 443 will also eliminate some noise for PVS.
Detecting Server and Client Ports
The method used by TCP connections to initiate communication is known as the “three-way handshake.”
This method can be compared to how a common telephone conversation is initiated. If Bob calls Alice, he has effectively sent her a “SYN” packet, in TCP terms. She may or may not answer. If Alice answers, she has effectively sent a “SYN-ACK” packet. The communication is still not established, since Bob may have hung up as she was answering. The communication is established when Bob replies to Alice, sending her an “ACK.”
The PVS configuration option “connections to services” enables PVS to log network client to server activity.
Whenever a system within the monitored network range tries to connect to a server over TCP, the connecting system will emit a TCP “SYN” packet. If the port the client is connecting on is open, then the server will respond with a TCP “SYN/ACK” packet. At this point, PVS will record both the client address and the server port the client is connecting to. If the port on the server is not open, then the server will not respond with a TCP “SYN/ACK” packet. In this case, since PVS never sees a TCP “SYN/ACK” response from the server, PVS will not record the fact that the client tried to connect to the server port, since the port is not available to that client.
The connections-to-services option does not track how many times the connection was made. If the same host browses the same web server a million times, or browses a million different web servers once, the host will still be marked as having browsed on port 80. This data is logged as PVS ID #00002.
PVS detects many applications through plugin and protocol analysis. At a lower level, PVS also detects open ports and outbound ports in use on the monitored networks. By default, PVS will detect any TCP server on the protected network if it sees a TCP “SYN-ACK” packet.
In combination, the detection of server ports and client destination ports allows a network administrator to see who on their network is serving a particular protocol and who on their network is speaking that protocol.
Detecting Specific Server and Client Port Usage
The show-connections keyword on the Configuration page keeps track of host communication within the focus network. When the show-connections option is enabled, every time a host connects to another host,
PVS records the client, server, and server port, if one of the hosts is in the defined focus network. It does not track the frequency or time stamp of the connections – just that a connection was made.
The show-connections option provides a greater level of detail than the connections-to-services option. For example, if your IPv4 address is 1.1.1.1 or your IPv6 address is 2001:DB8::AE59:3FC2 and you use the SSH service to connect to "some_company.com", the two options would record the following:

show-connections:          some_company.com:SSH
                           2001:DB8::AE59:3FC2 -> some_company.com
connections-to-services:   SSH
                           2001:DB8::AE59:3FC2 -> SSH

Using the connections-to-services option lets you know that the system at 1.1.1.1 and 2001:DB8::AE59:3FC2 uses the SSH protocol. This information may be useful to know regardless of where the service is being used.
PVS does not log a session-by-session list of communications. Instead, it logs the relationship between the systems. For example, if system A is detected using the SSH protocol on port 22 connecting to system B, and both systems are within the focus network, PVS would log:
- System A browses on port 22
- System B offers a service (listens) on port 22
- System A communicates with System B on port 22

If system B were outside of the focus network, PVS would not record anything about the service System B offers, and would instead log that System A browses outside of the focus network on port 22. PVS does not log how often a connection occurs, only that it occurred at least once. For connections outside of the focus network, PVS logs only which ports are browsed, not the actual destinations.
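The rules in the two sections above (only a SYN-ACK proves a server port is open, one side of the session must be inside the focus network, and the relationship is recorded once regardless of how often it recurs) are reproduced below as an added shell example. This is not PVS code: the wording of the recorded relationships is ours, only IPv4 focus networks in CIDR notation are handled, and the packet summaries it reads (SRC SPORT DST DPORT FLAGS, one per line) are a constructed input format, not a PVS log.

```shell
#!/bin/sh
# Added example, not PVS code: derive the relationships PVS records from
# observed TCP handshakes and a focus network. IPv4/CIDR only.

ip2int() {
    # dotted quad -> unsigned 32-bit integer
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

in_focus() {
    # in_focus ADDR CIDR: succeeds when ADDR lies inside CIDR (e.g. 192.0.2.0/24)
    net=${2%/*}; bits=${2#*/}
    if [ "$bits" -eq 0 ]; then mask=0
    else mask=$(( (4294967295 << (32 - bits)) & 4294967295 )); fi
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

pvs_relationships() {
    # pvs_relationships CLIENT SERVER PORT FOCUS_CIDR
    # Print what PVS would record for one connection CLIENT -> SERVER:PORT.
    # Returns 1 (and prints nothing) when neither host is in the focus network.
    client=$1; server=$2; port=$3; focus=$4
    c_in=0; s_in=0
    in_focus "$client" "$focus" && c_in=1
    in_focus "$server" "$focus" && s_in=1
    [ "$c_in" -eq 0 ] && [ "$s_in" -eq 0 ] && return 1
    if [ "$c_in" -eq 1 ] && [ "$s_in" -eq 1 ]; then
        # both inside: client side, server side and the pairing are all logged
        echo "$client browses on port $port"
        echo "$server offers a service (listens) on port $port"
        echo "$client communicates with $server on port $port"
    elif [ "$c_in" -eq 1 ]; then
        # server outside: only the browsed port is logged, never the destination
        echo "$client browses outside of the focus network on port $port"
    else
        # client outside: only the served port is logged
        echo "$server offers a service (listens) on port $port"
    fi
    return 0
}

pvs_records() {
    # pvs_records FOCUS_CIDR, packet summaries on stdin: SRC SPORT DST DPORT FLAGS
    # A bare SYN records nothing; only the server's SYN-ACK proves the port is
    # open. Each relationship is reported once however often it is observed.
    while read -r src sport dst dport flags; do
        [ "$flags" = "SYN-ACK" ] || continue
        pvs_relationships "$dst" "$src" "$sport" "$1" || true
    done | LC_ALL=C sort -u
}

case "${1:-}" in
    --demo) # constructed packets: one internal SSH session, one outbound HTTPS session
        pvs_records 192.0.2.0/24 <<EOF
192.0.2.10 51022 192.0.2.20 22 SYN
192.0.2.20 22 192.0.2.10 51022 SYN-ACK
192.0.2.10 51023 198.51.100.5 443 SYN
198.51.100.5 443 192.0.2.10 51023 SYN-ACK
EOF
        ;;
esac
```

Run with `--demo` to see the four records derived from the constructed packets; a SYN to a closed port (no SYN-ACK in reply) and a repeated handshake between the same hosts add nothing to the output, which is the behaviour the text describes.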
Note: If logging session-by-session network events is a requirement for your network analysis, Tenable offers the Log Correlation Engine product, which can be used to log firewall, web server, router, and sniffer logs.
Firewall Rules
If PVS is placed immediately behind a firewall, such that all of the traffic presented to PVS is flowing through the firewall, then the list of served ports and client side ports and the respective IP addresses of the users is readily available. By using tools such as SecurityCenter CV’s Vulnerability Analysis interface, information about these ports (both client and server) can be browsed, sorted, and reported on. Lists of IP addresses and networks using these client and server ports can also be viewed.
Working with SecurityCenter CV
When multiple PVS sensors are managed by SecurityCenter CV, users of SecurityCenter CV are able to analyze the aggregate types of open ports, browsed ports, and communication activity occurring on the focus network. Since SecurityCenter CV has several different types of users and privileges, many different
IT and network engineering accounts can be created across an enterprise so they can share and benefit from the information detected by PVS.
Selecting Rule Libraries and Filtering Rules
Tenable ships an encrypted library of passive vulnerability detection scripts. This file cannot be modified by the end users of PVS. However, if certain scripts need to be disabled, they can be specified by the PASL ID with ".pasl" appended, such as 1234.pasl to disable the PASL with the ID of 1234, each on a single line in the disabled-scripts.txt file.
If a plugin needs to be disabled, enter its ID on a single line in the disabled-plugins.txt file. If a plugin needs to be made real-time, enter its ID on a single line in the realtime-plugins.txt file.
Note: When adding PVS plugins to the disabled plugin list, ensure that a carriage return is entered after the last line of the plugin IDs to be disabled. Failure to end the last line with a newline could result in a nonfunctional disabled plugin list.
Example: 1234 [return]
If any of the referenced files do not exist, simply create them using the appropriate method for the operating system. The file locations for each operating system are:

Operating System    File Path
Linux               /opt/pvs/var/pvs
Windows             C:\ProgramData\Tenable\PVS\pvs
Mac OS X            /Library/PVS/var/pvs
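A small helper for maintaining these three files, added here as an example and not part of PVS: it writes one entry per line, repairs a file whose last line lacks the trailing newline the note warns about, and refuses duplicate or non-numeric IDs. The Linux directory from the table is the default; the PVS_VAR variable and the function names are ours.

```shell
#!/bin/sh
# Added example, not shipped with PVS: maintain disabled-plugins.txt,
# disabled-scripts.txt and realtime-plugins.txt safely. Every entry ends up
# on its own line and the file always ends with a newline.
PVS_VAR=${PVS_VAR:-/opt/pvs/var/pvs}

ends_with_newline() {
    # succeeds when FILE is empty or its last byte is a newline
    # ($(...) strips a trailing newline, so a newline-terminated file yields "")
    [ ! -s "$1" ] || [ -z "$(tail -c 1 "$1")" ]
}

pvs_list_add() {
    # pvs_list_add LIST ENTRY: append ENTRY to LIST (created if missing),
    # first repairing a missing final newline, and skipping duplicates
    list=$1; entry=$2
    [ -f "$list" ] || : > "$list"
    ends_with_newline "$list" || printf '\n' >> "$list"
    if grep -qxF -- "$entry" "$list"; then
        echo "$entry is already listed in $list" >&2
        return 0
    fi
    printf '%s\n' "$entry" >> "$list"
}

numeric_id() {
    # numeric_id VALUE: succeeds when VALUE is a non-empty string of digits
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
}

disable_plugin() {
    # disable_plugin ID [DIR]: plugin IDs go into disabled-plugins.txt as bare numbers
    numeric_id "$1" || { echo "plugin ID must be numeric: $1" >&2; return 2; }
    pvs_list_add "${2:-$PVS_VAR}/disabled-plugins.txt" "$1"
}

disable_pasl() {
    # disable_pasl ID [DIR]: PASL entries are the ID with ".pasl" appended
    numeric_id "$1" || { echo "PASL ID must be numeric: $1" >&2; return 2; }
    pvs_list_add "${2:-$PVS_VAR}/disabled-scripts.txt" "$1.pasl"
}

make_realtime() {
    # make_realtime ID [DIR]: plugin IDs go into realtime-plugins.txt as bare numbers
    numeric_id "$1" || { echo "plugin ID must be numeric: $1" >&2; return 2; }
    pvs_list_add "${2:-$PVS_VAR}/realtime-plugins.txt" "$1"
}

case "${1:-}" in
    --disable-plugin) disable_plugin "$2" ;;
    --disable-pasl)   disable_pasl "$2" ;;
    --realtime)       make_realtime "$2" ;;
esac
```

For example, `sh pvs_lists.sh --disable-plugin 1234` as root appends 1234 to /opt/pvs/var/pvs/disabled-plugins.txt; running it twice leaves a single entry. The same functions work on Windows under a POSIX shell if PVS_VAR is pointed at the C:\ProgramData\Tenable\PVS\pvs directory.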
Detecting Encrypted and Interactive Sessions
PVS can be configured to detect both encrypted and interactive sessions. An encrypted session is a TCP or UDP session that contains sufficiently random payloads. An interactive session uses timing and statistical profiling of the packets in a session to determine if the session involves a human typing at a command line prompt.
In both cases, PVS will identify these sessions for the given port and IP protocol. It will then list the detected interactive or encrypted session as vulnerabilities.
PVS has a variety of plugins to recognize telnet, Secure Shell (SSH), Secure Sockets Layer (SSL), and other protocols. In combination with the interactive and encryption detection, it is likely that PVS will log multiple forms of identification for the detected sessions.
For example, with a SSH service running on a high port, it is likely that PVS would not only recognize this as an encrypted session, it would also recognize the version of SSH and determine if there were any vulnerabilities associated with it.
Routes and Hop Distance
For active scans, one host can find the default route and an actual list of all routers between it and a target platform. To do this, it sends one packet after another with a slightly larger TTL (time to live) value. Each time a router receives a packet, it decrements the TTL value and sends it on. If a router receives a packet with a TTL value of one, it sends a message back to the originating server that the TTL has expired. The server simply sends packets to the target host with greater and greater TTL values, and collects the IP addresses of the routers in between when they send their expiration messages.
Since PVS is entirely passive, it cannot send or elicit packets from the routers or target computers. It can, however, record the TTL value of a target machine. The TTL value is an 8-bit field, so it can hold a value between 0 and 255. Most machines use an initial TTL value of 32, 64, 128, or 255. Assuming no more than 16 hops between your host and any other host on the Internet, PVS uses a simple algorithm to map any observed TTL to a number of hops: take the nearest of those initial values at or above the observed TTL and subtract the observed TTL from it.
For example, if PVS sniffed a server sending a packet with a TTL of 126, this is closest to 128 and two hops away. PVS does not know the IP address of the in-between routers.
Note: Modern networks have many devices such as NAT firewalls, proxies, load balancers, intrusion prevention, routers, and VPNs that will rewrite or reset the TTL value. In these cases, PVS can report some very odd hop counts.
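The TTL-to-hops mapping just described, as an added shell example (not PVS code). It picks the smallest common initial TTL at or above the observed value, since a TTL can never exceed the value it started with, and flags a result above the 16-hop assumption as suspect; treating such values as evidence of a TTL-rewriting device is our reading of the note above, not a PVS behaviour the page documents.

```shell
#!/bin/sh
# Added example, not PVS code: map an observed IP TTL to (initial TTL, hops).
# Initial TTLs 32/64/128/255 and the 16-hop ceiling are from the text above.

ttl_to_hops() {
    # ttl_to_hops TTL: prints "INITIAL HOPS"
    # returns 0 for a plausible hop count, 1 when it exceeds 16 (likely a
    # NAT/proxy/VPN reset the TTL), 2 when TTL is not an integer in 1..255
    case "$1" in ''|*[!0-9]*) return 2 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 255 ] || return 2
    initial=255
    # an observed TTL can never be larger than its initial value, so the
    # smallest common initial TTL that is >= the observation is the only
    # consistent choice (and within 16 hops it is also the closest one)
    for candidate in 32 64 128 255; do
        if [ "$1" -le "$candidate" ]; then initial=$candidate; break; fi
    done
    hops=$(( initial - $1 ))
    echo "$initial $hops"
    [ "$hops" -le 16 ]
}

case "${1:-}" in
    --ttl) ttl_to_hops "$2" || echo "hop count above 16: TTL probably rewritten in transit" >&2 ;;
esac
```

`sh ttl_hops.sh --ttl 126` prints `128 2`, the example from the text; a TTL of 40 yields `64 24` with a warning, which is the kind of odd hop count the note attributes to NAT firewalls, proxies and VPNs.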
Alerting
When PVS detects a real-time event, it can send the event to a local log file or send it via Syslog to a log aggregator such as Tenable’s Log Correlation Engine, internal log aggregation servers, and third party security event management vendors.
New Host Alerting
PVS can be configured to detect when a new host has been added to the network. This is not as simple as it sounds, and several parameters can be configured within PVS to increase or decrease the accuracy of detecting true change.
Initially, PVS has no knowledge of your network’s active hosts. The first packets PVS sniffs would trigger an alert. To avoid this, PVS can be configured to learn the network over a period of days. Once this period is over, any “new” traffic would be from a host that has not communicated during the initial training.
To prevent PVS from having to relearn the network each time it starts, a file can be generated that saves the active host information. This file contains a list of all the current active hosts for PVS, and is updated based on a specified interval. Tenable recommends an update interval of at least one day (1440 minutes).
Note: When PVS logs a new host, the Ethernet address is saved in the message. When PVS is more than one hop away from the sniffed traffic, the Ethernet address will be that of the local switch, and not the actual host. If the scanner is deployed in the same collision domain as the sniffed server, then the Ethernet address will be accurate.
For DHCP networks, PVS will detect a "new" host very often. Tenable recommends deploying this feature on non-volatile networks such as demilitarized zones (DMZ). Users should also consider analyzing PVS "new" host alerts with Tenable's SecurityCenter CV, which can sort real-time PVS events by networks.
Internal PVS Plugin IDs
Each vulnerability and real-time check PVS performs has a unique associated ID. PVS IDs are within the range 0 to 10000.
Internal PVS IDs
Some of PVS’s checks, such as detecting open ports, are built in. The following chart lists some of the more commonly encountered internal checks and describes what they mean:
PVS ID  Name
        Description

0       Detection of Open Port
        PVS has observed a SYN-ACK leave from a server.
1       Operating System Fingerprint
        PVS has observed enough traffic about a server to perform a guess of the operating system.
2       Service Connection
        PVS has observed browsing traffic from a host.
3       Internal Client Trusted Connections
        PVS has logged a unique network session of source IP, destination IP and destination port.
4       Internal Interactive Session
        PVS has detected one or more interactive network sessions between two hosts within your focus network.
5       Outbound Interactive Sessions
        PVS has detected one or more interactive network sessions originating from within your focus network and destined for one or more addresses on the Internet.
6       Inbound Interactive Sessions
        PVS has detected one or more interactive network sessions originating from one or more addresses on the Internet to this address within your focus network.
7       Internal Encrypted Session
        PVS has detected one or more encrypted network sessions between two hosts within your focus network.
8       Outbound Encrypted Session
        PVS has detected one or more encrypted network sessions originating from within your focus network and destined for one or more addresses on the Internet.
9       Inbound Encrypted Session
        PVS has detected one or more encrypted network sessions originating from one or more addresses on the Internet to this address within your focus network.
12      Number of Hops
        PVS logs the number of hops away each host is located.
14      Accepts External Connections
        PVS detects an external connection to this host. Specific IP addresses are not reported by this plugin, but it does track which destination port and protocol was used. Full connection details can be seen in the real-time event log. This is the opposite of plugin 16, which reports on outbound connections.
15      Internal Server Trusted Connections
        PVS has logged a unique network session of source IP, destination IP, and destination port.
16      Outbound External Connection
        PVS has detected an external connection from this host. Specific IP addresses are not reported by this plugin, but it does track which destination port and protocol was used. Full connection details can be seen in the real-time event log. This is the opposite of plugin 14, which reports on inbound connections.
17      TCP Session
        PVS identifies TCP sessions and reports the number of bytes of data downloaded, start time, and end time of these sessions. This plugin is reported at the end of each TCP session.
18      Layer 4 Protocol Detection
        PVS detects all layer 4 IP protocols.
19      VLAN ID Reporting
        PVS reports all observed VLAN tags per host.
20      IPv6 Tunneling
        PVS identifies and processes tunneled IPv6 traffic.
PVS Plugins
This section provides the following information about PVS plugins:
- Vulnerability and Passive Fingerprinting

Vulnerability and Passive Fingerprinting
PVS has two sources of plugin information: the .prmx and .prm plugin libraries in the plugins directory.
Tenable distributes its passive vulnerability plugin database in an encrypted format. This file is called tenable_plugins.prmx and can be updated on a daily basis, if necessary. PVS plugins written by the customer or third parties have the extension .prm.
Tenable has also implemented passive fingerprinting technology based on the open-source SinFP tool.
With permission from the author, Tenable has also included the database of passive operating system fingerprints for the fingerprinting technology in this distribution of PVS.
Writing Custom Plugins
PVS customers can write their own passive plugins, which are added into the plugins directory in PVS’s installation directory. The plugin must end with a .prm extension for PVS to see it. You must restart PVS to use new custom plugins that are added to the plugins directory.
PVS Fingerprinting
Tenable uses a hybrid approach to operating system fingerprinting. Primarily, plugins are used to detect and identify the OS of a host. If this is not possible, PVS will use detected packets to identify the OS.
PVS has the ability to identify the likely operating system of a host by looking at the packets it generates. Specific combinations of TCP packet entries, such as the window size and initial time-to-live (TTL) values, allow PVS to predict the operating system generating the traffic.
These unique TCP values are present when a host makes or responds to a TCP request. All TCP traffic is initiated with a "SYN" packet. If the server accepts the connection, it will send a response known as a "SYN-ACK" packet. If the server cannot or will not communicate, it will send a reset (RST) packet. When PVS observes these packets, it applies the list of operating system fingerprints and attempts to determine the type of operating system.
Tenable Network Security has received permission to redistribute the passive operating system fingerprints from the author of the SinFP open source project.
PVS Plugin Syntax
Plugins
PVS plugins allow spaces and comment fields that start with a number (#) sign. Each plugin must be separated from the next with the word “NEXT” on a line by itself. Simply creating a .prm file in the plugins directory will make it available for use. You must restart PVS to use new custom plugins.
Plugin Keywords
There are several keywords available for writing passive vulnerability plugins for PVS. Some of these keywords are mandatory (every plugin needs at least an id and a risk setting, as noted in their descriptions below) and some are optional. Each keyword is listed below with its description.
bid
Tenable assigns SecurityFocus Bugtraq IDs (BID) to PVS plugins. This allows a user reading a report generated by PVS to link to more information available at http://www.securityfocus.com/bid. Multiple Bugtraq entries can be entered on one line separated by commas.
bmatch
This is the same as match but can look for any type of data. A bmatch must always have an even number of hex characters.
clientissue
If a vulnerability is determined in a network client such as a web browser or an email tool, a server port will be associated with the reported vulnerability.
cve
Tenable also assigns Common Vulnerabilities and Exposures (CVE) tags to each PVS plugin. This allows a user reading a report generated by PVS to link to more information available at http://cve.mitre.org/. Multiple CVE entries can be entered on one line separated by commas.
dependency
This is the opposite of noplugin. Instead of specifying another plugin that has failed, this keyword specifies which plugin has to have succeeded: it names a PVS ID that must have matched in order for the plugin to be evaluated. In addition, this keyword can take the form dependency=ephemeral-server-port, which means that the server being evaluated must have an open port above port 1024.
description
This field describes on one line the nature of the detected vulnerability. This data is printed out by PVS when printing the vulnerability report. Macros are available that allow for the printing of matched network traffic such as banner information and are discussed in the examples below. For line breaks, the characters “\n” can be used to invoke a new line.
dport
Same as sport, but for destination ports.
Exploitability: canvas, core, cvsstemporal, metasploit
Displays exploitability factors for the selected vulnerability. For example, if the vulnerability is exploitable via both Canvas and Core and has a unique CVSS temporal score, the following tags might be displayed in the plugin output:
CANVAS : D2ExploitPack
CORE : true
CVSSTEMPORAL : CVSS2#E:F/RL:OF/RC:C
Note: These keywords are displayed in vulnerabilities detected only by PVS 3.4 and later.
family
Each Tenable plugin for PVS is included in a family. This designation allows Tenable to group PVS plugins into easily managed sets that can be reported on individually.
hs_dport
Same as hs_sport except for destination ports.
hs_sport
Normally, when PVS runs its plugins, they are either free ranging, looking for matches on any port, or fixed to specific ports with the sport or dport keywords. In very high speed networks, many plugins have a fallback port, known as a high-speed port, which focuses the plugin only on one specific port. In High Performance mode, the performance of a PVS plugin with an hs_sport keyword is exactly the same as if the plugin was written with the sport keyword.
id
Each PVS plugin needs a unique rule ID. Tenable assigns these 16-bit numbers within the overall PVS range of valid entries. Current plugin IDs can be listed at Tenable’s website for PVS.
match
This keyword specifies a set of one or more simple ASCII patterns that must be present in order for the more complex pattern analysis to take place. The match keyword gives PVS a lot of its performance and functionality. With this keyword, if PVS does not see a simple pattern, the entire plugin will not match.
name
This is the name of the vulnerability PVS has detected. Multiple PVS plugins can have the same name, but this is not encouraged.
nid
To track compatibility with the Nessus vulnerability scanner, Tenable has attempted to associate PVS vulnerability checks with relevant Nessus vulnerability checks. Multiple Nessus IDs can be listed under one nid entry, such as nid=10222,10223.
nooutput
For plugins that are written specifically to be used as part of a dependency with another plugin, the nooutput keyword will cause PVS to not report anything for any plugin with this keyword enabled.
noplugin
This keyword will prevent a plugin from being evaluated if another plugin has already matched. For example, it may make sense to write a plugin that looks for a specific anonymous FTP vulnerability, but have it disabled if another plugin that checked for anonymous FTP had already failed.
pbmatch
Same as bmatch except for binary data on the previous side of the reconstructed network session.
plugin_output
This keyword displays dynamic data for a given vulnerability or event. The dynamic data is usually represented using %L or %P, and its value is obtained from the regular expressions defined using regex, regexi, pregex, or pregexi.
pmatch
This keyword is the same as match but is applied against the previous packet on the other side of the reconstructed network session.
pregex
Same as regex except the regular expression is applied to the previous side of the reconstructed network session.
pregexi
Same as pregex except the pattern matching is case insensitive.
protocol_id
This keyword is used to specify the protocol number of the protocol causing the plugin to fire.
regex
This keyword specifies a complex regular expression search rule that will be applied to the network session.
regexi
Same as regex except the pattern matching is case insensitive.
risk
All PVS plugins need a risk setting. Risks are classified as INFO, LOW, MEDIUM, HIGH, and CRITICAL. An INFO risk is an informational vulnerability such as client or server detection. A LOW risk is an informational vulnerability such as an active port or service. A MEDIUM risk is something that may be exploitable or discloses information. A HIGH risk is something that is easily exploitable. A CRITICAL risk is something that is very easily exploitable and allows for malicious attacks.
seealso
If one or more URLs are available, this keyword can be used to display them. Multiple URLs can be specified on one line with commas. Example entries for this could include CERT advisories and vendor information websites.
Note: PVS 3.0.x will display only the last seealso defined in the PRM. PVS 3.2 and later will display multiple seealso directives.
solution
If a solution is available, it can be described here. The report section will highlight the solution with different text.
sport
This setting applies the PVS plugin to just one port. For example, it may make sense to write an SNMP plugin that just looks for activity on port 162. However, for detection of off-port services like a web server running on port 8080, a sport field would not be used in the plugin.
timed-dependency
With this keyword, the functionality of the noplugin and dependency keywords is slightly modified such that the evaluation must have occurred within the last N seconds.
udp
All plugins are assumed to be based on the TCP protocol unless this keyword is specified.
Tip: In addition to tcp or udp, the following protocols are supported: sctp, icmp, igmp, ipip, egp, pup, idp, tp, rsvp, gre, pim, esp, ah, mtp, encap, comp, raw or other.
Network Client Detection
The following client-side plugin is used in the discussion below:
id=1010
hs_dport=25
clientissue
name=Buffer overflow in multiple IMAP clients
description=The remote e-mail client is Mozilla 1.3 or 1.4a which is vulnerable to a boundary condition error whereby a malicious IMAP server may be able to crash or execute code on the client.
solution=Upgrade to either 1.3.1 or 1.4a
risk=HIGH
match=^From:
match=^To:
match=^Date:
match=^User-Agent: Mozilla
match=!^Received:
regex=^User-Agent: Mozilla/.* \(.*rv:(1\.3|1\.4a)
Match patterns that begin with the ^ symbol mean that at least one line in the packet payload must begin with the following pattern. Match patterns that begin with the ! symbol indicate that the string must NOT match anything in the packet payload. In this case, the ! and ^ symbols are combined to indicate that we should not evaluate any packet whose payload contains a line starting with the pattern Received:.
The ^ is more expensive to evaluate than the > symbol. So, while both match patterns ^<pattern> and ><pattern> would find <pattern> at the beginning of a packet payload, the use of > is more desirable as it is less costly. Use ^ when looking for the occurrence of a string at the beginning of a line, but not at the beginning of the packet payload. In the latter case, use the > character instead.
Pattern Matching
PVS Can Match "Previous" Packets
PVS allows matching on patterns in the current packet as well as patterns in the previous packet in the current session. This plugin shows how we can make use of this feature to determine if a Unix password file is sent by a web server:
id=1001
name=Password file obtained by HTTP (GET)
family=Generic
sport=80
description=It seems that a Unix password file was sent by the remote web server when the following request was made :\n%P\nWe saw : \n%L
pmatch=>GET /
pmatch=HTTP/1.
match=root
match=daemon
match=bin
regex=root:.*:0:0:.*:.*
Here we see match patterns for a root entry in a Unix password file. We also see pmatch patterns that would match against a packet that makes an HTTP GET request to a web server. The match patterns apply to the current packet in a session and the pmatch patterns apply to the packet that was captured immediately before the current one in the current session. To explain this visually, we are looking for occurrences of the following:
GET / HTTP/1.*
1) client -------------------------> server:port 80
Contents of password file: root:.*:0:0:.*:.*
2) client <------------------------- server:port 80
Our match pattern would key on the contents of packet 2) and our pmatch pattern would key on the payload contents of packet 1).
PVS Can Match Binary Data
PVS also allows matching against binary patterns. Here is an example plugin that makes use of binary pattern matching to detect the usage of the well-known community string “public” in SNMPv1 response packets (the “#” is used to denote a comment):
###
# SNMPv1 response
#
# Matches on the following:
# 0x30 - ASN.1 header
# 0x02 0x01 0x00 - (integer) (byte length) (SNMP version - 1)
# 0x04 0x06 public - (string) (byte length) (community string - "public")
# 0xa2 - message type - RESPONSE
# 0x02 0x01 0x00 - (integer) (byte length) (error status - 0)
# 0x02 0x01 0x00 - (integer) (byte length) (error index - 0)
###
id=1001
udp
sport=161
name=SNMP public community string
description=The remote host is running an SNMPv1 server that uses a well-known community string - public
bmatch=>0:30
bmatch=>2:020100
bmatch=>5:04067075626c6963a2
bmatch=020100020100
Binary match patterns take the following form:
bmatch=[<>[off]:]<hex>
The binary match starts at offset <off> from the start of the packet when > is used, or is anchored at the end of the packet when < is used; <hex> is the hex string to look for. Some examples:
bmatch=<:ffffffff
This will match any packet whose last four bytes are 0xFFFFFFFF.
bmatch=>4:41414141
This will match any packet that contains the string “AAAA” (0x41414141 in hex) starting at its fourth byte.
bmatch=123456789ABCDEF5
This will match any packet that contains the hex string above anywhere in its payload.
Negative Matches
PVS plugins can also be negated. Here are two examples:
pmatch=!pattern
pbmatch=>0:!414141
In each of these cases, the plugin would not match if the patterns contained in these “not” statements were present. For example, in the first pmatch statement, if the pattern “pattern” were present, then the plugin would not match. In the second statement, the binary pattern “AAA” (the letter “A” in ASCII is 0x41 in hex) must not be present as the first three bytes of the previous packet for the plugin to match.
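The following is an added example, not part of the PVS guide or Tenable's code: a small Python model of the match, pmatch, bmatch, pbmatch and regex rules described in the Pattern Matching, Previous Packets, Binary Data and Negative Matches passages above, run over a constructed HTTP request/response pair. The plugin text, the packets, the zero-based offsets and the way %P is filled from pregex are assumptions made here, not behaviour the guide documents.

```python
"""Mini evaluator for the PVS .prm match keywords described above (added
example, not Tenable code): match/pmatch prefixes (> payload start, ^ line
start, ! negate), bmatch/pbmatch ([<>[off]:]<hex>, with !), regex/regexi/
pregex/pregexi and the %L / %P macros. Assumed here: offsets are zero-based
(as in bmatch=>0:30), "<off:" counts back from the end, %P comes from pregex(i).
"""
import re
from typing import Tuple


def parse_plugin(text: str) -> dict:
    """Parse one plugin body: key=value lines, bare flags, # comments, NEXT."""
    plugin: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "NEXT":
            continue
        key, _, value = line.partition("=")
        plugin.setdefault(key.strip(), []).append(value.strip())
    return plugin


def match_text(pattern: str, payload: str) -> bool:
    """match/pmatch: one simple ASCII pattern against a text payload."""
    negate = pattern.startswith("!")
    pattern = pattern[1:] if negate else pattern
    if pattern.startswith(">"):      # only at the very start of the payload
        hit = payload.startswith(pattern[1:])
    elif pattern.startswith("^"):    # at the start of at least one line
        hit = any(ln.startswith(pattern[1:]) for ln in payload.splitlines())
    else:                            # anywhere in the payload
        hit = pattern in payload
    return hit != negate


def match_binary(spec: str, payload: bytes) -> bool:
    """bmatch/pbmatch: [<>[off]:]<hex>, with ! before the spec or the hex."""
    negate = spec.startswith("!")
    spec = spec[1:] if negate else spec
    anchor, off = "", 0
    if spec[:1] in ("<", ">") and ":" in spec:
        prefix, _, spec = spec.partition(":")
        anchor, off = prefix[0], int(prefix[1:] or 0)
    if spec.startswith("!"):         # the pbmatch=>0:!414141 form
        negate, spec = not negate, spec[1:]
    if len(spec) % 2:
        raise ValueError("bmatch needs an even number of hex digits: " + spec)
    needle = bytes.fromhex(spec)
    if anchor == ">":                # fixed offset from the start
        hit = payload[off:off + len(needle)] == needle
    elif anchor == "<":              # anchored at (off bytes before) the end
        end = len(payload) - off
        hit = end >= len(needle) and payload[end - len(needle):end] == needle
    else:                            # anywhere in the payload
        hit = needle in payload
    return hit != negate


def evaluate(plugin: dict, current: bytes, previous: bytes = b"") -> Tuple[bool, str]:
    """Run every match keyword of the plugin; return (fired, rendered description)."""
    cur, prev = current.decode("latin-1"), previous.decode("latin-1")
    for key, text in (("match", cur), ("pmatch", prev)):
        if not all(match_text(p, text) for p in plugin.get(key, [])):
            return False, ""
    for key, raw in (("bmatch", current), ("pbmatch", previous)):
        if not all(match_binary(p, raw) for p in plugin.get(key, [])):
            return False, ""
    macros = {"%L": "", "%P": ""}
    regex_keys = (("regex", cur, 0, "%L"), ("regexi", cur, re.I, "%L"),
                  ("pregex", prev, 0, "%P"), ("pregexi", prev, re.I, "%P"))
    for key, text, flags, macro in regex_keys:
        for pattern in plugin.get(key, []):
            m = re.search(pattern, text, flags | re.M)
            if not m:
                return False, ""
            macros[macro] = m.group(0)    # the matched text feeds %L / %P
    desc = plugin.get("description", [""])[0].replace("\\n", "\n")
    for macro, value in macros.items():
        desc = desc.replace(macro, value)
    return True, desc


# Constructed plugin modelled on the page's id=1001 example; pregex is added
# here only so that %P gets a value (the original plugin has no pregex).
PASSWD_PLUGIN = parse_plugin(r"""
id=1001
name=Password file obtained by HTTP (GET)
description=Request was :\n%P\nWe saw :\n%L
pmatch=>GET /
pmatch=HTTP/1.
pregex=^GET \S+
match=root
match=daemon
match=bin
regex=root:.*:0:0:.*:.*
""")

# Constructed packets: the client request and the server reply of one session.
REQUEST = b"GET /etc/passwd HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
RESPONSE = (b"HTTP/1.0 200 OK\r\n\r\nroot:x:0:0:root:/root:/bin/sh\n"
            b"daemon:x:1:1:daemon:/usr/sbin:/bin/sh\nbin:x:2:2:bin:/bin:/bin/sh\n")
```

Calling evaluate(PASSWD_PLUGIN, RESPONSE, REQUEST) fires and renders the description with the request line in %P and the root entry in %L; the SNMP plugin above can be fed to the same evaluate() with its bmatch lines and a raw SNMPv1 response.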
Time Dependent Plugins
The last plugin example shows some more advanced features of the PVS plugin language that allow a plugin to be time dependent as well as make use of the evaluation of other plugins. The plugin shows how PVS can detect an anonymous FTP server. The NEXT keyword is used to separate plugins in the plugin file.
id=1018
nooutput
hs_sport=21
name=Anonymous FTP (login: ftp)
pmatch=^USER ftp
match=^331
NEXT
#----------------------------------------------------------
id=1019
dependency=1018
timed-dependency=5
hs_sport=21
name=Anonymous FTP enabled
description=The remote FTP server has anonymous access enabled.
risk=LOW
pmatch=^PASS
match=^230
Since we are trying to detect an anonymous FTP server we are going to be looking for the following traffic pattern:
USER ftp
1) FTP client -----------------------> FTP server
331 Guest login ok, ...
2) FTP client <----------------------- FTP server
PASS [email protected]
3) FTP client -----------------------> FTP server
230 Logged in
4) FTP client <----------------------- FTP server
Here we cannot use a single plugin to detect this entire session. So, instead we use two plugins: the first plugin looks for packets 1) and 2) and the second plugin looks for packets 3) and 4).
A review of the above plugins shows that plugin 1018 matches 1) and 2) in the session by keying on the patterns “USER ftp” and the 331 return code. Plugin 1019 matches on 3) and 4) by keying on the patterns “PASS” and the 230 return code.
Notice that plugin 1019 has the following field: dependency=1018. This field indicates that plugin 1018 must first evaluate successfully before plugin 1019 may be evaluated (i.e., plugin 1019 depends on plugin 1018’s success before it can be evaluated).
One more step is needed to complete the plugin for the anonymous FTP session. We need to ensure both plugins are actually evaluating the same FTP session. We can do this by attaching a time dependency to plugin 1019. The field timed-dependency=5 indicates that plugin 1018 must have evaluated successfully in the last five seconds for 1019 to be evaluated. In this way we can ensure that both plugins are evaluating the same FTP session.
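The following is an added example, not Tenable's code: a Python model of how dependency, timed-dependency, trigger-dependency and noplugin gate plugin evaluation, walked through the two-plugin anonymous FTP detection above. It assumes that plugin results are remembered per server host with a timestamp, which is why the five-second window is what ties plugin 1019 to the same session that plugin 1018 matched; the addresses and times are constructed.

```python
"""Model of the PVS dependency keywords (dependency, timed-dependency,
trigger-dependency, noplugin). Added example, not Tenable code.
Assumption: PVS remembers, per server host, when each plugin last matched;
a plain dependency only asks whether the plugin ever matched on that host,
while timed-dependency=N additionally requires it within the last N seconds,
which is what ties plugin 1019 to the same session as plugin 1018.
"""
from typing import Dict, List, Optional


class DependencyTracker:
    def __init__(self) -> None:
        # host -> {plugin id: time (seconds) of its last successful evaluation}
        self.last_hit: Dict[str, Dict[int, float]] = {}

    def record(self, host: str, plugin_id: int, now: float) -> None:
        """Remember that plugin_id evaluated successfully against host at time now."""
        self.last_hit.setdefault(host, {})[plugin_id] = now

    def may_evaluate(self, host: str, plugin: dict, now: float) -> bool:
        """Decide whether the plugin's dependency keywords allow it to be evaluated."""
        hits = self.last_hit.get(host, {})
        window: Optional[float] = plugin.get("timed-dependency")

        def recent(plugin_id: int) -> bool:
            t = hits.get(plugin_id)
            return t is not None and (window is None or now - t <= window)

        deps: List[int] = plugin.get("dependency", [])
        if deps:
            # trigger-dependency: any one dependency suffices; otherwise all must hold
            if plugin.get("trigger-dependency"):
                ok = any(recent(d) for d in deps)
            else:
                ok = all(recent(d) for d in deps)
            if not ok:
                return False
        # noplugin: skip this plugin if the named plugin already matched (in the window)
        return not any(recent(p) for p in plugin.get("noplugin", []))


# Plugin 1019 from the page, reduced to its dependency keywords.
PLUGIN_1019 = {"id": 1019, "dependency": [1018], "timed-dependency": 5}


def anonymous_ftp_walkthrough() -> List[bool]:
    """Replay the four-packet FTP session at constructed times and return the
    decisions PVS would take for plugin 1019 at each step."""
    tracker = DependencyTracker()
    server = "192.0.2.10"                      # constructed server address
    decisions = []
    # t=0: "USER ftp" / 331 seen, plugin 1018 matches packets 1) and 2)
    tracker.record(server, 1018, 0.0)
    # t=3: "PASS" / 230 seen, plugin 1019 is allowed (1018 matched 3 s ago)
    decisions.append(tracker.may_evaluate(server, PLUGIN_1019, 3.0))
    # t=40: a later PASS / 230 on the same server, outside the 5 s window
    decisions.append(tracker.may_evaluate(server, PLUGIN_1019, 40.0))
    # without timed-dependency, the stale 1018 match would still satisfy 1019
    untimed = {"id": 1019, "dependency": [1018]}
    decisions.append(tracker.may_evaluate(server, untimed, 40.0))
    return decisions   # [True, False, True]
```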
Plugin Examples
Basic Example
This plugin illustrates the basic concepts of PVS plugin writing:
id=1001
nid=11414
hs_sport=143
name=IMAP Banner
description=An IMAP server is running on this port. Its banner is :\n %L
risk=NONE
match=OK
match=IMAP
match=server ready
regex=^.*OK.*IMAP.*server ready
In this example, the following fields are used:
- id: a unique number assigned to this plugin.
- nid: the Nessus ID of the corresponding Nessus NASL script.
- hs_sport: the source port to key on if High Performance mode is enabled.
- name: the name of the plugin.
- description: a description of the problem or service.
- match: the set of match patterns we must find in the payload of the packet before we evaluate the regular expression.
- regex: the regular expression to apply to the packet payload.
Tip: The description contains the %L macro. If this plugin evaluates successfully, then the string pattern in the payload that matched the regular expression is stored in %L and is printed out at report time.
Complex Example
id=1004
nid=10382
cve=CVE-2000-0318
bid=1144
hs_sport=143
name=Atrium Mercur Mailserver
description=The remote imap server is Mercur Mailserver 3.20. There is a flaw in this server (present up to version 3.20.02) which allow any authenticated user to read any file on the system. This includes other user mailboxes, or any system file. Warning : this flaw has not been actually checked but was deduced from the server banner
solution=There was no solution ready when this vulnerability was written; Please contact the vendor for updates that address this vulnerability.
risk=HIGH
match=>* OK
match=MERCUR
match=IMAP4-Server
regex=^\* OK.*MERCUR IMAP4-Server.*v3\.20\..*$
Tip: The first match pattern makes use of the > symbol. The > symbol indicates that the subsequent string must be at the beginning of the packet payload. Use of the > symbol is encouraged where possible as it is an inexpensive operation.
Case-Insensitive Example
There is a tool called SmartDownLoader that uploads and downloads large files. Unfortunately, versions 0.1 through 1.3 use the capitalization SmartDownloader, versions 1.4 through 2.7 use smartdownloader and versions 2.8 through current use SMARTdownloader. Searching for the various combinations of this text with purely the regex command would require a statement that looks like this:
regex=[sS][mM][aA][rR][tT][dD]own[lL]oader
However, with the regexi command, the search string is much less complex and less prone to error:
regexi=smartdownloader
By using regexi, we can more quickly match on all three versions as well as future permutations of the string smartdownloader. In a case such as this, regexi is the logical choice.
id=8800
dependency=1442
hs_sport=6789
name=SmartDownLoader Detection
description=The remote host is running SmartDownLoader, a tool for performing rudimentary uploads and downloads of large binary files.
solution=Ensure that this application is in keeping with Corporate policies and guidelines
risk=MEDIUM
family=PeerToPeer
match=ownloader
regexi=smartdownloader
A complete example PVS plugin using the regexi keyword is shown above. The use of the match keyword searching for the string ownloader is not a typo. By searching for network sessions that have this string in them first, PVS can avoid invoking the expensive regexi search algorithm unless the ownloader pattern is present.
PVS Real-Time Plugin Syntax
Real-Time Plugin Model
PVS real-time plugins are exactly the same as PVS vulnerability plugins with two exceptions:
- They can occur multiple times.
- Their occurrence may not be recorded as a vulnerability.
For example, an attacker may attempt to retrieve the source code for a Perl script from an Apache web server. If PVS observes this event, it would be logical to send a real-time alert. It would also be logical to mark that the Apache server is potentially vulnerable to some sort of Perl script source code download. In other cases, it may be more logical to just log the attempt as an event, but not a vulnerability. For example, a login failure over FTP is an event that may be worth logging, but does not indicate a vulnerability.
As the real-time plugins are written, there are two keywords that indicate to PVS that these are not regular vulnerability plugins. These are the real-time and realtimeonly keywords.
In the previous example, the FTP user login failure would be marked as a realtimeonly event because we would like real-time alerting, but not a new entry into the vulnerability database.
Real-Time Plugin Keywords
real-time
If a plugin has this keyword, then PVS will generate a SYSLOG message or real-time log file entry the first time this plugin matches. This prevents vulnerabilities that are worm related from causing millions of events. For example, the plugins for the Sasser worm generate only one event. Output from plugins with this keyword will show up in the vulnerability report.
realtimeonly
If a plugin has this keyword, then PVS will generate a SYSLOG message or real-time log file entry each time the plugin evaluates successfully. These plugins never show up in the report file.
track-session
This keyword will cause the contents of a session to be reported (via SYSLOG or the real-time log file) a specified number of times after the plugin containing this keyword was matched. This is an excellent way to discover what a hacker “did next” or possibly what the contents of a retrieved file were, in real time.
trigger-dependency
Normally if a plugin has multiple dependencies, then all of those dependencies must be successful for the current plugin to evaluate. However, the trigger-dependency keyword allows a plugin to be evaluated as long as at least one of its dependencies is successful.
Real-Time Plugin Examples
Failed Telnet Login Plugin
The easiest way to learn about PVS real-time plugins is to evaluate some of those included by Tenable.
Below is a plugin that detects a failed Telnet login to a FreeBSD server.
# Look for failed logins into a FreeBSD telnet server
id=0400
hs_sport=23
dependency=1903
realtimeonly
name=Failed login attempt
description=PVS detected a failed login attempt to a telnet server
risk=LOW
match=Login incorrect
This plugin has many of the same features as a vulnerability plugin. The ID of the plugin is 0400. The high-speed port is 23. We need to be dependent on plugin 1903 (which detects a Telnet service). The realtimeonly keyword tells PVS that if it observes this pattern, then it should alert on the activity, but not record any vulnerability.
Under SecurityCenter CV, events from PVS are recorded alongside other IDS tools.
Finger User List Enumeration Plugin
The finger daemon is an older Internet protocol that allowed system users to query remote servers to get information about a user on that box. There have been several security holes in this protocol that allowed an attacker to elicit user and system information that could be useful in further attacks.
id=0500
dependency=1277
hs_sport=79
track-session=10
realtimeonly
name=App Subversion - Successful finger query to multiple users
description=A response from a known finger daemon was observed which indicated that the attacker was able to retrieve a list of three or more valid user names.
risk=HIGH
match=Directory:
match=Directory:
match=Directory:
This plugin looks for these patterns only on systems where a working finger daemon has been identified (dependency #1277). However, the addition of the track-session keyword with a value of 10 means that if this plugin fires, the session data from the next 10 packets is tracked and logged in either the SYSLOG or real-time log file.
During a normal finger query, if only one valid user is queried, then only one home directory will be returned. However, many of the exploits for finger involve querying for users such as NULL, .., or 0. This causes vulnerable finger daemons to return a listing of all users. In that case, this plugin would be activated because of the multiple “Directory:” matches.
Unix Password File Download Web Server Plugin
The plugin below looks for any download from a web server that does not look like HTML traffic, but does look like the contents of a generic Unix password file.
id=0300
dependency=1442
hs_sport=80
track-session=10
realtimeonly
name=Web Subversion - /etc/passwd file obtained
description=A file which looks like a Linux /etc/passwd file was downloaded from a web server.
risk=HIGH
match=!<HTML>
match=!<html>
match=^root:x:0:0:root:/root:/bin/bash
match=^bin:x:1:1:bin:
match=^daemon:x:2:2:daemon:
The plugin is dependent on PVS ID 1442, which detects web servers. In the match statements, we are attempting to ignore any traffic that contains valid HTML tags, and to look for lines that start with common Unix password file entries.
Generic Buffer Overflow Detection on Windows Plugin
One of PVS’s strongest intrusion detection features is its ability to recognize specific services, and then to look for traffic occurring on those services that should never occur unless they have been compromised.
Since PVS can keep track of both sides of a conversation and make decisions based on the content of each, it is ideal to look for Unix and Windows command shells occurring in services that should not have those command shells in them. Here is an example plugin:
# look for Windows error when a user tries to
# switch to a drive that doesn't exist
id=0201
include=services.inc
trigger-dependency
track-session=10
realtimeonly
name=Successful shell attack detected - Failed cd command
description=The results of an unsuccessful attempt to change drives on a Windows machine occurred in a TCP session normally used for a standard service. This may indicate a successful compromise of this service has occurred.
risk=HIGH
pmatch=!>GET
pregexi=cd
match=!>550
match=^The system cannot find the
match=specified.
This plugin uses the include keyword that identifies a file that lists several dozen PVS IDs, which identify well known services such as HTTP, DNS, and NTP. The plugin will not even get evaluated unless the target host is running one of those services.
The keyword trigger-dependency is needed to ensure the plugin is evaluated even if there is only one match in the services.inc file. Otherwise, PVS would evaluate this plugin only if the target host was running all PVS IDs present in the services.inc file. The trigger-dependency keyword basically says that at least one PVS ID specified by one or more dependency or include rules must be present.
Finally, the logic of plugin detection is looking for the following type of response on a Windows system:
In this case, a user has attempted to use the cd command to change directories within a file system and the attempt was not allowed. This is a common event that occurs when a remote hacker compromises a Windows 2000 or Windows 2003 server with a buffer overflow. The PVS plugin looks for a network session that should not be there.
Looking at the plugin logic, there are pmatch and pregexi statements that attempt to ensure that the session is not an HTTP session, and that the previous side of the session contains the string cd.
Tip: The pregexi statement could be expanded to include the trailing space after the “d” character and also the first character.
The plugin then looks for the expected results of the failed cd command. The first match statement makes sure this pattern is not part of the FTP protocol. It turns out that looking for “cd” in one side of a session and the error of attempting to change to a directory in an FTP session would cause false positives for this plugin.
Adding a rule to ignore if a line starts with “550” avoids this. While writing and testing this plugin, Tenable considered having a different set of plugins just for FTP, but the additional filter statement took care of any false positives. Finally, the last two match statements look for the results of the failed change directory attempt. They are spread across two match statements and could have been combined into one regular expression statement, but there was enough content in the basic message to have them split into higher-speed matching.
PVS Corporate Policy Plugins
Most companies have an “Acceptable Use Policy” that defines appropriate use of the company’s IT facilities.
Often, this policy is abused to some extent since detecting abuse can be difficult.
PVS can help in this regard through use of PVS Corporate Policy plugins. These plugins can be used to look for policy violations and items such as credit card numbers, Social Security numbers, and other sensitive content in motion.
Tenable ships PVS with a large number of plugins that are frequently updated. The primary focus of these plugins is to discover hosts, applications and their related client/server vulnerabilities. The list of built-in PVS checks is available at the following location: http://static.tenable.com/dev/tenable_plugins.pdf
Many of the available plugins already detect activities that would fall into the “Inappropriate Use” category in most companies. Some of the activities that are detected through these plugins include (but are not limited to):
- Game servers
- Botnet clients and servers
- Peer to peer file sharing
- IRC clients and servers
- Chat clients
- Tunneling software or applications like Tor, GoToMyPC, and LogMeIn
Related Information
- Detecting Custom Activity Prohibited by Policy
- Detecting Confidential Data in Motion
Detecting Custom Activity Prohibited by Policy
The plugins provided with PVS are useful for detecting generally inappropriate activities, but there may be times when more specific activities need to be detected. For example, a company may want to have an alert generated when email is sent to a competitor’s mail service or if users are managing their Facebook accounts from the corporate network.
Tenable provides the ability for users to write their own custom plugins, as documented in . These plugins are saved as .prm files.
The following example shows how to create a custom plugin to detect users logging into their Facebook accounts. First, a unique plugin ID is assigned, in this case 9000. So, the first line of our plugin will be:
id=9000
Next, we will want to have a description of what the vulnerability detects:
description=The remote client was observed logging into a Facebook account. You should ensure that such behavior is in alignment with corporate policies and guidelines. For your information, the user account was logged as:\n %L
The %L will be the results of our regular expression statement that will be created later. Basically, we want to log the source address of the offending computer as well as the user ID that was used to log in. Next, we create a distinct name for our plugin.
name=POLICY - Facebook usage detection
Note that the name begins with the string POLICY. This will make all POLICY violations easily searchable from the SecurityCenter CV interface.
You could also define a SecurityCenter CV dynamic asset list that contains only POLICY violators.
The next field defines a family. For this example, the application is a web browser, so the family ID is defined as follows:
family=Web Clients
Since this is a web browser, a dependency can be assigned that will tell PVS to look at only those clients that have been observed surfing the web:
dependency=1735
Further, since we are looking at client traffic, we will define:
clientissue
Next, we assign a risk rating for the observed behavior:
risk=MEDIUM
In the final section we create match and regex statements that PVS will look for passively. We want all of these statements to be true before the client is flagged for inappropriate usage:
match=>POST /
The web request must begin with a POST verb. This will weed out all “GET” requests.
match=^Host: *.facebook.com
The statement above ensures that they are posting to a host with a domain of *.facebook.com.
Finally, we have a match and regex statement that detects the user’s login credentials:
match=email=
regex=email=.*%40[^&]+
Putting it all together, we have a single plugin as follows:
id=9000
family=Web Clients
clientissue
dependency=1735
name=Facebook_Usage
description=The remote client was observed logging into a Facebook account. You should ensure that such behavior is in alignment with Corporate Policies and guidelines. For your information, the user account was logged as:\n %L
risk=MEDIUM
solution=Stay off of Facebook.
match=>POST /
match=^Host: *.facebook.com
match=email=
regex=email=.*%40[^&]+
This plugin could be named Facebook.prm and added into the /opt/pvs/var/pvs/plugins/ directory. If SecurityCenter CV is being used to manage one or more PVS systems, use the plugin upload dialog to add the new .prm file.
If you wish to create a policy file that includes multiple checks, use the reserved word NEXT within the policy file. For example:
id=9000
… rest of plugin
…
NEXT
id=9001
… etc.
Detecting Confidential Data in Motion
Many organizations want to ensure that confidential data does not leave the network. PVS can aid in this by looking at binary patterns within observed network traffic. If critical documents or data can be tagged with a binary string, such as an MD5 checksum, PVS will have the ability to detect these files being passed outside the network. For example:
Create a document that has a binary string of:
0xde1d7f362734c4d71ecc93a23bb5dd4c and 0x747f029fbf8f7e0ade2a6198560c3278
A PVS plugin could then be created to look for this pattern as follows:
id=9005
trigger-dependency
dependency=2004
dependency=2005
hs_dport=25
description=POLICY - Confidential data passed outside the corporate network. The Confidential file don'tshare.doc was just observed leaving the network via email.
name=Confidential file misuse
family=Generic
clientissue
risk=HIGH
bmatch=de1d7f362734c4d71ecc93a23bb5dd4c
bmatch=747f029fbf8f7e0ade2a6198560c3278
These binary codes were created by simply generating md5 hashes of the following strings:
"Copyright 2006 BigCorp, file: don'tshare.doc"
"file: don'tshare.doc"
The security compliance group maintains the list of mappings (confidential file to md5 hash). The md5 hash can be embedded within the binary file and could then be tracked as it traversed the network.
Similar checks can be performed against ASCII strings to detect, for example, if confidential data was cut-and-pasted into an email. Simply create text watermarks that appear benign to the casual observer and map to a specific file name. For example:
"Reference data at \\192.168.0.2\c$\shares\employmentfiles for HR data regarding Jane Mcintyre" could be a string which maps to a file named Finances.xls.
A PVS plugin could look for the string as follows:
id=9006
trigger-dependency
dependency=2004
dependency=2005
hs_dport=25
description=POLICY - Confidential data passed outside the corporate network. Data from the confidential file Finances.xls was just observed leaving the network via email.
name=Confidential file misuse
family=Generic
clientissue
risk=HIGH
match=Reference data at
match=192.168.0.2\c$\shares\employmentfiles
match=for HR data regarding Jane Mcintyre
The two example plugins above (IDs 9005 and 9006) would detect files leaving the network via email. Most corporations have a list of ports that are allowed outbound access. SMTP is typically one of these ports.
Other ports may include FTP, Messenger client ports (e.g., AIM, Yahoo and ICQ), or Peer2Peer (e.g., GNUTELLA and BitTorrent). Depending on your specific network policy, you may wish to clone plugins 9005 and 9006 to detect these strings on other outbound protocols.
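Custom policy plugins like the ones above (9000, 9005 and 9006) are easiest to get right when their match, regex and bmatch statements are sanity-checked offline before the .prm file is dropped into the plugins directory. The following is an added example, not Tenable's code: a small Python checker that parses a NEXT-separated .prm file and runs plugins 9000 and 9005 against constructed packets under a simplified model of the keyword semantics (PVS's own matching engine may differ); the sample packets, the shortened descriptions and the watermark layout are assumptions.

```python
"""Toy checker for the PVS .prm policy plugins described on this page. Added
example, not Tenable code: it parses plugin text (including NEXT) and applies
a simplified model of match/regex/bmatch to constructed packets. Assumed
semantics (PVS's engine may differ): '>' anchors to the packet start, '^' to a
line start, '*' in match= is a wildcard, regex= is a Python re search whose
matched text fills %L, and bmatch= is a hex byte string sought in the raw bytes."""
import re

REPEATABLE = {"match", "regex", "bmatch", "dependency"}  # keywords that may repeat

def parse_prm(text):
    """Split a .prm file on the NEXT keyword and return one dict per plugin."""
    plugins = []
    for chunk in re.split(r"^NEXT\s*$", text, flags=re.M):
        plugin = {}
        for line in filter(None, map(str.strip, chunk.splitlines())):
            if "=" not in line:               # bare flags: clientissue, trigger-dependency
                plugin[line] = True
                continue
            key, value = line.split("=", 1)   # values may contain '=' (match=email=)
            if key in REPEATABLE:
                plugin.setdefault(key, []).append(value)
            else:
                plugin[key] = value
        if plugin:
            plugins.append(plugin)
    return plugins

def match_statement(pattern, text):
    """Simplified match= evaluation (an assumption; see the module docstring)."""
    anchor = ""
    if pattern.startswith(">"):
        anchor, pattern = r"\A", pattern[1:]
    elif pattern.startswith("^"):
        anchor, pattern = r"(?m)^", pattern[1:]
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.search(anchor + body, text) is not None

def evaluate(plugin, payload):
    """Return None unless every statement hits; otherwise the text that fills %L."""
    text = payload.decode("latin-1")
    if not all(match_statement(p, text) for p in plugin.get("match", [])):
        return None
    if not all(bytes.fromhex(h) in payload for h in plugin.get("bmatch", [])):
        return None
    captured = ""
    for pattern in plugin.get("regex", []):
        hit = re.search(pattern, text)
        if hit is None:
            return None
        captured = hit.group(0)
    return captured

def scan(prm_text, packets):
    """Map (plugin id, packet label) to the %L text for every plugin that fires."""
    hits = {}
    for plugin in parse_prm(prm_text):
        for label, payload in packets.items():
            captured = evaluate(plugin, payload)
            if captured is not None:
                hits[(plugin["id"], label)] = captured
    return hits

# Constructed policy file: plugins 9000 and 9005 from this page, joined with NEXT
# (descriptions shortened; the literal '\n %L' placeholder is kept).
SAMPLE_PRM = r"""id=9000
name=POLICY - Facebook usage detection
description=Facebook login observed. The user account was logged as:\n %L
risk=MEDIUM
match=>POST /
match=^Host: *.facebook.com
match=email=
regex=email=.*%40[^&]+
NEXT
id=9005
dependency=2004
dependency=2005
hs_dport=25
bmatch=de1d7f362734c4d71ecc93a23bb5dd4c
bmatch=747f029fbf8f7e0ade2a6198560c3278
"""

# Constructed packets: a Facebook login POST, a harmless GET, and SMTP message
# data carrying the two binary watermarks embedded in don'tshare.doc.
SAMPLE_PACKETS = {
    "facebook_post": b"POST /login.php HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"
                     b"email=jdoe%40example.com&pass=hunter2",
    "facebook_get": b"GET /home.php HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n",
    "smtp_leak": b"\xd0\xcf\x11\xe0" + bytes.fromhex("de1d7f362734c4d71ecc93a23bb5dd4c")
                 + b"\x00" * 8 + bytes.fromhex("747f029fbf8f7e0ade2a6198560c3278"),
}
```

Running scan(SAMPLE_PRM, SAMPLE_PACKETS) reports plugin 9000 firing only on the POST (with the captured email address as %L) and plugin 9005 firing only on the SMTP payload; the GET is never flagged.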
Working with SecurityCenter CV
One of PVS's operating modes is under the control of SecurityCenter, which provides PVS with passive vulnerability data and retrieves scanned data. SecurityCenter has a variety of reporting, remediation, and notification mechanisms to efficiently distribute vulnerability information across large enterprises. In addition, it can also control a distributed set of Nessus active vulnerability scanners. By combining active and passive vulnerability scanning, SecurityCenter can be used to efficiently and accurately manage security across large networks.
This section contains the following information about PVS integration with SecurityCenter.
- Managing Vulnerabilities
- Updating the PVS Management Interface
Managing Vulnerabilities
A screen capture of SecurityCenter CV displaying a summary of vulnerabilities detected by PVS is shown below. These vulnerabilities can be independently viewed by many different users with different access control. SecurityCenter CV also enables security managers to issue recommendations that help guide network administrators as to which vulnerabilities should be mitigated.
PVS is Real-Time
Since PVS’s vulnerability data is constantly being fed into SecurityCenter CV and PVS’s plugins are updated by Tenable, the accuracy of the passive vulnerability data in SecurityCenter CV greatly enhances the quality of the security information available to SecurityCenter CV’s users.
Updating the PVS Management Interface
On occasion, the PVS management interface needs to be updated to provide new or updated features.
When managed by SecurityCenter 4.8.1 or earlier, the PVS web server and interface are not updated automatically by the plugins provided through SecurityCenter CV. Therefore, when the web components are to be updated, it must be performed manually on each PVS.
To manually update the plugins, first download the latest plugins using the URL created during the offline registration process. Next, log in to the PVS interface as a user with administrative privileges and navigate to the Configuration page, and then the Feed Settings section. The Offline Update section contains Browse, which opens a dialog box to allow you to select the archive file to upload. Click Upload Archive to send the file to the PVS host, which will then update the plugins. After stopping and starting PVS on the host, the new interface will be available for use.
Syslog Message Formats
PVS provides options to send real-time and vulnerability data as syslog messages. There are four formats of syslog files sent from PVS as described here.
- Syslog message format for entries in the real-time syslog generated by PRMs:
  <priority>timestamp pvs: src_ip:src_port|dst_ip:dst_port|protocol|plugin_id|plugin_name|matched_text_current_packet|matched_text_previous_packet|risk
- Syslog message format for vulnerability syslog and entries in the real-time syslog generated by real-time PASLs:
  <priority>timestamp pvs: src_ip:src_port|dst_ip:dst_port|protocol|plugin_id|plugin_name|plugin_description|risk
- Syslog message format for Open Port alert, Service Connection alert, Client and Server Connection alerts, Tracked Sessions alert, New Host alert, and Accepts External Connection alert:
  <priority>timestamp pvs: src_ip:src_port|dst_ip:dst_port|protocol|plugin_id|plugin_name|plugin_specific_data|risk
- Encrypted/Interactive session alert:
  <priority>timestamp pvs: src_ip:src_port|dst_ip:dst_port|protocol|plugin_id|plugin_name|risk
Plugin Fields
Each field name used in the formats above is described here, with examples where applicable.

dst_ip
This field is the destination IP address for the reported traffic.

dst_port
This field is the destination port for the reported traffic.

matched_text_current_packet
Reports the payload which causes a match in the packet to trigger the PVS event.

plugin_id
The reported PVS plugin ID triggered by the reported traffic. Examples:
0 for open port alert
2 for service connection alert
3 for client connection alert
4 for internal interactive session
5 for outbound interactive session
6 for inbound interactive session
7 for internal encrypted session
8 for outbound encrypted session
9 for inbound encrypted session
10 for tracked sessions
13 for new host alert
14 for accepts external connection alert
15 for server connection alert
16 for outbound external connection alert
17 for TCP session

plugin_name
The name of the PVS plugin triggered by the reported traffic. Examples:
'new-open-port' for open port alert
'connection-to-service' for service connection alert
'connection' for client connection alert
'tracked-session' for tracked session alert
'new-host-alert' for new host alert
'accepts-external-connections' for accepts external connection alert
'server-connection' for server connection alert

plugin_specific_data
The data provided is determined by the type of data reported. Examples:
'new host alert' is the value of the MAC address of the host
'tracked session alert' is the value of the payload of the packet
This field is not applicable for service connection alerts, client connection alerts, server connection alerts, open port alerts, and accepts external connection alerts.

priority
The syslog facility level of the message.

protocol
This reports the protocol used for the reported traffic.

risk
The associated risk level of the reported vulnerability. This can be NONE, LOW, MEDIUM, HIGH, or INFO.

src_ip
This field is the source IP address reported for the traffic.

src_port
This field is the source port for the reported traffic.

timestamp
This field provides the date and time of the syslog message.
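Ingesting these messages into a SIEM requires recognising which of the four layouts a line uses. The following added example (not Tenable's code) does that by field count and, for the two seven-field layouts, by the internal plugin IDs from the table above; the timestamp format, the sample lines and the POLICY filter are assumptions, and the <priority> value is decoded as a standard syslog PRI (facility * 8 + severity) rather than a bare facility level.

```python
"""Parser for the four PVS syslog message layouts documented on this page.
Added example, not Tenable code. The field layouts come from the page; the
timestamp format, the sample lines and the rule that tells the two seven-field
layouts apart (by internal plugin ID) are assumptions made here."""
import re
from dataclasses import dataclass, field

HEADER = re.compile(r"^<(?P<pri>\d+)>(?P<ts>.+?) pvs: (?P<body>.*)$", re.S)

# Internal plugin IDs from the Plugin Fields table whose seven-field lines carry
# plugin_specific_data; any other seven-field line is a PASL/vulnerability entry.
SPECIFIC_DATA_IDS = {"0", "2", "3", "10", "13", "14", "15", "16", "17"}

# Fields that follow src_ip:src_port|dst_ip:dst_port in each layout.
FIELD_LAYOUTS = {
    "prm": ["protocol", "plugin_id", "plugin_name",
            "matched_text_current_packet", "matched_text_previous_packet", "risk"],
    "pasl": ["protocol", "plugin_id", "plugin_name", "plugin_description", "risk"],
    "alert": ["protocol", "plugin_id", "plugin_name", "plugin_specific_data", "risk"],
    "session": ["protocol", "plugin_id", "plugin_name", "risk"],
}

@dataclass
class PvsEvent:
    kind: str          # prm | pasl | alert | session
    facility: int      # syslog PRI = facility * 8 + severity (RFC 3164)
    severity: int
    timestamp: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    fields: dict = field(default_factory=dict)

def _endpoint(token):
    """Split 'ip:port' on the last colon so an IPv6 literal keeps its colons."""
    ip, _, port = token.rpartition(":")
    return ip, int(port)

def parse_pvs_syslog(line):
    """Parse one PVS syslog line; raise ValueError when no layout fits."""
    m = HEADER.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a PVS syslog line")
    parts = m["body"].split("|")
    if len(parts) == 8:
        kind = "prm"
    elif len(parts) == 7:
        kind = "alert" if parts[3] in SPECIFIC_DATA_IDS else "pasl"
    elif len(parts) == 6:
        kind = "session"
    else:
        # Matched text that itself contains '|' makes the line ambiguous;
        # refuse rather than guess which field swallowed the extra delimiter.
        raise ValueError(f"unexpected field count {len(parts)}")
    pri = int(m["pri"])
    src_ip, src_port = _endpoint(parts[0])
    dst_ip, dst_port = _endpoint(parts[1])
    return PvsEvent(kind, pri // 8, pri % 8, m["ts"], src_ip, src_port, dst_ip,
                    dst_port, dict(zip(FIELD_LAYOUTS[kind], parts[2:])))

def policy_violations(lines):
    """(src_ip, plugin_id, matched text) for plugins named with the POLICY
    prefix, mirroring the page's advice to search for that prefix."""
    hits = []
    for ev in map(parse_pvs_syslog, lines):
        if ev.fields["plugin_name"].startswith("POLICY"):
            hits.append((ev.src_ip, ev.fields["plugin_id"],
                         ev.fields.get("matched_text_current_packet", "")))
    return hits

# Constructed sample lines, one per layout in the order the page lists them
# (IP addresses, plugin 9001's name and the PASL text are made up for the example).
SAMPLE_LINES = [
    "<134>Feb 11 10:15:32 pvs: 192.168.1.10:51523|203.0.113.5:443|tcp|9000|"
    "POLICY - Facebook usage detection|email=jdoe%40example.com||MEDIUM",
    "<134>Feb 11 10:15:40 pvs: 192.168.1.10:51530|192.168.1.5:25|tcp|9001|"
    "POLICY - example PASL check|Sample description text|LOW",
    "<134>Feb 11 10:16:01 pvs: 192.168.1.20:0|0.0.0.0:0|tcp|13|new-host-alert|"
    "00:11:22:33:44:55|NONE",
    "<134>Feb 11 10:16:12 pvs: 192.168.1.10:40022|10.0.0.9:22|tcp|8|"
    "outbound-encrypted-session|INFO",
]
```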
Custom SSL Certificates
By default, PVS is installed and managed over HTTPS with SSL support on port 8835, and a default installation of PVS uses a self-signed SSL certificate.
To avoid browser warnings, a custom SSL certificate specific to your organization can be used. During the installation, PVS creates two files that make up the certificate: servercert.pem and serverkey.pem. These files must be replaced with certificate files generated by your organization or a trusted Certificate Authority (CA).
Before replacing the certificate files, stop the PVS server. Replace the two files and re-start the PVS server.
Subsequent connections to the scanner should not display an error if the certificate was generated by a trusted CA.
Certificate File Locations
Linux:
/opt/pvs/var/pvs/ssl/servercert.pem
/opt/pvs/var/pvs/ssl/serverkey.pem
Windows:
C:\ProgramData\Tenable\PVS\pvs\ssl\servercert.pem
C:\ProgramData\Tenable\PVS\pvs\ssl\serverkey.pem
Mac OS X:
/Library/PVS/var/pvs/ssl/servercert.pem
/Library/PVS/var/pvs/ssl/serverkey.pem
Tip: You can also use the /getcert switch to install the root CA in your browser, which will remove the warning: https://<IP address>:8835/getcert
To set up an intermediate certificate chain, a file named serverchain.pem must be placed in the same directory as the servercert.pem file.
This file contains the 1-n intermediate certificates (concatenated public certificates) necessary to construct the full certificate chain from the PVS server to its ultimate root certificate (one trusted by the user’s browser).
SSL Client Certificate Authentication
PVS supports use of SSL client certificate authentication. This allows use of SSL client certificates when the browser is configured for this method.
PVS allows for password-based or SSL Certificate authentication methods for user accounts. When creating a user for SSL certificate authentication, the pvs-make-cert-client utility is used through the command line on the PVS server.
Configure PVS for Certificates
The first step to allow SSL certificate authentication is to configure the PVS web server with a server certificate and CA.
This process allows the web server to trust certificates created by the Certificate Authority (CA) for authentication purposes. Generated files related to certificates must be owned by root:root, and have the correct permissions by default.
This section contains the following instructions:
- Create a Custom CA and Server Certificate
- Create PVS SSL Certificates for Login
- Connect with Certificate Enabled Browser
Create a Custom CA and Server Certificate
Steps
1. (Optional) Create a new custom CA and server certificate for the PVS server using the pvs-make-cert command. This will place the certificates in the correct directories.
When prompted for the host name, enter the DNS name or IP address of the server as it is entered in the browser (e.g., https://hostname:8835/ or https://ipaddress:8835/). The default certificate uses the host name.
2. If a CA certificate is to be used instead of the PVS generated one, make a copy of the self-signed CA certificate using the appropriate command for your OS:
Linux:
# cp /opt/pvs/var/pvs/ssl/cacert.pem /opt/pvs/var/pvs/ssl/ORIGcacert.pem
Windows:
C:\> copy \ProgramData\Tenable\PVS\pvs\ssl\cacert.pem C:\ProgramData\Tenable\PVS\pvs\ssl\ORIGcacert.pem
Mac OS X:
cp /Library/PVS/var/pvs/ssl/cacert.pem /Library/PVS/var/pvs/ssl/ORIGcacert.pem
3. If the certificates to be used for authentication are created by a CA other than the PVS server, the CA certificate must be installed on the PVS server. Copy the organization's CA certificate to the appropriate location for your OS:
Linux:
/opt/pvs/var/pvs/ssl/cacert.pem
Windows:
C:\ProgramData\Tenable\PVS\pvs\ssl\cacert.pem
Mac OS X:
/Library/PVS/var/pvs/ssl/cacert.pem
4. Once the CA is in place, restart the PVS services.
After PVS has been configured with the proper CA certificate(s), users may log in to PVS using SSL client certificates.
Create PVS SSL Certificates for Login
To log in to a PVS server with SSL certificates, the certificates must be created with the proper utility. For this process, the pvs-make-cert command line utility is used on the system. The six questions asked are to set defaults for the creation of users during the current session. These include certificate lifetime, country, state, location, organization, and organizational unit. The defaults for these options may be changed during the actual user creation if desired. The user(s) will then be created one at a time as prompted. At the end of the process the certificates are copied appropriately and are used to log in to the PVS server.
Note: When you are asked if you want to create a server certificate, you should select no in order to be prompted for the user certificate information.
Steps
1. On the PVS server, run the pvs-make-cert command.
Linux:
# /opt/pvs/bin/pvs-make-cert
Windows:
C:\Program Files\Tenable\PVS\pvs-make-cert
Mac OS X:
/Library/PVS/bin/pvs-make-cert
2. Fill in the fields as prompted. The process is identical on a Linux or Windows server.
The client certificates will be placed in the temporary directory in PVS:
Linux:
/tmp/
Windows:
C:\users\<username>\AppData\Local\Temp, where <username> is the user currently logged in.
Mac OS X:
/tmp/
3. Two files are created in the temporary directory. In an example where the user name is adminuser, the files cert_adminuser.pem and key_adminuser.pem will be created. These two files must be combined and exported into a format that may be imported into the web browser, such as .pfx. This may be accomplished with the openssl program and the following command:
# openssl pkcs12 -export -out combined_adminuser.pfx -inkey key_adminuser.pem -in cert_adminuser.pem -chain -CAfile /opt/pvs/com/pvs/CA/cacert.pem -passout 'pass:password' -name 'PVS User Certificate for: adminuser'
The resulting file combined_adminuser.pfx will be created in the directory from which the command is launched. This file must then be imported into the web browser’s personal certificate store.
4. In the PVS web frontend, navigate to the Users page, and ensure that the user for which you made the certificate was created in PVS.
5. Configure the PVS server for certificate authentication using the appropriate command for your OS. Once certificate authentication is enabled, username and password login is disabled.
Linux:
# /opt/pvs/bin/pvs --config "Enable SSL Client Certificate Authentication" "1"
Windows:
C:\Program Files\Tenable\PVS\pvs --config "Enable SSL Client Certificate Authentication" "1"
Mac OS X:
/Library/PVS/bin/pvs --config "Enable SSL Client Certificate Authentication" "1"
Connect with a Certificate Enabled Browser
Steps
1. In your browser, navigate to the PVS server.
The browser will display a list of available certificate identities.
2. Select a certificate.
A dialog box appears, prompting for the password for the certificate.
3. Enter the password.
The certificate is available for the current session with PVS.
4. Navigate to the PVS web interface.
You will automatically be logged in (after clicking the Sign In button) as the designated user, and PVS can be used normally.
Note: If you log out of PVS, the standard PVS login screen will appear. If you want to log in with the same certificate, refresh your browser. If you want to use a different certificate, restart your browser session.