
Copyright © 2002-2012 Tenable Network Security, Inc.
Notice that plugin 1019 has the following field: dependency=1018. This field indicates the
plugin 1018 must first evaluate successfully before plugin 1019 may be evaluated (i.e., that
plugin 1019 depends on plugin 1018’s success before it can be evaluated).
One more step is needed to complete the plugin for the anonymous FTP session. We need to
ensure that both plugins are actually evaluating the same FTP session. We can do this by
attaching a time dependency to plugin 1019. The field time-dependency=5 indicates that
plugin 1018 must have evaluated successfully in the last five seconds for 1019 to be
evaluated. In this way we can ensure that both plugins are evaluating the same FTP
session.
WRITING PASSIVE VULNERABILITY SCANNER REAL-TIME PLUGINS
Real-Time Plugin Model
PVS real-time plugins are exactly the same as PVS vulnerability plugins with two
exceptions:
> they can occur multiple times
> their occurrence may not be recorded as a vulnerability
For example, an attacker may attempt to retrieve the source code for a Perl script from an
Apache web server. If the PVS observes this event, it would be logical to send a real-time
alert. It would also be logical to mark that the Apache server is potentially vulnerable to
some sort of Perl script source code download. In other cases, it may be more logical to just
log the attempt as an event, but not a vulnerability. For example, a login failure over FTP is
an event that may be worth logging, but does not indicate a vulnerability.
As the real-time plugins are written, there are two keywords that indicate to the PVS that
these are not regular vulnerability plugins. These are the “realtime” and “realtimeonly”
keywords. All keywords will be covered in more depth in the next section, but the basic
difference between the “realtime” and “realtimeonly” keywords is that “realtime” events go
into the vulnerability database and the “realtimeonly” events do not.
In the previous example, the FTP user login failure would be marked as a “realtimeonly”
event because we would like real-time alerting, but not a new entry into the vulnerability
database.
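As an added illustration (not Tenable's code) of the dependency, time-dependency and realtime/realtimeonly behaviour described above, the following Python models how a sensor would evaluate a stream of plugin matches. The key=value plugin syntax follows the fields quoted on this page; the id and name fields, the plugin texts and the observation timestamps are constructed assumptions.

```python
# Constructed plugins in the key=value style quoted above. "dependency",
# "time-dependency", "realtimeonly" are from the page; "id"/"name" are assumed.
PLUGINS_TEXT = """
id=1018
name=Anonymous FTP login (constructed)

id=1019
name=Anonymous FTP follow-on activity (constructed)
dependency=1018
time-dependency=5
realtimeonly
"""
# Constructed sensor observations: (timestamp in seconds, plugin id matched).
SAMPLE_MATCHES = [(50, 1019), (100, 1018), (103, 1019), (120, 1019),
                  (150, 1018), (152, 1019)]

def parse_plugins(text):
    """Split blank-line separated key=value blocks; bare keywords become flags."""
    plugins, cur = {}, {}
    for line in text.splitlines() + [""]:
        line = line.strip()
        if not line:
            if "id" in cur:
                plugins[int(cur["id"])] = cur
            cur = {}
        elif "=" in line:
            key, value = line.split("=", 1)
            cur[key] = value
        else:
            cur[line] = True
    return plugins

def evaluate(plugins, matches):
    """Return (realtime_alerts, vuln_db_records), each a list of (ts, id)."""
    last_fire, alerts, vulndb, recorded = {}, [], [], set()
    for ts, pid in matches:
        p = plugins[pid]
        if "dependency" in p:
            # Parent must have fired, within time-dependency seconds when set (same session).
            t_dep = last_fire.get(int(p["dependency"]))
            window = int(p.get("time-dependency", 0))
            if t_dep is None or (window and ts - t_dep > window):
                continue  # parent missing or stale: plugin not evaluated
        last_fire[pid] = ts
        if "realtime" in p or "realtimeonly" in p:
            alerts.append((ts, pid))  # real-time plugins may fire repeatedly
        if "realtimeonly" not in p and pid not in recorded:
            recorded.add(pid)
            vulndb.append((ts, pid))  # one vulnerability record per plugin
    return alerts, vulndb
```

With the constructed observations, 1019 fires only at 103 and 152 (within five seconds of a 1018 match) and produces real-time alerts but no vulnerability record, while 1018 is recorded once.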
New Keywords
include
The PVS supports dependencies where one plugin depends on a list of other plugins. The
“include” keyword specifies a file that contains a list of other PVS IDs to depend on.
Tenable includes a services.inc file with the PVS that lists the major applications such as
SMTP, NTP, FTP, etc.

If a plugin has this keyword, then the PVS will generate a SYSLOG message or real-time log
file entry the first time this plugin matches. This prevents vulnerabilities that are worm