Red Hat NETWORK BASIC - USER REFERENCE GUIDE 4.0 User Guide, Page 66
Writing Passive Vulnerability Scanner Real-Time Plugins
Real-Time Plugin Model
PVS real-time plugins are exactly the same as PVS vulnerability plugins, with two exceptions:
- they can occur multiple times
- their occurrence may not be recorded as a vulnerability
For example, an attacker may attempt to retrieve the source code of a Perl script from an Apache web server. If the PVS
observes this event, it is logical to send a real-time alert, and it is also logical to mark the Apache server as
potentially vulnerable to some form of Perl script source disclosure. In other cases it makes more sense to log the
attempt as an event but not as a vulnerability. A login failure over FTP, for example, is an event that may be worth
logging, but it does not indicate a vulnerability in the server.
When a real-time plugin is written, one of two keywords tells the PVS that it is not a regular vulnerability plugin:
"realtime" or "realtimeonly". All keywords are covered in more depth in the next section, but the basic difference is that
"realtime" events are entered into the vulnerability database and "realtimeonly" events are not.
In the example above, the FTP login failure would be marked as a "realtimeonly" event, because we want real-time
alerting but not a new entry in the vulnerability database.
New Keywords

include
    The PVS supports dependencies, where one plugin depends on a list of other plugins. The "include" keyword names a
    file that contains a list of PVS IDs to depend on. Tenable ships a services.inc file with the PVS that lists the
    major application protocols such as SMTP, NTP, FTP, etc.

realtime
    If a plugin has this keyword, the PVS generates a SYSLOG message or real-time log file entry the first time the
    plugin matches. This prevents worm-related vulnerabilities from causing millions of events; for example, the plugins
    for the Sasser worm generate only one event. Output from plugins with this keyword does show up in the vulnerability
    report.

realtimeonly
    If a plugin has this keyword, the PVS generates a SYSLOG message or real-time log file entry each time the plugin
    evaluates successfully. These plugins never show up in the report file.

track-session
    This keyword causes the contents of a session to be reported (via SYSLOG or the real-time log file) a specified
    number of times after the plugin containing the keyword has matched. This is an excellent way to discover what an
    attacker "did next", or what the contents of a retrieved file were.

trigger-dependency
    Normally, if a plugin has multiple dependencies, all of them must be successful before the plugin is evaluated. The
    "trigger-dependency" keyword allows the plugin to be evaluated as long as at least one of its dependencies is
    successful.
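To make the differences between these keywords concrete, here is an added toy model that applies them to a stream of constructed traffic. It is not Tenable's PVS code and does not use the PVS plugin file format; the Plugin and Engine classes, the rule that "first match" for realtime is counted per host, the plugin IDs 1000 to 1005, and the sample payloads are all assumptions made for this illustration. It shows an FTP login failure (realtimeonly) alerting on every occurrence without entering the report, a Perl source download attempt (realtime) alerting once and entering the report, track-session capturing the two payloads that follow the match, and a plugin with the same dependencies that never fires because it lacks trigger-dependency.

```python
"""Toy model of the real-time plugin keywords described on this page.

Added illustration, not Tenable's PVS code and not its plugin file format:
the Plugin and Engine classes, the per-host 'first match' rule and the sample
traffic are assumptions made here to show how 'realtime', 'realtimeonly',
'track-session' and 'trigger-dependency' differ in effect.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Plugin:
    pid: int
    name: str
    pattern: str                      # regex applied to each observed payload
    realtime: bool = False            # alert on first match per host; goes in report
    realtimeonly: bool = False        # alert on every match; never in report
    track_session: int = 0            # report this many follow-on payloads of the session
    dependencies: tuple = ()          # plugin IDs that must already have matched on the host
    trigger_dependency: bool = False  # True: any one dependency suffices; False: all must


@dataclass
class Engine:
    plugins: list
    report: set = field(default_factory=set)      # (host, pid) in the vulnerability report
    matched: set = field(default_factory=set)     # (host, pid) that matched at least once
    alerts: list = field(default_factory=list)    # real-time output, in order
    tracking: dict = field(default_factory=dict)  # session -> (pid, payloads still to report)

    def deps_ok(self, host, p):
        if not p.dependencies:
            return True
        hits = [(host, d) in self.matched for d in p.dependencies]
        return any(hits) if p.trigger_dependency else all(hits)

    def observe(self, session, host, payload):
        # track-session: report the payloads that follow the matching one
        if session in self.tracking:
            pid, left = self.tracking[session]
            self.alerts.append(("session", pid, host, payload))
            if left > 1:
                self.tracking[session] = (pid, left - 1)
            else:
                del self.tracking[session]
        for p in self.plugins:
            if not re.search(p.pattern, payload) or not self.deps_ok(host, p):
                continue
            key = (host, p.pid)
            first = key not in self.matched
            self.matched.add(key)
            alerted = False
            if p.realtimeonly:                 # event only, every time
                alerted = True
            elif p.realtime:                   # event once per host, plus report entry
                alerted = first
                self.report.add(key)
            else:                              # ordinary vulnerability plugin
                self.report.add(key)
            if alerted:
                self.alerts.append(("event", p.pid, host, payload))
                if p.track_session:
                    self.tracking[session] = (p.pid, p.track_session)


# Hypothetical plugin set; IDs and patterns are assumptions for this example
PLUGINS = [
    Plugin(1000, "FTP server banner", r"^220 .*ftp"),
    Plugin(1001, "FTP login failure", r"^530 ", realtimeonly=True,
           dependencies=(1000,)),
    Plugin(1003, "Apache server banner", r"Server: Apache"),
    Plugin(1004, "nginx server banner", r"Server: nginx"),
    Plugin(1002, "Perl script source download attempt", r"GET /cgi-bin/\S+\.pl",
           realtime=True, track_session=2,
           dependencies=(1003, 1004), trigger_dependency=True),
    Plugin(1005, "same request, but all dependencies required", r"GET /cgi-bin/\S+\.pl",
           realtimeonly=True, dependencies=(1003, 1004)),
]

# Constructed sample traffic: (session, server host, payload)
SAMPLE = [
    ("s1", "10.0.0.5", "220 vsftpd 3.0 ready"),
    ("s1", "10.0.0.5", "530 Login incorrect."),
    ("s1", "10.0.0.5", "530 Login incorrect."),
    ("s2", "10.0.0.7", "HTTP/1.1 200 OK\r\nServer: Apache/2.2"),
    ("s3", "10.0.0.7", "GET /cgi-bin/test.pl%20 HTTP/1.0"),
    ("s3", "10.0.0.7", "HTTP/1.1 200 OK"),
    ("s3", "10.0.0.7", "#!/usr/bin/perl"),
    ("s3", "10.0.0.7", "print 'hello';"),
    ("s4", "10.0.0.7", "GET /cgi-bin/test.pl%20 HTTP/1.0"),
]


def run_sample():
    eng = Engine(PLUGINS)
    for session, host, payload in SAMPLE:
        eng.observe(session, host, payload)
    return eng


if __name__ == "__main__":
    eng = run_sample()
    for a in eng.alerts:
        print(a)
    print("report:", sorted(eng.report))
```

Running it prints two events for plugin 1001 (one per failed login) and none of them reach the report; plugin 1002 alerts once on the first request, lands in the report, and the two payloads that follow it in session s3 are echoed as "session" entries; the second request in session s4 is already known for that host and stays quiet, which is the worm-noise suppression the "realtime" keyword is for. Plugin 1005 never fires because the nginx banner it also depends on was never seen.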
Example Failed Telnet Login Plugin
The easiest way to learn about PVS real-time plugins is to study some of those included by Tenable. Below is a plugin
that detects a failed Telnet login to a FreeBSD server.