
dependency=2004
dependency=2005
hs_dport=25
description=POLICY - Confidential data passed outside the corporate network. The Confidential file don'tshare.doc was just observed leaving the network via email.
name=Confidential file misuse
family=Generic
clientissue
risk=HIGH
bmatch=de1d7f362734c4d71ecc93a23bb5dd4c
bmatch=747f029fbf8f7e0ade2a6198560c3278
These bmatch values were created by simply generating md5 hashes of the following strings:
"Copyright 2006 BigCorp, file: don'tshare.doc"
"file: don'tshare.doc"
The security compliance group maintains the list of mappings (confidential file to md5 hash). The md5 hash can be embedded within the binary file and then tracked as it traverses the network.
Similar checks can be performed against ASCII strings to detect, for example, whether confidential data was cut-and-pasted into an email. Simply create text watermarks that appear benign to the casual observer and map each one to a specific file name. For example:
"Reference data at \\192.168.0.2\c$\shares\employmentfiles for HR data regarding Jane Mcintyre" could be a string which maps to a file named Finances.xls.
A PVS plugin could look for the string as follows:
id=9006
trigger-dependency
dependency=2004
dependency=2005
hs_dport=25
description=POLICY - Confidential data passed outside the corporate network. Data from the confidential file Finances.xls was just observed leaving the network via email.
name=Confidential file misuse
family=Generic
clientissue
risk=HIGH
match=Reference data at
match=192.168.0.2\c$\shares\employmentfiles
match=for HR data regarding Jane Mcintyre
The two example plugins above (IDs 9005 and 9006) would detect files leaving the network via email. Most corporations
have a list of ports that are allowed outbound access. SMTP is typically one of these ports. Other ports may include FTP,
Messenger client ports (e.g., AIM, Yahoo and ICQ), or Peer2Peer (e.g., GNUTELLA and bittorrent). Depending on your
specific network policy, you may wish to clone plugins 9005 and 9006 to detect these strings on other outbound protocols.
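To make the watermark mechanism concrete, here is an added Python example (not from the PVS documentation) that derives bmatch values the way the text describes, embeds a digest in a constructed document, and mimics the bmatch and match checks on a captured stream. The watermark strings are the page's own; treating several match= lines as "all substrings must be present" is an assumption of this example.

```python
import hashlib

# Watermark strings from the page: each confidential file maps to the strings
# whose md5 digest is embedded in it (bmatch) or to benign-looking text (match).
BINARY_WATERMARKS = {
    "don'tshare.doc": [
        "Copyright 2006 BigCorp, file: don'tshare.doc",
        "file: don'tshare.doc",
    ],
}
TEXT_WATERMARKS = {
    "Finances.xls": [
        "Reference data at",
        r"192.168.0.2\c$\shares\employmentfiles",
        "for HR data regarding Jane Mcintyre",
    ],
}


def bmatch_lines(filename):
    """Produce the bmatch= lines for a plugin: the hex md5 of each watermark string."""
    return ["bmatch=" + hashlib.md5(s.encode()).hexdigest()
            for s in BINARY_WATERMARKS[filename]]


def embed_watermark(payload: bytes, watermark: str) -> bytes:
    """Append the raw 16-byte md5 digest of a watermark string to a (constructed) file."""
    return payload + hashlib.md5(watermark.encode()).digest()


def detect_binary(stream: bytes):
    """Mimic bmatch: name the confidential file whose digest bytes appear in the stream."""
    for filename, strings in BINARY_WATERMARKS.items():
        for s in strings:
            if hashlib.md5(s.encode()).digest() in stream:
                return filename
    return None


def detect_text(stream: str):
    """Mimic a set of match= lines; assumption: every substring must be present."""
    for filename, parts in TEXT_WATERMARKS.items():
        if all(p in stream for p in parts):
            return filename
    return None


if __name__ == "__main__":
    print("\n".join(bmatch_lines("don'tshare.doc")))
    doc = embed_watermark(b"constructed document body", "file: don'tshare.doc")
    print(detect_binary(doc), detect_text("Reference data at the usual place"))
```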
Passive Vulnerability Scanner Operating System Fingerprints
Passive Operating System Fingerprinting
Tenable uses a hybrid approach to operating system fingerprinting. Primarily, plugins are used to detect and identify the
OS of a host. If this is not possible, PVS will use detected packets to identify the OS.