Search Examples
The following examples describe how to search for specific .tns and .doc documents.
Example 1: Search for .tns documents that contain the word “Nessus”
Following is a simple .audit file that looks for any .tns file that contains the word “Nessus” anywhere in the document.
<check_type:"WindowsFiles">
<item>
type: FILE_CONTENT_CHECK
description: "TNS File that Contains the word Nessus"
file_extension: "tns"
expect: "Nessus"
</item>
</check_type>
When running this command, the following output is expected:
"TNS File that Contains the word Nessus" : [FAILED]
- error message:
The following files do not match your policy :
Share: C$, path: \share\new folder\tenable_content.tns
These results show that we found a match. The report says we “failed” because we found data we were not looking for. For example, if you are doing an audit for a Social Security number and had a positive match of the Social Security number on the public computer, although the match is positive, it is logged as a failure for compliance reasons.
Example 2: Search for .tns documents that contain the word “France”
Following is a simple .audit file that looks for any .tns file that contains the word “France” anywhere in the document.
<check_type:"WindowsFiles">
<item>
type: FILE_CONTENT_CHECK
description: "TNS File that Contains the word France"
file_extension: "tns"
expect: "France"
</item>
</check_type>
The output we get this time is as follows:
"TNS File that Contains the word France" : [PASSED]
We were able to “pass” the audit because none of the .tns files we audited had the word “France” in them.
Example 3: Search for .tns and .doc documents that contain the word “Nessus”
Adding a second extension for file searches of Microsoft Word documents is very easy and shown below:
<check_type:"WindowsFiles">
<item>
type: FILE_CONTENT_CHECK
description: "TNS or DOC File that Contains the word Nessus"
file_extension: "tns" | "doc"
expect: "Nessus"
</item>
</check_type>
The results (on our test computer) were as follows:
"TNS or DOC File that Contains the word Nessus" : [FAILED]
- error message:
The following files do not match your policy :
Share: C$, path: \share\new folder\tenable_content.tns
Share: C$, path: \documents and settings\jsmith\desktop\tns_roadmap.doc
We have the same “failure” as before with our test .tns file, but in this case, there was a second file that was a .doc that also had the word “Nessus” in it. If you are performing these tests on your own systems, you may or may not have a Word file that contains the word “Nessus” in it.
Example 4: Search for .tns and .doc documents that contain the word “Nessus” and have an 11 digit number in them
Now we will add in our first regular expression to match an 11-digit number. We just need to add in the regular expression with the regex keyword to the same .audit file as before.
<check_type:"WindowsFiles">
<item>
type: FILE_CONTENT_CHECK
description: "TNS or DOC File that Contains the word Nessus"
file_extension: "tns" | "doc"
regex: " ([0-9]{11})"
expect: "Nessus"
</item>
</check_type>
Running this produces the following output:
"TNS or DOC File that Contains the word Nessus" : [FAILED]
- error message:
The following files do not match your policy :
Share: C$, path: \share\new folder\tenable_content.tns (01234567890)
The .doc file that matched in the last example is still being searched. Since it does not have the 11-digit number in it, it is not showing up anymore. Also, note that since we are using the regex keyword, we also get a match displayed in the data.
What if we needed to find a 10 digit number? The 11-digit number above has two 10-digit numbers in it (0123456789 and 1234567890). If we wanted to write a more exact match for just 11 digits, what we really want then is a regular expression that says:
“Match any 11 digit number not preceded or followed by any other numbers”.
To do this in regular expressions we can add the “not” operator like this:
<check_type:"WindowsFiles">
<item>
type: FILE_CONTENT_CHECK
description: "TNS or DOC File that Contains the word Nessus"
file_extension: "tns" | "doc"
regex: "([^0-9]|^)([0-9]{11})([^0-9]|$)"
expect: "Nessus"
</item>
</check_type>
Reading from left to right, we also see the “^” character and the dollar sign character a few times. The “^” sometimes means the start of a line and other times it means to match the negative. The dollar sign means the end of a line. The above regular expression basically means to look for any patterns that do not start with a number but potentially start on a new line, contains 11 numbers and then are not followed by any more numbers or has a line end. Regular expressions treat the beginning and end of a line as special cases, hence requiring the use of the “^” or “$” characters.
Example 5: Search for .tns and .doc documents that contain the word “Nessus” and have an 11 digit number in them, but only display last 4 bytes
Adding the keyword only_show to our .audit file can limit the output. This can limit the auditors to only having access to the sensitive data they are looking for.
<check_type:"WindowsFiles">
<item>
type: FILE_CONTENT_CHECK
description: "TNS or DOC File that Contains the word Nessus"
file_extension: "tns" | "doc"
regex: "([^0-9]|^)([0-9]{11})([^0-9]|$)"
expect: "Nessus"
only_show: "4"
</item>
</check_type>
When matched, the data is obscured with “X” characters as shown below:
"TNS or DOC File that Contains the word Nessus" : [FAILED]
- error message:
The following files do not match your policy :
Share: C$, path: \share\new folder\tenable_content.tns (XXXXXXX7890)
Example 6: Search for .tns documents that contain the word “Correlation” in the first 50 bytes
In this example, we will examine the use of the max_size keyword. In our test file, the word “Correlation” is more than 50 bytes into the file.
<check_type:"WindowsFiles">
<item>
type: FILE_CONTENT_CHECK
description: "TNS File that Contains the word Correlation"
file_extension: "tns"
expect: "Correlation"
max_size: "50"
</item>
</check_type>
When running this, we get a passing match:
"TNS File that Contains the word Correlation" : [PASSED]
Change the max_size value from “50” to “50K” and rerun the scan. Now we get an error:
"TNS File that Contains the word Correlation" : [FAILED]
- error message:
The following files do not match your policy :
Share: C$, path: \share\new folder\tenable_content.tns
Example 7: Controlling what is displayed in output
In this example, we will examine the use of the regex_replace keyword. Consider the following .audit file:
<check_type:"WindowsFiles">
<item>
type: FILE_CONTENT_CHECK
description: "Seventh Example"
file_extension: "tns"
regex: "Passive Vulnerability Scanner"
expect: "Nessus"
</item>
</check_type>
This check outputs as follows:
"Seventh Example" : [FAILED]
- error message:
The following files do not match your policy :
Share: C$, path: \share\new folder\tenable_content.tns (Passive Vulnerability Scanner)
However, consider what can occur if we really needed to have a regular expression that matched on the “Passive” and “Scanner” parts, but we were only interested in returning the “Vulnerability” part. A new regular expression would look like this:
<check_type:"WindowsFiles">
<item>
type: FILE_CONTENT_CHECK
description: "Seventh Example"
file_extension: "tns"
regex: "(Passive) (Vulnerability) (Scanner)"
expect: "Nessus"
</item>
</check_type>
The check still returns the entire match of “Passive Vulnerability Scanner” because the regular expression statement treats the entire string as the first match. To get only the second match, we need to add in the regex_replace keyword.
<check_type:"WindowsFiles">
<item>
type: FILE_CONTENT_CHECK
description: "Seventh Example"
file_extension: "tns"
regex: "(Passive) (Vulnerability) (Scanner)"
regex_replace: "\3"
expect: "Nessus"
</item>
</check_type>
The output from the scan is as follows:
"Seventh Example" : [FAILED]
- error message:
The following files do not match your policy :
Share: C$, path: \share\new folder\tenable_content.tns (Vulnerability)
We use a “\3” to indicate the second item in our matching because the first (“\1”) is the entire string. If we had used “\2”, we would have returned “Passive” and a “\4” would have returned “Scanner”.
Why does this feature exist? When searching for complex data patterns, such as credit card numbers, it is not always possible to get the first match to be the desired data. This keyword provides more flexibility in capturing the desired data with greater accuracy.
Example 8: Using the file name as a filter
If you consider the .audit file from the third example, it returned a result for both a .tns file and a .doc file.
<check_type:"WindowsFiles">
<item>
type: FILE_CONTENT_CHECK
description: "TNS or DOC File that Contains the word Nessus"
file_extension: "tns" | "doc"
expect: "Nessus"
</item>
</check_type>
The results (on our test computer) were as follows:
"TNS or DOC File that Contains the word Nessus" : [FAILED]
- error message:
The following files do not match your policy :
Share: C$, path: \share\new folder\tenable_content.tns
Share: C$, path: \documents and settings\jsmith\desktop\tns_roadmap.doc
The file_name keyword can also be used to filter out files we want or do not want. Adding it to the .audit file and asking it to only consider files with “tenable” in their name looks like this:
<check_type:"WindowsFiles">
<item>
type: FILE_CONTENT_CHECK
description: "TNS or DOC File that Contains the word Nessus"
file_extension: "tns" | "doc"
file_name: "tenable"
expect: "Nessus"
</item>
</check_type>
The output is as follows:
"TNS or DOC File that Contains the word Nessus" : [FAILED]
- error message:
The following files do not match your policy :
Share: C$, path: \share\new folder\tenable_content.tns
The matching .doc file is not present because it did not have the word “tenable” in its path.
The matching string is a regular expression, so it can be very flexible to match a wide variety of files we want and do not want. For example, we could have used the string “[Tt]enable” to match the word “Tenable” or “tenable”. Similarly, if we want to match an extension or a partial extension, we need to escape the dot with a slash such as “\.t” to look for any extensions that start with “t”.
Example 9: Using the inclusion/exclusion keywords
The “include_paths” and “exclude_paths” keywords may be used to filter searches based on drive letter, directory and even file name exclusion.
<item>
type: FILE_CONTENT_CHECK
description: "Does the file contain a valid VISA Credit Card Number"
file_extension: "xls" | "pdf" | "txt"
regex: "([^0-9-]|^)(4[0-9]{3}( |-|)([0-9]{4})( |-|)([0-9]{4})( |-|)([0-9]{4}))([^0-9-]|$)"
regex_replace: "\3"
expect:"."
max_size: "50K"
only_show: "4"
include_paths: "c:\" | "g:\" | "h:\"
exclude_paths: "g:\dontscan"
</item>
The output is as follows:
Windows File Contents Compliance Checks
"Determine if a file contains a valid VISA Credit Card Number" : [FAILED]
- error message:
The following files do not match your policy :
Share: C$, path: \documents and settings\administrator\desktop\ccn.txt (XXXXXXXXXXXX0552)
Nessus ID : 24760
Note that the output does not differ from a standard Windows file content search result, but, excludes the excluded path. If a single path is included using “include_paths” (e.g., “c:\”), all other paths are excluded automatically. Also, if a drive letter is excluded (e.g., “d:\”), but, a folder under that drive is included (e.g., “d:\users”), the “exclude_paths” keyword takes precedence and the drive will not be searched. However, you can include a drive C:\ and then exclude a subfolder within the drive (e.g., C:\users:).