Real-Time Plugin Examples
Failed Telnet Login Plugin
The easiest way to learn about NNM real-time plugins is to evaluate some of those included by Tenable. Below is a plugin that detects a failed Telnet login to a FreeBSD server.
# Look for failed logins into an FreeBSD telnet server
name=Failed login attempt
description=NNM detected a failed login attempt to a telnet server
This plugin has many of the same features as a vulnerability plugin. The plugin ID is 79400, the high-speed port is 23, and the plugin depends on plugin 1903 (which detects a Telnet service). The realtimeonly keyword tells NNM that if it observes this pattern it should alert on the activity, but not record any vulnerability.
In Tenable.sc, events from NNM are recorded alongside other IDS tools.
Finger User List Enumeration Plugin
Finger is an older Internet protocol that allows system users to query a remote server for information about a user on that host. Several security holes in finger daemons have allowed an attacker to elicit user and system information that is useful for further attacks.
name=App Subversion - Successful finger query to multiple users
description=A response from a known finger daemon was observed which indicated that the attacker was able to retrieve a list of three or more valid user names.
This plugin looks for these patterns only on systems where a working finger daemon has been identified (dependency #1277). The track-session keyword means that when this plugin fires with a value of 10, the session data from the next 10 packets is tracked and logged in either the SYSLOG or the real-time log file.
During a normal finger query, if only one valid user is queried, only one home directory is returned. However, many of the exploits for finger involve querying for users such as NULL, .., or 0, which causes vulnerable finger daemons to return a listing of all users. In that case, this plugin fires because of the multiple “Directory:” matches.
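As an added illustration (not one of Tenable's plugins), the Python below mirrors the finger plugin's logic: it counts distinct "Directory:" lines on the server side of a session, raises the event once three or more appear, and then captures the next N packets the way track-session does. The reply format, the packet boundaries and the FingerSessionMonitor class are constructed for this example.

```python
import re

# Assumption: a finger reply marks each valid user with a "Directory:" line,
# as in the plugin's matches; three or more distinct ones trigger the event.
DIRECTORY_LINE = re.compile(r"^Directory:\s*(\S+)", re.MULTILINE)
MIN_USERS = 3


class FingerSessionMonitor:
    """Per-session state for the server->client half of one finger query.

    After the event fires, the next `track_packets` payloads are kept, which is
    what the plugin's track-session=10 keyword does for the real-time log.
    """

    def __init__(self, track_packets=10):
        self.track_packets = track_packets
        self.homes = set()      # distinct home directories seen so far
        self.alerted = False
        self.tracked = []       # payloads captured after the alert

    def observe(self, server_payload):
        """Feed one server->client payload; return True only when the event fires."""
        if self.alerted:
            if len(self.tracked) < self.track_packets:
                self.tracked.append(server_payload)
            return False
        self.homes.update(DIRECTORY_LINE.findall(server_payload))
        if len(self.homes) >= MIN_USERS:
            self.alerted = True
            return True
        return False


def finger_reply(users):
    """Constructed finger-style reply for a list of (login, home) pairs."""
    return "".join(
        f"Login: {login}\tName: {login.title()}\n"
        f"Directory: {home}\tShell: /bin/sh\n"
        for login, home in users
    )


if __name__ == "__main__":
    normal = FingerSessionMonitor()
    print(normal.observe(finger_reply([("alice", "/home/alice")])))  # one user: no event
    dumped = FingerSessionMonitor(track_packets=2)
    listing = finger_reply([("root", "/root"), ("alice", "/home/alice"), ("bob", "/home/bob")])
    print(dumped.observe(listing))  # bulk user list: event
```

A user list split across several packets still counts, because the monitor accumulates directories until the threshold is reached.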
Unix Password File Download Web Server Plugin
The plugin below looks for any download from a web server that does not look like HTML traffic, but does look like the contents of a generic Unix password file.
name=Web Subversion - /etc/passwd file obtained
description=A file which looks like a Linux /etc/passwd file was downloaded from a web server.
The plugin depends on NNM ID 1442, which detects web servers. The match statements ignore any traffic that contains valid HTML tags and look for lines that start with common Unix password file entries.
Generic Buffer Overflow Detection on Windows Plugin
One of NNM’s strongest intrusion detection features is its ability to recognize specific services and then look for traffic on those services that should never occur unless they have been compromised. Since NNM keeps track of both sides of a conversation and makes decisions based on the content of each, it is well suited to detecting Unix and Windows command shells in services that should never carry them. Here is an example plugin:
# look for Windows error when a user tries to
# switch to a drive that doesn't exist
name=Successful shell attack detected - Failed cd command
description=The results of an unsuccessful attempt to change drives on a Windows machine occurred in a TCP session normally used for a standard service. This may indicate a successful compromise of this service has occurred.
match=^The system cannot find the
This plugin uses the include keyword, which identifies a file listing several dozen NNM IDs for well known services such as HTTP, DNS, and NTP. The plugin is not evaluated unless the target host is running one of those services. The trigger-dependency keyword is needed to ensure the plugin is evaluated even if there is only one match in the services.inc file; otherwise, NNM evaluates this plugin only if the target host is running all of the NNM IDs present in services.inc. In other words, trigger-dependency requires that at least one of the NNM IDs specified by the dependency or include rules be present on the target host.
Finally, the logic of plugin detection looks for the following type of response on a Windows system:
In this case, a user has attempted to use the cd command to change directories within a file system and the attempt failed. This is a common event when a remote attacker compromises a Windows 2000 or Windows 2003 server with a buffer overflow and starts issuing commands. The NNM plugin looks for a network session that should not be there.
In the plugin logic, there are pregexi statements that attempt to ensure that the session is not an HTTP session, and that the previous side of the session contains the string
Tip: The pregexi statement could be expanded to include the trailing space after the “d” character and also the first character.
The plugin then looks for the expected results of the failed cd command. The first match statement makes sure this pattern is not part of the FTP protocol: looking for “cd” on one side of a session and the error from attempting to change to a directory in an FTP session causes false positives for this plugin, and a rule that ignores any line starting with “550” avoids this. While writing and testing this plugin, Tenable considered having a separate set of plugins just for FTP, but the additional filter statement took care of the false positives. Finally, the last two match statements look for the results of the failed change directory attempt. They are spread across two match statements and could have been combined into one regular expression, but the basic message had enough content to split it into two plain matches, which are faster.
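An added Python sketch (not Tenable's plugin code) of the match chain described above for the failed-cd plugin: it applies only to hosts running a known service, rejects HTTP sessions, requires a cd command on the previous side, drops FTP 550 replies, and only then looks for the Windows error text. The port set standing in for services.inc, the regexes and the three session payloads are assumptions constructed for this example.

```python
import re

# Assumption: a small stand-in for the NNM IDs listed in services.inc
# (FTP, SMTP, DNS, HTTP, NTP); trigger-dependency semantics, any one match.
SERVICE_PORTS = {21, 25, 53, 80, 123}
CD_COMMAND = re.compile(r"\bcd\b", re.IGNORECASE)            # pregexi on the previous side
HTTP_MARKER = re.compile(r"^(HTTP/\d\.\d|GET |POST |HEAD )", re.MULTILINE)
FTP_550 = re.compile(r"^550 ", re.MULTILINE)                  # first match: not an FTP reply
FAILED_CD = re.compile(r"^The system cannot find the (path|drive) specified", re.MULTILINE)


def failed_cd_in_service(server_port, client_payload, server_payload):
    """Return True when a Windows failed-cd error appears in a session
    that should carry a standard service, never a command shell."""
    if server_port not in SERVICE_PORTS:
        return False          # include/trigger-dependency: host runs no known service
    if HTTP_MARKER.search(client_payload) or HTTP_MARKER.search(server_payload):
        return False          # pregexi: this is an ordinary HTTP exchange
    if not CD_COMMAND.search(client_payload):
        return False          # pregexi: previous side never issued cd
    if FTP_550.search(server_payload):
        return False          # ignore FTP "550 ..." false positives
    return FAILED_CD.search(server_payload) is not None


# Constructed sessions: a shell answering on the web port, a normal HTTP
# request whose path happens to contain "cd", and an FTP change-directory
# that fails with a 550 reply (client text constructed to match "cd").
SHELL_ON_80 = (80, "cd D:\\\r\n", "The system cannot find the drive specified.\r\n\r\nC:\\>")
PLAIN_HTTP = (80, "GET /cd/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
              "HTTP/1.1 404 Not Found\r\n\r\nThe system cannot find the path specified.")
FTP_CHANGE = (21, "cd missing\r\n", "550 The system cannot find the path specified.\r\n")

if __name__ == "__main__":
    for session in (SHELL_ON_80, PLAIN_HTTP, FTP_CHANGE):
        print(failed_cd_in_service(*session))  # True, False, False
```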