Detecting Custom Activity Prohibited by Policy
The plugins provided with NNM are useful for detecting generally inappropriate activities, but there may be times when more specific activities need to be detected. For example, a company may want to generate an alert when email is sent to a competitor’s mail service or if users are managing their Facebook accounts from the corporate network.
Tenable provides the ability for users to write their own custom plugins, as documented in NNM Plugin Syntax. These plugins are saved as
The following example shows how to create a custom plugin to detect users logging into their Facebook accounts. First, a unique plugin ID is assigned, in this case 79420. So, the first line of our plugin is:
Next, we want a description of what the plugin detects:
description=The remote client was observed logging into a Facebook account. You should ensure that such behavior is in alignment with corporate policies and guidelines. For your information, the user account was logged as:\n %L
%L is replaced by the match from the regular expression statement that is created later. We want to log the source address of the offending computer as well as the user ID that was used to log in. Next, we create a distinct name for our plugin.
name=POLICY - Facebook usage detection
Note that the name begins with the string POLICY. This makes all POLICY violations easily searchable from the Tenable.sc interface.
You can also define a Tenable.sc dynamic asset that contains only POLICY violators.
The next field defines a family. For this example, the application is a web browser, so the family ID is defined as follows:
Since this is a web browser, a dependency can be assigned that tells NNM to look at only those clients that have been observed surfing the web:
Furthermore, since we are looking at client traffic, we define:
Next, we assign a risk rating for the observed behavior:
In the final section we create regex statements that NNM looks for passively. We want all of these statements to be true before the client is flagged for inappropriate usage:
The web request must begin with a POST verb. This weeds out all “GET” requests.
The statement above ensures that they are posting to a host with a domain of
Finally, we have a regex statement that detects the user’s login credentials:
Altogether, we have a single plugin as follows:
description=The remote client was observed logging into a Facebook account. You should ensure that such behavior is in alignment with corporate policies and guidelines. For your information, the user account was logged as:
solution=Stay off of Facebook.
This plugin could be named Facebook.prm and added into the /opt/NNM/var/nnm/plugins/ directory. If Tenable.sc is used to manage one or more NNM systems, use the plugin upload dialog to add the new
If you wish to create a policy file that includes multiple checks, use the reserved word NEXT within the policy file. For example:
rest of plugin
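To make the plugin structure above concrete, here is an added Python example (not Tenable's code and not NNM's real parser) that reads a constructed two-plugin policy file separated by the reserved word NEXT, applies each plugin's match and regex statements to a constructed client POST, and fills %L from the first capture group. The match=, regex= and NEXT-handling semantics, the sample plugin text and the request are all assumptions made for illustration.

```python
import re
# Constructed sample .prm text (not Tenable's shipped plugin); field names other
# than id/name/description and the NEXT separator are assumptions.
SAMPLE_PRM = """id=79420
name=POLICY - Facebook usage detection
description=The remote client was observed logging into a Facebook account. User account: %L
match=^POST
match=facebook.com
regex=email=([^&]+)
NEXT
id=79421
name=POLICY - Competitor webmail usage detection
description=The remote client was observed logging into competitor webmail. User account: %L
match=^POST
match=mail.competitor.example
regex=user=([^&]+)
"""
REQUEST = (  # constructed client request, reassembled as NNM would see it
    "POST /login.php HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"
    "email=alice%40example.com&persistent=1")

def parse_prm(text):
    """Split a .prm file on NEXT; each plugin maps key -> list (match= may repeat)."""
    plugins, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "NEXT":                      # reserved word: start next plugin
            if current:
                plugins.append(current)
            current = {}
            continue
        key, _, value = line.partition("=")
        current.setdefault(key, []).append(value)
    if current:
        plugins.append(current)
    return plugins

def evaluate(plugin, request):
    """Assumed semantics: all match= lines must hold ('^' anchors to the request
    start); the first group of regex= replaces %L. Returns alert text or None."""
    for pattern in plugin.get("match", []):
        anchored = pattern.startswith("^")
        if not (request.startswith(pattern[1:]) if anchored else pattern in request):
            return None
    hit = re.search(plugin["regex"][0], request)
    return plugin["description"][0].replace("%L", hit.group(1)) if hit else None

def scan(prm_text, request):
    return {p["id"][0]: msg for p in parse_prm(prm_text)
            if (msg := evaluate(p, request)) is not None}
```

Running `scan(SAMPLE_PRM, REQUEST)` fires only plugin 79420; the same request with a GET verb fires nothing, which is the "weeds out all GET requests" behaviour described above.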