Time Dependent Plugins

The last plugin example shows some more advanced features of the NNM plugin language that allow a plugin to be time dependent and to make use of the evaluation of other plugins. The plugin shows how NNM detects an anonymous FTP server. Use the NEXT keyword to separate plugins in the plugin file.




name=Anonymous FTP (login: ftp)
pmatch=^USER ftp
NEXT #-----------------------------------------------------------
name=Anonymous FTP enabled
description=The remote FTP server has anonymous access enabled.




Since we want to detect an anonymous FTP server, we must look for the following traffic pattern:

1) FTP client ---- USER ftp ----------------> FTP server
2) FTP client <--- 331 Guest login ok, ... -- FTP server
3) FTP client ---- PASS [email protected] ------> FTP server
4) FTP client <--- 230 Logged in ------------ FTP server

Here we cannot use a single plugin to detect this entire session. So, instead we use two plugins: the first plugin looks for packets 1) and 2) and the second plugin looks for packets 3) and 4).

A review of the above plugins shows that plugin 79200 matches 1) and 2) in the session by keying on the patterns “USER ftp” and the 331 return code. Plugin 79201 matches on 3) and 4) by keying on the patterns “PASS” and the 230 return code.

Notice that plugin 79201 contains the following field: dependency=79200. This field indicates that plugin 79200 must evaluate successfully before plugin 79201 may be evaluated.

To complete the plugin for the anonymous FTP session, we must ensure both plugins are evaluating the same FTP session. To do this, we attach a time dependency to plugin 79201. The field time-dependency=5 indicates that plugin 79200 must evaluate successfully in the last five seconds for 79201 to evaluate. This way, we can ensure that both plugins evaluate the same FTP session.
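
The dependency and five-second window described above, modelled in Python as an added example (not NNM's implementation and not part of the original page). Keying state on the server address, the field name "reply", and the sample exchanges are assumptions constructed for illustration.

```python
import re

# Model of the two plugins. pmatch, dependency and time-dependency come from
# the page; "reply" is an assumed name for the server-response pattern.
PLUGINS = {
    79200: {"pmatch": r"^USER ftp", "reply": r"^331"},
    79201: {"pmatch": r"^PASS", "reply": r"^230",
            "dependency": 79200, "time_dependency": 5},
}

# Constructed sample: (seconds, server, client line, server line).
SAMPLE = [
    (0, "192.0.2.10", "USER ftp", "331 Guest login ok, ..."),
    (2, "192.0.2.10", "PASS guest@example.invalid", "230 Logged in"),
    (10, "192.0.2.20", "USER ftp", "331 Guest login ok, ..."),
    (40, "192.0.2.20", "PASS guest@example.invalid", "230 Logged in"),  # too late
    (50, "192.0.2.30", "USER alice", "331 Password required"),
    (51, "192.0.2.30", "PASS constructed-password", "230 Logged in"),  # not anonymous
]

def evaluate(exchanges):
    """Return (time, server, plugin_id) for every successful evaluation."""
    last_hit = {}  # (server, plugin_id) -> time of most recent success
    hits = []
    for ts, server, request, response in sorted(exchanges):
        for pid, plugin in PLUGINS.items():
            if not (re.search(plugin["pmatch"], request)
                    and re.search(plugin["reply"], response)):
                continue
            dep = plugin.get("dependency")
            if dep is not None:
                seen = last_hit.get((server, dep))
                # The dependency must have succeeded within the window.
                if seen is None or ts - seen > plugin["time_dependency"]:
                    continue
            last_hit[(server, pid)] = ts
            hits.append((ts, server, pid))
    return hits

def anonymous_ftp_servers(exchanges):
    """Servers on which plugin 79201 (the reportable one) evaluated."""
    return sorted({srv for _, srv, pid in evaluate(exchanges) if pid == 79201})

if __name__ == "__main__":
    for hit in evaluate(SAMPLE):
        print(hit)
    print("anonymous FTP:", anonymous_ftp_servers(SAMPLE))
```

In this model the two halves are tied together by time rather than by connection, so a USER ftp from one client followed within the window by a successful PASS from a different client to the same server would also satisfy both plugins.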