Detecting Custom Activity Prohibited by Policy
The plugins shipped with NNM detect broadly inappropriate activity, but there are times when a more specific activity needs to be detected. For example, a company may want an alert generated when email is sent to a competitor's mail service, or when users manage their Facebook accounts from the corporate network.
Tenable provides the ability for users to write their own custom plugins, as documented in NNM Plugin Syntax. These plugins are saved as
The following example shows how to create a custom plugin that detects users logging into their Facebook accounts. First, a unique plugin ID is assigned, in this case 79420, so the first line of the plugin is:
id=79420
Next, we add a description of what the plugin detects:
description=The remote client was observed logging into a Facebook account. You should ensure that such behavior is in alignment with corporate policies and guidelines. For your information, the user account was logged as:\n %L
%L is replaced by the text captured by the regular expression statement defined later. The intent is to log the source address of the offending computer together with the user ID that was used to log in. Take care that the expression captures only the account identifier: whatever it matches is written verbatim into the report, so a pattern that also swallows the password field would store credentials in plaintext in NNM and SecurityCenter CV. Next, we give the plugin a distinct name.
name=POLICY - Facebook usage detection
Note that the name begins with the string POLICY. This will make all POLICY violations easily searchable from the SecurityCenter CV interface.
You could also define a SecurityCenter CV dynamic asset list that contains only POLICY violators.
The next field defines a family. For this example, the application is a web browser, so the family is defined as follows:
Since this is a web browser, a dependency can be assigned so that NNM evaluates this plugin only for clients it has already observed browsing the web:
Further, since we are looking at client traffic, we will define:
Next, we assign a risk rating for the observed behavior:
In the final section we create the pattern statements that NNM evaluates passively against observed traffic. Every one of them must be true before the client is flagged for inappropriate usage. Note that NNM can only match what it sees on the wire: a login posted over HTTPS is encrypted in transit, so a plugin of this kind fires only where NNM observes the request in cleartext.
The web request must begin with the POST verb. This weeds out all GET requests.
The statement above ensures that they are posting a host with a domain of
Finally, we have a regex statement that detects the user's login credentials:
Putting it all together, we have a single plugin as follows:
description=The remote client was observed logging into a Facebook account. You should ensure that such behavior is in alignment with corporate policies and guidelines. For your information, the user account was logged as:\n %L
solution=Stay off of Facebook.
This plugin could be named Facebook.prm and added to the /opt/NNM/var/nnm/plugins/ directory. If SecurityCenter CV is being used to manage one or more NNM systems, use the plugin upload dialog to add the new
If you wish to create a single policy file that contains multiple checks, separate the plugins with the reserved word NEXT on a line of its own. For example:
rest of plugin
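To see how the pieces above fit together (the assembled plugin with its key=value lines, the %L substitution, and a file carrying several plugins separated by NEXT), here is an added Python example. It is not NNM's engine and not Tenable's Facebook plugin: the ids, hosts, patterns and traffic samples are constructed, and the match semantics (a leading ^ anchors to the start of the payload, anything else is a substring test) are a simplifying assumption. It parses a two-plugin .prm text, runs a few sanity checks a reviewer would want before uploading, then evaluates each plugin against sample requests and shows what %L puts into the report.

```python
import re
from dataclasses import dataclass, field
# Constructed sample .prm text: two plugins separated by the reserved word
# NEXT. The ids, hosts and patterns are hypothetical, not Tenable's.
SAMPLE_PRM = """\
id=900001
description=The remote client posted a login form to intranet-social.example. Account observed:\\n %L
name=POLICY - intranet-social.example login detection
family=Policy
clientissue
risk=MEDIUM
match=^POST
match=Host: intranet-social.example
regex=user=[^&]+
solution=Stay off of intranet-social.example.
NEXT
id=900002
description=The remote client sent mail to competitor.example. Recipient observed:\\n %L
name=POLICY - mail to competitor.example
family=Policy
clientissue
risk=LOW
match=^RCPT TO:
regex=<[^>]+@competitor\\.example>
"""

@dataclass
class PrmPlugin:
    fields: dict = field(default_factory=dict)   # key=value lines; bare keywords such as clientissue map to True
    matches: list = field(default_factory=list)  # match= patterns, in file order
    regex: str = ""                              # the regex= whose match fills %L

def parse_prm(text):
    """Split a .prm file on NEXT and collect each plugin's lines."""
    plugins, cur = [], PrmPlugin()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "NEXT":
            plugins.append(cur)
            cur = PrmPlugin()
        elif "=" not in line:
            cur.fields[line] = True
        else:
            key, value = line.split("=", 1)
            if key == "match":
                cur.matches.append(value)
            elif key == "regex":
                cur.regex = value
            else:
                cur.fields[key] = value
    if cur.fields or cur.matches:
        plugins.append(cur)
    return plugins

def validate(plugins):
    """Return the problems a reviewer would send the file back for."""
    problems, seen = [], set()
    for p in plugins:
        pid = p.fields.get("id", "<missing>")
        for key in ("id", "name", "description"):
            if key not in p.fields:
                problems.append(f"{pid}: missing {key}=")
        if pid in seen:
            problems.append(f"{pid}: duplicate id")
        seen.add(pid)
        if "%L" in p.fields.get("description", "") and not p.regex:
            problems.append(f"{pid}: description uses %L but no regex= is defined")
        if p.regex:
            try:
                re.compile(p.regex)
            except re.error as err:
                problems.append(f"{pid}: bad regex ({err})")
    return problems

def evaluate(plugin, src_ip, payload):
    """Return the alert text if every match= holds and regex= finds data, else None."""
    # Toy match semantics (an assumption, not NNM's): ^ anchors to payload start, else substring.
    if not all(payload.startswith(m[1:]) if m.startswith("^") else m in payload
               for m in plugin.matches):
        return None
    logged = ""
    if plugin.regex:
        found = re.search(plugin.regex, payload)
        if found is None:
            return None
        logged = found.group(0)   # exactly what %L puts into the report
    desc = plugin.fields["description"].replace("\\n", "\n").replace("%L", logged)
    return f"[{plugin.fields['id']}] {plugin.fields['name']} from {src_ip}: {desc}"

# Constructed traffic samples: a form login, a GET that must not alert, an SMTP envelope line.
LOGIN_POST = ("POST /login HTTP/1.1\r\nHost: intranet-social.example\r\n"
              "Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=jdoe&pass=hunter2&remember=1")
GET_REQUEST = "GET /home HTTP/1.1\r\nHost: intranet-social.example\r\n\r\n"
SMTP_RCPT = "RCPT TO:<alice@competitor.example>\r\n"
EVENTS = [("10.0.0.5", LOGIN_POST), ("10.0.0.5", GET_REQUEST), ("10.0.0.9", SMTP_RCPT)]
```

The regex in the first sample plugin stops at the first &, so the report carries user=jdoe and never the password that follows it; that is the property to check in any credential-logging pattern before uploading it. The GET request fails the ^POST match and produces no alert, and the mail plugin only fires on the SMTP sample, which is what the all-statements-must-hold rule buys you.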