Detecting Custom Activity Prohibited by Policy

The plugins provided with Tenable Nessus Network Monitor are useful for detecting generally inappropriate activities, but there may be times when more specific activities need to be detected. For example, a company may want to generate an alert when email is sent to a competitor’s mail service or if users are managing their Facebook accounts from the corporate network.

Tenable provides the ability for users to write their own custom plugins, as documented in Tenable Nessus Network Monitor Plugin Syntax. These plugins are saved as .prm files.

The following example shows how to create a custom plugin to detect users logging into their Facebook accounts. First, a unique plugin ID is assigned, in this case 79420. So, the first line of our plugin is:

id=79420

Next, we want a description of what the plugin detects:

description=The remote client was observed logging into a Facebook account. You should ensure that such behavior is in alignment with corporate policies and guidelines. For your information, the user account was logged as:\n %L

The %L is replaced with the text matched by the regex statement that is created later. We want to log the source address of the offending computer as well as the user ID that was used to log in. Next, we create a distinct name for our plugin.

name=POLICY - Facebook usage detection

Note that the name begins with the string POLICY. This makes all POLICY violations easily searchable from the Tenable Security Center interface.

You can also define a Tenable Security Center dynamic asset that contains only POLICY violators.

The next field defines a family. For this example, the application is a web browser, so the family is defined as follows:

family=Web Clients

Since this is a web browser, a dependency can be assigned that tells Tenable Nessus Network Monitor to look at only those clients that have been observed surfing the web:

dependency=1735

Furthermore, since we are looking at client traffic, we define:

clientissue

Next, we assign a risk rating for the observed behavior:

risk=MEDIUM

In the final section we create match and regex statements that Tenable Nessus Network Monitor looks for passively. We want all of these statements to be true before the client is flagged for inappropriate usage:

match=>POST /

The web request must begin with a POST verb. This weeds out all “GET” requests.

match=^Host: *.facebook.com

The statement above ensures that the request's Host header names a host in the *.facebook.com domain.

Finally, we have a match and regex statement that detects the user’s login credentials:

match=email=

regex=email=.*%40[^&]+

Altogether, we have a single plugin as follows:

id=79420
family=Web Clients
clientissue
dependency=1735
name=POLICY - Facebook usage detection
description=The remote client was observed logging into a Facebook account. You should ensure that such behavior is in alignment with corporate policies and guidelines. For your information, the user account was logged as:\n %L
risk=MEDIUM
solution=Stay off of Facebook.
match=>POST /
match=^Host: *.facebook.com
match=email=
regex=email=.*%40[^&]+

This plugin could be named Facebook.prm and added into the /opt/nnm/var/nnm/plugins/ directory. If Tenable Security Center is used to manage one or more Tenable Nessus Network Monitor systems, use the plugin upload dialog to add the new .prm file.
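To see what the match and regex chain above actually flags, and what ends up in %L, the following added example (not Tenable's code and not part of the NNM engine) replays the plugin's conditions in Python over a handful of constructed HTTP client payloads. The way the match lines are approximated (a payload starting with "POST /", a Host line ending in .facebook.com, a substring pre-check for "email=") is an assumption about how NNM evaluates them; the regex is the one from the plugin, and a tighter variant is included to show how the greedy ".*" behaves when the form body contains more than one percent-encoded "@" (%40).

```python
import re

# Constructed sample client payloads (not real captures); each is the start of
# a TCP stream as NNM would see it, with headers terminated by a blank line.
SAMPLES = {
    "facebook_login": (
        "POST /login.php HTTP/1.1\r\n"
        "Host: www.facebook.com\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "\r\n"
        "lsd=abc&email=alice%40example.com&pass=REDACTED&login=Log+In"
    ),
    # Two percent-encoded "@" signs in the body, to expose the greedy ".*" effect.
    "two_at_signs": (
        "POST /login.php HTTP/1.1\r\n"
        "Host: www.facebook.com\r\n"
        "\r\n"
        "email=dave%40example.org&redirect=mail%40example.org&pass=REDACTED"
    ),
    "get_request": "GET /home.php HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n",
    "other_host": (
        "POST /login HTTP/1.1\r\n"
        "Host: www.example.net\r\n"
        "\r\n"
        "email=bob%40example.com&pass=REDACTED"
    ),
    "no_email": "POST /api HTTP/1.1\r\nHost: m.facebook.com\r\n\r\nuser=carol&pass=x",
}

# match=^Host: *.facebook.com, approximated as "a line beginning with Host:
# whose value ends in .facebook.com" (an assumption about NNM match semantics).
HOST_RE = re.compile(r"^Host: \S*\.facebook\.com\r?$", re.MULTILINE)

# regex=email=.*%40[^&]+ exactly as written in the plugin; %L is the matched text.
CRED_RE = re.compile(r"email=.*%40[^&]+")

# Tighter alternative: [^&]* keeps the capture inside the single form field.
CRED_RE_TIGHT = re.compile(r"email=[^&]*%40[^&]+")

DESCRIPTION = (
    "The remote client was observed logging into a Facebook account. "
    "You should ensure that such behavior is in alignment with corporate "
    "policies and guidelines. For your information, the user account was "
    "logged as:\n %L"
)


def evaluate_plugin(payload, cred_re=CRED_RE):
    """Apply the plugin's match/regex chain to one payload.

    Returns the text that would fill %L when every condition holds, else None.
    """
    # match=>POST /  : the payload must begin with the POST verb
    if not payload.startswith("POST /"):
        return None
    # match=^Host: *.facebook.com  : Host header line in a facebook.com domain
    if not HOST_RE.search(payload):
        return None
    # match=email=  : cheap substring pre-filter before the regex runs
    if "email=" not in payload:
        return None
    m = cred_re.search(payload)
    return m.group(0) if m else None


def build_alert(src_ip, payload, cred_re=CRED_RE):
    """Render the plugin fields with %L substituted, or None when nothing hits."""
    captured = evaluate_plugin(payload, cred_re)
    if captured is None:
        return None
    return {
        "source": src_ip,
        "name": "POLICY - Facebook usage detection",
        "risk": "MEDIUM",
        "description": DESCRIPTION.replace("%L", captured),
    }


if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(f"{label:15} -> {evaluate_plugin(payload)!r}")
    # Compare the plugin's regex with the tighter one on the two-@ body.
    print("tight          ->", repr(evaluate_plugin(SAMPLES["two_at_signs"], CRED_RE_TIGHT)))
```

Only the first two samples produce a %L value; the GET request, the non-Facebook host and the body without an email field each fail one of the match conditions before the regex runs. On the two_at_signs body the plugin's regex captures from "email=" all the way to the last %40 in the body, so the logged value spans two form fields; restricting the middle of the pattern to [^&]* stops the capture at the end of the email field, which is the value a reviewer usually wants in the alert.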

If you wish to create a policy file that includes multiple checks, use the reserved word NEXT within the policy file. For example:

id=79420
rest of plugin
NEXT
id=79421
etc.