Pattern Matching
Tenable Nessus Network Monitor Can Match "Previous" Packets
Tenable Nessus Network Monitor allows matching on patterns in the current packet as well as patterns in the previous packet in the current session. This plugin shows how we can make use of this feature to determine if a Unix password file is sent by a web server:
id=79175
name=Password file obtained by HTTP (GET)
family=Generic
sport=80
description=It seems that a Unix password file was sent by the remote web server when the following request was made :\n%P\nWe saw : \n%L
pmatch=>GET /
pmatch=HTTP/1.
match=root
match=daemon
match=bin
regex=root:.*:0:0:.*:.*
Here we see match patterns for a root entry in a Unix password file. We also see pmatch patterns that match against a packet that makes an HTTP GET request to a web server. The match patterns apply to the current packet in a session, and the pmatch patterns apply to the packet that was captured immediately before the current one in the same session. To explain this visually, we are looking for occurrences of the following:
GET / HTTP/1.*
1) client -------------------------> server:port 80
Contents of password file:
root:.*:0:0:.*:.*
2) client <------------------------- server:port 80
Our match pattern would focus on the contents of packet 2) and our pmatch pattern would focus on the payload contents of packet 1).
Tenable Nessus Network Monitor Can Match Binary Data
Tenable Nessus Network Monitor also allows matching against binary patterns. Here is an example plugin that makes use of binary pattern matching to detect the usage of the well-known community string “public” in SNMPv1 response packets (The “#” is used to denote a comment):
###
# SNMPv1 response
#
# Matches on the following:
# 0x30 - ASN.1 header
# 0x02 0x01 0x00 - (integer) (byte length) (SNMP version - 1)
# 0x04 0x06 public - (string) (byte length) (community string - "public")
# 0xa2 - message type - RESPONSE
# 0x02 0x01 0x00 - (integer) (byte length) (error status - 0)
# 0x02 0x01 0x00 - (integer) (byte length) (error index - 0)
###
id=71975
udp
sport=161
name=SNMP public community string
description=The remote host is running an SNMPv1 server that uses a well-known community string - public
bmatch=>0:30
bmatch=>2:020100
bmatch=>5:04067075626c6963a2
bmatch=020100020100
Binary match patterns take the following form:
bmatch=[<>[off]:]<hex>
A binary match starts at the <off>'th offset from the start of the packet when > is used, or at the <off>'th offset from the end of the packet when < is used. <hex> is the hex string we look for.
bmatch=<:ffffffff
This matches any packet whose last four bytes are set to 0xFFFFFFFF.
bmatch=>4:41414141
This matches any packet that contains the string “AAAA” (0x41414141 in hex) starting at byte offset 4.
bmatch=123456789ABCDEF5
This matches any packet that contains the hex string above.
Negative Matches
Tenable Nessus Network Monitor plugins can also be negated. Here are two examples:
pmatch=!pattern
pbmatch=>0:!414141
In each of these cases, the plugin does not match if the pattern contained in the “not” statement is present. For example, in the first pmatch statement, if the pattern named “pattern” is present in the previous packet, then the plugin does not match. In the second statement, the plugin only matches if the binary pattern “AAA” (the letter “A” is 0x41 in ASCII hex) is not present in the first three bytes.