Pattern Matching

Tenable Nessus Network Monitor Can Match "Previous" Packets

Tenable Nessus Network Monitor allows matching on patterns in the current packet as well as patterns in the previous packet in the current session. This plugin shows how we can make use of this feature to determine if a Unix password file is sent by a web server:

id=79175

name=Password file obtained by HTTP (GET)

family=Generic

sport=80

description=It seems that a Unix password file was sent by the remote web server when the following request was made :\n%P\nWe saw : \n%L

pmatch=>GET /

pmatch=HTTP/1.

match=root

match=daemon

match=bin

regex=root:.*:0:0:.*:.*

Here we see match patterns for a root entry in a Unix password file. We also see pmatch patterns that match against a packet that makes an HTTP GET request to a web server. The match patterns apply to the current packet in a session, and the pmatch patterns apply to the packet that was captured immediately before it in the same session. To explain this visually, we are looking for occurrences of the following:

GET / HTTP/1.*

1) client -------------------------> server:port 80

Contents of password file:

root:.*:0:0:.*:.*

2) client <------------------------- server:port 80

Our match patterns would focus on the payload contents of packet 2), and our pmatch patterns on the payload contents of packet 1).

Tenable Nessus Network Monitor Can Match Binary Data

Tenable Nessus Network Monitor also allows matching against binary patterns. Here is an example plugin that uses binary pattern matching to detect the well-known community string “public” in SNMPv1 response packets (the “#” denotes a comment):

###

# SNMPv1 response

#

# Matches on the following:

# 0x30 - ASN.1 header

# 0x02 0x01 0x00 - (integer) (byte length) (SNMP version - 1)

# 0x04 0x06 public - (string) (byte length) (community string - "public")

# 0xa2 - message type - RESPONSE

# 0x02 0x01 0x00 - (integer) (byte length) (error status - 0)

# 0x02 0x01 0x00 - (integer) (byte length) (error index - 0)

###

id=71975

udp

sport=161

name=SNMP public community string

description=The remote host is running an SNMPv1 server that uses a well-known community string - public

bmatch=>0:30

bmatch=>2:020100

bmatch=>5:04067075626c6963a2

bmatch=020100020100

Binary match patterns take the following form:

bmatch=[<>[off]:]<hex>

The binary match is anchored at offset <off>, counted from the start of the packet when > is used or from the end of the packet when < is used. <hex> is the hex string we look for.

bmatch=<:ffffffff

This matches any packet whose last four bytes are set to 0xFFFFFFFF.

bmatch=>4:41414141

This matches any packet that contains the string “AAAA” (0x41414141 in hex) starting at offset 4.

bmatch=123456789ABCDEF5

This matches any packet that contains the hex string above.

Negative Matches

Tenable Nessus Network Monitor plugins can also be negated. Here are two examples:

pmatch=!pattern

pbmatch=>0:!414141

In each of these cases, the plugin does not match if the patterns contained in these “not” statements are present. For example, in the first pmatch statement, if the pattern named “pattern” is present, then the plugin does not match. In the second statement, the plugin only matches if the binary pattern “AAA” (the letter “A” in ASCII hex is 0x41) is not present as the first three characters.
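The binary patterns and the “!” negation described above can be exercised offline with a small evaluator. This is an added example, not Tenable code: the names bmatch, plugin_matches and snmp_response are hypothetical, the packet is constructed, and the handling of a non-zero offset after < is an assumption the page does not spell out.

```python
import re

# Grammar from the page: bmatch=[<>[off]:]<hex>, with "!" before the hex to negate.
_BMATCH = re.compile(r"^(?:([<>])(\d*):)?(!?)([0-9A-Fa-f]+)$")

def bmatch(pattern: str, payload: bytes) -> bool:
    """Evaluate one binary pattern (the text after 'bmatch=') against a payload."""
    m = _BMATCH.match(pattern)
    if not m or len(m.group(4)) % 2:
        raise ValueError(f"bad bmatch pattern: {pattern!r}")
    anchor, off, negate, hexstr = m.groups()
    needle = bytes.fromhex(hexstr)
    off = int(off or 0)
    if anchor == ">":
        # Anchored at a zero-based offset from the start (>0:30 is the first byte).
        hit = payload[off:off + len(needle)] == needle
    elif anchor == "<":
        # Assumption: "<off" skips off bytes back from the end; "<:" means the tail.
        end = len(payload) - off
        hit = end >= len(needle) and payload[end - len(needle):end] == needle
    else:
        hit = needle in payload  # unanchored: anywhere in the packet
    return hit != bool(negate)

def plugin_matches(patterns, payload: bytes) -> bool:
    """A plugin fires only when every one of its patterns holds."""
    return all(bmatch(p, payload) for p in patterns)

# The four bmatch lines of the SNMP plugin shown earlier on this page.
SNMP_PUBLIC = [">0:30", ">2:020100", ">5:04067075626c6963a2", "020100020100"]

def snmp_response(community: bytes) -> bytes:
    """Constructed SNMPv1 GetResponse for sysDescr.0 (short-form BER lengths only)."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body
    varbind = tlv(0x30, bytes.fromhex("06082b06010201010100") + tlv(0x04, b"test"))
    # request-id 1, error-status 0, error-index 0, then the varbind list
    pdu = tlv(0xA2, bytes.fromhex("020101020100020100") + tlv(0x30, varbind))
    return tlv(0x30, bytes.fromhex("020100") + tlv(0x04, community) + pdu)

if __name__ == "__main__":
    for name in (b"public", b"private"):
        print(name.decode(), plugin_matches(SNMP_PUBLIC, snmp_response(name)))
```

A response carrying any other community string fails the offset-5 pattern, so the plugin stays silent for it.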