Real-Time Plugin Examples

Failed Telnet Login Plugin

The easiest way to learn about Tenable Nessus Network Monitor real-time plugins is to evaluate some of those included by Tenable. Below is a plugin that detects a failed Telnet login to a FreeBSD server.

This plugin has many of the same features as a vulnerability plugin. The ID of the plugin is 79400. The high-speed port is 23. We need to be dependent on plugin 1903 (which detects a Telnet service). The realtimeonly keyword tells Tenable Nessus Network Monitor that if it observes this pattern, then it should alert on the activity, but not record any vulnerability.

In Tenable Security Center, events from Tenable Nessus Network Monitor are recorded alongside other IDS tools.

Finger User List Enumeration Plugin

The finger daemon is an older Internet protocol that allowed system users to query remote servers to get information about a user on that box. There have been several security holes in this protocol that allowed an attacker to elicit user and system information that could be useful to attackers.

This plugin looks for these patterns only on systems where a working finger daemon has been identified (dependency #1277). However, the addition of the track-session keyword means that if this plugin is launched with a value of 10, the session data from the next 10 packets is tracked and logged in either the SYSLOG or real-time log file.

During a normal finger query, if only one valid user is queried, then only one home directory is returned. However, many of the exploits for finger involve querying for users such as NULL, .., or 0. This causes vulnerable finger daemons to return a listing of all users. In that case, this plugin would be activated because of the multiple “Directory:” matches.

Unix Password File Download Web Server Plugin

This plugin below looks for any download from a web server that does not look like HTML traffic, but does look like the contents of a generic Unix password file.

The plugin is dependent on Tenable Nessus Network Monitor ID 1442, which detects web servers. In the match statements, we attempt to ignore any traffic that contains valid HTML tags, but also has lines that start with common Unix password file entries.

Generic Buffer Overflow Detection on Windows Plugin

One of Tenable Nessus Network Monitor’s strongest intrusion detection features is its ability to recognize specific services, and then to look for traffic occurring on those services that should never occur unless they have been compromised. Since Tenable Nessus Network Monitor can keep track of both sides of a conversation and make decisions based on the content of each, it is ideal to look for Unix and Windows command shells occurring in services that should not have those command shells in them. Here is an example plugin:

This plugin uses the include keyword that identifies a file that lists several dozen Tenable Nessus Network Monitor IDs, which identify well known services such as HTTP, DNS, and NTP. The plugin is not evaluated unless the target host is running one of those services.

The keyword trigger-dependency is needed to ensure the plugin is evaluated even if there is only one match in the services.inc file. Otherwise, Tenable Nessus Network Monitor evaluates this plugin only if the target host was running all Tenable Nessus Network Monitor IDs present in the services.inc file. The trigger-dependency keyword says that at least one Tenable Nessus Network Monitor ID must be specified by one or more dependency or include rules must be present.

Finally, the logic of plugin detection looks for the following type of response on a Windows system:

In this case, a user has attempted to use the cd command to change directories within a file system and the attempt was not allowed. This is a common event that occurs when a remote hacker compromises a Windows 2000 or Windows 2003 server with a buffer overflow. The Tenable Nessus Network Monitor plugin looks for a network session that should not be there.

In the plugin logic, there are pmatch and pregexi statements that attempt to ensure that the session is not an HTTP session, and that the previous side of the session contains the string cd.

Tip: The pregexi statement could be expanded to include the trailing space after the “d” character and also the first character.

The plugin then looks for the expected results of the failed cd command. The first match statement makes sure this pattern is not part of the FTP protocol. Looking for “cd” in one side of a session and the error of attempting to change to a directory in an FTP session causes false positives for this plugin. Adding a rule to ignore if a line starts with “550” avoids this. While writing and testing this plugin, Tenable considered having a different set of plugins just for FTP, but the additional filter statement took care of any false positives. Finally, the last two match statements look for the results of the failed change directory attempt. They are spread across two match statements and could have been combined into one regular expression statement, but there was enough content in the basic message to split them into higher-speed matching.