
Real-Time Plugin Examples

Failed Telnet Login Plugin

The easiest way to learn about PVS real-time plugins is to evaluate some of those included by Tenable. Below is a plugin that detects a failed Telnet login to a FreeBSD server.

# Look for failed logins into a FreeBSD telnet server
id=79400
hs_sport=23
dependency=1903
realtimeonly
name=Failed login attempt
description=PVS detected a failed login attempt to a telnet server
risk=LOW
match=Login incorrect

This plugin has many of the same features as a vulnerability plugin. The plugin ID is 79400 and the high-speed port is 23. The plugin depends on plugin 1903, which detects a Telnet service. The realtimeonly keyword tells PVS that when it observes this pattern it should alert on the activity but not record a vulnerability.

Under SecurityCenter CV, events from PVS are recorded alongside other IDS tools.

Finger User List Enumeration Plugin

The finger daemon is an older Internet protocol that allowed system users to query remote servers to get information about a user on that box. There have been several security holes in this protocol that allowed an attacker to elicit user and system information that could be useful to attackers.

id=79500
dependency=1277
hs_sport=79
track-session=10
realtimeonly
name=App Subversion - Successful finger query to multiple users
description=A response from a known finger daemon was observed which indicated that the attacker was able to retrieve a list of three or more valid user names.
risk=HIGH
match=Directory:
match=Directory:
match=Directory:

This plugin looks for these patterns only on systems where a working finger daemon has already been identified (dependency 1277). The track-session keyword with a value of 10 means that once this plugin fires, the session data from the next 10 packets is tracked and logged to either SYSLOG or the real-time log file.

During a normal finger query, if only one valid user is queried, then only one home directory will be returned. However, many of the exploits for finger involve querying for users such as NULL, .., or 0. This causes vulnerable finger daemons to return a listing of all users. In that case, this plugin would be activated because of the multiple “Directory:” matches.

Unix Password File Download Web Server Plugin

The plugin below looks for any download from a web server that does not look like HTML traffic but does look like the contents of a generic Unix password file.

id=79300
dependency=1442
hs_sport=80
track-session=10
realtimeonly
name=Web Subversion - /etc/passwd file obtained
description=A file which looks like a Linux /etc/passwd file was downloaded from a web server.
risk=HIGH
match=!<HTML>
match=!<html>
match=^root:x:0:0:root:/root:/bin/bash
match=^bin:x:1:1:bin:
match=^daemon:x:2:2:daemon:

The plugin is dependent on PVS ID 1442, which detects web servers. The negated match statements (the ! prefix) ignore any traffic that contains HTML tags, while the remaining anchored match statements (the ^ prefix) require lines that start with common Unix password file entries.

Generic Buffer Overflow Detection on Windows Plugin

One of PVS’s strongest intrusion detection features is its ability to recognize specific services, and then to look for traffic occurring on those services that should never occur unless they have been compromised. Since PVS can keep track of both sides of a conversation and make decisions based on the content of each, it is ideal to look for Unix and Windows command shells occurring in services that should not have those command shells in them. Here is an example plugin:

# look for Windows error when a user tries to
# switch to a drive that doesn't exist
id=79201
include=services.inc
trigger-dependency
track-session=10
realtimeonly
name=Successful shell attack detected - Failed cd command
description=The results of an unsuccessful attempt to change drives on a Windows machine occurred in a TCP session normally used for a standard service. This may indicate a successful compromise of this service has occurred.
risk=HIGH
pmatch=!>GET
pregexi=cd
match=!>550
match=^The system cannot find the
match=specified.

This plugin uses the include keyword, which names a file listing several dozen PVS IDs that identify well known services such as HTTP, DNS, and NTP. The plugin is not even evaluated unless the target host is running one of those services.

The keyword trigger-dependency is needed to ensure the plugin is evaluated even if there is only one match in the services.inc file. Otherwise, PVS would evaluate this plugin only if the target host was running all PVS IDs present in the services.inc file. The trigger-dependency keyword basically says that at least one PVS ID specified by one or more dependency or include rules must be present.

Finally, the logic of plugin detection is looking for the following type of response on a Windows system:

In this case, a user has attempted to use the cd command to change directories within a file system and the attempt was not allowed. This is a common event that occurs when a remote hacker compromises a Windows 2000 or Windows 2003 server with a buffer overflow. The PVS plugin looks for a network session that should not be there.

Looking at the plugin logic, there are pmatch and pregexi statements that attempt to ensure that the session is not an HTTP session, and that the previous side of the session contains the string cd.

Tip: The pregexi statement could be expanded to include the trailing space after the “d” character and also the first character.

The plugin then looks for the expected results of the failed cd command. The first match statement makes sure this pattern is not part of the FTP protocol. It turns out that looking for “cd” in one side of a session and the error of attempting to change to a directory in an FTP session would cause false positives for this plugin. Adding a rule to ignore if a line starts with “550” avoids this. While writing and testing this plugin, Tenable considered having a different set of plugins just for FTP, but the additional filter statement took care of any false positives. Finally, the last two match statements look for the results of the failed change directory attempt. They are spread across two match statements and could have been combined into one regular expression statement, but there was enough content in the basic message to have them split into higher-speed matching.
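To make the rule semantics used by the finger, /etc/passwd and failed-cd plugins above concrete, here is an added Python evaluator; it is not Tenable's code and PVS's real matching engine is not described on this page. It parses the key=value plugin format and applies the rules as the prose reads them: match tests the current side of the session, pmatch and pregexi test the previous side, a leading ! negates, ^ and > are both treated as line-start anchors (an assumption), and a pattern repeated N times must occur at least N times. The plugin text and traffic samples are constructed for the check.

```python
import re
from collections import Counter

def parse_plugin(text):
    """Parse this page's key=value plugin format: scalar keywords become dict
    entries, bare keywords (realtimeonly) become True, rules keep their order."""
    plugin = {"rules": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition("=")
        if key in ("match", "pmatch", "pregexi"):
            plugin["rules"].append((key, val))
        else:
            plugin[key] = val or True
    return plugin

def count_hits(pattern, payload):
    """Occurrences of pattern; a leading '^' or '>' is read as a line-start
    anchor, as the prose above does (assumption about the real engine)."""
    if pattern[:1] in ("^", ">"):
        return sum(l.startswith(pattern[1:]) for l in payload.splitlines())
    return payload.count(pattern)

def evaluate(plugin, current, previous=""):
    """True if the plugin fires: match tests the current side, pmatch/pregexi
    the previous side, '!' negates, a pattern listed N times must occur >= N."""
    required = Counter()
    for kind, pat in plugin["rules"]:
        negate = pat.startswith("!")
        pat = pat[1:] if negate else pat
        side = current if kind == "match" else previous
        if kind == "pregexi":
            if (re.search(pat, side, re.IGNORECASE) is None) != negate:
                return False
        elif negate:
            if count_hits(pat, side):
                return False
        else:
            required[(kind, pat)] += 1
    return all(count_hits(p, current if k == "match" else previous) >= n
               for (k, p), n in required.items())

# Constructed check: this page's /etc/passwd plugin against a leaked file (fires) and an HTML page (does not).
PASSWD_PLUGIN = ("id=79300\ndependency=1442\nhs_sport=80\nrealtimeonly\n"
                 "match=!<HTML>\nmatch=!<html>\nmatch=^root:x:0:0:root:/root:/bin/bash\n"
                 "match=^bin:x:1:1:bin:\nmatch=^daemon:x:2:2:daemon:\n")
LEAKED = ("root:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\n"
          "daemon:x:2:2:daemon:/sbin:/sbin/nologin\n")
HTML_PAGE = "<html><body>root:x:0:0:root:/root:/bin/bash</body></html>\n"
```

Calling evaluate(parse_plugin(PASSWD_PLUGIN), LEAKED) returns True while the HTML page returns False, and the same function reproduces the three-Directory: requirement of the finger plugin and the 550 exclusion of the failed-cd plugin.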

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.