You are here: Additional Resources > PVS Plugins > PVS Plugin Syntax > Time Dependent Plugins

Time Dependent Plugins

The last plugin example shows some more advanced features of the PVS plugin language that allows a plugin to be time dependent as well as make use of the evaluation of other plugins. The plugin shows how PVS detects an anonymous FTP server. Use the NEXT keyword to separate plugins in the plugin file.

id=79200

nooutput

hs_sport=21

name=Anonymous FTP (login: ftp)

pmatch=^USER ftp

match=^331

NEXT #-----------------------------------------------------------

id=79201

dependency=79200

timed-dependency=5

hs_sport=21

name=Anonymous FTP enabled

description=The remote FTP server has anonymous access enabled.

risk=LOW

pmatch=^PASS

match=^230

Since we want to detect an anonymous FTP server, we must look for the following traffic pattern:

USER ftp

1) FTP client -----------------------> FTP server

331 Guest login ok, ...

2) FTP client <----------------------- FTP server

PASS joe@fake.com

3) FTP client -----------------------> FTP server

230 Logged in

4) FTP client <----------------------- FTP server

Here we cannot use a single plugin to detect this entire session. So, instead we use two plugins: the first plugin looks for packets 1) and 2) and the second plugin looks for packets 3) and 4).

A review of the above plugin shows that plugin 79200 matches 1) and 2) in the session by keying on the patterns “USER ftp” and the 331 return code. Plugin 79201 matches on 3) and 4) by keying on the patterns “PASS” and the 230 return code.

Notice that plugin 79201 contains the following field: dependency=79200. This field indicates the plugin 79200 must evaluate successfully before plugin 79201 may be evaluated.

To complete the plugin for the anonymous FTP session, we must ensure both plugins are evaluating the same FTP session. To do this, we attach a time dependency to plugin 79201. The field time-dependency=5 indicates that plugin 79200 must evaluate successfully in the last five seconds for 79201 to evaluate. This way, we can ensure that both plugins evaluate the same FTP session.

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.