
Detecting Custom Activity Prohibited by Policy

The plugins provided with PVS are useful for detecting generally inappropriate activities, but there may be times when more specific activities need to be detected. For example, a company may want to have an alert generated when email is sent to a competitor’s mail service or if users are managing their Facebook accounts from the corporate network.

Tenable provides the ability for users to write their own custom plugins, as documented in PVS Plugin Syntax. These plugins are saved as .prm files.

The following example shows how to create a custom plugin to detect users logging into their Facebook accounts. First, a unique plugin ID is assigned, in this case 79420. So, the first line of our plugin will be:

id=79420

Next, we add a description of what the plugin detects:

description=The remote client was observed logging into a Facebook account. You should ensure that such behavior is in alignment with corporate policies and guidelines. For your information, the user account was logged as:\n %L

The %L is replaced with the text matched by the regex statement created below. The goal is to record the source address of the offending client along with the user ID that was used to log in. Next, we give the plugin a distinct name.

name=POLICY - Facebook usage detection

Note that the name begins with the string POLICY. This will make all POLICY violations easily searchable from the SecurityCenter CV interface.

You could also define a SecurityCenter CV dynamic asset list that contains only POLICY violators.

The next field defines a family. For this example, the application is a web browser, so the family is defined as follows:

family=Web Clients

Since this is a web browser, a dependency can be assigned that will tell PVS to look at only those clients that have been observed surfing the web:

dependency=1735

Further, since we are looking at client traffic, we mark the finding as a client-side issue with the keyword:

clientissue

Next, we assign a risk rating for the observed behavior:

risk=MEDIUM

In the final section we create match and regex statements that PVS will look for passively. We want all of these statements to be true before the client is flagged for inappropriate usage:

match=>POST /

The web request must begin with a POST verb. This will weed out all “GET” requests.

match=^Host: *.facebook.com

The statement above ensures that the request is being posted to a host in the facebook.com domain.

Finally, a match and regex statement pair picks out the user ID submitted in the login form. The match line requires an email= form field to be present, and the regex captures the email address up to the next & separator (%40 is the URL-encoded @ sign); the captured text is what %L expands to in the description. Note that these lines can only be evaluated against cleartext HTTP: a login submitted over HTTPS exposes neither the Host header nor the form body to a passive sensor.

match=email=

regex=email=.*%40[^&]+

Putting it all together, we have a single plugin as follows:

id=79420
family=Web Clients
clientissue
dependency=1735
name=POLICY - Facebook usage detection
description=The remote client was observed logging into a Facebook account. You should ensure that such behavior is in alignment with corporate policies and guidelines. For your information, the user account was logged as:\n %L
risk=MEDIUM
solution=Stay off of Facebook.
match=>POST /
match=^Host: *.facebook.com
match=email=
regex=email=.*%40[^&]+

This plugin could be named Facebook.prm and added into the /opt/pvs/var/pvs/plugins/ directory. If SecurityCenter CV is being used to manage one or more PVS systems, use the plugin upload dialog to add the new .prm file.

If you wish to create a policy file that includes multiple checks, use the reserved word NEXT within the policy file. For example:

id=79420
(rest of plugin)
NEXT
id=79421
(etc.)
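To sanity-check the match and regex lines of a policy file, and a multi-plugin file that uses NEXT, before loading it into PVS, the following Python script replays the plugin conditions over a few sample HTTP requests. It is an illustration added here; it is not Tenable's code and not part of PVS. It interprets the syntax as this page describes it: a leading > on a match line anchors to the start of the data, a leading ^ anchors to the start of a line, and the text matched by the regex fills %L in the description. It also treats * in a match line as a wildcard so that the page's Host line matches a host such as www.facebook.com; that interpretation, the second plugin (id 79421, mail.example.net), the client addresses and the request payloads are all assumptions made for the example. Confirm the exact match semantics in the PVS Plugin Syntax reference before relying on them.

```python
# Offline replay of a PVS-style .prm policy file against constructed HTTP requests.
# Added example, not Tenable's code. Match semantics follow this page's wording;
# treating '*' in a match line as a wildcard is an assumption (see PVS Plugin Syntax).
import re

# Constructed policy file: the page's Facebook plugin, then a hypothetical
# second check (id 79421, mail.example.net) separated by the reserved word NEXT.
POLICY_PRM = """\
id=79420
family=Web Clients
clientissue
dependency=1735
name=POLICY - Facebook usage detection
description=The remote client was observed logging into a Facebook account. You should ensure that such behavior is in alignment with corporate policies and guidelines. For your information, the user account was logged as:\\n %L
risk=MEDIUM
solution=Stay off of Facebook.
match=>POST /
match=^Host: *.facebook.com
match=email=
regex=email=.*%40[^&]+
NEXT
id=79421
name=POLICY - Webmail usage detection (hypothetical)
description=The remote client posted a webmail login:\\n %L
risk=LOW
match=>POST /
match=^Host: mail.example.net
regex=user=[^&]+
"""

# Constructed (client address, cleartext HTTP request) pairs a passive sensor might see.
SAMPLE_REQUESTS = [
    ("10.0.0.21", "POST /login.php HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"
                  "email=alice%40example.com&pass=hunter2&login=Log+In"),   # fires 79420
    ("10.0.0.22", "GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"),       # GET: rejected by '>POST /'
    ("10.0.0.23", "POST /login HTTP/1.1\r\nHost: www.example.org\r\n\r\n"
                  "email=bob%40example.org&pass=x"),                         # wrong Host
    ("10.0.0.24", "POST /auth HTTP/1.1\r\nHost: mail.example.net\r\n\r\n"
                  "user=carol&pass=y"),                                     # fires 79421
]


def parse_prm(text):
    """Split a .prm file on NEXT; match/regex become lists, bare words become flags."""
    plugins, current = [], {}
    for line in filter(None, map(str.strip, text.splitlines())):
        if line == "NEXT":
            plugins.append(current)
            current = {}
        elif "=" not in line:
            current[line] = True                       # e.g. clientissue
        else:
            key, value = line.split("=", 1)            # first '=' only: regexes contain '='
            if key in ("match", "regex"):
                current.setdefault(key, []).append(value)
            else:
                current[key] = value
    if current:
        plugins.append(current)
    return plugins


def match_to_regex(pattern):
    """Turn a match= line into a regex: '>' -> start of data, '^' -> start of line."""
    if pattern.startswith(">"):
        prefix, body = r"\A", pattern[1:]
    elif pattern.startswith("^"):
        prefix, body = "^", pattern[1:]
    else:
        prefix, body = "", pattern
    body = re.escape(body).replace(r"\*", ".*")        # '*' as wildcard (assumption)
    return re.compile(prefix + body, re.MULTILINE)


def evaluate(plugin, payload):
    """Return the description with %L filled in if every match= and regex= hits, else None."""
    for pattern in plugin.get("match", []):
        if not match_to_regex(pattern).search(payload):
            return None
    captured = ""
    for pattern in plugin.get("regex", []):
        hit = re.search(pattern, payload, re.MULTILINE)
        if not hit:
            return None
        captured = hit.group(0)                        # %L is the text the regex matched
    return plugin.get("description", "").replace("%L", captured).replace("\\n", "\n")


def scan(prm_text, requests):
    """Apply every plugin to every request; return (client, plugin id, rendered description)."""
    hits = []
    for plugin in parse_prm(prm_text):
        for client, payload in requests:
            rendered = evaluate(plugin, payload)
            if rendered is not None:
                hits.append((client, plugin["id"], rendered))
    return hits


if __name__ == "__main__":
    for client, plugin_id, text in scan(POLICY_PRM, SAMPLE_REQUESTS):
        print(f"{client} -> plugin {plugin_id}\n{text}\n")
```

Run it directly to print the hits: the GET request and the post to www.example.org fall through, while the Facebook login is reported under 79420 with %L set to the email= field, which is the behaviour the plugin above is meant to have. Editing a match or regex line in POLICY_PRM and re-running is a quick way to see which condition a change loosens or breaks.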

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.