Alerting

When PVS detects a real-time event, it can:

Send the event to a local log file.
Send the event via Syslog to a log aggregator such as Tenable’s LCE, an internal log aggregation server.
Send the event to a third party security event management vendor.

New Host Alerting

You can configure PVS to detect when a new host has been added to the network. By default, PVS has no knowledge of your network’s active hosts, so the first packets PVS sniffs trigger an alert. To avoid this, you can configure PVS to learn the network over a period of days. Once this period is over, any “new” traffic must be from a host that has not communicated during the initial training.

To prevent PVS from triggering new host alerts on known hosts, you can create a known hosts file in the location to which the Known Hosts File configuration parameter is set. Each line of the known hosts file supports a single IPv4 or IPv6 address. Hyphenated ranges and CIDR notation are not supported. PVS must be restarted after creating or making any changes to the known hosts file.

When PVS logs a new host, the Ethernet address saves in the message. When PVS is more than one hop away from the sniffed traffic, the Ethernet address is that of the local switch and not the actual host. If the scanner is deployed in the same collision domain as the sniffed server, then the Ethernet address is accurate.

For DHCP networks, PVS often detects a “new” host. Tenable recommends deploying this feature on non-volatile networks such as DMZ. Users should also consider analyzing PVS “new” host alerts with SecurityCenter CV, which can sort real-time PVS events by networks.

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.