PVS Settings Section

The PVS Settings section provides options for configuring the network settings for PVS, including what network(s) are monitored or excluded, how to monitor those networks, and what network interfaces PVS has identified for monitoring. If your PVS is licensed to run in High Performance mode, you can also change the performance mode.

Note: The Network Interfaces Settings view shows only network interfaces that do not have IP addresses assigned to them. As a result, in High Performance mode the list is empty if every interface has an assigned IP address.

ACAS Classification

ACAS

Support for ACAS banners may be enabled from the command line of the PVS server service using the command /opt/pvs/bin/pvs --config --add "ACAS Classification" "SECRET". SECRET may be replaced by UNCLASSIFIED, CONFIDENTIAL, TOP SECRET, or NOFORN. Once enabled, a drop-down menu for the ACAS option appears in the GUI front end.

Support for ACAS banners may be disabled from the command line of the PVS server by running /opt/pvs/bin/pvs --config --delete "ACAS Classification" from the binary directory on the server.

Advanced

Login Banner

A text box in which you can specify a login banner.

Analysis Modules

Enable SCADA/ICS Analysis Module

A check box that, when selected, enables the SCADA/ICS Analysis Module. Click the caret button to the left of the setting name to display a list of individual module detections within the module. Click on individual module detections within the list to disable/enable them. Disabling a SCADA/ICS module detection enables the legacy PASL. See SCADA/ICS Analysis Module for more information.

Enable Connection Analysis Module

A check box that, when selected, enables the Connection Analysis Module. Click the caret button to the left of the setting name to display a list of individual module detections within the module. Click on individual module detections within the list to disable/enable them. See Connection Analysis Module for more information.

DNS Query

DNS Cache Lifetime Analysis Module

A text box in which you can specify the amount of time PVS retains and stores a given host’s DNS record, in seconds. By default, this option is set to 43200 (12 hours), but can be set to any value between 3600 and 172800 (48 hours).

DNS Query Time Interval

A text box in which you can specify the delay between sets of DNS queries, in seconds. By default, this option is set to 5, but can be set to any value between 1 and 120.

DNS Queries per Interval

A text box in which you can specify the maximum number of concurrent DNS requests made during each DNS query interval. By default, this option is set to 5, but can be set to any value between 0 and 1000. Setting this value to 0 disables this feature and prevents further DNS queries from being made.

Database

Enable Malformed Database Recovery

A check box that, when selected, allows PVS to recover a malformed database.

Memory

Sessions Cache Size

A text box in which you can specify the size, in megabytes, of the session table. Adjust the session size as needed for the local network. By default, this option is set to 50.

Packet Cache Size

A text box in which you can specify the maximum size, in megabytes, of the cache used to store the contents of the packets collected before processing. By default, this option is set to 128 MB with a maximum size of 512 MB. When the cache is full, any subsequent packets captured are dropped until space in the cache becomes available.

Monitoring

Monitored Network Interfaces

A list of the network device(s) used for sniffing packets. Devices may be selected individually or in multiples. At least one interface must be selected from the list of available devices.

Note: High Performance mode does not support e1000 NICs as monitored interfaces on VMs. If you are running PVS on a VM in High Performance mode and select an e1000 monitored interface, PVS automatically reverts to Standard mode.

Monitored Network IP Addresses and Ranges

A text box in which you can specify the network(s) monitored. The default setting is 0.0.0.0/0, which instructs PVS to monitor all IPv4 addresses. This should be changed to monitor only target networks; otherwise PVS may quickly become overwhelmed. Multiple addresses must be separated by commas. When monitoring VLAN networks, you must use the syntax vlan ipaddress/subnet.

Example: 192.168.1.0/24,2001:DB8::/64,10.2.3.0/22,vlan 172.16.0.0/16,192.168.3.123/32

Excluded Network IP Addresses and Ranges

A text box in which you can specify, in CIDR notation, any network(s) to specifically exclude from PVS monitoring. This option accepts both IPv4 and IPv6 addresses. Multiple addresses must be separated by commas. When excluding VLAN networks, you must use the syntax vlan ipaddress/subnet. If this text box is left blank, no addresses will be excluded.

Example: 192.168.1.0/24,2001:DB8::/64,10.2.3.0/22,vlan 172.16.0.0/16,192.168.3.123/32
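The Monitored and Excluded range lists above share one syntax: comma-separated IPv4 or IPv6 CIDR entries, each optionally prefixed with "vlan ". The following added example (not part of the PVS documentation or product) parses that syntax and flags two things a reviewer wants to catch before deployment: a 0.0.0.0/0 catch-all that will overwhelm PVS, and an exclusion that overlaps no monitored range. Function names and warning texts are this example's own.

```python
import ipaddress

def parse_pvs_network_list(text):
    """Parse a comma-separated PVS network list into (is_vlan, network) pairs.

    Accepts the syntax shown on the page: IPv4 or IPv6 CIDR entries, each
    optionally prefixed with "vlan ". Raises ValueError on a malformed entry.
    """
    entries = []
    for raw in text.split(","):
        item = raw.strip()
        if not item:
            continue  # tolerate an empty field left by a trailing comma
        is_vlan = item.lower().startswith("vlan ")
        if is_vlan:
            item = item[len("vlan "):].strip()
        # strict=False: the page's own example 10.2.3.0/22 has host bits set,
        # so it is normalised to 10.2.0.0/22 instead of being rejected.
        entries.append((is_vlan, ipaddress.ip_network(item, strict=False)))
    return entries

def check_pvs_monitoring(monitored_text, excluded_text=""):
    """Return review warnings for a Monitored/Excluded ranges pair."""
    warnings = []
    monitored = parse_pvs_network_list(monitored_text)
    excluded = parse_pvs_network_list(excluded_text)
    if not monitored:
        warnings.append("no monitored network: at least one is required")
    for _, net in monitored:
        if net.prefixlen == 0:
            # 0.0.0.0/0 (or ::/0) is the default and watches every address.
            warnings.append(f"{net} monitors every IPv{net.version} address")
    for _, ex in excluded:
        # An exclusion that touches no monitored range has no effect; usually a typo.
        if not any(m.version == ex.version and m.overlaps(ex) for _, m in monitored):
            warnings.append(f"excluded {ex} does not overlap any monitored range")
    return warnings
```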

Extended Packet Filter

A text box in which you can specify a BPF primitive.

The net, IP, IPv6, and VLAN primitives are not supported by this feature. Additionally, the protochain primitive is not supported on Windows platforms.


PVS Proxy

PVS Restart Attempts

A text box in which you can specify the number of times the PVS proxy attempts to restart the PVS engine in the event the engine stops running. By default, this option is set to 10, but can be set to any value between 1 and 15. Once the restart attempt limit is reached, the proxy stops trying for 30 minutes.

PVS Restart Interval

A text box in which you can specify the amount of time, in minutes, between PVS restart attempts. By default, this option is set to 10, but can be set to any value between 1 and 3600.

PVS Web Server

Enable SSL for Web Server

A check box that, when selected, enables SSL protection for connections to the web server. This check box is selected by default. Clearing the check box is not recommended, as it will allow unencrypted traffic to be sent between a web browser and PVS. Custom SSL certificates may be installed in the /opt/pvs/var/pvs/ssl directory. Changes to this setting require that PVS be restarted.

Note: Changing this option while PVS is running makes communication between the client and server either encrypted or unencrypted. If you select or clear the Enable SSL for Web Server check box, the Web Server automatically ends your current PVS session.

Minimum Password Length

A text box in which you can specify the lowest number of characters a password may contain. By default, this option is set to 5, but can be set to any value between 5 and 32.

PVS Web Server Address

A text box in which you can specify an IPv4 or IPv6 address on which the PVS web server listens. The default setting is 0.0.0.0, which instructs the web server to listen on all available IPv4 and IPv6 addresses.

Note: Link-local addresses are not supported for IPv6 addresses.

PVS Web Server Port

A text box in which you can specify the PVS web server listening port. The default setting is 8835, but can be changed as appropriate for the local environment.

Note: If you change the value in this field, the Web Server automatically ends your current PVS session.

PVS Web Server Idle Session Timeout

A text box in which you can specify the number of minutes of inactivity before a web session becomes idle. By default, this option is set to 30, but can be set to any value between 5 and 60.

Enable SSL Client Certificate Authentication

A check box that, when selected, allows the web server to accept only SSL client certificates for user authentication.

Enable Debug Logging for PVS Web Server

A check box that, when selected, allows the web server to include debug information in the logs for troubleshooting issues related to the web server. The logs become very large if this option is routinely enabled.

Maximum User Login Attempts

A text box in which you can specify the number of times a user can enter an incorrect password in a 24-hour period before the user’s account is locked.

Max Sessions per User

A text box in which you can specify the number of concurrent sessions a user can have running at one time.

Enforce Complex Passwords

A check box that, when selected, forces the user’s passwords to contain at least one uppercase character, one lowercase character, one digit, and one special character from the following: !@#$%^&*().

Restrict Access to TLS 1.2 or higher

A check box that, when selected, forces the PVS Web server to use TLS 1.2 or higher communications.

Plugins

Process High Speed Plugins Only

PVS is designed to find various protocols on non-standard ports. For example, PVS can easily find an Apache server running on a port other than 80. However, on a high traffic network, PVS can be run in High Performance mode, which allows it to focus certain plugins on specific ports. When High Performance mode is enabled and this check box is selected, any plugin that uses the keywords hs_dport or hs_sport is executed only on traffic traversing the specified ports.

Enable Automatic Plugin Updates

A check box that, when selected, allows PVS to update its plugins automatically from the Tenable website on a daily basis. If the PVS server is not connected to the Internet, it is recommended that you disable this option.

Tip: When the HTML Client updates, the web browser needs to be refreshed to utilize the new client. In some cases, the web browser’s cache must be deleted to view the new client.

Realtime Events

Realtime Events File Size

A text box in which you can specify the maximum amount of data from real-time events that is stored in one text file. The option must be specified in kilobytes, megabytes, or gigabytes by appending a K, M, or G, respectively, to the value.

Log Realtime Events to Realtime Log File

A check box that, when selected, allows PVS detected real-time events to be recorded to a log file in the following location:

/opt/pvs/var/pvs/logs/realtime-logs-##.txt

This option can be configured via the CLI.

Enable Realtime Event Analysis

A check box that, when selected, allows PVS to analyze real-time events.

Maximum Viewable Realtime Events

A text box in which you can specify the maximum number of most recent events cached by the PVS engine. This setting is in effect only when Realtime Event Analysis is enabled.

Maximum Realtime Log Files

A text box in which you can specify the maximum number of realtime log files written to the disk.

Reports

Report Threshold

A text box in which you can specify the number of times the encryption detection algorithm executes during a session. Once the threshold is reached, the algorithm no longer executes during the session. By default, this option is set to 3.

Report Lifetime

A text box in which you can specify, in days, how long vulnerabilities and snapshot reports are cached. After the configured number of days is met, PVS's discovered vulnerabilities and snapshot reports are removed. This option can be set to a maximum value of 90 days. By default, this option is set to 7 and cannot be set higher than the Host Lifetime value.

Host Lifetime

A text box in which you can specify, in days, how long hosts are cached. After the configured number of days is met, PVS's discovered hosts are removed. This option can be set to a maximum value of 365 days. By default, this option is set to 7 and cannot be set lower than the Report Lifetime value.

Report Frequency

A text box in which you can specify, in minutes, how often PVS writes a report. By default, this option is set to 15. SecurityCenter 4.6 and higher retrieve the PVS report every 15 minutes.

Knowledgebase Lifetime

A text box in which you can specify, in seconds, the maximum length of time that a knowledgebase entry remains valid after its addition. By default, this option is set to 864000.

New Asset Discovery Interval

A text box in which you can specify, in days, how long PVS monitors traffic before detecting new hosts. PVS listens to network traffic and attempts to discover when a new host has been added. To do this, PVS constantly compares a list of hosts that have generated traffic in the past to those currently generating traffic. If it finds a new host generating traffic, it issues a “new host alert” via the real-time log. For large networks, PVS can be configured to run for several days to gain knowledge about which hosts are active. This prevents PVS from issuing an alert for hosts that already exist. For large networks, Tenable recommends that PVS operate for at least two days before detecting new hosts. By default, this option is set to 2.

Connections to Services

A check box that, when selected, enables PVS to log which clients attempt to connect to servers on the network and to what port they attempt to connect. These events indicate only that an attempt to connect was made, not whether the connection was successful. Events detected by PVS of this type are logged as PVS internal plugin ID 2.

Show Connections

A check box that, when selected, instructs PVS to record clients in the focus network that attempt to connect to a server IP address and port and receive a positive response. The record contains the client IP address, the server IP address, and the server port that the client attempted to connect to. For example, if four different hosts within the focus network attempted to connect with a server IP over port 80 and received a positive response, then a list of those hosts is reported under PVS internal plugin ID 3 and port 80.

Known Hosts File

Note: You can only configure this feature via the command line interface.

A configuration parameter in which you can enter the location of the known-hosts.txt file. You must manually create the Known Hosts file.

This feature supports a single row for each IP (IPv4 or IPv6). Hyphenated ranges and CIDR notation are not supported. New host alerts no longer appear for the hosts listed in this file.

Note: Blank rows are ignored, and invalid entries are noted in the PVS log file. If you make any changes to the Known Hosts file, you must restart PVS.
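Because invalid rows are only reported in the PVS log after a restart, it is worth checking a known-hosts file against the rules above before restarting. This added example (not part of the PVS product) applies exactly those rules: one IPv4 or IPv6 address per row, blank rows skipped, CIDR and hyphenated ranges rejected. The sample file content is constructed for the example.

```python
import ipaddress

# Constructed sample known-hosts.txt content (not from the page):
# a valid IPv4, a blank row, a valid IPv6, then three rows PVS would reject.
SAMPLE_KNOWN_HOSTS = """\
192.168.1.10

2001:db8::23b4
10.0.0.0/24
172.16.0.1-172.16.0.50
printer01
"""

def validate_known_hosts(text):
    """Split known-hosts file text into (accepted_hosts, rejected_rows).

    Returns the accepted addresses (as ipaddress objects) and a list of
    (line_no, row, reason) for every row PVS would log as invalid.
    """
    accepted, rejected = [], []
    for line_no, row in enumerate(text.splitlines(), start=1):
        entry = row.strip()
        if not entry:
            continue  # blank rows are ignored by PVS
        if "/" in entry:
            rejected.append((line_no, entry, "CIDR notation is not supported"))
            continue
        if "-" in entry:
            rejected.append((line_no, entry, "hyphenated ranges are not supported"))
            continue
        try:
            accepted.append(ipaddress.ip_address(entry))
        except ValueError:
            rejected.append((line_no, entry, "not an IPv4 or IPv6 address"))
    return accepted, rejected
```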

Session Analysis

Encrypted Sessions Dependency Plugins

A text box in which you can specify the Plugin IDs, separated by commas, used to detect encrypted traffic.

Encrypted Sessions Excluded Network Ranges

A text box in which you can specify the IPv4 and IPv6 addresses and ports, in CIDR notation, excluded from monitoring for encrypted traffic.

Example: 192.168.1.0/24,2001:DB8::/64,10.2.3.0/22,vlan 172.16.0.0/16,192.168.3.123/32

Interactive Sessions Dependency Plugins

A text box in which you can specify the Plugin IDs, separated by commas, used to detect interactive sessions.

Interactive Sessions Excluded Network Ranges

A text box in which you can specify the IPv4 and IPv6 addresses and ports, in CIDR notation, excluded from monitoring for interactive sessions.

Example: 192.168.1.0/24,2001:DB8::/64,10.2.3.0/22,vlan 172.16.0.0/16,192.168.3.123/32

Syslog

Realtime Syslog Server List

A text box in which you can specify the IPv4 or IPv6 address and port of a Syslog server to receive real-time events from PVS. A local Syslog daemon is not required. Syslog items can be specified in Standard or CEF format and sent over UDP or TCP.

Example: 192.168.1.12:4567,10.10.10.10:514,[2001:DB8::23B4]:514

Vulnerability Syslog Server List

A text box in which you can specify the IPv4 or IPv6 address and port of a Syslog server to receive vulnerability data from PVS. A local Syslog daemon is not required. Syslog items can be specified in Standard or CEF format and sent over UDP or TCP.

Example: 192.168.1.12:4567,10.10.10.10:514,[2001:DB8::23B4]:514

Note: While PVS may display multiple log events related to one connection, it sends only a single event to the remote Syslog server(s).
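Both Syslog server lists use the address:port form shown in the examples, with IPv6 addresses in square brackets so their colons are not confused with the port separator. This added example (not part of the PVS product) parses that list and rejects the mistakes that silently lose events: a missing port, an out-of-range port, or an unbracketed IPv6 address. The function name is this example's own.

```python
import ipaddress

def parse_syslog_server_list(text):
    """Parse a PVS Syslog server list into a list of (ip_address, port) tuples.

    Handles the two forms on the page, "v4addr:port" and "[v6addr]:port",
    and raises ValueError for anything PVS could not deliver to.
    """
    servers = []
    for raw in text.split(","):
        item = raw.strip()
        if not item:
            continue  # tolerate an empty field left by a trailing comma
        if item.startswith("["):
            # Bracketed IPv6: everything up to "]" is the address, then ":port".
            close = item.find("]")
            if close == -1 or not item[close + 1:].startswith(":"):
                raise ValueError(f"malformed bracketed entry: {item!r}")
            host, port_text = item[1:close], item[close + 2:]
        else:
            # Unbracketed: split on the last colon so "a.b.c.d:port" works;
            # a colon left in the host means an unbracketed IPv6 address.
            host, sep, port_text = item.rpartition(":")
            if not sep:
                raise ValueError(f"missing port: {item!r}")
            if ":" in host:
                raise ValueError(f"IPv6 addresses must be bracketed: {item!r}")
        addr = ipaddress.ip_address(host)
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise ValueError(f"port out of range 1-65535: {item!r}")
        servers.append((addr, int(port_text)))
    return servers
```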

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.