TOC & Recently Viewed

Recently Viewed Topics

Detecting Specific Server and Client Port Usage

The Show Connections configuration parameter keeps track of host communication within the focus network. When the Show Connections configuration parameter is enabled, if one of the hosts is in the defined focus network, PVS records the client, server, and server port every time a host connects to another host. It does not track the frequency or time stamp of the connections – just that a connection was made.

The Show Connections configuration parameter provides a greater level of detail than the Connections to Services configuration parameter. For example, if your IPv4 address is 1.1.1.1 or your IPv6 address is 2001:DB8::AE59:3FC2 and you use the SSH service to connect to “some_company.com” then the use of these options records the following:

 

Show Connections

some_company.com:SSH

2001:DB8::AE59:3FC2 -> some_company.com

 

Connections to Services

SSH

2001:DB8::AE59:3FC2 -> SSH

 

Using the Connections to Services configuration parameter lets you know that the system at 1.1.1.1 and 2001:DB8::AE59:3FC2 uses the SSH protocol. This information may be useful regardless of where the service is used.

PVS does not log a session-by-session list of communications. Instead, it logs the relationship between the systems. For example, if system A is detected using the SSH protocol on port 22 connecting to system B, and both systems are within the focus network, PVS would log:

  • System A browses on port 22
  • System B offers a service (listens) on port 22
  • System A communicates with System B on port 22

If system B were outside of the focus network, PVS would not record anything about the service System B offers, and would also log that System A browses outside of the focus network on port 22. PVS does not log how often a connection occurs, only that it occurred at least once. For connections outside of the focus network, PVS logs only which ports are browsed, not the actual destinations.

Note: If logging session-by-session network events is a requirement for your network analysis, Tenable offers the LCE product, which can log firewall, web server, router, and sniffer logs.

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.