Recently Viewed Topics
This plugin illustrates the basic concepts of PVS plugin writing:
description=An IMAP server is running on this port. Its banner is :\n %L
This example uses the following fields:
id- A unique number assigned to this plugin.
nid- The Nessus ID of the corresponding Nessus NASL script.
hs_sport- The source port to key on if High Performance mode is enabled.
name- The name of the plugin.
description- A description of the problem or service.
match- The set of match patterns that must be found in the payload of the packet before the regular expression can be evaluated.
regex- The regular expression to apply to the packet payload.
Tip: The description contains the %L macro. If this plugin evaluates successfully, then the string pattern in the payload that matched the regular expression is stored in %L and prints out at report time.
name=Atrium Mercur Mailserver
description=The remote imap server is Mercur Mailserver 3.20. There is a flaw in this server (present up to version 3.20.02) which allow any authenticated user to read any file on the system. This includes other user mailboxes, or any system file. Warning : this flaw has not been actually checked but was deduced from the server banner
solution=There was no solution ready when this vulnerability was written; Please contact the vendor for updates that address this vulnerability.
regex=^\* OK.*MERCUR IMAP4-Server.*v3\.20\..*$
Tip: The first match pattern makes use of the > symbol. The > symbol indicates that the subsequent string must be at the beginning of the packet payload. Use of the > symbol is encouraged where possible as it is an inexpensive operation.
There is a tool called SmartDownLoader that uploads and downloads large files. Unfortunately, versions 0.1 through 1.3 use the capitalization SmartDownloader, versions 1.4 through 2.7 use smartdownloader and versions 2.8 through current use SMARTdownloader. Searching for the various combinations of this text with purely the
regex command would cause us to use a statement that looks like this:
However, with the
regexi command, the search string is much less complex and less prone to creating an error:
regexi, we can more quickly match on all three versions as well as future permutations of the string
smartdownloader. In a case such as this,
regexi is the logical choice.
description=The remote host is running SmartDownLoader, a tool for performing rudimentary uploads and downloads of large binary files.
solution=Ensure that this application is in keeping with Corporate policies and guidelines
A complete example PVS plugin using the
regexi keyword is shown above. The use of the
match keyword searching for the string ownloader is not a typo. By searching for network sessions that have this string in them first, PVS can avoid invoking the expensive
regexi search algorithm unless the ownloader pattern is present.