Red Hat NETWORK BASIC - USER REFERENCE GUIDE 4.0 User Guide

Content Summary

Page 1 - User Guide

Passive Vulnerability Scanner 4.0 User Guide September 18, 2014 (Revision 12)

Page 2 - Table of Contents

10 Once completed, an “Update Complete” dialog will be displayed indicating that PVS has been updated to version 4.0. Select the “Finish” button to

Page 3

11 Upgrading PVS on Mac OS X Before upgrading, the PVS services must be stopped. Failure to do so may result in errors. See the “Starting and Stop

Page 4

12 The next screen displays the End User License Agreement (EULA). The text of the agreement can be copied and pasted into a separate document file

Page 6 - Pre-Installation

14 Click “Install” to begin the upgrade: Next, the installation process will ask for authentication for permission to install the software. The in

Page 7 - Upgrading

15 The installation will then be completed. Immediately after the successful upgrade of PVS, the Installer will automatically launch the Safari br

Page 9

17 Initial Installation This section describes the steps required for an initial installation of PVS on Linux, Mac OS X, and Windows platforms. Linu

Page 10

18 Unless otherwise noted, perform all commands as a local administrator user. When UAC is enabled, right click on the installer program and select

Page 11 - Upgrading PVS on Mac OS X

19 The InstallShield Wizard will walk you through the installation process and any required configuration. At any point prior to completion, configu

Page 12

2 Table of Contents Introduction ...

Page 14

21 The installation process will then verify the path where the PVS binaries will be installed. Clicking on “Change…” will allow you to specify a cu

Page 15

22 The final screen of the PVS installation configuration options provides the opportunity to go back to make any edits to information supplied on

Page 16

23 Once PVS has been installed, it will determine if WinPcap is already installed on the system. If the current version of WinPcap is installed and

Page 18

25 You must agree to the WinPcap end-user license agreement in order to complete the installation: WinPcap can be configured to start during boot t

Page 19

26 Once the license has been agreed to and the configuration option specified, click “Install” to complete the process. After WinPcap is installed,

Page 20

27 Double click on the Install PVS.pkg file to launch the Installer: This will launch the Tenable PVS Installer, which will walk you through the in

Page 22

29 Click “Install” to begin the installation: Next, the installation process will ask for authentication for permission to install the software. T

Page 23

3 Define Unknown or Customized Ports ... 53 PVS Re

Page 24

30 The installation will then be completed. Immediately after the successful installation of PVS, the Installer will automatically launch the Safa

Page 26 - Mac OS X Installation

32 Starting and Stopping PVS for Mac OS X The preferred method to start and stop the PVS service on Mac OS X is to use the “PVS Preferences” tab und

Page 27

33 This will open the InstallShield Wizard. Follow the directions in this wizard to completely remove PVS. If you select “Yes”, the PVS program and

Page 28

34 After the initial login, a quick setup process begins. The first step is to change the default admin password. At a minimum, the new password mus

Page 29

35 selected. The “Monitored Network IP Addresses and Ranges” option determines the IP address ranges that PVS will monitor. The “Excluded Network IP

Page 30

36 PVS version, Web Server Version, HTML client version, links to support and documentation, and license and feed status can be viewed by selecting

Page 31

37 The notification icon will change from blue to red making the user aware that there are unread alerts in the notification area. Each individual n

Page 32 - Removing PVS

38 The “Sort Hosts” drop-down provides an option to sort the host either by hostname or by the count of severity items found on the hosts. These sor

Page 33 - Removing PVS for Mac OS X

39 Name Description Bugtraq ID Filter the results of discovered vulnerabilities based on their Bugtraq identification. CPE Filter the results of dis

Page 34

4 The Passive Vulnerability Scanner is Real-Time ... 74 Appendix 2

Page 35 - Using the PVS Interface

40 See Also Filter the results of the discovered vulnerabilities based on the text available in the “See Also” field of the plugin. Solution Filter

Page 36

41 The Applications tab provides a list of discovered applications and their affected vulnerabilities. The summary page displays a list sorted by t

Page 37 - Monitoring

42 Users The Users screen provides a list of the available users on the PVS server. This screen is only available to Administrator level users. User

Page 38

43 The Activation Code and manual plugin update buttons are only used when using PVS in a stand-alone mode (not attached to a SecurityCenter). The A

Page 39

44 Monitored Network IP Addresses and Ranges Specifies the network(s) to be monitored. The default setting is to monitor all IPv4 addresses with the

Page 40

45 PVS Web Server Idle Session Timeout This setting is the number of minutes after which a web session becomes idle. The default setting for this ti

Page 41 - Results

46 New Asset Discovery Interval PVS listens to network traffic and attempts to discover when a new host has been added. To do this, the PVS constant

Page 42 - Configuration

47 Command Line Operation The PVS engine provides many options to update and configure PVS from the command line in both Windows and Linux versions.

Page 43

48 /opt/pvs/etc (deprecated) Configuration files for PVS and the PVS Proxy /opt/pvs/bin Location of the PVS and PVS Proxy executables, plus several

Page 44

49 Command Line Operations for Windows This section describes some operations that are performed on the PVS server from a command line in Windows. C

Page 45

5 Introduction This document describes the Passive Vulnerability Scanner 4.0 (Patent 7,761,918 B2) architecture, installation, operation, integratio

Page 46

50 pvs-proxy Parent folder for files used/created by the PVS proxy logs Contains PVS proxy and PVS proxy service logs scans By default, PVS create

Page 47 - Command Line Operation

51 directories db This directory contains the database files relating to the configuration, reports, and users for PVS. kb This directory stores t

Page 48

52 C:\Program Files\Tenable\PVS>pvs.exe The PVS binary for Mac OS X is located at: # /Library/PVS/bin The PVS binary for Linux is located at: # /

Page 49 - File Locations

53 --config --add "custom_paramater name" "parameter value" Add a custom configuration parameter for PVS or PVS Proxy. The doubl

Page 50 - Starting and Stopping PVS

54 In the above picture, three sessions labeled A, B, and C are shown communicating to, from, and inside a focus network. In session A, the PVS only

Page 51 - Common Command Line Options

55  SSH 2001:DB8::AE59:3FC2 -> SSH Using the “connections-to-services” option lets you know that the system at 1.1.1.1 and 2001:DB8::AE59:3FC2 u

Page 52

56 Windows C:\ProgramData\Tenable\PVS\pvs\ Mac OS X /Library/PVS/var/pvs If the PVS is being managed by the SecurityCenter, it will automatically

Page 53 - Focus Network

57 Initially, the PVS has no knowledge of your network’s active hosts. The first packets that the PVS sniffs would send an alert. To avoid this, the

Page 54

58 00008 Outbound Encrypted Session The PVS has detected one or more encrypted network sessions originating from within your focus network and desti

Page 55

59 have an even number of alphanumeric characters. clientissue If a vulnerability is determined in a network client such as a web browser or an emai

Page 56 - New Host Alerting

6 Pre-Installation To ensure a streamlined installation process, it is important to ensure that the appropriate hardware, software, and licensing re

Page 57

60 see a simple pattern, the entire plugin will not match. name This is the name of the vulnerability the PVS has detected. Multiple PVS plugins can

Page 58 - Plugin Keywords

61 timed-dependency With this keyword, the functionality of the “noplugin” and “dependency” keywords is slightly modified such that the evaluation m

Page 59

62 nid=10382 cve=CVE-2000-0318 bid=1144 hs_sport=143 name=Atrium Mercur Mailserver description=The remote imap server is Mercur Mailserver 3.20. The

Page 60

63 Passive Vulnerability Scanner Network Client Detection id=1010 hs_dport=25 clientissue name=Buffer overflow in multiple IMAP clients description

Page 61 - Plugin Libraries

64 Contents of password file: root:.*:0:0:.*:.* 2) client <------------------------- server:port 80 Our match pat

Page 62 - Case Insensitive Example

65 In each of these cases, the plugin would not match if the patterns contained in these “not” statements were present. For example, in the first pm

Page 63

66 Writing Passive Vulnerability Scanner Real-Time Plugins Real-Time Plugin Model PVS real-time plugins are exactly the same as PVS vulnerability pl

Page 64 - Negative Matches

67 # Look for failed logins into an FreeBSD telnet server id=0400 hs_sport=23 dependency=1903 realtimeonly name=Failed login attempt description=PVS

Page 65 - Time Dependent Plugins

68 risk=HIGH match=!<HTML> match=!<html> match=^root:x:0:0:root:/root:/bin/bash match=^bin:x:1:1:bin: match=^daemon:x:2:2:daemon: The p

Page 66 - New Keywords

69 In this case, a user has attempted to use the “cd” command to change directories within a file system and the attempt was not allowed. This is a

Page 67

7 Obtain a License Key for SecurityCenter When using a PVS with SecurityCenter, a license key may be purchased as an upgrade to an existing Security

Page 68

70  tunneling software or applications like Tor, GoToMyPC and LogMeIn Detecting Custom Activity Prohibited by Policy The plugins provided with PVS

Page 69

71 Finally, we have a match and regex statement that detects the user’s login credentials: match=email= regex=email=.*%40[^&]+ Putting it all to

Page 70

72 dependency=2004 dependency=2005 hs_dport=25 description=POLICY - Confidential data passed outside the corporate network. The Confidential file d

Page 71

73 The PVS has the ability to identify the likely operating system of a host by looking at the packets it generates. Specific combinations of TCP pa

Page 72

74 Appendix 1: Working with SecurityCenter Architecture One mode PVS operates under is under the control of a SecurityCenter that provides it with p

Page 73 - For Further Information

75 Appendix 2: Syslog Message Formats PVS provides options to send real-time and vulnerability data as syslog messages. There are four formats of sy

Page 74 - Managing Vulnerabilities

76 plugin_id The reported PVS plugin id triggered by the reported traffic. Some examples: 0 for open port alert 2 for service connection alert 3 f

Page 75

77 Appendix 3: PVS Activation without Internet Access If your PVS installation cannot reach the Internet directly, use the following procedure to re

Page 76

78 Platform Command Red Hat Linux / CentOS # /opt/pvs/sbin/pvs --update-plugins /path/to/sc-passive.tar.gz Mac OS X # /Library/PVS/bin/pvs --update-

Page 77

79 About Tenable Network Security Tenable Network Security provides continuous network monitoring to identify vulnerabilities, reduce ris

Page 78

8 # service pvs start After starting PVS, navigate to https://<ipaddress or hostname>:8835, which will display the PVS web frontend to log in

Page 79

9 This will start the upgrade process by launching the InstallShield Wizard: Clicking the “Next” button will begin the automated upgrade process. I
