8 posts from August 2007

 

Finding Sensitive Data as a Consultant with Nessus

There are many consultants that use Nessus to scan a customer network for vulnerabilities and report a laundry list of security issues which need to be fixed. Another valuable service that can be performed by a consultant is to audit where sensitive data resides in an organization and what sort of access can be gained to it. This blog entry discusses what can be accomplished with the Nessus scanner and what additional types of data analysis can be performed with the sensitive content checks available with the Nessus Direct Feed.

What is "Sensitive Data"?

In the government and military, there are in-depth standards for classifying the sensitivity of data such as "SECRET", "TOP SECRET" and so on. This classification details who can have access to the data and what level of security assurance should be invoked to protect inadvertent disclosure.

For the rest of the world, classifying data may not be as simple. An organization may draw its data classification requirements from the compliance regulations it falls under. A public company and a private company that are both governed by PCI will likely treat their customer credit card data the same way. However, the public company may treat emails about projected revenues, mergers and the like much more seriously than a private company because of SOX requirements. Other companies may have unique requirements to protect a secret beverage recipe, the plans for a new stealth bomber or the details of the latest marketing campaign.

As a consultant, asking the customer what their data controls and concerns are is a very good place to start. There is always a very strong possibility that an executive's or manager's view of data classification and access controls differs from what is actually occurring in the organization. As an "outsider" to the organization, the consultant may also have a different view of how data should be classified, based on common sense, prior experience and general industry practice.

With an understanding of what may be sensitive or damaging to an organization if it were lost, Nessus can be used to scan a network from many vantage points and discover where this information is located.

Finding the Data with Nessus

Information stored on the network is accessed over the network. The following Nessus plugins and families will identify a wide variety of services which enable information sharing on a network:

Of course, data can be obtained many other ways including the "sneaker network", screen captures through RDP/VNC sessions, sniffing network traffic, copying snapshots of VMWare systems and so on. The point of this exercise with Nessus is to analyze the local network for the "easy" things an average employee may come across without the use of any special tools. I also chose to include the search for potentially illegal music and movie content as part of the sensitive data search because it can highlight certain types of data that management or executives may not know about.

Analyzing the Results

When providing an analysis of the discovered types of data with Nessus, I recommend the following strategies:

  • Does the discovered data "look" interesting? When Nessus finds a file share, it will generally list as many of the file and directory names as it found in the scan report. Analyzing this data is a manual process; however, as a consultant you may find enough interesting file or directory names that you can raise a concern. If the share or access is "open" you may even be able to pull back the documents and analyze them yourself. In the next section, we will consider how the Direct Feed can be used to look for specific types of sensitive data by actually looking at the content of the files themselves.
  • Who can access this data? Depending on where you performed your Nessus scan, you may have been able to identify data that was obtainable from "outside" of an organization. Keep in mind that "outside" could mean someone on the Internet, or perhaps could simply mean someone from the accounting group being able to access private human resources data. Performing multiple scans from vantage points across a network could reveal different levels of access or trust that various groups have with each other.
  • Does the underlying server have vulnerabilities? When you find a server hosting office files, if it has major vulnerabilities it may be exploitable. This may be irrelevant information or it may not. A web server with 1000 sensitive PDF documents on it may be just as damaging to an organization when it is fully patched but makes the documents available to everyone as when it is vulnerable. On the other hand, a vulnerability on an office automation system such as Lotus Notes, SharePoint or a Wiki could allow circumvention of the security controls in those applications. A consultant should be able to differentiate these two situations and recommend where vulnerabilities need to be fixed or where more fine-tuned access controls should be added to information sharing resources.
  • Does a network of trust have vulnerabilities? If access to data is found through a certain location in the network, such as being able to see sales or customer data from the accounting group, then the vulnerabilities of that location should be considered. The idea is to look for organizations that are "trusted" to access the sensitive data, but are also vulnerable to attack.
  • Does the network service serve a purpose? Lastly, Nessus will highlight any type of network service it can find. This includes temporary shares, file services and other types of daemons. As a consultant, ask (and get answers) about where servers are supposed to be, what types of servers are supposed to be there and what types of servers should not be running. When performing an audit, you may find discrepancies between what should be happening and what actually is happening.

Scanning for Known Sensitive Data Types

The Nessus Direct Feed includes a set of content auditing plugins which open up Word, Excel, PDF, text and other types of files to look for patterns that indicate the presence of credit cards, social security numbers and many other types of content.

The Tenable Support Portal offers several dozen policies that can be used with Nessus to look for sensitive file names, to look for various keywords and watermarks, and to identify intellectual property at rest. These audit policies are written in a simple XML-style language which specifies which file extensions to look at, how much of each file should be analyzed, and which keywords and patterns should be searched for. These policies can be modified and customized as well as written from scratch.

The example below looks at the first 5000 bytes of each PDF, Word and Excel file for phone numbers. One of the words "FAX", "Phone", "Cell" or "Mobile" (in any of the listed capitalizations) must be present; if it is, a regular expression which matches a phone number written as 123-456-7890 or 123.456.7890 is then run against the file.

<item>
     type: FILE_CONTENT_CHECK
     description: "Determine if server is hosting phone contact info"
     file_extension: "pdf" | "doc" | "xls"
     regex: "[0-9]{3}[ \.\-][0-9]{3}[ \.\-][0-9]{4}"
     expect: "FAX" | "Fax" | "Phone" | "PHONE" | "CELL" | "Cell" | "Mobile" | "MOBILE"
     max_size: "5k"
</item>

When Nessus performs these scans it not only lists the servers which had matching content, it also lists the servers which "passed" and did not have any matching content on them.
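To make the check concrete, here is an added Python example (not Tenable code, and not the engine Nessus actually uses) that parses the item above into its fields and applies the same logic to a few constructed sample files: only files with a listed extension are examined, only the first max_size bytes are read, the regular expression runs only when one of the expect words is present in that window, and the result is reported per host so that servers which "passed" are listed alongside those with matches. The host names, file contents, the decimal reading of "5k" as 5000 bytes and the assumption that '|' only separates alternatives are mine.

```python
import re
from dataclasses import dataclass

# Constructed copy of the .audit item from the post. The "key: value" lines and
# the '|' between alternatives follow that item; how Nessus really parses the
# file is not shown on the page, so the reader below is an assumption.
AUDIT_ITEM = r'''<item>
     type: FILE_CONTENT_CHECK
     description: "Determine if server is hosting phone contact info"
     file_extension: "pdf" | "doc" | "xls"
     regex: "[0-9]{3}[ \.\-][0-9]{3}[ \.\-][0-9]{4}"
     expect: "FAX" | "Fax" | "Phone" | "PHONE" | "CELL" | "Cell" | "Mobile" | "MOBILE"
     max_size: "5k"
</item>'''


@dataclass
class FileContentCheck:
    description: str
    extensions: set        # lower-cased file extensions to examine
    regex: re.Pattern      # the pattern that indicates sensitive content
    expect: list           # at least one of these words must appear first
    max_size: int          # only this many leading bytes are examined


def parse_size(text):
    """'5k' -> 5000: the post says the check reads the first 5000 bytes, so
    'k' is read as decimal 1000 here (assumption)."""
    m = re.fullmatch(r"(\d+)([kKmM]?)", text.strip())
    if not m:
        raise ValueError(f"bad size: {text!r}")
    return int(m.group(1)) * {"": 1, "k": 1000, "m": 1_000_000}[m.group(2).lower()]


def parse_audit_item(text):
    """Turn one <item> block into a FileContentCheck."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("<"):
            continue                          # skip blank lines and the <item> tags
        key, _, value = line.partition(":")
        key = key.strip()
        if key in ("regex", "description"):   # these may legitimately contain '|'
            fields[key] = [value.strip().strip('"')]
        else:
            fields[key] = [v.strip().strip('"') for v in value.split("|")]
    if fields.get("type") != ["FILE_CONTENT_CHECK"]:
        raise ValueError("only FILE_CONTENT_CHECK items are handled here")
    return FileContentCheck(
        description=fields["description"][0],
        extensions={e.lower() for e in fields["file_extension"]},
        regex=re.compile(fields["regex"][0]),
        expect=fields["expect"],
        max_size=parse_size(fields["max_size"][0]),
    )


def run_check(check, files):
    """files maps file name -> bytes. Returns file name -> matched text, or
    None, for every file whose extension is audited."""
    results = {}
    for name, data in files.items():
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext not in check.extensions:
            continue
        window = data[:check.max_size].decode("latin-1")   # only the leading bytes are examined
        if not any(word in window for word in check.expect):
            results[name] = None           # no expect word: the regex is never run
            continue
        m = check.regex.search(window)
        results[name] = m.group(0) if m else None
    return results


def audit_hosts(check, hosts):
    """hosts maps host name -> {file name: bytes}. Returns (flagged, passed):
    flagged maps host -> [(file, match)], passed lists hosts with no match."""
    flagged, passed = {}, []
    for host in sorted(hosts):
        hits = [(name, match) for name, match in sorted(run_check(check, hosts[host]).items()) if match]
        if hits:
            flagged[host] = hits
        else:
            passed.append(host)
    return flagged, passed


# Constructed sample shares; names, numbers and contents are made up.
SAMPLE_HOSTS = {
    "fileserver-a": {
        "contacts.doc": b"Sales team directory\nJane Doe  Phone: 555-123-4567\n",
        "budget.xls": b"Q3 forecast 123-456-7890",               # number but no expect word
        "archive.doc": b"x" * 6000 + b"Cell: 555-111-2222",      # keyword past the 5000-byte window
        "readme.txt": b"Phone: 555.987.6543",                    # extension not audited
    },
    "fileserver-b": {
        "MEMO.DOC": b"Mobile 555 444 1212",                      # extension matched case-insensitively
        "report.pdf": b"%PDF-1.4 Annual report. FAX 555.222.3333 for copies.",
    },
    "webserver": {"index.doc": b"Welcome to the intranet"},
}

if __name__ == "__main__":
    check = parse_audit_item(AUDIT_ITEM)
    flagged, passed = audit_hosts(check, SAMPLE_HOSTS)
    print(check.description)
    for host, hits in flagged.items():
        print(f"  {host}: {hits}")
    print(f"  passed: {passed}")
```

Two of the constructed files show why the policy parameters matter: budget.xls contains a number in the right shape but none of the expect words, so it is not reported, and archive.doc has its keyword after the 5000-byte window, so a too-small max_size silently misses it. Real Word, Excel and PDF files are not plain text, so a production check has to extract text first; the example treats the bytes as text only to keep the logic visible.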

There are many obvious uses for this technology such as:

  • Scanning for credit card information on systems that should not have that type of data.
  • Finding employee information, customer information and other types of data useful for identity theft.
  • Looking for source code, text, manuals, etc. which are proprietary in nature and should not be available throughout or outside of a company.
  • Leveraging an organization's existing copyright notices, data classification guides or watermarks to find data on servers or systems where it should not exist.
  • Finding data stores belonging to employees which have nothing to do with the organization. For example, finding an employee's personal tax, credit card, health, insurance and other types of information stored in a "public" place.
  • Finding lists of customers, their contact information and existing or projected revenues.

Conclusion

As a consultant, the ability to look for sensitive data where it should not be is a valuable service that can be provided to your customers in addition to security auditing. For more information, please consider these other blog entries and demonstration videos:






 

Upcoming Conferences and Speaking Engagements

There are a few events occurring before the end of the year that Tenable will be participating in:

2007 DHS Security Conference and Workshop
Baltimore Maryland, August 27-30, 2007
I will be speaking at 3:45 this Monday, August 27 about how configuration management changes the way network security monitoring and incident response occur in non-obvious ways. Many of these sessions are only open to the US government.

"Hack In The Box" SecConf 2007
Kuala Lumpur, Malaysia, September 3-6, 2007
Several members of Tenable's research team will be attending the conference. We're traveling from all over the world to attend; you should too.

NIST IT Security Automation Conference
Gaithersburg, Maryland, September 19-20, 2007
Tenable will be exhibiting at this conference which focuses on how the SCAP program is being used by government agencies and commercial vendors to audit computer systems against government best practice standards. Several Tenable customers will be at this event as well as members of our research team. I will also be speaking about current and future Tenable efforts in this area.

New England Information Security Forum
Boston, Massachusetts, September 17-18, 2007
I highly recommend this event for anyone in the Boston region who is a technical manager. You'll get to meet with other experienced peers and then meet with vendors in a non-marketing, very technical venue.

7th annual Fall Cyber Security Symposium on the UNCC campus
Charlotte, North Carolina, October 10, 2007
Tenable will be exhibiting on campus, answering questions about Nessus, different types of compliance auditing and demonstrating our products. If you would like to attend this event, please email neclarke@uncc.edu.

Day Con 2007
Dayton, Ohio, October 12-13, 2007
Several members of Tenable's research team will be attending the conference. We will also be participating in monitoring of the "HackSec International" competition.

Midwest Information Security Forum
Chicago, Illinois, October 29-30, 2007
I highly recommend this event for anyone in the Chicago region who is a technical manager. You'll get to meet with other experienced peers and then meet with vendors in a non-marketing, very technical venue.

Techno Forensics 2007
Gaithersburg, Maryland, October 29-31, 2007
Tenable will be exhibiting at this network forensics event. I will also have a chance to speak about how new types of network and event monitoring are changing how organizations monitor users and collect forensics.

 

Solaris PCI Audits and other Updates

Tenable Network Security has released a Solaris audit policy for PCI 1.1 configurations. We've also released a new SuSE Linux best practices audit policy and have updated several others. These are all available to Tenable Direct Feed and Security Center customers through the Tenable Support Portal. A specific list of what is now available is as follows:

  • PCI_Linux.audit (Version 1.0.7) This is an update to the existing .audit file which checks for a few more settings, such as if the network time protocol is enabled. It is available under 'Downloads' and then 'Download Configuration Audit Policies'.
  • PCI_Solaris.audit (Version 1.0.0) This audit policy tests for many of the PCI 1.1 configuration requirements for the Solaris 9 operating system. It is available under 'Downloads' and then 'Download Configuration Audit Policies'.
  • PCI_Windows.audit (Version 1.0.3) This is an update to the existing .audit file which checks for a few more settings, such as if the network time protocol is enabled. It is available under 'Downloads' and then 'Download Configuration Audit Policies'.
  • CIS_Redhat_ES4_105.audit (Version 1.0.5) This is an update to the existing CIS .audit policy file which fixes a few audit checks and bugs. It is available under 'Downloads' and then 'Download CIS Compliance and Audit Files'.
  • SuSE_EL_Best_practice.audit (Version 1.0.0) This is a set of Tenable content to audit SuSE 9 for best practice secure configurations. It is available under 'Downloads' and then 'Download Configuration Audit Policies'.

To use these policies, Security Center users should download these audit files and place them in their /opt/sc3/admin/nasl directory and then make them part of new or existing Vulnerability Policies. Nessus Direct Feed users should download these policies to the system they are operating the Nessus client from and add them to new or existing Nessus scan policies.

 

An Evening With a Friend

Several weeks ago, a good friend of my family who is a lawyer for an application hosting company and I were speaking about network security and I brought up Nessus. "Can you scan one of our hosted sites?" he asked. A short while later, especially after asking the right sort of legal questions, we were looking at the results of a non-credentialed Nessus scan for a high traffic web site.

His web site didn't have any "application" content and hosted static HTML web pages. The only odd thing to note was an SSH server found on a very high port.

"Is that bad?" asked my friend.

"Well, it doesn't have any publicly known vulnerabilities." I said.

"So that's good, right?"

I told him I had two thoughts.

First, if the administrator thought to put the SSH server on a port other than 22, they might also want to take some extra steps and lock down SSH a bit tighter, or even mask it from generic access from the Internet. They may have been able to disable some unneeded functionality of SSH, avoid using passwords, or use some sort of firewall or VPN so that I couldn't connect to their SSH daemon at all.

Second, my friend should ask the administrator of that site if they noticed any unauthorized login attempts through SSH or from the other services. Nessus tries all sorts of things to the various services it probes and this activity generates logs in the form of failed login attempts and error messages. If there is any type of monitoring activity ongoing, it should alert on some part of the Nessus scan.

"I had heard them say that SSH was secure." he commented.

I then pulled up all the SSH vulnerabilities and patch audits that Nessus can check for and showed him. He was initially concerned that SSH wasn't secure, period. I had to spend a short bit of time explaining vulnerability life-cycles and how an undiscovered vulnerability can be latent in operating systems and applications right now.

These statements didn't provide much comfort.

On a lark, I showed him some Nessus scans of web sites that had many different types of vulnerabilities. This had the opposite effect from the one I intended, in that he was somewhat comforted by the fact that his web site was better off than others.

What I felt was really interesting about our conversation was that we never once mentioned things like CVSS or NSA Best Practice hardening guides. What he really wanted to know was if they were secure or not. Is there something someone on their staff was doing wrong or something else they could do better? Although not an IT or network security practitioner, as a lawyer, he was putting everything in terms of risk to the business which is a good thing.
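As an added example that is not from the post, the Python below sketches both of the thoughts above from the defender's side: a small sshd_config audit that flags the settings the post says the administrator could have tightened (a weak fragment that only moved the port, beside a hardened one, both constructed), and a detector that runs over constructed auth.log lines to find the burst of failed logins that a vulnerability scan leaves behind, which is exactly what the site's monitoring should have alerted on. The port, addresses, group name, thresholds and log lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd_config fragments. The weak one moved the port and stopped there.
WEAK_SSHD_CONFIG = """\
Port 42022
PasswordAuthentication yes
PermitRootLogin yes
X11Forwarding yes
"""

# The hardened one does what the post suggests: restrict who can reach the
# daemon, drop passwords in favour of keys and switch off unneeded features.
HARDENED_SSHD_CONFIG = """\
Port 42022
# management interface only; the Internet side is fronted by a firewall/VPN
ListenAddress 10.0.0.5
# keys only, so password guessing over the network goes nowhere
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
# explicit allow-list of who may log in at all
AllowGroups sshadmins
# unneeded functionality switched off
X11Forwarding no
MaxAuthTries 3
"""


def parse_sshd_config(text):
    """Minimal sshd_config reader: 'Keyword value' lines, '#' comment lines,
    first occurrence of a keyword wins (as sshd itself behaves)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), value.strip())
    return conf


def audit_sshd_config(text):
    """Return a list of findings; an empty list means none of the weak settings are present."""
    conf = parse_sshd_config(text)
    findings = []
    if conf.get("passwordauthentication", "yes") != "no":          # sshd defaults to yes
        findings.append("PasswordAuthentication is not 'no'; password guessing remains possible")
    if conf.get("permitrootlogin", "yes") not in ("no", "prohibit-password"):
        findings.append("PermitRootLogin permits root password logins")
    if "allowusers" not in conf and "allowgroups" not in conf:
        findings.append("no AllowUsers/AllowGroups allow-list")
    if conf.get("x11forwarding", "no") == "yes":
        findings.append("X11Forwarding enabled but rarely needed on a web host")
    if conf.get("listenaddress", "0.0.0.0") in ("0.0.0.0", "::"):
        findings.append("sshd reachable on every interface; restrict ListenAddress or front it with a firewall/VPN")
    return findings


# Constructed syslog lines in OpenSSH's format; the first source hammers the
# daemon the way a scanner's credential probes do, the others are ordinary users.
AUTH_LOG = """\
Aug 12 03:14:01 www sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 4410 ssh2
Aug 12 03:14:02 www sshd[2203]: Failed password for invalid user test from 203.0.113.5 port 4412 ssh2
Aug 12 03:14:03 www sshd[2205]: Failed password for root from 203.0.113.5 port 4414 ssh2
Aug 12 03:14:04 www sshd[2207]: Failed password for invalid user guest from 203.0.113.5 port 4416 ssh2
Aug 12 03:14:05 www sshd[2209]: Failed password for invalid user oracle from 203.0.113.5 port 4418 ssh2
Aug 12 09:30:11 www sshd[2400]: Failed password for alice from 198.51.100.7 port 5100 ssh2
Aug 12 09:30:40 www sshd[2402]: Accepted publickey for alice from 198.51.100.7 port 5102 ssh2
Aug 12 11:02:15 www sshd[2500]: Failed password for bob from 198.51.100.9 port 6000 ssh2
Aug 12 15:02:15 www sshd[2600]: Failed password for bob from 198.51.100.9 port 6001 ssh2
"""

FAILED_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+"
)


def detect_failed_login_bursts(log_text, threshold=5, window=timedelta(minutes=5), year=2007):
    """Return {source: total failures} for every source with at least
    `threshold` failed logins inside any `window`. Syslog lines carry no
    year, so one is supplied (assumed)."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                      # successes and unrelated lines are ignored
        stamp = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        failures[m.group(3)].append(stamp)
    bursts = {}
    for source, stamps in failures.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:   # sliding window of `threshold` failures
                bursts[source] = len(stamps)
                break
    return bursts


if __name__ == "__main__":
    print("weak:", audit_sshd_config(WEAK_SSHD_CONFIG))
    print("hardened:", audit_sshd_config(HARDENED_SSHD_CONFIG))
    print("bursts:", detect_failed_login_bursts(AUTH_LOG))
```

The burst detector deliberately ignores bob's two failures hours apart: a threshold with a time window separates a scan or guessing run from a user mistyping a password, which is what keeps such an alert from being tuned out as noise.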

 

CIS Certified Windows 2003 Member Server Audits

Tenable Network Security was recently awarded Center for Internet Security (CIS) certification to perform audits of Windows 2003 Member Servers through Nessus Direct Feed and/or Security Center agent-less scans. Windows 2003 Member Servers are Windows 2003 operating systems which host applications or data and are part of a domain, but are not the actual domain controllers. Tenable has previously received certification to perform certified CIS audits of Windows 2003 Domain Controllers.

To obtain these policies, Security Center users should download these audit files and place them in their /opt/sc3/admin/nasl directory and then make them part of new or existing Vulnerability Policies. Nessus Direct Feed users should download these policies to the system they are operating the Nessus client from and add them to new or existing Nessus scan policies.

The policies are available for download from the Tenable Support Portal by clicking on the 'Downloads' button, and then the 'Download CIS Compliance Audit Policies' button. These policies are available alongside other CIS audit policies. Below is a screen shot of what the current download page looks like:

(Screenshot: Tenable Support Portal download page with the new CIS audit policies)

A short video of the Nessus vulnerability scanner for Windows being used to scan a Windows 2003 server with a CIS audit policy is available here.

Tenable Network Security also offers CIS certified audit policies for these "best practice" guides:

  • FreeBSD v1.0.5
  • Level 1 RedHat EL v1.0.5
  • Windows 2003 Domain Controllers
  • Windows 2003 Member Servers

Many more CIS audit policies are in development. Tenable also offers audit content that has been generated from the NIST SCAP program, as well as content developed in-house based on guidelines from the Payment Card Industry (PCI), US CERT, Microsoft, NSA, the DISA STIG guide and customer feedback.

 

Federally Mandated Configuration Settings for XP and Vista

The Office of Management and Budget recently released new configuration guidelines for Windows XP and Vista that all Federal agencies need to adopt by February 1, 2008. The guidelines are known as the "Federal Desktop Core Configurations" (FDCC) and have been published as part of the NIST Security Content Automation Protocol (SCAP) program.

Tenable has published two new audit files for Nessus Direct Feed and Security Center users to audit Windows systems against these required configuration settings. The policies are available for download from the Tenable Support Portal by clicking on the 'Downloads' button, and then the 'Download NIST Compliance Audit Policies' button. These policies are available alongside other audit policies based on existing NIST SCAP content for Windows XP Pro and Windows 2003 operating systems.

To use these policies, Security Center users should download these audit files and place them in their /opt/sc3/admin/nasl directory and then make them part of new or existing Vulnerability Policies. Nessus Direct Feed users should download these policies to the system they are operating the Nessus client from and add them to new or existing Nessus scan policies.

A short video of the Security Center being used for a NIST compliance audit against a Windows 2003 server is available here. A short video of Nessus being used to scan for NIST compliance is also available here.

For more information about Tenable's support of NIST configuration auditing standards, please consider these previous blog entries:

 

Finding Vulnerabilities Older than 30 Days

"30 Days" seems to be the default amount of time within which organizations expect vulnerabilities to be patched. Version 1.1 of the Payment Card Industry standard specifically states a 30 day time period. Of course the actual age of a vulnerability has nothing to do with how easy it may or may not be to exploit, but politically, old vulnerabilities can indicate broken policies, bad IT processes and lapses in compliance.

This blog entry discusses how networks can be monitored for vulnerabilities with Nessus, the Passive Vulnerability Scanner and the Security Center in such a way, that vulnerabilities older than 30 days can be easily identified.

The Vulnerability and Patch Life Cycle

IT organizations that "get it" run their networks with the expectation that there are vulnerabilities in their required technology that have not been found or publicized yet. As such they use compensating controls such as firewalls, auditing, system hardening and intrusion prevention to mitigate these risks.

When a specific vulnerability is discovered and a patch has been published, a political "clock" can start ticking which measures how long it takes to get this security patch applied.

In some organizations, all security patches are required, even if there are other mitigating controls. I've seen organizations require applying a patch for Apache on a production Red Hat server, even though the system wasn't actually running the web server. The idea is that if a web server is enabled one day, it should be patched ahead of time. Other organizations only require security patches for technologies they are exposed to.

Ensuring Nessus has the Most Recent Checks and Credentials

If you are scanning with Nessus to look for old vulnerabilities, you should keep two major points in mind:

  • If you are using the registered feed, your checks are already 7 days old
  • If you are not using credentials you won't be able to do a patch audit

If you are measuring the age of your vulnerabilities, you should be doing this with the most recent plugins available to you. I've spoken with customers who only update their plugins once a month or even less often. They take comfort in that Nessus gives them very useful data without being updated. This is sort of like getting your car's brakes checked, but then telling the mechanic not to check the oil.

Just because Nessus is finding very useful information doesn't mean that it is testing for everything that it could. Regardless of whether you are using the real-time Direct Feed or the seven-day delayed registered feed, updating your Nessus plugins before a scan will always provide a more complete audit than not doing so.

If you are updating your plugins and using the registered feed, all of your checks are one week old. There is great value in the more than 15,000 plugin checks Tenable provides for free to the Nessus community, consultants and MSPs, but if you are using it to find vulnerabilities older than 30 days, you need to actually look for vulnerabilities older than 23 days.

And lastly, when you use Nessus to audit a host or network, unless you give it credentials of the target systems, it won't perform a full security patch audit. Depending on the vulnerability, Nessus may identify a specific missing patch, but it is not performing a full audit. Other security patches may only be found with credentials, especially client-side applications such as Internet Explorer or Thunderbird.

Using Nessus to audit missing patches is a great way to see if your patch management system is working, to perform a more complete vulnerability audit and to also gather many configuration parameters which also impact security.

Manually Finding 30-day Old Vulnerabilities With Nessus

There are many manual methods for using Nessus to find vulnerabilities older than 30 days.

Determining this strictly from one single scan is doable but difficult. Technically, someone can take the results of a scan and check when each plugin ID was first released. This can be manually intensive and actually tests when Tenable released a plugin, not when a vulnerability was first discovered. Consider a situation where someone enables an older Apache 1.3 server which has vulnerabilities that are several years old. Your organization may still allow this system to be patched within 30 days. If you are governed by PCI, compliance requires all security patches to be installed based on patch availability, not on discovery of vulnerabilities.

A more common technique is to look at how a network's discovered vulnerabilities change over time. Differential analysis from two or more scans measures what has been fixed (patched), which vulnerabilities are still present and which are new.

If you are performing these types of scans, remember to scan often. If your scan period is once a week, and you are looking for 30-day old vulnerabilities, a new vulnerability may have been discoverable the day after your last scan.

On larger networks, which have many different types of assets, manually keeping track of which scan policies go with which targets, which credentials go with which targets and how often each target can be scanned can be difficult. I've spoken with several organizations who've developed their own scan tracking and management solutions, and I've also worked with many Tenable customers who use the Security Center to tackle this problem.

Some Nessus clients support some level of scan differential reporting. This process takes the results of two scans and shows what is different about them. This is helpful if you are scanning the same target, with the same plugins. If you are not performing the same type of scan (such as performing a basic OS fingerprint scan as compared to a full patch audit), then your results will certainly be different.

Below is a screen shot of the Nessus 3.0 scanner for Windows:

(Screenshot: Nessus 3.0 scanner for Windows, selecting reports for a differential)

Multiple reports can be selected and a differential report produced.

When differences are found, the systems with older vulnerabilities or missing patches should be tracked in a report, spreadsheet, ticketing system or some other method.

Manually Finding 30-day Old Vulnerabilities With the Passive Vulnerability Scanner

The Passive Vulnerability Scanner (PVS) can also be used to monitor networks for 30-day old vulnerabilities. Compared to active scanning with Nessus, the PVS has very little configuration or on-going management and it does not require credentials or scan management. Once set up, it continuously sniffs vulnerabilities in your servers, applications and clients.

The Windows version of this tool can be used to take a "snapshot" of the existing vulnerability report. Any two reports can be "diffed" to see what has changed. Choosing two reports that are 30 days apart can easily show which vulnerabilities have not been addressed.

Below is a screen shot of the Windows PVS report differential options:

(Screenshot: Windows PVS report differential options)

Automatically Finding and Reporting 30-day Old Vulnerabilities with the Security Center

Performing this process of discovery on the Security Center (SC3) is very easy. SC3 can be used for automated scan scheduling. Multiple scan policies, scan targets (networks or assets) and scan schedules can be configured and automatically spread across multiple Nessus scanners. The results of these scans are always automatically "diffed" with the current cumulative set of discovered vulnerabilities.

The "cumulative database" inside SC3 is its key to making vulnerability discovery, trending and reporting very simple. It uses the results of different types of one-time and ongoing scans to build up an accurate model of the entire set of vulnerabilities on the network. 

When analyzing this set of vulnerabilities under SC3, there are simple filters which can be used to display when a vulnerability was first discovered. Since only "live" vulnerabilities are stored in the cumulative database, this filter is an easy way to show which vulnerabilities are 30 days old. Below is a screen shot of all existing vulnerabilities which were discovered on a live SC3 system more than 30 days ago:

(Screenshot: SC3 vulnerability list filtered to findings first discovered more than 30 days ago)

Note also in the above screen shot that the [CSV] link can be used to get a list of all vulnerabilities older than 30 days into a convenient spreadsheet.

This sort of filtering can show which assets are out of date, can be used to download a list of hosts as a spreadsheet, and can be combined with other filters such as Nessus plugin family or vulnerability severity. If your assets are aligned with your political organizations, this can also show which groups aren't patching on time. And lastly, SC3 can be used to automatically email reports of this type to one or more recipients and asset owners.

If multiple Nessus scanners or multiple Passive Vulnerability Scanners are used, SC3 automatically combines the results of these into one cumulative view. This can help compensate if network monitoring or network scanning isn't as comprehensive as it could be.

The ability to find systems with vulnerabilities discovered within a certain set number of days can also be used to create a Dynamic Asset List. These lists can be used for reporting, filtering vulnerabilities and also scan scheduling. Having SC3 perform full daily scans of just the systems with older vulnerabilities is a good way to automatically clean up older vulnerabilities. With this sort of asset list, automatic ticketing or even re-casting of existing vulnerabilities can be accomplished.
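As an added example that is not part of this entry or of Tenable's products, the Python below works through the approaches described above on a constructed scan history: a differential of two scans of the same targets (fixed, persistent and new findings), a cumulative database that keeps only live vulnerabilities with their first-seen date while folding in scans of different targets, the first-seen age filter with the registered-feed adjustment from 30 to 23 days, and a dynamic asset list of the hosts that carry the old findings. Host names, plugin IDs and dates are made up.

```python
from datetime import date, timedelta


def diff_scans(previous, current):
    """Differential of two result sets from the same scan policy against the
    same targets; each set holds (host, plugin_id) pairs."""
    return {
        "fixed": sorted(previous - current),        # present before, gone now
        "new": sorted(current - previous),          # appeared since the last scan
        "persistent": sorted(previous & current),   # still there
    }


def merge_scan(cumulative, scan_date, scanned_hosts, findings):
    """Fold one scan into a cumulative database that keeps only live
    vulnerabilities, keyed (host, plugin_id) -> (first_seen, last_seen).
    A finding missing from a host that was scanned is treated as fixed and
    dropped; hosts outside this scan's targets are left untouched, so partial
    scans of different assets build up one combined view."""
    for key in [k for k in cumulative if k[0] in scanned_hosts and k not in findings]:
        del cumulative[key]
    for key in findings:
        first_seen, _ = cumulative.get(key, (scan_date, scan_date))
        cumulative[key] = (first_seen, scan_date)
    return cumulative


def older_than(cumulative, as_of, days, feed_lag_days=0):
    """Live vulnerabilities first seen at least `days` ago, as [(key, first_seen)].
    With a delayed plugin feed a check only reaches the scanner `feed_lag_days`
    after the vulnerability was public, so the first-seen threshold is shortened
    by that lag: the entry's 30 days become 23 for the 7-day registered feed."""
    cutoff = as_of - timedelta(days=days - feed_lag_days)
    return sorted((key, first) for key, (first, _) in cumulative.items() if first <= cutoff)


def dynamic_asset_list(cumulative, as_of, days, feed_lag_days=0):
    """Hosts carrying at least one finding older than the threshold; this is the
    list a daily clean-up scan or a ticketing rule would be driven from."""
    return sorted({host for (host, _), _ in older_than(cumulative, as_of, days, feed_lag_days)})


# Constructed scan history: (scan date, hosts targeted, findings as (host, plugin_id)).
# The third scan only covered hostB, so hostA's findings carry over unchanged.
SCAN_1 = (date(2007, 7, 1), {"hostA", "hostB"},
          {("hostA", 10001), ("hostA", 10002), ("hostB", 10003)})
SCAN_2 = (date(2007, 7, 10), {"hostA", "hostB"},
          {("hostA", 10002), ("hostA", 10004), ("hostB", 10003)})
SCAN_3 = (date(2007, 8, 5), {"hostB"},
          {("hostB", 10003), ("hostB", 10005)})
AS_OF = date(2007, 8, 5)


def build_cumulative():
    cumulative = {}
    for scan_date, hosts, findings in (SCAN_1, SCAN_2, SCAN_3):
        merge_scan(cumulative, scan_date, hosts, findings)
    return cumulative


if __name__ == "__main__":
    print("scan 1 -> scan 2:", diff_scans(SCAN_1[2], SCAN_2[2]))
    cumulative = build_cumulative()
    print("older than 30 days (Direct Feed):", older_than(cumulative, AS_OF, 30))
    print("older than 30 days (registered feed, 7-day lag):", older_than(cumulative, AS_OF, 30, feed_lag_days=7))
    print("assets to rescan daily:", dynamic_asset_list(cumulative, AS_OF, 30))
```

On the constructed data, plugin 10004 on hostA was first seen 26 days before the report date: it is under the 30-day line for a scanner with current checks, but over the 23-day line once the 7-day feed delay is accounted for, which is the adjustment the entry recommends for registered-feed users.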

For More Information

If you felt the content of this blog was useful, please consider these other blog entries:

 

Recent Content and Product Updates

Over the past few weeks, we've released several new tools, Nessus audit policies, Log Correlation Engine log parsers and Log Correlation Engine TASL scripts. A summary of these releases is provided below.

New Product Releases and Updates

  • Nessus 3.0.6.1 for Windows - This release fixes a security hole for users running Internet Explorer 6. All users are strongly encouraged to upgrade. Nessus plugin #25799 checks Windows systems for this vulnerability. Direct Feed customers can download 3.0.6.1 directly from the Tenable Support Portal and it can also be downloaded from http://nessus.org.
  • Security Center 3.2.3 - This release improves a wide variety of performance, user management, reporting and distributed scanning issues. The maximum size of "managed" vulnerability data has been increased from 4GB to 16GB. Also, dynamic asset list computation has been reduced from more than 30 minutes in some cases to less than 1 minute. Builds for RedHat ES3 and ES4, along with a complete list of issues resolved with this release are available for download from the Tenable Support Portal.
  • NessusClient 3.0.0 beta 2 - A new release of this Windows and Linux Nessus client is now available for download from http://nessus.org.
  • Nessus 3.2 beta 4 - For users testing the Nessus 3.2 beta, a 4th release (Nessus 3.1.4) has been made available for Linux, FreeBSD and Solaris.

New and Updated Audit Polices

  • CIS Certified FreeBSD Audit - Tenable was recently awarded certification to perform Center for Internet Security audits according to the best practice consensus guide of securing FreeBSD systems. This .audit policy is available for download from the Tenable Support Portal by choosing the "Downloads" button and then the "Download CIS Audit and Compliance Files" button.
  • PCI Configuration Audit Updates - Version 1.0.2 of the Windows and version 1.0.3 of the Linux Payment Card Industry 1.1 audit policies are now available. This update relaxes some of the more specific checks to accommodate more stringent settings. These .audit policies are available for download from the Tenable Support Portal by choosing the "Downloads" button and then the "Download Configuration Audit Policies" button.

Updated and New Event Correlation TASL Scripts

  • blacklist.tasl - Similar to the blacklist_domain.tasl script, which was blogged about here, this IP based blacklist lookup correlation script can now accept two "black lists". The second list is for users who want to maintain their own static list of "bad" IP addresses which is not updated based on content from Arbor, SANS or the Bleeding Threat project.
  • long_tcp_sessions.tasl - Previously, Tenable had been maintaining two separate TASL scripts which would monitor the length, bandwidth and ports of each TCP session obtained through NetFlow or direct sniffing. This new TASL script accepts both event types.
  • new_user.tasl - Support to automatically recognize new user names from MS SQL Server logins.
  • successful_login_after_multiple_failures.tasl - Added several new login event IDs and removed account names associated with normal system processes.
  • windows_logon_unknown_network.tasl - Added several new login event IDs and removed common account names associated with normal system processes.

Updated and New Log Parsing PRM Files

Note: To install any of these TASL or PRM files for the Log Correlation Engine, download these files to your /usr/thunder/daemons/plugins directory and then restart the thunderd service.