PVS 3.2 Released – Enhanced vulnerability discovery, real-time forensics and file share and database activity monitoring
Tenable Network Security is proud to announce the release of
version 3.2 of the Passive Vulnerability Scanner (PVS). This product is a network
sniffer that scans for real-time vulnerability data and transmits it to
Tenable’s Security Center management console along with real-time user and
forensic activity transmitted to Tenable’s Log Correlation Engine (LCE). This
blog entry describes many of the new features and enhancements in this release.
Enhanced Vulnerability Discovery
PVS 3.2 enables Tenable’s research team to write
sophisticated rules that can track the state of many different types of services and
protocols. Building on the robust vulnerability discovery features of PVS 3.0,
this new release provides enhanced analysis capabilities of web client traffic,
web server traffic, Microsoft file sharing, email, DNS, operating system
identification and much more.
For example, two vulnerabilities normally detected by an
active vulnerability scanner, such as Nessus, can now be detected with PVS: insecure usage
of the “VIEWSTATE” hidden form field in web-based .NET applications and insecure
ActiveX components hosted on IIS web servers.
Real-time File Sharing Monitoring
A major new feature of PVS 3.2 is the addition of deeper
logic to perform protocol analysis. In the same way that Nessus receives plugin
updates, PVS is continually updated by Tenable’s Research team. Recently our research
team has written plugins for PVS 3.2 that can parse complex file sharing
protocols such as SMB, NFS, HTTP and FTP.
For example, if a host uploads or downloads a file to a
Windows network share, to or from the Internet using web services, or over
traditional Unix services such as FTP and NFS, a PVS deployed to watch network traffic can log these events in
real-time. When these logs are sent to the LCE, they are immediately available
for searching, tracking, reporting by user and trending, and can contribute to
any type of incident or forensics investigation.
The following is a screen shot of PVS events related to
users obtaining files at a major university over a period of five days:
Database Activity Monitoring
Tenable products have had the ability to scan databases for vulnerabilities and configuration issues for a long time. This release of PVS 3.2 now provides the ability to monitor database activity in real-time. The PVS can now look at SQL database traffic that has originated from end user or web applications and send a real-time log to the LCE.
This gives users the ability to search or perform forensic
analysis of database transactions over a long period of time. The database events
obtained by the PVS can be used for intrusion detection event correlation,
access control analysis for compliance, and anomaly detection.
Since the PVS is passively sniffing between the applications
and the SQL database, there is no impact on system, network or database performance.
Finally, if the database server has not been subject to
patch audits or vulnerability scans, the traffic to and from the server will be
used by the PVS to identify client and server vulnerabilities in real-time.
Real-time Forensics
PVS 3.2 includes many new plugins that detect the resources attached to your network and create logs that can be sent to the LCE in real time. For example, the screen shot below shows all web user agent strings observed by the PVS for a single host:
Data from these plugins centralizes many different types of software,
operating systems, web browsers, web browser plugins and media players in one
report. The PVS performs this type of analysis in real-time for thousands of
hosts.
Additional data now available for discovery with this release of PVS includes:
- Detection of user agent strings associated with known Trojans and malware
- Identification of a host’s NetBIOS and Domain names
- Identification of a host’s DNS name
- Enumeration of files shared via SMB, FTP and NFS
In addition to finding vulnerability data in real time, PVS
3.2 can also report a wide variety of user activities for forensic analysis in
real time. Real time activity can now be sent to the Log Correlation Engine for
these types of network events:
- Any DNS resolution attempt – this provides a record of any DNS queries from your network, even if they are being sent to servers outside of your network. The LCE provides daily lists of all DNS queries for each host, which facilitates analysis of host activities.
- Database SQL queries – after a web-based attack, having logs of all SQL queries can aid in determining the attack vector and source. The LCE can also use these logs to automatically identify misuse, probes and anomalies.
- Encrypted session logging – as the PVS observes network traffic, it tests the randomness of transmitted content to identify encrypted communications.
- File transfers – all files transferred over SMB, HTTP, FTP and NFS are logged in real time. Having the PVS send these logs to the LCE is invaluable if there is an attacker or an insider threat, or if you just want to see who is sharing spreadsheets on the network.
- Web activity – the PVS logs all HTTP GET and POST events. These logs can be used to help identify web-browsing abuse, such as downloading pornography or botnet activity.
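As an added illustration of the randomness test behind encrypted session logging (example code written for this post, not PVS code or any Tenable implementation): a payload-entropy classifier run over constructed session records. The hosts, ports, payloads and the 7.0 bits/byte threshold are assumed sample values.

```python
import hashlib
import math
from collections import Counter

MIN_SAMPLE = 256          # entropy estimate is biased low on short payloads
ENTROPY_THRESHOLD = 7.0   # bits/byte; random data nears 8.0, text protocols sit below 6.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, estimated from the byte histogram."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/CR/LF."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)

def looks_encrypted(payload: bytes) -> bool:
    """Randomness test: enough data, high entropy, and not mostly printable text."""
    if len(payload) < MIN_SAMPLE:
        return False  # too little data to judge; treat as plaintext
    return (shannon_entropy(payload) >= ENTROPY_THRESHOLD
            and printable_ratio(payload) < 0.5)

def classify_sessions(sessions):
    """Map (src, dst, port, payload) records to (src, dst, port, verdict)."""
    return [(src, dst, port, "encrypted" if looks_encrypted(p) else "plaintext")
            for src, dst, port, p in sessions]

# Constructed sample data: an HTTP request repeated to a realistic size, and a
# SHA-256 chain standing in for the opaque bytes of a TLS or SSH session.
HTTP_PAYLOAD = (b"GET /reports/q3.xls HTTP/1.1\r\nHost: intranet.example\r\n"
                b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0)\r\n\r\n") * 6
RANDOM_PAYLOAD = b"".join(hashlib.sha256(b"constructed-seed-%d" % i).digest()
                          for i in range(32))
SAMPLE_SESSIONS = [
    ("10.0.0.5", "10.0.0.80", 80, HTTP_PAYLOAD),
    ("10.0.0.5", "10.0.0.22", 22, RANDOM_PAYLOAD),
    ("10.0.0.9", "10.0.0.80", 80, b"GET / HTTP/1.0\r\n\r\n"),  # too short to judge
]

for rec in classify_sessions(SAMPLE_SESSIONS):
    print("%s -> %s:%d %s" % rec)
```

Compressed content (gzip, media) also scores high on this test, so a production sensor would combine it with port and protocol parsing before labelling a session encrypted.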
For More Information
If you are interested in upgrading your Security Center to
work with passive vulnerability data or would like to evaluate Tenable’s
Unified Security Monitoring solution, please contact us at [email protected].