Sunday, July 03, 2005

News from Tenable and Sourcefire

Last week I was fortunate to visit two outstanding security companies in Columbia, MD. I spent most of the day with Tenable Network Security. I participated in a class taught by Marcus Ranum and Ron Gula. They familiarized the attendees with several products which I will briefly mention here.

First we used the vulnerability scanner Nessus and its Windows counterpart NeWT. The 2.2.0 version of NeWT was just released, so I recommend downloading it if you're looking for a powerful Windows-based vulnerability scanner. This free version of NeWT is limited to scanning a single class C network. If you want to scan more addresses on Windows, you can upgrade to NeWT Pro for $6,000.

The free version features rotating banners that are downloaded along with the plug-ins. In the following screen shot, you can see that the TaoSecurity banner even makes an appearance!



After using NeWT we tried NeVO, the "Network Vulnerability Observer". NeVO is a passive vulnerability assessment tool. Unlike Nessus and NeWT, NeVO does not send packets to targets to enumerate vulnerabilities. Rather, NeVO observes traffic and silently assesses target characteristics.

In the following screen shot, I'm running NeVO on my Windows 2000 system as I browse various Web sites.



I've highlighted an alert that shows 128.178.42.93 is running a Web server with a potentially vulnerable version of PHP. You may also see 216.133.72.171 is running a potentially vulnerable version of PostNuke. I say "potentially" in both cases, because NeVO makes its decision on the information it sees the Web server report. For example:

orr:/home/richard$ nc -v 128.178.42.93 80
Connection to 128.178.42.93 80 port [tcp/http] succeeded!
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Sun, 03 Jul 2005 22:05:31 GMT
Server: Apache/1.3.28 (Linux/SuSE) PHP/4.3.3
Last-Modified: Tue, 20 Nov 2001 10:40:36 GMT
ETag: "2c3a3-a7-3bfa3324"
Accept-Ranges: bytes
Content-Length: 167
Connection: close
Content-Type: text/html

If we trust the banner reported above, we know 128.178.42.93 is vulnerable.

I think passive vulnerability assessment is a powerful tool. It's a continuous way to discover assets, enumerate services, and identify vulnerabilities. It uses zero bandwidth and has no adverse affects on targets. It's completely silent so no one knows it is working. NeVO doesn't just watch servers; it also watches clients. In this age of client-side exploitation, identifying vulnerable Web browsers or mail clients is critical.

I expect to see increased use of passive methods, especially in large networks. It makes sense to do as much vulnerability assessment as possible using passive methods, and finish the enumeration process actively.

Next we turned to Tenable's log aggregation product Thunder. If you're looking for a way to collect and make sense of large volumes of log data, Thunder may suit your needs. Thunder features a scripting language similar to NASL called TASL, or Tenable Application Scripting Language. TASL allows analysts to create rules that in many ways "keep state" from rule to rule. For example, one could write a TASL rule to generate an alert if an analyst-defined number of unsuccessful login attempts occur. For more information on TASL, I recommend reading Tenable's Security Event Management (.pdf) white paper.

Thunder is paired with Lightning, Tenable's unifying console. Lightning takes feeds from all of Tenable's products to populate a cumulative database of enterprise asset data. Both Thunder and Lightning will feature some cool enhancements for their 3.0 release, which should occur in the coming weeks.

After Tenable I headed down the street to Sourcefire and meet with Jennifer Steffens. She told me about Sourcefire's new certification program. The Snort Certified Professional (SnortCP) sounds interesting. We also talked about the upcoming Open Source Snort Rules Consortium (OSSRC) meeting on Thursday 7 July at 1200 EDT in irc.freenode.net, #ossrc.

As Snort product manager, Jennifer shared with me that Snort 2.4.0 will be released soon. I also got a look at Sourcefire's new HQ, which is a two-building affair down the street from the old campus I visited several months ago. They needed two buildings to accommodate the large data center where hundreds of rack-mounted servers are housed -- many of which build Snort and its rules, for you, for free!

Speaking of rules, Jennifer says we can expect to see the new Snort rules language some time next year, paired with a release of Snort 3.0. I am particularly excited by that development.

2 comments:

Anonymous said...

Tools like these make me wish I worked for a company with a bigger budget. :)
-LonerVamp

Anonymous said...

ditto