
Nessus Network Monitor 5.4 User Guide

Last Updated: May 10, 2018

Table of Contents

Welcome to Nessus Network Monitor 8

NNM Workflow 9

System Requirements 10

Hardware Requirements 11

Software Requirements 13

Licensing Requirements 16

Download NNM 17

Install NNM 18

Install NNM on Linux 19

Install NNM on Windows 21

Install NNM on macOS 28

Upgrade NNM 31

Upgrade NNM on Linux 32

Upgrade NNM on Windows 33

Upgrade NNM on macOS 34

Set up NNM 35

Configure NNM 36

Register NNM Offline via the NNM Interface 38

Register NNM Offline via the CLI 40

Register High Performance Mode NNM for SecurityCenter in an Air-gapped Environment 42

Configure High Performance Mode 45

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

Remove NNM 46

Remove NNM from Linux 47

Remove NNM from Windows 48

Remove NNM from macOS 49

NNM Features 50

NNM Navigation 51

Monitoring Page 53

Dashboards Section 57

Hosts Section 60

Vulnerabilities Section 65

Applications Section 66

Operating Systems Section 67

Connections Section 68

Mobile Devices Section 69

Results Page 70

Users Page 72

Configuration Page 73

NNM Settings Section 74

Feed Settings Section 84

Offline Update 85

Cloud Settings Section 87

Industrial Security Settings Section 88

Web Proxy Settings Section 89

Chart Settings Section 90


Email Settings Section 91

Plugin Settings Section 93

Nessus Scanner Settings Section 96

How To 97

Monitoring Page 98

Rearrange Charts 99

Set a Range for the Dashboards Section 100

Refresh a Chart 101

Remove a Chart from a Dashboard 102

Export Results 103

Filter Results 104

Launch a Nessus Scan 105

Delete a Vulnerability 106

Results Page 107

Upload a Report 108

Upload a Pcap 109

Filter Results 110

Delete Results 111

Users Page 112

Create a New User 113

Modify a User Account 114

Reset a Locked Account 115

Delete a User 116

Configuration Page 117


Configure the Performance Mode 118

Download New Vulnerability Plugins 120

Updating the NNM Management Interface 121

Configure NNM for use with Industrial Security 122

Create a Custom Chart 128

Delete a Chart 131

Create an Email Notification 132

Delete an Email Notification 134

Add a Plugin Field 135

Delete a Custom Plugin 136

Add a Nessus Scanner 137

Delete a Nessus Scanner 138

Additional Resources 139

Command Line Operations 140

Common Command Line Operations 141

Linux Command Line Operations 145

Windows Command Line Operations 149

macOS Command Line Operations 151

Unknown or Customized Ports 153

Real-Time Traffic Analysis Configuration Theory 154

Focus Network 155

Detecting Server and Client Ports 156

Detecting Specific Server and Client Port Usage 157

Firewall Rules 159


Working with SecurityCenter CV 160

Selecting Rule Libraries and Filtering Rules 161

Detecting Encrypted and Interactive Sessions 162

Routes and Hop Distance 163

Alerting 164

Modules 165

Connection Analysis Module 166

SCADA/ICS Analysis Module 169

Internal NNM Plugin IDs 222

NNM Plugins 224

About NNM Plugins 225

NNM Fingerprinting 226

NNM Plugin Syntax 227

Network Client Detection 232

Pattern Matching 233

Time Dependent Plugins 236

Plugin Examples 238

NNM Real-Time Plugin Syntax 241

Real-Time Plugin Examples 243

NNM Corporate Policy Plugins 247

Detecting Custom Activity Prohibited by Policy 248

Detecting Confidential Data in Motion 251

Working with SecurityCenter CV 253

Managing Vulnerabilities 254


Syslog Messages 255

Standard Syslog Message Types 256

CEF Syslog Message Types 258

Custom SSL Certificates 259

Configure NNM for Certificates 261

Create a Custom CA and Server Certificate 262

Create NNM SSL Certificates for Login 264

Connect to NNM with a User Certificate 266


- 8 -

Welcome to Nessus Network Monitor

This user guide describes the Tenable™ Nessus Network Monitor™ 5.4 (Patent 7,761,918 B2) architecture, installation, operation, and integration with SecurityCenter CV, Industrial Security, and Tenable.io, and export of data to third parties. Please email any comments and suggestions to [email protected].

Tip: If you are new to NNM, see the Workflow.

Passive vulnerability scanning is the process of monitoring network traffic at the packet layer to determine topology, clients, applications, and related security issues. NNM also profiles traffic and detects compromised systems.

NNM can:

• Detect when systems are compromised with application intrusion detection.

• Highlight all interactive and encrypted network sessions.

• Detect when new hosts are added to a network.

• Track which systems are communicating on which ports.

• Detect which ports are served and which are browsed by each system.

• Detect the number of hops to each monitored host.

Tip: For security purposes, Tenable™ does not recommend configuring NNM as internet facing software.


- 9 -

NNM Workflow

1. Ensure that your setup meets the minimum system requirements:

• Hardware requirements

• Software requirements

2. Obtain the proper license or Activation Code for NNM for your configuration.

Note: See special activation code instructions for integration with SecurityCenter, Industrial Security, or Tenable.io.

3. Follow the installation steps for your operating system:

• Linux

• Windows

• macOS

4. Perform the initial configuration steps for NNM in the web interface.

After configuration, NNM begins scanning immediately.

Note: If you wish to register NNM offline or run NNM in High Performance mode, you must follow several additional configuration steps.

5. Create users in NNM and set administrative privileges as necessary.

6. You can view live scan results in dashboards on the Monitoring page and historical data in snapshots and reports on the Results page.


- 10 -

System Requirements

This section describes the following system requirements for NNM:

• Hardware Requirements

• Software Requirements

• Licensing Requirements


- 11 -

Hardware Requirements

Enterprise networks can vary in performance, capacity, protocols, and overall activity. Resource requirements to consider for NNM deployments include raw network speed, the size of the network being monitored, and the configuration of NNM.

The following chart outlines some basic hardware requirements for operating NNM:

Version      | Installation scenario                    | RAM                                  | Processor                            | Hard Disk
-------------|------------------------------------------|--------------------------------------|--------------------------------------|-------------------
All Versions | NNM managing up to 50,000 hosts * (**)   | 2 GB RAM (4 GB RAM recommended)      | 2 2GHz cores                         | 20 GB HDD minimum
All Versions | NNM managing more than 50,000 hosts **   | 4 GB RAM (8 GB RAM recommended)      | 4 2GHz cores                         | 20 GB HDD minimum
All Versions | NNM running in High Performance mode     | 16 GB RAM (HugePages memory: 2 GB)   | 10 CPUs with hyper-threading enabled | 20 GB HDD minimum

* The ability to monitor a given number of hosts depends on the bandwidth, memory, and processing power available to the system running NNM.

** For optimal data collection, NNM must be connected to the network segment via a hub, spanned port, or network tap to have a full, continuous view of network traffic.

Note: Please research your VM software vendor for comparative recommendations, as VMs typically see up to a 30% loss in efficiency compared to dedicated servers.

High Performance Mode

To run NNM in High Performance mode, a minimum of two of the following types of Intel NICs are required; one as a management interface and at least one as a monitoring interface:

• e1000 (82540, 82545, 82546)

• e1000e (82571, 82574, 82583, ICH8.ICH10, PCH.PCH2)

• igb (82575, 82576, 82580, I210, I211, I350, I354, DH89xx)


- 12 -

• ixgbe (82598, 82599, X540, X550)

• i40e (X710, XL710)


- 13 -

Software Requirements

The Nessus Network Monitor is available for the following platforms:

Version: 5.2+

Software Requirements:

• Red Hat Linux ES 5 / CentOS 5 64-bit

• Red Hat Linux ES 6 / CentOS 6 64-bit

• Red Hat Linux ES 7 / CentOS 7 64-bit

• Mac OS X 10.9-10.12 64-bit

• Microsoft Windows Vista, 7, 8, Server 2008, and Server 2012

• Microsoft Visual C++ 2010 Redistributable Package

High Performance mode only available on:

• CentOS 6.x 64-bit

• CentOS 7.x 64-bit

• Red Hat ES 6.6+ 64-bit

• Red Hat ES 7.x 64-bit

• Linux kernel version 2.6.34

Previous Versions

Version: 5.1

Software Requirements:

• Red Hat Linux ES 5 / CentOS 5 64-bit

• Red Hat Linux ES 6 / CentOS 6 64-bit

• Red Hat Linux ES 7 / CentOS 7 64-bit

• Mac OS X 10.8 and 10.9 64-bit

• Microsoft Windows Vista, 7, 8, Server 2008, and Server 2012

• Microsoft Visual C++ 2010 Redistributable Package

High Performance mode only available on:

• CentOS 6.x 64-bit

• CentOS 7.x 64-bit

• Red Hat ES 6.6+ 64-bit

• Red Hat ES 7.x 64-bit

• Linux kernel version 2.6.34

Version: 4.4.x to 5.0

Software Requirements:

• Red Hat Linux ES 5 / CentOS 5 64-bit

• Red Hat Linux ES 6 / CentOS 6 64-bit

• Red Hat Linux ES 7 / CentOS 7 64-bit

• Mac OS X 10.8 and 10.9 64-bit

• Microsoft Windows Vista, 7, 8, Server 2008, and Server 2012

High Performance mode only available on:

• CentOS 6.x 64-bit

• CentOS 7.x 64-bit

• Red Hat ES 6.6+ 64-bit

• Red Hat ES 7.x 64-bit

You can use ERSPAN to mirror traffic from one or more source ports on a virtual switch, physical switch, or router and send the traffic to a destination IP host running NNM. NNM supports the following ERSPAN virtual environments:

• VMware ERSPAN (Transparent Ethernet Bridging)

• Cisco ERSPAN (ERSPAN Type II)

Tip: Refer to the Configuring Virtual Switches for Use with NNM document for details on configuring your virtual environment.

High Performance Mode

To run NNM in High Performance mode, you must enable HugePages support. HugePages is a performance feature of the Linux kernel and is necessary for the large memory pool allocation used for packet buffers. If your Linux kernel does not have HugePages configured, NNM automatically configures HugePages per the appropriate settings. Otherwise, if your Linux kernel has defined HugePages, refer to the Configuring HugePages instructions.

The following virtual environments are supported for running NNM in High Performance mode:

• VMware ESXi/ESX 5.5

• VMXNET3 network adapter

• VMware ESXi/ESX 6.x


- 16 -

Licensing Requirements

NNM Subscription

An NNM subscription Activation Code is available that enables NNM to operate in Standalone mode. Use this mode to view results from an HTML interface enabled on the NNM server.

Activation Code

To obtain a Trial Activation Code for NNM, contact [email protected]. Trial Activation Codes are handled the same way by NNM as full Activation Codes, except that Trial Activation Codes allow monitoring for only 30 days. During a trial of NNM, all features are available.

SecurityCenter Continuous View

SecurityCenter Continuous View includes NNM as part of a bundled license package with SecurityCenter. This license allows an unlimited number of NNM deployments to monitor an unlimited number of networks. SecurityCenter CV's IP view is constrained by the license with which it is purchased.

Tenable.io

Tenable.io pushes plugins down to NNM. Your Tenable.io licensing determines the number of NNM deployments.

High Performance Mode

NNM in High Performance Mode can be licensed in Standalone mode or bundled with SecurityCenter CV.


- 17 -

Download NNM

Steps

1. Access the Tenable Support Portal.

2. On the left side of the page, click Main Menu > Downloads.

3. Click Nessus Network Monitor.

4. Select the correct version for your operating system.

After you accept the license agreement, a download begins.

Note: To ensure binary compatibility, be sure to download the correct build for your operating environment.

5. Confirm the integrity of the installation package by comparing the downloaded MD5 checksum with the one listed in the product release notes.


- 18 -

Install NNM

This section describes how to perform an initial installation of NNM on the following platforms:

• Linux

• Windows

• macOS


- 19 -

Install NNM on Linux

Before You Begin

These steps assume you have downloaded NNM and are running all commands with root privileges. To ensure audit record time stamp consistency between NNM and SecurityCenter CV, ensure the underlying OS makes use of NTP as described in the following document:

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sect-Date_and_Time_Configuration-Command_Line_Configuration-Network_Time_Protocol.html

The software license agreement for NNM is located in the /opt/NNM/docs directory. It is also available online in the following location:

http://static.tenable.com/prod_docs/Master_Software_License_and_Services_Agreement.pdf

Tip: Ensure that organizational and OS firewall rules permit access to port 8835 on the NNM server.

Steps

1. Install the NNM .rpm file downloaded from the Tenable Support Portal on RedHat or CentOS with the following command. The specific filename varies depending on your platform and version.

# rpm -ivh NNM-5.x.x-esx.x86_64.rpm
Preparing...      ########################################### [100%]
1:NNM             ########################################### [100%]
[*] NNM installation completed.
#

The installation creates the /opt/nnm directory, which contains the NNM software, default plugins, and directory structure.

2. Start NNM for Red Hat and CentOS systems using the following command:

# service nnm start

3. Navigate to https://<IP address or hostname>:8835, which displays the NNM web front end to log in for the first time.

Refer to Configure NNM to complete the initial login.


- 21 -

Install NNM on Windows

Before You Begin

These steps assume you have downloaded NNM and are running all programs as a local user with administrative privileges. To do so, when UAC is enabled, right-click on the installer program and select Run as Administrator.

Additionally, you must ensure the latest version of Microsoft Visual C++ 2010 Redistributable Package is installed for your 64-bit platform and architecture. Be sure to stop any other programs on your system that utilize WinPcap.

Steps

1. Double-click the .exe file downloaded from the Tenable Support Portal. The specific filename varies depending on your version.

The InstallShield Wizard launches, which walks you through the installation process and required configuration steps.


- 22 -

2. Click the Next button.

The License Agreement screen appears.


- 23 -

3. Agree to the terms to continue the installation process and use NNM.

Tip: You can copy the text of the agreement into a separate document for reference, or you can click the Print button to print the agreement directly from this screen.

4. Click the Next button.

The Customer Information screen appears. The User Name and Company Name fields are used to customize the installation, but are not related to any configuration options (e.g., for interfacing with SecurityCenter CV).


- 24 -

5. Click the Next button.

The Choose Program Location screen appears, where you can verify the location in which the NNM binaries are installed.


- 25 -

6. Click the Change button to specify a custom path.

7. Click the Next button.

The Choose Data Location screen appears, where you can verify the location in which user data generated by NNM is stored.


- 26 -

8. Click the Change button to specify a custom path.

Tip: If you connect NNM to SecurityCenter CV, altering the data path disables SecurityCenter CV from retrieving reports.

9. Click the Next button.

The Ready to Install the Program screen appears, where you can review and edit the information supplied on previous screens.


- 27 -

10. Click the Install button.

The Setup Status screen appears. If the most recent version of WinPcap is already installed on the system, the NNM installation process asks if you want to force or cancel installation of WinPcap. If it does not detect WinPcap, or detects an older version, a second installer launches to install or upgrade the software.

Tip: Use the provided version of WinPcap or newer. NNM has been designed and tested using the supplied version of WinPcap.

11. Start NNM.


- 28 -

Install NNM on macOS

Before You Begin

These steps assume you have downloaded NNM and are running all programs as a root user or with equivalent privileges.

Steps

1. Double-click the .dmg file downloaded from the Tenable Support Portal to mount the disk image NNM Install. The specific filename varies depending on your version.

2. Double-click the Install NNM.pkg file.

The Install Tenable NNM window appears, which walks you through the installation process and any required configuration steps.


- 29 -

3. Click the Continue button.

The Software License Agreement screen appears.

4. Agree to the terms to continue the installation process and use NNM.

Tip: You can copy the text of the agreement into a separate document for reference, or you can click the Print button to print the agreement directly from this screen.

5. Click Install to begin the installation.

A window appears asking for authentication permission to install the software.

6. Click the Install Software button.

A window appears, requesting permission to allow NNM to accept incoming network connections. If this option is denied, NNM is installed but functionality is severely reduced.

7. When the identity dialog box appears, click Continue.

Tip: Once the installation process is complete, eject the NNM install volume.

Start and Stop NNM for macOS

1. Access System Preferences > NNM.Preferences.

The NNM.Preferences window appears.

2. Select the Start NNM or Stop NNM button.

Tip: You can also issue a command from the terminal to manually start or stop NNM.


- 31 -

Upgrade NNM

This section describes how to upgrade an existing NNM instance on the following platforms:

• Linux

• Windows

• macOS


- 32 -

Upgrade NNM on Linux

Before You Begin

These steps assume you have backed up your custom SSL certificates. They also assume that you are running all commands with root privileges.

Additionally, if you have used an NNM RPM to install NNM previously, an upgrade retains configuration settings. You must transfer the NNM RPM package to the system on which it is being installed. Confirm the integrity of the installation package by comparing the download MD5 checksum with the one listed in the product release notes.

Steps

1. Stop NNM with the following command:

# service nnm stop

2. Install the NNM .rpm file downloaded from the Tenable Support Portal with the following command. The specific filename varies depending on your version:

# rpm -Uvh NNM-5.x.x-esx.x86_64.rpm
Preparing... ########################################### [100%]
1:NNM ########################################### [100%]
[*] NNM installation completed.
#

3. Once the upgrade is complete, start NNM with the following command:

# service nnm start

4. Navigate to https://<ip address or hostname>:8835, which displays the NNM web front end to log in.

Tip: Ensure that organizational firewall rules permit access to port 8835 on the NNM server.
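The Linux install and upgrade procedures above (and the checksum step under Download NNM) can be scripted so that the MD5 comparison is never skipped and the web front end is confirmed to be listening before anyone is told to log in. This is an added example, not a script shipped by Tenable; it assumes md5sum, rpm, service and ss are on PATH, that the expected hash is copied from the product release notes, and that the package name NNM is what rpm -q reports for an installed NNM.

```shell
#!/bin/sh
# Added example (not part of the Tenable guide): pre-flight and install helper for the
# RPM-based Linux procedure. Assumes: md5sum, rpm, service, ss on PATH; the expected
# MD5 comes from the release notes; 8835 is the NNM web front end port named in the guide.
NNM_PORT=8835

# md5_of FILE -> prints the lower-case hex MD5 of FILE (md5sum, falling back to BSD md5)
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}' | tr 'A-Z' 'a-z'
    else
        md5 -q "$1" | tr 'A-Z' 'a-z'
    fi
}

# verify_md5 FILE EXPECTED -> 0 when FILE's MD5 equals EXPECTED (case-insensitive), 1 otherwise
verify_md5() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    actual=$(md5_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "checksum OK: $file"
        return 0
    fi
    echo "checksum MISMATCH for $file: got $actual, expected $expected" >&2
    return 1
}

# install_or_upgrade FILE -> rpm -Uvh after stopping nnm when NNM is already installed
# (the upgrade path in the guide), rpm -ivh for a fresh install.
install_or_upgrade() {
    if rpm -q NNM >/dev/null 2>&1; then
        service nnm stop
        rpm -Uvh "$1"
    else
        rpm -ivh "$1"
    fi
}

# wait_for_port PORT TRIES -> 0 once a TCP listener on PORT appears, 1 after TRIES seconds
wait_for_port() {
    port="$1"; tries="$2"
    while [ "$tries" -gt 0 ]; do
        if ss -ltn 2>/dev/null | grep -q "[:.]$port[[:space:]]"; then
            return 0
        fi
        sleep 1
        tries=$((tries - 1))
    done
    return 1
}

# main PACKAGE EXPECTED_MD5 -> refuses to install anything whose checksum does not match
main() {
    pkg="$1"; expected="$2"
    verify_md5 "$pkg" "$expected" || exit 1
    install_or_upgrade "$pkg"
    service nnm start
    if ! wait_for_port "$NNM_PORT" 30; then
        echo "NNM did not open port $NNM_PORT within 30s; check 'service nnm status'" >&2
        exit 1
    fi
    echo "NNM web front end is listening on https://$(hostname):$NNM_PORT"
}

# Only run main when invoked with the package and hash, so the functions can also be sourced.
if [ "$#" -eq 2 ]; then
    main "$@"
fi
```

Invoke it as `sh nnm-install.sh NNM-5.x.x-esx.x86_64.rpm <md5 from release notes>`; a mismatched hash stops the run before rpm is called.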


- 33 -

Upgrade NNM on Windows

Before You Begin

These steps assume you have backed up your custom SSL certificates. They also assume that you are running all programs as a local user with administrative privileges. To do so, when UAC is enabled, right-click on the installer program and select Run as Administrator.

Additionally, you must ensure the latest version of the Microsoft Visual C++ 2010 Redistributable Package is installed for your 64-bit platform and architecture. Be sure to stop any other programs on your system that are utilizing WinPcap.

Steps

1. Stop the Tenable NNM Proxy Service from the Windows Services control panel.

2. Double-click the .exe file downloaded from the Tenable Support Portal. The specific filename varies depending on your platform and/or version.

The InstallShield Wizard launches and begins the upgrade process.

3. Click the Next button.

The automated upgrade process begins.

Note: If the version of WinPcap is not at the appropriate level during the upgrade process, an upgrade window appears and begins the process of upgrading WinPcap. Failure to install the recommended version of WinPcap may result in errors with NNM monitoring.

4. When the upgrade is complete, start NNM.

5. Navigate to https://<ip address or hostname>:8835 to display the NNM web front end to log in.

Tip: Ensure that organizational firewall rules permit access to port 8835 on the NNM server.


Upgrade NNM on macOS

Before You Begin

These steps assume that you have backed up your custom SSL certificates and are running all programs with root privileges.

Steps

1. Stop NNM.

2. Double-click the .dmg file downloaded from the Tenable Support Portal to mount the disk image NNM Install. The specific filename varies depending on your version.

3. Double-click the Install NNM.pkg file.

The Install Tenable NNM window appears, which walks you through the upgrade process and any required configuration steps.

4. Click the Continue button.

The Software License Agreement screen appears.

5. Agree to the terms to continue the installation process and use NNM.

Tip: You can copy the text of the agreement into a separate document for reference, or you can click the Print button to print the agreement directly from this screen.

6. Click the Install button.

A window appears asking for authentication permission to install the software.

7. Click the Install Software button.

A window appears requesting permission to allow NNM to accept incoming network connections. If this option is denied, NNM is installed but functionality is severely reduced.

8. Click the Allow button.


Set up NNM

NNM configuration follows the same steps for all operating systems. This section provides instructions for the following:

• Configure NNM

• Register NNM Offline via the NNM Interface

• Register NNM Offline via the CLI

• Configure High Performance Mode


Configure NNM

Steps

1. In a web browser, navigate to https://<ip address or hostname>:8835.

2. Enter the default username and password, which are both admin.

3. Click Sign In To Continue.

4. The Change Default Password screen of the Quick Setup window appears, where you can change the default password. The new password must meet the following minimum requirements:

• Minimum 5 characters long

• One capital letter

• One lowercase letter

• One numeric digit

• One special character from the following list: !@#$%^&*()

5. Click Next Step.

The Set Activation Code screen appears.

6. In the Activation Code box, enter the appropriate text based on your setup:

• If NNM is acting as a standalone device, enter an Activation Code.

• If NNM is managed by Tenable.io or Tenable.io on-prem, enter the text Cloud.

Four configuration options appear: Cloud Host, Cloud Port, Cloud Key, and NNM Name. Refer to the Cloud Settings section for more information.

• If NNM is managed by SecurityCenter, enter the text SecurityCenter.

-or-

To register NNM offline, select the Register Offline check box and follow the Register NNM Offline instructions.

7. Click Next Step.


The Monitoring Configuration screen appears.

• The Monitored Network Interfaces box displays the monitored interfaces identified by NNM. You can select one or more of the defined interfaces. The caret icon displays additional information about each interface.

• The Monitored Network IP Addresses and Ranges box displays the IP address ranges NNM monitors.

• The Excluded Network IP Addresses and Ranges box displays the IP address ranges NNM does not monitor.

The Monitored Network IP Addresses and Ranges and Excluded Network IP Addresses and Ranges boxes accept both IPv4 and IPv6 CIDR address definitions. When using multiple addresses, separate the entries using commas or new lines.

Note: Tenable Network Security does not recommend entering large ranges such as 0.0.0.0/0. Because this indicates to NNM that any and all network addresses belong in the network, performance may be severely impacted. Please only include addresses in your network, as each address undergoes in-depth processing.

8. Click Finish.

The Monitoring page appears. Once NNM starts monitoring traffic, the page displays various high-level charts about the vulnerabilities, assets, connections, and bandwidth usage that NNM has detected, as well as real-time events that NNM has triggered.
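The two free-text inputs in this procedure, the password in step 4 and the CIDR lists in step 7, are easy to get wrong before NNM ever sees them. The following Python script is an added example, not part of this guide or of NNM itself: it checks a candidate password against the requirements listed in step 4, and it parses the Monitored/Excluded box contents with Python's standard ipaddress module, flagging 0.0.0.0/0 (and its IPv6 counterpart ::/0, my generalisation of the note above) and any excluded range that no monitored range covers (a sanity check I added, not a documented NNM rule). The sample ranges in the main block are constructed.

```python
"""Offline checks for the two free-text inputs in NNM Quick Setup.

Added illustration, not Tenable code. It applies the password policy from
step 4 and parses the comma- or newline-separated IPv4/IPv6 CIDR lists from
step 7 with the standard library, flagging the catch-all ranges the guide
warns against.
"""
import ipaddress
import re
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Special characters exactly as listed in step 4 of the guide.
SPECIALS = set("!@#$%^&*()")


def check_password(password: str) -> List[str]:
    """Return the step 4 requirements that `password` fails (empty = OK)."""
    failures = []
    if len(password) < 5:
        failures.append("minimum 5 characters")
    if not any(c.isupper() for c in password):
        failures.append("one capital letter")
    if not any(c.islower() for c in password):
        failures.append("one lowercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("one numeric digit")
    if not any(c in SPECIALS for c in password):
        failures.append("one special character from !@#$%^&*()")
    return failures


def parse_ranges(text: str) -> List[Network]:
    """Parse the Monitored/Excluded box contents: IPv4 or IPv6 CIDR entries
    separated by commas or new lines. A bare address is treated as a /32
    or /128. Raises ValueError naming the first bad entry."""
    networks = []
    for entry in re.split(r"[,\n]", text):
        entry = entry.strip()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(f"invalid CIDR entry {entry!r}: {exc}") from None
    return networks


# The guide names 0.0.0.0/0 as the range to avoid; ::/0 is its IPv6
# counterpart and is treated the same way here (my generalisation).
CATCH_ALL = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}


def range_warnings(monitored: List[Network], excluded: List[Network]) -> List[str]:
    """Warn about catch-all monitored ranges and about excluded ranges that
    no monitored range contains (such exclusions cannot affect anything;
    this is a sanity check of mine, not a documented NNM rule)."""
    warnings = []
    for net in monitored:
        if net in CATCH_ALL:
            warnings.append(f"monitored range {net} covers every address; "
                            "NNM would deep-process all traffic")
    for ex in excluded:
        covered = any(ex.version == m.version and ex.subnet_of(m) for m in monitored)
        if not covered:
            warnings.append(f"excluded range {ex} lies outside every monitored range")
    return warnings


if __name__ == "__main__":
    # Constructed sample input, as it might be pasted into the Quick Setup boxes.
    monitored = parse_ranges("10.0.0.0/8, 2001:db8::/32\n192.168.1.0/24")
    excluded = parse_ranges("10.255.0.0/16\n172.16.0.0/12")
    for warning in range_warnings(monitored, excluded):
        print("WARNING:", warning)
    print("password 'admin' fails:", check_password("admin"))
```

The CIDR parser uses strict=False so that a plain host address pastes as a /32 or /128 rather than being rejected; if you want the boxes to contain only network addresses, switch it to the default strict=True.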


Register NNM Offline via the NNM Interface

Steps

1. In Step 4 of the Initial Configuration, on the Quick Setup window, select the Register Offline check box.

A challenge code and the Activation Key box appear.

2. Copy the challenge code and, in a web browser, navigate to https://plugins.nessus.org/v2/offline-NNM.php.

3. In the appropriate boxes, paste your challenge code and enter the Activation Code you received from Tenable.

4. Click Submit.

The page generates a URL to download the NNM plugins tarball. Save this URL, as it is used every time you update your plugins. Additionally, a license key appears.

5. Copy the license key.

6. Navigate to the NNM interface.


7. Paste the license key into the Activation Key box on the Quick Setup window.

8. Click the Next Step button.

9. Continue with Step 5 of the Initial Configuration instructions.

Note: After configuring NNM, upload the plugins tarball in the Offline Update area of the Feed Settings section.


Register NNM Offline via the CLI

If your NNM installation cannot reach the Internet directly, use the following procedure to register and update plugins:

1. On the system running NNM, type the following command:

Platform                  Command to Run

Red Hat Linux / CentOS    # /opt/nnm/bin/nnm --challenge

Windows                   C:\Program Files\Tenable\NNM\nnm --challenge

macOS                     # /Library/NNM/bin/nnm --challenge

This produces a challenge code similar to the following:

569ccd9ac72ab3a62a3115a945ef8e710c0d73b8

2. Go to https://plugins.nessus.org/v2/offline-NNM.php.

3. Paste the challenge code as well as the Activation Code you received previously from Tenable into the appropriate text boxes.

This produces a URL that gives you direct access to the NNM plugins.

4. Save the URL as it is used every time you update your plugins.

Additionally, a license key and the associated NNM.license file are produced.

5. Copy this file to the host running NNM in the appropriate directory.

6. Once the NNM.license file is copied, run the NNM --register-offline command to install the file:

Platform                  Command

Red Hat Linux / CentOS    # /opt/nnm/bin/nnm --register-offline /path/to/NNM.license

Windows                   C:\Program Files\Tenable\NNM\nnm --register-offline "C:\path\to\NNM.license"

macOS                     # /Library/NNM/bin/nnm --register-offline /path/to/NNM.license

7. To obtain the newest plugins, navigate to the URL provided in the previous step.

You receive a TAR file (e.g., sc-passive.tar.gz).

8. Copy the file to NNM and then type the appropriate command for your platform:

Platform                  Command

Red Hat Linux / CentOS    # /opt/nnm/bin/nnm --update-plugins /path/to/sc-passive.tar.gz

Windows                   C:\Program Files\Tenable\NNM\nnm --update-plugins C:\path\to\sc-passive.tar.gz

macOS                     # /Library/NNM/bin/nnm --update-plugins /path/to/sc-passive.tar.gz
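The steps above are typed by hand on three platforms, and the usual slips (a mis-pasted challenge code, a saved error page where the tarball should be) only surface when nnm rejects the input. The following Python wrapper is an added example and not Tenable tooling: the binary paths and flags are the ones listed in the tables above, the check that a challenge code is 40 lowercase hex characters is inferred from the sample shown in step 1, and the gzip-signature check on the downloaded tarball is my own addition; treat both as assumptions. Commands are built as argv lists, so the space in the Windows install path needs no quoting.

```python
"""Wrapper for the offline registration and plugin-update steps above.

Added illustration, not Tenable tooling. Binary locations and flags are the
ones the guide's tables list. The challenge-code format (40 lowercase hex
characters) is inferred from the sample in step 1 and the gzip check on the
plugin tarball is my own addition; both are assumptions.
"""
import re
import subprocess
from pathlib import Path
from typing import List

# Per-platform nnm binary, as given in the guide's tables.
NNM_BIN = {
    "linux": "/opt/nnm/bin/nnm",
    "windows": r"C:\Program Files\Tenable\NNM\nnm",
    "macos": "/Library/NNM/bin/nnm",
}

CHALLENGE_RE = re.compile(r"^[0-9a-f]{40}$")
GZIP_MAGIC = b"\x1f\x8b"


def is_challenge_code(text: str) -> bool:
    """True if `text` matches the shape of the challenge code in step 1."""
    return bool(CHALLENGE_RE.match(text.strip()))


def challenge_cmd(platform: str) -> List[str]:
    """Step 1: print the challenge code."""
    return [NNM_BIN[platform], "--challenge"]


def register_offline_cmd(platform: str, license_path: str) -> List[str]:
    """Step 6: install the NNM.license file obtained from the portal."""
    return [NNM_BIN[platform], "--register-offline", license_path]


def update_plugins_cmd(platform: str, tarball: str) -> List[str]:
    """Step 8: load the downloaded plugin tarball."""
    return [NNM_BIN[platform], "--update-plugins", tarball]


def looks_like_gzip(head: bytes) -> bool:
    """A saved error page is not gzip; a real .tar.gz starts with 1f 8b."""
    return head[:2] == GZIP_MAGIC


def check_plugin_tarball(path: Path) -> bool:
    """Refuse to feed --update-plugins a file that is missing or not gzip."""
    try:
        with path.open("rb") as fh:
            return looks_like_gzip(fh.read(2))
    except OSError:
        return False


def run(cmd: List[str], dry_run: bool = True) -> str:
    """Run one step as an argv list (never via a shell); return its stdout.
    With dry_run the command is only echoed."""
    if dry_run:
        return "DRY-RUN: " + " ".join(cmd)
    done = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return done.stdout


if __name__ == "__main__":
    platform = "linux"
    # Step 1: with dry_run=False this returns the real challenge code.
    print(run(challenge_cmd(platform)))
    # Steps 2-5 happen in a browser; the license file and tarball are then
    # copied to this host (the paths below are placeholders).
    license_file = Path("/path/to/NNM.license")
    tarball = Path("/path/to/sc-passive.tar.gz")
    if license_file.is_file():
        print(run(register_offline_cmd(platform, str(license_file))))
    else:
        print(f"license file {license_file} not found; skipping registration")
    if check_plugin_tarball(tarball):
        print(run(update_plugins_cmd(platform, str(tarball))))
    else:
        print(f"{tarball} missing or not a gzip tarball; not updating plugins")
```

Set dry_run=False in run() once the placeholder paths point at the real files; keeping the argv-list form means a license path containing spaces is passed through unchanged on every platform.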


Register High Performance Mode NNM for SecurityCenter in an Air-gapped Environment

To register NNM for SecurityCenter in an air-gapped environment, you must either update your current install or configure a fresh install of NNM.

Note: These steps apply to High Performance, 10G mode.

Update the Current Install

From NNM:

1. From a CLI on NNM, stop the NNM service.

2. Run the following command:

/opt/nnm/bin/nnm --config "Enable High Performance Mode" "1"

3. Start the NNM service.

4. In a browser, open NNM.

5. Click Configuration > Feed Settings.

6. In the Activation Code text box enter ‘XXXX’.

Note: This allows the (required) High Performance license to persist and enables the Fetch Plugins From drop-down box.

7. From the Fetch Plugins From drop-down box, select SecurityCenter.

8. Click Update.

From SecurityCenter:

1. Open a browser and connect to SecurityCenter.

2. Click Resources > Passive Vulnerability Scanners.

3. If you previously added NNM to SecurityCenter, click the gear icon and select Delete next to the NNM instance.

4. Click Add.


5. Fill in the appropriate fields to configure the NNM instance.

6. Click Submit.

The system adds NNM to SecurityCenter and displays the NNM instance on the Passive Vulnerability Scanners screen.

Note: The NNM status changes to Plugins Out of Sync while the plugins are first downloaded to NNM from SecurityCenter. The next time SecurityCenter polls NNM, the status updates to Working.

Configure a Fresh Install

From NNM:

1. From a CLI on NNM, run the following command:

/opt/nnm/bin/nnm --config "Enable High Performance Mode" "1"

2. Start the NNM service.

3. In a browser, open NNM.

4. In Step 2 of the Quick Setup steps, check the Register Offline check box.

5. In a browser, navigate to https://plugins.nessus.org/v2/offline.php.

6. Type the NNM challenge code.

7. Type the activation code.

8. In NNM complete the Quick Setup steps.

9. Click Configuration > Feed Settings.

10. In the Activation Code text box enter ‘XXXX’.

Note: This allows the (required) High Performance license to persist and enables the Fetch Plugins From drop-down box.

11. From the Fetch Plugins From drop-down box, select SecurityCenter.

12. Click Update.


From SecurityCenter:

1. Open a browser and connect to SecurityCenter.

2. Click Resources > Passive Vulnerability Scanners.

3. If you previously added NNM to SecurityCenter, click the gear icon and select Delete next to the NNM instance.

4. Click Add.

5. Fill in the appropriate fields to configure the NNM instance.

6. Click Submit.

The system adds NNM to SecurityCenter and displays the NNM instance on the Passive Vulnerability Scanners screen.

Note: The NNM status changes to Plugins Out of Sync while the plugins are first downloaded to NNM from SecurityCenter. The next time SecurityCenter polls NNM, the status updates to Working.


Configure High Performance Mode

Before You Begin

The following steps are required to operate NNM in High Performance mode. Alternatively, a user with administrative privileges can enable High Performance mode via the UI.

You must have a High Performance Activation Code in order to run NNM in High Performance mode.

NNM uses multiple cores to process packets received from monitored interfaces. These are known as worker cores. The default number of worker cores is 8. This number can be changed using the configuration parameter Number Of Worker Cores.

Note: If you set the Number Of Worker Cores parameter to 0, NNM automatically changes the value to the minimum number of worker cores needed to run NNM in High Performance mode.

For example, suppose you have 20 available logical cores. Four of those cores are used by the system for internal processing and the kernel. If you want to use the 16 available cores for NNM, then you may change the value for the parameter Number Of Worker Cores to 16.

Steps

1. Stop NNM with the following command:

# service nnm stop

2. Enable High Performance mode with the following command:

/opt/nnm/bin/nnm --config "Enable High Performance Mode" "1"

3. Confirm that the management network interface is different from the monitoring network interface that you configured initially.

Note: If the configured monitored interface has bound IPv4 addresses, you cannot complete the Quick Setup Wizard to configure NNM because no usable NICs appear in the Monitored Network Interfaces list.

4. Start NNM with the following command:

# service nnm start
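Step 3 and its note are where High Performance mode setups usually stall: if the monitoring NIC carries an IPv4 address, or is the same NIC as the management interface, the Quick Setup wizard later shows no usable interface. The following Python pre-flight is an added example, not part of this guide or of NNM: it parses `ip -o link show` and `ip -o -4 addr show` output (a constructed sample is embedded) to verify the interface split before NNM is restarted, sizes the worker-core count the way the 20-core example above does, and builds the --config commands. The `--config "Number Of Worker Cores"` invocation is assumed to take the same form as the "Enable High Performance Mode" command on this page; confirm it on your build before relying on it.

```python
"""Pre-flight for High Performance mode on Linux.

Added illustration, not Tenable code. It parses `ip -o link show` and
`ip -o -4 addr show` output (constructed sample embedded) to confirm the
monitoring interface is separate from the management interface and carries
no IPv4 address, as step 3 and its note require, then sizes the worker-core
count the way the 20-core example above does and builds the --config
commands. The "Number Of Worker Cores" command form is an assumption.
"""
import re
from typing import Dict, List, Set

# Constructed sample output of `ip -o link show` (one line per interface).
SAMPLE_LINKS = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\\    link/ether 52:54:00:65:43:21 brd ff:ff:ff:ff:ff:ff
"""
# Constructed sample output of `ip -o -4 addr show`: eth1 has no IPv4 bound.
SAMPLE_ADDRS = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth0\\       valid_lft forever preferred_lft forever
"""

LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)")
ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\S+)")

NNM_BIN = "/opt/nnm/bin/nnm"


def parse_links(text: str) -> Set[str]:
    """Interface names from `ip -o link show`."""
    names = set()
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if m:
            names.add(m.group(1))
    return names


def parse_ipv4_addrs(text: str) -> Dict[str, List[str]]:
    """Map interface -> bound IPv4 CIDRs from `ip -o -4 addr show`."""
    addrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            addrs.setdefault(m.group(1), []).append(m.group(2))
    return addrs


def preflight(links: Set[str], addrs: Dict[str, List[str]],
              mgmt_iface: str, monitor_iface: str) -> List[str]:
    """Problems that would leave the Quick Setup wizard with no usable NIC."""
    problems = []
    if monitor_iface not in links:
        problems.append(f"monitoring interface {monitor_iface} does not exist")
    if monitor_iface == mgmt_iface:
        problems.append("monitoring and management interfaces must differ")
    bound = addrs.get(monitor_iface, [])
    if bound:
        problems.append(f"{monitor_iface} has IPv4 bound ({', '.join(bound)}); "
                        "unbind it or pick another NIC for monitoring")
    return problems


def worker_cores(logical_cores: int, reserved: int = 4) -> int:
    """Cores left for NNM workers after the system's share (20 logical with
    4 reserved -> 16, as in the guide). 0 makes NNM pick its own minimum."""
    return max(logical_cores - reserved, 0)


def hpm_config_cmds(workers: int) -> List[List[str]]:
    """Step 2's command plus the worker-core setting (assumed form)."""
    return [
        [NNM_BIN, "--config", "Enable High Performance Mode", "1"],
        # Assumption: same --config form as the command above; verify on your build.
        [NNM_BIN, "--config", "Number Of Worker Cores", str(workers)],
    ]


if __name__ == "__main__":
    links = parse_links(SAMPLE_LINKS)
    addrs = parse_ipv4_addrs(SAMPLE_ADDRS)
    problems = preflight(links, addrs, mgmt_iface="eth0", monitor_iface="eth1")
    if problems:
        for p in problems:
            print("BLOCKER:", p)
    else:
        for cmd in hpm_config_cmds(worker_cores(20)):
            print(" ".join(cmd))
```

On a live host, replace the embedded samples with the real output of the two ip commands (subprocess.run with an argv list, as in the registration wrapper earlier in this guide's section) and run the pre-flight between step 1 and step 2, while NNM is stopped.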


Remove NNM

The following instructions describe how to remove NNM from the following platforms:

• Linux

• Windows

• macOS


Remove NNM from Linux

Steps

1. Stop NNM with the following command:

# service nnm stop

2. Determine the name of the RPM file with the following command:

# rpm -qa | grep nnm

The name of the RPM file appears.

3. Remove the NNM RPM with the following command:

# rpm -e <RPM name>

4. Some user-created and user-modified files are not removed with the -e command. Remove any remaining files with the following command:

# rm -rf /opt/nnm

NNM is removed.


Remove NNM from Windows

Steps

1. Depending on your version of Windows, in the Control Panel, under Programs, click one of the following:

• Programs and Features

• Add or Remove Programs

2. Select Tenable Nessus Network Monitor.

3. Click Change/Remove.

The InstallShield Wizard appears.

4. Follow the directions in this wizard to completely remove NNM.

5. Select Yes to remove the NNM program and all its files, folders, and features from the system.

-or-

Select No to remove only the NNM program. All user-created files and relevant file folders remain on the system.

6. Restart your machine to complete the removal.

7. Follow the same instructions to remove WinPcap.


Remove NNM from macOS

Steps

1. Stop NNM.

2. Delete the following directories (including subdirectories) and files with either sudo root or root privileges using the command line:

# rm /Library/LaunchDaemons/com.tenablesecurity.nnm*
# rm -r /Library/NNM
# rm -r /Library/PreferencePanes/NNM*
# rm -r /Applications/NNM

NNM is removed from your macOS system.


NNM Features

The NNM web interface allows NNM to monitor network traffic and report results without needing SecurityCenter CV or another third party tool to analyze the data. The web interface can be used on web browsers that support HTML5, including the following:

• Microsoft Internet Explorer 9 and later

• Firefox 24 and later

• Google Chrome 30 and later

This section describes the following features in the NNM web interface:

• Navigation

• Monitoring

• Results

• Users

• Configuration


NNM Navigation

The top navigation menu displays two main pages: Monitoring and Results. All of NNM’s primary analysis tasks can be performed using these two pages. Click a page name to open that page.

On the right side of the top navigation menu, you can see both the icon and the username of the currently logged in user.

1. Click the icon to display the Users and Configuration options, where you can make administrative changes to NNM.

Note: The Users and Configuration pages are available only to users with administrative privileges.

2. Click the username to display a drop-down menu with three options: Change Password, Help & Support, and Sign Out.

The bell icon toggles the Notification History box, which displays a list of notifications, successful or unsuccessful login attempts, errors, and system information generated by NNM. The color of the bell changes based on the nature of the notifications in the list. If there are no alerts, or all notifications are information alerts, then the bell is blue. If there are error alerts in the notification list, then the bell is red. The Notification History box displays up to 1,000 alerts. Once the limit is reached, no new alerts can be listed until old ones are cleared.


To remove notifications individually, click the button to the right of the description of each event. Alternatively, click the Clear History button in the bottom right corner of the box to delete the entire notification history.

Note: Notifications are not preserved between sessions. Unread notifications are removed from the list when the user logs out.


Monitoring Page

The Monitoring page provides a centralized view of vulnerabilities discovered by NNM. On this page, vulnerabilities may be viewed in several categories, including Dashboards, Hosts, Vulnerabilities, Applications, Operating Systems, Connections, and Mobile Devices. The results may also be exported in different formats for use in other programs.

Across all of the viewable methods available on the Monitoring page, filter options are available to increase granularity when viewing results. Click the heading of a column to sort items within that section of the Monitoring page in ascending or descending order.

The Actions drop-down menu allows you to export results, delete results, or launch a Nessus scan.

Note: After deleting results, you must restart NNM to see the most up-to-date information.

The Filter <section name> box allows for quick filtering based on entered text for the Monitoring page. To view a list of filterable plugin attributes, click the down arrow for any quick filter text field. Results display based on a match of Any or All entered fields. The search field contains example hints when empty, but if an incorrect filter value is entered, the field displays a red border.

Note: The Filter <section name> box is not available in the Dashboards section.

Tip: For instructions on performing the actions available on the Monitoring page, see the related How To section of this guide.


Filter Text

Name                       Description

Bugtraq ID                 Filter the results of discovered vulnerabilities based on their Bugtraq identifications.

CPE                        Filter the results of discovered vulnerabilities based on their CPE identifiers.

CVE                        Filter the results of discovered vulnerabilities based on their CVE identifiers.

CVSS Base Score            Filter the results of discovered vulnerabilities based on the base CVSS score as reported by vulnerability plugins.

CVSS Temporal Score        Filter the results of discovered vulnerabilities based on the temporal CVSS score as reported by vulnerability plugins.

CVSS Temporal Vector       Filter the results of discovered vulnerabilities based on the CVSS temporal vector as reported by vulnerability plugins.

CVSS Vector                Filter the results of discovered vulnerabilities based on the CVSS vector as reported by vulnerability plugins.

CVSS v3.0 Base Score       Filter the results of discovered vulnerabilities based on the CVSS v3.0 base score as reported by vulnerability plugins.

CVSS v3.0 Temporal Score   Filter the results of discovered vulnerabilities based on the temporal CVSS v3.0 score as reported by vulnerability plugins.

CVSS v3.0 Temporal Vector  Filter the results of discovered vulnerabilities based on the temporal CVSS v3.0 vector as reported by vulnerability plugins.

CVSS v3.0 Vector           Filter the results of discovered vulnerabilities based on the CVSS v3.0 vector as reported by vulnerability plugins.

Host                       Filter the results of discovered vulnerabilities based on the discovered IP address of the device.

IAVA ID                    Filter the results of discovered vulnerabilities based on the IAVA IDs of the vulnerabilities.

IAVB ID                    Filter the results of discovered vulnerabilities based on the IAVB IDs of the vulnerabilities.

IAVT ID                    Filter the results of discovered vulnerabilities based on the IAVT IDs of the vulnerabilities.

OSVDB ID                   Filter the results of discovered vulnerabilities based on the discovered OSVDB identifiers.

Plugin Description         Filter the results of discovered vulnerabilities based on text available in the descriptions of the vulnerabilities.

Plugin Family              Filter the results of discovered vulnerabilities based on a family of discovered vulnerabilities.

Plugin ID                  Filter the results of discovered vulnerabilities based on the IDs of the plugins that identified the vulnerabilities.

Plugin Name                Filter the results of discovered vulnerabilities based on text available in the names of the plugins that identified the vulnerabilities.

Plugin Output              Filter the results of discovered vulnerabilities based on text contained in the output of the plugin that discovered the vulnerability.

Port                       Filter the results of discovered vulnerabilities based on the port on which the vulnerability was discovered.

Protocol                   Filter the results of discovered vulnerabilities based on the detected protocol: tcp, udp, or icmp.

STIG Severity              Filter the results of discovered vulnerabilities based on the STIG severity level of the plugin.

See Also                   Filter the results of discovered vulnerabilities based on the text available in the See Also field of the plugin.

Severity                   Filter the results of discovered vulnerabilities based on the identified severity.

Solution                   Filter the results of discovered vulnerabilities based on text available in the solution section of the plugin.

Synopsis                   Filter the results of discovered vulnerabilities based on text available in the synopsis section of the plugin.

System Type                Filter the results of discovered vulnerabilities based on the system type of the device.

VLAN ID                    Filter the results of discovered vulnerabilities based on the VLAN ID of the device.


Dashboards Section

The Dashboards section displays the contents of the vulnerability tab in a graphical layout. The default dashboard layout displays the following charts:

• Top 10 Hosts

• Top 10 Vulnerabilities

• Top 5 Applications

• Distribution by Operating System

• Top 10 Talkers

• Top 10 Mobile Devices

• Distribution of Mobile Devices by Operating System

• Top 10 Mobile Devices by Hardware

• Distribution of Mobile Applications by Application

• SCADA Vulnerability Distribution by Severity

• Top 10 SCADA Hosts

• SCADA Host Distribution by Protocol

• SCADA Host Distribution by System Type

• Client Connections

• Network Bandwidth by Byte Count

• Event Trending

Note: Depending on your NNM configuration, some charts may not display.

Drag-and-drop charts to rearrange them on the dashboard for the duration of your session. The Client Connections, Network Bandwidth by Byte Count, and Event Trending charts cannot be moved.


The following table describes the options available in the Dashboards section:

Option                 Description

<click on the chart>   Opens a Details section with more information about the data displayed in a chart.

                       Note: You cannot click on the Top 10 Mobile Devices by Hardware chart.

button                 Removes the chart from the Dashboards section for the duration of your session.

button                 Refreshes the chart.

button                 Provides options to Export Results, Delete Results, or Launch Scan.

button                 Provides options to filter chart data based on a specified date range.

Events Dashboard

Click on the Event Trending chart to access the Events dashboard. Alternatively, click on the Network Bandwidth by Byte Count chart to access the Events dashboard. The Events dashboard displays a graphical representation of the number of maximum viewable real-time events as defined in the Realtime Events setting type in the NNM Settings section.

The Event Details table can be customized by sorting columns, showing or hiding columns, filtering content by clicking View Active Filters, or by clicking underlined columns in the table.

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable,

Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

- 60 -

Hosts Section

The Hosts section of the Monitoring page displays a list of the discovered hosts, the system type of the hosts, and a stacked bar chart. The chart is labeled and color-coded to indicate both the number and severity level of vulnerabilities detected on the host.

Select a host from the list to display the host’s attributes and discovered vulnerabilities. In the drop-down menu at the top of the section, select one of the following options to view relevant information.

Vulnerabilities

Vulnerabilities detected on this host appear in descending order of severity. The Vulnerabilities list displays the name of each vulnerability, the vulnerability family, and the number of vulnerabilities discovered. Select a vulnerability from the list to display vulnerability details including a synopsis, a description, a solution, plugin details, risk information, reference information, and affected hosts and services for the host.

Applications

Applications appear in descending order of severity. The Applications list displays the name and number of each application. Select an application from the list to display information about the application observed on this host. The list includes the name and number of discoveries, the affected port and protocol, the software and version, and the services available.

Client Connections

Hosts to which the selected host has connected are grouped by port. The Client Connections list displays information about connections from the selected host to other hosts, which port(s) were used, and, if known, the services. Click on a client connection to display a Connections sidebar that displays Host Details, a Client Connections diagram, and, where applicable, a Recent Sessions table.

Server Connections

Hosts that have connected to the selected host are grouped by port. The Server Connections list displays information about connections to the selected host from other hosts, which port(s) were used, and, if known, the services. Click on a server connection to display a Connections sidebar that displays Host Details, a Server Connections diagram, and, where applicable, a Recent Sessions table.

Vulnerabilities Section

The Vulnerabilities section of the Monitoring page provides a list of the vulnerabilities detected by NNM. Additionally, you can view a vulnerability's plugin family and the number of detected vulnerabilities.

Select a vulnerability from the list to display vulnerability details including a synopsis, a description, a solution, plugin details, risk information, reference information, and affected hosts and services for the host.

Applications Section

The Applications section displays a list of discovered applications. Select an application to display a list of affected hosts. The list includes the name and number of discoveries, the affected port and protocol, the software and version, and the services available.

Operating Systems Section

The Operating Systems section displays a list of discovered operating systems. The summary page lists the severity, operating system name as detected, and the number of discoveries. Select an operating system name from the list to display the severity, the version of the operating system, and the services, as available.

Connections Section

The Connections section displays information in two tabs:

• The Client Connections tab displays a list of hosts. Click on a host to display connections from the selected host to other hosts, the port(s) used, and, if known, the services. Click on a client connection to display a Connections sidebar that displays Host Details, a Client Connections diagram, and, where applicable, a Recent Sessions table.

• The Server Connections tab displays a list of hosts. Click on a host to display connections to the selected host from other hosts, the port(s) used, and, if known, the services. Click on a server connection to display a Connections sidebar that displays Host Details, a Server Connections diagram, and, where applicable, a Recent Sessions table.

Mobile Devices Section

The Mobile Devices section displays a list of discovered mobile devices. The summary page displays the IP address, model, operating system, and last seen timestamp for each mobile device within the monitored network range. Select a device name from the list to display the device’s list of vulnerabilities and a list of applications for the mobile device.

Results Page

The Results page contains snapshots of monitored data, results from Pcap files entered manually via the command line or the client UI, and uploaded NNM reports. The Monitoring Snapshots generate regularly based on the Report Frequency setting. They are stored until deleted or the Report Lifetime setting removes them. Select a result grouping to view it using the same analysis tools described in the Monitoring section of this user guide:

• Hosts

• Vulnerabilities

• Applications

• Operating Systems

• Connections

• Mobile Devices

Additionally, to compare two snapshots, check the desired snapshot results and select the Diff Snapshots option from the Actions drop-down menu.

Tip: For instructions on performing the actions available on the Results page, see the related How To section of this guide.

Users Page

The Users page provides a list of the available users on the NNM server. Additionally, you can view account configuration options for each user. This page is visible only to users with administrative privileges. Click on a user to edit the user's information.

Tip: For instructions on performing the actions available on the Users page, see the related How To section of this guide.

Configuration Page

The Configuration page allows users with administrative privileges to configure NNM for their local environment. The following sections are available:

• NNM Settings

• Feed Settings

• Cloud Settings

• Web Proxy Settings

• Chart Settings

• Email Settings

• Plugin Settings

• Nessus Scanner Settings

Tip: For instructions on performing the actions available on the Configuration page, see the related How To section of this guide.

NNM Settings Section

The NNM Settings section provides options for configuring the network settings for NNM. This includes what network(s) are monitored or excluded, how to monitor those networks, and what network interfaces NNM has identified for monitoring. If your NNM is licensed to run in High Performance mode, you can also change the performance mode.

Note: The Network Interfaces Settings view only shows network interfaces that don't have IP addresses assigned to them. As a result, if all interfaces have assigned IP addresses, in High Performance mode, the list is empty.

Name: Description

ACAS Classification

ACAS: Support for ACAS banners may be enabled from the command line of the NNM server service using the /opt/NNM/bin/NNM --config --add "ACAS Classification" "SECRET" command. SECRET may be replaced by UNCLASSIFIED, CONFIDENTIAL, TOP SECRET, or NOFORN. Once enabled, a drop-down menu for the ACAS option appears in the UI front end.

Support for ACAS banners may be disabled from the command line of the NNM server using the /opt/NNM/bin/NNM --config --delete "ACAS Classification" command from the binary directory on the server.

Advanced

Maximum Plugins Update Frequency: A text box in which you can specify the maximum frequency with which plugins update.

Login Banner: A text box in which you can specify a login banner.

Analysis Modules

Enable SCADA/ICS Analysis Module: A check box that, when selected, enables the SCADA/ICS Analysis Module. Click the caret button to the left of the setting name to display a list of individual module detections within the module. Click on individual module detections within the list to disable/enable them. Disabling a SCADA/ICS module detection enables the legacy PASL. See the SCADA/ICS Analysis Module for more information.

Enable Connection Analysis Module: A check box that, when selected, enables the Connection Analysis Module. Click the caret button to the left of the setting name to display a list of individual module detections within the module. Click on individual module detections within the list to disable/enable them. See the Connection Analysis Module for more information.

DNS Query

DNS Cache Lifetime Analysis Module: A text box in which you can specify the amount of time NNM retains and stores a given host’s DNS record, in seconds. By default, this option is set to 43200 (12 hours), but can be set to any value between 3600 and 172800 (48 hours).

DNS Query Time Interval: A text box in which you can specify the delay between sets of DNS queries, in seconds. By default, this option is set to 5, but can be set to any value between 1 and 120.

DNS Queries per Interval: A text box in which you can specify the maximum number of concurrent DNS requests made at the time of the DNS Query, in seconds. By default, this option is set to 5, but can be set to any value between 0 and 1000. Setting this value to 0 disables this feature and prevents further DNS queries from being made.

Database

Enable Malformed Database Recovery: A check box that, when selected, allows NNM to recover a malformed database.

Memory

Sessions Cache Size: A text box in which you can specify the size, in megabytes, of the session table. Adjust the session size as needed for the local network. By default, this option is set to 50.

Packet Cache Size: A text box in which you can specify the maximum size, in megabytes, of the cache used to store the contents of the packets collected before processing. By default, this option is set to 128 MB with a maximum size of 512 MB. When the cache is full, any subsequent packets captured are dropped until space in the cache becomes available.

Monitoring

Monitored Network Interfaces: A list of the network device(s) used for sniffing packets. Devices may be selected individually or in multiples. At least one interface must be selected from the list of available devices.

Note: High Performance mode does not support e1000 NICs as monitored interfaces on VMs. If you are running NNM on a VM in High Performance mode and select an e1000 monitored interface, NNM automatically reverts to Standard mode.

Monitored Network IP Addresses and Ranges: A text box in which you can specify the network(s) monitored. The default setting is 0.0.0.0/0, which instructs NNM to monitor all IPv4 addresses. This should be changed to monitor only target networks; otherwise NNM may quickly become overwhelmed. Separate multiple addresses by commas. When monitoring VLAN networks, you must use the syntax vlan ipaddress/subnet.

Example: 192.168.1.0/24,2001:DB8::/64,10.2.3.0/22,vlan 172.16.0.0/16,192.168.3.123/32

Excluded Network IP Addresses and Ranges: A text box in which you can specify, in CIDR notation, any network(s) to specifically exclude from NNM monitoring. This option accepts both IPv4 and IPv6 addresses. Separate multiple addresses by commas. When excluding VLAN networks, you must use the syntax vlan ipaddress/subnet. If this text box is left blank, no addresses are excluded.

Example: 192.168.1.0/24,2001:DB8::/64,10.2.3.0/22,vlan 172.16.0.0/16,192.168.3.123/32

Extended Packet Filter: A text box in which you can specify a BPF primitive.

The net, IP, IPv6, and VLAN primitives are not supported by this feature. Additionally, the protochain primitive is not supported on Windows platforms.

Click here for further information about the available primitives.

NNM Proxy

NNM Restart Attempts: A text box in which you can specify the number of times the NNM proxy attempts to restart the NNM engine in the event the engine stops running. By default, this option is set to 10, but can be set to any value between 1 and 15. Once the restart attempt limit is reached, the proxy stops trying for 30 minutes.

NNM Restart Interval: A text box in which you can specify the amount of time, in minutes, between NNM restart attempts. By default, this option is set to 10, but can be set to any value between 1 and 3600.

NNM Web Server

Enable SSL for Web Server: A check box that, when selected, enables SSL protection for connections to the web server. This check box is selected by default. Clearing the check box is not recommended, as it allows unencrypted traffic to be sent between a web browser and NNM. Custom SSL certificates may be installed in the /opt/NNM/var/NNM/ssl directory. Changes to this setting require that NNM be restarted.

Note: Changing this option while NNM is running makes communication between the client and server either encrypted or unencrypted. If you select or clear the Enable SSL for Web Server check box, the Web Server automatically ends your current NNM session.

Minimum Password Length: A text box in which you can specify the lowest number of characters a password may contain. By default, this option is set to 5, but can be set to any value between 5 and 32.

NNM Web Server Address: A text box in which you can specify an IPv4 or IPv6 address on which the NNM web server listens. The default setting is 0.0.0.0, which instructs the web server to listen on all available IPv4 and IPv6 addresses.

Note: Link-local addresses are not supported for IPv6 addresses.

NNM Web Server Port: A text box in which you can specify the NNM web server listening port. The default setting is 8835, but can be changed as appropriate for the local environment.

Note: If you change the value in this field, the Web Server automatically ends your current NNM session.

NNM Web Server Idle Session Timeout: A text box in which you can specify the number of minutes of inactivity before a web session becomes idle. By default, this option is set to 30, but can be set to any value between 5 and 60.

Enable SSL Client Certificate Authentication: A check box that, when selected, allows the web server to accept only SSL client certificates for user authentication.

Enable Debug Logging for NNM Web Server: A check box that, when selected, allows the web server to include debug information in the logs for troubleshooting issues related to the web server. The logs become very large if this option is routinely enabled.

Maximum User Login Attempts: A text box in which you can specify the number of times a user can enter an incorrect password in a 24 hour period before the user’s account is locked.

Max Sessions per User: A text box in which you can specify the number of concurrent sessions a user can have running at one time.

Enforce Complex Passwords: A check box that, when selected, forces users’ passwords to contain at least one uppercase character, one lowercase character, one digit, and one special character from the following: !@#$%^&*().

Restrict Access to TLS 1.2 or higher: A check box that, when selected, forces the NNM Web server to use TLS 1.2 or higher communications.

Plugins

Enable Automatic Plugin Updates: A check box that, when selected, allows NNM to update its plugins automatically from the Tenable™ website on a daily basis. If the NNM server is not connected to the Internet, it is recommended that you disable this option.

Tip: When the HTML Client updates, the web browser needs to be refreshed to utilize the new client. In some cases, the web browser’s cache must be deleted to view the new client.

Process High Speed Plugins Only: NNM is designed to find various protocols on non-standard ports. For example, NNM can easily find an Apache server running on a port other than 80. However, on a high traffic network, NNM can be run in High Performance mode, which allows it to focus certain plugins on specific ports. When High Performance mode is enabled and this check box is selected, any plugin that utilizes the keywords hs_dport or hs_sport is executed only on traffic traversing the specified ports.

Realtime Events

Realtime Events File Size: A text box in which you can specify the maximum amount of data from real-time events that is stored in one text file. The option must be specified in kilobytes, megabytes, or gigabytes by appending a K, M, or G, respectively, to the value.

Log Realtime Events to Realtime Log File: A check box that, when selected, allows NNM detected real-time events to be recorded to a log file in the following location:

/opt/NNM/var/NNM/logs/realtime-logs-##.txt

This option can be configured via the CLI.

Enable Realtime Event Analysis: A check box that, when selected, allows NNM to analyze real-time events.

Maximum Viewable Realtime Events: A text box in which you can specify the maximum number of most recent events cached by the NNM engine. This setting is in effect only when Realtime Event Analysis is enabled.

Maximum Realtime Log Files: A text box in which you can specify the maximum number of realtime log files written to the disk.

Reports

Report Threshold: A text box in which you can specify the number of times the encryption detection algorithm executes during a session. Once the threshold is reached, the algorithm no longer executes during the session. By default, this option is set to 3.

Report Lifetime: A text box in which you can specify, in days, how long vulnerabilities and snapshot reports are cached. After the configured number of days is met, discovered vulnerabilities and snapshot reports are removed. This option can be set to a maximum value of 90 days. By default, this option is set to 7 and cannot be set higher than the Host Lifetime value.

Host Lifetime: A text box in which you can specify, in days, how long hosts are cached. After the configured number of days is met, discovered hosts are removed. This option can be set to a maximum value of 365 days. By default, this option is set to 7 and cannot be set lower than the Report Lifetime value.

Report Frequency: A text box in which you can specify, in minutes, how often NNM writes a report. By default, this option is set to 15. SecurityCenter 4.6 and higher retrieve the NNM report every 15 minutes.

Knowledgebase Lifetime: A text box in which you can specify, in seconds, the maximum length of time that a knowledgebase entry remains valid after its addition. By default, this option is set to 864000.

New Asset Discovery Interval: A text box in which you can specify, in days, how long NNM monitors traffic before detecting new hosts. NNM listens to network traffic and attempts to discover when a new host has been added. To do this, NNM constantly compares a list of hosts that have generated traffic in the past to those currently generating traffic. If it finds a new host generating traffic, it issues a “new host alert” via the real-time log. For large networks, NNM can be configured to run for several days to gain knowledge about which hosts are active. This prevents NNM from issuing an alert for hosts that already exist. For large networks, Tenable™ recommends that NNM operate for at least two days before detecting new hosts. By default, this option is set to 2.

Connections to Services: A check box that, when selected, enables NNM to log which clients attempt to connect to servers on the network and to what port they attempt to connect. These events indicate only that an attempt to connect was made, not whether the connection was successful. Events detected by NNM of this type are logged as NNM internal plugin ID 2.

Show Connections: A check box that, when selected, instructs NNM to record clients in the focus network that attempt to connect to a server IP address and port and receive a positive response. The record contains the client IP address, the server IP address, and the server port that the client attempted to connect to. For example, if four different hosts within the focus network attempt to connect with a server IP over port 80 and receive a positive response, then a list of those hosts is reported under NNM internal plugin ID 3 and port 80.

Known Hosts File: A configuration parameter in which you can enter the location of the known-hosts.txt file. You must manually create the Known Hosts file.

Note: You can only configure this feature via the command line interface.

This feature supports a single row for each IP (IPv4 or IPv6). Hyphenated ranges and CIDR notation are not supported. New host alerts no longer appear for the hosts listed in this file.

Note: Blank rows are ignored, and invalid entries are noted in the NNM log file. If you make any changes to the Known Hosts file, you must restart NNM.

Session Analysis

Encrypted Sessions Dependency Plugins: A text box in which you can specify the Plugin IDs, separated by commas, used to detect encrypted traffic.

Encrypted Sessions Excluded Network Ranges: A text box in which you can specify the IPv4 and IPv6 addresses and ports, in CIDR notation, excluded from monitoring for encrypted traffic.

Example: 192.168.1.0/24,2001:DB8::/64,10.2.3.0/22,vlan 172.16.0.0/16,192.168.3.123/32

Interactive Sessions Dependency Plugins: A text box in which you can specify the Plugin IDs, separated by commas, used to detect interactive sessions.

Interactive Sessions Excluded Network Ranges: A text box in which you can specify the IPv4 and IPv6 addresses and ports, in CIDR notation, excluded from monitoring for interactive sessions.

Example: 192.168.1.0/24,2001:DB8::/64,10.2.3.0/22,vlan 172.16.0.0/16,192.168.3.123/32

Syslog

Realtime Syslog Server List: A text box in which you can specify the IPv4 or IPv6 address and port of a Syslog server to receive real-time events from NNM. Click Add to save the address. A local Syslog daemon is not required. Syslog items can be specified in Standard or CEF format and sent over UDP or TCP.

Example: 192.168.1.12:4567,10.10.10.10:514,[2001:DB8::23B4]:514

Vulnerability Syslog Server List: A text box in which you can specify the IPv4 or IPv6 address and port of a Syslog server to receive vulnerability data from NNM. Click Add to save the address. A local Syslog daemon is not required. Syslog items can be specified in Standard or CEF format and sent over UDP or TCP.

Example: 192.168.1.12:4567,10.10.10.10:514,[2001:DB8::23B4]:514

Note: While NNM may display multiple log events related to one connection, it sends only a single event to the remote Syslog server(s).
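Several of the settings above take free-form lists whose syntax is easy to get wrong: the Monitored and Excluded Network IP Addresses and Ranges boxes and the Session Analysis excluded-range boxes (comma-separated CIDR with an optional vlan prefix), the Realtime and Vulnerability Syslog Server List boxes (address:port, IPv6 in brackets), and the known-hosts.txt file (one address per row, blank rows ignored, no CIDR or hyphenated ranges). The following is an added example, not Tenable's code or part of the original guide: a small pre-flight checker that validates those values against the rules the table states before they are pasted into the UI or the file is dropped on the server. The function names, the regular expression, the decision to mask host bits with strict=False, and treating ::/0 like 0.0.0.0/0 are this example's assumptions; how NNM itself parses these fields is not documented here, and the sample inputs are constructed from the guide's own examples.

```python
"""Pre-flight checks for list-valued NNM Settings fields (added example)."""
import ipaddress
import re
from typing import List, Tuple

# Catch-all networks. The guide says the 0.0.0.0/0 default should be narrowed
# to the target networks; ::/0 is treated the same way here (assumption).
CATCH_ALL = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}

# address:port or [v6]:port, matching the guide's syslog examples (assumption
# that nothing else, e.g. hostnames, is accepted).
_SYSLOG_ENTRY = re.compile(
    r"^(?:\[(?P<v6>[0-9A-Fa-f:.]+)\]|(?P<v4>[0-9.]+)):(?P<port>\d{1,5})$"
)


def parse_network_ranges(text: str) -> List[Tuple[bool, object]]:
    """Split a range list into (is_vlan, network) pairs.

    Raises ValueError on an entry that is not an IPv4/IPv6 address or CIDR
    block. strict=False is an assumption: it lets an entry with host bits set,
    such as the guide's 10.2.3.0/22, through by masking it to 10.2.0.0/22.
    """
    entries = []
    for raw in text.split(","):
        item = raw.strip()
        if not item:
            raise ValueError("empty entry (stray comma?)")
        is_vlan = item.lower().startswith("vlan")
        if is_vlan:  # guide syntax: "vlan ipaddress/subnet"
            item = item[len("vlan"):].strip()
        try:
            network = ipaddress.ip_network(item, strict=False)
        except ValueError as exc:
            raise ValueError(f"bad range {raw.strip()!r}: {exc}") from None
        entries.append((is_vlan, network))
    return entries


def monitored_range_warnings(entries) -> List[str]:
    """Flag catch-all entries that the guide says should be narrowed."""
    return [f"{net} monitors everything; narrow it to the target networks"
            for _, net in entries if net in CATCH_ALL]


def parse_syslog_servers(text: str) -> List[Tuple[str, int]]:
    """Parse a Syslog Server List into (normalized address, port) pairs."""
    servers = []
    for raw in text.split(","):
        item = raw.strip()
        match = _SYSLOG_ENTRY.match(item)
        if not match:
            raise ValueError(f"bad syslog entry {item!r}: want addr:port or [v6]:port")
        address = ipaddress.ip_address(match.group("v6") or match.group("v4"))
        port = int(match.group("port"))
        if not 1 <= port <= 65535:
            raise ValueError(f"bad port in {item!r}")
        servers.append((str(address), port))
    return servers


def check_known_hosts(content: str):
    """Return (accepted addresses, problems) for a known-hosts.txt body.

    One IPv4 or IPv6 address per row; blank rows are skipped; hyphenated
    ranges and CIDR notation are reported as problems (row number, text, why).
    """
    accepted, problems = [], []
    for lineno, line in enumerate(content.splitlines(), start=1):
        row = line.strip()
        if not row:
            continue
        if "/" in row:
            problems.append((lineno, row, "CIDR notation is not supported"))
        elif "-" in row:
            problems.append((lineno, row, "hyphenated ranges are not supported"))
        else:
            try:
                accepted.append(str(ipaddress.ip_address(row)))
            except ValueError:
                problems.append((lineno, row, "not a single IP address"))
    return accepted, problems


# Constructed sample inputs, taken from the examples printed in the guide.
SAMPLE_RANGES = "192.168.1.0/24,2001:DB8::/64,10.2.3.0/22,vlan 172.16.0.0/16,192.168.3.123/32"
SAMPLE_SYSLOG = "192.168.1.12:4567,10.10.10.10:514,[2001:DB8::23B4]:514"
SAMPLE_KNOWN_HOSTS = """192.168.1.10

2001:db8::10
10.0.0.0/24
10.0.0.1-10.0.0.9
example.invalid
"""

if __name__ == "__main__":
    for is_vlan, net in parse_network_ranges(SAMPLE_RANGES):
        print("vlan" if is_vlan else "    ", net)
    print(monitored_range_warnings(parse_network_ranges("0.0.0.0/0")))
    print(parse_syslog_servers(SAMPLE_SYSLOG))
    ok, bad = check_known_hosts(SAMPLE_KNOWN_HOSTS)
    print("known hosts accepted:", ok)
    for lineno, row, why in bad:
        print(f"known-hosts.txt line {lineno}: {row!r}: {why}")
```

Running the checker on the known-hosts sample reports the CIDR row, the hyphenated row and the non-address row with their line numbers, which is the same information the guide says NNM writes to its log file, but available before the restart the guide requires after every change to that file.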


Feed Settings Section

The Feed Settings section provides the following options:

Name: Description

Register Offline check box: A check box that allows offline registration of NNM.

Activation Code: Updates the activation code. The Activation Code only needs to be updated when it expires.

Fetch Plugins From: A text field in which you can specify from where you wish to fetch plugins. Click Update to fetch the plugins.

Offline Plugin Archive: Uploads plugins to perform offline updates. Click Upload Archive to upload the archive.

Host Address: A text field in which you can specify a custom plugin feed host. Click Update to save the host.


Offline Update

The Offline Update allows a user with administrative privileges to manually update plugins when the NNM host cannot connect to the Internet.

1. Download the plugin update archive from Tenable™.

2. Click Choose File.

3. Select the archive tarball to upload.

4. Click the Upload Archive button to send the file to the NNM host.

5. Click the Upload Archive button again to update the plugins.

6. If a new client is part of the update, you must refresh the web browser to see the updated client.

The Custom Plugin Feed host is an alternate feed host. These are typically hosted on a local network to provide custom NNM plugins.

When running Standalone NNM or NNM in High Performance mode as Managed by SecurityCenter or Managed by Tenable.io, you must enter an Activation Code before clicking the Update button. The button schedules a plugin update when NNM is running in Standalone mode. Additionally, when registering NNM in Offline mode, you need the Activation Code to obtain the Activation Key.


Cloud Settings Section

The Cloud Settings section provides options for configuring NNM to communicate with Tenable.io or Tenable.io on-prem.

Name Description

Cloud Host: For Tenable.io, the domain name or IP address of the Tenable.io server: cloud.tenable.com.

For Tenable.io on-prem, the static IP address or hostname you set during Tenable.io on-prem installation.

Cloud Port: The port of the Tenable.io or Tenable.io on-prem server: 443.

Cloud Key: The Tenable.io key used to link this instance of NNM to a Tenable.io account.

Polling Frequency: The frequency, in seconds, with which NNM updates its status with Tenable.io and asks for a list of jobs.

NNM Name: The unique name used to identify this instance of NNM in Tenable.io.


Industrial Security Settings Section

The Industrial Security Settings section provides options for configuring Industrial Security with NNM. See Configure NNM for use with Industrial Security for more information.

Name Description

Industrial Security Host: The domain name or IP address of the Industrial Security server.

Industrial Security Port: The port of the Industrial Security server.

Industrial Security Key: The key used to link this instance of NNM to an Industrial Security account.

Polling Frequency: The frequency, in seconds, with which NNM updates its status with Industrial Security and asks for a list of jobs.

NNM Name: The unique name used to identify this instance of NNM on Industrial Security.


Web Proxy Settings Section

The Web Proxy Settings section configures the settings for a web proxy if one is needed for plugin updates. These settings include the proxy host IP address, port, username, password, and, if a custom agent string is needed, a user-agent field.

Name Description

Host Address: The host address of the web proxy server.

Port: The port of the web proxy server.

Username: The username for the web proxy server.

Password: The password for the web proxy server.

User-Agent String: The user-agent string for the web proxy server.


Chart Settings Section

The Chart Settings section displays all charts available, provides options for creating and configuring charts, and allows the user to add or remove charts in the Dashboards section.

In the Chart Settings section you can view:

• Chart Name

• Chart Type

• Chart Description

• Dashboard Family

• Option to view the chart in the Dashboard. Click the option to toggle between Yes and No.

Click on a chart to edit the chart.


Email Settings Section

The Email Settings section provides options for configuring email reporting for NNM, including the recipients of the email notifications, what charts appear in email notifications, and the time and frequency with which email notifications are sent. In the Email Settings section, hover over an existing email notification and click the paper airplane icon to send a report immediately.

When you select SMTP Server in the Setting Type drop-down menu, the following options for configuring the SMTP server appear:

Name Description

Host: The host or IP of the SMTP server (e.g., smtp.example.com).

Port: The port of the SMTP server (e.g., 25).

From: The name that appears in the "From" line of the email report.

NNM Location: The IP address or hostname of your NNM server. This works only if the user that receives the email report can reach the NNM host.

Auth Method: The method by which the SMTP server is authenticated. Supported methods are None, Plain, NTLM, Login, and CRAM-MD5.

Note: If this option is set to None, the Username and Password fields are hidden.

Username: The username used to authenticate to the SMTP server.

Password: The password associated with the username, provided that a password is required by the SMTP server.


Plugin Settings Section

The Plugin Settings section allows you to create custom plugins and also to enable and disable existing plugins and PASLs.

The Plugin Settings section contains the following subsections:

• Plugin Management: displays a list of enabled and disabled plugins, respectively, the options to move plugins between those lists, and the option to delete custom plugins.

• PASL Management: displays a list of enabled and disabled PASLs, respectively, and the options to move PASLs between those lists.

• Create Custom Plugin: displays options for creating custom plugins and creating new plugin fields.

The following table provides a brief summary of each plugin field available for creating custom plugins:

Custom Plugin Field Purpose

ID: The unique numeric ID of the plugin.

Name: The name of the plugin. The plugin name should start with the vendor name.

Description: The full text description of the vulnerability.


Synopsis: A brief description of the plugin or vulnerability.

Solution: Remediation information for the vulnerability.

See Also: External references to additional information regarding the vulnerability.

Risk: Info, Low, Medium, High, or Critical risk factor.

Plugin Output: Displays dynamic data in NNM plugin reports.

Family: The family to which the plugin belongs.

Dependency: Other dependencies required to trigger the custom plugin.

NoPlugin: Prevents a plugin from being evaluated if another plugin has already matched. For example, it may make sense to write a plugin that looks for a specific anonymous FTP vulnerability, but to disable it if another plugin that checked for anonymous FTP had already failed.

No Output: For plugins that are written specifically to be used as part of a dependency with another plugin. When enabled, this keyword causes NNM not to report anything for any plugin.

Client Issue: Indicates the vulnerability is located on the client side.

Plugin Type: Vuln, realtime, or realtimeonly plugin type.

cve: The CVE reference.

bid: The Bugtraq ID (BID) reference.

osvdb: The external reference (e.g., OSVDB, Secunia, MS Advisory).

nid: To track compatibility with the Nessus vulnerability scanner, Tenable™ associates NNM vulnerability checks with relevant Nessus vulnerability checks. Multiple Nessus IDs can be listed under one nid entry, such as nid=10222,10223.

cpe: Filters the result of discovered vulnerabilities based on their CPE identifier.

Match: This keyword specifies a set of one or more simple ASCII patterns that must be present in order for the more complex pattern analysis to take place. The match keyword gives NNM significant performance and functionality.

Regex: Specifies a complex regular expression search rule applied to the network session.

Revision: The revision number associated with the custom plugin.

Raw Text Preview: A preview of the custom plugin in raw text. An example of a custom plugin created to find an IMAP banner of Tenable Rocks is:

id=79000
name=IMAP Banner
description=An IMAP server is running on this port. Its banner is Tenable Rocks
risk=NONE
match=OK
match=IMAP
match=server ready
regex=^.*OK.*IMAP.*Tenable Rocks
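As an added example that is not Tenable's code, the following Python parses a custom plugin in the keyword=value form shown above and evaluates it the way the Match and Regex descriptions imply: every match string must be present in the session text before the regex is run, and nid may hold a comma-separated list. The names parse_plugin, PluginEvaluator and run_example, the '#' comment convention, and the IMAP banners it is tested against are this example's own constructions, not from the guide.

```python
"""Parse and evaluate an NNM-style custom plugin (keyword=value text).

Added example, not Tenable code.  Evaluation follows the field table above:
every 'match' string must be present in the session text before the 'regex'
is tried, and 'nid' may hold a comma-separated list of Nessus IDs.
"""
import re
from typing import Any, Dict, Optional

# The guide's Raw Text Preview example, one keyword per line.
EXAMPLE_PLUGIN = """\
id=79000
name=IMAP Banner
description=An IMAP server is running on this port. Its banner is Tenable Rocks
risk=NONE
match=OK
match=IMAP
match=server ready
regex=^.*OK.*IMAP.*Tenable Rocks
"""

REPEATABLE = {"match"}               # may appear on several lines
COMMA_LISTS = {"nid", "cve", "bid"}  # nid=10222,10223 form is from the guide


def parse_plugin(text: str) -> Dict[str, Any]:
    """Return keyword -> value; repeatable and list keywords become lists.

    Blank lines are skipped.  '#' comments are this example's convention,
    not something the guide documents.
    """
    plugin: Dict[str, Any] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected keyword=value, got {raw!r}")
        key, value = key.strip(), value.strip()
        if key in REPEATABLE:
            plugin.setdefault(key, []).append(value)
        elif key in COMMA_LISTS:
            plugin.setdefault(key, []).extend(v.strip() for v in value.split(",") if v.strip())
        else:
            plugin[key] = value
    if not str(plugin.get("id", "")).isdigit():
        raise ValueError("plugin needs a numeric id")
    return plugin


class PluginEvaluator:
    """Cheap substring prefilter first, then the regular expression."""

    def __init__(self, plugin: Dict[str, Any]) -> None:
        self.plugin = plugin
        self.matches = list(plugin.get("match", []))
        pattern = plugin.get("regex")
        self.regex: Optional[re.Pattern] = re.compile(pattern) if pattern else None
        self.regex_evaluations = 0   # counts how often the costly step ran

    def evaluate(self, session_text: str) -> Optional[str]:
        """Return the plugin name on a hit, None otherwise."""
        if not all(m in session_text for m in self.matches):
            return None              # prefilter failed: the regex never runs
        if self.regex is not None:
            self.regex_evaluations += 1
            if not self.regex.search(session_text):
                return None
        return str(self.plugin.get("name", self.plugin["id"]))


def run_example() -> Dict[str, Any]:
    """Evaluate the guide's IMAP plugin against three constructed banners."""
    evaluator = PluginEvaluator(parse_plugin(EXAMPLE_PLUGIN))
    banners = {   # constructed sample banners, not captured traffic
        "hit": "* OK IMAP4rev1 server ready Tenable Rocks",
        "prefilter_pass_regex_fail": "* OK IMAP4rev1 server ready",
        "prefilter_fail": "* OK Dovecot ready.",
    }
    results: Dict[str, Any] = {k: evaluator.evaluate(b) for k, b in banners.items()}
    results["regex_evaluations"] = evaluator.regex_evaluations
    return results


if __name__ == "__main__":
    print(run_example())
```

Only two of the three banners reach the regex; the third is discarded by the match prefilter, which is the performance effect the Match row describes.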


Nessus Scanner Settings Section

The Nessus Scanner Settings section provides a list of the available Nessus 6.4+ scanners and the ability to add, edit, or remove a Nessus scanner. Each Nessus scanner must be configured with the following parameters:

Note: Nessus Professional 7 is not supported.

Name Description

Scanner Host: The domain name or IP address of the Nessus server.

Scanner Port: The port of the Nessus server.

Access Key: The first half of a Nessus API Key, which is used to authenticate with the Nessus REST API.

Secret Key: The second half of a Nessus API Key, which is used to authenticate with the Nessus REST API.

Note: For details on how to obtain an API Key (Access Key and Secret Key), refer to the Nessus user guide.


How To

This section includes step-by-step instructions for performing the actions available on each page within the NNM web interface:

• Monitoring

• Results

• Users

• Configuration


Monitoring Page

The topics in this section explain how to perform the following actions available on the Monitoring page:

• Rearrange Charts

• Set a Range for the Dashboards Section

• Refresh a Chart

• Remove a Chart from a Dashboard

• Filter Results

• Export Results

• Launch a Nessus Scan

• Delete a Vulnerability

Tip: For more information about the Monitoring page, see the related Features section of this guide.


Rearrange Charts

Steps

1. In the Dashboards section, select the heading of the chart you want to reposition.

2. Drag the chart to a different location on the dashboard.

3. Release the pointer.

The chart moves and the dashboard configuration saves for the duration of your session.

Note: You cannot move the Client Connections, Network Bandwidth by Byte Count, or Event Trending charts.


Set a Range for the Dashboards Section

Steps

1. In the Dashboards section, in the upper right corner, click the drop-down box.

2. In the drop-down menu, do one of the following:

• Select one of the preset time intervals.

• Select a start and end date from the available calendars and specify a time associated with each date.

• Manually enter dates in the two text boxes in YYYY/MM/DD format and specify a time associated with each date.

All the charts on the page refresh to reflect the selected time interval.


Refresh a Chart

Steps

1. In the Dashboards section, in the upper right corner of the chart you want to refresh, click the button.

The selected chart refreshes.


Remove a Chart from a Dashboard

Steps

1. In the Dashboards section, in the upper right corner of the chart you want to remove, click the button.

The selected chart is removed from the dashboard for the duration of your session.


Export Results

Steps

1. Click Monitoring > Actions > Export Results.

The Export Results screen appears.

2. Select the export format and chapter layout.

3. Click the Export button.

An automatic download begins. You can save the report from the web browser.

Note: On-the-fly filter results cannot be exported. If you want to export filter results, you must configure the filter(s) in the Filter Results window.


Filter Results

Steps

1. In the Hosts, Vulnerabilities, Applications, Operating Systems, Connections, or Mobile Devices section, in the upper right corner, click the Filter <section name> drop-down.

2. Type the criteria by which you want to filter results directly into the box.

-or-

Click the button in the box.

The Filter Results window appears.

3. Configure the filter options as necessary.

4. Click the Apply Filters button.

Note: On-the-fly filter results cannot be exported. If you want to export filter results, you must configure the filter(s) in the Filter Results window. Additionally, on-the-fly filter results are not stored when a user navigates to another page in NNM.


Launch a Nessus Scan

Steps

1. Click Monitoring > Actions > Launch Scan.

-or-

Click Assets or Vulnerabilities > select the check boxes for the assets you want to scan > Actions > Launch Scan.

The Launch Basic Nessus Scan window appears.

2. Configure the scan options as necessary.

3. Click the Launch button.

The scan opens in the Nessus interface. Refer to the Nessus user guide for further instructions.

Note: To launch scans on Nessus 6.8.x or higher, NNM must be configured to restrict access to TLS 1.2 or higher. See the NNM Settings Section for more information.


Delete a Vulnerability

Steps

To delete one vulnerability:

1. In the Vulnerabilities section, hover over the vulnerability you want to delete.

2. On the right side of the row, click the button.

The vulnerability is deleted.

To delete multiple vulnerabilities:

1. On the Vulnerabilities page, on the left side of the row for the vulnerability you want to delete, select the check box. Repeat this step for each vulnerability you want to delete.

2. Click Actions > Delete Vulnerabilities.

The vulnerabilities are deleted.


Results Page

The topics in this section explain how to perform the following actions available on the Results page:

• Upload a Report

• Upload a Pcap

• Filter Results

Tip: For more information about the Results page, see the related Features section of this guide.


Upload a Report

Steps

1. Click Results > Upload > Report.

The Upload Results window appears.

2. Select a file to upload.

3. Click the Upload Results button.

The report appears in a new row at the top of the Listing Results list on the Results page.


Upload a Pcap

Before You Begin

The maximum total file size for uploaded Pcaps is 100 MB. Running a Pcap pauses live monitoring.

Steps

1. Click Results > Upload > Pcaps.

The Upload Pcaps window appears.

2. Select one or more files to upload.

3. Click the Upload Pcap(s) button.

A new row for the Pcap(s) appears at the top of the Listing Results list on the Results page.


Filter Results

Steps

1. On the Results page, in the upper right corner, click the Filter Results drop-down box.

2. Select Snapshot, Manual, or Pcap.

The Listing Results list filters by the selected report type. Click Clear Filter to remove the filter from the list.


Delete Results

To delete one result:

1. On the Results page, hover over the result you wish to delete.

2. Click the button.

A dialog box appears confirming your selection to delete the result.

3. Click the Delete button.

The result is deleted.

To delete multiple results:

1. On the left side of the row for the result you want to delete, select the check box. Repeat this step for each result you want to delete.

2. Click Actions > Delete Result.

A dialog box appears confirming your selection to delete the results.

3. Click the Delete button.

The results are deleted.


Users Page

In order to see the Users page, you must access NNM using an account with administrative privileges.

The topics in this section explain how to perform the following actions available on the Users page:

• Create a New User

• Modify a User Account

• Reset a Locked Account

• Delete a User

Tip: For more information about the Users page, see the related Features section of this guide.


Create a New User

Steps

1. On the Users page, in the upper right corner, click the New User button.

The New User window appears.

2. In the Username field, enter a username for the user.

3. In the Password field, enter a password for the user.

Note: The username is case sensitive and the password must conform to the NNM password policy.

4. In the Confirm Password field, enter the password for the user a second time.

5. If the new user should have administrative privileges, select the Administrator check box.

Tip: When a user is created, it authenticates with SSL Client Certificates. The user name must match the Common Name in the certificate.

6. Click the Create User button.

The user saves and appears in the Users list.


Modify a User Account

Steps

1. On the Users page, select a user from the list.

The Edit User <username> window appears.

2. Modify the properties as needed.

3. Click the Update button.

Tip: To reset user account passwords via the command line, use the following command from the NNM binary directory:

/opt/NNM/bin/nnm --users --chpasswd <username>


Reset a Locked Account

Steps

1. Depending on your operating system, use the following command:

Operating System Command

Linux: # rm /opt/nnm/var/nnm/users/<locked account name>/hash.lockedout

Windows: del C:\ProgramData\Tenable\NNM\nnm\users\<locked_account_name>\hash.lockedout

macOS: # rm /Library/NNM/var/nnm/users/<locked account name>/hash.lockedout

Tip: Alternatively, a user with administrative privileges can navigate to this directory and manually delete the hash.lockedout file.

2. After deleting the hash.lockedout file, if needed, a user with administrative privileges can follow the steps under Modify a User Account to reset the user's password.


Delete a User

Steps

To delete one user:

1. On the Users page, hover over the user you want to delete.

On the right side of the row, the button appears.

2. Click the button.

A dialog box appears confirming your selection to delete the user.

3. Click the Delete button.

The user is deleted.

To delete multiple users:

1. On the Users page, on the left side of the row for the user you want to delete, select the check box. Repeat this step for each user you want to delete.

2. Click Actions > Delete Users.

A dialog box appears confirming your selection to delete the users.

3. Click the Delete button.

The users are deleted.


Configuration Page

The topics in this section explain how to perform the following actions available on the Configuration page:

• Configure the Performance Mode

• Download New Vulnerability Plugins

• Create a Custom Chart

• Delete a Chart

• Create an Email Notification

• Delete an Email Notification

• Add a Plugin Field

• Delete a Custom Plugin

• Add a Nessus Scanner

• Delete a Nessus Scanner

Tip: For more information about the Configuration page, see the related Features section of this guide.


Configure the Performance Mode

Before You Begin

This option appears only when NNM is licensed to run in High Performance mode and the machine running NNM meets the hardware and software requirements for High Performance mode. By default, all instances of NNM run in Standard mode.

NNM must restart when switching between performance modes.

Steps

1. Click Configuration > NNM Settings.

2. Under the Performance Mode heading, click the Enable High Performance Mode box to toggle between Yes and No. If you select Yes, continue to step 3. If you select No, continue to step 4.

3. In the Number of Worker Cores drop-down menu, select the appropriate number of worker cores.

Note: This option cannot be changed when NNM is already running in High Performance mode.

4. Click the Update button.

A dialog box appears confirming your selection to change the performance mode.

5. Click the Confirm button.

NNM restarts and the login screen appears. When the NNM server resumes, a notification appears indicating whether the configuration change was successful.


Note: NNM may use a different number of cores than the number you select. Based on system constraints and your selection, NNM selects the closest number of worker cores that it can feasibly support.

6. Log in to NNM.

The performance mode updates.


Download New Vulnerability Plugins

Before You Begin

When NNM is registered in Standalone mode using an Activation Code, plugins are updated automatically every 24 hours after the service is started.

If SecurityCenter CV or Tenable.io is used to manage NNM, new plugins for NNM are automatically sent at scheduled intervals.

Steps

1. Click Configuration > Feed Settings.

2. In the Feed Registration & Plugin Update heading, click the button.

Tip: The plugins can also be updated by using the following command:

# /opt/nnm/bin/nnm --update-plugins


Updating the NNM Management Interface

On occasion, the NNM management interface must be updated to provide new or updated features. When managed by SecurityCenter 4.8.1 or earlier, the NNM web server and interface are not updated automatically by the plugins provided through SecurityCenter CV. Therefore, web components must be updated manually on each NNM instance.

To manually update the plugins:

1. Download the latest plugins using the URL created during the offline registration process.

2. Log in to the NNM interface as a user with administrative privileges.

3. Navigate to Configuration > Feed Settings.

4. In the Offline Update section, navigate to Browse.

A dialog box appears.

5. Select the archive file to upload.

6. Click Upload Archive to send the file to the NNM host, which updates the plugins.

7. Stop and then restart NNM on the host.

The new interface is available for use.


Configure NNM for use with Industrial Security

1. Install Industrial Security using the following command:

$ rpm -ivh /root/is-1.0.0.rpm

2. In your browser, navigate to either of the following URLs and follow the prompts:

- https://localhost:8837

- https://127.0.0.1:8837

3. Log in to Industrial Security with the default credentials (admin/admin).


4. In the Quick Setup dialog, change your password.

5. Click Next Step.

6. Register your copy of Industrial Security using the Activation Code you received from Tenable, Inc.

Tip: Alternatively, this can be done from the command line. In Linux, run:

$ /opt/industrial-security/bin/industrial-security -a <ActivationCode>

In Windows, run:

C:> cd "C:\Program Files\Tenable\Industrial Security\"
C:> industrial-security.exe -a <ActivationCode>

7. Once activated, locate the Linking Key to connect one or more NNM sensors to Industrial Security.


8. On the Industrial Security home page, click Settings.

9. Click the Sensor Configuration tab.

10. Locate and copy the IS Linking Key. The IS Linking Key is a 64-character hex string used to connect an NNM sensor to this Industrial Security host.

11. Install the NNM application using the following command:

$ rpm -ivh /root/nnm-5.4.0.rpm

12. In your browser, navigate to either of the following URLs and follow the prompts:

- https://localhost:8835

- https://127.0.0.1:8835


13. Log in to NNM using the default credentials (admin/admin).

14. In the Quick Setup dialog, change your password.

15. Click Next Step.

16. In the Activation Code field, enter IndustrialSecurity.

Additional fields appear.


17. In the Industrial Security Host field, enter the IP address of the machine where you installed the Industrial Security application.

18. In the Industrial Security Key field, enter the Industrial Security Linking Key you located above.

19. In the NNM Name field, enter a name for the NNM host you're setting up.

Tip: This is the name that appears in IS once a connection is established. It identifies this specific sensor and differentiates this host from other NNM sensors you may install elsewhere on your network.

20. Click Next Step.


21. Click on the network interfaces you wish to monitor.

22. Enter the network ranges you wish to monitor on those interfaces.

Note: To monitor all network ranges, including VLAN support, enter 0.0.0.0/0, vlan 0.0.0.0/0, 0::/0, vlan 0::/0.

23. Click Finish.

A Setup Completed Successfully notification appears and you return to the NNM Monitoring Dashboard.

Note: You must restart NNM after enabling a module for the connection to function correctly within NNM.

Tip: To validate the connection between your NNM sensor host and your Industrial Security application, return to the Industrial Security application, click Settings > Sensor Configuration, and verify that the NNM host is in the Sensors List.


Create a Custom Chart

Steps

1. Click Configuration > Chart Settings > Create Chart.

The Create Chart window appears.

2. In the Name field, enter a name for the chart.

Note: In this example, we are creating a chart that displays the top vulnerabilities for machines reporting associated BitTorrent activity.

3. In the Description field, enter a description for the chart.

4. In the Chart Type section, select the type of chart you want to display.

5. In the Dashboard Family section, enter a numeric value between 1 and 20 that represents the number of items returned for this chart.


6. Click Top to add the value to the Current Chart Query section.

7. In the Category section, select a chart category. The selected category determines the type of items displayed on the chart, such as hosts, vulnerabilities, applications, operating systems, or connections.

8. In the Filters section, configure the options by which you want to filter the results.

Note: In this example, we are creating a filter based on the Plugin ID 3920. This triggers when BitTorrent client activity is detected.

9. Click the + button to apply the rule to the chart.

10. In the Viewable section, select whether you want the chart to be viewable on the main dashboard.

The configured options look like this:

11. Click the Create Chart button. The chart appears in the Dashboards section of the Monitoring page.


Delete a Chart

Steps

To delete one chart:

1. Click Configuration > Chart Settings and hover over the chart you want to delete.

2. On the right side of the row, click the button.

A dialog box appears confirming your selection to delete the chart.

3. Click the Delete button.

The chart is deleted.

To delete multiple charts:

1. Click Configuration > Chart Settings.

2. On the left side of the row for the chart you want to delete, select the check box. Repeat this stepfor each chart you want to delete.

3. Click Actions > Delete Charts.

A dialog box appears confirming your selection to delete the charts.

4. Click the Delete button.

The charts are deleted.

Note: You cannot delete default charts.


Create an Email Notification

Steps

1. Click Email Settings > Create Email Notification.

The Create Email Notification window appears.

2. In the Name field, enter a name for the email notification.

3. In the Description field, enter a description for the email notification.

4. Click the Next Step button.

The Add Charts screen appears.

5. Select the check boxes that correspond to the charts you want to add to the email notification.

6. Reorder the charts by clicking and dragging the appropriate button.

7. Click the Next Step button.

The Schedule Email Notification screen appears.

8. Select the frequency, date, and time at which you want the email notification to be sent. Depending on the option you select in the Frequency box, the following additional options appear:

Frequency / Options

Once
    None

Hourly
    Repeat Every - a drop-down box that includes options from 1 to 20 hours.

Daily
    Repeat Every - a drop-down box that includes options from 1 to 20 days.

Weekly
    Repeat Every - a drop-down box that includes options from 1 to 20 weeks.
    Repeat On - a multi-selectable list of the days of the week.

Monthly
    Repeat Every - a drop-down box that includes options from 1 to 20 months.
    Repeat By - a drop-down box that includes the options Week of Month and Day of Month.

Yearly
    Repeat Every - a drop-down box that includes options from 1 to 20 years.

The Summary field updates automatically depending on your selection.

9. Click the Next Step button.

The Add Recipients screen appears.

10. In the Recipients box, enter an email address and click the button. Repeat until you have added all desired recipients.

11. Click the Next Step button.

The Review Email Notification screen appears, which displays a summary of your email notification configuration.

12. Review the notification details.

13. Click the Finish button.


Delete an Email Notification

Steps

To delete one email notification:

1. Click Configuration > Email Settings and hover over the email notification you want to delete.

2. On the right side of the row, click the button.

A dialog box appears confirming your selection to delete the email notification.

3. Click the Delete button.

The email notification is deleted and the corresponding notifications are no longer sent.

To delete multiple email notifications:

1. Click Configuration > Email Settings.

2. On the left side of the row for the email notification you want to delete, select the check box. Repeat this step for each email notification you want to delete.

3. Click Actions > Delete Notifications.

A dialog box appears confirming your selection to delete the email notifications.

4. Click the Delete button.

The email notifications are deleted and the corresponding notifications are no longer sent.


Add a Plugin Field

1. Click Configuration > Plugin Settings > Setting Type > Create Custom Plugin > Add Plugin Field.

The Add Plugin Field window appears.

2. In the Name field, enter a name for the plugin.

3. From the Value Type drop-down menu, select a value type for the plugin.

4. If you wish to allow duplicates of this plugin, select the Allow Duplicates check box.

5. If you wish to replace XML special characters, select the Replace XML Special Characters check box.

6. Click the Add button.

The new plugin fields appear below the No Output check box.


Delete a Custom Plugin

1. Click Configuration > Plugin Settings.

2. Select the custom plugin(s) that you want to delete.

3. Click Actions > Delete Custom Plugins.

A dialog box appears confirming your selection to delete the custom plugins. You can delete only user-created plugins.

4. Click the Delete button.

The custom plugins are deleted.


Add a Nessus Scanner

Steps

1. Click Configuration > Nessus Scanner Settings > Add Nessus Scanner.

The Add Nessus Scanner window appears.

2. In the Scanner Host field, enter the domain name or IP address of the Nessus server.

3. In the Scanner Port field, enter the port of the Nessus server.

4. In the Access Key field, enter the first half of a Nessus API Key, which is used to authenticate with the Nessus REST API.

5. In the Secret Key field, enter the second half of a Nessus API Key, which is used to authenticate with the Nessus REST API.

6. Click the Add Nessus Scanner button.

The Nessus scanner appears in the Nessus Scanner Settings section.


Delete a Nessus Scanner

Steps

To delete one Nessus Scanner:

1. Click Configuration > Nessus Scanner Settings and hover over the scanner you want to delete.

2. Click the button.

A dialog box appears confirming your selection to delete the scanner.

3. Click the Delete button.

The scanner is deleted.

To delete multiple Nessus Scanners:

1. Click Configuration > Nessus Scanner Settings.

2. On the left side of the row for the scanner you want to delete, select the check box. Repeat this step for each scanner you want to delete.

3. Click Actions > Delete Nessus Scanners.

A dialog box appears confirming your selection to delete the scanners.

4. Click the Delete button.

The scanners are deleted.


Additional Resources

This section describes the following information about NNM that is not included in the Features and How To sections:

- Command Line Operations

- Unknown or Customized Ports

- Real-Time Traffic Analysis Configuration Theory

- Modules

- Internal NNM Plugin IDs

- NNM Plugins

- Working with SecurityCenter

- Syslog Message Formats

- Custom SSL Certificates

- Configure NNM for Certificates


Command Line Operations

The NNM engine provides many options to update and configure NNM from the command line in Linux, Windows, and macOS. All command lines should be run by users with root or administrative privileges.

- Common Command Line Operations

- Linux Command Line Operations

- Windows Command Line Operations

- macOS Command Line Operations


Common Command Line Operations

NNM can be run from the command line to update plugins, perform configuration tasks, and analyze Pcap files to generate a report file for use with SecurityCenter CV or other programs. Running the NNM binary with the -h option displays a list of available options.

Note: You must stop NNM before running command line operations.

NNM Binary Locations

The NNM binary for Linux can be found in the following location:

# /opt/nnm/bin/nnm

The NNM binary for Windows can be found in the following location:

C:\Program Files\Tenable\NNM\nnm.exe

The NNM binary for macOS can be found in the following location:

# /Library/NNM/bin/nnm

NNM Command Line Options

Option / Purpose

-a <activation code>
    Enter the Activation Code to activate NNM to enable plugin updates and monitoring functions.
    If your NNM system is managed by SecurityCenter and is running in Standard mode, you can use the following command: -a SecurityCenter
    If your NNM system is managed by SecurityCenter and is running in High Performance mode, you can use the following command: -a SecurityCenter <activation code>
    If your NNM system is managed by Tenable.io and is running in Standard mode, you can use the following command: -a Cloud
    If your NNM system is managed by Tenable.io and is running in High Performance mode, you can use the following command: -a Cloud <activation code>
    Before running the -a command for NNM that is managed by Tenable.io, you should first configure the Cloud Host, Cloud Port, Cloud Key, and NNM Name parameters.

--config --add "custom_parameter name" "parameter value"
    Add a custom configuration parameter for NNM or an NNM Proxy. The double quote characters are required, although single quotes may be used when special characters are required.

--config --delete "custom_parameter name"
    The delete command may be used to remove custom configuration parameters.

--config --list
    Lists the current NNM and NNM Proxy configuration parameters. Parameter names are listed to the left of the colon character and are case sensitive. The value of the parameter displays to the right of the colon character.

--config "parameter name" ["parameter value"]
    Displays the defined parameter value. If a value is added at the end of the command, the parameter updates with the new setting. The double quote characters are required, although single quotes may be used when special characters are required.
    Note: While CLI changes to some parameters do not require restarting NNM for the change to take effect, you must restart NNM after changing the location of the realtime log file.

-d debugmode
    Runs NNM in debug mode for troubleshooting purposes. This option causes the system to use more resources and should be enabled only when directed by a Tenable Support Technician.

-f packet_dump_file
    Replaces packet_dump_file with the path to the Pcap file you want NNM to process.
    Note: Windows does not support the pcapng format.

-h
    Displays the command line options help file.

-k
    Displays the NNM activation status.

-L
    Displays a list of the license declarations.

-l
    Displays a list of the plugin IDs that are loaded by NNM.

-m
    Shows various aspects of memory usage during the processing of the NNM command.

-p packet_dump_file
    Replaces packet_dump_file with the local file name or path to file name to write the captured packets to a file.

NNM --users --add
    Adds a new user to NNM with the expected values of: ["username" "password" admin]. Expected values for the "admin" flag are either 1 (grant user administrative privileges) or 0 (do not grant user administrative privileges).

NNM --users --chpasswd
    Changes an NNM user's password.

NNM --users --delete
    Removes a user from NNM.

--register-offline <license file>
    Registers NNM in offline mode when you insert the license file obtained from Tenable™.

--update-plugins <plugin tarball>
    If NNM is not running in offline mode, the tarball is optional. When no file is provided with this command, NNM contacts a plugin feed server to download plugins directly.
    When using NNM in offline mode, updating the plugins requires downloading a tarball from Tenable. When updating the plugins from the command line, this command is used to identify the file to use for updating the plugins.

-v
    Shows the version information about the installed instance of NNM.


Linux Command Line Operations

You must run all commands with root privileges.

Start, Stop, or Restart NNM

Action / Command to Manage NNM

Start
    # service nnm start
    then
    # ps aux|grep nnm

Stop
    # service nnm stop

Restart
    # service nnm restart

Once a day, as scheduled, if SecurityCenter CV has received new NNM plugins from Tenable™, it installs them in the NNM plugin directory. NNM detects the change, automatically reloads, and begins using the new plugins.

Real-time NNM data is communicated to the configured LCE server or Syslog server(s) in real-time.

Configure HugePages

Before You Begin

These steps assume that your system meets the hardware and software requirements necessary for running NNM in High Performance mode.

Steps

1. Ensure your HugePages settings are correct by using the following command:

# grep Huge /proc/meminfo
AnonHugePages: 0 kB
HugePages_Total: 1024
HugePages_Free: 1024
HugePages_Rsvd: 0
HugePages_Surp: 0
Hugepagesize: 2048 kB

The Hugepagesize parameter is set to 2048 kB by default, but this option is configurable. NNM requires a minimum of 1024 HugePages that are at least 2048 kB in size.

Note: In some cases, the HugePages_Free parameter may be set to 0; however, this does not necessarily indicate insufficient HugePage memory.

2. Reserve a certain amount of memory to be used as HugePages by using the following command to update the kernel parameter manually:

/bin/echo 1024 > /sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages

The number of HugePages reserved by the kernel changes to 1024, and HugePages become available.

Note: If the kernel does not have enough memory available to satisfy this request, the command may fail without notifying the user. After running this command, the HugePages configuration should be checked again using the command in step 1.

3. To ensure that your HugePages configuration persists across system reboots, refer to the following section that corresponds to your Linux kernel version.

Linux Kernel Version 6

Update the persistent kernel configuration files using one of the following commands:

In the /etc/sysctl.conf file, add the vm.nr_hugepages=1024 parameter and reload the kernel configuration with the sysctl -p command. Alternatively, you can reboot the system.

-or-

In the /etc/grub.conf file, on the kernel startup line, add the hugepages=1024 parameter and reboot the system.

Linux Kernel Version 7

Update the persistent kernel configuration files using one of the following commands:


In the /etc/sysctl.conf file, add the vm.nr_hugepages=1024 parameter and reload the kernel configuration with the sysctl -p command. Alternatively, you can reboot the system.

-or-

In the /etc/sysconfig/grub file, on the kernel startup command (GRUB_CMDLINE_LINUX), add the hugepages=1024 parameter. Reload the kernel configuration with the grub2-mkconfig -o /etc/grub2 command and reboot the system.

4. Connect the file system to the HugePages subsystem using the following steps:

a. Execute the /bin/mkdir -p /mnt/NNM_huge command.

b. Execute the /bin/mount -t hugetlbfs nodev /mnt/NNM_huge command.

c. Additionally, open the /etc/fstab file location and add the following record:

nodev /mnt/NNM_huge hugetlbfs rw 0 0
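The checks and persistent entries from steps 1 through 4 above, as an added shell example that is not part of the guide or of Tenable's tooling: it validates a /proc/meminfo snapshot against the stated NNM minimum (1024 pages of at least 2048 kB) and adds the sysctl and fstab records without duplicating them on repeated runs. The file paths are passed as arguments so the functions can be exercised on copies rather than the live system files; the meminfo sample is constructed.

```shell
#!/bin/sh
# Added example (not Tenable's code): verify a HugePages configuration for
# NNM High Performance mode and make the reservation persistent.

NNM_MIN_PAGES=1024     # minimum HugePages_Total NNM requires
NNM_MIN_PAGE_KB=2048   # minimum Hugepagesize in kB NNM requires

# hugepages_ok <meminfo-file>
# Returns 0 when HugePages_Total and Hugepagesize meet the NNM minimum,
# 1 when they do not, 2 when the file lacks the fields.
# HugePages_Free is deliberately not checked: the guide notes it may read 0
# (for example while NNM already holds the pages) without meaning memory
# is insufficient.
hugepages_ok() {
    total=$(awk '/^HugePages_Total:/ {print $2}' "$1")
    size_kb=$(awk '/^Hugepagesize:/ {print $2}' "$1")
    [ -n "$total" ] && [ -n "$size_kb" ] || return 2
    [ "$total" -ge "$NNM_MIN_PAGES" ] && [ "$size_kb" -ge "$NNM_MIN_PAGE_KB" ]
}

# ensure_line <file> <line>
# Appends <line> to <file> unless an identical line is already present, so
# re-running the setup does not stack duplicate sysctl or fstab entries.
ensure_line() {
    file=$1
    line=$2
    touch "$file"
    grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# persist_hugepages <sysctl.conf> <fstab>
# Writes the two persistent records the guide describes for kernel
# versions 6 and 7 (sysctl) and for the hugetlbfs mount (fstab).
persist_hugepages() {
    ensure_line "$1" "vm.nr_hugepages=$NNM_MIN_PAGES"
    ensure_line "$2" "nodev /mnt/NNM_huge hugetlbfs rw 0 0"
}

# Constructed sample of "grep Huge /proc/meminfo" output, matching the
# values shown in step 1 of the guide.
SAMPLE_MEMINFO=$(mktemp)
cat > "$SAMPLE_MEMINFO" <<'EOF'
AnonHugePages:         0 kB
HugePages_Total:    1024
HugePages_Free:     1024
HugePages_Rsvd:        0
HugePages_Surp:        0
Hugepagesize:       2048 kB
EOF

if hugepages_ok "$SAMPLE_MEMINFO"; then
    echo "HugePages configuration meets the NNM minimum"
else
    echo "HugePages configuration is insufficient; re-check after reserving pages" >&2
fi
rm -f "$SAMPLE_MEMINFO"
```

On a real host, point hugepages_ok at /proc/meminfo after the echo in step 2, since that write can fail silently when the kernel cannot satisfy the request.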

File Locations

NNM installs its files in the following locations:

Path / Purpose

/opt/nnm
    Base directory.

/opt/nnm/bin
    Location of the NNM and NNM Proxy executables, plus several helper tools for the NNM Proxy daemon.

/opt/nnm/docs
    Contains the software license agreement for NNM.

/opt/nnm/var
    Contains the folders for NNM and the NNM-Proxy.

/opt/nnm/var/nnm
    Contains plugins, discovered vulnerabilities, log files, keys, and other miscellaneous items.

    db
        Contains the database files related to the configuration, reports, and users for NNM.

    kb
        Stores the NNM knowledge base, if used.

    logs
        Contains NNM logs.

    plugins
        Contains the NNM plugins delivered via SecurityCenter, Tenable.io, the NNM Feed, or updated via the command line or web interface if NNM is running in Offline mode.
        Note: If SecurityCenter CV is used to manage the plugins, do not change this path from the default /opt/nnm/var/nnm.

    nnm-services
        A file NNM uses to map service names to ports. This file may be edited by the user. Plugin updates do not overwrite modifications to the file.

    reports
        Contains reports generated by NNM. This folder contains the .nessus file generated by default.

    scripts
        Contains the files for the NNM Web server.

    ssl
        Contains SSL certificates used by the proxy and web server for the SSL connection between itself and SecurityCenter CV or the web browser.

    users
        Contains folders for user files and reports.

    www
        Contains the files for the NNM web front-end.

/opt/nnm/var/nnm-proxy
    Parent folder for files used/created by the NNM proxy.

    logs
        Contains the NNM proxy and NNM proxy service logs.


Windows Command Line Operations

You must run all programs as a local user with administrative privileges. To do so, when UAC is enabled, right-click on the installer program and select Run as Administrator.

Start or Stop NNM

Action   Command to Manage NNM
Start    net start "Tenable NNM Proxy"
Stop     net stop "Tenable NNM Proxy"

Alternatively, NNM can be managed via the Services control panel utility. Under the list of services, find Tenable NNM Proxy Service. Right-click on the service to display a list of options for the service, including the ability to start or stop the Tenable NNM or Tenable NNM Proxy service.

File Locations

NNM installs its files in the following locations:

Path                           Purpose
C:\Program Files\Tenable\NNM   Contains NNM binaries and dependent libraries.
C:\ProgramData\Tenable\NNM     Contains all data files consumed and output by NNM and NNM Proxy (e.g., configuration, plugins, logs, and reports).
                               Note: This directory does not appear unless the Windows Hidden Files and Folders option is enabled.

The following table contains the folder layout under C:\ProgramData\Tenable\NNM:

Folder             Purpose
docs               Contains the software license agreement for NNM.
NNM                Parent folder for NNM logs, reports, plugins, and scripts directories. Also contains the NNM-services file.
    db             Contains the database files relating to the configuration, reports, and users for NNM.
    kb             Stores the NNM knowledge base, if used.
    logs           Contains NNM logs.
    plugins        Contains the NNM plugins delivered via SecurityCenter, Tenable.io, the NNM Feed, or updated via the command line or web interface if NNM is running in Offline mode.
                   Note: Do not change this path from the default C:\ProgramData\Tenable\NNM\nnm if SecurityCenter CV is used to manage the plugins.
    nnm-services   A file NNM uses to map service names to ports. This file may be edited by the user. Plugin updates do not overwrite modifications to the file.
    reports        Contains reports generated by NNM. This folder contains the .nessus file generated by default.
    scripts        Contains the files for the NNM Web server.
    ssl            Contains SSL certificates used by the proxy and web server for the SSL connection between itself and SecurityCenter CV or the web browser.
    users          Contains folders for user files and reports.
    www            Contains the files for the NNM web front-end.
nnm-proxy          Parent folder for files used/created by the NNM proxy.
    logs           Contains NNM proxy and NNM proxy service logs.
    run            Contains process ID temporary files.


macOS Command Line Operations

You must run all programs as a root user or with equivalent privileges.

Start or Stop NNM

Action   Command to Manage NNM
Start    # launchctl load -w /Library/LaunchDaemons/com.tenablesecurity.nnm-proxy.plist
Stop     # launchctl unload -w /Library/LaunchDaemons/com.tenablesecurity.nnm-proxy.plist

File Locations

NNM installs its files in the following locations:

Path                          Purpose
/Library/NNM                  Base directory.
/Library/NNM/docs             Contains the NNM license agreement in various file formats.
/Library/NNM/bin              Location of the NNM and NNM Proxy executables, plus several helper tools for the NNM Proxy daemon.
/Library/NNM/var/nnm          Contains plugins, discovered vulnerabilities, log files, keys, and other miscellaneous items.
    db                        Contains the database files related to the configuration, reports, and users for NNM.
    kb                        Stores the NNM knowledge base, if used.
    logs                      Contains NNM logs.
    plugins                   Contains the NNM plugins delivered via SecurityCenter, Tenable.io, the NNM Feed, or updated via the command line or web interface if NNM is running in Offline mode.
                              Note: Do not change this path from the default /Library/NNM/var/nnm if SecurityCenter CV is used to manage the plugins.
    nnm-services              A file NNM uses to map service names to ports. This file may be edited by the user. Plugin updates do not overwrite modifications to the file.
    reports                   Contains reports generated by NNM. This folder contains the .nessus file generated by default.
    scripts                   Contains the files for the NNM Web server.
    ssl                       Contains SSL certificates used by the proxy and web server for the SSL connection between itself and SecurityCenter CV or the web browser.
    users                     Contains files and reports for NNM users.
    www                       Contains the files for the NNM web front-end.
/Library/NNM/var/nnm-proxy    Parent folder for files used/created by the NNM proxy.
    logs                      Contains the NNM proxy and NNM proxy service logs.


Unknown or Customized Ports

Many networks contain traffic on ports NNM defines as different traffic types or alternate ports. If the port is not defined, it displays as Unknown. The NNM-services file may be edited to either customize or add the port information to provide accurate reporting for ports on the network.

For example, by default, there are two lines in the NNM-services file that define SMTP traffic. They read smtp 25/tcp and smtp 25/udp. If the organization routinely sends SMTP data over port 2525, those lines can be updated to read smtp 2525/tcp and smtp 2525/udp.
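The lookup the NNM-services file drives is simple enough to reproduce, which is useful when deciding which Unknown ports in a report deserve an entry. The example below is added here and is not NNM's own code; it assumes the classic services layout the guide quotes (service name, then port/protocol, optional aliases, '#' comments), and the file content it parses is constructed. Later lines win, so an added site-specific entry overrides a default without deleting it.

```python
"""Resolve a port/protocol pair to a service name the way the NNM-services file
maps them, returning "Unknown" for anything undefined.

Added example, not NNM's own code. Assumes the classic services layout the
guide quotes ("smtp 25/tcp"). The file content below is constructed.
"""

SAMPLE_SERVICES = """\
# constructed sample in the NNM-services layout
ssh      22/tcp
smtp     25/tcp
smtp     25/udp
http     80/tcp    www
https    443/tcp
smtp     2525/tcp  # site relay port added as the guide describes
smtp     2525/udp
"""


def parse_services(text):
    """Return {(port, proto): name}. Later lines win, so a local entry overrides a default."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2 or "/" not in parts[1]:
            raise ValueError(f"line {lineno}: expected 'name port/proto', got {raw!r}")
        port_text, proto = parts[1].split("/", 1)
        if not port_text.isdigit() or not 0 < int(port_text) < 65536:
            raise ValueError(f"line {lineno}: bad port in {raw!r}")
        table[(int(port_text), proto.lower())] = parts[0]
    return table


def service_name(table, port, proto):
    """Name for port/proto, or "Unknown" as NNM reports undefined ports."""
    return table.get((port, proto.lower()), "Unknown")


def unknown_ports(table, observed):
    """Given observed (port, proto) pairs, return the ones the file does not define,
    i.e. the candidates for new NNM-services entries."""
    return sorted({(p, pr.lower()) for p, pr in observed if (p, pr.lower()) not in table})


if __name__ == "__main__":
    table = parse_services(SAMPLE_SERVICES)
    for port, proto in ((25, "tcp"), (2525, "tcp"), (8443, "tcp")):
        print(f"{port}/{proto} -> {service_name(table, port, proto)}")
    print("undefined:", unknown_ports(table, [(8443, "tcp"), (2525, "udp"), (53, "udp")]))
```

Because a malformed line raises instead of being skipped, running parse_services over the real file after an edit catches a typo before NNM is restarted with it.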


Real-Time Traffic Analysis Configuration Theory

This section describes how configuration options affect NNM operation and provides the following details on NNM architecture:

• Focus Network

• Detecting Server and Client Ports

• Detecting Specific Server and Client Port Usage

• Firewall Rules

• Working with SecurityCenter

• Selecting Rule Libraries and Filtering Rules

• Detecting Encrypted and Interactive Sessions

• Routes and Hop Distance

• Alerting


Focus Network

When a focus network is specified via the networks keyword, only one side of a session must match in the list. For example, if you have a DMZ that is part of the focus network list, NNM reports on vulnerabilities of the web server there, but not on web clients visiting from outside the network. However, a web browser within the DMZ visiting the same web server is reported.

In the diagram above, three sessions labeled A, B, and C are shown communicating to, from, and inside a focus network. In session A, NNM analyzes only those vulnerabilities observed on the server inside the focus network and does not report client side vulnerabilities. In session B, NNM ignores vulnerabilities on the destination server, but reports client side vulnerabilities. In session C, both client and server vulnerabilities are reported.

There is another filter that NNM uses while looking for unique sessions. This is a dependency that requires the host to run a major service. These dependencies are defined by a list of NNM plugin IDs that identify SSL, FTP, and several dozen other services.

Finally, the entire process of detecting these sessions can be filtered by specific network ranges and ports. For example, if a University ran a public FTP server that had thousands of downloads each hour, they may want to disable interactive sessions on port 21 on that FTP server. Similarly, disabling encryption detection on ports such as 22 and 443 also eliminates some noise for NNM.


Detecting Server and Client Ports

The method used by TCP connections to initiate communication is known as the “three-way handshake.” This method can be compared to how a common telephone conversation is initiated. If Bob calls Alice, he has effectively sent her, in TCP terms, a “SYN” packet. She may or may not answer. If Alice answers, she has effectively sent a “SYN-ACK” packet. The communication is still not established, since Bob may have hung up as she was answering. The communication is established when Bob replies to Alice, sending her an “ACK.”

The NNM configuration option “connections to services” enables NNM to log network client to server activity.

Whenever a system within the monitored network range tries to connect to a server over TCP, the connecting system emits a TCP “SYN” packet. If the port the client connects on is open, then the server responds with a TCP “SYN/ACK” packet. At this point, NNM records both the client address and the server port the client connects to. If the port on the server is not open, then the server does not respond with a TCP “SYN/ACK” packet. In this case, since NNM never sees a TCP “SYN/ACK” response from the server, NNM does not record the fact that the client tried to connect to the server port, since the port is not available to that client.

The Connections to Services configuration parameter does not track how many times the connection was made. If the same host browses the same web server a million times, or browses a million different web servers once, the host is still marked as having browsed on port 80. This data is logged as NNM internal plugin ID 2.

NNM detects many applications through plugin and protocol analysis. At a lower level, NNM also detects open ports and outbound ports in use on the monitored networks. By default, NNM detects any TCP server on the protected network if it sees a TCP “SYN-ACK” packet.

In combination, the detection of server ports and client destination ports allows a network administrator to see who on their network is serving a particular protocol and who on their network is speaking that protocol.


Detecting Specific Server and Client Port Usage

The Show Connections configuration parameter keeps track of host communication within the focus network. When the Show Connections configuration parameter is enabled, if one of the hosts is in the defined focus network, NNM records the client, server, and server port every time a host connects to another host. It does not track the frequency or time stamp of the connections – just that a connection was made.

The Show Connections configuration parameter provides a greater level of detail than the Connections to Services configuration parameter. For example, if your IPv4 address is 1.1.1.1 or your IPv6 address is 2001:DB8::AE59:3FC2 and you use the SSH service to connect to “some_company.com”, then the use of these options records the following:

Show Connections

some_company.com:SSH

2001:DB8::AE59:3FC2 -> some_company.com

Connections to Services

SSH

2001:DB8::AE59:3FC2 -> SSH

Using the Connections to Services configuration parameter lets you know that the system at 1.1.1.1 and 2001:DB8::AE59:3FC2 uses the SSH protocol. This information may be useful regardless of where the service is used.

NNM does not log a session-by-session list of communications. Instead, it logs the relationship between the systems. For example, if system A is detected using the SSH protocol on port 22 connecting to system B, and both systems are within the focus network, NNM would log:

• System A browses on port 22

• System B offers a service (listens) on port 22

• System A communicates with System B on port 22


If system B were outside of the focus network, NNM would not record anything about the service system B offers, and would also log that system A browses outside of the focus network on port 22. NNM does not log how often a connection occurs, only that it occurred at least once. For connections outside of the focus network, NNM logs only which ports are browsed, not the actual destinations.

Note: If logging session-by-session network events is a requirement for your network analysis, Tenable offers the LCE product, which can log firewall, web server, router, and sniffer logs.
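The rules spelled out across the Focus Network, Detecting Server and Client Ports, and Detecting Specific Server and Client Port Usage sections combine into one small state machine: act only on SYN/ACK (a bare SYN proves nothing about the port), keep relationships rather than counts, record the server side only when the server is in the focus network and the client side only when the client is, and for servers outside the focus keep the port but not the destination. The tracker below is an added example of those rules and is not NNM's code; the packet stream, the focus range, and the "S"/"SA" flag labels are constructed for the example, and the decision to record a full connection whenever the server is inside the focus is this example's reading of "one of the hosts is in the defined focus network".

```python
"""Passive client/server port learning, modelled on the rules the guide gives for
the Connections to Services and Show Connections parameters and the focus network.

Added example, not NNM's own code. Packets are constructed (src, dst, sport, dport,
flags) tuples; "S" marks a SYN and "SA" a SYN/ACK, labels chosen for this example.
"""
import ipaddress

SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.20", 51000, 22, "S"),
    ("10.0.0.20", "10.0.0.5", 22, 51000, "SA"),
    ("10.0.0.5", "10.0.0.20", 51001, 22, "S"),          # same relationship again
    ("10.0.0.20", "10.0.0.5", 22, 51001, "SA"),
    ("10.0.0.5", "203.0.113.9", 51002, 443, "S"),       # server outside the focus
    ("203.0.113.9", "10.0.0.5", 443, 51002, "SA"),
    ("198.51.100.7", "10.0.0.20", 40000, 80, "S"),      # client outside the focus
    ("10.0.0.20", "198.51.100.7", 80, 40000, "SA"),
    ("10.0.0.5", "10.0.0.20", 51003, 23, "S"),          # closed port: no SYN/ACK ever comes
    ("198.51.100.7", "203.0.113.9", 40001, 25, "S"),    # neither side in the focus
    ("203.0.113.9", "198.51.100.7", 25, 40001, "SA"),
]


class PassiveTracker:
    """Learns who serves and who browses which ports from SYN/ACK packets only."""

    def __init__(self, focus_networks, show_connections=True):
        self.focus = [ipaddress.ip_network(n) for n in focus_networks]
        self.show_connections = show_connections
        self.browses = {}          # client -> {server port}   (Connections to Services)
        self.serves = {}           # server -> {listening port}
        self.connections = set()   # (client, server, port)    (Show Connections)
        self.browses_outside = {}  # client -> {port} used against servers outside the focus

    def in_focus(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.focus)

    def observe(self, src, dst, sport, dport, flags):
        # A bare SYN proves nothing: the port may be closed, so only a SYN/ACK counts.
        if flags != "SA":
            return
        server, client, port = src, dst, sport
        server_in, client_in = self.in_focus(server), self.in_focus(client)
        if not (server_in or client_in):
            return                                   # neither side in the focus network
        if server_in:
            self.serves.setdefault(server, set()).add(port)
        if client_in:
            self.browses.setdefault(client, set()).add(port)
            if not server_in:
                self.browses_outside.setdefault(client, set()).add(port)
        if self.show_connections and server_in:
            # The destination is kept only when the server is inside the focus network.
            self.connections.add((client, server, port))

    def report(self):
        """Relationship lines in the form the guide uses; sets mean no counts are kept."""
        lines = []
        for host, ports in sorted(self.browses.items()):
            lines += [f"{host} browses on port {p}" for p in sorted(ports)]
        for host, ports in sorted(self.serves.items()):
            lines += [f"{host} offers a service (listens) on port {p}" for p in sorted(ports)]
        for c, s, p in sorted(self.connections):
            lines.append(f"{c} communicates with {s} on port {p}")
        for host, ports in sorted(self.browses_outside.items()):
            lines += [f"{host} browses outside the focus network on port {p}" for p in sorted(ports)]
        return lines


def run_sample(focus=("10.0.0.0/24",)):
    tracker = PassiveTracker(focus)
    for pkt in SAMPLE_PACKETS:
        tracker.observe(*pkt)
    return tracker


if __name__ == "__main__":
    print("\n".join(run_sample().report()))
```

Note what the sample does not produce: nothing for port 23 (the SYN got no answer), nothing for 198.51.100.7 as a browser, nothing for 203.0.113.9 as a server, and the repeated SSH session appears once. Those absences are the point of the focus network and of keeping relationships instead of sessions.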


Firewall Rules

If NNM is placed immediately behind a firewall such that all of the traffic presented to NNM flows through the firewall, then the list of served ports, client side ports, and the respective IP addresses of the users are readily available. Tools such as SecurityCenter CV’s Vulnerability Analysis interface allow information about these ports (both client and server) to be browsed, sorted, and reported on. You can also view lists of IP addresses and networks using these client and server ports.


Working with SecurityCenter CV

When SecurityCenter CV manages multiple NNM sensors, users of SecurityCenter CV can analyze the aggregate types of open ports, browsed ports, and communication activity that occurs on the focus network. Since SecurityCenter CV has several different types of users and privileges, many different IT and network engineering accounts can be created across an enterprise so they can share and benefit from the information detected by NNM.


Selecting Rule Libraries and Filtering Rules

Tenable ships an encrypted library of passive vulnerability detection scripts. This file cannot be modified by the end users of NNM. However, if certain scripts must be disabled, they can be specified by the PASL ID with “.pasl” appended. For example, 1234.pasl on a single line in the disabled-scripts.txt file disables the PASL with the ID of 1234.

If a plugin must be disabled, enter its ID on a single line in the disabled-plugins.txt file. If a plugin must be real-time enabled, enter its ID on a single line in the realtime-plugins.txt file.

When adding NNM plugins to the disabled plugin list, be sure to leave an empty blank line after entering the last plugin to be disabled. Failure to return to the next line can result in a non-functional disabled plugin list.

Example: 1234 [return]

If any of the referenced files do not exist, create them using the appropriate method for the operating system. The file locations are as follows:

Operating System   File Path
Linux              /opt/nnm/var/nnm
Windows            C:\ProgramData\Tenable\NNM\nnm
macOS              /Library/NNM/var/nnm


Detecting Encrypted and Interactive Sessions

NNM can be configured to detect both encrypted and interactive sessions. An encrypted session is a TCP or UDP session that contains sufficiently random payloads. An interactive session uses timing and statistical profiling of the packets in a session to determine if the session involves human input at a command line prompt.

In both cases, NNM identifies these sessions for the given port and IP protocol. It then lists the detected interactive or encrypted sessions as vulnerabilities.

NNM has a variety of plugins to recognize telnet, Secure Shell (SSH), Secure Socket Layer (SSL), and other protocols. Combined with the detection of the interactive and encryption algorithms, NNM may log multiple forms of identification for the detected sessions.

For example, NNM may recognize not only an SSH service running on a high port as an encrypted session, but also recognize the version of SSH and determine any vulnerabilities associated with it.
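"Sufficiently random payloads" is usually measured as Shannon entropy over the bytes of a session: cleartext protocols sit well under 6 bits per byte, ciphertext close to 8. The example below is added here and is not NNM's detector; the guide does not publish NNM's test or threshold, so the 7.5 bits/byte cut-off and the 512-byte minimum are this example's assumptions, and both payloads are constructed (the ciphertext stand-in is a deterministic chain of SHA-256 digests, not output of any cipher).

```python
"""Score a session payload for the "sufficiently random" property the guide
uses to describe encrypted-session detection, via Shannon entropy per byte.

Added example, not NNM's detector. Threshold, minimum length and both payloads
are this example's assumptions.
"""
import hashlib
import math

# Constructed cleartext: a repeated HTTP request header.
PLAINTEXT = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nAccept: */*\r\n\r\n" * 40

# Constructed stand-in for ciphertext: a deterministic chain of SHA-256 digests,
# byte-uniform the way an encrypted stream is (no key or cipher involved).
CIPHERTEXT_LIKE = b"".join(hashlib.sha256(b"nnm-sample-%d" % i).digest() for i in range(128))


def byte_entropy(data):
    """Shannon entropy of the byte distribution, 0.0 .. 8.0 bits per byte."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted(data, threshold=7.5, min_len=512):
    """True when a payload is long enough to judge and near-uniform in byte values.
    Short payloads are refused rather than guessed at: an entropy estimate over a
    few dozen bytes cannot reach the threshold and would only produce misses."""
    return len(data) >= min_len and byte_entropy(data) >= threshold


def classify_sessions(sessions, **kw):
    """sessions: {(client, server, port): payload}. Returns the keys judged encrypted,
    which is the shape of finding NNM lists per port and IP protocol."""
    return sorted(k for k, payload in sessions.items() if looks_encrypted(payload, **kw))


if __name__ == "__main__":
    sessions = {
        ("10.0.0.5", "10.0.0.20", 80): PLAINTEXT,
        ("10.0.0.5", "10.0.0.21", 2222): CIPHERTEXT_LIKE,        # SSH-like on a high port
        ("10.0.0.5", "10.0.0.22", 9000): CIPHERTEXT_LIKE[:64],   # too short to judge
    }
    for key, payload in sessions.items():
        print(key, round(byte_entropy(payload), 2), looks_encrypted(payload))
    print("encrypted:", classify_sessions(sessions))
```

Compressed bodies (gzip, images, video) also score near 8 bits per byte, so entropy alone over-reports; that is why the guide pairs it with protocol plugins that can name the SSH or SSL session and its version.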


Routes and Hop Distance

For active scans, one host can find the default route and an actual list of all routers between it and a target platform. To do this, it sends one packet after another with a slightly larger TTL (time to live) value. Each time a router receives a packet, it decrements the TTL value and sends it on. If a router receives a packet with a TTL value of one, it sends a message back to the originating server stating that the TTL has expired. The server sends packets to the target host with greater and greater TTL values and collects the IP addresses of the routers sending expiration messages in between.

Since NNM is entirely passive, it cannot send or elicit packets from the routers or target computers. It can, however, record the TTL value of a target machine. The TTL value is an 8-bit field, which means it can contain a value between 0 and 255. Most machines use an initial TTL value of 32, 64, 128, or 255. Since there is a maximum of 16 hops between your host and any other host on the internet, NNM uses an algorithm to map any TTL to the number of hops.

For example, if NNM sniffed a server sending a packet with a TTL of 126, it detects that 128 is two hops away. NNM does not know the IP address of the in-between routers.

Note: Modern networks have many devices such as NAT firewalls, proxies, load balancers, intrusion prevention, routers, and VPNs that rewrite or reset the TTL value. In these cases, NNM may report inconsistent hop counts.
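The mapping the guide describes follows from its two facts: senders start at one of a few initial TTLs, and paths are at most 16 hops, so the observed TTL is snapped up to the nearest initial value and the difference is the hop count. The example below is added here and is not NNM's algorithm; the initial TTL set and the 16-hop limit are from the guide, snapping to the nearest initial value at or above the observed TTL is this example's interpretation, and the observations are constructed. It also flags the inconsistency the note warns about, when one host's packets map to different hop counts.

```python
"""Estimate hop distance from a sniffed TTL, as the guide describes for passive
hop counting, and flag hosts whose TTLs disagree.

Added example, not NNM's algorithm. Initial TTL set and 16-hop limit come from
the guide; the snapping rule is this example's interpretation.
"""

INITIAL_TTLS = (32, 64, 128, 255)   # common starting values listed in the guide
MAX_HOPS = 16                       # the guide's assumed maximum path length


def hops_from_ttl(ttl):
    """Return (assumed_initial_ttl, hops) for an observed IP TTL."""
    if not 1 <= ttl <= 255:
        raise ValueError(f"TTL must be 1..255, got {ttl}")
    initial = min(t for t in INITIAL_TTLS if t >= ttl)
    hops = initial - ttl
    if hops > MAX_HOPS:
        # e.g. TTL 40 maps to 64 - 40 = 24 hops; under the 16-hop assumption the
        # sender's stack must be using an initial TTL outside the common set.
        raise ValueError(f"TTL {ttl} implies {hops} hops; sender uses an unusual initial TTL")
    return initial, hops


def hop_table(observations):
    """observations: iterable of (host, ttl). Returns {host: sorted list of hop counts}.
    More than one value for a host is the inconsistency the guide's note attributes
    to NAT, proxies, load balancers and similar devices rewriting the TTL."""
    seen = {}
    for host, ttl in observations:
        seen.setdefault(host, set()).add(hops_from_ttl(ttl)[1])
    return {host: sorted(hops) for host, hops in seen.items()}


def inconsistent_hosts(observations):
    """Hosts whose observed TTLs disagree on hop distance."""
    return sorted(h for h, hops in hop_table(observations).items() if len(hops) > 1)


# Constructed observations: a 64-start host three hops away, a 128-start host two
# hops away, and a host behind a load balancer whose TTL alternates.
SAMPLE = [("10.0.0.20", 61), ("10.0.0.20", 61), ("10.0.0.30", 126),
          ("203.0.113.9", 55), ("203.0.113.9", 52)]

if __name__ == "__main__":
    print(hop_table(SAMPLE))
    print("inconsistent:", inconsistent_hosts(SAMPLE))
```

A hop count that jumps between values for one address is worth correlating with your network inventory before treating the host as mislocated: a load balancer or VPN concentrator in the path is the usual explanation.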


Alerting

When NNM detects a real-time event, it can:

• Send the event to a local log file.

• Send the event via Syslog to a log aggregator such as Tenable’s LCE, an internal log aggregation server.

• Send the event to a third party security event management vendor.

New Host Alerting

You can configure NNM to detect when a new host has been added to the network. By default, NNM has no knowledge of your network’s active hosts, so the first packets NNM sniffs trigger an alert. To avoid this, you can configure NNM to learn the network over a period of days. Once this period is over, any “new” traffic must be from a host that has not communicated during the initial training.

To prevent NNM from triggering new host alerts on known hosts, you can create a known hosts file in the location to which the Known Hosts File configuration parameter is set. Each line of the Known Hosts File supports a single IPv4 or IPv6 address. Hyphenated ranges and CIDR notation are not supported. NNM must be restarted after creating or making any changes to the Known Hosts File.

When NNM logs a new host, the Ethernet address is saved in the message. When NNM is more than one hop away from the sniffed traffic, the Ethernet address is that of the local switch and not the actual host. If the scanner is deployed in the same collision domain as the sniffed server, then the Ethernet address is accurate.

For DHCP networks, NNM often detects a “new” host. Tenable™ recommends deploying this feature on non-volatile networks such as DMZ. Users should also consider analyzing NNM “new” host alerts with SecurityCenter CV, which can sort real-time NNM events by networks.
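Three of the files described in this chapter share a format that is easy to get subtly wrong: one entry per line, a trailing newline after the last entry (the Selecting Rule Libraries and Filtering Rules section warns that omitting it can disable the whole list), and for the Known Hosts File a single address per line with no CIDR or hyphenated ranges. The validator below is an added example that is not NNM's own checking; it serves both that section and the Known Hosts File described above. The sample file contents are constructed and the plugin and PASL IDs in them are placeholders.

```python
"""Validate the one-entry-per-line control files the guide describes:
disabled-plugins.txt and realtime-plugins.txt (one numeric plugin ID per line,
trailing newline required), disabled-scripts.txt (one <id>.pasl per line) and
the Known Hosts File (one IPv4 or IPv6 address per line; no ranges, no CIDR).

Added example, not NNM's own checks. Sample contents are constructed; the IDs
in them are placeholders.
"""
import ipaddress
import re


def check_id_list(text, suffix=""):
    """suffix "" for plugin ID files, ".pasl" for disabled-scripts.txt.
    Returns (entries, problems)."""
    entries, problems = [], []
    if text and not text.endswith("\n"):
        problems.append("last entry has no trailing newline; the guide requires one")
    pattern = re.compile(r"\d+" + re.escape(suffix))
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if not pattern.fullmatch(line):
            problems.append(f"line {lineno}: expected <id>{suffix}, got {line!r}")
            continue
        entries.append(line)
    return entries, problems


def check_known_hosts(text):
    """Returns (normalised addresses, problems) for a Known Hosts File."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if "/" in line or "-" in line:
            problems.append(f"line {lineno}: CIDR and hyphenated ranges are not supported: {line!r}")
            continue
        try:
            entries.append(str(ipaddress.ip_address(line)))
        except ValueError:
            problems.append(f"line {lineno}: not a single IPv4/IPv6 address: {line!r}")
    return entries, problems


def render_id_list(ids, suffix=""):
    """Produce file content with one entry per line and the trailing newline the
    guide insists on, so a generated list is never the non-functional kind."""
    return "".join(f"{i}{suffix}\n" for i in ids)


# Constructed samples.
DISABLED_OK = "1234\n5678\n"
DISABLED_NO_NEWLINE = "1234\n5678"          # the mistake the guide warns about
SCRIPTS_OK = "1234.pasl\n"
KNOWN_HOSTS = "10.0.0.5\n2001:db8::ae59:3fc2\n10.0.0.0/24\n10.0.0.1-10.0.0.9\n10.0.0.999\n"

if __name__ == "__main__":
    for label, text, suffix in (("disabled-plugins", DISABLED_OK, ""),
                                ("disabled-plugins (bad)", DISABLED_NO_NEWLINE, ""),
                                ("disabled-scripts", SCRIPTS_OK, ".pasl")):
        print(label, check_id_list(text, suffix))
    print("known-hosts", check_known_hosts(KNOWN_HOSTS))
    print(repr(render_id_list([1234, 5678])))
```

Run the checks against the real files under the per-platform path from the Selecting Rule Libraries and Filtering Rules table before restarting NNM, since the restart is what makes the edited files take effect.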


Modules

NNM 5.4 includes analysis modules that analyze network traffic based on certain criteria. These modules modularize NNM detection capabilities and provide users the ability to enable or disable them. There are two analysis modules:

• SCADA/ICS Analysis Module: This module analyzes SCADA network traffic to discover SCADA assets and their vulnerabilities. In addition, the module provides deep visibility into the type of SCADA devices discovered. This module is enabled by default and can be disabled in environments that do not contain SCADA devices.

• Connection Analysis Module: This module reports connection duration and bandwidth information including for IPv6 and tunneled traffic. This module is disabled by default.

Note: You must restart NNM after enabling a module for the module to function correctly within NNM.


Connection Analysis Module

Module Detection ID   Module Detection Name                         Risk Factor
                      Module Detection Description

97    TCP Session Bandwidth (1 - 10 MB)             Risk Factor: INFO
      NNM computes the bytes exchanged between each TCP endpoint when the session ends. The total bytes exchanged during the lifetime of this session is between 1 and 10 MB.

98    TCP Session Bandwidth (10 - 100 MB)           Risk Factor: INFO
      NNM computes the bytes exchanged between each TCP endpoint when the session ends. The total bytes exchanged during the lifetime of this session is more than 10 MB but less than or equal to 100 MB.

99    TCP Session Bandwidth (10 - 100 MB)           Risk Factor: INFO
      NNM computes the bytes exchanged between each TCP endpoint when the session ends. The total bytes exchanged during the lifetime of this session is more than 10 MB but less than or equal to 100 MB.

100   TCP Session Bandwidth (> 1 GB)                Risk Factor: INFO
      NNM computes the bytes exchanged between each TCP endpoint when the session ends. The total bytes exchanged during the lifetime of this session is more than 1 GB.

101   TCP Session Duration (< 1 minute)             Risk Factor: INFO
      NNM computes the duration of each TCP session when the session ends. This TCP session duration is less than 1 minute.

102   TCP Session Duration (1 - 15 minutes)         Risk Factor: INFO
      NNM computes the duration of each TCP session when the session ends. This TCP session duration is between 1 minute and 15 minutes.

103   TCP Session Duration (15 - 25 minutes)        Risk Factor: INFO
      NNM computes the duration of each TCP session when the session ends. This TCP session duration is more than 15 but less than or equal to 25 minutes.

104   TCP Session Duration (25 - 40 minutes)        Risk Factor: INFO
      NNM computes the duration of each TCP session when the session ends. This TCP session duration is more than 25 but less than or equal to 40 minutes.

105   TCP Session Duration (40 - 55 minutes)        Risk Factor: INFO
      NNM computes the duration of each TCP session when the session ends. This TCP session duration is more than 40 but less than or equal to 55 minutes.

106   TCP Session Duration (55 - 100 minutes)       Risk Factor: INFO
      NNM computes the duration of each TCP session when the session ends. This TCP session duration is more than 55 but less than or equal to 100 minutes.

107   TCP Session Duration (100 minutes - 24 hours) Risk Factor: INFO
      NNM computes the duration of each TCP session when the session ends. This TCP session duration is more than 100 minutes but less than or equal to 24 hours.

108   TCP Session Duration (24 - 47 hours)          Risk Factor: INFO
      NNM computes the duration of each TCP session when the session ends. This TCP session duration is more than 24 hours but less than or equal to 47 hours.

109   TCP Session Duration (> 47 hours)             Risk Factor: INFO
      NNM computes the duration of each TCP session when the session ends. This TCP session duration is more than 47 hours.

110   UDP Activity                                  Risk Factor: INFO
      UDP activity observed

111   ICMP Activity                                 Risk Factor: INFO
      ICMP activity observed

112   IGMP Activity                                 Risk Factor: INFO
      IGMP activity observed


SCADA/ICS Analysis Module

Module Detection ID   Module Detection Name                   Risk Factor   Legacy PASL ID
                      Module Detection Description

0-20  Used in pvs_core/report/report.h

21    Siemens S7 Server Detection                 Risk Factor: INFO    Legacy PASL ID: 7160
      S7 is a Siemens proprietary communications protocol. The S7 communications protocol is used extensively in the Siemens S7 software and device product line including the S7-200, S7-300, and S7-400 programmable logic controllers (PLCs). S7 can be encapsulated in several different protocols including PROFIBUS, MPI, and TCP. The S7 traffic detected here is encapsulated in TCP using TPKT and COTP.

22    Siemens S7 Client Detection                 Risk Factor: INFO    Legacy PASL ID: 7159
      S7 is a Siemens proprietary communications protocol. The S7 communications protocol is used extensively in the Siemens S7 software and device product line including the S7-200, S7-300, and S7-400 programmable logic controllers (PLCs). S7 can be encapsulated in several different protocols including PROFIBUS, MPI, and TCP. The S7 traffic detected here is encapsulated in TCP using TPKT and COTP.

23    COTP Server Detection                       Risk Factor: INFO    Legacy PASL ID: 7158
      The Connection-Oriented Transport Protocol (COTP) is an Open Systems Interconnection (OSI) transport layer protocol. COTP is defined in ISO 8073. In this instance, COTP is being transported via TCP using TPKT.

24    COTP Client Detection                       Risk Factor: INFO    Legacy PASL ID: 7157
      The Connection-Oriented Transport Protocol (COTP) is an Open Systems Interconnection (OSI) transport layer protocol. COTP is defined in ISO 8073. In this instance, COTP is being transported via TCP using TPKT.

25    Siemens S7-200 Series PLC Detection         Risk Factor: INFO    Legacy PASL ID: 7193
      A Siemens S7-200 Series PLC has been detected. The Siemens S7-200 Series is a family of PLCs which supports the manufacturer's own proprietary S7 protocol.

26    Siemens S7-300 Series PLC Detection         Risk Factor: INFO    Legacy PASL ID: 7194
      A Siemens S7-300 Series PLC has been detected. The Siemens S7-300 Series is a family of PLCs which supports the manufacturer's own proprietary S7 protocol.

27    Siemens S7-400 Series PLC Detection         Risk Factor: INFO    Legacy PASL ID: 7195
      A Siemens S7-400 Series PLC has been detected. The Siemens S7-400 Series is a family of PLCs which supports the manufacturer's own proprietary S7 protocol.

28    Siemens S7-1200 Series PLC Detection        Risk Factor: INFO    Legacy PASL ID: 7196
      A Siemens S7-1200 Series PLC has been detected. The Siemens S7-1200 Series is a family of PLCs which supports the manufacturer's own proprietary S7 protocol.

29    Siemens S7-1500 Series PLC Detection

A Siemens S7-1500 Series PLC hasbeen detected. The Siemens S7-1500 Series is a family of PLCswhich supports the man-ufacturer's own proprietary S7protocol.

INFO 7197

30 TPKT Client Detection ISO Transport Service on top ofTCP (TPKT) is defined in RFCs1006 and 2126. Open SystemsInterconnection (OSI) protocolsas defined by the InternationalOrganization for Standardization(ISO) can be encapsulated in TCPusing TPKT. TPKT emulates theOSI protocol Transport ServiceAccess Point (TSAP). TCP port 102is reserved for hosts which imple-ment TPKT; however, it is notrequired that port 102 be usedfor all connections. One exampleof a protocol that uses TPKT butdoes not use port 102 isMicrosoft's Remote Desktop Pro-tocol (RDP) which uses TCP port3389.

INFO 7155

31 TPKT Server Detection ISO Transport Service on top ofTCP (TPKT) is defined in RFCs

INFO 7156

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable,

Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

- 172 -

ModuleDetectionID

Module DetectionName

Module Detection DescriptionRiskFactor

LegacyPASLID

1006 and 2126. Open SystemsInterconnection (OSI) protocolsas defined by the InternationalOrganization for Standardization(ISO) can be encapsulated in TCPusing TPKT. TPKT emulates theOSI protocol Transport ServiceAccess Point (TSAP). TCP port 102is reserved for hosts which imple-ment TPKT; however, it is notrequired that port 102 be usedfor all connections. One exampleof a protocol that uses TPKT butdoes not use port 102 isMicrosoft's Remote Desktop Pro-tocol (RDP) which uses TCP port3389.

32 Siemens S7-300 SeriesPLC CPU Firmware <=3.2.11 DoS

Siemens S7-300 PLC central pro-cessing units (CPUs) contain anunspecified flaw that may allow aremote attacker to use a speciallycrafted packet to cause thedevice to enter defect mode untila cold restart is performed.

HIGH 7225

33 MODBUS/TCP DeviceIdentification ObjectDetection

MODBUS Device Identificationobjects provide informationrelated to the physical and func-tional properties of a device.Objects in the Basic Device Iden-tification include vendor name,product code, and revision num-ber. Objects in the Regular DeviceIdentification category include

INFO 7148

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable,

Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

- 173 -

ModuleDetectionID

Module DetectionName

Module Detection DescriptionRiskFactor

LegacyPASLID

the Basic Device Identification cat-egory objects in addition tovendor URL, product name,model name, and user applic-ation name.

34 Schneider ElectricModicon QuantumPLC Detection

A Schneider Electric ModiconQuantum PLC has been detected.The Schneider Electric ModiconQuantum is a large pro-grammable logic controller (PLC)for process applications and highavailability solutions.

INFO 7149

35 Schneider ElectricModicon M340 PLCDetection

A Schneider Electric ModiconM340 PLC has been detected. TheSchneider Electric Modicon M340is a compact programmable logiccontroller (PLC) suitable for awide range of automation applic-ations. The Modicon M340 issometimes deployed in con-junction with the ModiconPremium and Modicon QuantumPLCs.

INFO 7150

36 Schneider ElectricModicon PremiumPLC Detection

A Schneider Electric ModiconPremium PLC has been detected.The Schneider Electric ModiconPremium is a large pro-grammable logic controller (PLC)for discrete or process applic-ations and high availability solu-tions.

INFO 7151

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable,

Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

- 174 -

ModuleDetectionID

Module DetectionName

Module Detection DescriptionRiskFactor

LegacyPASLID

37 Multiple SchneiderElectric Modicon PLCModules DirectoryTraversal

Schneider Electric Ethernet mod-ules for Modicon M340, ModiconQuantum, and Modicon PremiumPLCs in addition to ModiconMomentum, Modicon TSX Micro,and Modicon STB modules thatprovide HTTP services contain adirectory traversal vulnerability.Attackers can remotely bypassweb server authenticationthereby achieving unau-thenticated administrative accessand control of the device.

CRITICAL 7154

38 Multiple SchneiderElectric ModiconM340 Ethernet Mod-ules Remote Denial ofService

Certain Schneider ElectricModicon M340 ProgrammableLogic Controller (PLC) Ethernetmodules contain a vulnerabilitythat allows remote, authenticatedusers to crash the Ethernet mod-ule via specially crafted FTPtraffic. This vulnerability hasbeen demonstrated using theFileZilla FTP client. Affected M340Ethernet modules are theBMXNOE0100, BMXNOE0110, andBMXP342020.

MEDIUM 7161

39 MODBUS/TCP 'ReturnQuery Data' FunctionCode Detection(SCADA)

The MODBUS/TCP client has senta MODBUS server a Return QueryData request. The Return QueryData request, function code 8(0x08) and subfunction code 0(0x00), will cause the targetserver to echo the request sent

INFO 7099

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable,

Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

- 175 -

ModuleDetectionID

Module DetectionName

Module Detection DescriptionRiskFactor

LegacyPASLID

to it. This function is typicallyimplemented only in serialdevices.

40 MODBUS/TCP 'RestartCommunications'Function Code Detec-tion (SCADA)

The MODBUS/TCP client has senta MODBUS server a Restart Com-munications request. The RestartCommunications request, func-tion code 8 (0x08) and sub-function code 1 (0x01), will causethe target server to reinitializeand restart its communicationport. This function is typicallyimplemented only in serialdevices.

INFO 7100

41 MODBUS/TCP 'ForceListen Mode' FunctionCode Detection(SCADA)

The MODBUS/TCP client has senta MODBUS server a Force ListenMode request. The Force ListenMode request, function code 8(0x08) and subfunction code 4(0x04), will cause the targetserver into listen-only mode; i.e.,it will not send any responses.This function is typically imple-mented only in serial devices.

INFO 7101

42 MODBUS/TCP 'ClearCounters and Dia-gnostic Register' Func-tion Code Detection(SCADA)

The MODBUS/TCP client has senta MODBUS server a Clear Coun-ters and Diagnostic Registerrequest. The Clear Counters andDiagnostic Register request, func-tion code 8 (0x08) and sub-function code 10 (0x0A), willcause the target server to clear

INGO 7102

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable,

Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

- 176 -

ModuleDetectionID

Module DetectionName

Module Detection DescriptionRiskFactor

LegacyPASLID

its counters and the diagnosticregister. This function is typicallyimplemented only in serialdevices.

43 MODBUS/TCP 'ReportServer ID' FunctionCode Detection(SCADA)

The MODBUS/TCP client has senta MODBUS server a Report ServerID request. The Report Server IDrequest, function code 17 (0x11),will cause the target server torespond with the server ID, runindicator status, and otherinformation. This function is typ-ically implemented only in serialdevices.

INFO 7103

44 MODBUS/TCP'CANopen' FunctionCode Detection(SCADA)

The MODBUS/TCP client is trans-porting the CANopen protocol.Function code 43 (0x2B) and sub-function code 13 (0x0D) indicatethat the CANopen protocol isencapsulated in MODBUS.

INFO 7104

45 MODBUS/TCP 'DeviceIdentification' Func-tion Code Detection(SCADA)

The MODBUS/TCP client has senta MODBUS server a Device Iden-tification request. The DeviceIdentification request, functioncode 43 (0x2B) and subfunctioncode 14 (0x0E), will cause the tar-get server to return device iden-tification information.

INFO 7105

46 MODBUS/TCP ServerDetection

A MODBUS/TCP server (alsoknown as a MODBUS/TCP slave)has been detected. MODBUS/TCPis a SCADA protocol widely used

INFO 7092

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable,

Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

- 177 -

ModuleDetectionID

Module DetectionName

Module Detection DescriptionRiskFactor

LegacyPASLID

in industrial manufacturing andother industries.

47 MODBUS/TCP ClientDetection

A MODBUS/TCP client (alsoknown as a MODBUS/TCP mas-ter) has been detected.MODBUS/TCP is a SCADA pro-tocol widely used in industrialmanufacturing and other indus-tries.

INFO 7091
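The MODBUS/TCP function-code detections above (Return Query Data, Restart Communications, Force Listen Mode, Clear Counters, Report Server ID, CANopen, Device Identification) and the Device Identification Object detection all key on the same few bytes of the MODBUS application data unit. The Python below is an added example written for this guide, not Tenable's or NNM's own code: it validates the MBAP header, maps a request's function and subfunction codes to the detection names in the table, and parses a Read Device Identification response into its named objects so a monitor can record vendor name, product code and revision the way the table describes. The frames are constructed samples rather than captured traffic; `build_adu`, `SAMPLES` and the object-ID names are assumptions of this example (the object IDs follow the published MODBUS Encapsulated Interface specification).

```python
"""Classify MODBUS/TCP requests into the table's detections and parse Read Device
Identification responses. Added example, not Tenable/NNM code; all frames are
constructed samples, not traffic captured from real equipment."""
import struct

# Function code 8 (Diagnostics) subfunctions named in the table.
DIAG_SUBFUNCTIONS = {
    0x0000: "Return Query Data",
    0x0001: "Restart Communications",
    0x0004: "Force Listen Mode",
    0x000A: "Clear Counters and Diagnostic Register",
}
# Function code 43 (Encapsulated Interface Transport) MEI types named in the table.
MEI_TYPES = {0x0D: "CANopen", 0x0E: "Device Identification"}
# Read Device Identification object IDs: Basic 0x00-0x02, Regular 0x03-0x06.
DEVICE_ID_OBJECTS = {
    0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision",
    0x03: "VendorUrl", 0x04: "ProductName", 0x05: "ModelName",
    0x06: "UserApplicationName",
}


def parse_adu(frame: bytes):
    """Validate the 7-byte MBAP header; return (unit_id, function_code, data) or None."""
    if len(frame) < 8:
        return None
    _trans_id, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:               # protocol identifier is always 0 for MODBUS
        return None
    if length != len(frame) - 6:    # length field counts unit id + PDU
        return None
    return unit_id, frame[7], frame[8:]


def classify_request(frame: bytes):
    """Return the table's detection name for a request ADU, or None if none applies."""
    parsed = parse_adu(frame)
    if parsed is None:
        return None
    _unit, fc, data = parsed
    name = None
    if fc == 0x08 and len(data) >= 2:       # diagnostics: 2-byte subfunction follows
        name = DIAG_SUBFUNCTIONS.get(struct.unpack(">H", data[:2])[0])
    elif fc == 0x11:                        # report server id carries no data
        name = "Report Server ID"
    elif fc == 0x2B and len(data) >= 1:     # MEI type selects CANopen / device id
        name = MEI_TYPES.get(data[0])
    if name is None:
        return None
    return f"MODBUS/TCP '{name}' Function Code Detection (SCADA)"


def parse_device_identification(frame: bytes):
    """Parse a Read Device Identification response (fc 0x2B, MEI 0x0E) into {object: value}.
    Layout after the function code: MEI(1) ReadDevIdCode(1) ConformityLevel(1)
    MoreFollows(1) NextObjectId(1) NumberOfObjects(1), then (ObjectId, Length, Value)*.
    Returns None when the frame is not such a response or is truncated."""
    parsed = parse_adu(frame)
    if parsed is None:
        return None
    _unit, fc, data = parsed
    if fc != 0x2B or len(data) < 6 or data[0] != 0x0E:
        return None
    objects, pos = {}, 6
    for _ in range(data[5]):
        if pos + 2 > len(data):
            return None                     # truncated object header
        obj_id, obj_len = data[pos], data[pos + 1]
        value = data[pos + 2:pos + 2 + obj_len]
        if len(value) != obj_len:
            return None                     # length claims more bytes than were sent
        key = DEVICE_ID_OBJECTS.get(obj_id, f"Object0x{obj_id:02X}")
        objects[key] = value.decode("ascii", "replace")
        pos += 2 + obj_len
    return objects


def build_adu(unit_id: int, pdu: bytes, trans_id: int = 1) -> bytes:
    """Assumed helper used only to build the constructed samples: wrap a PDU in an MBAP header."""
    return struct.pack(">HHHB", trans_id, 0, len(pdu) + 1, unit_id) + pdu


# Constructed request samples (not captured), keyed by what they should classify as.
SAMPLES = {
    "force_listen": build_adu(1, bytes([0x08, 0x00, 0x04, 0x00, 0x00])),
    "report_server_id": build_adu(1, bytes([0x11])),
    "canopen": build_adu(1, bytes([0x2B, 0x0D, 0x00, 0x00])),
    "read_dev_id": build_adu(1, bytes([0x2B, 0x0E, 0x01, 0x00])),
    "read_coils": build_adu(1, bytes([0x01, 0x00, 0x00, 0x00, 0x08])),  # ordinary read, no detection
    "bad_proto": b"\x00\x01\x00\x01\x00\x02\x01\x11",                     # protocol id 1: rejected
}


def device_id_response_sample() -> bytes:
    """Constructed Basic Device Identification response carrying three objects."""
    objs = [(0x00, b"ExampleVendor"), (0x01, b"PLC-1"), (0x02, b"V1.2")]
    body = bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, len(objs)])
    for oid, val in objs:
        body += bytes([oid, len(val)]) + val
    return build_adu(1, body)


if __name__ == "__main__":
    for label, frame in SAMPLES.items():
        print(f"{label:17} -> {classify_request(frame)}")
    print(parse_device_identification(device_id_response_sample()))
```

The header check in `parse_adu` is what keeps a classifier like this honest: a frame whose length field disagrees with the bytes on the wire, or whose protocol identifier is not zero, is dropped rather than reported as a Force Listen Mode or Restart Communications command, so the INFO-level detections stay tied to frames a real MODBUS server would actually act on.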

48 DNP3/TCP MasterDetection

A DNP3/TCP master has beendetected. DNP3 is a com-munications protocol used inSCADA systems primarily in theelectric utility industry.

INFO 7089

49 DNP3/TCP 'ColdRestart' FunctionCode Detection(SCADA)

The DNP3/TCP master has sentan outstation the Cold Restartcommand. The Cold Restart com-mand, function code 13 (0x0D),will cause the target outstation toperform a cold restart.

INFO 7094

50 DNP3/TCP 'WarmRestart' FunctionCode Detection(SCADA)

The DNP3/TCP master has sentan outstation the Warm Restartcommand. The Warm Restartcommand, function code 14(0x0E), will cause the target out-station to perform a warmrestart.

INFO 7095

51 DNP3/TCP 'StopApplication' FunctionCode Detection(SCADA)

The DNP3/TCP master has sentan outstation the Stop Applic-ation command. The Stop Applic-ation command, function code 18

INFO 7096

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable,

Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

- 178 -

ModuleDetectionID

Module DetectionName

Module Detection DescriptionRiskFactor

LegacyPASLID

(0x12), will cause the target out-station to stop an application.

52 DNP3/TCP 'DisableUnsolicited Messages'Function Code Detec-tion (SCADA

The DNP3/TCP master has sentan outstation the Disable Unso-licited Messages command. TheDisable Unsolicited Messagescommand, function code 21(0x15), will cause the target out-station to stop sending unso-licited messages.

INFO 7097

53 Progea Movicon Cli-ent Detection via TCP

A Progea Movicon Client hasbeen detected. Progea Movicon isSCADA/HMI software for indus-trial automation, remote control,and building automation.

INFO 7119

54 Progea MoviconServer Detection viaTCP

A Progea Movicon Server hasbeen detected. Progea Movicon isSCADA/HMI software for indus-trial automation, remote control,and building automation.

INFO 7121

55 Progea Movicon Cli-ent Detection viaHTTP

A Progea Movicon Client hasbeen detected. Progea Movicon isSCADA/HMI software for indus-trial automation, remote control,and building automation.Movicon Clients use a proprietarycommunications protocol toaccess real-time data fromMovicon Servers. This proprietarycommunications protocol mayuse TCP, UDP, or HTTP as a trans-port protocol. The Movicon Client

INFO 7122

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable,

Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

- 179 -

ModuleDetectionID

Module DetectionName

Module Detection DescriptionRiskFactor

LegacyPASLID

detected is using HTTP as a trans-port protocol.

56 Progea MoviconServer Detection viaHTTP

A Progea Movicon Server hasbeen detected. Progea Movicon isSCADA/HMI software for indus-trial automation, remote control,and building automation.Movicon Clients use a proprietarycommunications protocol toaccess real-time data fromMovicon Servers. This proprietarycommunications protocol mayuse TCP, UDP, or HTTP as a trans-port protocol. The MoviconServer detected is using HTTP asa transport protocol.

INFO 7123

57 Progea Movicon Cli-ent Detection via UDP

A Progea Movicon Client hasbeen detected. Progea Movicon isSCADA/HMI software for indus-trial automation, remote control,and building automation.Movicon Clients use a proprietarycommunications protocol toaccess real-time data fromMovicon Servers. This proprietarycommunications protocol mayuse TCP, UDP, or HTTP as a trans-port protocol. The Movicon Clientdetected is using UDP as a trans-port protocol.

INFO 7124

58 Progea MoviconServer Detection viaUDP

A Progea Movicon Server hasbeen detected. Progea Movicon is

INFO 7125

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable,

Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

- 180 -

ModuleDetectionID

Module DetectionName

Module Detection DescriptionRiskFactor

LegacyPASLID

SCADA/HMI software for indus-trial automation, remote control,and building automation.Movicon Clients use a proprietarycommunications protocol toaccess real-time data fromMovicon Servers. This proprietarycommunications protocol mayuse TCP, UDP, or HTTP as a trans-port protocol. The MoviconServer detected is using UDP as atransport protocol.

59 Progea Movicon < 11.4Build 1150 Inform-ation Disclosure Vul-nerability

The detected version of ProgeaMovicon contains an informationdisclosure vulnerability. This vul-nerability is related to the TCPUp-loader module which could allowa remote and unauthenticateduser to obtain OS version inform-ation.

MEDIUM 7128

60 Progea Movicon < 11.3Memory CorruptionVulnerability

The detected version of ProgeaMovicon contains a memory cor-ruption vulnerability. This vul-nerability can be exploited bysending a specially crafted HTTPPOST request to the MoviconOPC server. The specially craftedHTTP POST will cause the applic-ation to read out-of-boundsmemory resulting in a denial ofservice.

HIGH 7129

61 Progea Movicon < 11.2 The detected version of Progea CRITICAL 7142

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable,

Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

- 181 -

ModuleDetectionID

Module DetectionName

Module Detection DescriptionRiskFactor

LegacyPASLID

Build 1086 MultipleVulnerabilities

Movicon is affected by multiplevulnerabilities: There is a remoteheap-based buffer overflow vul-nerability related to erroneousparsing of the Content-LengthHTTP request header. (CVE-2011-3491) A remote heap-based buf-fer overflow vulnerability existsrelated to HTTP requests. (CVE-2011-3498) A remote denial of ser-vice vulnerability exists related toan EIDP packet with too large of asize field. The specially craftedEIDP packet will cause the applic-ation to crash, and there is thepossibility of arbitrary code exe-cution. (CVE-2011-3499)

62 Accuenergy Acuvim IIAXM-NET 3.04 Mul-tiple Vulnerabilities

Accuenergy Acuvim II AXM-NETmodule containing multiple vul-nerabilities has been detected:The Accuenergy Acuvim AXM-NETEthernet module contains anauthentication bypass vul-nerability which can be exploitedremotely by accessing a specificweb server URL. An attackercould modify the network set-tings of the AXM-NET module, butwould not have access to the set-tings for the Acuvim II powermeter. (CVE-2-14-2373) TheAccuenergy Acuvim AXM-NET Eth-ernet module contains a pass-

HIGH 7162

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable,

Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

- 182 -

ModuleDetectionID

Module DetectionName

Module Detection DescriptionRiskFactor

LegacyPASLID

word disclosure vulnerabilityrelated to JavaScript passwordvalidation. An authenticatedattacker could modify the net-work settings of the AXM-NETmodule, but would not haveaccess to the settings for the Acu-vim II power meter. (CVE-2-14-2374)

63 Rockwell Auto-mation/Allen-BradleyMicroLogix 1400Detection

A Rockwell Automation/Allen-Bradley MicroLogix 1400 PLC hasbeen detected. The MicroLogix1400 is a PLC which supportsEtherNet/IP, DNP3/TCP, Mod-bus/TCP, Modbus/RTU, andDNP3/ASCII.

INFO 7146

64 Rockwell Auto-mation/Allen-BradleyMicroLogix 1400 Ser-ies A <= 7 and Series B<= 15.000 DNP3Remote DoS

Rockwell Automation/Allen-Brad-ley MicroLogix 1400 pro-grammable logic controllers(PLCs) contain a denial of servicevulnerability related to the DNP3protocol stack. Successful exploit-ation of this vulnerability resultsin the PLC becoming non-responsive, and recoveryrequires a power cycle. This vul-nerability can be exploited bysending a series of malformedDNP3 packets to the MicroLogix1400's DNP3 interface. TheMicroLogix 1400's DNP3 interfacecan be either a serial or Ethernetport. Note that DNP3 is disabled

HIGH 7147

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable,

Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

- 183 -

ModuleDetectionID

Module DetectionName

Module Detection DescriptionRiskFactor

LegacyPASLID

by default in MicroLogix 1400PLCs and that this vulnerabilitycan be exploited only in devicesthat have DNP3 enabled.

65 Rockwell Auto-mation/Allen-BradleyMicroLogix 1100 Detec-tion

A Rockwell Automation/Allen-Bradley MicroLogix 1100 PLC hasbeen detected. The MicroLogix1100 is a PLC which supportsserial and networked com-munication over a built-in RS-232/RS-485 combo port and Eth-ernet peer-to-peer commnic-ations over its built-inEtherNet/IP port.

INFO 7188

66 Rockwell Auto-mation/Allen-BradleyMicroLogix 1000Detection

A Rockwell Automation/Allen-Bradley MicroLogix 1000 PLC hasbeen detected. The MicroLogix1000 is a PLC which supportsserial and networked com-munication over a built-in RS-232/RS-485 combo port. TheMicroLogix 1000 can also supportEthernet peer-to-peer commnic-ations when outfitted with the1761-NET-ENI communicationsmodule, which supports Ether-Net/IP.

INFO 7189

67 Rockwell Auto-mation/Allen-BradleyCompactLogix 1768Detection

A Rockwell Automation/Allen-Bradley CompactLogix 1768 PLChas been detected. The Com-pactLogix 1768 is a PLC which sup-ports EtherNet/IP and serialcommunications.

INFO 7190

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable,

Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

- 184 -

ModuleDetectionID

Module DetectionName

Module Detection DescriptionRiskFactor

LegacyPASLID

68 Rockwell Auto-mation/Allen-BradleyCompactLogix 1769L23x/L3x Detection

A Rockwell Automation/Allen-Bradley CompactLogix 1769L23x/L3x PLC has been detected.The CompactLogix 1769 L23x/L3xis a PLC which supports integ-rated serial, EtherNet/IP and Con-trolNet communications, as wellas modular extensibility forDeviceNet support.

INFO 7191

69 Rockwell Auto-mation/Allen-BradleyCompactLogix 17695370 Series Detection

A Rockwell Automation/Allen-Bradley CompactLogix 1769 5370Series PLC has been detected.The CompactLogix 1769 5370 Ser-ies is a PLC which supports Ether-Net/IP communications.

INFO 7192

70 Rockwell Auto-mation/Allen-BradleyMicroLogix 1400SNMP Remote Priv-ilege Escalation

Rockwell Automation/Allen-Brad-ley MicroLogix 1400 pro-grammable logic controllers(PLCs) contain an undoc-umented, hi gh privileged SNMPcommunity string. This may allowan unauthorized remote attackerto make changes to the device'sconfiguration or update the firm-ware.

MEDIUM 7221

71 Schneider ElectricModicon TSX MicroPLC Detection

A Schneider Electric Modicon TSXMicro PLC has been detected.The Schneider Electric ModiconTSX Micro is a compact, modularprogrammable logic controller(PLC) for OEM machine buildersand infrastructure.

INFO 7153

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable,

Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

- 185 -

ModuleDetectionID

Module DetectionName

Module Detection DescriptionRiskFactor

LegacyPASLID

72 Ethernet IndustrialProtocol (Ether-Net/IP) Implicit Mes-sage Detection

EtherNet/IP is a communicationsprotocol used in industrial auto-mation applications. EtherNet/IPimplements the Common Indus-trial Protocol (CIP) at the sessionand application layers and usesTCP as a transport protocol forCIP explicit messages and UDP asa transport protocol for CIP impli-cit messages. CIP explicit mes-sages are typically used totransmit configuration, dia-gnostic, and event data. CIP impli-cit messages are used forrealtime I/O data transfer. AnEtherNet/IP implicit message hasbeen detected.

INFO 7113

73 Ethernet IndustrialProtocol (Ether-Net/IP) Client ExplicitMessage Detection

EtherNet/IP is a communicationsprotocol used in industrial auto-mation applications. EtherNet/IPimplements the Common Indus-trial Protocol (CIP) at the sessionand application layers and usesTCP as a transport protocol forCIP explicit messages and UDP asa transport protocol for CIP impli-cit messages. CIP explicit mes-sages are typically used totransmit configuration, dia-gnostic, and event data. CIP impli-cit messages are used forrealtime I/O data transfer. AnEtherNet/IP explicit message hasbeen detected.

INFO 7114

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable,

Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

- 186 -

ModuleDetectionID

Module DetectionName

Module Detection DescriptionRiskFactor

LegacyPASLID

74 Ethernet IndustrialProtocol (Ether-Net/IP) Server ExplicitMessage Detection

EtherNet/IP is a communicationsprotocol used in industrial auto-mation applications. EtherNet/IPimplements the Common Indus-trial Protocol (CIP) at the sessionand application layers and usesTCP as a transport protocol forCIP explicit messages and UDP asa transport protocol for CIP impli-cit messages. CIP explicit mes-sages are typically used totransmit configuration, dia-gnostic, and event data. CIP impli-cit messages are used forrealtime I/O data transfer. AnEtherNet/IP explicit message hasbeen detected.

INFO 7115

75 Common IndustrialProtocol (CIP) IdentityObject Detection

The Common Industrial Protocol(CIP) Identity Object providesidentification of and generalinformation about a CIP-enableddevice. The CIP I dentity Objectdetected provides the followinginformation: Vendor ID, DeviceType, Product Code, Revision,and Product Name.

INFO 7144

76 Rockwell Auto-mation/Allen-BradleyMicroLogix 1100L16xxx < 10.000 HTTPRemote DoS

Rockwell Automation MicroLogix1100 PLCs contain an unspecifiedflaw in the password mechanismthat may allow a remote denial ofservice. The issue is only presentwhen the HTTP server is enabled.This may allow a remote attacker

HIGH 7198

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable,

Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

- 187 -

ModuleDetectionID

Module DetectionName

Module Detection DescriptionRiskFactor

LegacyPASLID

to cause the program to crash.

77 Rockwell Auto-mation/Allen-BradleyMicroLogix 1400 1766-L32xxx Series A <7.000 / Series B <=11.000 HTTP RemoteDoS

Rockwell Automation MicroLogix1400 PLCs contain an unspecifiedflaw in the password mechanismthat may allow a remote denial ofservice. The issue is only presentwhen the HTTP server is enabled.This may allow a remote attackerto cause the program to crash.

HIGH 7199

78 WellinTechKingSCADA ClientDetection via TCP

WellinTech KingSCADA isSCADA/HMI software for indus-trial automation. KingSCADA isfound in the transportation,aerospace, electric power, oil andgas, petrochemical, and otherindustries. KingSCADA Clients usea proprietary communicationsprotocol to access real-time datafrom KingSCADA Servers. AKingSCADA Client using this pro-prietary communications pro-tocol has been detected.

INFO 7118

79 WellinTechKingSCADA ServerDetection via TCP

WellinTech KingSCADA isSCADA/HMI software for indus-trial automation. KingSCADA isfound in several industries includ-ing transportation, aerospace,electric power, oil and gas, andpetrochemical. KingSCADA Cli-ents use a proprietary com-munications protocol to accessreal-time data from KingSCADA

INFO 7130

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable,

Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

- 188 -

ModuleDetectionID

Module DetectionName

Module Detection DescriptionRiskFactor

LegacyPASLID

Servers. A KingSCADA Serverusing this proprietary com-munications protocol has beendetected.

80 DNP3/TCP OutstationDetection

A DNP3/TCP outstation has beendetected. DNP3 is a com-munications protocol used inSCADA systems primarily in theelectric utility industry.

INFO 7090

81 BACnet/IP ProtocolDetection

BACnet is a communications pro-tocol for building automationand control. BACnet applicationsinclude heating, ventilating, air-conditioning control, lighting con-trol, access control and fire detec-tion systems. There are severaloptions for BACnet data link andphysical layers. BACnet/IP (theprotocol detected here) uses IPand UDP as a virtual data linklayer.

INFO 7110

82 BACnet Device ObjectDetection

Each BACnet device has an asso-ciated Device object. Deviceobjects contain properties thatrepresent the physical and functional properties of a device.Device object properties includeapplication software version, firm-ware version, model name,object identifier, object name,vendor name, and vendor iden-tifier.

INFO 7165

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable,

Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

- 189 -

ModuleDetectionID

Module DetectionName

Module Detection DescriptionRiskFactor

LegacyPASLID

83 | WellinTech KingView Client Detection
WellinTech KingView is SCADA/HMI software for industrial automation. KingView is found in the transportation, aerospace, electric power, oil and gas, petrochemical, and other industries. KingView Clients use a proprietary communications protocol to access real-time data from KingView Servers. A KingView Client using this proprietary communications protocol has been detected.
Risk Factor: INFO | Legacy PASL ID: 7131

84 | WellinTech KingView Server Detection
WellinTech KingView is SCADA/HMI software for industrial automation. KingView is found in several industries including transportation, aerospace, electric power, oil and gas, and petrochemical. KingView Servers use a proprietary communications protocol to serve real-time data to KingView Clients. A KingView Server using this proprietary communications protocol has been detected.
Risk Factor: INFO | Legacy PASL ID: 7132

85 | Synchrophaser (IEEE C37.118) Client Detection via TCP
The remote client is using the Synchrophasor Protocol (IEEE C37.118) over TCP. The Synchrophasor Protocol is used by supervisory clients to remotely configure, monitor and receive data from synchrophasor devices. A synchrophasor device is used to monitor, measure and analyze electrical flows at key intersections of the bulk electric grid (such as substations).
Risk Factor: INFO | Legacy PASL ID: 7216

86 | Synchrophaser (IEEE C37.118) Server Detection via TCP
The remote server is using the Synchrophasor Protocol (IEEE C37.118) over TCP. The Synchrophasor Protocol is used by synchrophasor devices to report data and receive remote configuration commands from management clients. A synchrophasor device is used to monitor, measure and analyze electrical flows at key intersections of the bulk electric grid (such as substations).
Risk Factor: INFO | Legacy PASL ID: 7217

87 | Synchrophaser (IEEE C37.118) Client Detection via UDP
The remote client is using the Synchrophasor Protocol (IEEE C37.118) over UDP. The Synchrophasor Protocol is used by supervisory clients to remotely configure, monitor and receive data from synchrophasor devices. A synchrophasor device is used to monitor, measure and analyze electrical flows at key intersections of the bulk electric grid (such as substations).
Risk Factor: INFO | Legacy PASL ID: 7218

88 | Synchrophaser (IEEE C37.118) Server Detection via UDP
The remote server is using the Synchrophasor Protocol (IEEE C37.118) over UDP. The Synchrophasor Protocol is used by synchrophasor devices to report data and receive remote configuration commands from management clients. A synchrophasor device is used to monitor, measure and analyze electrical flows at key intersections of the bulk electric grid (such as substations).
Risk Factor: INFO | Legacy PASL ID: 7237

89 | DNP3/TCP Protocol Detection
Distributed Network Protocol 3 over TCP (DNP3/TCP) has been detected. DNP3 is a communications protocol used in SCADA systems, primarily in the electric utility industry. The detected variant, DNP3/TCP, is encapsulated within TCP for delivery over IP networks.
Risk Factor: INFO | Legacy PASL ID: 7226

90 | MODBUS/TCP Protocol Detection
The Modbus/TCP protocol has been detected. Modbus is a SCADA protocol used in industrial manufacturing and other industries. The detected variant, Modbus/TCP, is encapsulated within TCP for delivery over IP networks. Modbus/TCP carries no authentication or integrity protection, so any host that can reach the server's TCP port can issue reads and writes.
Risk Factor: INFO | Legacy PASL ID: 7227

91 | Ethernet/IP Protocol Detection
The Ethernet Industrial Protocol (EtherNet/IP) has been detected. EtherNet/IP is a communications protocol used in industrial automation applications. EtherNet/IP implements the Common Industrial Protocol (CIP) at the session and application layers and uses TCP as a transport protocol for CIP explicit messages and UDP as a transport protocol for CIP implicit messages. CIP explicit messages are typically used to transmit configuration, diagnostic, and event data. CIP implicit messages are used for real-time I/O data transfer.
Risk Factor: INFO | Legacy PASL ID: 7228

92 | IEC 60870-5-104 Protocol Detection
The IEC 60870-5-104 protocol has been detected. IEC 60870-5-104 is a Supervisory Control and Data Acquisition (SCADA) protocol used in the power, petrochemical, water treatment, and oil and gas production industries. IEC 60870-5-104 is often used in power systems as a SCADA protocol between control stations and substations. IEC 60870-5-104 is based on IEC 60870-5-101 but uses TCP/IP instead of serial communications.
Risk Factor: INFO | Legacy PASL ID: 7229

93 | Siemens S7 Protocol Detection
The Siemens S7 protocol has been detected. S7 is a proprietary communications protocol developed by Siemens that runs between programmable logic controllers (PLCs) of the Siemens S7 family. It is used for PLC programming, exchanging data between PLCs, accessing PLC data from SCADA (supervisory control and data acquisition) systems, and for diagnostic purposes.
Risk Factor: INFO | Legacy PASL ID: 7230

94 | IEC 60870-5-104 Server Detection
IEC 60870-5-104 is a Supervisory Control and Data Acquisition (SCADA) protocol used in the power, petrochemical, water treatment, and oil and gas production industries. IEC 60870-5-104 is often used in power systems as a SCADA protocol between control stations and substations. IEC 60870-5-104 is based on IEC 60870-5-101 but uses TCP/IP instead of serial communications.
Risk Factor: INFO | Legacy PASL ID: 7139

95 | IEC 60870-5-104 Client Detection
IEC 60870-5-104 is a Supervisory Control and Data Acquisition (SCADA) protocol used in the power, petrochemical, water treatment, and oil and gas production industries. IEC 60870-5-104 is often used in power systems as a SCADA protocol between control stations and substations. IEC 60870-5-104 is based on IEC 60870-5-101 but uses TCP/IP instead of serial communications.
Risk Factor: INFO | Legacy PASL ID: 7133

96 | Saia Burgess Controls PCD Controllers Hard-Coded FTP Credentials Vulnerability
One or more of the following SBC controllers was detected running a firmware version earlier than 1.24.50: PCD1.M0xx0, PCD1.M2xx0, PCD2.M5xx0, PCD3.Mxxx0, PCD7.D4xxxT5F, PCD7.D4xxxWTPF, PCD7.D4xxxV, PCD7.D4xxxD. Firmware versions prior to 1.24.50 ship with hard-coded FTP credentials. An attacker who exploits this vulnerability would have administrative access to the target device and its resources.
Risk Factor: HIGH | Legacy PASL ID: 7183

114 | MODBUS/TCP 'Illegal Function Code' Exception Code Detection (SCADA)
The Modbus/TCP server has sent a Modbus client a response with an Illegal Function Code exception (exception code 0x01). The function code in the client's query is not an allowable action for the server.
Risk Factor: INFO | Legacy PASL ID: N/A

115 | MODBUS/TCP 'Illegal Data Address' Exception Code Detection (SCADA)
The Modbus/TCP server has sent a Modbus client a response with an Illegal Data Address exception (exception code 0x02). The data address received in the query is not an allowable address for the server.
Risk Factor: INFO | Legacy PASL ID: N/A

116 | MODBUS/TCP 'Illegal Data Value' Exception Code Detection (SCADA)
The Modbus/TCP server has sent a Modbus client a response with an Illegal Data Value exception (exception code 0x03). A value contained in the query data field is not an allowable value for the server.
Risk Factor: INFO | Legacy PASL ID: N/A

117 | MODBUS/TCP 'Server Device Failure' Exception Code Detection (SCADA)
The Modbus/TCP server has sent a Modbus client a response with a Server Device Failure exception (exception code 0x04). An unrecoverable error occurred while the server was attempting to perform the requested action.
Risk Factor: INFO | Legacy PASL ID: N/A

118 | MODBUS/TCP 'Server Device Busy' Exception Code Detection (SCADA)
The Modbus/TCP server has sent a Modbus client a response with a Server Device Busy exception (exception code 0x06). This exception is used in conjunction with programming commands: the server is engaged in processing a long-duration program command, and the client should retransmit the message later when the server is free.
Risk Factor: INFO | Legacy PASL ID: N/A

119 | MODBUS/TCP 'Memory Parity Error' Exception Code Detection (SCADA)
The Modbus/TCP server has sent a Modbus client a response with a Memory Parity Error exception (exception code 0x08). This exception is used in conjunction with function codes 20 and 21 (Read/Write File Record) and reference type 6 to indicate that the extended file area failed to pass a consistency check.
Risk Factor: INFO | Legacy PASL ID: N/A


120 | MODBUS/TCP 'Gateway Path Unavailable' Exception Code Detection (SCADA)
The Modbus/TCP server has sent a Modbus client a response with a Gateway Path Unavailable exception (exception code 0x0A). This exception is used in conjunction with gateways and indicates that the gateway was unable to allocate an internal communication path from the input port to the output port for processing the request. It usually means that the gateway is misconfigured or overloaded.
Risk Factor: INFO | Legacy PASL ID: N/A

121 | MODBUS/TCP 'Gateway Target Device Failed to Respond' Exception Code Detection (SCADA)
The Modbus/TCP server has sent a Modbus client a response with a Gateway Target Device Failed to Respond exception (exception code 0x0B). This exception is used in conjunction with gateways and indicates that no response was obtained from the target device. It usually means that the device is not present on the network.
Risk Factor: INFO | Legacy PASL ID: N/A
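The eight exception-code detections above (entries 114 through 121) all key on the same wire pattern: a Modbus/TCP exception response echoes the request's function code with bit 7 set and carries the exception code in the next byte. The decoder below is an added example written for this page, not part of the original guide and not NNM's own detection code. The function names, the `MODBUS_EXCEPTIONS` table, the per-unit tally and the sample frames (constructed, not captured) are this example's own; the exception numbering follows the Modbus Application Protocol Specification.

```python
import struct

# Exception codes from the Modbus Application Protocol Specification V1.1b3,
# section 7; the names match the detections above.
MODBUS_EXCEPTIONS = {
    0x01: "Illegal Function Code",
    0x02: "Illegal Data Address",
    0x03: "Illegal Data Value",
    0x04: "Server Device Failure",
    0x05: "Acknowledge",
    0x06: "Server Device Busy",
    0x08: "Memory Parity Error",
    0x0A: "Gateway Path Unavailable",
    0x0B: "Gateway Target Device Failed to Respond",
}


def parse_mbap(frame: bytes) -> dict:
    """Split a Modbus/TCP frame into MBAP header fields and the PDU.

    MBAP = transaction id (2), protocol id (2, always 0), length (2),
    unit id (1); 'length' counts the unit id plus the PDU that follows.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("not Modbus (protocol id %d)" % pid)
    pdu = frame[7:7 + length - 1]
    if len(pdu) != length - 1:
        raise ValueError("MBAP length %d does not match frame" % length)
    return {"tid": tid, "unit": unit, "pdu": pdu}


def classify_response(frame: bytes) -> dict:
    """Describe a server-to-client Modbus/TCP response.

    An exception response sets bit 7 of the echoed function code (fc | 0x80)
    and carries a one-byte exception code; a normal response echoes fc as is.
    """
    msg = parse_mbap(frame)
    pdu = msg["pdu"]
    if not pdu:
        raise ValueError("empty PDU")
    fc = pdu[0]
    result = {"tid": msg["tid"], "unit": msg["unit"], "function": fc & 0x7F,
              "exception": None, "name": None}
    if fc & 0x80:
        if len(pdu) < 2:
            raise ValueError("exception response without exception code")
        code = pdu[1]
        result["exception"] = code
        result["name"] = MODBUS_EXCEPTIONS.get(code, "Unknown (0x%02x)" % code)
    return result


def exception_counts(frames) -> dict:
    """Tally exception names per unit id. Many 0x01/0x02 answers from one unit
    in a short window usually mean a client is probing function codes or
    register ranges rather than an HMI with a stale tag list."""
    counts = {}
    for f in frames:
        r = classify_response(f)
        if r["exception"] is not None:
            key = (r["unit"], r["name"])
            counts[key] = counts.get(key, 0) + 1
    return counts


def build_exception(tid: int, unit: int, fc: int, code: int) -> bytes:
    """Build a Modbus/TCP exception response (used here to construct samples)."""
    pdu = bytes([fc | 0x80, code])
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample frames (not captured traffic).
SAMPLE_ILLEGAL_ADDR = build_exception(tid=1, unit=1, fc=0x03, code=0x02)  # fc 3 = Read Holding Registers
SAMPLE_GW_TIMEOUT = build_exception(tid=2, unit=7, fc=0x10, code=0x0B)    # fc 16 = Write Multiple Registers
SAMPLE_NORMAL = struct.pack(">HHHB", 3, 0, 5, 1) + bytes([0x03, 0x02, 0x00, 0x2A])  # one register = 42

if __name__ == "__main__":
    for f in (SAMPLE_ILLEGAL_ADDR, SAMPLE_GW_TIMEOUT, SAMPLE_NORMAL):
        print(classify_response(f))
    print(exception_counts([SAMPLE_ILLEGAL_ADDR, SAMPLE_ILLEGAL_ADDR, SAMPLE_GW_TIMEOUT]))
```

The tally is the part a detection engineer cares about: a single Illegal Data Address is normal HMI noise, but a run of exception 0x01 or 0x02 answers from one unit to a client that walks function codes or register ranges is what a scanner, or an attacker enumerating a PLC, looks like on the wire.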

122 | Ethernet/IP CIP List Identity Device Detection Response
The EtherNet/IP CIP (Common Industrial Protocol) List Identity command (encapsulation command 0x0063) provides identification of and general information about an EtherNet/IP-enabled device.
Risk Factor: INFO | Legacy PASL ID: N/A

123 | Ethernet/IP CIP SendRRData Get Attribute All Device Identity Response
The EtherNet/IP CIP (Common Industrial Protocol) SendRRData command Get Attribute All Device Identity response provides identification of and general information about an EtherNet/IP-enabled device.
Risk Factor: INFO | Legacy PASL ID: N/A

124 | DNP3/TCP 'Write' Function Code Detection (SCADA)
The DNP3/TCP master has sent an outstation the Write command. The Write command, function code 2 (0x02), is a transfer function used to store control information at the outstation.
Risk Factor: INFO | Legacy PASL ID: N/A

125 | DNP3/TCP 'Select' Function Code Detection (SCADA)
The DNP3/TCP master has sent an outstation the Select command. The Select command, function code 3 (0x03), is used to select, or arm, points to be operated on.
Risk Factor: INFO | Legacy PASL ID: N/A

126 | DNP3/TCP 'Operate' Function Code Detection (SCADA)
The DNP3/TCP master has sent an outstation the Operate command. The Operate command, function code 4 (0x04), is used to set or produce the output actions on the points previously selected.
Risk Factor: INFO | Legacy PASL ID: N/A

127 | DNP3/TCP 'Direct Operate' Function Code Detection (SCADA)
The DNP3/TCP master has sent an outstation the Direct Operate command. The Direct Operate command, function code 5 (0x05), lacks the select-before-operate (SBO) safeguard of the Select/Operate pair: it forces the selected points to execute the specified action without a verification check at the outstation.
Risk Factor: INFO | Legacy PASL ID: N/A

128 | DNP3/TCP 'Direct Operate/No Response' Function Code Detection (SCADA)
The DNP3/TCP master has sent an outstation the Direct Operate/No Response command. The Direct Operate/No Response command, function code 6 (0x06), lacks the select-before-operate (SBO) safeguard: it forces the selected points to execute the specified action without a verification check at the outstation, and the outstation returns no response.
Risk Factor: INFO | Legacy PASL ID: N/A

129 | DNP3/TCP 'Enable Unsolicited Messages' Function Code Detection (SCADA)
The DNP3/TCP master has sent an outstation the Enable Unsolicited Messages command. The Enable Unsolicited Messages command, function code 20 (0x14), enables spontaneous reporting of the specified objects.
Risk Factor: INFO | Legacy PASL ID: N/A
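Entries 124 through 129 are all read off the same two bytes: the DIR bit of the link-layer control byte says whether the frame came from the master, and the application-layer function code names the operation. The example below is added here and is not NNM's detection code: it parses a DNP3/TCP frame (link header, CRC-protected user-data blocks, transport and application headers) and flags Direct Operate and Direct Operate/No Response as select-before-operate bypasses. The function names, `parse_dnp3`, `build_dnp3` and the sample frames (constructed, not captured) are this example's own; the frame layout and the CRC-16/DNP polynomial follow IEEE 1815.

```python
import struct

# DNP3 (IEEE 1815) application-layer function codes named in the detections
# above; 0x05 and 0x06 act on points without a preceding Select (no SBO).
DNP3_FUNCTIONS = {
    0x00: "Confirm", 0x01: "Read", 0x02: "Write", 0x03: "Select",
    0x04: "Operate", 0x05: "Direct Operate",
    0x06: "Direct Operate/No Response",
    0x0D: "Cold Restart", 0x0E: "Warm Restart",
    0x14: "Enable Unsolicited Messages", 0x15: "Disable Unsolicited Messages",
    0x81: "Response", 0x82: "Unsolicited Response",
}
NO_SBO = {0x05, 0x06}


def dnp3_crc(data: bytes) -> int:
    """CRC-16/DNP: polynomial 0x3D65 (reflected 0xA6BC), init 0, output inverted."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def parse_dnp3(frame: bytes) -> dict:
    """Decode a DNP3/TCP frame: link header, CRC-protected user-data blocks,
    transport header and application header. Raises ValueError on bad CRCs."""
    if len(frame) < 10 or frame[:2] != b"\x05\x64":
        raise ValueError("not a DNP3 link-layer frame")
    length, ctrl, dst, src = struct.unpack("<BBHH", frame[2:8])
    if struct.unpack("<H", frame[8:10])[0] != dnp3_crc(frame[:8]):
        raise ValueError("link header CRC mismatch")
    # LEN counts CTRL, DEST, SRC (5 bytes) plus user data, excluding CRCs;
    # every 16-byte block of user data is followed by its own CRC.
    user, remaining, pos = bytearray(), length - 5, 10
    while remaining > 0:
        n = min(16, remaining)
        if len(frame) < pos + n + 2:
            raise ValueError("truncated frame")
        block = frame[pos:pos + n]
        if struct.unpack("<H", frame[pos + n:pos + n + 2])[0] != dnp3_crc(block):
            raise ValueError("user data CRC mismatch")
        user += block
        pos += n + 2
        remaining -= n
    if len(user) < 3:
        raise ValueError("no application header")
    transport, app_ctrl, fc = user[0], user[1], user[2]
    from_master = bool(ctrl & 0x80)        # link control DIR bit
    return {
        "src": src, "dst": dst, "from_master": from_master,
        "function": fc,
        "name": DNP3_FUNCTIONS.get(fc, "Unknown (0x%02x)" % fc),
        "bypasses_sbo": from_master and fc in NO_SBO,
        "transport_fin": bool(transport & 0x80),
        "transport_fir": bool(transport & 0x40),
        "app_seq": app_ctrl & 0x0F,
        "objects": bytes(user[3:]),
    }


def build_dnp3(from_master: bool, src: int, dst: int, fc: int,
               objects: bytes = b"", seq: int = 0) -> bytes:
    """Build a single-fragment DNP3 frame (used here to construct samples)."""
    user = bytes([0xC0 | (seq & 0x3F), 0xC0 | (seq & 0x0F), fc]) + objects
    ctrl = 0xC4 if from_master else 0x44   # DIR|PRM|UNCONFIRMED_USER_DATA
    header = b"\x05\x64" + struct.pack("<BBHH", 5 + len(user), ctrl, dst, src)
    frame = header + struct.pack("<H", dnp3_crc(header))
    for i in range(0, len(user), 16):
        block = user[i:i + 16]
        frame += block + struct.pack("<H", dnp3_crc(block))
    return frame


# Constructed sample (not captured traffic): a Direct Operate carrying one
# Control Relay Output Block (group 12 var 1, qualifier 0x17 = 1-byte count
# and 1-byte index prefix), control code 0x03 (latch on), index 0.
CROB_OBJECTS = bytes([0x0C, 0x01, 0x17, 0x01, 0x00,
                      0x03, 0x01, 0, 0, 0, 0, 0, 0, 0, 0, 0x00])
SAMPLE_DIRECT_OPERATE = build_dnp3(True, src=1, dst=1024, fc=0x05,
                                   objects=CROB_OBJECTS, seq=3)
SAMPLE_RESPONSE = build_dnp3(False, src=1024, dst=1, fc=0x81,
                             objects=b"\x00\x00", seq=3)   # IIN = 0x0000

if __name__ == "__main__":
    for f in (SAMPLE_DIRECT_OPERATE, SAMPLE_RESPONSE):
        r = parse_dnp3(f)
        print(r["name"], "from master" if r["from_master"] else "from outstation",
              "(no SBO)" if r["bypasses_sbo"] else "")
```

The CRC check matters for a monitor that only sees traffic: a frame whose block CRCs do not verify is either corrupted or a synthetic probe, and either way it should not be counted as a legitimate master command. The sample Direct Operate deliberately spans two user-data blocks (19 bytes) so the block/CRC walk is exercised.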

130 | Rockwell Automation/Allen-Bradley 1756 ControlLogix Controller Detection
A Rockwell Automation/Allen-Bradley 1756 ControlLogix Controller PLC has been detected. The 1756 ControlLogix Controller is a scalable controller solution that is capable of addressing many I/O points.
Risk Factor: INFO | Legacy PASL ID: N/A

131 | Rockwell Automation/Allen-Bradley 1756 ControlLogix Communication Module Detection
A Rockwell Automation/Allen-Bradley 1756 ControlLogix Communication Module communication adapter has been detected. This 1756 ControlLogix Communication Module is used to add EtherNet/IP communication capabilities to a PLC.
Risk Factor: INFO | Legacy PASL ID: N/A
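Entries 122, 123, 130 and 131 all rest on EtherNet/IP device identification: a ListIdentity reply (encapsulation command 0x0063) carries a CIP identity item with vendor ID, device type, product code, revision, serial number and product name, and a ControlLogix controller or communication module is recognised from those fields. The parser below is an added example written for this page, not NNM's own detection code. The function names, the `is_rockwell_plc` rule and the sample reply (constructed, with placeholder product code, serial and product name) are this example's own; the encapsulation header layout, the identity item layout, CIP vendor ID 1 and the device profile codes 0x0C and 0x0E are from the EtherNet/IP and CIP specifications.

```python
import struct

ENIP_LIST_IDENTITY = 0x0063     # encapsulation command
CPF_IDENTITY_ITEM = 0x000C      # CIP identity item type in the reply
VENDOR_ROCKWELL = 0x0001        # CIP vendor ID 1 = Rockwell Automation/Allen-Bradley
CIP_DEVICE_TYPES = {0x0C: "Communications Adapter",
                    0x0E: "Programmable Logic Controller"}


def parse_encap_header(data: bytes) -> dict:
    """Parse the 24-byte little-endian EtherNet/IP encapsulation header."""
    if len(data) < 24:
        raise ValueError("short encapsulation header")
    cmd, length, session, status, ctx, options = struct.unpack("<HHII8sI", data[:24])
    body = data[24:24 + length]
    if len(body) != length:
        raise ValueError("encapsulation length %d does not match frame" % length)
    return {"command": cmd, "session": session, "status": status,
            "context": ctx, "options": options, "body": body}


def parse_list_identity_reply(data: bytes) -> list:
    """Return one dict per identity item in a ListIdentity reply.

    Body = item count (2) then CPF items (type id 2, length 2, payload).
    Identity item payload: protocol version (2), sockaddr_in (16, big-endian),
    vendor (2), device type (2), product code (2), revision (1+1), status (2),
    serial (4), product name (1-byte length + text), state (1).
    """
    hdr = parse_encap_header(data)
    if hdr["command"] != ENIP_LIST_IDENTITY:
        raise ValueError("not a ListIdentity reply (command 0x%04x)" % hdr["command"])
    body = hdr["body"]
    (count,) = struct.unpack("<H", body[:2])
    off, devices = 2, []
    for _ in range(count):
        item_type, item_len = struct.unpack("<HH", body[off:off + 4])
        payload = body[off + 4:off + 4 + item_len]
        off += 4 + item_len
        if item_type != CPF_IDENTITY_ITEM:
            continue
        if len(payload) < 34:
            raise ValueError("short identity item")
        (proto_ver,) = struct.unpack("<H", payload[:2])
        _family, port, addr = struct.unpack(">HH4s", payload[2:10])   # network order
        (vendor, dev_type, prod_code, rev_major, rev_minor,
         status, serial, name_len) = struct.unpack("<HHHBBHIB", payload[18:33])
        name = payload[33:33 + name_len].decode("ascii", "replace")
        state = payload[33 + name_len]
        devices.append({"encap_version": proto_ver,
                        "ip": ".".join(str(b) for b in addr), "port": port,
                        "vendor_id": vendor, "device_type": dev_type,
                        "device_type_name": CIP_DEVICE_TYPES.get(dev_type, "0x%02x" % dev_type),
                        "product_code": prod_code,
                        "revision": "%d.%d" % (rev_major, rev_minor),
                        "status": status, "serial": serial,
                        "product_name": name, "state": state})
    return devices


def is_rockwell_plc(dev: dict) -> bool:
    """Fingerprint rule: Rockwell vendor ID plus the PLC device profile."""
    return dev["vendor_id"] == VENDOR_ROCKWELL and dev["device_type"] == 0x0E


def build_identity_item(ip, port, vendor, dev_type, prod_code, rev, status, serial, name, state):
    """Encode one identity item (used here only to construct a sample reply)."""
    addr = bytes(int(x) for x in ip.split("."))
    sock = struct.pack(">HH4s8s", 2, port, addr, b"\x00" * 8)      # AF_INET = 2
    fixed = struct.pack("<HHHBBHIB", vendor, dev_type, prod_code, rev[0], rev[1],
                        status, serial, len(name))
    payload = struct.pack("<H", 1) + sock + fixed + name.encode("ascii") + bytes([state])
    return struct.pack("<HH", CPF_IDENTITY_ITEM, len(payload)) + payload


def build_list_identity_reply(items) -> bytes:
    body = struct.pack("<H", len(items)) + b"".join(items)
    return struct.pack("<HHII8sI", ENIP_LIST_IDENTITY, len(body), 0, 0, b"\x00" * 8, 0) + body


# Constructed sample (not a capture): product code, serial and name are placeholders.
SAMPLE_REPLY = build_list_identity_reply([
    build_identity_item("192.0.2.10", 44818, vendor=VENDOR_ROCKWELL, dev_type=0x0E,
                        prod_code=0x0059, rev=(20, 11), status=0x0030,
                        serial=0x00C0FFEE, name="EXAMPLE-PLC", state=3),
])

if __name__ == "__main__":
    for dev in parse_list_identity_reply(SAMPLE_REPLY):
        print(dev["ip"], dev["product_name"], dev["device_type_name"], dev["revision"],
              "Rockwell PLC" if is_rockwell_plc(dev) else "")
```

The identity item answers an unauthenticated broadcast, so the same fields a passive monitor uses to inventory a ControlLogix rack are what a scanner collects; the firmware revision in particular is what the vulnerability entries later in this table match against.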


132 | (reserved; used in pvs_core/report/report.h)

133 | Siemens SIMATIC S7 1500 Firmware < 1.8.3 Multiple Vulnerabilities
Siemens SIMATIC S7 1500 programmable logic controllers (PLCs) prior to firmware version 1.8.3 are vulnerable to a Denial of Service (DoS) condition (STOP mode transition) via a specially crafted packet to TCP port 102. An attacker can also bypass a replay protection mechanism via packets on TCP port 102.
Risk Factor: HIGH | Legacy PASL ID: N/A

134 | Siemens SIMATIC S7 1500 Firmware < 1.5.0 Multiple Vulnerabilities
Siemens SIMATIC S7 1500 programmable logic controllers (PLCs) prior to firmware version 1.5 have multiple vulnerabilities that may allow attackers to perform Denial of Service (DoS) attacks with specially crafted HTTP(S), ISO-TSAP, or Profinet network packets. The web server may also be vulnerable to cross-site request forgery (CSRF), cross-site scripting (XSS), header injection, open redirect attacks, and privilege escalation.
Risk Factor: HIGH | Legacy PASL ID: N/A

135 | Siemens SIMATIC S7 1500 Firmware < 1.6.0 DoS Vulnerability
Siemens SIMATIC S7 1500 programmable logic controllers (PLCs) prior to firmware version 1.6 are vulnerable to a Denial of Service (DoS) via crafted TCP packets. Successful exploitation causes the CPU to automatically restart and remain in "STOP" mode. The CPU would then need to be manually put in "RUN" mode to restore operations.
Risk Factor: HIGH | Legacy PASL ID: N/A

136 | Siemens SIMATIC S7 400 Firmware 6.0.0 < 6.0.3 Denial of Service Vulnerability
Siemens SIMATIC S7 400 programmable logic controllers (PLCs) versions 6.0.1 and 6.0.2 for specific model families are vulnerable to a Denial of Service (DoS) via specially crafted packets. Successful exploitation causes the CPU to go into defect mode, and the PLC will need to be manually reset to return to normal operation. SIMATIC V5 PN CPUs are also vulnerable, but no update exists because this version has reached end-of-life and has been discontinued.
Risk Factor: HIGH | Legacy PASL ID: N/A

137 | Siemens SIMATIC CP 343-1, CP 443-1 Authentication Bypass Vulnerability
Siemens SIMATIC CP 443-1 and CP 443-1 Advanced Communication Processors with firmware versions lower than 3.2.9, CP 343-1 Advanced with firmware lower than 3.0.44, and CP 343-1 Lean with firmware lower than 3.1.1, have a flaw that allows an unauthenticated remote user with access to port 102/TCP to perform administrative actions if the CP's configuration is stored on its corresponding CPU.
Risk Factor: CRITICAL | Legacy PASL ID: N/A

138 | Siemens SIMATIC S7 400 Firmware < 3.2.17 Multiple Vulnerabilities
Siemens SIMATIC S7 400 CP 443-1 Advanced devices with firmware versions lower than 3.2.17 have a web server vulnerability that may allow remote attackers to perform actions with the permissions of an authenticated user. The web server also delivers cookies without the "secure" flag.
Risk Factor: MEDIUM | Legacy PASL ID: N/A

139 | Siemens S7-1200 Series PLC CPU < 4.0 Multiple Vulnerabilities
Siemens S7-1200 PLC central processing units (CPUs) prior to version 4.0 are vulnerable to cross-site request forgery (CSRF) via the web interface. An attacker may also be able to perform a Denial of Service (DoS) attack with specially crafted HTTP(S), ISO-TSAP, or Profinet network packets. Due to low entropy in its random number generator, the integrated web server's authentication method (port 80/tcp and port 443/tcp) could allow attackers to hijack web sessions over the network if the session token can be predicted.
Risk Factor: HIGH | Legacy PASL ID: N/A

140 | Siemens S7-1200 Series PLC CPU < 4.0 Multiple DoS Vulnerabilities
Siemens S7-1200 PLC central processing units (CPUs) prior to 4.0 are vulnerable to a Denial of Service (DoS) condition via specially crafted packets on port 161/udp (SNMP) and port 102/tcp (ISO-TSAP).
Risk Factor: HIGH | Legacy PASL ID: N/A

141 | Siemens S7-1200 Series PLC CPU CA Certificate Default Hardcoded Private Key
Siemens S7-1200 PLC central processing units (CPUs) contain a flaw: the default CA certificate's private key is hard-coded and shared across devices, so an attacker who extracts the SSL private key from one device can intercept and decrypt encrypted traffic from any other S7-1200 PLC through a man-in-the-middle (MITM) attack.
Risk Factor: CRITICAL | Legacy PASL ID: N/A

142 | Siemens S7-1200 Series PLC CPU User Program Block Protection Remote Bypass
Siemens S7-1200 PLC central processing units (CPUs) contain a flaw that may allow a remote attacker to circumvent user program block protection.
Risk Factor: HIGH | Legacy PASL ID: N/A

143 | Siemens S7-1200 Series PLC CPU Recorded Frame Command Execution Replay
Siemens S7-1200 PLC central processing units (CPUs) contain a flaw that could allow an attacker to trigger CPU functions by recording and replaying legitimate network communication.
Risk Factor: MEDIUM | Legacy PASL ID: N/A

144 | Siemens S7-1200 Series PLC CPU Web Server Network Request Saturation Remote DoS
Siemens S7-1200 PLC central processing units (CPUs) contain a flaw that could allow an attacker to place the controller in the stop/defect state by causing a communication error.
Risk Factor: MEDIUM | Legacy PASL ID: N/A

145 | Siemens Devices Using Profinet DCP Multiple DoS Vulnerabilities
A wide variety of Siemens devices are vulnerable to a Denial of Service (DoS) condition via specially crafted PROFINET DCP network packets.
Risk Factor: MEDIUM | Legacy PASL ID: N/A

146 | Siemens S7-400 CPU Packet Handling Remote DoS
A vulnerability in Siemens SIMATIC S7-400 PN CPUs (V6 and V7) could allow a remote attacker to cause a Denial of Service condition by sending specially crafted packets to port 80/TCP.
Risk Factor: HIGH | Legacy PASL ID: N/A

147 | Siemens S7-400 CPU Protection-level 2 Configuration Unspecified Remote Credential Disclosure
A vulnerability in Siemens SIMATIC S7-400 PN CPUs (all versions including V7) could allow a remote attacker to obtain credentials from the PLC if protection level 2 is configured on the affected devices.
Risk Factor: MEDIUM | Legacy PASL ID: N/A

148 | Siemens SCALANCE X-300 Switches HTTP Request Handling Remote DoS
The web server on Siemens SCALANCE X-300 switches with firmware before 4.0 allows remote attackers to cause a denial of service (reboot) via malformed HTTP requests.
Risk Factor: HIGH | Legacy PASL ID: N/A

149 | Siemens SCALANCE X-300 Switches FTP Server Network Packet Handling Remote DoS
The FTP server on Siemens SCALANCE X-300 switches with firmware before 4.0 allows remote authenticated users to cause a denial of service (reboot) via crafted FTP packets.
Risk Factor: MEDIUM | Legacy PASL ID: N/A

150 | Siemens SCALANCE X-300 Product Family Switch Detection
A Siemens SCALANCE X-300 product family switch has been detected. The SCALANCE X-300 product family are managed industrial Ethernet switches.
Risk Factor: INFO | Legacy PASL ID: N/A

151 | Siemens S7-300 CPU Packet Handling Remote DoS
Siemens S7-300 central processing units (CPUs) before version 3.X.14 have a vulnerability which could allow a remote attacker to cause a Denial of Service condition by sending specially crafted packets to port 80/TCP.
Risk Factor: HIGH | Legacy PASL ID: N/A

152 | Siemens S7-300 CPU Protection-level 2 Configuration Unspecified Remote Credential Disclosure
Siemens S7-300 central processing units (CPUs), all versions including version 3.2.12, have a vulnerability which could allow a remote attacker to obtain credentials from the PLC if protection level 2 is configured on the affected devices.
Risk Factor: MEDIUM | Legacy PASL ID: N/A

153 | Siemens 44x-1 RNA CP Remote Administrative Action Execution
Siemens 44x-1 RNA Communication Processors (CPs), all versions prior to 1.4.1, have a flaw that can allow an unauthenticated remote attacker to perform administrative actions if network access to port 102/TCP is available and the configuration file for the CP is stored on the RNA's CPU.
Risk Factor: HIGH | Legacy PASL ID: N/A

154 | Siemens S7 Communication Setup Request
The S7 master has sent an S7 slave a Communication Setup request. The Communication Setup request is used to establish an S7 session.
Risk Factor: INFO | Legacy PASL ID: N/A


155 | Siemens S7 Read SZL Request
The S7 master has sent an S7 slave a Read SZL request. The Read SZL request is used to retrieve system status information.
Risk Factor: INFO | Legacy PASL ID: N/A

156 | Siemens S7 Read SZL Response
The S7 slave has sent an S7 master a Read SZL response. The Read SZL response contains system status information.
Risk Factor: INFO | Legacy PASL ID: N/A

157 | Siemens S7 Read Variable Request
The S7 master has sent an S7 slave a Read Variable request. The Read Variable request is used to query values on the slave such as counters, flags, timers, and other values in memory.
Risk Factor: INFO | Legacy PASL ID: N/A

158 | Siemens S7 Read Variable Response
The S7 slave has sent an S7 master a Read Variable response. The Read Variable response contains the data requested by the master, such as counters, flags, timers, and other values in memory.
Risk Factor: INFO | Legacy PASL ID: N/A

159 | Siemens S7 Write Variable Request
The S7 master has sent an S7 slave a Write Variable request. The Write Variable request is used to set values on the slave such as counters, flags, timers, and other values in memory.
Risk Factor: INFO | Legacy PASL ID: N/A

160 | Siemens S7 Write Variable Response
The S7 slave has sent an S7 master a Write Variable response. The Write Variable response is used to indicate the status of the Write Variable request.
Risk Factor: INFO | Legacy PASL ID: N/A


161 | Siemens S7 PLC Hot Start Request
The S7 master has sent an S7 slave a PLC Hot Start request. The Hot Start command is used to restart the PLC without clearing data in memory.
Risk Factor: INFO | Legacy PASL ID: N/A

162 | Siemens S7 PLC Cold Start Request
The S7 master has sent an S7 slave a PLC Cold Start request. The Cold Start command is used to restart the PLC and clear memory.
Risk Factor: INFO | Legacy PASL ID: N/A

163 | Siemens S7 Start Upload Request
The S7 master has sent an S7 slave a Start Upload request. A Start Upload request is used to begin a data transfer from the slave to the master and identifies the filename which specifies which blocks will be uploaded.
Risk Factor: INFO | Legacy PASL ID: N/A

164 | Siemens S7 Upload Block Job Request
The S7 master has sent an S7 slave an Upload Block Job request. The Upload Block Job request is sent by the master to request the next block of data.
Risk Factor: INFO | Legacy PASL ID: N/A

165 | Siemens S7 Upload Block Data Message
The S7 slave has sent an S7 master an Upload Block Data message. The Upload Block Data message is sent in response to an Upload Block Job request and contains the requested block of data.
Risk Factor: INFO | Legacy PASL ID: N/A

166 | Siemens S7 End Upload Request
The S7 master has sent an S7 slave an End Upload request message. The End Upload request is sent to finish the upload.
Risk Factor: INFO | Legacy PASL ID: N/A

167 | Siemens S7 Start Download Request
The S7 master has sent an S7 slave a Start Download request. A Start Download request is used to begin a data transfer from the master to the slave and identifies the filename which specifies which blocks will be downloaded.
Risk Factor: INFO | Legacy PASL ID: N/A

168 | Siemens S7 Download Block Job Request
The S7 slave has sent an S7 master a Download Block Job request. The Download Block Job request is sent by the slave to request the next block of data.
Risk Factor: INFO | Legacy PASL ID: N/A

169 | Siemens S7 Download Block Data Message
The S7 master has sent an S7 slave a Download Block Data message. The Download Block Data message is sent in response to a Download Block Job request and contains the requested block of data.
Risk Factor: INFO | Legacy PASL ID: N/A

170 | Siemens S7 End Download Request
The S7 master has sent an S7 slave an End Download request message. The End Download request is sent to finish the download.
Risk Factor: INFO | Legacy PASL ID: N/A

171 | Siemens S7 Set Password Request
The S7 master has sent an S7 slave a Set Password request. The Set Password request sends the encoded password to the slave to log in.
Risk Factor: INFO | Legacy PASL ID: N/A
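Entries 154 through 171 follow the S7comm header: the ROSCTR byte distinguishes a Job (master to slave) from an Ack_Data (slave to master) and a Userdata PDU, the first parameter byte of a Job or Ack_Data gives the function code (0xF0 Communication Setup, 0x04/0x05 Read/Write Variable, 0x1A to 0x1F download and upload, 0x28 PLC Control for the hot and cold start requests), and Read SZL and Set Password are Userdata function group/subfunction pairs. The parser below is an added example for this page, not Tenable's detection code. `parse_s7`, `describe`, `build_s7`, the `SENSITIVE` set and the sample PDUs (constructed, with placeholder password bytes) are this example's own; the header and function code values follow the S7comm layout as publicly documented, and the example does not decode the PLC Control parameter block that separates a hot start from a cold start.

```python
import struct

ROSCTR = {0x01: "Job", 0x02: "Ack", 0x03: "Ack_Data", 0x07: "Userdata"}

# Job / Ack_Data parameter function codes (first parameter byte)
S7_FUNCTIONS = {
    0x00: "CPU Services", 0x04: "Read Variable", 0x05: "Write Variable",
    0x1A: "Start Download", 0x1B: "Download Block", 0x1C: "End Download",
    0x1D: "Start Upload", 0x1E: "Upload Block", 0x1F: "End Upload",
    0x28: "PLC Control", 0x29: "PLC Stop", 0xF0: "Communication Setup",
}
# Userdata (function group, subfunction): group 4 = CPU functions, 5 = security
S7_USERDATA = {(4, 1): "Read SZL", (5, 1): "Set Password"}
# Requests that only an engineering workstation should ever send
SENSITIVE = {"Write Variable", "Start Download", "PLC Control", "PLC Stop",
             "Set Password"}


def parse_s7(packet: bytes) -> dict:
    """Strip TPKT and COTP DT, then decode the S7comm header."""
    if len(packet) < 7 or packet[0] != 0x03:
        raise ValueError("not TPKT")
    if struct.unpack(">H", packet[2:4])[0] != len(packet):
        raise ValueError("TPKT length mismatch")
    cotp_len = packet[4]
    if packet[5] != 0xF0:
        raise ValueError("not a COTP data TPDU")
    s7 = packet[5 + cotp_len:]
    if len(s7) < 10 or s7[0] != 0x32:
        raise ValueError("not S7comm")
    rosctr, _reserved, pdu_ref, plen, dlen = struct.unpack(">BHHHH", s7[1:10])
    off, err = 10, None
    if rosctr in (0x02, 0x03):            # Ack / Ack_Data carry error class + code
        err, off = (s7[10], s7[11]), 12
    params = s7[off:off + plen]
    data = s7[off + plen:off + plen + dlen]
    if len(params) != plen or len(data) != dlen:
        raise ValueError("S7 parameter/data length mismatch")
    return {"rosctr": rosctr, "pdu_ref": pdu_ref, "error": err,
            "params": params, "data": data}


def describe(packet: bytes) -> dict:
    """Name the S7 operation and its direction the way the detections above do."""
    p = parse_s7(packet)
    params = p["params"]
    if p["rosctr"] == 0x07:
        # Userdata parameter: 00 01 12 <len> <method> <type|group> <subfn> <seq>
        if len(params) < 7 or params[:3] != b"\x00\x01\x12":
            raise ValueError("malformed Userdata parameter")
        direction = "request" if params[4] == 0x11 else "response"
        group, subfn = params[5] & 0x0F, params[6]
        name = S7_USERDATA.get((group, subfn),
                               "Userdata group %d subfunction %d" % (group, subfn))
    else:
        if not params:
            raise ValueError("no parameter block")
        name = S7_FUNCTIONS.get(params[0], "Unknown (0x%02x)" % params[0])
        direction = "request" if p["rosctr"] == 0x01 else "response"
    return {"name": name, "direction": direction, "pdu_ref": p["pdu_ref"],
            "error": p["error"],
            "sensitive": name in SENSITIVE and direction == "request"}


def build_s7(rosctr: int, params: bytes, data: bytes = b"",
             pdu_ref: int = 1, err=(0, 0)) -> bytes:
    """Wrap an S7comm PDU in COTP DT and TPKT (used here to construct samples)."""
    hdr = bytes([0x32, rosctr]) + struct.pack(">HHHH", 0, pdu_ref, len(params), len(data))
    if rosctr in (0x02, 0x03):
        hdr += bytes(err)
    s7 = hdr + params + data
    cotp = b"\x02\xf0\x80"
    return b"\x03\x00" + struct.pack(">H", 4 + len(cotp) + len(s7)) + cotp + s7


# Constructed samples (not captured traffic).
SAMPLE_SETUP = build_s7(0x01, params=bytes([0xF0, 0x00, 0x00, 0x01, 0x00, 0x01, 0x03, 0xC0]))
# Write Variable: one item, 1 byte at DB1.DBB0, value 0xFF.
SAMPLE_WRITE_VAR = build_s7(0x01,
    params=bytes([0x05, 0x01,                           # fc, item count
                  0x12, 0x0A, 0x10, 0x02, 0x00, 0x01,   # S7ANY, BYTE, length 1
                  0x00, 0x01, 0x84, 0x00, 0x00, 0x00]), # DB 1, area DB, address 0
    data=bytes([0x00, 0x04, 0x00, 0x08, 0xFF]))         # ret 0, size 4, 8 bits, 0xFF
SAMPLE_WRITE_ACK = build_s7(0x03, params=bytes([0x05, 0x01]), data=b"\xff", pdu_ref=1)
# Read SZL request for SZL-ID 0x0011 (module identification), index 0.
SAMPLE_READ_SZL = build_s7(0x07,
    params=bytes([0x00, 0x01, 0x12, 0x04, 0x11, 0x44, 0x01, 0x00]),
    data=bytes([0xFF, 0x09, 0x00, 0x04, 0x00, 0x11, 0x00, 0x00]))
# Set Password: security group, 8 encoded password bytes (placeholder zeros).
SAMPLE_SET_PASSWORD = build_s7(0x07,
    params=bytes([0x00, 0x01, 0x12, 0x04, 0x11, 0x45, 0x01, 0x00]),
    data=bytes([0xFF, 0x09, 0x00, 0x08]) + b"\x00" * 8)

if __name__ == "__main__":
    for pkt in (SAMPLE_SETUP, SAMPLE_WRITE_VAR, SAMPLE_WRITE_ACK,
                SAMPLE_READ_SZL, SAMPLE_SET_PASSWORD):
        print(describe(pkt))
```

Marking Write Variable, Start Download, PLC Control/Stop and Set Password as sensitive only when they are requests (a Job, or Userdata with method 0x11) is deliberate: the useful question on a plant network is which source addresses send them, since only engineering workstations should, and classic S7comm on port 102/TCP has no authentication beyond the protection-level password that the Set Password PDU carries.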


172 | Profinet IO Protocol Detection
Profinet is an open industrial automation standard for the control, monitoring, and diagnostic analysis of industrial equipment in automation networks.
Risk Factor: INFO | Legacy PASL ID: N/A

173 | Siemens SIMATIC KP8 HMI Detection
The Siemens SIMATIC KP8 HMI has a Profinet interface, 8 short-stroke keys, and is configurable with Step 7 V5.5 and later.
Risk Factor: INFO | Legacy PASL ID: N/A

174 | Siemens SIMATIC KTP700 HMI Detection
The Siemens SIMATIC KTP700 HMI has a Profinet interface, a 7-inch TFT display, and is configurable with WinCC Basic V13/Step 7 Basic V13.
Risk Factor: INFO | Legacy PASL ID: N/A

175 | Siemens S7-1500 Version Information Detected
Version information for a Siemens S7-1500 SIMATIC PLC was detected via the HTTP management console.
Risk Factor: INFO | Legacy PASL ID: N/A

176 | HTTP Server Detected on Industrial Network
An industrial web server is running on this port.
Risk Factor: INFO | Legacy PASL ID: N/A

177 | HTTP Client Detected on Industrial Network
A web client has connected to a web server on an industrial network.
Risk Factor: INFO | Legacy PASL ID: N/A

178 | HTTP Protocol Detected on Industrial Network
The HTTP protocol was detected on an industrial network.
Risk Factor: INFO | Legacy PASL ID: N/A

179 | Siemens TIA Portal Detected
The TIA Portal software is used to manage Siemens PLCs.
Risk Factor: INFO | Legacy PASL ID: N/A

180 | Siemens S7-1500 Device State Change Request Detected
A request to change a device state was sent via the HTTP protocol. This requires administrative access to the S7-1500 HTTP server.
Risk Factor: INFO | Legacy PASL ID: N/A

181 | Siemens S7-1200 Device State Change Request Detected
A request to change a device state was sent via the HTTP protocol. This requires administrative access to the S7-1200 HTTP server.
Risk Factor: INFO | Legacy PASL ID: N/A

183 OPC UA Client Detec-tion via Binary

An OPC UA Server has been detec-ted. OPC UA is a platform-inde-pendent standard through whichvarious systems and devices cancommunicate by sending mes-sages between clients and serv-ers over various networks. Itsupports robust, secure com-munication that assures the iden-tity of clients and servers andresists attacks. The three sup-ported methods of com-munication are Binary,SOAP/HTTP, and Binary viaSOAP/HTTP.

INFO N/A

184 OPC UA Server Detec-tion via Binary

An OPC UA Server has been detec-ted. OPC UA is a platform-inde-pendent standard through whichvarious systems and devices cancommunicate by sending mes-sages between clients and serv-ers over various networks. Itsupports robust, secure com-munication that assures the iden-

INFO N/A

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable,

Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

- 210 -

ModuleDetectionID

Module DetectionName

Module Detection DescriptionRiskFactor

LegacyPASLID

tity of clients and servers and res-ists attacks. The three supportedmethods of communication areBinary, SOAP/HTTP, and Binaryvia SOAP/HTTP.

185 OPC UA Client Detec-tion via HTTPS

An OPC UA Client has been detec-ted. OPC UA is a platform-inde-pendent standard through whichvarious systems and devices cancommunicate by sending mes-sages between clients and serv-ers over various networks. Itsupports robust, secure com-munication that assures the iden-tity of clients and servers andresists attacks. The three sup-ported methods of com-munication are Binary,SOAP/HTTP, and Binary viaSOAP/HTTP.

INFO N/A

186 OPC UA Server Detec-tion via HTTPS

An OPC UA Server has been detec-ted. OPC UA is a platform-inde-pendent standard through whichvarious systems and devices cancommunicate by sending mes-sages between clients and serv-ers over various networks. Itsupports robust, secure com-munication that assures the iden-tity of clients and servers andresists attacks. The three sup-ported methods of com-munication are Binary,

INFO N/A

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable,

Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

- 211 -

ModuleDetectionID

Module DetectionName

Module Detection DescriptionRiskFactor

LegacyPASLID

SOAP/HTTP, and Binary viaSOAP/HTTP.

187 OPC UA Client ErrorDetection

An OPC UA Client hasencountered an error. OPC UA isa platform-independent standardthrough which various systemsand devices can communicate bysending messages between cli-ents and servers over various net-works. It supports robust, securecommunication that assures theidentity of clients and serversand resists attacks.

INFO N/A

188 OPC UA Server ErrorDetection

An OPC UA Server hasencountered an error. OPC UA isa platform-independent standardthrough which various systemsand devices can communicate bysending messages between cli-ents and servers over various net-works. It supports robust, securecommunication that assures theidentity of clients and serversand resists attacks.

INFO N/A

189 OPC UA Client Mes-sage Type Detection

An OPC UA Client Message hasbeen detected. OPC UA is a plat-form-independent standardthrough which various systemsand devices can communicate bysending messages between cli-ents and servers over various net-works. It supports robust, secure

INFO N/A

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable,

Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

- 212 -

ModuleDetectionID

Module DetectionName

Module Detection DescriptionRiskFactor

LegacyPASLID

communication that assures theidentity of clients and serversand resists attacks.

190 OPC UA Server Mes-sage Type Detection

An OPC UA Server Message hasbeen detected. OPC UA is a plat-form-independent standardthrough which various systemsand devices can communicate bysending messages between cli-ents and servers over various net-works. It supports robust, securecommunication that assures theidentity of clients and serversand resists attacks.

INFO N/A

191 Schneider ElectricModicon TSXPremium EthernetCommunication Mod-ule Detection

A Schneider Electric Modicon TSXPremium Ethernet Com-munication Module has beendetected. The Schneider ElectricModicon TSX Premium EthernetCommunication Module providesethernet connectivity for the TSXPremium PLC, SNMP capabilityfor management, and ModbusTCP/IP capability.

INFO N/A

192 Rockwell Auto-mation/Allen-Bradley1734 POINT I/O Com-munication ModuleDetection

Rockwell Automation/Allen-Brad-ley 1734 POINT I/O Com-munication Modulecommunication adapter has beendetected. The 1734 POINT I/OCommunication Module is usedto add Ethernet/IP com-munication capabilities to 1734

INFO N/A

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable,

Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

- 213 -

ModuleDetectionID

Module DetectionName

Module Detection DescriptionRiskFactor

LegacyPASLID

POINT I/O input and output fieldmodules.

193 Rockwell Auto-mation/Allen-Bradley1794 FLEX I/O Com-munication ModuleDetection

Rockwell Automation/Allen-Brad-ley 1794 FLEX I/O CommunicationModule communication adapterhas been detected. The 1794 FLEXI/O Communication Module isused to add Ethernet/IP com-munication capabilities to 1794FLEX I/O input and output fieldmodules.

INFO N/A

194 Rockwell Auto-mation/Allen-BradleyPanelView Plus 6Human Machine Inter-face

Rockwell Automation/Allen-Brad-ley PanelView Plus 6 HumanMachine Interface has been detec-ted. The PanelView Plus 6 HMI isused to monitor, control, and dis-play status information graph-ically for industrial processes.

INFO N/A

195 Rockwell Auto-mation/Allen-BradleyPanelView PlusHuman Machine Inter-face

Rockwell Automation/Allen-Brad-ley PanelView Plus HumanMachine Interface has been detec-ted. The PanelView Plus 7 Stand-ard HMI is used to monitor,control, and display statusinformation graphically for indus-trial processes in a standard ICSenvironment.

INFO N/A

196 Rockwell Auto-mation/Allen-BradleyPanelView PlusHuman Machine Inter-face

Rockwell Automation/Allen-Brad-ley PanelView Plus HumanMachine Interface has been detec-ted. The PanelView Plus 7 Per-formance HMI is used to monitor,

INFO N/A

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable,

Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

- 214 -

ModuleDetectionID

Module DetectionName

Module Detection DescriptionRiskFactor

LegacyPASLID

control, and display statusinformation graphically for indus-trial processes in a performance-intensive ICS environment.

197 Rockwell Auto-mation/Allen-BradleySoftLogix 5800 Con-troller

Rockwell Automation/Allen-Brad-ley SoftLogix 5800 Controller hasbeen detected. The SoftLogix5800 takes the control functionsnormally found in dedicated pro-grammable logic controllers,encapsulates those functions insoftware and runs them on acommercial operating system.

INFO N/A

198 Mettler-Toledo IND-ETHIP Com-munications Adapter

Mettler-Toledo IND-ETHIP Com-munications Adapter has beendetected. The Mettler-ToledoIND-ETHIP is a communicationsadapter that adds Ethernet/IPconnectivity.

INFO N/A

199 Endress and HauserProline Promass Cori-olis Flowmeter

Endress and Hauser Proline Pro-mass Coriolis Flowmeter hasbeen detected. The device usesthe Coriolis principle (a change influid flow causes changes in thefrequency, phase shift or amp-litude of vibrations) to measuresthe mass flow rate of a fluid trav-eling through a tube.

INFO N/A

200 Festo CPX-FB36 Com-munications Adapter

Festo CPX-FB36 CommunicationsAdapter has been detected. Thisadapter adds Ethernet/IP andModbus/TCP support to Festo

INFO N/A

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable,

Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

- 215 -

ModuleDetectionID

Module DetectionName

Module Detection DescriptionRiskFactor

LegacyPASLID

CPX terminals.

201 Emerson MicroMotion 5700 CoriolisField Mount Trans-mitter

Emerson Micro Motion 5700 Cori-olis Field Mount Transmitter hasbeen detected. This device is acombination Coriolis mass flowmeter and communicationsadapter for transmitting massflow data to monitoring stationsover Ethernet/IP, Modbus/TCPand PROFINET.

N/A INFO

202 Prosoft TechnologyRLX2 Com-munications Adapter

Prosoft Technology RLX2 Com-munications Adapter has beendetected. The RLX2 family of com-munications adapters securewireless connectivity in industrialenvironments.

INFO N/A

203 Siemens S7 PLC StopRequest

The S7 master has sent an S7slave a PLC Stop request. ThePLC Stop request sets the Runstate of the device to stopped.

INFO N/A

204 Siemens S7 MessageService Request

The S7 master has sent an S7slave a Message Service Request.The Message Service request isused to subscribe events on thePLC.

INFO N/A

205 Siemens S7 DiagnosticMessage Push

The S7 slave has pushed a Dia-gnostic message to an S7 master.The Diagnostic message is usedto notify the S7 master of eventsthat occur on the PLC.

INFO N/A

206 Siemens S7 Alarm The S7 slave has pushed an INFO N/A

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable,

Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

- 216 -

ModuleDetectionID

Module DetectionName

Module Detection DescriptionRiskFactor

LegacyPASLID

Indication MessagePush

Alarm Indication message to anS7 master. The Alarm Indicationmessage is used to provideinformation to the S7 masterabout an alarm that has occurredon the PLC.

207 Siemens S7 AlarmQuery Request

The S7 master has sent an S7slave an Alarm Query request.The Alarm Query request is usedto get the status of an alarmblock on the PLC.

INFO N/A

208 Modicon M340 BMXNOR Ethernet/SerialRTU Module Detection

A Schneider Electric ModiconM340 BMX xvNOR Ethernet/SerialCommunications Module hasbeen detected.

INFO N/A

209 Modicon M340 BMXNOE Network ModuleDetection

A Schneider Electric ModiconM340 BMX NOE Network Modulehas been detected. The Sch-neider Electric Modicon M340BMX NOE adds Ethernet com-munications capabilities to theSchneider Electric Modicon M340PLC. Communications Moduleadds Ethernet and Serial com-munications capabilities to theSchneider Electric Modicon M340PLC, along with support for a vari-ety of industrial control protocolssuch as Modbus, ModbusTCP,CANopen, IEC60870-5-101/104,and DNP3.

INFO N/A

210 Accuenergy Acuvim II he Accuenergy Acuvim II is a rev- INFO N/A

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable,

Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

- 217 -

ModuleDetectionID

Module DetectionName

Module Detection DescriptionRiskFactor

LegacyPASLID

Detection enue-grade power meter. Thesemeters are found in power dis-tribution and plant automationsystems. The AXM-NET is anoptional communications mod-ule for the Acuvim II whichprovides web server, e-mail, andMODBUS/TCP capabilities.

211 SNMP System Descrip-tion Response Detec-tion

Device object and its propertiesdetected through the SNMP Sys-tem Description response.

INFO N/A

212 SNMP Object IDResponse Detection

Device object and its propertiesdetected through the SNMPObject ID response.

INFO N/A

213 SNMP Custom OIDResponse Detection

Device object and its propertiesdetected through the SNMP Cus-tom OID response.

INFO N/A

214 Siemens S7 CommPlus Client Detection

An S7 Comm Plus Client has beendetected. S7 Comm Plus is a pro-prietary communications pro-tocol developed by Siemens thatruns between programmablelogic controllers (PLCs) of theSiemens S7 family. It is used forPLC programming, exchangingdata between PLCs, accessingPLC data from SCADA (super-visory control and data acquis-ition) systems, and for diagnosticpurposes.

INFO N/A

215 Siemens S7 Comm An S7 Comm Plus Server has INFO N/A

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable,

Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

- 218 -

ModuleDetectionID

Module DetectionName

Module Detection DescriptionRiskFactor

LegacyPASLID

Plus Server Detection been detected. S7 Comm Plus is aproprietary communications pro-tocol developed by Siemens thatruns between programmablelogic controllers (PLCs) of theSiemens S7 family. It is used forPLC programming, exchangingdata between PLCs, accessingPLC data from SCADA (super-visory control and data acquis-ition) systems, and for diagnosticpurposes.

216 Siemens S7 CommPlus Protocol Detec-tion

The Siemens S7 Comm Plus pro-tocol has been detected. S7Comm Plus is a proprietary com-munications protocol developedby Siemens that runs betweenprogrammable logic controllers(PLCs) of the Siemens S7 family. Itis used for PLC programming,exchanging data between PLCs,accessing PLC data from SCADA(supervisory control and dataacquisition) systems, and for dia-gnostic purposes.

INFO N/A

217 Siemens SIMATICKP1200 HMI Detection

The Siemens SIMATIC KP1200 HMIhas a Profinet interface, key oper-ation, a 12 inch widescreen TFTdisplay, and is configurable usingWinCC Comfort V11 and later.

INFO N/A

218 Ethernet/IP CIPSendUnitData Get

The Ethernet/IP CIP (CommonIndustrial Protocol) SendUnitData

INFO N/A

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable,

Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

- 219 -

ModuleDetectionID

Module DetectionName

Module Detection DescriptionRiskFactor

LegacyPASLID

Attribute List DeviceIdentity Response

Get Attribute List Device Identityresponse provides identificationof and general information aboutan Ethernet/IP-enabled device.

219 Siemens EP 200SPPLC Series Detection

A Siemens ET 200SP Series PLChas been detetected. TheSiemens ET 200SP Series is a fam-ily of PLCs which supports themanufacturer's own proprietaryS7 protocol, supports theProfinet protocol, Profinet IO Iso-chronous Real-Time protocol,and can be configured as aProfinet IO Controller or ProfinetIO Device.

INFO N/A

220 Profinet IO UDP Mes-sage with DeviceInformation Detection

A Profinet IO UDP message withdevice information was detected.The Profinet IO Read responsewith the I&M0 block (Iden-tification and Maintenance) is typ-ically sent by an IO Device inresponse to a request from an IOController, and contains theorder id, serial number, hard-ware version, and software ver-sion.

INFO N/A

221 Siemens S7-300Denial of Service Vul-nerability

Siemens S7-300 central pro-cessing units (CPUs) with Profinetsupport less than version 3.2.12and without Profinet support lessthan version 3.3.12 have a vul-nerability which could allow a

MEDIUM N /A

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable,

Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

- 220 -

ModuleDetectionID

Module DetectionName

Module Detection DescriptionRiskFactor

LegacyPASLID

remote attacker to cause a Denialof Service condition. The attackinvolves sending specially craftedpackets to 102/TCP and couldcause the device to go into defectmode. A cold restart is requiredto recover the system.

222 Siemens SINAMICSG110M PN Drive Detec-tion

The Siemens SINAMICS G110M PNDrive has been detected. Thisdevice is a variable speed drivewith a high degree of protection,has a modular design, comprisedof a Control Unit and Power Mod-ule – and is designed to be usedas a drive integrated inSIMOGEAR geared motors andSIMOTICS GP motors.

INFO N/A

223 Siemens SINAMICSG120C PN Drive Detec-tion

The Siemens SINAMICS G120C PNDrive has been detected. Thisdevice is a built-in inverter.

INFO N/A

224 Siemens SINAMICSG120 CU230P-2 DriveDetection

The Siemens SINAMICS G120CU230P-2 has been detected.This is a Control Unit that hasbeen optimized for pumps andfans. It can be operated with allpower units of the PM240 andPM250 series.

INFO N/A

225 Siemens SINAMICSG120D CU240D-2 PNDrive Detection

The Siemens SINAMICS G120DCU240D-2 PN has been detected.This is a distributed converterwith encoder evaluation.

INFO N/A

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable,

Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

- 221 -

ModuleDetectionID

Module DetectionName

Module Detection DescriptionRiskFactor

LegacyPASLID

226 Siemens SINAMICSG120D CU240D-2 PN-FDrive Detection

The Siemens SINAMICS G120DCU240D-2 PN-F has been detec-ted. This is a distributed con-verter with encoder evaluation.

INFO N/A

227 Siemens SINAMICSG120 CU240E-2 PNDrive Detection

The Siemens SINAMICS G120CU240E-2 PN has been detected.

INFO N/A

228 Siemens SINAMICSG120 CU240E-2 PN-FDrive Detection

The Siemens SINAMICS G120CU240E-2 PN-F has been detec-ted.

INFO N/A

229 Siemens SINAMICSG120D CU250D-2 PNDrive Detection

The Siemens SINAMICS G120DCU250D-2 PN has been detected.This is a distributed converterwith encoder evaluation andbasic positioner EPos.

INFO N/A

230 Siemens SINAMICSG120 CU250S-2VECTOR Drive Detec-tion

The Siemens SINAMICS G120CU250S-2 VECTOR has been detec-ted.

INFO N/A

231 Siemens SIMOCODE-proV EIP Detection

The Siemens SIMOCODEproV EIPhas been detected. This is amotor management system.

INFO N/A

232 Siemens S7 Messagewith Device Inform-ation Detection

A Siemens S7 or S7 Plus Messagewith device information wasdetected. S7 and S7 Plus are pro-prietary Siemens protocols usedfor communication with Pro-grammable Logic Controllers.

INFO N/A

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable,

Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

- 222 -

Internal NNM Plugin IDs

Each vulnerability and real-time check NNM performs has a unique associated ID. NNM IDs are within the range 0 to 10000.

Internal NNM IDs

Some of NNM's checks, such as detecting open ports, are built in. The following chart lists some of the more commonly encountered internal checks and describes what they mean:

| NNM ID | Name | Description |
| --- | --- | --- |
| 0 | Detection of Open Port | NNM has observed a SYN-ACK leave from a server. |
| 1 | Operating System Fingerprint | NNM has observed enough traffic about a server to guess the operating system. |
| 2 | Service Connection | NNM has observed browsing traffic from a host. |
| 3 | Internal Client Trusted Connections | NNM has logged a unique network session of source IP, destination IP, and destination port. |
| 4 | Internal Interactive Session | NNM has detected one or more interactive network sessions between two hosts within your focus network. |
| 5 | Outbound Interactive Sessions | NNM has detected one or more interactive network sessions originating from within your focus network and destined for one or more addresses on the Internet. |
| 6 | Inbound Interactive Sessions | NNM has detected one or more interactive network sessions originating from one or more addresses on the Internet to this address within your focus network. |
| 7 | Internal Encrypted Session | NNM has detected one or more encrypted network sessions between two hosts within your focus network. |
| 8 | Outbound Encrypted Session | NNM has detected one or more encrypted network sessions originating from within your focus network and destined for one or more addresses on the Internet. |
| 9 | Inbound Encrypted Session | NNM has detected one or more encrypted network sessions originating from one or more addresses on the Internet to this address within your focus network. |
| 12 | Number of Hops | NNM logs the number of hops away each host is located. |
| 14 | Accepts External Connections | NNM detects an external connection to this host. Specific IP addresses are not reported by this plugin, but it does track the destination port and protocol used. You can view full connection details in the real-time event log. This is the opposite of plugin 16, which reports on outbound connections. |
| 15 | Internal Server Trusted Connections | NNM has logged a unique network session of source IP, destination IP, and destination port. Specific IP addresses are not reported by this plugin, but it does track which destination port and protocol was used. You can view full connection details in the real-time event log. This is the opposite of plugin 14, which reports on inbound connections. |
| 16 | Outbound External Connection | NNM has detected an external connection from this host. |
| 17 | TCP Session | NNM identifies TCP sessions and reports the start time, number of bytes of data downloaded during, and end time of these sessions. This plugin is reported at the end of each TCP session. |
| 18 | IP Protocol Detection | NNM detects all IP protocols. |
| 19 | VLAN ID Reporting | NNM reports all observed VLAN tags per host. |
| 20 | IPv6 Tunneling | NNM identifies and processes tunneled IPv6 traffic. |

NNM Plugins

This section provides the following information about NNM plugins:

- Vulnerability and Passive Fingerprinting

- NNM Fingerprinting

- NNM Plugin Syntax

- NNM Real-Time Plugin Syntax and Examples

- NNM Corporate Policy Plugins

About NNM Plugins

NNM has two sources of plugin information: the .prmx and .prm plugin libraries in the plugins directory.

Tenable distributes its passive vulnerability plugin database in an encrypted format. The encrypted file is named tenable_plugins.prmx and, if necessary, can be updated daily. NNM plugins written by the customer or third parties have the .prm extension.

Tenable has also implemented passive fingerprinting technology based on the open-source SinFP tool. With permission from the author, Tenable includes the database of passive operating system fingerprints for the fingerprinting technology in this distribution of NNM.

Writing Custom Plugins

NNM customers can write their own passive plugins, which are added into the plugins directory in the NNM installation directory. The plugin must end with a .prm extension to be visible to NNM.

You must restart NNM if:

- You add a new custom plugin to the plugins directory. NNM does not fire the plugin until you restart.

- You delete a .prm file manually from the plugins directory. NNM continues to fire the plugin until you restart.

NNM Fingerprinting

Tenable uses a hybrid approach to operating system fingerprinting. Primarily, plugins are used to detect and identify the OS of a host. If this is not possible, NNM uses detected packets to identify the OS.

NNM has the ability to guess the operating system of a host by looking at the packets it generates. Specific combinations of TCP packet entries, such as the window size and initial time-to-live (TTL) values, allow NNM to predict the operating system generating the traffic.

These unique TCP values are present when a server makes or responds to a TCP request. All TCP traffic is initiated with a "SYN" packet. If the server accepts the connection, it sends a response known as a "SYN-ACK" packet. If the server cannot or will not communicate, it sends a reset (RST) packet. When a server sends a "SYN" packet, NNM applies its list of operating system fingerprints and attempts to determine the operating system type.

Tenable Network Security has permission to re-distribute the passive operating system fingerprints from the author of the SinFP open source project.
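The following is an added example, not NNM or SinFP code, of the passive matching the section describes: it keeps only SYN and SYN-ACK packets, rounds the observed TTL up to a common initial TTL, and looks up the (initial TTL, window size) pair in a fingerprint table. It also derives the hop count that internal plugin 12 (Number of Hops) reports. The FINGERPRINTS table and the SAMPLE_PACKETS list are constructed placeholders for illustration; NNM's real database comes from SinFP and is far larger.

```python
"""Passive OS guess from TCP initial TTL and window size (added example)."""

# Common initial TTL values; an observed TTL is rounded up to the nearest one.
INITIAL_TTLS = (32, 64, 128, 255)

# Constructed fingerprint table: (initial TTL, window size) -> label.
# Real values vary by OS version and tuning; these are placeholders only.
FINGERPRINTS = {
    (64, 29200): "Linux-like (constructed entry)",
    (64, 65535): "BSD/macOS-like (constructed entry)",
    (128, 8192): "Windows-like (constructed entry)",
    (255, 4128): "network device (constructed entry)",
}


def initial_ttl(observed_ttl):
    """Estimate the TTL the sender started with (smallest common value >= observed)."""
    if not 0 < observed_ttl <= 255:
        raise ValueError(f"TTL out of range: {observed_ttl}")
    for start in INITIAL_TTLS:
        if observed_ttl <= start:
            return start
    raise AssertionError("unreachable: 255 is the last candidate")


def hops_away(observed_ttl):
    """Hops between sender and sensor, the value plugin 12 (Number of Hops) logs."""
    return initial_ttl(observed_ttl) - observed_ttl


def guess_os(flags, ttl, window):
    """Fingerprint only SYN and SYN-ACK packets; any other packet returns None."""
    if flags not in ("SYN", "SYN-ACK"):
        return None
    return FINGERPRINTS.get((initial_ttl(ttl), window), "unknown")


# Constructed sample of what a sensor might see on a mirror port.
SAMPLE_PACKETS = [
    {"src": "10.0.0.5", "flags": "SYN", "ttl": 61, "window": 29200},
    {"src": "10.0.0.9", "flags": "SYN-ACK", "ttl": 121, "window": 8192},
    {"src": "10.0.0.9", "flags": "RST", "ttl": 121, "window": 0},
    {"src": "10.0.0.12", "flags": "SYN-ACK", "ttl": 250, "window": 4128},
]


def fingerprint_hosts(packets):
    """Return {src: (guess, hops)} using the first SYN/SYN-ACK seen per host."""
    results = {}
    for pkt in packets:
        guess = guess_os(pkt["flags"], pkt["ttl"], pkt["window"])
        if guess is None or pkt["src"] in results:
            continue  # RST/data packets carry no fingerprint; keep first guess
        results[pkt["src"]] = (guess, hops_away(pkt["ttl"]))
    return results


if __name__ == "__main__":
    for host, (guess, hops) in fingerprint_hosts(SAMPLE_PACKETS).items():
        print(f"{host:12} {hops:2d} hops  {guess}")
```

The table lookup is deliberately exact-match; a production fingerprinter such as SinFP also weighs TCP options and their order, which is why a window size alone should be treated as a hint rather than an identification.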


NNM Plugin Syntax

Plugins

NNM plugins allow spaces and comment fields that start with a number (#) sign. Each plugin must be separated with the word "NEXT" on a single line. Create a .prm file in the plugins directory to make it available for use. You must restart NNM to use new custom plugins.
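As an added example (not Tenable's code), the following parser reads a file in the layout just described and applies the checks the guide states for the keywords: "#" comment lines and blank lines are skipped, a line holding only NEXT ends a plugin, and every other line is a keyword=value pair (the form the guide shows for nid=10222,10223). It then verifies that each plugin has a unique id inside the 0 to 10000 NNM range and that every bmatch or pbmatch value is an even number of alphanumeric characters. The keyword names are those from the Plugin Keywords table; the SAMPLE_PRM text is constructed for the demo and is not a real plugin. Compiling regex values with Python's re module is an approximation, since the guide does not state which regular expression dialect NNM uses.

```python
"""Parser and sanity checker for the .prm plugin layout (added example)."""
import re

NNM_ID_MIN, NNM_ID_MAX = 0, 10000  # plugin ID range stated in the guide

# Constructed sample file: a well-formed plugin, then one with deliberate
# defects (id outside the NNM range, odd-length bmatch) to exercise the checks.
SAMPLE_PRM = """\
# constructed example plugin file, not a real plugin
id=9001
name=Constructed FTP banner detection
family=Generic
sport=21
match=220
regex=^220 ([^ ]+) FTP
plugin_output=The server banner reports %P
nid=10222,10223
NEXT
id=20000
name=Constructed bad plugin
bmatch=ABC
"""


def parse_prm(text):
    """Split a .prm file into plugins; each plugin is a dict keyword -> [values]."""
    plugins, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no keywords
        if line == "NEXT":
            if current:
                plugins.append(current)
            current = {}
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a keyword=value line: {raw!r}")
        # a keyword may repeat (for example several match lines), so keep a list
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        plugins.append(current)
    return plugins


def check_plugin(plugin):
    """Return a list of problems for one plugin, empty if none are found."""
    problems = []
    # "Each NNM plugin needs a unique rule ID" within the stated range
    if "id" not in plugin:
        problems.append("missing id keyword")
    else:
        try:
            pid = int(plugin["id"][0])
        except ValueError:
            pid = None
        if pid is None or not NNM_ID_MIN <= pid <= NNM_ID_MAX:
            problems.append(f"id {plugin['id'][0]!r} is outside the range "
                            f"{NNM_ID_MIN}-{NNM_ID_MAX}")
    # bmatch/pbmatch must be an even number of alphanumeric characters
    for hexish in plugin.get("bmatch", []) + plugin.get("pbmatch", []):
        if len(hexish) % 2 or not re.fullmatch(r"[0-9A-Za-z]+", hexish):
            problems.append(f"bmatch value {hexish!r} must be an even number "
                            "of alphanumeric characters")
    # Assumption: NNM's regex dialect is close enough to Python's re that a
    # pattern which fails to compile here is worth flagging for review.
    for key in ("regex", "regexi", "pregex", "pregexi"):
        for pattern in plugin.get(key, []):
            try:
                re.compile(pattern)
            except re.error as exc:
                problems.append(f"{key} pattern {pattern!r} does not compile: {exc}")
    return problems


def check_file(text):
    """Parse a whole file; return {plugin index: [problems]} for plugins with issues."""
    report, seen = {}, {}
    for index, plugin in enumerate(parse_prm(text)):
        problems = check_plugin(plugin)
        pid = plugin.get("id", [None])[0]
        if pid in seen:
            problems.append(f"id {pid} already used by plugin {seen[pid]}")
        elif pid is not None:
            seen[pid] = index
        if problems:
            report[index] = problems
    return report


if __name__ == "__main__":
    for index, problems in check_file(SAMPLE_PRM).items():
        print(f"plugin {index}:")
        for problem in problems:
            print("  -", problem)
```

Running this before copying a custom .prm file into the plugins directory catches the defects that would otherwise only surface after the restart NNM requires to load the plugin.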

Plugin Keywords

There are several keywords available for writing passive vulnerability plugins for NNM. Some of these keywords are mandatory and some are optional. In the table below, mandatory keywords are highlighted in blue.

Name Description

bid Tenable assigns SecurityFocus Bugtraq IDs (BID) to NNM plugins. Thisallows a user reading a report generated by NNM to link to more inform-ation available at http://www.securityfocus.com/bid. Multiple Bugtraqentries can be entered on one line if separated by commas.

bmatch This is the same as match but can look for any type of data. A bmatchmust always have an even number of alphanumeric characters.

clientissue If a vulnerability is determined in a network client such as a webbrowser or an email tool, a server port is associated with the reportedvulnerability.

cve Tenable also assigns Common Vulnerability and Exposure (CVE) tags toeach NNM plugin. This allows a user reading a report generated by NNMto link to more information available at http://cve.mitre.org/. MultipleCVE entries can be entered on one line if separated by commas.

dependency This is the opposite of noplugin. Instead of specifying another pluginthat has failed, this keyword specifies which plugin must succeed. Thiskeyword specifies a NNM ID that should exist to evaluate the plugin. Inaddition, this plugin can take the form of dependency=ephemeral-server-port, which means the evaluated server must have an openport above port 1024.

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable,

Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

- 228 -

Name Description

dport: This is the same as sport, but for destination ports.

Exploitability (canvas, core, cvsstemporal, metasploit): Displays exploitability factors for the selected vulnerability. For example, if the vulnerability is exploitable via both Canvas and Core and has a unique CVSS temporal score, the following tags may be displayed in the plugin output:

CANVAS : D2ExploitPack
CORE : true
CVSSTEMPORAL : CVSS2#E:F/RL:OF/RC:C

family: Each Tenable plugin for NNM is included in a family. This designation allows Tenable to group NNM plugins into easily managed sets that can be reported on individually.

hs_dport: This is the same as hs_sport, but for destination ports.

hs_sport: Normally, when NNM runs its plugins, they are either free ranging, looking for matches on any port, or fixed to specific ports with the sport or dport keywords. In very high speed networks, many plugins have a fallback port, known as a high-speed port, which focuses the plugin only on one specific port. In High Performance mode, the performance of an NNM plugin with an hs_sport keyword is exactly the same as if the plugin was written with the sport keyword.

id: Each NNM plugin needs a unique rule ID. Tenable assigns these 16-bit numbers within the overall NNM range of valid entries. A list of the current NNM plugin IDs can be found on the Tenable website.

match: This keyword specifies a set of one or more simple ASCII patterns that must be present in order for the more complex pattern analysis to take place. The match keyword gives NNM a lot of its performance and functionality. With this keyword, if NNM does not see the simple pattern, the entire plugin does not match.

name: This is the name of the vulnerability NNM has detected. Though multiple NNM plugins can have the same name, it is not encouraged.


nid: To track compatibility with the Nessus vulnerability scanner, Tenable associates NNM vulnerability checks with relevant Nessus vulnerability checks. Multiple Nessus IDs can be listed under one nid entry, such as nid=10222,10223.

nooutput: For plugins that are written specifically to be used as part of a dependency with another plugin, the nooutput keyword causes NNM not to report anything for any plugin with this keyword enabled.

noplugin: This keyword prevents a plugin from being evaluated if another plugin has already matched. For example, it may make sense to write a plugin that looks for a specific anonymous FTP vulnerability, but disable it if another plugin that checked for anonymous FTP has already failed.

pbmatch: This is the same as bmatch, except it is applied to binary data on the previous side of the reconstructed network session.

plugin_output: This keyword displays dynamic data for a given vulnerability or event. The dynamic data is usually represented using %L or %P, and its value is obtained from the regular expressions defined using regex, regexi, pregex, or pregexi.

pmatch: This keyword is the same as match but is applied against the previous packet on the other side of the reconstructed network session.

pregex: This is the same as regex except the regular expression is applied to the previous side of the reconstructed network session.

pregexi: This is the same as pregex except the pattern matching is not case sensitive.

protocol_id: This keyword is used to specify the protocol number of the protocol causing the plugin to fire.

regex: This keyword specifies a complex regular expression search rule applied to the network session.

regexi: This is the same as regex except the pattern matching is not case sensitive.


risk: All NNM plugins need a risk setting. Risks are classified as INFO, LOW, MEDIUM, HIGH, and CRITICAL. An INFO risk is an informational vulnerability such as client or server detection. A LOW risk is an informational vulnerability such as an active port or service. A MEDIUM risk is something that may be exploitable or discloses information. A HIGH risk is something that is easily exploitable. A CRITICAL risk is something that is very easily exploitable and allows for malicious attacks.

seealso: If one or more URLs are available, this keyword can be used to display them. Multiple URLs can be specified on one line if separated by commas. Example entries for this include CERT advisories and vendor information websites.

solution: If a solution is available, it can be described here. The report section highlights the solution with different text.

sport: This setting applies the NNM plugin to just one port. For example, you may wish to write an SNMP plugin that just looks for activity on port 162. However, for detection of off-port services like a web server running on port 8080, a sport field is not used in the plugin.

stripped_description: This field describes on one line the nature of the detected vulnerability. This data is printed out by NNM when printing the vulnerability report. Macros are available that allow the printing of matched network traffic such as banner information and are discussed in the examples below. For line breaks, the characters "\n" can be used to invoke a new line.

timed-dependency: This keyword slightly modifies the functionality of the noplugin and dependency keywords such that the evaluation must have occurred within the last N seconds.

udp: This keyword specifies that plugins are to be based on the UDP protocol rather than the TCP protocol.

Tip: In addition to tcp or udp, the following protocols are supported: sctp, icmp, igmp, ipip, egp, pup, idp, tp, rsvp, gre, pim, esp, ah, mtp, encap, comp, raw or other.

Related Information


- Network Client Detection

- Pattern Matching

- Time Dependent Plugins

- Plugin Examples


Network Client Detection

Match patterns that begin with the ^ symbol mean at least one line in the packet payload must begin with the following pattern. Match patterns that begin with the ! symbol indicate that the string must NOT match anything in the packet payload. In the plugin below, the ! and ^ symbols are combined to indicate that NNM should not evaluate any packet whose payload contains a line starting with the pattern Received:.

The ^ is more expensive to evaluate than the > symbol. So, while both match patterns ^<pattern> and ><pattern> would find <pattern> at the beginning of a packet payload, the use of > is more desirable as it is less costly. Use ^ when looking for the occurrence of a string at the beginning of a line, but not at the beginning of the packet payload. In the latter case, use the > character instead.

id=79526
hs_dport=25
clientissue
name=Buffer overflow in multiple IMAP clients
description=The remote e-mail client is Mozilla 1.3 or 1.4a which is vulnerable to a boundary condition error whereby a malicious IMAP server may be able to crash or execute code on the client.
solution=Upgrade to either 1.3.1 or 1.4a
risk=HIGH
match=^From:
match=^To:
match=^Date:
match=^User-Agent: Mozilla
match=!^Received:
regex=^User-Agent: Mozilla/.* \(.*rv:(1\.3|1\.4a)


Pattern Matching

NNM Can Match "Previous" Packets

NNM allows matching on patterns in the current packet as well as patterns in the previous packet in the current session. This plugin shows how we can make use of this feature to determine if a Unix password file is sent by a web server:

id=79175
name=Password file obtained by HTTP (GET)
family=Generic
sport=80
description=It seems that a Unix password file was sent by the remote web server when the following request was made :\n%P\nWe saw : \n%L
pmatch=>GET /
pmatch=HTTP/1.
match=root
match=daemon
match=bin
regex=root:.*:0:0:.*:.*

Here we see match patterns for a root entry in a Unix password file. We also see pmatch patterns that match against a packet that makes an HTTP GET request to a web server. The match patterns apply to the current packet in a session and the pmatch patterns apply to the packet that was captured immediately before the current one in the session. To explain this visually, we are looking for occurrences of the following:

GET / HTTP/1.*

1) client -------------------------> server:port 80

Contents of password file:

root:.*:0:0:.*:.*

2) client <------------------------- server:port 80

Our match pattern would focus on the contents of packet 2) and our pmatch pattern would focus on the payload contents of packet 1).

NNM Can Match Binary Data


NNM also allows matching against binary patterns. Here is an example plugin that makes use of binary pattern matching to detect the usage of the well-known community string "public" in SNMPv1 response packets (the "#" is used to denote a comment):

####
# SNMPv1 response
#
# Matches on the following:
# 0x30 - ASN.1 header
# 0x02 0x01 0x00 - (integer) (byte length) (SNMP version - 1)
# 0x04 0x06 public - (string) (byte length) (community string - "public")
# 0xa2 - message type - RESPONSE
# 0x02 0x01 0x00 - (integer) (byte length) (error status - 0)
# 0x02 0x01 0x00 - (integer) (byte length) (error index - 0)
###
id=71975
udp
sport=161
name=SNMP public community string
description=The remote host is running an SNMPv1 server that uses a well-known community string - public
bmatch=>0:30
bmatch=>2:020100
bmatch=>5:04067075626c6963a2
bmatch=020100020100

Binary match patterns take the following form:

bmatch=[<>[off]:]<hex>

A binary match starts at the <off>'th byte from the start of the packet when > is used, or at the <off>'th byte from the end of the packet when < is used. <hex> is the hex string to look for.

bmatch=<:ffffffff

This matches any packet whose last four bytes are set to 0xFFFFFFFF.

bmatch=>4:41414141

This matches any packet that contains the string “AAAA” (0x41414141 in hex) starting at its fourth byte.

bmatch=123456789ABCDEF5

This matches any packet that contains the hex string above.
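To make the bmatch=[<>[off]:]<hex> rules concrete, here is an added Python evaluator for the binary match forms described above; it is example code written for this guide, not part of NNM. It applies the four bmatch lines of plugin 71975 to a constructed SNMPv1 GetResponse carrying the community string "public" and to the same message with "private". Offsets are treated as zero-based because the plugin's >2:020100 rule lands right after the 0x30 tag and its length byte; the meaning of a non-empty offset after < is an assumption (the guide only shows <: with an empty offset), and the ! position follows the pbmatch=>0:!414141 form shown below.

```python
import re
from typing import List, Tuple

# bmatch=[<>[off]:][!]<hex>: optional anchor and offset, optional negation, hex bytes.
BMATCH_RE = re.compile(r"^(?:([<>])(\d*):)?(!?)([0-9A-Fa-f]+)$")


def parse_bmatch(spec: str) -> Tuple[str, int, bool, bytes]:
    """Split a bmatch value into (anchor, offset, negate, pattern bytes)."""
    m = BMATCH_RE.match(spec.strip())
    if m is None:
        raise ValueError(f"malformed bmatch pattern: {spec!r}")
    anchor, offset, negate, hexstr = m.groups()
    if len(hexstr) % 2:
        raise ValueError(f"odd-length hex string in {spec!r}")
    return anchor or "", int(offset) if offset else 0, negate == "!", bytes.fromhex(hexstr)


def bmatch(payload: bytes, spec: str) -> bool:
    """Evaluate one bmatch rule against a packet payload.

    '>off:' compares the pattern at zero-based offset off from the start.
    '<off:' compares the bytes that end off bytes before the end of the
    payload (assumption; '<:' alone means the last len(pattern) bytes).
    No anchor searches anywhere in the payload. A '!' inverts the result.
    """
    anchor, offset, negate, pattern = parse_bmatch(spec)
    if anchor == ">":
        found = payload[offset:offset + len(pattern)] == pattern
    elif anchor == "<":
        end = len(payload) - offset
        found = end >= len(pattern) and payload[end - len(pattern):end] == pattern
    else:
        found = pattern in payload
    return found != negate


def plugin_fires(payload: bytes, specs: List[str]) -> bool:
    """Every bmatch line of a plugin must hold for the plugin to match."""
    return all(bmatch(payload, s) for s in specs)


# The four bmatch rules of plugin 71975 from this guide.
SNMP_PUBLIC_RULES = [">0:30", ">2:020100", ">5:04067075626c6963a2", "020100020100"]

# Constructed SNMPv1 GetResponse with community "public": request-id 1,
# error-status 0, error-index 0 and one varbind (sysDescr.0, empty value).
# BER lengths were computed for this sample.
SNMP_PUBLIC_RESPONSE = bytes.fromhex(
    "30 26"                           # SEQUENCE, 38 bytes follow
    "02 01 00"                        # INTEGER version 0 = SNMPv1
    "04 06 70 75 62 6c 69 63"         # OCTET STRING "public"
    "a2 19"                           # GetResponse PDU, 25 bytes follow
    "02 01 01"                        # request-id 1
    "02 01 00"                        # error-status 0
    "02 01 00"                        # error-index 0
    "30 0e 30 0c"                     # varbind list holding one varbind
    "06 08 2b 06 01 02 01 01 01 00"   # OID 1.3.6.1.2.1.1.1.0
    "04 00"                           # empty OCTET STRING value
)
# Same message with community "private" (outer lengths not recomputed; the
# >5: rule rejects it before any of that matters).
SNMP_PRIVATE_RESPONSE = SNMP_PUBLIC_RESPONSE.replace(b"\x04\x06public", b"\x04\x07private")

if __name__ == "__main__":
    print("public :", plugin_fires(SNMP_PUBLIC_RESPONSE, SNMP_PUBLIC_RULES))
    print("private:", plugin_fires(SNMP_PRIVATE_RESPONSE, SNMP_PUBLIC_RULES))
```

The anchored rules are the cheap ones: each is a single slice comparison at a fixed offset, while the unanchored 020100020100 rule has to scan the payload, which is why the plugin puts the anchored checks first.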


Negative Matches

NNM plugins can also be negated. Here are two examples:

pmatch=!pattern

pbmatch=>0:!414141

In each of these cases, the plugin does not match if the patterns contained in these "not" statements are present. For example, in the first pmatch statement, if the pattern named "pattern" is present, then the plugin does not match. In the second statement, the binary pattern "AAA" (the letter "A" in ASCII hex is 0x41) only matches if those bytes are not present as the first three bytes of the packet.
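The text-pattern rules of the last three sections (the >, ^ and ! prefixes from Network Client Detection, the pmatch previous-packet matching, and negative matches) can be tied together in one evaluator. The following Python code is an added example written for this guide, not NNM's matching engine; it also covers regexi, which the Plugin Examples section uses later. The HTTP request and responses are constructed; the plugin rules are those of plugins 79175, 79300 and 79910 from this guide, with one assumption: the pregex line added to 79175 and the treatment of %L/%P as the text matched by regex/regexi on the current packet and pregex/pregexi on the previous packet, with ^ applied per line as it is for match.

```python
import re
from typing import Dict, List, Optional

# Regex keyword -> (which packet it applies to, re flags, macro it fills).
# Assumption: %L is filled from regex/regexi on the current packet, %P from
# pregex/pregexi on the previous one; ^/$ anchor per line (re.MULTILINE).
REGEX_KEYWORDS = {
    "regex": ("current", 0, "%L"),
    "regexi": ("current", re.IGNORECASE, "%L"),
    "pregex": ("previous", 0, "%P"),
    "pregexi": ("previous", re.IGNORECASE, "%P"),
}


def text_match(payload: str, pattern: str) -> bool:
    """Evaluate one match/pmatch pattern with the prefix rules of this guide:
    '>' anchors at the start of the payload, '^' at the start of any line,
    no prefix means anywhere in the payload, and a leading '!' negates."""
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    if pattern.startswith(">"):
        found = payload.startswith(pattern[1:])
    elif pattern.startswith("^"):
        found = any(line.startswith(pattern[1:]) for line in payload.splitlines())
    else:
        found = pattern in payload
    return found != negate


def evaluate(plugin: Dict, previous: str, current: str) -> Optional[Dict[str, str]]:
    """Return the macro values (e.g. {'%L': ..., '%P': ...}) when every match,
    pmatch and regex-style rule of the plugin holds, otherwise None."""
    packets = {"current": current, "previous": previous}
    # Cheap ASCII patterns come first: if any fails the plugin does not match
    # and no regular expression is ever compiled or run.
    for pat in plugin.get("match", []):
        if not text_match(current, pat):
            return None
    for pat in plugin.get("pmatch", []):
        if not text_match(previous, pat):
            return None
    macros: Dict[str, str] = {}
    for key, (side, flags, macro) in REGEX_KEYWORDS.items():
        if key in plugin:
            m = re.search(plugin[key], packets[side], flags | re.MULTILINE)
            if m is None:
                return None
            macros[macro] = m.group(0)
    return macros


# Constructed two-packet HTTP session: request (previous side) and response
# (current side) carrying a Unix password file, plus an HTML response.
REQUEST = "GET /etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
PASSWD_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
    "root:x:0:0:root:/root:/bin/bash\n"
    "bin:x:1:1:bin:/bin:/sbin/nologin\n"
    "daemon:x:2:2:daemon:/sbin:/sbin/nologin\n"
)
HTML_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<html><body>root, daemon and bin are standard accounts.</body></html>\n"
)

# Rules of the two password-file plugins in this guide, as parsed values.
PLUGIN_79175 = {
    "id": "79175",
    "pmatch": [">GET /", "HTTP/1."],
    "match": ["root", "daemon", "bin"],
    "regex": r"root:.*:0:0:.*:.*",
    "pregex": r"^GET \S+",  # added here (assumption) so that %P is filled
}
PLUGIN_79300 = {
    "id": "79300",
    "match": ["!<HTML>", "!<html>", "^root:x:0:0:root:/root:/bin/bash",
              "^bin:x:1:1:bin:", "^daemon:x:2:2:daemon:"],
}
# The regexi plugin from this guide: a cheap match gate in front of the regexi.
PLUGIN_79910 = {"id": "79910", "match": ["ownloader"], "regexi": "smartdownloader"}

if __name__ == "__main__":
    print(evaluate(PLUGIN_79175, REQUEST, PASSWD_RESPONSE))
    print(evaluate(PLUGIN_79300, REQUEST, HTML_RESPONSE))
    print(evaluate(PLUGIN_79910, "", "User-Agent: SMARTdownloader/2.8"))
```

Run against the constructed session, plugin 79175 fires and reports the matched request and passwd line through %P and %L, 79300 fires on the plain-text response but not on the HTML one because of its negated match lines, and 79910 matches all three capitalizations of the SmartDownLoader string through a single regexi.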


Time Dependent Plugins

The last plugin example shows some more advanced features of the NNM plugin language that allow a plugin to be time dependent as well as make use of the evaluation of other plugins. The plugin shows how NNM detects an anonymous FTP server. Use the NEXT keyword to separate plugins in the plugin file.

id=79200
nooutput
hs_sport=21
name=Anonymous FTP (login: ftp)
pmatch=^USER ftp
match=^331
NEXT
#-----------------------------------------------------------
id=79201
dependency=79200
timed-dependency=5
hs_sport=21
name=Anonymous FTP enabled
description=The remote FTP server has anonymous access enabled.
risk=LOW
pmatch=^PASS
match=^230

Since we want to detect an anonymous FTP server, we must look for the following traffic pattern:

USER ftp

1) FTP client -----------------------> FTP server

331 Guest login ok, ...

2) FTP client <----------------------- FTP server

PASS [email protected]

3) FTP client -----------------------> FTP server

230 Logged in

4) FTP client <----------------------- FTP server


Here we cannot use a single plugin to detect this entire session. So, instead we use two plugins: the first plugin looks for packets 1) and 2) and the second plugin looks for packets 3) and 4).

A review of the above plugin shows that plugin 79200 matches 1) and 2) in the session by keying on the patterns "USER ftp" and the 331 return code. Plugin 79201 matches on 3) and 4) by keying on the patterns "PASS" and the 230 return code.

Notice that plugin 79201 contains the following field: dependency=79200. This field indicates that plugin 79200 must evaluate successfully before plugin 79201 may be evaluated.

To complete the plugin for the anonymous FTP session, we must ensure both plugins are evaluating the same FTP session. To do this, we attach a time dependency to plugin 79201. The field timed-dependency=5 indicates that plugin 79200 must have evaluated successfully in the last five seconds for 79201 to evaluate. This way, we can ensure that both plugins evaluate the same FTP session.


Plugin Examples

Basic Example

This plugin illustrates the basic concepts of NNM plugin writing:

id=79873
nid=11414
hs_sport=143
name=IMAP Banner
description=An IMAP server is running on this port. Its banner is :\n %L
risk=NONE
match=OK
match=IMAP
match=server ready
regex=^.*OK.*IMAP.*server ready

This example uses the following fields:

- id - A unique number assigned to this plugin.

- nid - The Nessus ID of the corresponding Nessus NASL script.

- hs_sport - The source port to key on if High Performance mode is enabled.

- name - The name of the plugin.

- description - A description of the problem or service.

- match - The set of match patterns that must be found in the payload of the packet before the regular expression can be evaluated.

- regex - The regular expression to apply to the packet payload.

Tip: The description contains the %L macro. If this plugin evaluates successfully, then the string pattern in the payload that matched the regular expression is stored in %L and prints out at report time.

Complex Example

id=79004
nid=10382
cve=CVE-2000-0318
bid=1144
hs_sport=143
name=Atrium Mercur Mailserver
description=The remote imap server is Mercur Mailserver 3.20. There is a flaw in this server (present up to version 3.20.02) which allow any authenticated user to read any file on the system. This includes other user mailboxes, or any system file. Warning : this flaw has not been actually checked but was deduced from the server banner
solution=There was no solution ready when this vulnerability was written; Please contact the vendor for updates that address this vulnerability.
risk=HIGH
match=>* OK
match=MERCUR
match=IMAP4-Server
regex=^\* OK.*MERCUR IMAP4-Server.*v3\.20\..*$

Tip: The first match pattern makes use of the > symbol. The > symbol indicates that the subsequent string must be at the beginning of the packet payload. Use of the > symbol is encouraged where possible as it is an inexpensive operation.

Case-Insensitive Example

There is a tool called SmartDownLoader that uploads and downloads large files. Unfortunately, versions 0.1 through 1.3 use the capitalization SmartDownloader, versions 1.4 through 2.7 use smartdownloader and versions 2.8 through current use SMARTdownloader. Searching for the various combinations of this text with purely the regex command would cause us to use a statement that looks like this:

regex=[sS][mM][aA][rR][tT][dD]own[lL]oader

However, with the regexi command, the search string is much less complex and less prone to creating an error:

regexi=smartdownloader

By using regexi, we can more quickly match on all three versions as well as future permutations of the string smartdownloader. In a case such as this, regexi is the logical choice.


id=79910
dependency=1442
hs_sport=6789
name=SmartDownLoader Detection
description=The remote host is running SmartDownLoader, a tool for performing rudimentary uploads and downloads of large binary files.
solution=Ensure that this application is in keeping with Corporate policies and guidelines
risk=MEDIUM
family=PeerToPeer
match=ownloader
regexi=smartdownloader

Above is a complete example NNM plugin using the regexi keyword. The use of the match keyword searching for the string ownloader is not a typo. By searching for network sessions that have this string in them first, NNM can avoid invoking the expensive regexi search algorithm unless the ownloader pattern is present.


NNM Real-Time Plugin Syntax

Real-Time Plugin Model

NNM real-time plugins are exactly the same as NNM vulnerability plugins with two exceptions:

- They can occur multiple times.

- Their occurrence may not be recorded as a vulnerability.

For example, an attacker may attempt to retrieve the source code for a Perl script from an Apache web server. If NNM observes this event, it would be logical to send a real-time alert. It would also be logical to mark that the Apache server is potentially vulnerable to some sort of Perl script source code download. In other cases, it may be more logical to just log the attempt as an event, but not a vulnerability. For example, a login failure over FTP is an event that may be worth logging, but does not indicate a vulnerability.

As the real-time plugins are written, there are two keywords that indicate to NNM that these are not regular vulnerability plugins. These are the real-time and realtimeonly keywords.

In the previous example, the FTP user login failure would be marked as a realtimeonly event because we would like real-time alerting, but not a new entry into the vulnerability database.

Real-Time Plugin Keywords

Name Description

real-time: If a plugin has this keyword, then NNM will generate a SYSLOG message or real-time log file entry the first time this plugin matches. This prevents vulnerabilities that are worm related from causing millions of events. For example, the plugins for the Sasser worm generate only one event. Output from plugins with this keyword will show up in the vulnerability report.

realtimeonly: If a plugin has this keyword, then NNM will generate a SYSLOG message or real-time log file entry each time the plugin evaluates successfully. These plugins never show up in the report file.

track-session: This keyword will cause the contents of a session to be reported (via SYSLOG or the real-time log file) a specified number of times after the plugin containing this keyword was matched. This is an excellent way to discover what a hacker "did next" or possibly what the contents of a retrieved file were, in real time.

trigger-dependency: Normally if a plugin has multiple dependencies, then all of those dependencies must be successful for the current plugin to evaluate. However, the trigger-dependency keyword allows a plugin to be evaluated as long as at least one of its dependencies is successful.


Real-Time Plugin Examples

Failed Telnet Login Plugin

The easiest way to learn about NNM real-time plugins is to evaluate some of those included by Tenable. Below is a plugin that detects a failed Telnet login to a FreeBSD server.

# Look for failed logins into an FreeBSD telnet server
id=79400
hs_sport=23
dependency=1903
realtimeonly
name=Failed login attempt
description=NNM detected a failed login attempt to a telnet server
risk=LOW
match=Login incorrect

This plugin has many of the same features as a vulnerability plugin. The ID of the plugin is 79400. The high-speed port is 23. We need to be dependent on plugin 1903 (which detects a Telnet service). The realtimeonly keyword tells NNM that if it observes this pattern, then it should alert on the activity, but not record any vulnerability.

Under SecurityCenter CV, events from NNM are recorded alongside other IDS tools.

Finger User List Enumeration Plugin

The finger daemon is an older Internet protocol that allowed system users to query remote servers to get information about a user on that box. There have been several security holes in this protocol that allowed an attacker to elicit user and system information that could be useful to attackers.

id=79500
dependency=1277
hs_sport=79
track-session=10
realtimeonly
name=App Subversion - Successful finger query to multiple users
description=A response from a known finger daemon was observed which indicated that the attacker was able to retrieve a list of three or more valid user names.
risk=HIGH
match=Directory:
match=Directory:
match=Directory:

This plugin looks for these patterns only on systems where a working finger daemon has been identified (dependency #1277). However, the addition of the track-session keyword means that if this plugin is launched with a value of 10, the session data from the next 10 packets is tracked and logged in either the SYSLOG or real-time log file.

During a normal finger query, if only one valid user is queried, then only one home directory is returned. However, many of the exploits for finger involve querying for users such as NULL, .., or 0. This causes vulnerable finger daemons to return a listing of all users. In that case, this plugin would be activated because of the multiple "Directory:" matches.

Unix Password File Download Web Server Plugin

The plugin below looks for any download from a web server that does not look like HTML traffic, but does look like the contents of a generic Unix password file.

id=79300
dependency=1442
hs_sport=80
track-session=10
realtimeonly
name=Web Subversion - /etc/passwd file obtained
description=A file which looks like a Linux /etc/passwd file was downloaded from a web server.
risk=HIGH
match=!<HTML>
match=!<html>
match=^root:x:0:0:root:/root:/bin/bash
match=^bin:x:1:1:bin:
match=^daemon:x:2:2:daemon:

The plugin is dependent on NNM ID 1442, which detects web servers. In the match statements, we ignore any traffic that contains HTML tags and require lines that start with common Unix password file entries.

Generic Buffer Overflow Detection on Windows Plugin


One of NNM's strongest intrusion detection features is its ability to recognize specific services, and then to look for traffic occurring on those services that should never occur unless they have been compromised. Since NNM can keep track of both sides of a conversation and make decisions based on the content of each, it is ideal to look for Unix and Windows command shells occurring in services that should not have those command shells in them. Here is an example plugin:

# look for Windows error when a user tries to
# switch to a drive that doesn't exist
id=79201
include=services.inc
trigger-dependency
track-session=10
realtimeonly
name=Successful shell attack detected - Failed cd command
description=The results of an unsuccessful attempt to change drives on a Windows machine occurred in a TCP session normally used for a standard service. This may indicate a successful compromise of this service has occurred.
risk=HIGH
pmatch=!>GET
pregexi=cd
match=!>550
match=^The system cannot find the
match=specified.

This plugin uses the include keyword that identifies a file that lists several dozen NNM IDs, which identify well known services such as HTTP, DNS, and NTP. The plugin is not evaluated unless the target host is running one of those services.

The keyword trigger-dependency is needed to ensure the plugin is evaluated even if there is only one match in the services.inc file. Otherwise, NNM evaluates this plugin only if the target host was running all NNM IDs present in the services.inc file. The trigger-dependency keyword requires that at least one of the NNM IDs specified by the dependency or include rules be present.

Finally, the logic of plugin detection looks for the following type of response on a Windows system:


In this case, a user has attempted to use the cd command to change directories within a file system and the attempt was not allowed. This is a common event that occurs when a remote hacker compromises a Windows 2000 or Windows 2003 server with a buffer overflow. The NNM plugin looks for a network session that should not be there.

In the plugin logic, there are pmatch and pregexi statements that attempt to ensure that the session is not an HTTP session, and that the previous side of the session contains the string cd.

Tip: The pregexi statement could be expanded to include the trailing space after the "d" character and also the first character.

The plugin then looks for the expected results of the failed cd command. The first match statement makes sure this pattern is not part of the FTP protocol. Looking for "cd" in one side of a session and the error of attempting to change to a directory in an FTP session causes false positives for this plugin. Adding a rule to ignore if a line starts with "550" avoids this. While writing and testing this plugin, Tenable considered having a different set of plugins just for FTP, but the additional filter statement took care of any false positives. Finally, the last two match statements look for the results of the failed change directory attempt. They are spread across two match statements and could have been combined into one regular expression statement, but there was enough content in the basic message to split them into higher-speed matching.


NNM Corporate Policy Plugins

Most companies have an "Acceptable Use Policy" that defines appropriate use of the company's IT facilities. Often, this policy is abused to some extent since detecting abuse can be difficult.

NNM can help in this regard through use of NNM Corporate Policy plugins. These plugins can be used to look for policy violations and items such as credit card numbers, Social Security numbers, and other sensitive content in motion.

Tenable ships NNM with a large number of plugins that are frequently updated. The primary focus of these plugins is to discover hosts, applications and their related client/server vulnerabilities. To search for a specific plugin, visit http://www.tenable.com/NNM-plugins.

Many of the available plugins already detect activities that would fall into the "Inappropriate Use" category in most companies. Some of the activities that are detected through these plugins include (but are not limited to):

- Game servers

- Botnet clients and servers

- Peer to peer file sharing

- IRC clients and servers

- Chat clients

- Tunneling software or applications like Tor, GoToMyPC, and LogMeIn

Related Information

- Detecting Custom Activity Prohibited by Policy

- Detecting Confidential Data in Motion


Detecting Custom Activity Prohibited by Policy

The plugins provided with NNM are useful for detecting generally inappropriate activities, but there may be times when more specific activities need to be detected. For example, a company may want to generate an alert when email is sent to a competitor's mail service or if users are managing their Facebook accounts from the corporate network.

Tenable provides the ability for users to write their own custom plugins, as documented in NNM Plugin Syntax. These plugins are saved as prm files.

The following example shows how to create a custom plugin to detect users logging into their Facebook accounts. First, a unique plugin ID is assigned, in this case 79420. So, the first line of our plugin is:

id=79420

Next, we want a description of what the vulnerability detects:

description=The remote client was observed logging into a Facebook account. You should ensure that such behavior is in alignment with corporate policies and guidelines. For your information, the user account was logged as:\n %L

The %L is the result of our regular expression statement that is created later. We want to log the source address of the offending computer as well as the user ID that was used to log in. Next, we create a distinct name for our plugin.

name=POLICY - Facebook usage detection

Note that the name begins with the string POLICY. This makes all POLICY violations easily searchable from the SecurityCenter CV interface.

You can also define a SecurityCenter CV dynamic asset list that contains only POLICY violators.

The next field defines a family. For this example, the application is a web browser, so the family ID is defined as follows:

family=Web Clients

Since this is a web browser, a dependency can be assigned that tells NNM to look at only those clients that have been observed surfing the web:

dependency=1735

Furthermore, since we are looking at client traffic, we define:


clientissue

Next, we assign a risk rating for the observed behavior:

risk=MEDIUM

In the final section we create match and regex statements that NNM looks for passively. We want all of these statements to be true before the client is flagged for inappropriate usage:

match=>POST /

The web request must begin with a POST verb. This weeds out all “GET” requests.

match=^Host: *.facebook.com

The statement above ensures that the request is being posted to a host in the *.facebook.com domain.

Finally, we have a match and regex statement that detects the user’s login credentials:

match=email=

regex=email=.*%40[^&]+

Altogether, we have a single plugin as follows:

id=79420
family=Web Clients
clientissue
dependency=1735
name=Facebook_Usage
description=The remote client was observed logging into a Facebook account. You should ensure that such behavior is in alignment with Corporate Policies and guidelines. For your information, the user account was logged as:
risk=MEDIUM
solution=Stay off of Facebook.
match=>POST /
match=^Host: *.facebook.com
match=email=
regex=email=.*%40[^&]+

This plugin could be named Facebook.prm and added into the /opt/NNM/var/nnm/plugins/ directory. If SecurityCenter CV is used to manage one or more NNM systems, use the plugin upload dialog to add the new .prm file.


If you wish to create a policy file that includes multiple checks, use the reserved word NEXT within the policy file. For example:

id=79420
…rest of plugin…
NEXT
id=79421
…etc.


Detecting Confidential Data in Motion

Many organizations want to ensure that confidential data does not leave the network. NNM can aid in this by looking at binary patterns within observed network traffic. If critical documents or data can be tagged with a binary string, such as an MD5 checksum, NNM has the ability to detect these files being passed outside the network. For example:

Create a document that has a binary string of:

0xde1d7f362734c4d71ecc93a23bb5dd4c and 0x747f029fbf8f7e0ade2a6198560c3278

A NNM plugin can then be created to look for this pattern as follows:

id=79580
trigger-dependency
dependency=2004
dependency=2005
hs_dport=25
description=POLICY - Confidential data passed outside the corporate network. The Confidential file don'tshare.doc was just observed leaving the network via email.
name=Confidential file misuse
family=Generic
clientissue
risk=HIGH
bmatch=de1d7f362734c4d71ecc93a23bb5dd4c
bmatch=747f029fbf8f7e0ade2a6198560c3278

These binary codes were created by simply generating md5 hashes of the following strings:

"Copyright 2006 BigCorp, file: don'tshare.doc"

"file: don'tshare.doc"

The security compliance group maintains the list of mappings (confidential file to md5 hash). The md5 hash can be embedded within the binary file and can then be tracked as it traverses the network.

Similar checks can be performed against ASCII strings to detect, for example, if confidential data was cut-and-pasted into an email. Simply create text watermarks that appear benign to the casual observer and map to a specific file name. For example:

"Reference data at \\192.168.0.2\c$\shares\employmentfiles for HR data regarding Jane Mcintyre" could be a string which maps to a file named Finances.xls.


A NNM plugin can look for the string as follows:

id=79581
trigger-dependency
dependency=2004
dependency=2005
hs_dport=25
description=POLICY - Confidential data passed outside the corporate network. Data from the confidential file Finances.xls was just observed leaving the network via email.
name=Confidential file misuse
family=Generic
clientissue
risk=HIGH
match=Reference data at
match=192.168.0.2\c$\shares\employmentfiles
match=for HR data regarding Jane Mcintyre

The two example plugins above (IDs 79580 and 79581) detect files leaving the network via email. Most corporations have a list of ports that are allowed outbound access. SMTP is typically one of these ports. Other ports may include FTP, Messenger client ports (e.g., AIM, Yahoo and ICQ), or Peer2Peer (e.g., GNUTELLA and BitTorrent). Depending on your specific network policy, you may wish to clone plugins 79580 and 79581 to detect these strings on other outbound protocols.
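The following is an added example, not code from this guide or from Tenable: a small Python evaluator that parses a two-check .prm file (the Facebook check from the previous section and a watermark check in the style of plugin 79580, separated by NEXT) and runs it against constructed traffic. The match, regex, bmatch and hs_dport semantics, the %L substitution and the watermark string are this example's own assumptions; bmatch is treated as the hex encoding of raw bytes, and only raw payload bytes are inspected.

```python
# Constructed example, not NNM's own code: the match/regex/bmatch/hs_dport/NEXT
# semantics below are approximated from the guide's prose, not NNM's parser.
import hashlib
import re

# Constructed watermark; its MD5 stands in for the guide's 0xde1d... value.
WATERMARK = b"Copyright 2006 BigCorp, file: don'tshare.doc"
WATERMARK_MD5_HEX = hashlib.md5(WATERMARK).hexdigest()

# Two checks in one file, separated by the reserved word NEXT.
POLICY_PRM = f"""id=79420
family=Web Clients
clientissue
dependency=1735
name=POLICY - Facebook usage detection
description=Client logged into a Facebook account. Account: %L
risk=MEDIUM
match=>POST /
match=^Host: *.facebook.com
match=email=
regex=email=.*%40[^&]+
NEXT
id=79580
family=Generic
clientissue
hs_dport=25
name=Confidential file misuse
description=POLICY - Confidential file don'tshare.doc left via email.
risk=HIGH
bmatch={WATERMARK_MD5_HEX}
"""

def parse_prm(text):
    """Split a .prm file on NEXT; repeated keys (match, dependency) become lists."""
    plugins, cur = [], {}
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line == "NEXT":
            plugins.append(cur)
            cur = {}
        elif "=" in line:
            key, value = line.split("=", 1)
            cur.setdefault(key, []).append(value)
        else:                                  # bare flags such as clientissue
            cur.setdefault("flags", []).append(line)
    return plugins + [cur] if cur else plugins

def match_to_regex(pattern):
    """'>' anchors at payload start, '^' at a line start, '*' is a wildcard."""
    anchor = {">": r"\A", "^": "^"}.get(pattern[:1], "")
    body = pattern[1:] if anchor else pattern
    return re.compile(anchor + ".*".join(map(re.escape, body.split("*"))), re.M)

def evaluate(plugin, payload, dport):
    """Return an event if every hs_dport/match/bmatch/regex condition holds."""
    if any(int(p) != dport for p in plugin.get("hs_dport", [])):
        return None
    text = payload.decode("latin-1")
    if not all(match_to_regex(m).search(text) for m in plugin.get("match", [])):
        return None
    if any(bytes.fromhex(h) not in payload for h in plugin.get("bmatch", [])):
        return None
    captured = ""
    for rx in plugin.get("regex", []):
        m = re.search(rx, text)
        if not m:
            return None
        captured = m.group(0)          # %L in the description is the match text
    return {"id": plugin["id"][0], "name": plugin["name"][0], "risk": plugin["risk"][0],
            "description": plugin["description"][0].replace("%L", captured)}

def run_policy(prm_text, payload, dport):
    events = (evaluate(p, payload, dport) for p in parse_prm(prm_text))
    return [e for e in events if e]

# Constructed traffic samples, not captured data.
FACEBOOK_POST = (b"POST /login.php HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"
                 b"email=jane.doe%40example.com&remember=1")
LEAKED_MAIL = (b"From: jane@bigcorp.example\r\nTo: rival@example.net\r\n\r\n"
               b"...attachment bytes..." + hashlib.md5(WATERMARK).digest())
```

Because this evaluator only inspects raw payload bytes, an attachment that is base64-encoded in transit would not carry the raw digest bytes it looks for.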


Working with SecurityCenter CV

NNM can operate under the control of SecurityCenter, which provides NNM with passive vulnerability data and retrieves scanned data. SecurityCenter has a variety of reporting, remediation, and notification mechanisms to efficiently distribute vulnerability information across large enterprises. In addition, it can also control a distributed set of Nessus active vulnerability scanners. By combining active and passive vulnerability scanning, SecurityCenter can be used to efficiently and accurately manage security across large networks.

This section contains the following information about NNM integration with SecurityCenter.

• Managing Vulnerabilities

• Updating the NNM Management Interface


Managing Vulnerabilities

SecurityCenter CV displays a summary of vulnerabilities detected by NNM. These vulnerabilities can be independently viewed by many different users with different access control. SecurityCenter CV also allows security managers to issue recommendations that help guide network administrators as to which vulnerabilities should be mitigated.

NNM is Real-Time

Since NNM’s vulnerability data is constantly fed into SecurityCenter CV and NNM’s plugins are updated by Tenable™, the accuracy of the passive vulnerability data in SecurityCenter CV greatly enhances the quality of the security information available to SecurityCenter CV’s users.


Syslog Messages

NNM provides options to send real-time and vulnerability data as Syslog messages. This section describes the available Syslog message types:

• Standard Syslog Message Types

• CEF Syslog Message Types


Standard Syslog Message Types

Message Types

• Syslog message format for real-time Syslog entries generated by realtimeonly PRMs:

<priority>timestamp nnm: src_ip:src_port|dst_ip:dst_port|protocol|plugin_id|plugin_name|matched_text_current_packet|matched_text_previous_packet|risk

• Syslog message format for vulnerability and real-time Syslog entries generated by PASLs, PRMs, and internal plugins:

<priority>timestamp nnm: src_ip:src_port|dst_ip:dst_port|protocol|plugin_id|plugin_name|plugin_description|plugin_output|risk

Message Fields

Name  Description

dst_ip  Displays the destination IP address for reported traffic.

dst_port  Displays the destination port for reported traffic.

matched_text_current_packet  Reports the payload in the packet that caused the match and triggered the NNM event.

matched_text_previous_packet  Reports the payload that was observed prior to the payload in the matched_text_current_packet field.

plugin_id  Displays the reported NNM plugin or PASL ID triggered by reported traffic.

plugin_name  Displays the name of the NNM plugin or PASL ID triggered by reported traffic.

plugin_output  Displays dynamic data for a given vulnerability or event. This field may be empty if there is no plugin-specific data.

priority  Displays the Syslog facility level of the message.


protocol  Reports the integer value for the protocol used for the reported traffic.

risk  Displays the associated risk level of the reported vulnerability. This can be NONE, LOW, MEDIUM, HIGH, CRITICAL, or INFO.

src_ip  Displays the source IP address reported for the traffic.

src_port  Displays the source port for the reported traffic.

timestamp  Displays the date and time of the Syslog message.


CEF Syslog Message Types

Message Type

Syslog message format for vulnerability and real-time Syslog entries generated by PASLs, PRMs, and internal plugins:

timestamp CEF: Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension

Message Fields

Name  Description

Device Product  Displays the name of the product on the detected sending device.

Device Vendor  Displays the vendor of the product on the detected sending device.

Device Version  Displays the version of the product on the detected sending device.

Extension  Displays key-value pairs for one or more of the following additional fields: src, dst, spt, dpt, proto, and msg.

Name  Displays the name of the NNM plugin or PASL ID triggered by the reported traffic.

Severity  Displays the associated severity level of the reported vulnerability.

Signature ID  Displays the reported NNM plugin or PASL ID triggered by the reported traffic.

timestamp  Displays the date and time of the Syslog message.

Version  Displays the version of the CEF format.
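As an added example (not Tenable code), the following Python parsers turn the standard and CEF layouts described in these two sections into dictionaries, decoding the syslog priority into facility and severity and labelling fields 6 and 7 of the standard layout according to whether the plugin ID is a realtimeonly PRM. The sample lines, the vendor/product/version values and the assumption that no field contains a "|" are this example's own.

```python
# Constructed example, not Tenable code: parsers for the two NNM syslog layouts.
# Assumes '|' never occurs inside a field, which the guide does not promise for
# plugin_output or the matched_text_* fields.
import re

STD_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>.+?) nnm: (?P<body>.*)$")
CEF_RE = re.compile(r"^(?P<ts>.+?) CEF:\s*(?P<ver>\d+)\|(?P<body>.*)$")
# Both standard layouts carry eight '|'-separated fields; fields 6 and 7 are
# matched_text_current_packet / matched_text_previous_packet for realtimeonly
# PRMs and plugin_description / plugin_output otherwise, so the consumer must
# know which plugin IDs are realtimeonly to label them correctly.
STD_FIELDS = ("src", "dst", "protocol", "plugin_id", "plugin_name", "f6", "f7", "risk")
CEF_HEADER = ("device_vendor", "device_product", "device_version",
              "signature_id", "name", "severity")
CEF_EXT_KEYS = ("src", "dst", "spt", "dpt", "proto", "msg")
CEF_EXT_SPLIT = re.compile(r"\s+(?=(?:%s)=)" % "|".join(CEF_EXT_KEYS))


def parse_standard(line, realtime_plugin_ids=frozenset()):
    """Parse '<priority>timestamp nnm: ...'; returns None on layout mismatch."""
    m = STD_RE.match(line)
    if not m:
        return None
    parts = m.group("body").split("|")
    if len(parts) != len(STD_FIELDS):
        return None
    rec = dict(zip(STD_FIELDS, parts))
    pri = int(m.group("pri"))          # syslog PRI = facility * 8 + severity
    rec.update(timestamp=m.group("ts"), facility=pri // 8, severity=pri % 8)
    # rsplit keeps IPv6 addresses (which contain ':') intact.
    rec["src_ip"], rec["src_port"] = rec.pop("src").rsplit(":", 1)
    rec["dst_ip"], rec["dst_port"] = rec.pop("dst").rsplit(":", 1)
    if rec["plugin_id"] in realtime_plugin_ids:
        rec["matched_text_current_packet"] = rec.pop("f6")
        rec["matched_text_previous_packet"] = rec.pop("f7")
    else:
        rec["plugin_description"] = rec.pop("f6")
        rec["plugin_output"] = rec.pop("f7")
    return rec


def parse_cef(line):
    """Parse 'timestamp CEF: Version|...|Extension' into one flat dict."""
    m = CEF_RE.match(line)
    if not m:
        return None
    parts = m.group("body").split("|", len(CEF_HEADER))
    if len(parts) != len(CEF_HEADER) + 1:
        return None
    rec = dict(zip(CEF_HEADER, parts))
    rec.update(timestamp=m.group("ts"), cef_version=int(m.group("ver")))
    for kv in CEF_EXT_SPLIT.split(parts[-1]):   # extension: key=value pairs
        key, _, value = kv.partition("=")       # msg may itself contain '='
        rec[key] = value
    return rec


# Constructed sample lines, not output captured from an NNM.
STANDARD_LINE = ("<134>May 10 12:00:00 nnm: 192.168.1.10:51234|203.0.113.5:80|6|79420|"
                 "POLICY - Facebook usage detection|email=jane.doe%40example.com|"
                 "POST /login.php|MEDIUM")
CEF_LINE = ("May 10 12:00:00 CEF:0|Tenable|NNM|5.4|79420|POLICY - Facebook usage "
            "detection|5|src=192.168.1.10 spt=51234 dst=203.0.113.5 dpt=80 proto=6 "
            "msg=email=jane.doe%40example.com")
```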


Custom SSL Certificates

By default, NNM is installed and managed using HTTPS and SSL support and uses port 8835. Default installations of NNM use a self-signed SSL certificate.

To avoid browser warnings, use a custom SSL certificate specific to your organization. During the installation, NNM creates two files that make up the certificate: servercert.pem and serverkey.pem. You must replace these files with certificate files generated by your organization or a trusted CA.

Before replacing the certificate files, stop the NNM server. Replace the two files and re-start the NNM server. If the certificate was generated by a trusted CA, subsequent connections to the scanner do not display an error.

Certificate File Locations

Operating System Directory

Linux /opt/nnm/var/nnm/ssl/servercert.pem

/opt/nnm/var/nnm/ssl/serverkey.pem

Windows C:\ProgramData\Tenable\NNM\nnm\ssl\servercert.pem

C:\ProgramData\Tenable\NNM\nnm\ssl\serverkey.pem

macOS /Library/NNM/var/nnm/ssl/servercert.pem

/Library/NNM/var/nnm/ssl/serverkey.pem

Optionally, you can use the /getcert switch to install the root CA in your browser, which removes the warning:

https://<IP address>:8835/getcert

To set up an intermediate certificate chain, place a file named serverchain.pem in the same directory as the servercert.pem file.

This file must contain the 1-n intermediate certificates (concatenated public certificates) necessary to construct the full certificate chain from the NNM server to its ultimate root certificate (one trusted by the user’s browser).

SSL Client Certificate Authentication


NNM supports use of SSL client certificate authentication. When the browser is configured for this method, the use of SSL client certificates is allowed.

NNM allows for password-based or SSL Certificate authentication methods for user accounts. When creating a user for SSL certificate authentication, use the NNM-make-cert-client utility through the command line on the NNM server.


Configure NNM for Certificates

To allow SSL certificate authentication, you must first configure the NNM web server with a server certificate and CA.

This process allows the web server to trust certificates created by the CA for authentication purposes. Generated files related to certificates must be owned by root:root and, by default, have the correct permissions.

This section contains the following instructions:

• Create a Custom CA and Server Certificate

• Create NNM SSL Certificates for Login

• Connect with Certificate Enabled Browser


Create a Custom CA and Server Certificate

Steps

1. Optionally, create a new custom CA and server certificate for the NNM server using the NNM-make-cert command. This places the certificates in the correct directories.

2. When prompted for the host name, enter the DNS name or IP address of the server as it is entered in the browser (e.g., https://hostname:8835/ or https://ipaddress:8835/). The default certificate uses the host name.

3. If you wish to use a CA certificate instead of the NNM generated one, make a copy of the self-signed CA certificate using the appropriate command for your OS:

Operating System  Command

Linux  # cp /opt/nnm/var/nnm/ssl/cacert.pem /opt/nnm/var/nnm/ssl/ORIGcacert.pem

Windows  copy \ProgramData\Tenable\NNM\nnm\ssl\cacert.pem C:\ProgramData\Tenable\NNM\nnm\ssl\ORIGcacert.pem

macOS  # cp /Library/NNM/var/nnm/ssl/cacert.pem /Library/NNM/var/nnm/ssl/ORIGcacert.pem

4. If the authentication certificates are created by a CA other than the NNM server, the CA certificate must be installed on the NNM server. Copy the organization's CA certificate to the appropriate location for your OS:

Operating System File Location

Linux /opt/nnm/var/nnm/ssl/cacert.pem

Windows C:\ProgramData\Tenable\NNM\nnm\ssl\cacert.pem

macOS /Library/NNM/var/nnm/ssl/cacert.pem

5. Once the CA is in place, restart the NNM services.


6. After NNM is configured with the proper CA certificate(s), users may log in to NNM using SSL client certificates.


Create NNM SSL Certificates for Login

To log in to an NNM server with SSL certificates, you must create the certificates using the NNM-make-cert command.

Note: When asked if you want to create a server certificate, select no to be prompted for the user certificate information.

Steps

1. On the NNM server, run the NNM-make-cert command.

Operating System Command

Linux # /opt/nnm/bin/nnm-make-cert

Windows C:\Program Files\Tenable\NNM\nnm-make-cert

macOS # /Library/NNM/bin/nnm-make-cert

2. Configure the client certificate by answering the various questions.

The client certificates generate in a temporary directory.

Operating System  Directory

Linux  /tmp/

Windows  C:\users\<username>\AppData\Local\Temp, where <username> is the user currently logged in.

macOS  /tmp/

3. Two files are created in the temporary directory. In an example where the user name is admin, the files cert_admin.pem and key_admin.pem are created. These two files must be combined and exported into a format that may be imported into the web browser, such as .pfx. You can accomplish this with the openssl program and the following command:


openssl pkcs12 -export -out combined_admin.pfx -inkey key_admin.pem -in cert_admin.pem -chain -CAfile /opt/nnm/var/nnm/ssl/cacert.pem -passout 'pass:password' -name 'NNM User Certificate for: admin'

The resulting file combined_admin.pfx is created in the directory from which the command is launched. This file must then be imported into the web browser’s personal certificate store.

Note: The username you enter must correspond with an existing username in NNM. By default, NNM has only one administrative user. If you add another administrative user, then you can use more than one certificate.

4. Configure the NNM server for certificate authentication using the appropriate command for your OS. Once certificate authentication is enabled, username and password login is disabled.

Operating System  Command

Linux  # /opt/nnm/bin/nnm --config "Enable SSL Client Certificate Authentication" "1"

Windows  C:\Program Files\Tenable\NNM\nnm --config "Enable SSL Client Certificate Authentication" "1"

macOS  # /Library/NNM/bin/nnm --config "Enable SSL Client Certificate Authentication" "1"


Connect to NNM with a User Certificate

Steps

1. In a web browser, navigate to https://<ip address or hostname>:8835.

The browser displays a list of available certificates.

2. Select the appropriate certificate.

The certificate becomes available for the current NNM session.

3. Click the Sign In button.

You are automatically logged in as the designated user and NNM can be used normally.

Note: If you log out of NNM, the standard NNM login screen appears. If you want to log in with the same certificate, refresh your browser. If you want to use a different certificate, restart your browser session.
