Red Hat NETWORK BASIC - USER REFERENCE GUIDE 4.0 User Guide Page 57

Initially, the PVS has no knowledge of your network’s active hosts, so the first packets that the PVS sniffs would trigger
an alert. To avoid this, the PVS can be configured to learn the network over a period of days. Once this period is over, any
“new” traffic would be from a host that did not communicate during the initial training.
To prevent the PVS from having to relearn the network each time it starts, a file can be specified to save the active host
information. This file contains a list of all the current active hosts for the PVS. The scanner also requires that an interval to
update this file be specified. Tenable recommends an update time of at least one day (1440 minutes).
When the PVS logs a new host, the Ethernet address is saved in the message. When the PVS is more than one
hop away from the sniffed traffic, the Ethernet address will be that of the local switch, not the actual host. If the
scanner is deployed in the same collision domain as the sniffed server, the Ethernet address will be accurate.
For DHCP networks, the PVS will detect a “new” host very often. Tenable recommends deploying this feature
on non-volatile networks such as a demilitarized zone (DMZ). Users should also consider analyzing PVS “new”
host alerts with Tenable’s SecurityCenter, which can sort real-time PVS events by networks.
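
The following Python example is added here to model the behaviour described above (a training period, a saved active-host file with an update interval, and the Ethernet address recorded with each new host); it is not Tenable's code and not part of the original guide. The class name, the JSON file layout and the shared-address check are assumptions made for the example, and the addresses are constructed sample data.

```python
import json
import os
import tempfile

class NewHostMonitor:
    """Learn active hosts for a training period, then alert on unseen ones."""

    def __init__(self, state_file, training_minutes, save_interval=1440):
        self.state_file = state_file
        self.training_minutes = training_minutes
        self.save_interval = save_interval      # minutes between file updates
        self.known = {}                         # IP -> Ethernet address seen
        self.start = self.last_save = None
        if os.path.exists(state_file):          # restart: reuse learned hosts
            with open(state_file) as fh:
                state = json.load(fh)
            self.known, self.start = state["known"], state["start"]

    def save(self, minute):
        with open(self.state_file, "w") as fh:
            json.dump({"known": self.known, "start": self.start}, fh)
        self.last_save = minute

    def observe(self, minute, ip, mac):
        """Record one sniffed packet; return an alert dict or None."""
        self.start = minute if self.start is None else self.start
        alert = None
        if ip not in self.known:
            # Assumed heuristic: an Ethernet address already tied to another
            # IP suggests an intermediate device, not the host itself.
            shared = mac in self.known.values()
            self.known[ip] = mac
            if minute - self.start >= self.training_minutes:
                alert = {"ip": ip, "mac": mac, "mac_shared": shared}
        if self.last_save is None or minute - self.last_save >= self.save_interval:
            self.save(minute)
        return alert

def demo():
    # Constructed observations: (minute, source IP, Ethernet address)
    traffic = [(0, "192.0.2.10", "00:00:5e:00:53:01"),
               (900, "192.0.2.11", "00:00:5e:00:53:02"),
               (3100, "192.0.2.99", "00:00:5e:00:53:ff"),
               (3150, "192.0.2.100", "00:00:5e:00:53:ff")]
    path = os.path.join(tempfile.mkdtemp(), "known_hosts.json")
    mon = NewHostMonitor(path, training_minutes=2880)   # two-day training
    alerts = [a for a in (mon.observe(*t) for t in traffic) if a]
    mon.save(3150)
    restarted = NewHostMonitor(path, training_minutes=2880)
    return alerts, restarted.observe(3200, "192.0.2.99", "00:00:5e:00:53:ff")
```

In `demo()`, the two hosts seen during training raise no alert, the two first seen afterwards do, and the restarted monitor stays silent for a host already in the saved file.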
Internal Passive Vulnerability Scanner IDs
What is a Passive Vulnerability Scanner ID?
This section describes the PVS’s advanced signature language for each plugin. Each vulnerability and real-time check
that the PVS performs has a unique associated ID. Since Tenable manages the Nessus vulnerability scanner, we have
added the IDs used by the PVS into the overall Nessus architecture. PVS IDs start from #00000 and go through #10000.
Nessus IDs start from #10001 and extend upward.
Internal Passive Vulnerability Scanner IDs
Some of the PVS’s checks, such as detecting open ports, are built in. The following chart lists some of the more
commonly encountered internal checks and describes what they mean:
| PVS ID | Name | Description |
|--------|------|-------------|
| 00000 | Detection of open port | The PVS has observed a SYN-ACK leave from a server. |
| 00001 | Passive OS Fingerprint | The PVS has observed enough traffic about a server to perform a guess of the operating system. |
| 00002 | Client Side Port Usage | The PVS has observed browsing traffic from a host. |
| 00003 | Internal Client Trusted Connections | The PVS has logged a unique network session of source IP, destination IP and destination port. |
| 00004 | Internal Interactive Sessions | The PVS has detected one or more interactive network sessions between two hosts within your focus network. |
| 00005 | Outbound Interactive Sessions | The PVS has detected one or more interactive network sessions originating from within your focus network and destined for one or more addresses on the Internet. |
| 00006 | Inbound Interactive Sessions | The PVS has detected one or more interactive network sessions originating from one or more addresses on the Internet to this address within your focus network. |
| 00007 | Internal Encrypted Session | The PVS has detected one or more encrypted network sessions between two hosts within your focus network. |