Log Correlation Engine Rules Update

Tenable has released several new PRM libraries and TASL scripts. This blog entry details the changes and how Tenable customers can obtain them.

PRM Updates

dns_bind.prm

New rules to parse zone transfer updates.

Added rule for generic "IP deny" events.

firewall_cisco_pix.prm

Added rule for generic "IP deny" events.

firewall_netscreen.prm

Added rules to detect authorized SNMP polling and running policy configuration changes.

mail_postfix.prm

Added rule to process rejected logs due to Spamhaus filtering.

nbad_arbor.prm

This new library has rules to parse events from the Arbor network behavioral anomaly detection products. Incidentally, the nids_stealthwatch.prm was renamed to nbad_stealthwatch.prm.

os_win2k_sys.prm

New rules were added to identify unexpected Windows service crashes, as well as application faults due to failed memory write attempts. These may be generated by failed buffer overflow or worm attacks. These events are also consumed by the new windows_crashes_and_restarts.tasl script that looks for these events occurring across multiple hosts.

PRM_mappings.prm

This PRM library does not contain any rules, but does include a list of all PRM IDs used by all libraries. This is useful to have for TASL writers and for choosing new IDs for new PRM rules.

router_cisco.prm

New rules for "RSH" connection attempts as well as link "up" and "down" messages.

ssh_openssh.prm

New rule added for processing of user login attempts which don't have executable shells.

virus_clamav.prm

A new PRM library to analyze logs generated by the Clam Anti Virus application. Multiple PRM rules are used to normalize detected viruses as Trojans, Worms, Phishing attempts and so on.

vpn_cisco_concentrator.prm

The regular expressions were modified to handle logs from systems specified by an IP address or a DNS name. Also, administrator login success events and failures now generate specific events.

TASL Updates

detect_change.tasl

Now processes change detection events for NetScreen firewalls.

ids_event_followed_by_change.tasl

This TASL has been updated to include alerts from Arbor devices. In addition, it now also considers normalized Snort IDS events for detected executable code in motion.

standard_deviation_long_term.tasl

This TASL has also been updated to include alerts from Arbor devices.

windows_crashes_and_restarts.tasl

This TASL looks for many different types of Windows events, including new events added to the os_win2k_sys.prm library. These rules identify unexpected Windows service crashes, Windows restarts due to crashes as well as application faults due to failed memory write attempts. These may be generated by failed buffer overflow or worm attacks. The script looks for these events occurring across multiple hosts.

Obtaining These Rules

To obtain a particular PRM library, a user can use the UNIX wget program to load the file directly from the www.tenablesecurity.com web site. below is an example of a user obtaining the os_linux.prm file:

wget http://www.tenablesecurity.com/os_linux.prm .

The period is needed and means to place the file in the local directory. If this command were executed from the /usr/thunder/daemons/plugins directory, a user would just need to make sure the file is owned by user 'thunder' and then restart the thunderd service. To restart the Log Correlation Engine, please run:

/etc/rc.d/init.d/thunder restart

The TASL scripts are available for web download from:

http://cgi.tenablesecurity.com/tasl.html

Individual scripts can also be obtained with the wget tool in a similar manner. Here is an example download of the Windows Event Correlator script:

wget http://www.tenablesecurity.com/os_linux.prm . http://cgi.tenablesecurity.com/tasl/windows_event_correlator.tasl

As with PRM libraries, if this command were executed from the /usr/thunder/daemons/plugins directory, a user would just need to make sure the file is owned by user 'thunder' and then restart the thunderd service.