Tenable Passive Vulnerability Scanner – IDS / Sniffer / Scanner ?

I was reading about Tenable's new Passive Vulnerability Scanner (PVS), which can monitor traffic for as many as 25,000 systems while passively detecting vulnerabilities.

From the PVS datasheet, it can continuously monitor the traffic for a variety of security related information including:

  • Keeping track of all client and server application vulnerabilities
  • Detecting when an application is compromised or subverted
  • Detecting which applications and servers host or transmit sensitive data
  • Detecting when new hosts are added to the network
  • Detecting when an internal system begins to port scan other systems
  • Highlighting all interactive and encrypted network sessions
  • Tracking exactly which systems communicate with other internal systems
  • Detecting which ports are served and which ports are browsed for each individual system
  • Passively determining the type of operating system of each active host
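To make the datasheet bullets above concrete, here is an added example (my own toy code, not Tenable's PVS) of the kind of logic a passive sensor runs over flow records it sees on a SPAN port: it records when a host is first seen, keeps "ports served" (the destination actually answered) separate from "ports browsed" (the source merely connected), tracks which internal systems talk to each other, and raises a port-scan alert when one internal source sends unanswered probes to many distinct ports on one destination. The flow records, the 10.0.0.0/8 internal prefix and the probe threshold are all constructed assumptions.

```python
"""Toy passive network monitor (added example, not Tenable PVS code).

Consumes constructed flow records the way a sensor on a SPAN port or tap
would see them and derives a passive inventory: hosts first seen, ports
each host serves and browses, internal peer relationships, and internal
hosts that begin port-scanning other systems.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed internal prefix (constructed)
SCAN_THRESHOLD = 10                    # unanswered distinct ports from one src to one dst

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port, replied).
# replied=True means the destination answered, i.e. the port is really served.
FLOWS = [
    (1, "10.0.0.5", "10.0.0.20", 80, True),
    (2, "10.0.0.5", "10.0.0.20", 443, True),
    (3, "10.0.0.6", "10.0.0.20", 80, True),
    (4, "10.0.0.6", "203.0.113.9", 443, True),
    (5, "10.0.0.7", "10.0.0.20", 25, True),
]
# One internal host probing 24 ports on the server; only 22 and 80 answer.
FLOWS += [(10 + p, "10.0.0.9", "10.0.0.20", p, p in (22, 80))
          for p in range(1, 25)]


class PassiveMonitor:
    """Derives host inventory and scan alerts purely from observed flows."""

    def __init__(self, internal=INTERNAL, scan_threshold=SCAN_THRESHOLD):
        self.internal = internal
        self.scan_threshold = scan_threshold
        self.first_seen = {}                # host -> first timestamp observed
        self.served = defaultdict(set)      # host -> ports it answered on
        self.browsed = defaultdict(set)     # host -> ports it connected to
        self.peers = defaultdict(set)       # host -> internal hosts it talked to
        self._unanswered = defaultdict(set) # (src, dst) -> distinct ports never answered
        self.alerts = []                    # ("new-host", host, ts) / ("port-scan", src, dst)

    def _is_internal(self, host):
        return ip_address(host) in self.internal

    def observe(self, ts, src, dst, dport, replied):
        # New-host detection: first time either endpoint appears on the wire.
        for host in (src, dst):
            if host not in self.first_seen:
                self.first_seen[host] = ts
                self.alerts.append(("new-host", host, ts))
        # Browsed vs. served: only a reply proves the port is really open.
        self.browsed[src].add(dport)
        if replied:
            self.served[dst].add(dport)
        # Internal-to-internal communication map.
        if self._is_internal(src) and self._is_internal(dst):
            self.peers[src].add(dst)
            self.peers[dst].add(src)
        # Port-scan heuristic: an internal source accumulating unanswered
        # probes to many distinct ports on one destination. The alert fires
        # exactly once, when the set reaches the threshold.
        if not replied and self._is_internal(src):
            probes = self._unanswered[(src, dst)]
            probes.add(dport)
            if len(probes) == self.scan_threshold:
                self.alerts.append(("port-scan", src, dst))

    def feed(self, flows):
        for flow in sorted(flows):          # process in timestamp order
            self.observe(*flow)
        return self


def summarize(flows=FLOWS):
    """Run the monitor over the flows and return a plain-dict report."""
    m = PassiveMonitor().feed(flows)
    return {
        "new_hosts": [a[1] for a in m.alerts if a[0] == "new-host"],
        "served": {h: sorted(p) for h, p in m.served.items()},
        "browsed": {h: sorted(p) for h, p in m.browsed.items()},
        "peers": {h: sorted(p) for h, p in m.peers.items()},
        "scanners": sorted({a[1] for a in m.alerts if a[0] == "port-scan"}),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(key, value)
```

The point the split between `served` and `browsed` makes is the one the post circles around: a scanned-but-closed port never shows up as served, so the inventory reflects what the host actually exposes, while the scanner itself is flagged from the unanswered probes. Hosts that never send or receive a packet stay invisible, which is exactly the limitation raised in the comment below.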

I have to admit that this sounds like a cool combination of IDS and sniffer devices, and it sure helps to have an all-seeing eye inside your network. The part that I don't get in PVS is the "Scanner".

Each PVS is deployed like a sniffer: it needs to be attached to a switch SPAN port or a network tap, or it can be deployed directly on commonly used servers.

Again, this deployment scenario is typically that of a network sniffer performing protocol encapsulation and analysis.
By definition, a vulnerability scanner is a proactive security control, whereas an IDS is a reactive control.

Of course, using an IDS may prevent some successful exploits from taking over a specific system (incident response tickets can take care of this), but labeling a system as vulnerable just because PVS has detected malicious traffic to or from that system is a reactive security action.

I guess this is the reason Tenable strongly recommends using a combination of scanning, host-based and passive monitoring. But still, how can a passive network sniffer qualify as a vulnerability scanner?

Update: The Passive Vulnerability Scanner's plugin rule base was recently updated with new logic to recognize a variety of client-side account information for services such as AIM, MySpace and many others.

  • 1329 return email addr
  • 2341 POP3 User
  • 2600 MSN Messenger UserID
  • 2609 PGP Sender email
  • 3018 HTTP Base64 encoded credentials
  • 3954 IDA Pro UserID
  • 4082 AOL Instant Messenger user enumeration
  • 4098 IMAP UserID enumeration
  • 9000 Myspace UserID
  • 9001 Facebook UserID
  • 9003 Xanga UserID
  • 9005 gmail userID
  • 9006 XM Radio UserID
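As an added illustration of what rules like "2341 POP3 User", "4098 IMAP UserID enumeration" and "3018 HTTP Base64 encoded credentials" have to do, here is my own toy detector (not Tenable's plugin code) run over a few constructed cleartext sessions. It matches the credential-carrying lines of each protocol, decodes the HTTP Basic token, and reports only the account name and where it was seen; the password is discarded on purpose, since the defensive value is knowing which accounts travel in the clear so the service can be moved onto TLS, not collecting secrets. The session payloads and addresses are constructed.

```python
"""Toy cleartext-credential exposure detector (added example, not Tenable's code).

Inspects constructed application payloads the way a passive sensor would
and reports which account names are being sent unencrypted. Passwords
are never stored or returned.
"""
import base64
import binascii
import re

# One regex per protocol; all operate on bytes, line by line (re.M).
BASIC_RE = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.I | re.M)
POP3_USER_RE = re.compile(rb"^USER\s+(\S+)\s*$", re.M)
IMAP_LOGIN_RE = re.compile(rb'^\S+\s+LOGIN\s+"?([^\s"]+)"?\s+\S+', re.I | re.M)


def decode_basic(token):
    """Return the user name from an HTTP Basic token, or None if it is not
    valid base64 of the form user:password."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    user, sep, _password = raw.partition(b":")   # password intentionally dropped
    if not sep or not user:
        return None                               # no colon or empty user name
    return user.decode("utf-8", "replace")


def _as_text(match_bytes):
    return match_bytes.decode("utf-8", "replace")


# (rule name, regex, extractor applied to the captured group)
RULES = [
    ("http-basic-credentials", BASIC_RE, decode_basic),
    ("pop3-user", POP3_USER_RE, _as_text),
    ("imap-login-user", IMAP_LOGIN_RE, _as_text),
]

# Constructed sessions: client, server, port and the cleartext bytes observed.
SESSIONS = [
    {"client": "10.0.0.6", "server": "10.0.0.20", "port": 80,
     "payload": (b"GET /admin HTTP/1.1\r\nHost: intranet\r\n"
                 b"Authorization: Basic YWxpY2U6czNjcmV0\r\n\r\n")},   # alice:s3cret
    {"client": "10.0.0.7", "server": "10.0.0.21", "port": 110,
     "payload": b"USER bob@example.com\r\nPASS hunter2\r\n"},
    {"client": "10.0.0.8", "server": "10.0.0.21", "port": 143,
     "payload": b'a001 LOGIN carol "pw"\r\n'},
    {"client": "10.0.0.9", "server": "10.0.0.20", "port": 80,
     "payload": b"GET / HTTP/1.1\r\nAuthorization: Basic anVzdHRva2Vu\r\n\r\n"},  # no colon: ignored
]


def find_exposed_accounts(session):
    """Apply every rule to one session; return a finding per matched account."""
    findings = []
    for rule, regex, extract in RULES:
        for m in regex.finditer(session["payload"]):
            user = extract(m.group(1))
            if user:
                findings.append({
                    "rule": rule,
                    "user": user,
                    "client": session["client"],
                    "server": session["server"],
                    "port": session["port"],
                })
    return findings


def scan_sessions(sessions=SESSIONS):
    """Run the detector over all sessions and return the combined findings."""
    return [f for s in sessions for f in find_exposed_accounts(s)]


if __name__ == "__main__":
    for finding in scan_sessions():
        print(finding)
```

Two design choices worth noting: `validate=True` makes the Base64 decoder reject junk instead of silently producing garbage, and a token that decodes but has no `user:` prefix is dropped rather than reported, so the output stays a list of real account exposures rather than every line that looked vaguely like a credential.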

Pretty cool spying tools 🙂.


One Response to “Tenable Passive Vulnerability Scanner – IDS / Sniffer / Scanner ?”

  • 1
    June 20th, 2007 07:12

    I’ve always been torn as to whether I’m comfortable using the term “scanner” for passive technologies and I can never quite make up my mind.

    I understand Tenable’s perspective that it’s not just a sniffer or IDS and it really is relying on logic that much more closely resembles an active scanner, but it also will never, ever, be able to catch hosts that just aren’t talking. Of course, active scanners do diddly squat for client-vulns without credentials, so there definitely are advantages to each.
