Tenable LCE Updates

Tenable LCE Updates http://www.nessus.org/ Log Correlation Engine Content Updates Nessus News http://www.nessus.org/images/RssLogo.jpg http://www.nessus.org/ Process Accounting and Process Auditing with TASL program_accounting.tasl) which summarizes process execution events for Windows and Unix servers. The new TASL script tracks all Windows process event logs as well as Unix process accounting logs and produces hourly and daily summaries per server.

This makes it very easy to understand which programs have been executed on a server recently or historically. Once a program of interest has been identified, full log searches can be used to determine who and when these programs were executed.

To install the new TASL script, simply download it from the below link, install it into your plugins directory, update your plugins and then restart the Log Correlation Engine.

More information about this TASL is available in a discussion on the Tenable Discussion Portal.

More info]]> http://www.tenablesecurity.com/news/rssview.php?id=229 2009-07-02T08:44:01-04:00 Suoshin PHP Log Parsing Suoshin security enhancements. Suoshin blocks many SQL injection and other web application attacks.

If you make use of Suoshin in your environment, the web_php_suhosin.prm library can be downloaded to your Log Correlation Engine to parse their logs. All Suoshin events have been normalized to an event type of "access-denied".

More info]]> http://www.tenablesecurity.com/news/rssview.php?id=218 2009-07-02T13:44:01-04:00 New Sonicwall and D-Link Firewall Log PRMs

firewall_dlink.prm

firewall_sonicwall2.prm

These polices can be manually downloaded and added to your LCE /opt/lce/daemons/plugins directory, or your can use the lce_update_plugins.pl tool to perform a full update.

More info]]> http://www.tenablesecurity.com/news/rssview.php?id=210 2009-07-02T14:44:01-05:00 System Monitor TASL Script
Each LCE heartbeat message contains a snapshot of the system's existing CPU, memory and disk usage.

The TASL script includes some default levels for global alerting and these can be overridden by editing a file named system_monitor.conf in the local LCE plugins directory.

To install it on your LCE, simply add this TASL script to your plugins directory, optionally configure a system_monitor.conf file and then restart your LCE.

The script will generate events such as:

- LCE-High_CPU_Usage
- LCE-High_Disk_Usage
- LCE-High_Memory_Usage

These events will be contained in the 'lce' type of event.

The script can be downloaded from the below link.
More info]]> http://www.tenablesecurity.com/news/rssview.php?id=198 2009-07-02T10:44:01-05:00 Additional Support for Juniper IDP Syslog Messages

http://nessus.org/nids_netscreen_idp4.prm

This file should be loaded into your plugins directory and then your lced daemon restarted. If you have configured your LCE 3.0 to automatically update new PRM libraries, this file will be installed during your next silo rotation. Thunder users should also place this file in their plugins directory and then manually restart their thunderd process.

More info]]> http://www.tenablesecurity.com/news/rssview.php?id=185 2009-07-02T20:44:01-05:00 Support for McAfee Anti Virus and Cisco 4400 Logs

virus_mcafee.prm

switch_cisco4400.prm

prm_map.prm

Both files should be added to the /usr/thunder/daemons/plugins directory and then the thunderd process should be restarted. If a full plugin update is also performed, these new PRMs will automatically be downloaded and installed.
More info]]> http://www.tenablesecurity.com/news/rssview.php?id=171 2009-07-02T09:44:01-04:00 Foundry FastIron and Windows Filezilla Log Parsers

switch_fastiron.prm

ftp_filezilla.prm

prm_map.prm

Both files should be added to the /usr/thunder/daemons/plugins directory and then the thunderd process should be restarted. If a full plugin update is also performed, these new PRMs will automatically be downloaded and installed.

More info]]> http://www.tenablesecurity.com/news/rssview.php?id=168 2009-07-02T13:44:01-04:00 PRM Library for Cisco NAC

nac_cisco.prm

prm_map.prm

Both files should be added to the /usr/thunder/daemons/plugins directory and then the thunderd process should be restarted. If a full plugin update is also performed, these new PRMs will automatically be downloaded and installed.

More info]]> http://www.tenablesecurity.com/news/rssview.php?id=164 2009-07-02T11:44:01-04:00 ISA Firewall and MailScanner Policy Files
Links for these policies, as well as an updated event name map are below:

firewall_isa_snare.prm

mail_scanner.prm

prm_map.prm

Performing a plugin update will automatically place these files in your ~/daemons/plugins directory. Otherwise, these files can be manually downloaded and placed there. After they are in place, restarting your thunderd process will make these files live.

Below is a link to the official Mail Scanner web site:

More info]]> http://www.tenablesecurity.com/news/rssview.php?id=155 2009-07-02T09:44:01-04:00 Support for TopLayer IPS Logs

nids_toplayer.prm

prm_map.prm

Both of these files should be manually placed in your plugins directory on your LCE. Also, if you perform a full plugin update, the new library will be automatically added as well. Be sure to restart the thunderd process after the new files are loaded.

More info]]> http://www.tenablesecurity.com/news/rssview.php?id=150 2009-07-02T09:44:01-04:00