Tenable LCE Updates
http://www.nessus.org/
Log Correlation Engine Content UpdatesNessus Newshttp://www.nessus.org/images/RssLogo.jpg
http://www.nessus.org/
ISA Firewall and MailScanner Policy Files
Links for these policies, as well as an updated event name map are below:
Performing a plugin update will automatically place these files in your ~/daemons/plugins directory. Otherwise, these files can be manually downloaded and placed there. After they are in place, restarting your thunderd process will make these files live.
Below is a link to the official Mail Scanner web site:
More info]]>
http://www.tenablesecurity.com/news/rssview.php?id=155
2008-09-07T09:33:00-04:00Support for TopLayer IPS Logs
Both of these files should be manually placed in your plugins directory on your LCE. Also, if you perform a full plugin update, the new library will be automatically added as well. Be sure to restart the thunderd process after the new files are loaded.
More info]]>
http://www.tenablesecurity.com/news/rssview.php?id=150
2008-09-07T09:33:00-04:00Support for F5 Big IP Application Firewall Logs
Make sure to restart your thunderd process after installing these new libraries.
More info]]>
http://www.tenablesecurity.com/news/rssview.php?id=146
2008-09-07T13:33:00-04:00Support for Cisco ACS Log Filesauth_cisco_acs.prm.
This new PRM file should be downloaded to your /usr/thunder/daemons/plugins directory and your thunderd process restarted. In addition, if you are making use of any TASL scripts, the prm_map.prm file should also be updated prior to restarting the thunderd process.
More info]]>
http://www.tenablesecurity.com/news/rssview.php?id=142
2008-09-07T13:33:00-04:00F5 Local Traffic Manager Log support
This new PRM file can be downloaded from here and then placed in your /usr/thunder/daemons/plugins directory. An updated prm_map.prm file is also available. Performing a full plugin update will also add this new rule to your Log Correlation Engine. The thunderd process must also be restarted after the plugin update.
Directions and references on how to configure the F5 LTM are included in the comments of the new PRM file.
More info]]>
http://www.tenablesecurity.com/news/rssview.php?id=140
2008-09-07T17:33:00-04:00New and Updated PRM Libraries
Performing an automated plugin update with the thunder-update-plugins.sh script located in the /usr/thunder/daemons directory will add these new libraries to your Log Correlation Engine. Once updated, the thunderd process must be restarted.
To see a list of all normalized LCE events, click on the below link: More info]]>
http://www.tenablesecurity.com/news/rssview.php?id=134
2008-09-07T21:33:00-04:00Discrete Anomaly Event Typesstats daemon have recently been modified to provide more fidelity when analyzing statistical anomalies.
Previously, the normalization process categorized all anomalies into generic types of "Large Anomaly", "Medium Anomaly" or just an "Anomaly".
This new rule set creates events based on the "type" of event that created the anomaly. For example, here are some example new event names:
Statistics-User_Activity_Anomaly
Statistics-Login_Failure_Anomaly
Statistics-Network_Large_Anomaly
There are more than 100 new rules to support minor, regular, medium and large anomaly levels for all unique LCE event types. Having rules with this type of fidelity makes it much easier to focus on event types (such as logins) in which a minor statistical anomaly could be rather important.
To update your LCE, please use the following links:
The ids event followed by change TASL script was modified to look for Large and Medium statistical anomalies in the connection rates of profiled hosts.
The standard deviation long term TASL script was modified to look for Large and Medium events from the new PRM library.
Follow the link below to learn more about how the LCE's stats engine profiles all of the logs from each host to look for anomalies: More info]]>
http://www.tenablesecurity.com/news/rssview.php?id=128
2008-09-07T20:33:00-04:00Support for Emerging Threats Project Content
A new PRM library named nids_snort_emergingthreats.prm is now available that can normalize Snort logs running the Emerging Threats rule base.
Version 2.4.3 of the Blacklist perl script is now available from the customer support portal and includes support for IP address correlation with known botnets, the Russian Business Network and known compromised hosts. The lce_tasl.prm library has also been updated to parse these new types of blacklist correlation rules.
The existing nids_snort.prm library has had support for the previous Bleeding Threats signature database removed.
If you are using any TASL scripts, then also be sure to update the prm_map.prm file. This file is referenced by many TASL scripts as an index of all normalized log event names.
More info]]>
http://www.tenablesecurity.com/news/rssview.php?id=127
2008-09-07T20:33:00-04:00Updated Cyberguard PRM Filefirewall_cyberguard.prm library has been updated with support for logs from Cyberguard TSP1250 appliances.
To update your Log Correlation Engine, either run a plugins update, or manually download the updated file with the link below, place it in your /usr/thunder/daemons/plugins directory and restart the thunderd process. More info]]>
http://www.tenablesecurity.com/news/rssview.php?id=120
2008-09-07T15:33:00-05:00Cisco FSWM Library Update
To obtain this updated PRM library, follow the link below and place this library into your plugins directory in /usr/thunder/daemons/plugins and then restart the thunderd process. If you are using TASL correlation scripts, also download the latest prm_map.prm file and replace it in the same plugins directory before restarting. More info]]>
http://www.tenablesecurity.com/news/rssview.php?id=116
2008-09-07T17:33:00-05:00