Ron Gula

On Friday April 10, the Conficker worm was supposed to wake up and start network scanning. I grabbed the following screen shot from one of Tenable’s research sites:

I was recently working with a Log Correlation Engine customer who had gone through a typical deployment. Tenable advises customers to carefully consider which system and application logs they want their LCE Clients to send to the LCE server, in addition to a variety of Snort, Firewall and network activity logs. In this case, the customer had recently configured their system to send SSH logs to the LCE whereas before, they were only getting "network" events. When I had the opportunity to chat with them, they were very concerned about various worms or potential intruders performing a network scan such as those shown below:

Nessus plugin #36036 performs a network based check for Windows computers infected with a variant of the Conficker virus. The scan does not need credentials, but does require ports 445 or 139 to be open between the Nessus scanner and your scanned systems.

Tenable has been operating a new “Discussions Forums” web site for all Nessus users and Tenable customers. The forum is located at https://discussions.nessus.org/. It offers the following discussion areas: Announcements Nessus : Scanning Nessus : Reports Nessus : Advanced Nessus : Compliance Checks (*) Nessus : Feature Requests, Bug Reports Security Center (*) Log Correlation Engine (*) Passive Vulnerability Scanner (*) (*) – Customer access only

Tenable CSO Marcus Ranum gave a talk about the limitations of Cyber Warfare at this month's Dojosec in Columbia, Maryland. A video of his presentation, as well all of the other speakers, is now online at Vimeo.