Tutorial: Using Sentinel's Exploit Detection

Author Info

11 April 2007 - 2:25am
Submitted by: poetiker

Problem

We need to implement Sentinel's Exploit Detection functionality.

Solution

1. Unzip the 3 subfolders in the ED-DemoCollectors.zip file into the Elements folder.

2. Configure 3 new ports in Collector Builder with the following port options.

Figure 1 - Port options in Collector Builder

3. Click Save.

You will now get this reminder:

Figure 2 - Wizard warning

4. Click OK.

5. Click the Upload/Download button to display the upload/download dialog.

Figure 3 - Upload/Download dialog

6. Click Upload. You will see the Transfer Progress window:

Figure 4 - Transfer Progress window

7. Install the Advisor component from the install CD, choosing the standalone configuration. The advisor feed folder should be something like "advisorfeed" or "advisor_data" in the %ESEC_HOME%\sentinel directory.

8. Open a web browser and point it to http://advisor.esecurityinc.com.

9. Use the Advisor user name and password to log in.

10. Click Downloads. This takes you to the attack and alert downloads.

11. From each of these, select the latest folder and download the 'all' file from it.

12. Unzip these into two separate folders on your system. One should be called 'attack' and the other should be called 'alert'. Put the alert files into the alert folder and the attack files into the attack folder.

13. Move the alert and attack folders into the advisorfeed or advisor_data folder in %ESEC_HOME%\sentinel\ (Windows) or $ESEC_HOME/sentinel (Linux).

14. Run advisor.bat (Windows) or advisor.sh (Linux). This should run for a while (on my system, this takes up to 10 minutes the first time around).

15. Start the ports named "AssetImport" and "VulnerabilitesImport". They should run for a couple of seconds and then automatically stop.

Figure 5 - Port descriptions

When you run the port "DemoAttacks", you should see attack events in Sentinel Control Center. One of these events should have the 'vulnerability' meta-tag (column) set to 1. This indicates that Sentinel's exploit detection has determined that the attack maps to a known vulnerability on that system. You can now right-click on the event and see the asset, vulnerability, and advisor data for this host/attack/vulnerability combination.
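The file-staging part of steps 12 through 14 is easy to get wrong (wrong folder name, an empty attack or alert folder), so here is a small POSIX sh helper that stages the feed and refuses to run advisor.sh until both folders are populated. This is an added example, not code from the tutorial or from Sentinel; it assumes ESEC_HOME points at the Sentinel install, that the feed folder is named advisorfeed or advisor_data under $ESEC_HOME/sentinel, and (an assumption of this example) that advisor.sh lives in $ESEC_HOME/sentinel.

```shell
#!/bin/sh
# Added example (not from the original tutorial): stage and verify the
# Advisor feed folders from steps 12-14 before running advisor.sh.
# Assumption: $ESEC_HOME is the Sentinel install directory.

# Print the path of the Advisor feed folder, or fail if neither name exists.
advisor_feed_dir() {
  for name in advisorfeed advisor_data; do
    if [ -d "$1/sentinel/$name" ]; then
      echo "$1/sentinel/$name"
      return 0
    fi
  done
  echo "no advisorfeed or advisor_data folder under $1/sentinel" >&2
  return 1
}

# Copy the unzipped 'alert' and 'attack' folders (step 12) from the
# download directory $1 into the feed folder under ESEC_HOME $2 (step 13).
stage_feed() {
  feed=$(advisor_feed_dir "$2") || return 1
  for sub in alert attack; do
    [ -d "$1/$sub" ] || { echo "missing $1/$sub" >&2; return 1; }
    mkdir -p "$feed/$sub"
    cp -R "$1/$sub/." "$feed/$sub/"
  done
}

# Verify both feed subfolders exist and are non-empty; advisor.sh has
# nothing to load (and exploit detection nothing to map) otherwise.
check_feed() {
  feed=$(advisor_feed_dir "$1") || return 1
  for sub in alert attack; do
    [ -d "$feed/$sub" ] || { echo "missing $feed/$sub" >&2; return 1; }
    [ -n "$(ls -A "$feed/$sub")" ] || { echo "$feed/$sub is empty" >&2; return 1; }
  done
}

# Run advisor.sh (step 14) only after the feed passes the check.
# Assumption: advisor.sh is located in $ESEC_HOME/sentinel.
run_advisor() {
  check_feed "$1" || return 1
  "$1/sentinel/advisor.sh"
}
```

Typical use is `stage_feed ~/Downloads/advisor "$ESEC_HOME" && run_advisor "$ESEC_HOME"`; a missing or empty folder is reported on stderr and advisor.sh is not started.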


Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).

It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.

© 2013 Novell