Sentinel provides the ability to cross-reference event data signatures with vulnerability scanner data. You are notified automatically and immediately when an attack is attempting to exploit a vulnerable system. This is accomplished through:
The Advisor feed
Intrusion detection
Vulnerability scanning
The firewall
Advisor provides a cross-reference between event data signatures and vulnerability scanner data. The Advisor feed has both an alert feed and an attack feed. The alert feed contains information about vulnerabilities and threats. The attack feed is a normalization of event signatures and vulnerability plug-ins.
The supported systems are:
Intrusion Detection Systems
Cisco Secure IDS
Enterasys Dragon Host Sensor
Enterasys Dragon Network Sensor
Intrusion.com (SecureNet_Provider)
ISS BlackICE
ISS RealSecure Desktop
ISS RealSecure Network
ISS RealSecure Server
ISS RealSecure Guard
Snort
Symantec Network Security 4.0 (ManHunt)
Symantec Intruder Alert
McAfee IntruShield
Vulnerability Scanners
eEYE Retina
Foundstone Foundscan
ISS Database Scanner
ISS Internet Scanner
ISS System Scanner
ISS Wireless Scanner
Nessus
nCircle IP360
Qualys QualysGuard
You need at least one vulnerability scanner and at least one intrusion detection system, IPS, or firewall from the lists above. The DeviceName (rv31) field of the intrusion detection system or firewall must appear in the event as shown above. The intrusion detection system or firewall must also properly populate the DeviceAttackName (rt1) field (for example, WEB-PHP Mambo uploadimage.php access).
The Advisor feed is sent to the database and then to the Exploit Detection Service. The Exploit Detection Service generates one or two files, depending upon what kind of data has been updated.
Figure 3 Exploit Detection
The Exploit Detection map files are used by the Mapping Service to map attacks to exploits of vulnerabilities.
Vulnerability scanners scan systems (assets) for vulnerable areas. Intrusion detection systems detect attacks (if any) against these vulnerable areas. Firewalls detect whether any traffic is directed at these vulnerable areas. If an attack is associated with a vulnerability of the asset, the asset has been exploited.
The Exploit Detection Service generates two files located in:
<install_directory>/bin/map_data
The two files are attackNormalization.csv and exploitDetection.csv.
The attackNormalization.csv is generated after:
Advisor feed
DAS Startup (if enabled in das_core.xml; disabled by default)
The exploitDetection.csv is generated after one of the following:
Advisor feed
Vulnerability scan
Sentinel server startup (if enabled in das_core.xml; disabled by default)
By default, there are two configured event columns used for exploit detection and they are referenced from a map (all mapped tags have the Scroll icon).
Vulnerability
AttackId
Figure 4 Event Columns
When the Vulnerability field (vul) equals 1, the asset or destination device is exploited. If the Vulnerability field equals 0, the asset or destination device is not exploited.
Sentinel comes preconfigured with the following map names associated with attackNormalization.csv and exploitDetection.csv.
Table 2 Map Name and csv Filename

Map Name | csv Filename
---|---
AttackSignatureNormalization | attackNormalization.csv
IsExploitWatchlist | exploitDetection.csv
There are two types of data sources:
External: Retrieves information from the Collector
Referenced from Map: Retrieves information from a map file to populate the tag.
The AttackId tag uses the Device column (the type of security device, such as Snort) and the AttackSignature column of attackNormalization.csv as keys, and takes its value from the NormalizedAttackID column of that file. The Mapping Service looks for a row where the Device column matches the DeviceName event tag (an intrusion detection system device such as Snort; the device and vulnerability information in the file comes from Advisor and from the Sentinel database) and the AttackSignature column matches the DeviceAttackName event tag (attack information placed in the Sentinel database by Advisor through the Exploit Detection Service). The value of AttackId is the NormalizedAttackID entry in that row.
Figure 5 AttackId and Data Source Information
Figure 6 attackNormalization.csv Sample
The Vulnerability tag has a column entry _EXIST_, which means that the map result value is 1 if the key is in IsExploitWatchlist (the exploitDetection.csv file) or 0 if it is not. The key columns for the Vulnerability tag are IP and NormalizedAttackId. When an incoming event has a DestinationIP event tag that matches the IP column entry and an AttackId event tag that matches the NormalizedAttackId column entry in the same row, the result is one (1). If no single row matches both keys, the result is zero (0).
Figure 7 Vulnerability and Data Source
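The two-step lookup described above for the AttackId tag and the Vulnerability tag, as an added example that is not part of the Sentinel product or this documentation. The column layout of the two sample map files is assumed from the text and the file contents are constructed; the real attackNormalization.csv and exploitDetection.csv may be laid out differently.

```python
import csv
import io

# Constructed sample of attackNormalization.csv (column names taken from the text;
# the real file layout is an assumption). Keys: Device + AttackSignature.
ATTACK_NORMALIZATION_CSV = """Device,AttackSignature,NormalizedAttackID
Snort,WEB-PHP Mambo uploadimage.php access,NA-1001
Cisco Secure IDS,Mambo uploadimage.php,NA-1001
Snort,WEB-MISC robots.txt access,NA-1002
"""

# Constructed sample of exploitDetection.csv (the IsExploitWatchlist map).
# A row means: the scanner found the asset at IP vulnerable to NormalizedAttackId.
EXPLOIT_DETECTION_CSV = """IP,NormalizedAttackId
10.0.0.5,NA-1001
10.0.0.9,NA-1002
"""


def load_attack_normalization(text):
    """Build the AttackId data source: (Device, AttackSignature) -> NormalizedAttackID."""
    rows = csv.DictReader(io.StringIO(text))
    return {(r["Device"], r["AttackSignature"]): r["NormalizedAttackID"] for r in rows}


def load_exploit_watchlist(text):
    """Build the IsExploitWatchlist key set; _EXIST_ means membership is the result."""
    rows = csv.DictReader(io.StringIO(text))
    return {(r["IP"], r["NormalizedAttackId"]) for r in rows}


def map_event(event, normalization, watchlist):
    """Populate AttackId and Vulnerability on a copy of the event, as the Mapping Service does.

    AttackId is the NormalizedAttackID of the row whose Device/AttackSignature match the
    event's DeviceName/DeviceAttackName (None when no row matches). Vulnerability is 1 only
    when (DestinationIP, AttackId) appears together in one row of the watchlist, else 0.
    """
    attack_id = normalization.get((event.get("DeviceName"), event.get("DeviceAttackName")))
    exploited = attack_id is not None and (event.get("DestinationIP"), attack_id) in watchlist
    return {**event, "AttackId": attack_id, "Vulnerability": 1 if exploited else 0}


NORMALIZATION = load_attack_normalization(ATTACK_NORMALIZATION_CSV)
WATCHLIST = load_exploit_watchlist(EXPLOIT_DETECTION_CSV)

if __name__ == "__main__":
    # Constructed Snort event against a host the scanner flagged as vulnerable.
    event = {"DeviceName": "Snort", "DeviceAttackName": "WEB-PHP Mambo uploadimage.php access",
             "DestinationIP": "10.0.0.5"}
    print(map_event(event, NORMALIZATION, WATCHLIST))
```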