Exploit Detection immediately sends a notification when an attack attempts to exploit a system that is known to be vulnerable to it. The Exploit Detection feature depends on the following:
Both vulnerability scanners and the intrusion detection systems must report vulnerabilities and attacks against the same set of systems. In Sentinel, systems are identified by their IP addresses and their MSSP Customer Name. The MSSP Customer Name is a namespace identifier that prevents overlapping IP ranges from matching incorrectly.
The vulnerability scanner and intrusion detection system products must be supported by the Advisor service. This data uses specific product identifiers to ensure proper matching.
The specific reported attacks and vulnerabilities must be known to the Advisor service and Exploit Detection.
All Collectors shipped by Novell meet these requirements, as long as they are declared as being supported by Advisor. To write your own vulnerability or intrusion detection Collector, or to modify one of the shipped Collectors, refer to the Sentinel Plug-in SDK for specific information about which event and vulnerability fields must be filled in to support this service.
The following table lists the supported products with their associated device type (IDS for intrusion detection system, VULN for vulnerability scanners, and FW for firewall).
Table 1 Supported Products and the Associated Device Types
To enable exploit detection, the Sentinel Collectors must populate several variables as expected. Collectors built by Novell populate these variables by default.
In both the intrusion detection system and vulnerability Collectors, the RV31 (DeviceName) variable in the event must be set to the value in the RV31 column of Table 1. This string is case sensitive.
In the intrusion detection system Collector, DIP (Destination or Target IP) must be populated with the IP address of the machine that is being attacked.
In the intrusion detection system Collector, RT1 (DeviceAttackName) must be set to the attack name or attack code used by that intrusion detection system.
In both the intrusion detection system and vulnerability Collectors, the RV39 (MSSPCustomerName) value must be populated. For a standard corporation, the value can be anything. For a Managed Security Service Provider (MSSP), the customer name should be set per individual customer. In either case, the value in the intrusion detection system Collector must exactly match the value in the vulnerability Collector, because this value is the namespace that keeps overlapping IP ranges from matching incorrectly.
The Mapping Service uses these values to populate the VULN field in the event, and that field is then used to evaluate incoming events and determine whether a vulnerability is exploited or not. When the vulnerability field (VULN) equals 1, the asset or destination device is exploited. When the vulnerability field equals 0, the asset or destination device is not exploited.
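The following is an added illustration of the matching described above, not Sentinel code and not the Mapping Service's actual implementation. It models the three requirements as data: vulnerability records keyed by (RV39, IP) from a scanner Advisor supports, an Advisor-style lookup from (RV31, RT1) to the vulnerability identifiers an attack is known to exploit, and the resulting VULN value on the event. The product names, attack codes, vulnerability identifiers and IP addresses are all constructed placeholders, and the table-driven Advisor lookup is an assumption about how the matching could be represented.

```python
"""Toy model of exploit detection matching (added example, not Sentinel code)."""
from dataclasses import dataclass

# Hypothetical stand-in for Advisor data (constructed): which RV31 product strings
# are supported per device type. RV31 comparison is case sensitive, as on the page.
ADVISOR_SUPPORTED = {"IDS": {"ExampleIDS"}, "VULN": {"ExampleScanner"}}

# Hypothetical stand-in for Advisor attack data (constructed): (RV31, RT1) of the
# IDS product and its attack code -> vulnerability ids that attack is known to exploit.
ADVISOR_ATTACK_TO_VULNS = {
    ("ExampleIDS", "SMB-OVERFLOW-1"): {"VULN-EX-0001"},
    ("ExampleIDS", "HTTP-DIR-TRAV"): {"VULN-EX-0002"},
}


@dataclass(frozen=True)
class VulnRecord:
    """One finding reported by the vulnerability Collector."""
    rv31: str     # DeviceName of the scanner product
    rv39: str     # MSSPCustomerName namespace
    ip: str       # scanned host
    vuln_id: str  # vulnerability identifier as known to Advisor


@dataclass
class Event:
    """One attack event reported by the intrusion detection Collector."""
    rv31: str      # DeviceName of the IDS product
    rv39: str      # MSSPCustomerName namespace
    dip: str       # destination / target IP
    rt1: str       # DeviceAttackName
    vuln: int = 0  # filled in by map_vuln_field: 1 exploited, 0 not


def build_vuln_index(records):
    """Index vulnerability findings by (RV39, IP). Findings from scanner products
    Advisor does not support are skipped, since they cannot be matched."""
    index = {}
    for r in records:
        if r.rv31 not in ADVISOR_SUPPORTED["VULN"]:
            continue
        index.setdefault((r.rv39, r.ip), set()).add(r.vuln_id)
    return index


def map_vuln_field(event, vuln_index):
    """Populate event.vuln: 1 when the attack named by (RV31, RT1) is known to exploit
    a vulnerability recorded for (RV39, DIP), otherwise 0. Returns the event."""
    if event.rv31 not in ADVISOR_SUPPORTED["IDS"]:
        event.vuln = 0  # unsupported or mis-cased product string never matches
        return event
    known = ADVISOR_ATTACK_TO_VULNS.get((event.rv31, event.rt1), set())
    present = vuln_index.get((event.rv39, event.dip), set())
    event.vuln = 1 if known & present else 0
    return event


# Constructed sample data: two customers whose address space overlaps on 10.0.0.5.
SAMPLE_VULNS = [
    VulnRecord("ExampleScanner", "AcmeCorp", "10.0.0.5", "VULN-EX-0001"),
    VulnRecord("ExampleScanner", "OtherCo", "10.0.0.5", "VULN-EX-0002"),
    VulnRecord("UnsupportedScanner", "AcmeCorp", "10.0.0.9", "VULN-EX-0001"),
]


def evaluate_samples():
    """Run a few representative events through the matching and return their VULN values."""
    index = build_vuln_index(SAMPLE_VULNS)
    cases = {
        # attack hits the vulnerability the scanner found on this customer's host
        "exploited": Event("ExampleIDS", "AcmeCorp", "10.0.0.5", "SMB-OVERFLOW-1"),
        # same IP and attack, but the other customer's namespace: different host, no match
        "wrong_namespace": Event("ExampleIDS", "OtherCo", "10.0.0.5", "SMB-OVERFLOW-1"),
        # attack targets a vulnerability this host does not have
        "not_vulnerable": Event("ExampleIDS", "AcmeCorp", "10.0.0.5", "HTTP-DIR-TRAV"),
        # RV31 is case sensitive, so a mis-cased product string never matches
        "bad_case_rv31": Event("exampleids", "AcmeCorp", "10.0.0.5", "SMB-OVERFLOW-1"),
        # attack code Advisor does not know
        "unknown_attack": Event("ExampleIDS", "AcmeCorp", "10.0.0.5", "ZZZ-UNKNOWN"),
        # finding came from a scanner Advisor does not support, so it was never indexed
        "unsupported_scanner": Event("ExampleIDS", "AcmeCorp", "10.0.0.9", "SMB-OVERFLOW-1"),
    }
    return {name: map_vuln_field(ev, index).vuln for name, ev in cases.items()}


if __name__ == "__main__":
    for name, vuln in evaluate_samples().items():
        print(f"{name:20s} VULN={vuln}")
```

The `wrong_namespace` case is the one worth noticing when validating a deployment: two customers can both own 10.0.0.5, and only the RV39 value keeps one customer's scan result from being applied to the other's intrusion events. A quick way to check a pair of Collectors is to compare the distinct RV39 and RV31 values each one emits; any value present on one side but not the other will silently produce VULN=0 for every event from that source.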
For trademark and copyright information, see Legal Notices.