Exploit Detection

Sentinel provides the ability to cross-reference event data signatures with vulnerability scanner data.You are notified automatically and immediately when an attack is attempting to exploit a vulnerable system. This is accomplished through:

Advisor provides a cross-reference between event data signatures and vulnerability scanner data. The Advisor feed has both an alert feed and an attack feed. The alert feed contains information about vulnerabilities and threats. The attack feed is a normalization of event signatures and vulnerability plug-ins.

The supported systems are:

You need at least one vulnerability scanner and either an intrusion detection system, IPS, or firewall from each category above. The intrusion detection system and Firewall DeviceName (rv31) must appear in the event as shown above. Also, the intrusion detection system and the firewall must properly populate the DeviceAttackName (rt1) field (for example, WEB-PHP Mambo uploadimage.php access).

The Advisor feed is sent to the database and then to the Exploit Detection Service. The Exploit Detection Service generates one or two files, depending upon what kind of data has been updated.

Figure 3 Exploit Detection

The Exploit Detection map files are used by the Mapping Service to map attacks to exploits of vulnerabilities.

Vulnerability scanners scan for system (asset) vulnerable areas. Intrusion detection systems detects attacks (if any) against these vulnerable areas. Firewalls detect if any traffic is against any of these vulnerable areas. If an attack is associated with any vulnerability, the asset has been exploited.

The Exploit Detection Service generates two files located in:

<install_directory>/bin/map_data

The two files are attackNormalization.csv and exploitDetection.csv.

The attackNormalization.csv is generated after:

The exploitDetection.csv is generated after one of the following:

By default, there are two configured event columns used for exploit detection and they are referenced from a map (all mapped tags have the Scroll icon).

Figure 4 Event Columns

When the Vulnerability field (vul) equals 1, the asset or destination device is exploited. If the Vulnerability field equals 0, the asset or destination device is not exploited.

Sentinel comes preconfigured with the following map names associated with attackNormalization.csv and exploitDetection.csv.

Table 2 Map Name and csv Filename

Map Name

csv Filename

AttackSignatureNormalization

attackNormalization.csv

IsExploitWatchlist

exploitDetection.csv

There are two types of data sources:

The AttackId tag has the Device (type of the security device, such as Snort) and AttackSignature columns set as Keys and uses the NormalizedAttackID column in the attackNormalization.csv file. In a row where the DeviceName event tag (an intrusion detection system device such as Snort, with information filled in by Advisor and Vulnerability information from the Sentinel database) is the same as Device and where the DeviceAttackName event tag (attack information filled in by Advisor information in the Sentinel Database through the Exploit Detection Service) is the same as AttackSignature, the value for AttackId is where that row intersects with the NormalizedAttackID column.

Figure 5 AttackId and Data Source Information

Figure 6 attackNormalization.csv Sample

The Vulnerability tag has a column entry _EXIST_, which means that the map result value is 1 if the key is in IsExploitWatchlist (exploitDetection.csv file) or 0 if it is not. The key columns for the vulnerability tag are IP and NormalizedAttackId. When an incoming event with a DestinationIP event tag that matches the IP column entry and an AttackId event tag that matches the NormalizedAttackId column entry in the same row, the result is one (1). If no match is found in a common row, the result is zero (0).

Figure 7 Vulnerability and Data Source

For trademark and copyright information, see Legal Notices.