How Exploit Detection Works

Exploit detection sends an immediate notification when an attack attempts to exploit a vulnerable system. The Exploit Detection feature depends on the following:

All Collectors shipped by Novell meet these requirements, as long as they are declared as being supported by Advisor. To write your own vulnerability or intrusion detection Collector, or to modify one of the shipped Collectors, refer to the Sentinel Plug-in SDK for specific information about which event and vulnerability fields must be filled in to support this service.

The following table lists the supported products with their associated device type (IDS for intrusion detection system, VULN for vulnerability scanners, and FW for firewall).

Table 1 Supported Products and the Associated Device Types

| Supported Products | Device Type | RV31 Value |
|---|---|---|
| Cisco Secure IDS | IDS | Secure |
| Enterasys Dragon Host Sensor | IDS | Dragon |
| Enterasys Dragon Network Sensor | IDS | Dragon |
| Intrusion.com (SecureNet_Provider) | IDS | SecureNet_Provider |
| ISS BlackICE PC Protection | IDS | XForce |
| ISS RealSecure Desktop | IDS | XForce |
| ISS RealSecure Network | IDS | XForce |
| ISS RealSecure Server | IDS | XForce |
| ISS RealSecure Guard | IDS | XForce |
| Sourcefire Snort/Phalanx | IDS | Snort |
| Symantec Network Security 4.0 (ManHunt) | IDS | ManHunt |
| Symantec Intruder Alert | IDS | Intruder |
| McAfee IntruShield | IDS | IntruShield |
| TippingPoint | IPS | TippingPoint |
| eEYE Retina | VULN | Retina |
| Foundstone Foundscan | VULN | Foundstone |
| ISS Database Scanner | VULN | XForce |
| ISS Internet Scanner | VULN | XForce |
| ISS System Scanner | VULN | XForce |
| ISS Wireless Scanner | VULN | XForce |
| Nessus | VULN | Nessus |
| nCircle IP360 | VULN | nCircle IP360 |
| Qualys QualysGuard | VULN | QualysGuard |
| Cisco IOS Firewall | FW | Secure |

To enable exploit detection, the Sentinel Collectors must populate several variables as expected. Collectors built by Novell populate these variables by default.

These values are used by the Mapping Service to populate the VULN field in the event. The VULN field is then used to evaluate incoming events and determine whether the reported vulnerability is actually exploited. When the vulnerability field (VULN) equals 1, the asset (the destination device) is exploited. When the vulnerability field equals 0, the asset is not exploited.
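The following toy model illustrates how the Mapping Service described above can derive the VULN flag by joining an attack event with vulnerability-scanner results. It is an added example, not Novell code; the event field names, the signature-to-vulnerability mapping, and all sample data are constructed assumptions (Sentinel's real field set is defined in its Plug-in SDK), while the RV31 values and device types are taken from Table 1.

```python
"""Toy model of Sentinel-style exploit detection (added example, not Novell code).

The event/scan field names, the signature-to-vulnerability mapping and all
sample data below are constructed for illustration.
"""
from typing import Dict, List, Set, Tuple

# Device types for a few products from Table 1 (RV31 value -> device type).
DEVICE_TYPE: Dict[str, str] = {"Snort": "IDS", "XForce": "IDS", "Secure": "FW", "Nessus": "VULN"}

# Constructed Advisor-style map: (RV31 value, sensor signature) -> vulnerability identifier.
ADVISOR_MAP: Dict[Tuple[str, str], str] = {
    ("Snort", "SIG-WEB-001"): "VULN-A",
    ("XForce", "Exploit_Web_A"): "VULN-A",
    ("Snort", "SIG-RPC-007"): "VULN-B",
}

# Constructed vulnerability-scanner results: (destination host, vulnerability identifier).
SCAN_RESULTS: Set[Tuple[str, str]] = {("10.0.0.5", "VULN-A"), ("10.0.0.9", "VULN-B")}


def set_vuln_flag(event: Dict[str, str], scan: Set[Tuple[str, str]] = SCAN_RESULTS) -> Dict[str, object]:
    """Return a copy of the event with VULN set to 1 when the attacked destination
    is known to carry the vulnerability the signature targets, otherwise 0."""
    out: Dict[str, object] = dict(event)
    out["VULN"] = 0
    # Only events from attack sensors (IDS/IPS/FW) are evaluated; scanner output is data, not an attack.
    if DEVICE_TYPE.get(event.get("rv31", "")) not in ("IDS", "IPS", "FW"):
        return out
    vuln_id = ADVISOR_MAP.get((event["rv31"], event.get("signature", "")))
    if vuln_id is None:  # signature not mapped to a vulnerability: cannot claim an exploit
        return out
    if (event.get("dest_ip"), vuln_id) in scan:
        out["VULN"] = 1
    return out


def exploited_hosts(events: List[Dict[str, str]]) -> List[str]:
    """Destination hosts with at least one event flagged VULN=1."""
    return sorted({str(e["dest_ip"]) for e in map(set_vuln_flag, events) if e["VULN"] == 1})


SAMPLE_EVENTS = [  # constructed attack events
    {"rv31": "Snort", "signature": "SIG-WEB-001", "dest_ip": "10.0.0.5"},    # vulnerable host -> 1
    {"rv31": "Snort", "signature": "SIG-WEB-001", "dest_ip": "10.0.0.9"},    # host not vulnerable -> 0
    {"rv31": "XForce", "signature": "Exploit_Web_A", "dest_ip": "10.0.0.5"}, # same vuln, other IDS -> 1
    {"rv31": "Nessus", "signature": "SIG-WEB-001", "dest_ip": "10.0.0.5"},   # scanner, not a sensor -> 0
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(set_vuln_flag(ev))
    print("exploited:", exploited_hosts(SAMPLE_EVENTS))
```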
