Exploit detection sends a notification immediately when an attack attempts to exploit a vulnerable system. The Exploit Detection feature depends on the following:
Both the vulnerability scanners and the intrusion detection systems must report vulnerabilities and attacks against the same set of systems. In Sentinel, systems are identified by their IP addresses and their MSSP Customer Name. The MSSP Customer Name is a namespace identifier that prevents overlapping IP ranges (for example, the same private address in two customers' networks) from matching incorrectly.
The vulnerability scanner and intrusion detection system products must be supported by the Advisor service. This data uses specific product identifiers to ensure proper matching.
The specific reported attacks and vulnerabilities must be known to the Advisor service and Exploit Detection.
All Collectors shipped by Novell meet these requirements, as long as they are declared as being supported by Advisor. To write your own vulnerability or intrusion detection Collector, or to modify one of the shipped Collectors, refer to the Sentinel Plug-in SDK for specific information about which event and vulnerability fields must be filled in to support this service.
The following table lists the supported products with their associated device type (IDS for intrusion detection system, VULN for vulnerability scanners, and FW for firewall).
Table 9-1 Supported Products and the Associated Device Types
To enable exploit detection, the Sentinel Collectors must populate several variables as expected. Collectors built by Novell populate these variables by default.
In intrusion detection system and vulnerability Collectors, the RV31 (DeviceName) variable in the event must be set to the value in the RV31 column in Table 9-1. This string is case sensitive.
In the intrusion detection system Collector, the DIP (Destination or Target IP) must be populated with the IP address of the machine that is being attacked.
In the intrusion detection system Collector, RT1 (DeviceAttackName) must be set to the attack name or attack code for that intrusion detection system.
In the intrusion detection system and vulnerability Collectors, the RV39 (MSSPCustomerName) value must be populated. For a standard corporation, the value can be anything. For a Managed Security Service Provider (MSSP), the customer name should be set for the individual customer. For either type of company, the value in the intrusion detection system Collector must exactly match the value in the vulnerability Collector.
These values are used by the Mapping Service to populate the VULN field in the event. This value is used to evaluate the incoming events to determine whether a vulnerability is exploited or not. When the vulnerability field (VULN) equals 1, the asset or destination device is exploited. If the vulnerability field equals 0, the asset or destination device is not exploited.
When you run the intrusion detection system or vulnerability type Collectors, events from all the selected products are scanned for possible attacks and vulnerabilities, and the product name and MSSP customer name are mapped to the Advisor product name and MSSP customer name. If the events match successfully, the exploit information (IP address, Device Name, Attack Name, and MSSP Customer Name) is updated in the exploitdetection.csv file in the <install_directory>/data/map_data directory.
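The following is an added example, not Novell Sentinel code, that models the matching just described: vulnerability findings and IDS events are joined on the target IP address within the MSSP Customer Name namespace, the VULN field is set to 1 or 0, and the matches are emitted in the shape of exploitdetection.csv. The Advisor lookup table (ADVISOR_ATTACK_TO_VULN), the product names in SUPPORTED_PRODUCTS, the sample hosts and customers, and the CSV column order are all assumptions constructed for illustration; the real Advisor data and the real file layout are not on the page.

```python
"""Simplified model of the exploit-detection matching described above.
Added example; not Novell Sentinel code. The Advisor lookup table,
product names, sample hosts and CSV column order are constructed."""
import csv
import io
from dataclasses import dataclass

# Constructed stand-in for Advisor data: which vulnerability IDs an IDS
# attack signature exploits. Real Advisor data is not on the page.
ADVISOR_ATTACK_TO_VULN = {
    ("ExampleIDS", "HTTP-OVERFLOW-1"): {"VULN-0001"},
    ("ExampleIDS", "SSH-BRUTE"): set(),   # known attack, exploits no vuln
}

# Constructed stand-in for Table 9-1: RV31 device name -> device type.
SUPPORTED_PRODUCTS = {"ExampleIDS": "IDS", "ExampleScanner": "VULN"}


@dataclass(frozen=True)
class VulnRecord:
    """One finding from a vulnerability Collector."""
    ip: str
    rv31: str      # DeviceName of the scanner (case sensitive)
    rv39: str      # MSSPCustomerName namespace
    vuln_id: str   # vulnerability identifier known to Advisor


@dataclass
class IdsEvent:
    """One event from an intrusion detection Collector."""
    dip: str        # Destination/Target IP of the attacked host
    rv31: str       # DeviceName of the IDS (case sensitive)
    rt1: str        # DeviceAttackName
    rv39: str       # MSSPCustomerName namespace
    vuln: str = ""  # VULN field; blank until the mapping runs


def build_vuln_index(records):
    """Index findings by (customer, ip). Keying on the customer name is what
    keeps two customers' overlapping private hosts from matching each other."""
    index = {}
    for r in records:
        if SUPPORTED_PRODUCTS.get(r.rv31) != "VULN":
            continue  # scanner not supported by Advisor: finding is ignored
        index.setdefault((r.rv39, r.ip), set()).add(r.vuln_id)
    return index


def evaluate(event, vuln_index):
    """Return "1" if the attack exploits a vulnerability the scanner
    reported on the same host in the same customer namespace, else "0"."""
    if SUPPORTED_PRODUCTS.get(event.rv31) != "IDS":
        return "0"  # RV31 must match the supported name exactly, case included
    exploits = ADVISOR_ATTACK_TO_VULN.get((event.rv31, event.rt1))
    if not exploits:
        return "0"  # attack unknown to Advisor, or exploits nothing
    present = vuln_index.get((event.rv39, event.dip), set())
    return "1" if exploits & present else "0"


def run_mapping(events, records):
    """Set VULN on each event and build exploitdetection.csv content for the
    matches. Column order is an assumption; the page lists only the fields
    (IP address, Device Name, Attack Name, MSSP Customer Name)."""
    index = build_vuln_index(records)
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for ev in events:
        ev.vuln = evaluate(ev, index)
        if ev.vuln == "1":
            writer.writerow([ev.dip, ev.rv31, ev.rt1, ev.rv39])
    return events, out.getvalue()


# Constructed sample data: two MSSP customers with the same private address.
SAMPLE_VULNS = [
    VulnRecord("10.0.0.5", "ExampleScanner", "acme", "VULN-0001"),
    VulnRecord("10.0.0.5", "ExampleScanner", "globex", "VULN-0002"),
]
SAMPLE_EVENTS = [
    IdsEvent("10.0.0.5", "ExampleIDS", "HTTP-OVERFLOW-1", "acme"),    # -> 1
    IdsEvent("10.0.0.5", "ExampleIDS", "HTTP-OVERFLOW-1", "globex"),  # -> 0
    IdsEvent("10.0.0.5", "exampleids", "HTTP-OVERFLOW-1", "acme"),    # -> 0
    IdsEvent("10.0.0.5", "ExampleIDS", "SSH-BRUTE", "acme"),          # -> 0
]

if __name__ == "__main__":
    evs, csv_text = run_mapping(SAMPLE_EVENTS, SAMPLE_VULNS)
    for ev in evs:
        print(ev.dip, ev.rv31, ev.rt1, ev.rv39, "VULN=" + ev.vuln)
    print(csv_text, end="")
```

The second and third sample events show the two ways a match silently fails that the text warns about: the same IP under a different MSSP Customer Name is a different asset, and a DeviceName that differs only in case is not a supported product.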
The initial mapping time might take up to 30 minutes. However, you can modify the time by changing the value of the minregenerateinterval property in the ExploitDetectDataGenerator component of the das_core.xml file. The time is given in milliseconds. For example, you can change the time from 1800000 (30 minutes) to 180000 (3 minutes).
NOTE: You must restart the das_core services after you change the time.
To view events that indicate a possible exploitation, create an Active View with a filter that has the Vulnerability value set to 1.
Within an event, the values in the Vulnerability field indicate the following:
1: the asset or destination device is possibly exploited.
0: the asset or destination device is not exploited.
NOTE: If the exploitdetection.csv file is not generated, the Vulnerability field is blank.
For more information on viewing events in Active Views, see Section 3.4, Viewing Real-Time Events.