Sentinel provides the ability to cross-reference event data signatures with Vulnerability Scanner data. Users are notified automatically and immediately when an attack is attempting to exploit a vulnerable system. This is accomplished through:

Advisor provides a cross-reference between event data signatures and vulnerability scanner data. Advisor feed has an alert and attack feed. The alert feed contains information about vulnerabilities and threats. The attack feed is a normalization of event signatures and vulnerability plug-ins. For more information on Advisor installation, see Advisor Configuration in Sentinel Installation Guide.

The supported systems are:

Intrusion Detections Systems

      • Vulnerability Scanners

      • Cisco Secure IDS

      • Enterasys Dragon Host Sensor

      • Enterasys Dragon Network Sensor

      • Intrusion.com (SecureNet_Provider)

      • ISS BlackICE

      • ISS RealSecure Desktop

      • ISS RealSecure Network

      • ISS RealSecure Server

      • ISS RealSecure Guard

      • Snort

      • Symantec Network Security 4.0 (ManHunt)

      • Symantec Intruder Alert

      • McAfee IntruShield

      • eEYE Retina

      • Foundstone Foundscan

      • ISS Database Scanner

      • ISS Internet Scanner

      • ISS System Scanner

      • ISS Wireless Scanner

      • Nessus

      • nCircle IP360

      • Qualys QualysGuard

Intrusion Protection System

      • ISS Proventia

Firewalls

      • Cisco IOS Firewall

You will require at least one vulnerability scanner and either an IDS, IPS or firewall from each category above. The IDS and Firewall DeviceName (rv31) has to appear in the event as hi-lighted in gray above. Also, the IDS and Firewall must properly populate the DeviceAttackName (rt1) field (for example, WEB-PHP Mambo uploadimage.php access).

The Advisor feed is sent to the database and then to the Exploit Detection Service. The Exploit Detection Service will generate one or two files depending upon what kind of data has been updated.

image\ebx_19015008.gif

The Exploit Detection Map Files are used by the Mapping Service to map attacks to exploits of vulnerabilities.

Vulnerability Scanners scan for system (asset) vulnerable areas. IDS' detect attacks (if any) against these vulnerable areas. Firewalls detect if any traffic is against any of these vulnerable area. If an attack is associated with any vulnerability, the asset has been exploited.

The Exploit Detection Service generates two files located in:

$ESEC_HOME/bin/map_data

The two files are attackNormalization.csv and exploitDetection.csv.

The attackNormalization.csv is generated after:

The exploitDetection.csv is generated after one of the following:

By default, there are two configured event columns used for exploit detection and they are referenced from a map (all mapped tags will have the scroll icon).

image\ebx_-835835040.gif

When the vulnerability field (vul) equals 1, the asset or destination device is exploited. If the vulnerability field equals 0, the asset or destination device is not exploited.

Sentinel comes pre-configured with the following map names associated with attackNormalization.csv and exploitDetection.csv.

Map Name

csv File Name

      • AttackSignatureNormalization

      • attackNormalization.csv

      • IsExploitWatchlist

      • exploitDetection.csv

There are two types of data sources:

The AttackId tag has the Device (type of the security device, for example, Snort) and AttackSignature columns set as Keys and uses the NormalizedAttackID column in the attackNormalization.csv file. In a row where the DeviceName event tag (an IDS device such as Snort, information filled in by Advisor and Vulnerability information from the Sentinel Database) is the same as Device and where the DeviceAttackName event tag (attack information filled in by Advisor information in the Sentinel Database through the Exploit Detection Service) is the same as AttackSignature, the value for AttackId is where that row intersects with the NormalizedAttackID column.

image\ebx_1914094713.gif

image\ebx_-2130465423.gif

The Vulnerability tag has a column entry "_EXIST_", which means that map result value will be 1 if the key is in IsExploitWatchlist (exploitDetection.csv file) or 0 if it is not. The key columns for the vulnerability tag are IP and NormalizedAttackId. When an incoming event with a DestinationIP event tag that matches the IP column entry and an AttackId event tag that matches the NormalizedAttackId column entry in the same row, the result is one (1). If no match is found in a common row, the result is zero (0).

image\ebx_-1812868160.gif