Sentinel provides the ability to cross-reference event data signatures with Vulnerability Scanner data. Users are notified automatically and immediately when an attack is attempting to exploit a vulnerable system. This is accomplished through:
Advisor Feed
Intrusion detection
Vulnerability scanning
Firewalls
Advisor provides a cross-reference between event data signatures and vulnerability scanner data. Advisor feed has an alert and attack feed. The alert feed contains information about vulnerabilities and threats. The attack feed is a normalization of event signatures and vulnerability plug-ins. For more information on Advisor installation, see Advisor Configuration in Sentinel Installation Guide.
The supported systems are:
Intrusion Detections Systems |
|
|
Intrusion Protection System
Firewalls
|
You will require at least one vulnerability scanner and either an IDS, IPS or firewall from each category above. The IDS and Firewall DeviceName (rv31) has to appear in the event as hi-lighted in gray above. Also, the IDS and Firewall must properly populate the DeviceAttackName (rt1) field (for example, WEB-PHP Mambo uploadimage.php access).
The Advisor feed is sent to the database and then to the Exploit Detection Service. The Exploit Detection Service will generate one or two files depending upon what kind of data has been updated.
The Exploit Detection Map Files are used by the Mapping Service to map attacks to exploits of vulnerabilities.
Vulnerability Scanners scan for system (asset) vulnerable areas. IDS' detect attacks (if any) against these vulnerable areas. Firewalls detect if any traffic is against any of these vulnerable area. If an attack is associated with any vulnerability, the asset has been exploited.
The Exploit Detection Service generates two files located in:
$ESEC_HOME/bin/map_data
The two files are attackNormalization.csv and exploitDetection.csv.
The attackNormalization.csv is generated after:
Advisor feed
DAS Startup (if enabled in das_query.xml, disabled by default)
The exploitDetection.csv is generated after one of the following:
Advisor feed
Vulnerability scan
Sentinel Server Startup (if enabled in das_query.xml, disabled by default)
By default, there are two configured event columns used for exploit detection and they are referenced from a map (all mapped tags will have the scroll icon).
Vulnerability
AttackId
When the vulnerability field (vul) equals 1, the asset or destination device is exploited. If the vulnerability field equals 0, the asset or destination device is not exploited.
Sentinel comes pre-configured with the following map names associated with attackNormalization.csv and exploitDetection.csv.
Map Name |
csv File Name |
|
|
|
|
There are two types of data sources:
External: Retrieves information from the Collector
Referenced from Map: Retrieves information from a map file to populate the tag.
The AttackId tag has the Device (type of the security device, for example, Snort) and AttackSignature columns set as Keys and uses the NormalizedAttackID column in the attackNormalization.csv file. In a row where the DeviceName event tag (an IDS device such as Snort, information filled in by Advisor and Vulnerability information from the Sentinel Database) is the same as Device and where the DeviceAttackName event tag (attack information filled in by Advisor information in the Sentinel Database through the Exploit Detection Service) is the same as AttackSignature, the value for AttackId is where that row intersects with the NormalizedAttackID column.
The Vulnerability tag has a column entry "_EXIST_", which means that map result value will be 1 if the key is in IsExploitWatchlist (exploitDetection.csv file) or 0 if it is not. The key columns for the vulnerability tag are IP and NormalizedAttackId. When an incoming event with a DestinationIP event tag that matches the IP column entry and an AttackId event tag that matches the NormalizedAttackId column entry in the same row, the result is one (1). If no match is found in a common row, the result is zero (0).