11.2 Understanding Exploit Detection

11.2.1 How Exploit Detection Works

Exploit Detection sends a notification as soon as an attack attempts to exploit a vulnerable system. The Exploit Detection feature depends on the following:

  • Both vulnerability scanners and the intrusion detection systems must report vulnerabilities and attacks against the same set of systems. In Sentinel, systems are identified by their IP addresses and their tenant name. The tenant name is a namespace identifier that prevents overlapping IP ranges from matching incorrectly. The tenant name can be the name of the customer, division, department, and so forth that owns this event data.

  • The vulnerability scanner and intrusion detection system products must be supported by the Advisor service. Advisor data uses specific product identifiers to ensure that attacks and vulnerabilities are matched correctly.

  • The specific reported attacks and vulnerabilities must be known to the Advisor service and Exploit Detection.

All Collectors shipped by NetIQ meet these requirements, as long as they are declared as being supported by Advisor. To write your own vulnerability or intrusion detection Collector, or to modify one of the shipped Collectors, refer to the Sentinel Plug-in SDK for specific information about which event and vulnerability fields must be filled in to support this service.

The following table lists the supported products with their associated device type (IDS for intrusion detection system, VULN for vulnerability scanners, and FW for firewall).

Table 11-1 Supported Products and the Associated Device Types

  Supported Products                        Device Type   RV31 Value
  ----------------------------------------  -----------   ------------------
  Cisco Secure IDS                          IDS           Secure
  Enterasys Dragon Host Sensor              IDS           Dragon
  Enterasys Dragon Network Sensor           IDS           Dragon
  Intrusion.com (SecureNet_Provider)        IDS           SecureNet_Provider
  ISS BlackICE PC Protection                IDS           XForce
  ISS RealSecure Desktop                    IDS           XForce
  ISS RealSecure Network                    IDS           XForce
  ISS RealSecure Server                     IDS           XForce
  ISS RealSecure Guard                      IDS           XForce
  Sourcefire Snort/Phalanx                  IDS           Snort
  Symantec Network Security 4.0 (ManHunt)   IDS           ManHunt
  Symantec Intruder Alert                   IDS           Intruder
  McAfee IntruShield                        IDS           IntruShield
  TippingPoint                              IPS           TippingPoint
  eEYE Retina                               VULN          Retina
  Foundstone Foundscan                      VULN          Foundstone
  ISS Database Scanner                      VULN          XForce
  ISS Internet Scanner                      VULN          XForce
  ISS System Scanner                        VULN          XForce
  ISS Wireless Scanner                      VULN          XForce
  Nessus                                    VULN          Nessus
  nCircle IP360                             VULN          nCircle IP360
  Qualys QualysGuard                        VULN          QualysGuard
  Cisco IOS Firewall                        FW            Secure

To enable exploit detection, the Sentinel Collectors must populate several variables as expected. Collectors built by NetIQ populate these variables by default. The Collectors are available for download on the Sentinel Plug-ins Web site. For information on configuring the Collectors, Connectors, and Event Sources, see Section 1.3, Event Source Management.

  • In intrusion detection system and vulnerability Collectors, the RV31 (IDSName) variable in the event must be set to the value in the RV31 column in Table 11-1. This string is case sensitive.

  • In the intrusion detection system Collector, the DIP (TargetIP) must be populated with the IP address of the machine that is being attacked.

  • In the intrusion detection system Collector, RT1 (IDSAttackName) must be set to the attack name or attack code used by that intrusion detection system.

  • In the intrusion detection system and vulnerability Collectors, the RV39 (TenantName) value must be populated. For a standard corporation, the value can be anything. For a Managed Security Service Provider (MSSP), the tenant name should be set per individual customer. For either type of company, the value in the intrusion detection system Collector must exactly match the value in the vulnerability Collector.

The Mapping Service uses these values to populate the VULN field in the event. This field is then used to evaluate incoming events and determine whether a vulnerability is exploited. When the vulnerability field (VULN) equals 1, the asset or destination device is exploited. If the vulnerability field equals 0, the asset or destination device is not exploited.
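To make the matching concrete, the following is an added Python example (not Sentinel's own code) that builds rows in the shape the text gives for exploitdetection.csv and evaluates IDS events to a VULN value of 1 or 0, using the four Collector fields above as the exact-match key. The scanner records, the Advisor attack-to-vulnerability mapping and the vuln_id field are constructed assumptions; Sentinel's real Advisor data and Mapping Service internals are not shown on this page.

```python
import csv
import io

# Constructed sample data (not real Sentinel data): records as a vulnerability
# Collector would report them. "vuln_id" is a hypothetical Advisor vulnerability
# identifier that links scanner findings to IDS attack signatures.
VULN_RECORDS = [
    {"RV39": "AcmeCorp", "IP": "10.1.1.5", "RV31": "Nessus", "vuln_id": "ADV-0001"},
    {"RV39": "AcmeCorp", "IP": "10.1.1.7", "RV31": "Nessus", "vuln_id": "ADV-0002"},
    {"RV39": "BetaInc",  "IP": "10.1.1.5", "RV31": "Retina", "vuln_id": "ADV-0001"},
]

# Hypothetical Advisor knowledge: (RV31 IDS name, RT1 attack name) -> vulnerability.
ADVISOR_ATTACKS = {
    ("Snort", "WEB-MISC example overflow"): "ADV-0001",
    ("Dragon", "HTTP:EXAMPLE-TRAVERSAL"): "ADV-0002",
}


def build_exploit_map(vuln_records, advisor_attacks):
    """Return rows shaped like the page describes exploitdetection.csv:
    (IP address, device name, attack name, tenant name). A row exists for
    every IDS signature Advisor links to a vulnerability a host actually has."""
    rows = []
    for rec in vuln_records:
        for (ids_name, attack_name), vuln_id in advisor_attacks.items():
            if vuln_id == rec["vuln_id"]:
                rows.append((rec["IP"], ids_name, attack_name, rec["RV39"]))
    return rows


def exploit_map_to_csv(rows):
    """Serialise the rows as CSV text (one row per line, four columns)."""
    buf = io.StringIO()
    csv.writer(buf).writerows(rows)
    return buf.getvalue()


def vuln_flag(event, exploit_rows):
    """Compute the VULN value for an IDS event: 1 if the exploit map contains an
    exact match on DIP, RV31, RT1 and RV39, else 0. The comparison is
    case-sensitive and the tenant must match, so a Collector that emits
    "snort" instead of "Snort", or a different tenant name than the scanner
    Collector, silently yields 0 even when the host is vulnerable."""
    key = (event.get("DIP"), event.get("RV31"), event.get("RT1"), event.get("RV39"))
    return 1 if key in set(exploit_rows) else 0
```

Running vuln_flag over events with a mis-cased RV31 or a mismatched RV39 is a quick way to verify a custom Collector before trusting its VULN values.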

11.2.2 Generating the Exploit Detection File

When you run the intrusion detection system or vulnerability type Collectors, events from all the selected products are scanned for possible attacks and vulnerabilities, and the product name and the tenant name are mapped to the Advisor product name and tenant name. If the events match successfully, the exploit information (IP address, device name, attack name, and tenant name) is written to the exploitdetection.csv file in the /var/opt/novell/sentinel/data/map_data directory.

The initial mapping time might take up to 30 minutes. However, you can modify the time by changing the value of the minregenerateinterval property in the ExploitDetectDataGenerator component of the server.xml file. The time is given in milliseconds. For example, you can change the time from 1800000 (30 minutes) to 180000 (3 minutes).

NOTE: You must restart the Sentinel service for the changes to take effect.

11.2.3 Viewing the Events

To view events that indicate a possible exploitation, search for events whose Vulnerability value is 1.

The value in the Vulnerability field conveys the following:

  • 1: The asset or destination device is possibly exploited.

  • 0: The asset or destination device is not exploited.

NOTE: If the Vulnerability field is blank, the exploitdetection.csv file is not generated.

For more information on viewing events, see Section 11.8, Viewing the Advisor Data.