Novell SENTINEL 6.1 SP2 - 02-2010 User Manual page 446

Vulnerability Scanners scan for system (asset) vulnerable areas. IDS detects attacks (if any) against these vulnerable areas. Firewalls detect if any traffic is against any of these vulnerable areas. If an attack is associated with any vulnerability, the asset has been exploited.

The Exploit Detection Service generates the exploitDetection.csv file at:
$ESEC_HOME/bin/map_data

The exploitDetection.csv is generated after one of the following:
- Advisor feed
- Vulnerability scan
- Sentinel Server Startup (if enabled in das_query.xml, disabled by default)

Event Columns

By default, there are two configured event columns used for exploit detection and they are referenced from a map (all mapped tags have the Scroll icon).
- Vulnerability
- AttackId

Figure A-4

When the Vulnerability field (vul) equals 1, the asset or destination device is exploited. If the Vulnerability field equals 0, the asset or destination device is not exploited.

The map name for the exploitdetection.csv file is IsExploitWatchlist.

There are two types of data sources:
- External: Retrieves information from the Collector
- Referenced from Map: Retrieves information from a map file to populate the tag.

The Vulnerability tag has a column entry "_EXIST_", which means that the map result value will be 1 if the key is in IsExploitWatchlist (exploitdetection.csv file) or 0 if it is not. The key columns for the vulnerability tag are IP and NormalizedAttackId. When an incoming event has a DestinationIP event tag that matches the IP column entry and an AttackId event tag that matches the NormalizedAttackId column entry in the same row, the result is one (1). If no match is found in a common row, the result is zero (0).

446 Sentinel 6.1 User Guide
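The "_EXIST_" lookup described above, written out as an added Python example (this is not Sentinel's own code or map engine). It assumes a watchlist CSV whose header names the two key columns, IP and NormalizedAttackId; the exact column layout of the real exploitDetection.csv is not given on this page, so the sample rows and attack identifiers below are constructed placeholders. The point it makes concrete is the "same row" rule: an event whose DestinationIP and AttackId each appear somewhere in the map, but never together in one row, still yields 0.

```python
import csv
import io

# Constructed sample watchlist. Only the two key columns the manual names are
# used; the real file's full layout is an assumption, not taken from the page.
SAMPLE_WATCHLIST_CSV = """IP,NormalizedAttackId
10.0.0.5,ATTACK-ID-PLACEHOLDER-A
10.0.0.5,ATTACK-ID-PLACEHOLDER-B
10.0.0.9,ATTACK-ID-PLACEHOLDER-A
"""


def load_exploit_watchlist(csv_text):
    """Build the IsExploitWatchlist key set: one (IP, NormalizedAttackId) pair per row.

    Keeping the pair together is what enforces the manual's same-row rule.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    return {
        (row["IP"].strip(), row["NormalizedAttackId"].strip())
        for row in reader
    }


def vulnerability_tag(event, watchlist):
    """_EXIST_ semantics: 1 if the event's (DestinationIP, AttackId) key is a row
    in the watchlist, else 0. Events missing either tag can never match."""
    dest_ip = event.get("DestinationIP")
    attack_id = event.get("AttackId")
    if dest_ip is None or attack_id is None:
        return 0
    return 1 if (dest_ip, attack_id) in watchlist else 0


def evaluate_events(events, csv_text):
    """Populate the Vulnerability tag for a batch of incoming events."""
    watchlist = load_exploit_watchlist(csv_text)
    return [vulnerability_tag(event, watchlist) for event in events]


# Constructed incoming events, annotated with the expected result.
SAMPLE_EVENTS = [
    # IP and attack id sit in the same row -> exploited (1)
    {"DestinationIP": "10.0.0.5", "AttackId": "ATTACK-ID-PLACEHOLDER-A"},
    # both values exist in the map, but never in one common row -> 0
    {"DestinationIP": "10.0.0.9", "AttackId": "ATTACK-ID-PLACEHOLDER-B"},
    # destination IP is not in the map at all -> 0
    {"DestinationIP": "10.0.0.7", "AttackId": "ATTACK-ID-PLACEHOLDER-A"},
    # event carries no AttackId tag -> 0
    {"DestinationIP": "10.0.0.5"},
]

if __name__ == "__main__":
    results = evaluate_events(SAMPLE_EVENTS, SAMPLE_WATCHLIST_CSV)
    for event, vul in zip(SAMPLE_EVENTS, results):
        print(event, "-> Vulnerability =", vul)
```

The second sample event is the one worth studying: a lookup keyed on IP alone, or on AttackId alone, would flag it, whereas the row-based key set correctly returns 0, which is why the map result should never be read as "this host is vulnerable to something" but only as "this host is vulnerable to this attack".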