Novell SENTINEL RAPID DEPLOYMENT 6.1 - 12-2009 User Manual page 391


ISS Wireless Scanner
Nessus
nCircle IP360
Qualys QualysGuard
You need at least one vulnerability scanner and either an intrusion detection system, IPS, or firewall
from each category above. The intrusion detection system and firewall DeviceName (rv31) must
appear in the event as shown above. Also, the intrusion detection system and the firewall must
properly populate the DeviceAttackName (rt1) field (for example, WEB-PHP Mambo
uploadimage.php access).
The Advisor feed is sent to the database and then to the Exploit Detection Service. The Exploit
Detection Service generates one or two files, depending upon what kind of data has been updated.
Figure A-3 Exploit Detection
The Exploit Detection map files are used by the Mapping Service to map attacks to exploits of
vulnerabilities.
Vulnerability scanners scan systems (assets) for vulnerable areas. Intrusion detection systems detect
attacks (if any) against these vulnerable areas. Firewalls detect whether any traffic is directed at
these vulnerable areas. If an attack is associated with any vulnerability, the asset has been exploited.
The Exploit Detection Service generates two files located in:
<Install_directory>/bin/map_data
The two files are attackNormalization.csv and exploitDetection.csv.
The attackNormalization.csv file is generated after:
Advisor feed
DAS startup (if enabled in das_core.xml; disabled by default)
The exploitDetection.csv file is generated after one of the following:
Advisor feed
Vulnerability scan
Sentinel server startup (if enabled in das_core.xml; disabled by default)
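The following is an added example, not Novell's code, that models the two-step lookup described above: the IDS or firewall event's DeviceName (rv31) and DeviceAttackName (rt1) are normalized via attackNormalization.csv, then checked against exploitDetection.csv to see whether the target asset was reported vulnerable to that attack. The column layouts of both CSV files, the "dip" field name, and all sample rows and events are constructed assumptions; the real map_data formats are not shown on this page.

```python
import csv
import io

# Constructed stand-in for attackNormalization.csv (layout assumed, not Novell's):
# DeviceName (rv31), DeviceAttackName (rt1) -> normalized attack id.
ATTACK_NORMALIZATION_CSV = """\
DeviceName,DeviceAttackName,NormalizedAttack
Snort,WEB-PHP Mambo uploadimage.php access,MAMBO-UPLOADIMAGE
Snort,WEB-MISC generic probe,GENERIC-PROBE
"""

# Constructed stand-in for exploitDetection.csv (layout assumed):
# normalized attack id -> asset IP that a vulnerability scan reported as vulnerable.
EXPLOIT_DETECTION_CSV = """\
NormalizedAttack,AssetIP
MAMBO-UPLOADIMAGE,10.0.0.5
"""

def load_attack_map(text):
    """Map (DeviceName, DeviceAttackName) -> NormalizedAttack."""
    return {(r["DeviceName"], r["DeviceAttackName"]): r["NormalizedAttack"]
            for r in csv.DictReader(io.StringIO(text))}

def load_exploit_map(text):
    """Map NormalizedAttack -> set of asset IPs known to be vulnerable to it."""
    vuln = {}
    for r in csv.DictReader(io.StringIO(text)):
        vuln.setdefault(r["NormalizedAttack"], set()).add(r["AssetIP"])
    return vuln

def is_exploited(event, attack_map, exploit_map):
    """True if the event's attack hits a vulnerability the scanner found on the
    destination asset. An event missing rv31 or rt1 can never be correlated."""
    key = (event.get("rv31"), event.get("rt1"))
    normalized = attack_map.get(key)
    if normalized is None:
        return False
    return event.get("dip") in exploit_map.get(normalized, set())

# Constructed sample events; rv31/rt1 are the page's field names, "dip" is assumed.
EVENTS = [
    {"rv31": "Snort", "rt1": "WEB-PHP Mambo uploadimage.php access", "dip": "10.0.0.5"},
    {"rv31": "Snort", "rt1": "WEB-PHP Mambo uploadimage.php access", "dip": "10.0.0.9"},
    {"rv31": "Snort", "rt1": "WEB-MISC generic probe", "dip": "10.0.0.5"},
    {"rv31": "Snort", "dip": "10.0.0.5"},  # rt1 not populated: no correlation possible
]

def exploited_events(events=EVENTS):
    amap = load_attack_map(ATTACK_NORMALIZATION_CSV)
    emap = load_exploit_map(EXPLOIT_DETECTION_CSV)
    return [e for e in events if is_exploited(e, amap, emap)]
```

Only the first event is flagged: the same attack against 10.0.0.9 finds no matching scan result, the generic probe maps to an attack with no vulnerable assets, and the event without rt1 cannot be normalized at all.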
Sentinel 6.1 Rapid Deployment Architecture 391
