Novell SENTINEL RAPID DEPLOYMENT 6.1 - 12-2009 User Manual page 392

By default, there are two configured event columns used for exploit detection, and they are
referenced from a map (all mapped tags have the Scroll icon):

   Vulnerability
   AttackId

Figure A-4   Event Columns

When the Vulnerability field (vul) equals 1, the asset or destination device is exploited. If the
Vulnerability field equals 0, the asset or destination device is not exploited.

Sentinel comes preconfigured with the following map names associated with
attackNormalization.csv and exploitDetection.csv.

Table A-2   Map Name and csv Filename

   Map Name                        csv Filename
   AttackSignatureNormalization    attackNormalization.csv
   IsExploitWatchlist              exploitDetection.csv

There are two types of data sources:

   External: Retrieves information from the Collector.
   Referenced from Map: Retrieves information from a map file to populate the tag.

The AttackId tag has the Device (type of the security device, such as Snort) and AttackSignature
columns set as Keys and uses the NormalizedAttackID column in the attackNormalization.csv file. In a
row where the DeviceName event tag (an intrusion detection system device such as Snort, with
information filled in by Advisor and Vulnerability information from the Sentinel database) is the
same as Device, and where the DeviceAttackName event tag (attack information filled in by Advisor
information in the Sentinel Database through the Exploit Detection Service) is the same as
AttackSignature, the value for AttackId is where that row intersects with the NormalizedAttackID
column.

Figure A-5   AttackId and Data Source Information

392 Sentinel 6.1 Rapid Deployment User Guide
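The two-key map lookup that populates AttackId, and the Vulnerability flag derived from it, can be modelled in a few lines. The following is an added illustration, not Sentinel's own code and not Novell's shipped map files: the attackNormalization.csv sample follows the column layout the guide describes (Device and AttackSignature as keys, NormalizedAttackID as the value), while the exploitDetection.csv sample, its (NormalizedAttackID, AssetIP) key layout and the DestinationIP tag name are assumptions made for this example only.

```python
import csv
import io

# Constructed sample in the layout the guide describes for attackNormalization.csv
# (NOT Novell's shipped file): Device and AttackSignature are the key columns,
# NormalizedAttackID is the value column returned for the AttackId tag.
ATTACK_NORMALIZATION_CSV = """Device,AttackSignature,NormalizedAttackID
Snort,WEB-IIS cmd.exe access,1001
Snort,SQL generic sql injection attempt,1002
ISS,HTTP_IIS_Cmd_Exe,1001
"""

# Constructed watchlist standing in for exploitDetection.csv. The guide does not
# describe that file's columns, so keying it on (NormalizedAttackID, AssetIP) is
# an assumption made for this example only.
EXPLOIT_WATCHLIST_CSV = """NormalizedAttackID,AssetIP
1001,10.0.0.5
1002,10.0.0.7
"""


def load_map(csv_text, key_columns, value_column):
    """Build a Referenced-from-Map lookup: tuple of key-column values -> value column."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = tuple(row[c].strip() for c in key_columns)
        table[key] = row[value_column].strip()
    return table


def load_watchlist(csv_text):
    """Set of (NormalizedAttackID, AssetIP) pairs the watchlist marks as exploitable."""
    return {
        (row["NormalizedAttackID"].strip(), row["AssetIP"].strip())
        for row in csv.DictReader(io.StringIO(csv_text))
    }


ATTACK_ID_MAP = load_map(
    ATTACK_NORMALIZATION_CSV, ("Device", "AttackSignature"), "NormalizedAttackID"
)
EXPLOIT_WATCHLIST = load_watchlist(EXPLOIT_WATCHLIST_CSV)


def attack_id(event):
    """AttackId tag: the NormalizedAttackID of the row whose Device equals the
    event's DeviceName and whose AttackSignature equals DeviceAttackName.
    Returns None when no row matches (a signature the map does not normalize)."""
    return ATTACK_ID_MAP.get((event["DeviceName"], event["DeviceAttackName"]))


def vulnerability(event):
    """Vulnerability tag (vul): 1 when the destination asset is on the exploit
    watchlist for the normalized attack, otherwise 0. The DestinationIP tag
    name is assumed for this example."""
    norm = attack_id(event)
    if norm is None:
        return 0
    return 1 if (norm, event["DestinationIP"]) in EXPLOIT_WATCHLIST else 0


def enrich(event):
    """Return a copy of the event with the two mapped exploit-detection tags filled in."""
    out = dict(event)
    out["AttackId"] = attack_id(event)
    out["Vulnerability"] = vulnerability(event)
    return out


if __name__ == "__main__":
    # Constructed events: two IDS products reporting the same attack, plus an
    # unnormalized signature.
    for ev in (
        {"DeviceName": "Snort", "DeviceAttackName": "WEB-IIS cmd.exe access", "DestinationIP": "10.0.0.5"},
        {"DeviceName": "ISS", "DeviceAttackName": "HTTP_IIS_Cmd_Exe", "DestinationIP": "10.0.0.9"},
        {"DeviceName": "Snort", "DeviceAttackName": "unknown-signature", "DestinationIP": "10.0.0.5"},
    ):
        print(enrich(ev))
```

The second event shows why normalization sits in front of the watchlist: two products name the same attack differently, and both collapse to one NormalizedAttackID before the asset check. The third event shows the failure mode to watch for operationally: a signature with no row in the map yields no AttackId and a Vulnerability of 0, which reads like "not exploited" rather than "not evaluated", so unmatched lookups are worth counting whenever the map files are updated.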
