In the world of Security Information Event monitoring it is imperative that you have the ability to sort through the mass amounts of data to quickly identify and isolate any attacks and identify any vulnerabilities in your infrastructure. Advisor is an optional subscription service that provides this capability by providing normalized attack information to help identify attacks against vulnerable systems. This session is intended to guide you through an understanding of what advisor is and how it can help you, how the advisor data feeds are downloaded and updated, what devices are supported, reporting, and step through demonstration of exploit detection.

1. Utilizing Novell Sentinel ®
™
Advisor and Attack vulnerability
Tom Burt
GTS-Backline Engineer Novell
Novell/tburt@novell.com

2. Presentation Goals
• Present the benefits of Advisor
• Explain Advisor and its related components
• Discuss installation and maintenance of Advisor
2 © Novell, Inc. All rights reserved.

3. Agenda
• Advisor Overview
• Exploit Detection Overview
• Background/History Advisor v3 vs. v4
• Installation and Maintenance
3 © Novell, Inc. All rights reserved.

4. Advisor Overview

5. Terminology
• Advisor-The Novell optional add on subscription to
®
provide attack and remediation information
• Attack-An event that indicates malicious or rogue
software and or devices
• Vulnerability-An opening or weakness in a network
allowing the potential for an attack
• Vulnerability Scanners-The process of detecting the
strength of protection on a network.
• IPS/IDS collectors-Sentinel device collectors that
™
gather data from IDS devices
• Vulnerability collectors-Sentinel device collectors that
gather data from vulnerability scanners
5 © Novell, Inc. All rights reserved.

6. Collector links
• IPS, IDS and Vulnerability scan collectors are available
at the following URL;
http://support.novell.com/products/sentinel/secure/senti
nel61.html
6 © Novell, Inc. All rights reserved.

7. Overview
• Powered by Security Nexus
• Acts as an early warning service to identify attacks and
vulnerabilities.
– Provides Normalized Attack and remediation information
• Optional add on subscription service
– Initial download feed is free but additional downloads require a
license
> Entitlement is linked to your Customer authentication credentials
7 © Novell, Inc. All rights reserved.

8. Overview
• Early warning service
– Normalization of attack data
– Correlation on real time data
– Incident Tracking
• Updates
– Updated on a regular configurable basis
– Advisor feeds/Downloads
> CVE's
> Bugtraq
> IDS
> ISS
> etc....
8 © Novell, Inc. All rights reserved.

9. Exploit Detection Overview

10. Exploit detection
• Exploit detection: Enables you to quickly identify and/or
send out notifications in the event an attack is
attempting to exploit a vulnerability in your system
10 © Novell, Inc. All rights reserved.

11. Requirements
• Requires that both the Vulnerability scanner and IDS
system reports the vulnerabilities and attacks against
the same systems.
• In Sentinel, systems are identified by IP Address and
MSSP Customer Name
• The Vulnerability and IDS system must be supported by
the Advisor service
• The reported attacks and vulnerabilities must be known
to the Advisor service and Exploit Detection
– Most Novell collectors support the Attack and exploit detection
data
11 © Novell, Inc. All rights reserved.

12. Requirements cont....
• The Vulnerability and IDS collectors must populate all 4
of these fields
– DeviceName (RV31)
– DIP (Destination or TargetIP)
– DeviceAttackName (RT1)
– MSSP Customer Name (RV39)
> Managed Security Service Provider
• All Novell shipped collectors populate these values by
®
default
12 © Novell, Inc. All rights reserved.

13. Exploit Detection
• When running supported IDS and Vulnerability
collectors, events from the devices are scanned for
potential attacks and vulnerabilities
– The mapping service maps the Product Name and MSSP
Customer Name to the Advisor name and MSSP Customer
Name
– If the events match successfully, the exploit information is
updated in the exploitdetection.csv file
> $ESEC_HOME/data/map_data/exploitdetection.csv
» IP, Device & Attack names, MSSP Customer name
– The mapping service populates the vulnerability event field
> Used to evaluate whether the incoming event exploits a vulnerability
» If the value is 1, the destination device IS exploited
» If the value is 0, the destination device is NOT exploited
13 © Novell, Inc. All rights reserved.

14. Brief History

15. History
Advisor v3 Advisor v4
XML Files CSV
Database Space GB Database Space MB
Disk Space GB Disk Space MB
Feed Process Time - Hours Feed Process Time - Minutes
Failed Feed Recovery - Hours Failed Feed Recovery - Minutes
Failed Process required database
MD5sum
cleanup
Configured at Install only Can be configured at any time
Log files for failure Internal Events
15 © Novell, Inc. All rights reserved.

16. History
• Supported Systems
– IDS
– IPS
– Vulnerability
16 © Novell, Inc. All rights reserved.

17. Installation/Maintenance

18. Installation
• Requirements
– The Advisor service and Exploit Detection rely on mappings
between attacks on assets and vulnerabilities of devices. As
such it requires the following data to work with Advisor
> Vulnerability scan data
» Sentinel supports multiple Vulnerability scanners
> Advisor map data
» Contains data about known threats, attacks, and vulnerabilities
» Service gathers information from multiple vulnerability and IDS vendors
» Creates mappings from abstract Vuln and attack data
» Security Nexus provides the advisor feed data
> Real Time attack data
» The real time attacks that are detected as events are loaded into the Sentinel
database from IDS collectors
18 © Novell, Inc. All rights reserved.

19. Installation
• Installation media
– SP2 Full installer
– SP2 Patch installer
• Initial load data
– Advisor v4 feed files are included with Novell Sentinel ®
™
> $ESEC_HOME/data/updates/advisor
– After initial load, updates are performed on scheduled basis
> Advisor license/subscription is required for updates
> Feed location;
https://secure-www.novell.com/sentinel/download/advisor/feed/
19 © Novell, Inc. All rights reserved.

20. Usage/Maintenance
• Advisor User Interface
• Novell Sentinel Control Center
®
™
– Must have Advisor Interface permissions
– Advisor Tab
> Status information
– Admin Tab
> Manual process of files in specified location
> Download Manager
» Initialize download
» Edit configuration preferences
> Preview Threat Map
20 © Novell, Inc. All rights reserved.

21. Usage/Maintenance
21 © Novell, Inc. All rights reserved.

22. Usage/Maintenance
22 © Novell, Inc. All rights reserved.

23. Usage/Maintenance
23 © Novell, Inc. All rights reserved.

24. Maintenance
• Advisor data feed source is updated on a regular basis
– Updating your database with current data feeds
> Automatic scheduling of updates
> Manual update
• Scripts
– Novell Sentinel 6.1SP2 & RD
®
™
> $ESEC_HOME/bin/advisor.sh
• Configuration
– advisor_client.xml
24 © Novell, Inc. All rights reserved.

25. Maintenance
• Logging
– As of v4 all logging is done to das_query logs
– Configuration for additional logging should be made to the
das_query_log.prop in the $ESEC_HOME/config directory
– Logs status of download and checking for feed notifcations
• Example;
Fri Mar 05 05:05:21 MST 2010|INFO|Thread-148570|
esecurity.ccs.comp.downloadfeed.
Downloader.download Downloaded file:
advnxsfeed.51.zip.md5 to local directory /opt/novell/se
ntinel6/data/updates/advisor
25 © Novell, Inc. All rights reserved.

26. Manual update
• A manual download of the advisor feeds can be done
as needed
– Login to the Novell Advisor feed download site using your
eLogin username and password that is associated with the
Advisor license
– Download any advisor feed files you need making sure to
include both the .zip and .md5 files.
– Copy the files to the directory on the Sentinel server you have
specified in the configuration
> Default location is $ESEC_HOME/data/updates/advisor
– In the Admin Tab → Advisor → Process Now
26 © Novell, Inc. All rights reserved.

27. Manual Update
27 © Novell, Inc. All rights reserved.

28. Manual Update
28 © Novell, Inc. All rights reserved.

29. Automatic Update
29 © Novell, Inc. All rights reserved.

30. Maintenance
• Advisor notifications
– Errors
> Errors in downloading feeds or data loading
– Success/failure on updates
> Success or failure messages on advisor feed updates
– Notifications
> Correlation rules
» Actions such as send email
30 © Novell, Inc. All rights reserved.

31. Maintenance
• Exploit Detection Data Generation
– By default scheduled to run every 30 minutes
> Configurable in $ESEC_HOME/config/das_query.xml
> Object component, <obj-component id="ExploitDetectDataGenerator">
> Property, <property name="minRegenerateInterval">1800000</property>
• Scheduled Updates
– Direct Download
> 6 hour, 12 hour, Daily, Weekly, Monthly
» The time of the download is based off the first successful download
~ Success at 10:30am results in 4:30pm for 6 hours configuration
31 © Novell, Inc. All rights reserved.

32. Usage
• View advisor data in SCC, Sentinel Control Center
™
– Right click an event → analyze → Advisor data
– Only available after initial data load
– Analyze is only available if event data is from a Supported IDS
Device
– Regular updates are necessary to ensure accuracy of data
32 © Novell, Inc. All rights reserved.

33. Demonstration

34. Demonstration
• Demonstration details
– Advisor download
– Advisor Processing
– Vulnerability scanning with test data
– Basic IDS Collector with Sample data
– Exploit detection
– Analyze Data
34 © Novell, Inc. All rights reserved.

35. Q&A

37. Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc.
Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope
of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified,
translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc.
Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a
product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in
making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents
of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any
particular purpose. The development, release, and timing of features or functionality described for Novell products
remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to
make changes to its content, at any time, without obligation to notify any person or entity of such revisions or
changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc.
in the United States and other countries. All third-party trademarks are the property of their respective owners.