
Vulnerability Collector Problem


Good morning everybody. I have installed and configured McAfee
Vulnerability Manager 6.8 for checking when a scan of any IP finds
vulnerabilities.
In the Sentinel Control Center I cannot view any of the events
generated except some summary fields indicating how many vulnerabilities
were found, but the raw data contains all the information I need. In the VULN
tables of the ESEC database the information is stored successfully.
I do not have Advisor and cannot buy it.
My problem is that I need to do some correlations, but if the
information is not in Sentinel I cannot do that. I have been thinking of
these possible solutions:

1) Modify the Collector JavaScript to parse the fields one by one,
because the raw data has the information needed. This is a lot of work.
2) Create new mappings based on a .csv file that updates
automatically (as it would with Advisor), but the problem is that I
do not know how to do that, if it is possible at all; I know how to create a
file, but only in debug mode.
3) Link the VULN* tables so I might use the information there for doing
correlations (I don't know if it is possible, because the information
stored in VULN* does not appear anywhere in Sentinel, only in the raw
data).

Please help me by indicating which is the best choice and how to find
information about it. Thank you in advance.


--
apinzon
------------------------------------------------------------------------
apinzon's Profile: http://forums.novell.com/member.php?userid=101459
View this thread: http://forums.novell.com/showthread.php?t=433321


Re: Vulnerability Collector Problem


Hi apinzon,

It's not very clear to me what you mean by "do some correlations" - the
act of scanning a host to look for vulnerabilities is an event, but the
set of vulnerabilities found is not an event, hence you can't
"correlate" on them.

The Advisor system will map between the set of vulnerabilities on a
target system and real-time IDS-detected attacks, which are events.

If what you're looking for is a report of vulnerabilities per host,
that is certainly possible, but I would not describe it as a
"correlation."

Can you explain your use case better?


--
DCorlette
------------------------------------------------------------------------
DCorlette's Profile: http://forums.novell.com/member.php?userid=4437
View this thread: http://forums.novell.com/showthread.php?t=433321


Re: Vulnerability Collector Problem


Thanks for your response DCorlette. This is the situation:
- I have the McAfee Vulnerability Manager 6.8 Collector installed and
working.
- When the collector finds a specific vulnerability for any IP, it should
take some action.
- More specifically, I have a list of software allowed for some IPs. If
McAfee finds a vulnerability in any IP related to installed software
(Skype, for instance), I need Sentinel, using a correlation, to verify
whether this IP is authorized, by checking for example a Dynamic list.
- If the software is not authorized, Sentinel should create an incident
automatically.
- This information is stored in the VULN* tables, but I do not know how to
extract it in Sentinel without normalizing all the fields (which is a lot
of manual work).

Thank you in advance for your always useful advice.


--
apinzon
------------------------------------------------------------------------
apinzon's Profile: http://forums.novell.com/member.php?userid=101459
View this thread: http://forums.novell.com/showthread.php?t=433321


Re: Vulnerability Collector Problem


OK, I see.

Interesting use case.

In essence, what you're trying to do is to compare the current
configuration (e.g. software installed, etc) of systems in your
environment against a known "approved" configuration, e.g. the list of
IPs and approved software that you have. This is traditionally the
domain of the CMDB, not so much real-time event systems like Sentinel,
but is certainly a use case that we are interested in expanding to
handle in the future.

One interesting approach might be for you to inject your list of IP
addresses and approved software into the Sentinel database schema,
creating custom tables and views as necessary. You'll also have to come
up with some way to keep the list up to date.

Then, maybe all you do is schedule a report that reports on the
detected vulnerabilities and compares them against the list of approved
software. If you set the permissions correctly on the tables/views you
create, there's no reason your report, running in Sentinel, can't access
both sets of data.

W.r.t. the Vuln tables, it shouldn't be too hard to figure out how they
are constructed - do you know about the schema page at
http://support.novell.com/products/sentinel/secure/schema/ ?

I think basically by joining the VULN_RSRC table (which contains the IP
of the resource scanned) with the VULN table, you'll get your list of
vulnerabilities on a particular system.


--
DCorlette
------------------------------------------------------------------------
DCorlette's Profile: http://forums.novell.com/member.php?userid=4437
View this thread: http://forums.novell.com/showthread.php?t=433321


Re: Vulnerability Collector Problem


I was thinking of a simpler solution, because I don't want to review all
the software on every machine. I just want that, when McAfee finds a
vulnerability in non-authorized software (Skype, for instance),
Sentinel creates an incident automatically in order to uninstall that
software. Today I could do that by normalizing the McAfee log, because
the raw data contains all the information I need, but I wonder if, for
example, I could do some mappings using a CSV file that the collector
builds (I don't know if a collector is able to generate an auto-updated
CSV file as output, as it does using Advisor).
My VULN* tables are generated correctly and I could join the VULN table and
VULN_RSRC as you suggested (in fact I think Sentinel joins both tables),
but I don't know how to use those tables within Sentinel. Should I
install another SQL Collector pointing to a View of those tables for
checking the records, or is there an easier way to do that?
Thank you in advance.


--
apinzon
------------------------------------------------------------------------
apinzon's Profile: http://forums.novell.com/member.php?userid=101459
View this thread: http://forums.novell.com/showthread.php?t=433321


Re: Vulnerability Collector Problem


Well you have a couple options here, but yes you could construct a
Collector that queries the Sentinel tables themselves and generates
events as vulnerabilities are inserted (you should be able to use the
timestamp as an offset). Or you could modify the existing vulnerability
Collectors to generate "events" as vulnerabilities are processed, even
though reporting a vulnerability isn't really what we think of as a
real-time event.


--
DCorlette
------------------------------------------------------------------------
DCorlette's Profile: http://forums.novell.com/member.php?userid=4437
View this thread: http://forums.novell.com/showthread.php?t=433321
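The two suggestions in this thread, joining VULN with VULN_RSRC to get vulnerabilities per host (and comparing them against a custom approved-software table or view) and a Collector that polls the Sentinel tables using the timestamp as an offset, fit together in one prototype. The following is an added example, not code from the thread, from Novell, or from any Sentinel Collector. It uses an in-memory SQLite database with constructed sample rows; the table and column names (VULN.VULN_ID, VULN.RSRC_ID, VULN.VULN_NAME, VULN.PORT, VULN.CREATED_TIME, VULN_RSRC.RSRC_ID, VULN_RSRC.IP) are assumptions standing in for the real schema, and WATCHED_SOFTWARE, APPROVED_SOFTWARE and the view UNAUTHORIZED_SOFTWARE_VULN are the custom objects DCorlette proposed adding, with names chosen here.

```python
"""Prototype of a polling 'collector' over Sentinel-style VULN tables.

Constructed for illustration: the table and column names below are
assumptions, not the real Sentinel schema (check the schema page linked in
the thread for the actual layout).
"""
import sqlite3
from typing import List, Optional, Tuple

# Assumed minimal layout of the two vulnerability tables, plus two custom
# tables of our own: a watch list of software that must not be present and
# the per-host list of approved software (the "Dynamic list" of the thread).
SCHEMA = """
CREATE TABLE VULN_RSRC (RSRC_ID INTEGER PRIMARY KEY, IP TEXT NOT NULL);
CREATE TABLE VULN (
    VULN_ID      INTEGER PRIMARY KEY,
    RSRC_ID      INTEGER NOT NULL REFERENCES VULN_RSRC(RSRC_ID),
    VULN_NAME    TEXT    NOT NULL,
    PORT         INTEGER,
    CREATED_TIME INTEGER NOT NULL      -- epoch seconds the row was inserted
);
CREATE TABLE WATCHED_SOFTWARE  (SOFTWARE TEXT PRIMARY KEY);
CREATE TABLE APPROVED_SOFTWARE (IP TEXT NOT NULL, SOFTWARE TEXT NOT NULL,
                                PRIMARY KEY (IP, SOFTWARE));
-- The view joins VULN to the scanned host's IP and keeps only findings that
-- name watched software the host is not approved to run.
CREATE VIEW UNAUTHORIZED_SOFTWARE_VULN AS
SELECT v.VULN_ID, v.CREATED_TIME, r.IP, w.SOFTWARE, v.VULN_NAME, v.PORT
FROM VULN v
JOIN VULN_RSRC r ON r.RSRC_ID = v.RSRC_ID
JOIN WATCHED_SOFTWARE w ON v.VULN_NAME LIKE '%' || w.SOFTWARE || '%'
WHERE NOT EXISTS (SELECT 1 FROM APPROVED_SOFTWARE a
                  WHERE a.IP = r.IP AND a.SOFTWARE = w.SOFTWARE);
"""

Offset = Tuple[int, int]  # (CREATED_TIME, VULN_ID) of the last row examined


def open_sample_db() -> sqlite3.Connection:
    """In-memory database seeded with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO VULN_RSRC VALUES (?, ?)",
                     [(1, "10.0.0.5"), (2, "10.0.0.6")])
    conn.executemany("INSERT INTO VULN VALUES (?, ?, ?, ?, ?)", [
        (100, 1, "Skype client outdated",        None, 1000),
        (101, 1, "OpenSSL weak cipher accepted",  443, 1001),
        (102, 2, "Skype client outdated",        None, 1002),
        (103, 2, "uTorrent peer port open",      6881, 1002),  # same second as 102
    ])
    conn.executemany("INSERT INTO WATCHED_SOFTWARE VALUES (?)",
                     [("Skype",), ("uTorrent",)])
    # 10.0.0.6 is allowed to run Skype; 10.0.0.5 is not.
    conn.executemany("INSERT INTO APPROVED_SOFTWARE VALUES (?, ?)",
                     [("10.0.0.6", "Skype")])
    conn.commit()
    return conn


def vulns_per_host(conn: sqlite3.Connection) -> List[Tuple[str, str, Optional[int]]]:
    """The plain VULN / VULN_RSRC join: every finding with the host's IP."""
    return conn.execute(
        "SELECT r.IP, v.VULN_NAME, v.PORT FROM VULN v "
        "JOIN VULN_RSRC r ON r.RSRC_ID = v.RSRC_ID "
        "ORDER BY r.IP, v.VULN_ID").fetchall()


# Keyset filter: strictly newer rows, plus rows with the same timestamp but a
# higher id, so two rows inserted in the same second are never skipped.
KEYSET = "(CREATED_TIME > ? OR (CREATED_TIME = ? AND VULN_ID > ?))"


def poll_unauthorized(conn: sqlite3.Connection,
                      offset: Offset) -> Tuple[List[tuple], Offset]:
    """Return unauthorized-software findings newer than `offset`, each a
    (VULN_ID, IP, SOFTWARE, VULN_NAME) tuple, and the offset for the next poll."""
    ts, vid = offset
    findings = conn.execute(
        "SELECT VULN_ID, IP, SOFTWARE, VULN_NAME FROM UNAUTHORIZED_SOFTWARE_VULN "
        f"WHERE {KEYSET} ORDER BY CREATED_TIME, VULN_ID", (ts, ts, vid)).fetchall()
    # Advance past every VULN row examined in this poll, flagged or not, so
    # the next poll does not re-read them.
    last = conn.execute(
        f"SELECT CREATED_TIME, VULN_ID FROM VULN WHERE {KEYSET} "
        "ORDER BY CREATED_TIME DESC, VULN_ID DESC LIMIT 1", (ts, ts, vid)).fetchone()
    return findings, (tuple(last) if last else offset)


def main() -> None:
    conn = open_sample_db()
    for ip, name, port in vulns_per_host(conn):
        print(f"{ip:10} {name} (port {port})")
    offset: Offset = (0, 0)
    for _ in range(2):  # second round shows an idle poll returning nothing new
        findings, offset = poll_unauthorized(conn, offset)
        for vuln_id, ip, software, name in findings:
            print(f"INCIDENT candidate: {ip} runs unapproved {software}: "
                  f"{name!r} (VULN_ID {vuln_id})")
        print("next offset:", offset)


if __name__ == "__main__":
    main()
```

In a real Collector the offset would be persisted between runs; the (CREATED_TIME, VULN_ID) pair is what makes that safe when several rows share one timestamp, which a plain "timestamp greater than last seen" filter would silently drop. The view does the authorization comparison in SQL, so a scheduled report (the other approach suggested above) could select from the same view instead of the poller.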


Re: Vulnerability Collector Problem


Hi DCorlette, you are right, a vulnerability is not a real-time event, so
I do not know if using a Vulnerability Manager tool is the best choice
for detecting unauthorized software.
I have some other questions related to this thread:
- I know I can use an inventory tool similar to NMAP for creating the
file assets.csv and performing mappings. Can I use McAfee
Vulnerability Manager instead of NMAP for doing the same thing? If yes,
how do I do that? How can I link the Vulnerability Collector output
with the Assets.CSV file?
- In the Sentinel User's Guide is the following sentence: "The
exploitDetection.csv file is automatically generated from Advisor and
Vulnerability data from Sentinel Database when either an Advisor feed is
completed or a vulnerability Collector is run". How could I make
Sentinel map the vulnerability information to the IP of an asset,
for instance, without Advisor?
- I have a SNORT Collector installed. How can I use the information from
this Collector and link it with the Vulnerability Manager information
without using Advisor?
I am looking forward to your answers. Thank you very much in advance.


--
apinzon
------------------------------------------------------------------------
apinzon's Profile: http://forums.novell.com/member.php?userid=101459
View this thread: http://forums.novell.com/showthread.php?t=433321


Re: Vulnerability Collector Problem


- I know I can use an inventory tool similar to NMAP for creating the
file assets.csv and performing mappings. Can I use McAfee
Vulnerability Manager instead of NMAP for doing the same thing? If yes,
how do I do that? How can I link the Vulnerability Collector output
with the Assets.CSV file?

Well, right now the Vuln Mgr Collector does not report anything about
the assets it knows about to the Asset Framework, so you essentially
have two choices:

1) Write a custom Collector to parse the same datafiles and extract
what relevant Asset information you can, then store that in the DB. The
Asset Framework is documented as part of the SDK.
2) Write a custom script to parse the same VM data files and construct
a simple CSV text file, which can then be imported via the Generic Asset
Collector. This option would allow you to inject other interesting
information such as system owner and the like at the same time.

- In the Sentinel User's Guide is the following sentence: "The
exploitDetection.csv file is automatically generated from Advisor and
Vulnerability data from Sentinel Database when either an Advisor feed is
completed or a vulnerability Collector is run". How could I make
Sentinel map the vulnerability information to the IP of an asset,
for instance, without Advisor?

Well, you can't. This is actually a very complex problem and our
partner, SecurityNexus, has built an entire business around providing
those mappings. The issue is not mapping vulns to assets - that's all
part of the vuln scan. The issue is mapping the proprietary, vendor-only
vulnerability information to the real-time vendor-proprietary IDS attack
information, so you can detect if a given IDS attack is actually going
to affect the targeted asset. This will filter out, say, IIS attacks
against Linux systems.

- I have a SNORT Collector installed. How can I use the information from
this Collector and link it with the Vulnerability Manager information
without using Advisor?

See above.


--
DCorlette
------------------------------------------------------------------------
DCorlette's Profile: http://forums.novell.com/member.php?userid=4437
View this thread: http://forums.novell.com/showthread.php?t=433321
