Tutorial: Using Sentinel's Exploit Detection


We need to implement Sentinel's Exploit Detection functionality.


1. Unzip the 3 subfolders in the ED-DemoCollectors.zip file into the Elements folder.

2. Configure 3 new ports in Collector Builder with the following port options.

Figure 1 - Port options in Collector Builder

3. Click Save.

You will now get this reminder:

Figure 2 - Wizard warning

4. Click OK.

5. Click the Upload/Download button to display the upload/download dialog.

Figure 3 - Upload/Download dialog

6. Click Upload. You will see the Transfer Progress window:

Figure 4 - Transfer Progress window

7. Install the Advisor component from the install CD, choosing the standalone configuration. The advisor feed folder should be something like "advisorfeed" or "advisor_data" in the %ESEC_HOME%\sentinel directory.

8. Open a web browser and point it to http://advisor.esecurityinc.com

9. Use the Advisor user name and password to log in.

10. Click Downloads. This will take you to the attacks and alerts.

11. From each of these, select the latest folder and download its 'all' file.

12. Unzip these into two separate folders on your system. One should be called 'attack' and the other should be called 'alert'. Put the alert files into the alert folder and the attack files into the attack folder.

13. Move the alert and attack folders into the advisorfeed or advisor_data folder in %ESEC_HOME%\sentinel\ (Windows) or $ESEC_HOME/sentinel (Linux).

14. Run advisor.bat (Windows) or advisor.sh (Linux). This should run for a while (on my system, this takes up to 10 minutes the first time around).

15. Start the ports named "AssetImport" and "VulnerabilitesImport". They should run for a couple of seconds and then automatically stop.

Figure 5 - Port descriptions

When you run the port "DemoAttacks", you should see attack events in Sentinel Control Center. One of these events should have the 'vulnerability' meta-tag (column) set to 1. This indicates that Sentinel's exploit detection has determined that the attack maps to a known vulnerability on that system. You can now right-click on the event and see the asset, vulnerability, and advisor data for this host/attack/vulnerability combination.
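The correlation behind that flag, sketched as an added example (this is not Sentinel's code): an Advisor-style feed maps attack signatures to vulnerabilities, a vulnerability import maps assets to the vulnerabilities found on them, and an event is flagged 1 when the two sets overlap for the targeted host. The data model, field names, and every identifier below are constructed for illustration, and returning 0 or None for the non-matching cases is an assumption of this sketch.

```python
from typing import Optional

# Constructed Advisor-style feed: (IDS product, signature) -> vulnerabilities it exploits
ADVISOR_MAP = {
    ("DemoIDS", "SIG-1001"): {"VULN-A"},
    ("DemoIDS", "SIG-1002"): {"VULN-B", "VULN-C"},
}

# Constructed vulnerability-scan import: asset IP -> vulnerabilities found on that asset
ASSET_VULNS = {
    "10.0.0.5": {"VULN-A", "VULN-D"},
    "10.0.0.6": set(),  # scanned, nothing found
}

def matched_vulns(event, advisor_map=ADVISOR_MAP, asset_vulns=ASSET_VULNS):
    """Return the vulnerabilities the attack exploits that the target has,
    or None when either side of the join has no data."""
    exploited = advisor_map.get((event["product"], event["signature"]))
    present = asset_vulns.get(event["target_ip"])
    if exploited is None or present is None:
        return None  # unmapped signature or unscanned host: cannot decide
    return exploited & present

def vulnerability_flag(event, **maps) -> Optional[int]:
    """1 = attack maps to a known vulnerability on the target,
    0 = both feeds have data but nothing overlaps, None = no data."""
    hits = matched_vulns(event, **maps)
    if hits is None:
        return None
    return 1 if hits else 0

def tag_events(events, **maps):
    """Copy each event and add the 'vulnerability' column."""
    return [dict(e, vulnerability=vulnerability_flag(e, **maps)) for e in events]

# Constructed sample events, standing in for what a demo attack port would emit
EVENTS = [
    {"product": "DemoIDS", "signature": "SIG-1001", "target_ip": "10.0.0.5"},
    {"product": "DemoIDS", "signature": "SIG-1002", "target_ip": "10.0.0.5"},
    {"product": "DemoIDS", "signature": "SIG-1001", "target_ip": "10.0.0.6"},
    {"product": "DemoIDS", "signature": "SIG-9999", "target_ip": "10.0.0.5"},
    {"product": "DemoIDS", "signature": "SIG-1001", "target_ip": "10.0.0.9"},
]

if __name__ == "__main__":
    for e in tag_events(EVENTS):
        print(e["signature"], e["target_ip"], "vulnerability =", e["vulnerability"])
```

Only the first sample event is flagged, which mirrors the tutorial's result where one of the demo attack events carries the value 1; an empty asset or vulnerability import leaves every event undecided, which is why the import ports are run before the attack port.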


Last update: 2007-04-11 11:25