Tutorial: Using Sentinel's Exploit Detection
This tutorial walks through setting up Sentinel's Exploit Detection functionality.
1. Unzip the 3 subfolders in the ED-DemoCollectors.zip file into the Elements folder.
2. Configure 3 new ports in Collector Builder with the following port options.
Figure 1 - Port options in Collector Builder
3. Click Save.
You will now get this reminder:
Figure 2 - Wizard warning
4. Click OK.
5. Click the Upload/Download button to display the upload/download dialog.
Figure 3 - Upload/Download dialog
6. Click Upload. You will see the Transfer Progress window:
Figure 4 - Transfer Progress window
7. Install the Advisor component from the install CD, choosing the standalone configuration. The advisor feed folder should be something like "advisorfeed" or "advisor_data" in the %ESEC_HOME%\sentinel directory.
8. Open a web browser and point it to http://advisor.esecurityinc.com
9. Use the Advisor user name and password to log in.
10. Click Downloads. This takes you to the attacks and alerts downloads.
11. From each of these, select the latest folder and download the 'all' file from them.
12. Unzip these into two separate folders on your system. One should be called 'attack' and the other should be called 'alert'. Put the alert files into the alert folder and the attack files into the attack folder.
13. Move the alert and attack folders into the advisorfeed or advisor_data folder in %ESEC_HOME%\sentinel\ (Windows) or $ESEC_HOME/sentinel (Linux).
14. Run advisor.bat (Windows) or advisor.sh (Linux). This should run for a while (on my system, this takes up to 10 minutes the first time around).
15. Start the ports named "AssetImport" and "VulnerabilitesImport". They should run for a couple of seconds and then automatically stop.
Figure 5 - Port descriptions
When you run the port "DemoAttacks", you should see attack events in Sentinel Control Center. One of these events should have the 'vulnerability' meta-tag (column) set to 1. This indicates that Sentinel's exploit detection has determined that the attack maps to a known vulnerability on that system. You can now right-click on the event and see the asset, vulnerability, and advisor data for this host/attack/vulnerability combination.
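The matching that the previous paragraph describes (attack signature mapped via advisor data to a vulnerability, checked against the target host's imported vulnerability list, and the Vulnerability column set to 1 on a hit), as an added Python example that is not Sentinel's own code. It assumes a hypothetical advisor map and per-host vulnerability data; all sample data is constructed and the vulnerability IDs are placeholders.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the advisor feed: IDS attack signature -> set of
# vulnerability IDs the signature exploits (placeholder IDs, not real ones).
ADVISOR_ATTACK_MAP = {
    "WEB-IIS ISAPI overflow": {"VULN-0001"},
    "SMB null session": {"VULN-0002", "VULN-0003"},
    "ICMP echo request": set(),          # reconnaissance, no vulnerability mapped
}

# Constructed stand-in for the VulnerabilitiesImport data: vulnerability IDs a
# scanner reported for each asset, keyed by IP address.
ASSET_VULNERABILITIES = {
    "10.0.0.5": {"VULN-0001"},
    "10.0.0.9": {"VULN-0003"},
}


@dataclass
class AttackEvent:
    signature: str
    dest_ip: str
    vulnerability: int = 0                       # the Vulnerability meta-tag (column)
    matched: set = field(default_factory=set)    # vulnerability IDs that caused the hit


def detect_exploit(event, attack_map=ADVISOR_ATTACK_MAP, asset_vulns=ASSET_VULNERABILITIES):
    """Set event.vulnerability to 1 when the signature maps to a vulnerability
    that the vulnerability import lists for the target host, else 0."""
    advised = attack_map.get(event.signature, set())     # unknown signature -> no mapping
    present = asset_vulns.get(event.dest_ip, set())      # unknown asset -> nothing known
    event.matched = advised & present
    event.vulnerability = 1 if event.matched else 0
    return event


def run_demo(events):
    return [detect_exploit(e) for e in events]


# Constructed sample events, in the spirit of the DemoAttacks port.
SAMPLE_EVENTS = [
    AttackEvent("WEB-IIS ISAPI overflow", "10.0.0.5"),   # vuln present on target -> 1
    AttackEvent("WEB-IIS ISAPI overflow", "10.0.0.9"),   # target lacks that vuln -> 0
    AttackEvent("SMB null session", "10.0.0.9"),         # one of two mapped vulns present -> 1
    AttackEvent("ICMP echo request", "10.0.0.5"),        # no advisor mapping -> 0
    AttackEvent("SMB null session", "10.0.0.77"),        # asset not in the import -> 0
]

if __name__ == "__main__":
    for e in run_demo(SAMPLE_EVENTS):
        print(f"{e.signature:25} {e.dest_ip:10} Vulnerability={e.vulnerability} {sorted(e.matched)}")
```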