Environment
Sentinel Server 5.1.3 Hotfix2
Sentinel Control Center
Situation
After applying Sentinel 5.1.3.0 Sp1 Hotfix 2, customers can no longer access Advisor data from a given event in Sentinel Control Center (SCC).
Right-click the event, choose Analysis, then choose Advisor data. This returns the error:
"Error Reported by the Database"
Hotfix 2 is missing files, and the Hotfix 2 read-me should also have included an update to das_query.xml that is needed to enable this feature.
Resolution
To resolve this issue, do the following:
1) Make sure that all machines running SCC and the central DAS/Sentinel server are at the same patch level, i.e. Sentinel 5.1.3.0 Sp1 HF2.
2) The missing file is exploit_detect_data_generator.prop. Its contents are listed in the notes section (Additional Information) of this TID. Create a file named exploit_detect_data_generator.prop with a text editor, paste in that text, and place the file at the path appropriate for the OS:
Windows:
%ESEC_HOME%\sentinel\config\exploit_detect_data_generator.prop
Unix:
$ESEC_HOME/sentinel/config/exploit_detect_data_generator.prop
3) ***IMPORTANT***
Back up the existing das_query.xml file before changing it.
Update the das_query.xml file as follows:
a) Update the component AdvisorQueryService by adding a new property
../config/exploit_detect_data_generator.prop
So the updated component should look like:
esecurity.ccs.comp.advisor.service.AdvisorQueryService
esecurity.ccs.comp.advisor.service.DataObjectAdvisorStore
../config/exploit_detect_data_generator.prop
20
10
b) Update the component ExploitDetectDataGenerator by adding a new property
../config/exploit_detect_data_generator.prop
So the updated component should look like:
esecurity.ccs.comp.exploitdetect.ExploitDetectDataGenerator
true
../config/exploit_detect_data_generator.prop
1800000
esecurity.ccs.comp.exploitdetect.ExploitMapCreator
***IMPORTANT***
das_query.xml is an XML file, so element hierarchy matters: the new property must be added inside the correct component element. Make sure you have followed the steps above exactly.
Additional Information
exploit_detect_data_generator.prop
exclude.names=RealSecure,RealSecure Desktop,RealSecure Guard,RealSecure Server,BlackICE,Proventia
exclude.ids=Snort,Cisco IOS,IntruShield,ManHunt,Phalanx,SecureNet_Provider,Secure,Dragon Network,Dragon,Intruder
alias.id.RealSecure=xforce
alias.id.RealSecure_Desktop=xforce
alias.id.RealSecure_Guard=xforce
alias.id.RealSecure_Server=xforce
alias.id.BlackICE=xforce
alias.id.Proventia=xforce
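The following helper script is added here and is not part of this TID or of the Sentinel product. It performs step 2 (creating the .prop file with the content listed above) and the backup in step 3, then checks the hand-edited das_query.xml: the file must still parse as well-formed XML, and both components must reference ../config/exploit_detect_data_generator.prop. The check assumes a layout in which each component element holds its class name as child text (the TID lists the values but not the surrounding tags); the function names and the backup naming are the script's own.

```python
import os, shutil, time
import xml.etree.ElementTree as ET
PROP_NAME = "exploit_detect_data_generator.prop"
PROP_REF = "../config/" + PROP_NAME  # property value both components need
COMPONENTS = ("AdvisorQueryService", "ExploitDetectDataGenerator")
# Verbatim content of the .prop file from the Additional Information section.
PROP_CONTENT = """\
exclude.names=RealSecure,RealSecure Desktop,RealSecure Guard,RealSecure Server,BlackICE,Proventia
exclude.ids=Snort,Cisco IOS,IntruShield,ManHunt,Phalanx,SecureNet_Provider,Secure,Dragon Network,Dragon,Intruder
alias.id.RealSecure=xforce
alias.id.RealSecure_Desktop=xforce
alias.id.RealSecure_Guard=xforce
alias.id.RealSecure_Server=xforce
alias.id.BlackICE=xforce
alias.id.Proventia=xforce
"""

def config_dir(esec_home=None):
    """$ESEC_HOME/sentinel/config (Unix) or %ESEC_HOME%\\sentinel\\config (Windows)."""
    home = esec_home or os.environ["ESEC_HOME"]
    return os.path.join(home, "sentinel", "config")

def ensure_prop_file(cfg):
    """Step 2: create the missing .prop file; an existing one is left untouched."""
    path = os.path.join(cfg, PROP_NAME)
    if not os.path.exists(path):
        with open(path, "w") as fh:
            fh.write(PROP_CONTENT)
    return path

def backup_das_query(cfg):
    """Step 3: timestamped copy of das_query.xml before it is edited."""
    src = os.path.join(cfg, "das_query.xml")
    dst = "%s.bak.%s" % (src, time.strftime("%Y%m%d%H%M%S"))
    shutil.copy2(src, dst)
    return dst

def check_das_query(cfg):
    """Post-edit check: ET.parse raises ParseError if the edit broke the hierarchy.
    Assumed layout (the TID shows values, not tags): the element holding a class
    name sits directly inside its component element, whose subtree must hold PROP_REF."""
    tree = ET.parse(os.path.join(cfg, "das_query.xml"))
    parents = {child: parent for parent in tree.iter() for child in parent}
    missing = list(COMPONENTS)
    for elem in tree.iter():
        for name in list(missing):
            if (elem.text and name in elem.text and elem in parents
                    and PROP_REF in "".join(parents[elem].itertext())):
                missing.remove(name)
    return missing  # component names still lacking the property
```

Run `check_das_query(config_dir())` after editing; an empty list means both components carry the property and the file is still well-formed.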