Cannot access Advisor data from Sentinel Control Center

  • 3173228
  • 06-Sep-2007
  • 26-Apr-2012

Environment

Sentinel Server 5.1.3 Hotfix2
Sentinel Control Center

Situation

After applying Sentinel 5.1.3.0 SP1 Hotfix 2, customers can no longer access Advisor data for a given event in Sentinel Control Center (SCC).

Right-clicking the event and choosing Analysis, then Advisor data, returns the error:

"Error Reported by the Database"

Hotfix 2 ships without a required file, and the Hotfix 2 read-me omits an update to das_query.xml that is needed to enable this feature.

Resolution

To resolve this issue, do the following:

1) Make sure that all machines running SCC and the central DAS/Sentinel server are at the same patch level, i.e. Sentinel 5.1.3.0 SP1 HF2.

2) The missing file is exploit_detect_data_generator.prop. Its contents are listed in the Additional Information section of this TID and can be created manually with a text editor: copy the text from that section into a new file named exploit_detect_data_generator.prop, then place the file in the path appropriate for the OS.
Windows:
%ESEC_HOME%\sentinel\config\exploit_detect_data_generator.prop
Unix:
$ESEC_HOME/sentinel/config/exploit_detect_data_generator.prop

3) ***IMPORTANT***
Back up the existing das_query.xml file before changing it.

Update the das_query.xml file as follows:

a) Update the component AdvisorQueryService by adding a new property
../config/exploit_detect_data_generator.prop

So the updated component should look like:

esecurity.ccs.comp.advisor.service.AdvisorQueryService

esecurity.ccs.comp.advisor.service.DataObjectAdvisorStore
../config/exploit_detect_data_generator.prop

20
10


b) Update the component ExploitDetectDataGenerator by adding a new property
../config/exploit_detect_data_generator.prop

So the updated component should look like:

esecurity.ccs.comp.exploitdetect.ExploitDetectDataGenerator


true
../config/exploit_detect_data_generator.prop
1800000


esecurity.ccs.comp.exploitdetect.ExploitMapCreator


***IMPORTANT***
das_query.xml is an XML file, so element hierarchy matters; make sure you have followed the above steps exactly, and confirm the edited file still parses before restarting DAS.

Additional Information

exploit_detect_data_generator.prop

exclude.names=RealSecure,RealSecure Desktop,RealSecure Guard,RealSecure Server,BlackICE,Proventia
exclude.ids=Snort,Cisco IOS,IntruShield,ManHunt,Phalanx,SecureNet_Provider,Secure,Dragon Network,Dragon,Intruder
alias.id.RealSecure=xforce
alias.id.RealSecure_Desktop=xforce
alias.id.RealSecure_Guard=xforce
alias.id.RealSecure_Server=xforce
alias.id.BlackICE=xforce
alias.id.Proventia=xforce
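As an added example (not code from the TID or from Sentinel itself), the following Python parses the exploit_detect_data_generator.prop contents above into its exclusion lists and alias map, and sanity-checks an edited das_query.xml the way the IMPORTANT note above asks for: it must still parse as XML and must reference the .prop path once for each of the two components. The lookup rule that alias keys are product names with spaces replaced by underscores, and the parse_prop/alias_for/check_das_query function names, are assumptions.

```python
# Added example, not part of the TID. Semantics of exclude.*/alias.id.* keys are
# inferred from the key names in the TID and labelled as assumptions.
import xml.etree.ElementTree as ET

PROP_PATH = "../config/exploit_detect_data_generator.prop"

# Verbatim contents of exploit_detect_data_generator.prop from the TID.
PROP_TEXT = """\
exclude.names=RealSecure,RealSecure Desktop,RealSecure Guard,RealSecure Server,BlackICE,Proventia
exclude.ids=Snort,Cisco IOS,IntruShield,ManHunt,Phalanx,SecureNet_Provider,Secure,Dragon Network,Dragon,Intruder
alias.id.RealSecure=xforce
alias.id.RealSecure_Desktop=xforce
alias.id.RealSecure_Guard=xforce
alias.id.RealSecure_Server=xforce
alias.id.BlackICE=xforce
alias.id.Proventia=xforce
"""


def parse_prop(text):
    """Parse Java-style key=value lines into (exclude_names, exclude_ids, aliases)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank lines and properties-file comments
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    names = {v.strip() for v in props.get("exclude.names", "").split(",") if v.strip()}
    ids = {v.strip() for v in props.get("exclude.ids", "").split(",") if v.strip()}
    aliases = {k[len("alias.id."):]: v for k, v in props.items() if k.startswith("alias.id.")}
    return names, ids, aliases


def alias_for(product, aliases):
    """Assumed rule: alias keys are the product name with spaces replaced by '_'."""
    return aliases.get(product.replace(" ", "_"))


def check_das_query(xml_text):
    """Return True if the edited das_query.xml is well-formed XML and references
    the .prop path exactly twice (AdvisorQueryService + ExploitDetectDataGenerator)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return False  # hierarchy was broken while editing
    refs = sum(1 for el in root.iter()
               if (el.text or "").strip() == PROP_PATH or PROP_PATH in el.attrib.values())
    return refs == 2
```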