emailalert.pl for 5.x actions
01-13-2006 11:31 PM - edited 03-10-2019 01:50 AM
We have been using the emailalert.pl script to send emails when certain sigs fire. Previously we had all 4.x sensors, and now we have upgraded them all to 5.x. The script still works; however, the "Actions taken:" part of the email is blank. Does anyone know of a way to have it list the new 5.x actions (denypacket)? I suppose a new script may have to be written. Is Cisco going to update this?
Thanks
M
Labels: IPS and IDS
01-15-2006 08:05 PM
Hmmm, I'll get onto it. I wrote the scripts and I must apologise I did some quick testing when v5 came out and saw that it still produced alerts and left it at that. I'll get onto it as soon as I can and will update the web site with the details, my apologies.
01-15-2006 11:51 PM
Wow, how about that. Post a question and the author of the script responds! Good success story for the forums!
Thank you for taking a look, and no need to apologize. The script is extremely valuable to our team. I will keep watching this post. Thank you again.
M
04-01-2006 08:24 AM
Hello,
Any luck on updating your script?
Mike
06-21-2006 06:26 PM
My apologies, been a mad house here for the past few months and this completely slipped through the cracks. I'll get onto it next week when I have some time and will post the finalised script here for your use. Again, my apologies.
06-26-2006 10:05 PM
OK, here 'tis, finally. Sorry for the delays. Let me know if it doesn't work correctly.
Change its name to emailalertv5.pl (I wasn't allowed to attach .pl files up here), and save it into the same directory as your current script. Then change your SecMon Notifications config to point to this script, leave the Query variable the same.
06-27-2006 03:44 PM
Works great! I also like the added info; adding the RiskRating and int name is very helpful.
Thank you again
A note about getting the NSDB URL working: you must change the nsdb in the URL path to nsdb5.
https://ipofvmsserver/vms/nsdb5/
Mike
06-15-2006 12:37 PM
Hello. You wrote the scripts? Maybe you can help me. I opened a TAC incident a couple of years ago and they failed to resolve this for me. I've been using 4.x sensors for 3 years now, and the emailalert script has never reliably worked. I received a few odd emails here and there, and then it stopped working and I haven't been able to get it working since. It isn't an email issue, because I can use blat from the command line to send emails from the VMS box all day long. If I look at the temp file, it just never gets updated. I have a rule set now that should trip constantly. I set it up for testing purposes. It's set to run the script after every single occurrence of any type of alarm, but it never does a thing. Can you tell me what I may be doing wrong? If I run the script manually I get an email containing this:
reported a severity alert at :: on //
Signature: (:)
Attacker: ---> Victim:
Alert details:
Actions taken: None
NSDB: https://hastingsvms/vms/nsdb/html/expsig_.html
So I think the script is okay and that blat is set up properly. Something between the IDS MC and the script isn't working, and I don't know where to begin troubleshooting.
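As an added illustration (not the original emailalert.pl and not code posted by anyone in this thread), the Perl sketch below assembles an alert body in the layout quoted in the post above, fills "Actions taken:" from the 5.x action list and uses the nsdb5 path mentioned earlier, and refuses to mail when the event fields are blank, which is exactly what a manual run with no event data produces. The %alert keys, the sensor_major switch and the sample values are assumptions, not the script's real variable names.

```perl
#!/usr/bin/perl
# Added illustration, not the original emailalert.pl. The %alert keys are an
# assumed mapping of the Notifications query variables, not the real names.
use strict;
use warnings;

my @REQUIRED = qw(sensor severity time date sigid subsig signame attacker victim vms_host);

# Returns (body, []) on success, or (undef, [missing keys]) when the event data
# is incomplete, so the caller logs instead of mailing the blank alert seen above.
sub build_body {
    my ($ev) = @_;
    my @missing = grep { !defined $ev->{$_} || $ev->{$_} eq '' } @REQUIRED;
    return (undef, \@missing) if @missing;

    # 5.x sensors report a list of actions (e.g. denyPacket); 4.x left it empty.
    my @actions = @{ $ev->{actions} || [] };
    my $actions = @actions ? join(', ', @actions) : 'None';

    # The 5.x VMS install serves the signature database under nsdb5, not nsdb.
    my $nsdb = ($ev->{sensor_major} || 4) >= 5 ? 'nsdb5' : 'nsdb';
    my $url  = "https://$ev->{vms_host}/vms/$nsdb/html/expsig_$ev->{sigid}.html";

    # Extra fields the v5 script added, shown only when the sensor supplied them.
    my @details;
    push @details, "RiskRating=$ev->{risk_rating}" if defined $ev->{risk_rating};
    push @details, "Interface=$ev->{interface}"    if defined $ev->{interface};

    my $body = "$ev->{sensor} reported a $ev->{severity} severity alert at $ev->{time} on $ev->{date}\n"
             . "Signature: $ev->{signame} ($ev->{sigid}:$ev->{subsig})\n"
             . "Attacker: $ev->{attacker} ---> Victim: $ev->{victim}\n"
             . "Alert details: " . join(', ', @details) . "\n"
             . "Actions taken: $actions\n"
             . "NSDB: $url\n";
    return ($body, []);
}

# Constructed sample event (not a real sensor capture) to exercise the function.
my %alert = (
    sensor => 'sensor1', severity => 'high', time => '11:31:05', date => '01/13/06',
    sigid => 12345, subsig => 0, signame => 'Example Signature',
    attacker => '192.0.2.10', victim => '192.0.2.20', actions => ['denyPacket'],
    risk_rating => 85, interface => 'GigabitEthernet0/1', sensor_major => 5,
    vms_host => 'vms.example.net',
);
my ($body, $missing) = build_body(\%alert);
if ($body) { print $body }                                  # hand this to blat as the message
else       { warn "no event data, not mailing (missing: @$missing)\n" }
```

Running it with the event keys deleted reproduces the symptom described above (a body with every field empty) as a logged refusal instead of an empty email.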
