Intrusion Alert - Email vs SNMP

Hi everyone,

 

We have an FMC set up that is managing a number of FTD devices. We currently have alerts set up to send emails when intrusion events occur. Emails are generated using the Impact Flag settings and when specific rules are fired (via the Intrusion Email tab in the Policy -> Actions -> Alerts section).

 

We have set up SNMP traps to be sent when Impact Flag alerts are generated. We want to be able to auto-generate tickets for inspection/review. However, when SNMP traps do come through, it seems to be missing quite a bit of information.

 

This is what the Intrusion email looks like via Impact Flag Alerts (I have redacted certain information):

 

[1:27964:6] "MALWARE-CNC Win.Trojan.Gh0st variant outbound connection" [Impact: Vulnerable] From "(IP Address_FTD Device)" at Mon Apr  5 12:38:45 2021 UTC [Classification: A Network Trojan was Detected] [Priority: 1] {tcp} (SOURCE_IP:Port) (unknown)->(DEST_IP:Port) (unknown)

 

This is what the SNMP trap looks like:

 

Trap: [Trap Number] (translated from v2c)
Mon Apr 5 08:38:45 2021
Src IP: (Redacted)
Agent: (Redacted)
Trap Type: Vendor Specific
Specific Type: XX
Enterprise: [Version]
Timestamp: 3746566981
Object:1.3.6.1.4.1.14223.1.1.29 Value: (IP Address_FTD Device)
Object:1.3.6.1.4.1.14223.1.1.1 Value: (0123456789ABCDEF)
Object:1.3.6.1.4.1.14223.1.1.115 Value:Global
Object:1.3.6.1.4.1.14223.1.1.32 Value:XX
Object:1.3.6.1.4.1.14223.1.1.43 Value:Vulnerable
Object:1.3.6.1.4.1.14223.1.1.13 Value: (Intrusion_SOURCE_IP)

 

How can I get the SNMP trap to be more descriptive? Is there something about that 16 digit value in the SNMP trap that is related to the intrusion description? If so, what needs to be done on our end to translate the SNMP trap? Any assistance would be greatly appreciated. Thank you.


Accepted Solutions

OK, looking through the documentation, would it be accurate to say that the MIB would assist in translating the SNMP traps?

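An added example of the translation step the accepted answer points at (this is not code from the post, from Cisco, or from the vendor MIB): a small Python script that parses a trap dump of the shape shown above into named fields, keeps a list of OIDs it could not translate, and shapes the result for ticket creation. The OID-to-name table is an assumption standing in for the real labels in the FMC MIB, so swap in the MIB's names before relying on it; the sample trap is constructed from the layout in the post with made-up addresses, IDs and enterprise value. It also makes the practical limit visible: the trap carries only the varbinds the agent sends, so the rule message, classification and destination that the e-mail alert shows are not in it and are recorded as needing an FMC lookup rather than guessed.

```python
"""Translate a Sourcefire/FMC SNMP trap dump into a ticket-ready record.

Added example, not code from the original post or from Cisco. The
OID_NAMES table is an ASSUMPTION standing in for the vendor MIB's labels
(only the enterprise arc 1.3.6.1.4.1.14223 is taken from the trap shown);
load the real names from the MIB shipped with FMC before relying on them.
"""
import re
from dataclasses import dataclass

# Constructed sample following the layout in the post; addresses, trap
# number, specific type, event ID and enterprise value are made up.
SAMPLE_TRAP = """\
Trap: 42 (translated from v2c)
Mon Apr 5 08:38:45 2021
Src IP: 192.0.2.10
Agent: 192.0.2.10
Trap Type: Vendor Specific
Specific Type: 5
Enterprise: 1.3.6.1.4.1.14223
Timestamp: 3746566981
Object:1.3.6.1.4.1.14223.1.1.29 Value: 192.0.2.10
Object:1.3.6.1.4.1.14223.1.1.1 Value: 0123456789ABCDEF
Object:1.3.6.1.4.1.14223.1.1.115 Value:Global
Object:1.3.6.1.4.1.14223.1.1.32 Value:7
Object:1.3.6.1.4.1.14223.1.1.43 Value:Vulnerable
Object:1.3.6.1.4.1.14223.1.1.13 Value: 198.51.100.23
"""

ENTERPRISE = "1.3.6.1.4.1.14223"

# ASSUMED symbolic names for the varbinds seen in the trap; replace with
# the labels from the FMC MIB. Unknown OIDs are reported, not dropped.
OID_NAMES = {
    ENTERPRISE + ".1.1.29": "sensor_address",
    ENTERPRISE + ".1.1.1": "event_id_hex",
    ENTERPRISE + ".1.1.115": "domain",
    ENTERPRISE + ".1.1.32": "event_type",
    ENTERPRISE + ".1.1.43": "impact",
    ENTERPRISE + ".1.1.13": "source_address",
}

VARBIND_RE = re.compile(r"^Object:\s*(?P<oid>[0-9.]+)\s+Value:\s*(?P<value>.*)$")
HEADER_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s*(?P<value>.*)$")

# Fields the e-mail alert carries that the trap above does not.
MISSING_FROM_TRAP = (
    "signature (gid:sid:rev) and rule message",
    "classification and priority",
    "protocol and destination address/port",
)


@dataclass
class Trap:
    header: dict
    varbinds: dict
    unknown_oids: list


def parse_trap(text):
    """Parse one trap dump into header fields and MIB-named varbinds.

    'Object:<oid> Value:<v>' lines become varbinds keyed by their MIB name;
    OIDs absent from OID_NAMES keep their dotted form and are listed in
    unknown_oids so a gap in the name table is visible. Other 'Key: value'
    lines go into the header; the bare date line is stored under 'Time'.
    """
    header, varbinds, unknown = {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = VARBIND_RE.match(line)
        if m:
            oid, value = m.group("oid"), m.group("value").strip()
            name = OID_NAMES.get(oid)
            if name is None:
                unknown.append(oid)
                name = oid
            varbinds[name] = value
            continue
        m = HEADER_RE.match(line)
        if m:
            header[m.group("key").strip()] = m.group("value").strip()
        else:
            header.setdefault("Time", line)
    return Trap(header, varbinds, unknown)


def to_ticket(trap):
    """Shape a translated trap into the fields a ticketing system needs.

    The hex event identifier is kept as an opaque correlation key for
    looking the event up in FMC; nothing is inferred from its contents.
    """
    vb = trap.varbinds
    title = "Intrusion event [Impact: %s] from sensor %s, source %s" % (
        vb.get("impact", "?"), vb.get("sensor_address", "?"), vb.get("source_address", "?"))
    return {
        "title": title,
        "time_at_receiver": trap.header.get("Time"),
        "agent": trap.header.get("Agent"),
        "agent_timestamp_raw": trap.header.get("Timestamp"),
        "correlation_key": vb.get("event_id_hex"),
        "fields": dict(vb),
        "needs_fmc_lookup": list(MISSING_FROM_TRAP),
        "untranslated_oids": list(trap.unknown_oids),
    }


if __name__ == "__main__":
    for key, value in to_ticket(parse_trap(SAMPLE_TRAP)).items():
        print("%-20s %s" % (key, value))
```

The trap receiver's date line has no zone marker, so keep it as received and do the time correlation against FMC separately; the script deliberately does not convert it. Anything in `untranslated_oids` after the real MIB names are loaded is a varbind the MIB you have does not describe, which is worth flagging before tickets are generated from it.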