Auto Generating Reports on VMS based on events

s.surani

Hi,

Is it possible to receive a mail from VMS whenever an event like high signature is detected, can we automate this process, I am unable to find any such settings in VMS, can you please help me out of this.

Thanks and Regards

Salim


This is a script that will somewhat work on VMS and 4.1 sensors

#!/usr/bin/perl

use Time::Local;

#***********************************************************************

#

# FILE NAME : emailalert.pl

#

# DESCRIPTION : This file is a perl script that will be executed as an

# action when an IDS-MC Event Rule triggers, and will send an

# email to $EmailRcpt with additional alert parameters (similar to

# the functionality available with CSPM notifications)

#

# NOTE: this script only works with 4.x sensors. It will

# not work with 3.x sensors.

#

# NOTES : This script takes the ${Query} keyword from the

# triggered rule, extracts the set of alarms that caused

# the rule to trigger. It then reads the last alarm of

# this set, parses the individual alarm fields, and

# calls the legacy script with the same set of command

# line arguments as CSPM.

#

# The calling sequence of this script must be of the form:

#

# emailalert.pl "${Query}"

#

# Where:

#

# "${Query}" - this is the query keyword dynamically

# output by the rule when it triggers.

# It MUST be wrapped in double quotes

# when specifying it in the Arguments

# box on the Rule Actions panel.

#

#

#***********************************************************************

##

## The following are the only two variables that need changing. $TempIDSFile can be any

## filename (doesn't have to exist), just make sure the directory that you specify

## exists. Make sure to use 2 backslashes for each directory, the first backslash is

## so the Perl interpreter doesn't error on the pathname.

##

## $EmailRcpt is the person that is going to receive the email notifications. Also

## make sure you escape the @ symbol by putting a backslash in front of it, otherwise

## you'll get a Perl syntax error.

##

# Scratch file that receives the formatted alert text before blat mails it.
# Written single-quoted here, so the backslashes need no doubling.
$TempIDSFile = 'c:\temp\idsalert.txt';

# Recipient of every notification; single quotes also keep the '@' literal.
$EmailRcpt = 'gfullage@cisco.com';

# subroutine to add leading 0's to any date variable that's less than 10.

# Left-pad a single date/time component with a zero when it is below 10,
# so that 5 prints as "05" in the timestamp line of the notification.
# Returns the (possibly padded) value; anything 10 or greater is returned
# unchanged.
sub add_zero {
    my ($n) = @_;
    return ($n < 10) ? "0$n" : $n;
}

# subroutine to find one or more IP addresses within an XML tag (we can have multiple

# victims and/or attackers in one alert now).

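# Collect every IPv4-looking address inside the part of $_ that matches the
# regex given in $var. The caller passes a tag pattern for the attacker or
# victim element, since one alert may list several hosts in one element.
#
# Arguments: $var - a regex, interpolated unescaped; it is pattern text the
#                   script itself supplies, never alert data.
# Reads:     $_   - the current alert chunk from the caller's foreach loop.
# Returns:   the addresses found, joined with ', ' (an empty string when the
#            element matched but held no address), or an empty string when
#            the tag pattern does not match $_ at all.
#
# The scan uses a capture plus m//g rather than $& and $', because using
# those two variables anywhere slows every regex in the program on perls
# before 5.20, and the scratch buffer is lexical so no package global leaks.
sub find_addresses {
    my ($var) = @_;
    my @addresses = ();
    if ($_ =~ m/($var)/) {
        my $raw = $1;
        while ($raw =~ m/((?:\d{1,3}\.){3}\d{1,3})/g) {
            push @addresses, $1;
        }
        return join(', ', @addresses);
    }
    return '';
}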

# pull out command line arg

# pull out command line arg: the "${Query}" text the IDS-MC rule passes in
# (see the header). Nothing validates it before it reaches the shell below.
$whereClause = $ARGV[0];
# extract all the alarms matching search expression
# (relative name, so it lands in whatever directory the rule action runs from)
$tmpFile = "alarms.out";
# Extract the XML alert/event out of the database.
# NOTE(review): $whereClause is interpolated into one shell command string, so any
# shell metacharacters in the rule's query are interpreted by the command shell.
# The list form, system('IdsAlarms', "-s$whereClause", "-f$tmpFile"), hands the
# arguments over without that parsing -- confirm IdsAlarms accepts its options in
# that shape before switching. The return value of system is also not checked, so a
# failed export is only noticed when the open of $tmpFile below fails.
system("IdsAlarms -s\"$whereClause\" -f\"$tmpFile\"");

# open matching alarm output

# open matching alarm output
# NOTE(review): 2-arg open lets a leading '>' or '|' in the name change the mode;
# harmless with this literal $tmpFile, but the 3-arg form open(ALARM_FILE, '<', $tmpFile)
# is the safer habit.
if (!open(ALARM_FILE, $tmpFile)) {
print "Could not open $tmpFile\n";
exit -1;
}
# read to last line: every line of the export, chomped, into @logfile
# NOTE(review): as rendered, "while ()" has no readline in it; the loop body's use of $_
# implies "<ALARM_FILE>" was stripped by the forum's HTML display -- confirm against the
# original file before running this.
while () {
chomp $_;
push @logfile,$_;
}
# clean up
close(ALARM_FILE);
unlink($tmpFile);

# Open temp file to write alert data into,

# Open temp file to write alert data into,
# NOTE(review): this open is neither checked nor 3-arg; if the directory in $TempIDSFile
# is missing, every print(OUT ...) below is silently lost and blat mails nothing useful.
# A checked form, open(OUT, '>', $TempIDSFile) or ..., would mirror the ALARM_FILE
# handling above.
open(OUT,">$TempIDSFile");
# split XML output into fields: join all lines, drop the closing </events> wrapper, then
# append a comma after each </evAlert> so that split(/,/) yields one alert per item.
$oneline = join('',@logfile);
$oneline =~ s/\<\/events\>//g;
$oneline =~ s/\<\/evAlert\>/\<\/evAlert\>,/g;
# NOTE(review): splitting on every comma also splits inside any alert field that itself
# contains a comma; worth confirming with real IdsAlarms output.
@items = split(/,/,$oneline);

# If you want to see the actual database query result in the email, un-comment out the

# line below (useful for troubleshooting):

# print(OUT "$oneline\n");

# Loop until there's no more alerts

# Loop until there's no more alerts: one pass per <evAlert> chunk from the split above.
# Each field variable is only assigned when its regex matches and none is reset between
# passes, so a chunk that lacks a field prints the previous alert's value for it.
foreach (@items) {
# NOTE(review): as rendered the pattern reads "\(.*)" with an unbalanced ')'; the opening
# <hostId> tag was most likely eaten by the forum's HTML display (same for the <actions>
# pattern further down). Confirm against the original file before running.
if (m/\(.*)\<\/hostId\>/) {
$hostid = $1;
}
if (m/severity="(.*?)"/) {
$sev = $1;
}
# The <time> element carries a numeric timestamp; the trailing 9 digits are discarded and
# the remainder is fed to localtime (presumably seconds followed by a nanosecond part --
# verify against the sensor's time format).
if (m/Zone\=".*"\>(.*)\<\/time\>/) {
$t = $1;
if ($t =~ m/(.*)(\d{9})/) {
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime($1);
# Year is reported from 1900 onwards (eg. 2003 is 103).
$year = $year + 1900;
# Months start at 0 (January = 0, February = 1, etc), so add 1.
$mon = $mon + 1;
$mon = add_zero ($mon);
$mday = add_zero ($mday);
$hour = add_zero ($hour);
$min = add_zero ($min);
$sec = add_zero ($sec);
}
}
if (m/sigName="(.*?)"/) {
$SigName = $1;
}
if (m/sigId="(.*?)"/) {
$SigID = $1;
}
if (m/subSigId="(.*?)"/) {
$SubSig = $1;
}
# NOTE(review): the next two assignments are truncated in this rendering ("\ with no closing
# quote). Judging from the calls that follow, each holds the tag pattern that find_addresses()
# searches the current chunk for (the attacker and the victim address elements); the if
# bodies are empty, so the call's only effect is the assignment.
$attackerstring = "\
if ($attackerstring = find_addresses ($attackerstring)) {
}
$victimstring = "\
if ($victimstring = find_addresses ($victimstring)) {
}
# Collect the name of every child element of <actions> whose text is "true".
@actions = ();
if (m/\(.*)\<\/actions\>/) {
$rawaction = $1;
# NOTE(review): this regex is also cut off in the rendering; it appears to capture a tag
# name in $1 and its text in $2, then advances past the match via $' (which, like $&,
# slows every regex in the program on perls before 5.20 once used anywhere).
while ($rawaction =~ m/\<(\w*?)\>(.*?)\
$rawaction = $';
if ($2 eq "true") {
push @actions,$1;
}
}
if (@actions) {
$actiontaken = join(', ',@actions);
}
else {
$actiontaken = "None";
}
}
## Now write your email notification message. You're writing the following into
## the temporary file for the moment, but this will then be emailed.
##
## Again, make sure you escape special characters with a backslash (note the : between
## the SigID and the SubSig).
## (Each alert chunk appends its own block, so one mail can carry several alerts.)
print(OUT "\n$hostid reported a $sev severity alert at $mon/$mday/$year $hour:$min:$sec\n");
print(OUT "Signature $SigName \($SigID\:$SubSig\) from $attackerstring to $victimstring\n");
print(OUT "Actions taken: $actiontaken \n\n");
print(OUT "----------------------------------------------------\n");
}

# NOTE(review): close on a write handle is where buffered write errors surface; it is not
# checked here, so a full disk would still go on to mail an incomplete file.
close(OUT);
## Now call "blat" to send contents of the file in the body of an email message.
## Blat is a freeware email program for WinNT/95, it comes with VMS in the
## $BASE\CSCOpx\bin directory, make sure you install it first by running:
##
## blat -install
##
## For more help on blat, just type "blat" at the command prompt on your VMS system (make
## sure it's in your path (feel free to move the executable to c:\winnt\system32 BEFORE
## you run the install, that'll make sure your system can always find it).
# NOTE(review): both interpolated values are operator-set constants from the top of the
# script, so the risk is low, but the list form
# system('blat', $TempIDSFile, '-t', $EmailRcpt, '-s', 'Received IDS alert')
# avoids the hand-built quoting. The temp file is not removed afterwards, so the alert
# text (hosts, signature) stays on disk after each run; an unlink($TempIDSFile) once
# the send succeeds would limit that.
system ("blat \"$TempIDSFile\" -t \"$EmailRcpt\" -s \"Received IDS alert\"");



marcabal

Hi,

Thanks for the above URL, I am able to get some notification when an event is generated but I am not able to figure out how to know which particular script is detected and at what time, the source and destination etc, can you please help me out of this

Thanks and Regards

Salim

This is a script that will somewhat work on VMS and 4.1 sensors

#!/usr/bin/perl

use Time::Local;

#***********************************************************************

#

# FILE NAME : emailalert.pl

#

# DESCRIPTION : This file is a perl script that will be executed as an

# action when an IDS-MC Event Rule triggers, and will send an

# email to $EmailRcpt with additional alert parameters (similar to

# the functionality available with CSPM notifications)

#

# NOTE: this script only works with 4.x sensors. It will

# not work with 3.x sensors.

#

# NOTES : This script takes the ${Query} keyword from the

# triggered rule, extracts the set of alarms that caused

# the rule to trigger. It then reads the last alarm of

# this set, parses the individual alarm fields, and

# calls the legacy script with the same set of command

# line arguments as CSPM.

#

# The calling sequence of this script must be of the form:

#

# emailalert.pl "${Query}"

#

# Where:

#

# "${Query}" - this is the query keyword dynamically

# output by the rule when it triggers.

# It MUST be wrapped in double quotes

# when specifying it in the Arguments

# box on the Rule Actions panel.

#

#

#***********************************************************************

##

## The following are the only two variables that need changing. $TempIDSFile can be any

## filename (doesn't have to exist), just make sure the directory that you specify

## exists. Make sure to use 2 backslashes for each directory, the first backslash is

## so the Perl interpreter doesn't error on the pathname.

##

## $EmailRcpt is the person that is going to receive the email notifications. Also

## make sure you escape the @ symbol by putting a backslash in front of it, otherwise

## you'll get a Perl syntax error.

##

# Scratch file that receives the formatted alert text before blat mails it.
# Written single-quoted here, so the backslashes need no doubling.
$TempIDSFile = 'c:\temp\idsalert.txt';

# Recipient of every notification; single quotes also keep the '@' literal.
$EmailRcpt = 'gfullage@cisco.com';

# subroutine to add leading 0's to any date variable that's less than 10.

# Left-pad a single date/time component with a zero when it is below 10,
# so that 5 prints as "05" in the timestamp line of the notification.
# Returns the (possibly padded) value; anything 10 or greater is returned
# unchanged.
sub add_zero {
    my ($n) = @_;
    return ($n < 10) ? "0$n" : $n;
}

# subroutine to find one or more IP addresses within an XML tag (we can have multiple

# victims and/or attackers in one alert now).

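# Collect every IPv4-looking address inside the part of $_ that matches the
# regex given in $var. The caller passes a tag pattern for the attacker or
# victim element, since one alert may list several hosts in one element.
#
# Arguments: $var - a regex, interpolated unescaped; it is pattern text the
#                   script itself supplies, never alert data.
# Reads:     $_   - the current alert chunk from the caller's foreach loop.
# Returns:   the addresses found, joined with ', ' (an empty string when the
#            element matched but held no address), or an empty string when
#            the tag pattern does not match $_ at all.
#
# The scan uses a capture plus m//g rather than $& and $', because using
# those two variables anywhere slows every regex in the program on perls
# before 5.20, and the scratch buffer is lexical so no package global leaks.
sub find_addresses {
    my ($var) = @_;
    my @addresses = ();
    if ($_ =~ m/($var)/) {
        my $raw = $1;
        while ($raw =~ m/((?:\d{1,3}\.){3}\d{1,3})/g) {
            push @addresses, $1;
        }
        return join(', ', @addresses);
    }
    return '';
}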

# pull out command line arg

# pull out command line arg: the "${Query}" text the IDS-MC rule passes in
# (see the header). Nothing validates it before it reaches the shell below.
$whereClause = $ARGV[0];
# extract all the alarms matching search expression
# (relative name, so it lands in whatever directory the rule action runs from)
$tmpFile = "alarms.out";
# Extract the XML alert/event out of the database.
# NOTE(review): $whereClause is interpolated into one shell command string, so any
# shell metacharacters in the rule's query are interpreted by the command shell.
# The list form, system('IdsAlarms', "-s$whereClause", "-f$tmpFile"), hands the
# arguments over without that parsing -- confirm IdsAlarms accepts its options in
# that shape before switching. The return value of system is also not checked, so a
# failed export is only noticed when the open of $tmpFile below fails.
system("IdsAlarms -s\"$whereClause\" -f\"$tmpFile\"");

# open matching alarm output

# open matching alarm output
# NOTE(review): 2-arg open lets a leading '>' or '|' in the name change the mode;
# harmless with this literal $tmpFile, but the 3-arg form open(ALARM_FILE, '<', $tmpFile)
# is the safer habit.
if (!open(ALARM_FILE, $tmpFile)) {
print "Could not open $tmpFile\n";
exit -1;
}
# read to last line: every line of the export, chomped, into @logfile
# NOTE(review): as rendered, "while ()" has no readline in it; the loop body's use of $_
# implies "<ALARM_FILE>" was stripped by the forum's HTML display -- confirm against the
# original file before running this.
while () {
chomp $_;
push @logfile,$_;
}
# clean up
close(ALARM_FILE);
unlink($tmpFile);

# Open temp file to write alert data into,

# Open temp file to write alert data into,
# NOTE(review): this open is neither checked nor 3-arg; if the directory in $TempIDSFile
# is missing, every print(OUT ...) below is silently lost and blat mails nothing useful.
# A checked form, open(OUT, '>', $TempIDSFile) or ..., would mirror the ALARM_FILE
# handling above.
open(OUT,">$TempIDSFile");
# split XML output into fields: join all lines, drop the closing </events> wrapper, then
# append a comma after each </evAlert> so that split(/,/) yields one alert per item.
$oneline = join('',@logfile);
$oneline =~ s/\<\/events\>//g;
$oneline =~ s/\<\/evAlert\>/\<\/evAlert\>,/g;
# NOTE(review): splitting on every comma also splits inside any alert field that itself
# contains a comma; worth confirming with real IdsAlarms output.
@items = split(/,/,$oneline);

# If you want to see the actual database query result in the email, un-comment out the

# line below (useful for troubleshooting):

# print(OUT "$oneline\n");

# Loop until there's no more alerts

# Loop until there's no more alerts: one pass per <evAlert> chunk from the split above.
# Each field variable is only assigned when its regex matches and none is reset between
# passes, so a chunk that lacks a field prints the previous alert's value for it.
foreach (@items) {
# NOTE(review): as rendered the pattern reads "\(.*)" with an unbalanced ')'; the opening
# <hostId> tag was most likely eaten by the forum's HTML display (same for the <actions>
# pattern further down). Confirm against the original file before running.
if (m/\(.*)\<\/hostId\>/) {
$hostid = $1;
}
if (m/severity="(.*?)"/) {
$sev = $1;
}
# The <time> element carries a numeric timestamp; the trailing 9 digits are discarded and
# the remainder is fed to localtime (presumably seconds followed by a nanosecond part --
# verify against the sensor's time format).
if (m/Zone\=".*"\>(.*)\<\/time\>/) {
$t = $1;
if ($t =~ m/(.*)(\d{9})/) {
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime($1);
# Year is reported from 1900 onwards (eg. 2003 is 103).
$year = $year + 1900;
# Months start at 0 (January = 0, February = 1, etc), so add 1.
$mon = $mon + 1;
$mon = add_zero ($mon);
$mday = add_zero ($mday);
$hour = add_zero ($hour);
$min = add_zero ($min);
$sec = add_zero ($sec);
}
}
if (m/sigName="(.*?)"/) {
$SigName = $1;
}
if (m/sigId="(.*?)"/) {
$SigID = $1;
}
if (m/subSigId="(.*?)"/) {
$SubSig = $1;
}
# NOTE(review): the next two assignments are truncated in this rendering ("\ with no closing
# quote). Judging from the calls that follow, each holds the tag pattern that find_addresses()
# searches the current chunk for (the attacker and the victim address elements); the if
# bodies are empty, so the call's only effect is the assignment.
$attackerstring = "\
if ($attackerstring = find_addresses ($attackerstring)) {
}
$victimstring = "\
if ($victimstring = find_addresses ($victimstring)) {
}
# Collect the name of every child element of <actions> whose text is "true".
@actions = ();
if (m/\(.*)\<\/actions\>/) {
$rawaction = $1;
# NOTE(review): this regex is also cut off in the rendering; it appears to capture a tag
# name in $1 and its text in $2, then advances past the match via $' (which, like $&,
# slows every regex in the program on perls before 5.20 once used anywhere).
while ($rawaction =~ m/\<(\w*?)\>(.*?)\
$rawaction = $';
if ($2 eq "true") {
push @actions,$1;
}
}
if (@actions) {
$actiontaken = join(', ',@actions);
}
else {
$actiontaken = "None";
}
}
## Now write your email notification message. You're writing the following into
## the temporary file for the moment, but this will then be emailed.
##
## Again, make sure you escape special characters with a backslash (note the : between
## the SigID and the SubSig).
## (Each alert chunk appends its own block, so one mail can carry several alerts.)
print(OUT "\n$hostid reported a $sev severity alert at $mon/$mday/$year $hour:$min:$sec\n");
print(OUT "Signature $SigName \($SigID\:$SubSig\) from $attackerstring to $victimstring\n");
print(OUT "Actions taken: $actiontaken \n\n");
print(OUT "----------------------------------------------------\n");
}

# NOTE(review): close on a write handle is where buffered write errors surface; it is not
# checked here, so a full disk would still go on to mail an incomplete file.
close(OUT);
## Now call "blat" to send contents of the file in the body of an email message.
## Blat is a freeware email program for WinNT/95, it comes with VMS in the
## $BASE\CSCOpx\bin directory, make sure you install it first by running:
##
## blat -install
##
## For more help on blat, just type "blat" at the command prompt on your VMS system (make
## sure it's in your path (feel free to move the executable to c:\winnt\system32 BEFORE
## you run the install, that'll make sure your system can always find it).
# NOTE(review): both interpolated values are operator-set constants from the top of the
# script, so the risk is low, but the list form
# system('blat', $TempIDSFile, '-t', $EmailRcpt, '-s', 'Received IDS alert')
# avoids the hand-built quoting. The temp file is not removed afterwards, so the alert
# text (hosts, signature) stays on disk after each run; an unlink($TempIDSFile) once
# the send succeeds would limit that.
system ("blat \"$TempIDSFile\" -t \"$EmailRcpt\" -s \"Received IDS alert\"");