11-08-2001 11:55 AM - edited 03-08-2019 09:06 PM
Can I get a sample notification script for CSPM that sends email?
Unix Dir provided a sample script 'eventd' which included EventMessage. I want the plain English NSDB Signature Name in the email notification. e.g. for NSDB ID: 1102, I also want to see 'Impossible IP Packet'.
$EventMessage: The generated alarm details, if any.
11-08-2001 02:05 PM
Here is a perl script and a batch file that will read the signatures file and put signature names in the subject of the email. To use, set the notification script to the batch file that launches it. You must edit the emailEvent.pl script to set up the email server and location of the CSPM installation of Postoffice. You must edit the emailEvent.bat file to point to the installed Perl interpreter and emailEvent.pl script. The version of perl must support email. You can get the latest free version for Win32 from http://aspn.activestate.com/ASPN/Downloads/ActivePerl/.
=== emailEvent.bat ===
perl d:\n\emailEvent.pl %*
=======
=== emailEvent.pl ===
# This script receives an event notification then looks up the
# signature name in a "signatures" file. Next the script
# generates an email appending the signature name to the
# default subject. The contents of the email is the parsed
# arguments of the event notification with the addition of
# the signature name.
use Net::SMTP;
#############################################################
#
### YOU NEED TO SET THESE or override them in emailEvent.config
#
$SMTP_Server = 'mailhost.yourdomain.com';
$email_from = 'nobody@yourdomain.com';
$email_to = 'nobody@yourdomain.com';
$email_subject = 'IDS';
$email_reply_to = 'nobody@yourdomain.com';
$signatures_file = 'D:\program files\cisco systems\cisco secure policy manager\Postoffice\etc\signatures';
# note, the format for overriding these defaults in the
# emailEvent.config file is:
#
# SMTP-Server=servername
# email-from=emailAddress
# email-to=emailAddress
# email-subject=subject
# email-reply-to=emailAddress
#
#############################################################
# Start here
&setup_defaults; # setup command defaults
&read_cmdline_args; # read in any cmd line args
&read_config_file; # read in the configuration file
&check_sanity; # is everything set to go.
&process; # process the event and send the email
exit 0; # terminate execution
##############################################################
#
# help message
sub help
{
print <<END_HELP;
emailEvent.pl - emails a CSPM event
This program takes an event notification and generates an e-mail
message.
usage:
emailEvent.pl MsgType RecordID GlobalTime LocalTime DateStr TimeStr
ApplID HostID OrgID SrcDirection DstDirection AlarmLevel
SigID SubSigID ProtocolType SrcIpAddr DstIpAddr SrcIpPort
DstIpPort RouterIpAddr AlarmDetails MsgCount
where:
MsgType Identifies an integer value indicating the event
type: 4 = Alarm. Note This value is always 4.
RecordID Identifies record ID for the event.
GlobalTime Identifies the GMT timestamp for when the event
was generated, expressed in seconds since
midnight, January 1, 1970 (time_t).
LocalTime Identifies (sensor-local) timestamp for when the
event was generated, expressed in seconds since
midnight, January 1, 1970 (time_t).
DateStr Identifies (sensor-local) date stamp for when
the event was generated, in YYYY/MM/DD format.
TimeStr Identifies (sensor-local) time stamp for when
the event was generated, in HH:MM:SS format.
ApplID Identifies (postoffice) application ID on the
sensor that generated the event.
HostID Identifies (postoffice) host ID of the sensor
that generated the event.
OrgID Identifies (postoffice) organization ID on the
sensor that generated the event.
SrcDirection Identifies the location of the source (attacking)
entity with respect to the protected network.
Values are "IN" for inside the protected network,
or "OUT" for outside the protected network.
DstDirection Identifies location of the destination (attacked)
entity with respect to the protected network.
Values are "IN" for inside the protected network,
or "OUT" for outside the protected network.
AlarmLevel Identifies the severity level of the alarm.
SigID Identifies the signature ID that triggered the
alarm.
SubSigID Identifies the sub-signature ID that triggered
the alarm, if applicable.
ProtocolType Identifies the protocol of the alarm - always
"TCP/IP".
SrcIpAddr Identifies the IP address of the source
(attacking) node.
DstIpAddr Identifies the IP address of the destination
(attacked) node.
SrcIpPort Identifies the IP port number of the source
(attacking) node.
DstIpPort Identifies the IP port number of the destination
(attacked) node.
RouterIpAddr Identifies the IP address of the router that sent
the syslog message to the sensor (10000 series
alarms only); otherwise 0.0.0.0
AlarmDetails Identifies the details and/or context data for
the alarm.
MsgCount Identifies the number of events that occurred in
the current interval that caused this notification
to be generated.
-help this message
END_HELP
}
##############################################################
# setup
#
sub setup_defaults
{
$config{'config-file'} = './emailEvent.config';
$config{'debug-level'} = 0;
$config{'SMTP-Server'} = $SMTP_Server;
$config{'email-from'} = $email_from;
$config{'email-to'} = $email_to;
$config{'email-subject'} = $email_subject;
$config{'email-reply-to'} = $email_reply_to;
$config{'signatures-file'} = $signatures_file;
}
##############################################################
#
# Read the command line args and update the %config hash
sub read_cmdline_args {
if($#ARGV < 21) {
help();
exit 0;
}
$cmdline{'MsgType'} = $ARGV[0];
$cmdline{'RecordID'} = $ARGV[1];
$cmdline{'GlobalTime'} = $ARGV[2];
$cmdline{'LocalTime'} = $ARGV[3];
$cmdline{'DateStr'} = $ARGV[4];
$cmdline{'TimeStr'} = $ARGV[5];
$cmdline{'ApplID'} = $ARGV[6];
$cmdline{'HostID'} = $ARGV[7];
$cmdline{'OrgID'} = $ARGV[8];
$cmdline{'SrcDirection'} = $ARGV[9];
$cmdline{'DstDirection'} = $ARGV[10];
$cmdline{'AlarmLevel'} = $ARGV[11];
$cmdline{'SigID'} = $ARGV[12];
$cmdline{'SubSigID'} = $ARGV[13];
$cmdline{'ProtocolType'} = $ARGV[14];
$cmdline{'SrcIpAddr'} = $ARGV[15];
$cmdline{'DstIpAddr'} = $ARGV[16];
$cmdline{'SrcIpPort'} = $ARGV[17];
$cmdline{'DstIpPort'} = $ARGV[18];
$cmdline{'RouterIpAddr'} = $ARGV[19];
$cmdline{'AlarmDetails'} = $ARGV[20];
$cmdline{'MsgCount'} = $ARGV[21];
# The config file name is the *ONLY* config item
# we special case. That is, if the config-file is
# set on the cmd line then we override the default
# value right now!
if( defined $cmdline{'config-file'}) {
$config{'config-file'}=$cmdline{'config-file'};
}
}
##############################################################
#
# Read the configuration file and update the %config hash
sub read_config_file {
$CONFIG_FILE=$config{'config-file'};
# a missing config file is not an error: the defaults above are used
open(CONFIG_FILE, "<$CONFIG_FILE") || return;
while(<CONFIG_FILE>) {
chomp;
# skip blank and commented lines
next if(/^\s*$/ || /^\s*#/);
# split on the first '=' only, so values may contain '='
($first, $second) = split( /=/, $_, 2 );
$config{$first}=$second;
}
close(CONFIG_FILE);
}
##############################################################
#
# Check the sanity of the %config hash
sub check_sanity {
# First thing: Integrate the cmd line args with config args
foreach (keys %cmdline) {
$config{$_} = $cmdline{$_};
}
# Now lets print the whole shebang!
if( $config{'debug-level'} > 1) {
foreach (sort keys %config) {
print "$_ ==> $config{$_}\n";
}
}
}
##############################################################
#
# process
sub process
{
local @msgLines;
debug("debug is on");
# setup the %signatures hash
parseSignatures();
# get the signature name
$sigName = $signatures{$config{'SigID'}};
# append signature name to email subject
if($sigName ne "") {
$config{'email-subject'} = "$config{'email-subject'} ($sigName)";
}
# build text message to email in a string array
push(@msgLines, "MsgType = $config{'MsgType'}");
push(@msgLines, "RecordID = $config{'RecordID'}");
push(@msgLines, "GlobalTime = $config{'GlobalTime'}");
push(@msgLines, "LocalTime = $config{'LocalTime'}");
push(@msgLines, "DateStr = $config{'DateStr'}");
push(@msgLines, "TimeStr = $config{'TimeStr'}");
push(@msgLines, "ApplID = $config{'ApplID'}");
push(@msgLines, "HostID = $config{'HostID'}");
push(@msgLines, "OrgID = $config{'OrgID'}");
push(@msgLines, "SrcDirection = $config{'SrcDirection'}");
push(@msgLines, "DstDirection = $config{'DstDirection'}");
push(@msgLines, "AlarmLevel = $config{'AlarmLevel'}");
push(@msgLines, "SigID = $config{'SigID'}");
push(@msgLines, "SigName = $sigName");
push(@msgLines, "SubSigID = $config{'SubSigID'}");
push(@msgLines, "ProtocolType = $config{'ProtocolType'}");
push(@msgLines, "SrcIpAddr = $config{'SrcIpAddr'}");
push(@msgLines, "DstIpAddr = $config{'DstIpAddr'}");
push(@msgLines, "SrcIpPort = $config{'SrcIpPort'}");
push(@msgLines, "DstIpPort = $config{'DstIpPort'}");
push(@msgLines, "RouterIpAddr = $config{'RouterIpAddr'}");
push(@msgLines, "AlarmDetails = $config{'AlarmDetails'}");
push(@msgLines, "MsgCount = $config{'MsgCount'}");
sendEmail(@msgLines);
debug("done");
}
##############################################################
#
# parse the signatures file and store in the %signatures hash
sub parseSignatures
{
local($sigId, $sigName);
open(INSIG, "<$config{'signatures-file'}") || warn "unable to open signatures file($config{'signatures-file'})\n";
while(<INSIG>) {
# skip commented lines
if(/^\s*#/) {
next;
}
# the signatures are in the following format:
# sigId "signature name"
# where sigId is an integer
if(/^\s*(\d+)\s+\"([^\"]+)\"/) {
$sigId = $1;
$sigName = $2;
$signatures{$sigId} = $sigName;
}
}
close(INSIG);
}
##############################################################
#
# send the given string array as email
sub sendEmail
{
local(@msgLines) = @_;
debug("sending email");
debug("To: $config{'email-to'}");
debug("From: $config{'email-from'}");
debug("Subject: $config{'email-subject'}");
debug("Reply-To: $config{'email-reply-to'}");
# connect to the SMTP server; use the %config value so an emailEvent.config override takes effect
$smtp = Net::SMTP->new($config{'SMTP-Server'}) || die "unable to connect to SMTP server ($config{'SMTP-Server'})\n";
$smtp->mail($config{'email-from'}); # use the sender's address here
local(@recipients);
local($to);
# split the recipients on any run of commas and/or whitespace
@recipients = split(/[,\s]+/, $config{'email-to'});
# tell smtp about each recipient
foreach $to (@recipients) {
$smtp->to($to); # recipient's address
}
$smtp->data(); # Start the mail
# Send the header.
$smtp->datasend("To: $config{'email-to'}\n");
$smtp->datasend("From: $config{'email-from'}\n");
$smtp->datasend("Subject: $config{'email-subject'}\n");
$smtp->datasend("Reply-To: $config{'email-reply-to'}\n");
$smtp->datasend("\n");
# Send the body.
foreach $line (@msgLines)
{
debug($line);
$smtp->datasend("$line\n");
}
$smtp->datasend("\n");
$smtp->dataend(); # Finish sending the mail
$smtp->quit; # Close the SMTP connection
}
##############################################################
#
# debug print statement
sub debug
{
local($str) = @_;
if($config{'debug-level'} > 0) {
print "$str\n";
}
}
======
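The same flow in Python, as an added example that is not Bernhard's script and not Cisco code: it parses the `sigId "signature name"` format of the signatures file, applies `key=value` overrides the way emailEvent.config does, binds the 22 positional notification arguments to their names, and builds the mail with the signature name appended to the subject. The sample signatures, config and event arguments are constructed for the demo, and the addresses and server name are placeholders. One addition the Perl script lacks: `header_safe()` strips CR/LF from the subject before it is written, because Net::SMTP's `datasend("Subject: ...")` writes whatever it is given and sensor-supplied text that reaches a header line (as AlarmDetails does in the subject layout described later in this thread) would otherwise be able to add mail headers of its own.

```python
import re
import smtplib
from email.message import EmailMessage

# Constructed sample of the CSPM "signatures" file format: sigId "signature name"
SAMPLE_SIGNATURES = """\
# CSPM signatures (constructed sample, not a real file)
1102 "Impossible IP Packet"
2004 "ICMP Echo Request"
3001 "TCP Port Sweep"
"""

# Constructed sample of the emailEvent.config override format
SAMPLE_CONFIG = """\
SMTP-Server=mailhost.example.net
email-subject=IDS Alarm
"""

# Placeholder defaults, the counterpart of the variables at the top of emailEvent.pl
DEFAULTS = {
    "SMTP-Server": "mailhost.yourdomain.com",
    "email-from": "nobody@yourdomain.com",
    "email-to": "nobody@yourdomain.com",
    "email-subject": "IDS",
    "email-reply-to": "nobody@yourdomain.com",
}

# The 22 positional arguments CSPM passes, in the order the help text lists them
EVENT_FIELDS = [
    "MsgType", "RecordID", "GlobalTime", "LocalTime", "DateStr", "TimeStr",
    "ApplID", "HostID", "OrgID", "SrcDirection", "DstDirection", "AlarmLevel",
    "SigID", "SubSigID", "ProtocolType", "SrcIpAddr", "DstIpAddr", "SrcIpPort",
    "DstIpPort", "RouterIpAddr", "AlarmDetails", "MsgCount",
]

# Constructed sample event (signature 1102, RFC 5737 documentation addresses)
SAMPLE_ARGV = [
    "4", "17", "1005227160", "1005209160", "2001/11/08", "11:26:00",
    "10003", "100", "100", "OUT", "IN", "5",
    "1102", "0", "TCP/IP", "192.0.2.10", "198.51.100.20", "0", "0",
    "0.0.0.0", "ip-length 0", "1",
]

SIG_LINE = re.compile(r'^\s*(\d+)\s+"([^"]+)"')


def parse_signatures(text):
    """Map signature ID (as a string, like the Perl hash key) to its name."""
    sigs = {}
    for line in text.splitlines():
        if re.match(r"^\s*#", line):      # skip commented lines
            continue
        m = SIG_LINE.match(line)
        if m:                              # malformed lines are ignored
            sigs[m.group(1)] = m.group(2)
    return sigs


def parse_config(text, defaults):
    """Apply key=value overrides on top of the defaults."""
    cfg = dict(defaults)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)    # first '=' only
        cfg[key.strip()] = value.strip()
    return cfg


def parse_event_args(argv):
    """Bind the positional notification arguments to their field names."""
    if len(argv) < len(EVENT_FIELDS):
        raise ValueError("expected %d arguments, got %d" % (len(EVENT_FIELDS), len(argv)))
    return dict(zip(EVENT_FIELDS, argv))


def header_safe(value):
    """Collapse CR/LF so untrusted text cannot start a new mail header."""
    return re.sub(r"[\r\n]+", " ", str(value)).strip()


def build_message(event, signatures, cfg):
    """Subject carries the signature name; the body lists every field plus SigName."""
    sig_name = signatures.get(str(event["SigID"]).strip(), "")
    subject = cfg["email-subject"]
    if sig_name:
        subject = "%s (%s)" % (subject, sig_name)
    msg = EmailMessage()
    msg["From"] = cfg["email-from"]
    msg["To"] = cfg["email-to"]
    msg["Reply-To"] = cfg["email-reply-to"]
    msg["Subject"] = header_safe(subject)
    lines = []
    for name in EVENT_FIELDS:
        lines.append("%s = %s" % (name, event[name]))
        if name == "SigID":
            lines.append("SigName = %s" % sig_name)
    msg.set_content("\n".join(lines) + "\n")
    return msg


def send(msg, smtp_server):
    """Deliver the message; recipients are taken from the From/To headers."""
    with smtplib.SMTP(smtp_server) as s:
        s.send_message(msg)


def demo():
    """Run the whole chain on the constructed samples and return the message."""
    cfg = parse_config(SAMPLE_CONFIG, DEFAULTS)
    return build_message(parse_event_args(SAMPLE_ARGV), parse_signatures(SAMPLE_SIGNATURES), cfg)


if __name__ == "__main__":
    print(demo().as_string())   # send(demo(), cfg["SMTP-Server"]) would deliver it
```

Run it as-is to print the message that would be sent; real use replaces `SAMPLE_ARGV` with `sys.argv[1:]` and reads the signatures and config files from disk.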
11-12-2001 03:18 AM
Hi,
Can I ask one question regarding this problem?
Why don't I have this folder:
$signatures_file = 'D:\program files\cisco systems\cisco secure policy
I tried to find it in the directory where I installed CSPM. I could not find it. Thanks
11-13-2001 01:19 PM
Bernhard,
Thank you, it looks like what I need, but I can't get it to work. I got perl and email working with a test script, but with your script I get an error: Unterminated <> operator at d:\temp\CSPM\emailEvent.pl line 46
Can I open a TAC case with you to get this notification script working? How?
Also, can you demonstrate how to get Signature Name into the subject line?
11-09-2001 03:04 AM
I would have another wish! I want to see the nslookup resolution names instead of IP addresses! Is it possible? Will these features be included in the following versions?
Thanks!
11-20-2001 10:12 AM
Had trouble with that script. I tweaked it. If you want a copy email me dmorone@courts.state.ny.us . I can't post it here because the forum won't accept the big post.
I've got it sending me email that looks like this:
From: Cisco Secure Policy Manager
To: <me@my.com>
Date: 11/20/01 11:26AM
Subject: SensorName - SigName - AlarmDetails
Date Time
Source: IP:port Destination: IP:port
Signature: SigID:SubSigID SigName AlarmDetails MsgCount
11-27-2001 09:50 AM
Don't email me. Get it here: