Event notifications via e-mail VMS vs. CSPM for IDS's

jgbarnes (Level 1)

I have upgraded to VMS 2.1 and have a question about event notifications.

My old CSPM was able to generate USEFUL e-mails about alerts.

The new Security Monitor has a lack of good keywords and does not seem to be able to even give me the signature ID of the alert, let alone where it is from and where it is going.

Following are the keywords for each and a sample of my e-mail notifications.

I would really like to get some pertinent info in the event notification.

Can this be done???

VMS e-mail notification

From: notifier.VMS [mailto:notifier.VMS]
Sent: Thursday, March 20, 2003 1:58 PM
To: jbarnes@smtp.ais.ucla.edu
Subject: High TEST.164.67.132.105

(Severity = High)
High TEST
with all keywords
(Severity = High)
30
1
5
2003/03/20
13:58:01 Pacific Standard Time
2003/03/20
21:58:01 UTC
1
1
(((SEVERITY = 3)) AND event_storage_time > '2003-03-20 13:57:01' AND event_storage_time <= '2003-03-20 13:58:01')
1
0

VMS KEYWORDS

Keyword - Description
${RuleName} - The name of the event rule.
${RuleDescr} - The description of the event rule.
${Filter} - The query filter for the event rule.
${Interval} - The query interval for the event rule.
${Initial} - The initial threshold for the event rule.
${Repeat} - The repeat threshold for the event rule.
${DateStr} - Date stamp for when the event rule was triggered, based on the server local time. The date stamp is in YYYY/MM/DD format.
${TimeStr} - Time stamp for when the event rule was triggered, based on the server local time. The time stamp is in HH:MM:SS time zone format, where HH is in 24-hour form.
${GmtDateStr} - The Coordinated Universal Time (UTC) date stamp for when the rule was triggered, in YYYY/MM/DD format.
${GmtTimeStr} - The UTC time stamp for when the event rule was triggered in HH:MM:SS time zone format, where HH is in 24-hour form and time zone is always UTC.
${MsgCount} - The number of matches that occurred in the current interval causing this rule to be triggered.
${Threshold} - The threshold that was met, causing the event rule to be triggered. This value is the same as the value for either ${Initial} or ${Repeat}.
${Query} - A time-bounded, syntactically correct SQL expression that can be used in the WHERE clause of a database query to select the set of alarms that caused the rule to trigger this time.
${IntervalCount} - The number of new matching alarms that have been detected causing the rule to trigger this time. This is the number of records that is expected to be returned by a query using the ${Query} keyword.
${RepeatCount} - The number of times the rule has triggered on the repeat threshold. A value of 0 indicates that the rule was triggered on the initial threshold.

CSPM e-mail notification

From: Cisco Secure Policy Manager [mailto:Cisco Secure Policy Manager]
Sent: Saturday, January 11, 2003 2:58 AM
To: jbarnes@ais.ucla.edu; rhinton@ais.ucla.edu
Subject: Level: 5 Node:108 Sig ID: 3216

High Severity Alarms
Time: 02:55:07 2003/01/11
Direction: OUT To IN
Source: 68.112.47.184 Port: 4537 Destination: 164.67.133.76 Port: 80
Signature ID: 3216 Subsignature: 0
Alarm Details: ../..
Message Count: 2

CSPM keywords

Keyword - Result of Using This Keyword
${MsgType} - Identifies an integer value indicating the event type: 4 = Alarm. (Note: this value is always 4.)
${RecordID} - Identifies record ID for the event.
${GlobalTime} - Identifies the GMT timestamp for when the event was generated, expressed in seconds since midnight, January 1, 1970 (time_t).
${LocalTime} - Identifies (sensor-local) timestamp for when the event was generated, expressed in seconds since midnight, January 1, 1970 (time_t).
${DateStr} - Identifies (sensor-local) date stamp for when the event was generated, in YYYY/MM/DD format.
${TimeStr} - Identifies (sensor-local) time stamp for when the event was generated, in HH:MM:SS format.
${ApplID} - Identifies (postoffice) application ID on the sensor that generated the event.
${HostID} - Identifies (postoffice) host ID of the sensor that generated the event.
${OrgID} - Identifies (postoffice) organization ID on the sensor that generated the event.
${SrcDirection} - Identifies the location of the source (attacking) entity with respect to the protected network. Values are "IN" for inside the protected network, or "OUT" for outside the protected network.
${DstDirection} - Identifies location of the destination (attacked) entity with respect to the protected network. Values are "IN" for inside the protected network, or "OUT" for outside the protected network.
${AlarmLevel} - Identifies the severity level of the alarm.
${SigID} - Identifies the signature ID that triggered the alarm.
${SubSigID} - Identifies the sub-signature ID that triggered the alarm, if applicable.
${ProtocolType} - Identifies the protocol of the alarm - always "TCP/IP".
${SrcIpAddr} - Identifies the IP address of the source (attacking) node.
${DstIpAddr} - Identifies the IP address of the destination (attacked) node.
${SrcIpPort} - Identifies the IP port number of the source (attacking) node.
${DstIpPort} - Identifies the IP port number of the destination (attacked) node.
${RouterIpAddr} - Identifies the IP address of the router that sent the syslog message to the sensor (10000 series alarms only); otherwise 0.0.0.0.
${AlarmDetails} - Identifies the details and/or context data for the alarm.
${MsgCount} - Identifies the number of events that occurred in the current interval that caused this notification to be generated.


b.hsu (Level 5)

I thought CSPM was still integrated into the new VMS suite??

It is!

Actually it is a standalone separate product and not really integrated except in the fact it comes in the same box.

But only for firewall management.

The IDS's fall under vms security management and monitoring.

You can do this but you have to set up a script and then call that script from the Event notifications section. I wrote a detailed post including the script and how to call it in this forum about a month or two ago, try searching for that and it should give you all the pertinent details to get this running.

The post was titled "Alerts via email in IDS MC" and was last updated on March 5th. It contains everything you need to do to get this working.
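One way to get the per-alarm fields back, added here as an illustration and not the script from the "Alerts via email in IDS MC" post or anything shipped with VMS: hand the ${Query} keyword to a script that runs it against the Security Monitor database and formats the rows CSPM-style, with ${IntervalCount} as a cross-check. It assumes a hypothetical table named alarms with the columns shown (only SEVERITY and event_storage_time appear on the page, inside the sample ${Query}), and uses an in-memory SQLite database with constructed alarms in place of the real one, whose schema depends on the SecMon version.

```python
import sqlite3
from string import Template

# Hypothetical alarm table: only SEVERITY and event_storage_time are named on
# the page (inside the ${Query} sample); every other column is an assumption.
SCHEMA = """CREATE TABLE alarms (SEVERITY INTEGER, event_storage_time TEXT,
    sig_id INTEGER, sub_sig_id INTEGER, src_addr TEXT, src_port INTEGER,
    dst_addr TEXT, dst_port INTEGER)"""
# Constructed sample alarms standing in for the Security Monitor database.
SAMPLE_ALARMS = [
    (3, "2003-03-20 13:57:30", 3216, 0, "68.112.47.184", 4537, "164.67.133.76", 80),
    (3, "2003-03-20 13:57:45", 3216, 0, "68.112.47.184", 4538, "164.67.133.76", 80),
    (3, "2003-03-20 13:56:10", 2004, 0, "10.0.0.5", 1234, "164.67.132.105", 22),  # before window
    (2, "2003-03-20 13:57:50", 1000, 0, "10.0.0.9", 40000, "164.67.132.105", 25),  # wrong severity
]
# ${Query} exactly as VMS expanded it in the sample notification above.
QUERY = ("(((SEVERITY = 3)) AND event_storage_time > '2003-03-20 13:57:01'"
         " AND event_storage_time <= '2003-03-20 13:58:01')")
# CSPM-style per-alarm line, built from the columns ${Query} lets us fetch.
ALARM_LINE = Template("Time: $time  Signature ID: $sig Subsignature: $subsig\n"
                      "Source: $src Port: $sport Destination: $dst Port: $dport")

def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO alarms VALUES (?,?,?,?,?,?,?,?)", SAMPLE_ALARMS)
    return conn

def alarms_for_rule(conn, query):
    """Run the rule's time-bounded WHERE clause and return the matching rows.
    ${Query} comes from the rule engine, not from alarm payloads, so it is
    spliced in as the keyword is designed to be; still refuse stacked statements."""
    if ";" in query or "--" in query:
        raise ValueError("unexpected characters in ${Query}")
    sql = ("SELECT event_storage_time, sig_id, sub_sig_id, src_addr, src_port,"
           " dst_addr, dst_port FROM alarms WHERE " + query + " ORDER BY event_storage_time")
    return conn.execute(sql).fetchall()

def build_notification(conn, rule_name, query, interval_count):
    """Format the alarms behind one trigger. ${IntervalCount} is the row count
    ${Query} should return; a mismatch means the wrong table or an old schema."""
    rows = alarms_for_rule(conn, query)
    note = "" if len(rows) == interval_count else f" (expected {interval_count})"
    lines = [f"{rule_name}: {len(rows)} alarm(s){note}"]
    for t, sig, subsig, src, sport, dst, dport in rows:
        lines.append(ALARM_LINE.substitute(time=t, sig=sig, subsig=subsig,
                                           src=src, sport=sport, dst=dst, dport=dport))
    return "\n".join(lines)
```

The ${IntervalCount} comparison is the useful diagnostic: when it disagrees with the number of rows the query returns, the script is reading a table or schema that no longer matches, which shows up as blank fields in the e-mail.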

Should this script also work with 4.0 sensors?

Thanks

Actually no, just found that out. I'm asking the developers what we need to change in the script, and will post the solution back here.

Apparently the database format in SecMon 1.1 completely changed, and so the script doesn't get the right details anymore. It'll still email out the alert, but none of the fields will be completed.

Found that out I guess when I opened case D827060 because of another problem. They had me upgrade to 1.1. Now all my fields are blank.

You might take a look at the case cause I am not sure my support guy has a good handle on the problem.

Jeff