Notification Message with CSPM

teperjesi (Level 1)

How could I generate more detailed messages from the IDS events than the custom message?

I have a CSPM 2.3i and an IDS 2.2.1! Thanks!

1 Reply

bernhard (Level 1)

Here's a snippet from an upcoming documentation update.

Usage Note: Passing IDS Alarm Data to E-mail and Script Notification Events

In addition to passing the standard event descriptions associated with CSPM-based notifications, you can pass additional data about the IDS events. You can pass this additional data in e-mail notifications while specifying the Subject or Message values in the Notification Message Content dialog box. This data is presented in the form of a list of argument values taken from fields contained in an IDS event.

The argument values passed to scripts for non-IDS-based CSPM events are different from the argument values passed to scripts based on IDS events. For backward compatibility with eventd-based scripts, scripts triggered as the result of IDS-based events are passed the same argument list that eventd supports.

All IDS script notifications are provided with the same argument list currently provided by eventd on the Unix Director product. When the argument list is passed to the scripts, all arguments listed in Table 1 are passed in the order they appear, and it is up to the script to parse these events correctly. When passed to a script, a space separates the argument values in the list. Just specify the name of the script as the Script Name(s) value in the Notification Script(s) dialog box, and that script receives the entire argument list for further processing.

Note: These keywords are case-sensitive. You must type the keywords exactly as they appear in the table when referencing them within the subject or message of an e-mail notification, including the ${}.

If you are passing these arguments to a script, they are passed in the order listed in Table 1.

Table 1. Ordered List of Arguments for use in Script and E-mail Notifications Based on IDS Events

Keyword            Result of Using This Keyword
${MsgType}         Identifies an integer value indicating the event type: 4 = Alarm. Note: This value is always 4.
${RecordID}        Identifies the record ID for the event.
${GlobalTime}      Identifies the GMT timestamp for when the event was generated, expressed in seconds since midnight, January 1, 1970 (time_t).
${LocalTime}       Identifies the (sensor-local) timestamp for when the event was generated, expressed in seconds since midnight, January 1, 1970 (time_t).
${DateStr}         Identifies the (sensor-local) date stamp for when the event was generated, in YYYY/MM/DD format.
${TimeStr}         Identifies the (sensor-local) time stamp for when the event was generated, in HH:MM:SS format.
${ApplID}          Identifies the (postoffice) application ID on the sensor that generated the event.
${HostID}          Identifies the (postoffice) host ID of the sensor that generated the event.
${OrgID}           Identifies the (postoffice) organization ID on the sensor that generated the event.
${SrcDirection}    Identifies the location of the source (attacking) entity with respect to the protected network. Values are “IN” for inside the protected network, or “OUT” for outside the protected network.
${DstDirection}    Identifies the location of the destination (attacked) entity with respect to the protected network. Values are “IN” for inside the protected network, or “OUT” for outside the protected network.
${AlarmLevel}      Identifies the severity level of the alarm.
${SigID}           Identifies the signature ID that triggered the alarm.
${SubSigID}        Identifies the sub-signature ID that triggered the alarm, if applicable.
${ProtocolType}    Identifies the protocol of the alarm; currently always “TCP/IP”.
${SrcIpAddr}       Identifies the IP address of the source (attacking) node.
${DstIpAddr}       Identifies the IP address of the destination (attacked) node.
${SrcIpPort}       Identifies the IP port number of the source (attacking) node.
${DstIpPort}       Identifies the IP port number of the destination (attacked) node.
${RouterIpAddr}    Identifies the IP address of the router which sent the syslog message to the sensor (10000 series alarms only); otherwise 0.0.0.0.
${AlarmDetails}    Identifies the details and/or context data for the alarm.
${MsgCount}        Identifies the number of events that occurred in the current interval that caused this notification to be generated.
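The reply above describes the script side of this feature but does not show a script. The following is an added example, not code from the original post or from the CSPM product: a POSIX shell notification script that takes the Table 1 argument list as positional parameters and turns it into the more detailed message the question asks for. The field order and the count of 22 fields come straight from Table 1. One thing is an assumption on my part and is not stated on the page: that ${AlarmDetails} can itself contain spaces, which would push every later positional parameter along by one. The script therefore reads the 20 fixed leading fields, takes the last word as ${MsgCount}, and re-joins everything in between as ${AlarmDetails}. The sample alarm in demo_alarm is constructed for the example; the hostnames, addresses and signature number are made up.

```shell
#!/bin/sh
# Added example (not from the original post): a CSPM notification script that
# receives the Table 1 argument list and builds a detailed message from it.
# The 22 fields arrive as space-separated positional parameters, in Table 1 order:
#   1 MsgType   2 RecordID   3 GlobalTime   4 LocalTime    5 DateStr     6 TimeStr
#   7 ApplID    8 HostID     9 OrgID       10 SrcDirection 11 DstDirection
#  12 AlarmLevel 13 SigID   14 SubSigID   15 ProtocolType 16 SrcIpAddr
#  17 DstIpAddr 18 SrcIpPort 19 DstIpPort 20 RouterIpAddr 21 AlarmDetails 22 MsgCount
# Assumption (not stated on the page): AlarmDetails may itself contain spaces, so
# the space-separated list can carry more than 22 words. Everything between
# RouterIpAddr and the final MsgCount is therefore re-joined as AlarmDetails.

# Print a multi-line, human-readable alarm description built from "$@".
format_ids_alarm() {
    if [ "$#" -lt 22 ]; then
        echo "format_ids_alarm: expected at least 22 arguments, got $#" >&2
        return 1
    fi
    msgtype=$1; recordid=$2; globaltime=$3; localtime=$4; datestr=$5
    timestr=$6; applid=$7; hostid=$8; orgid=$9
    shift 9
    srcdir=$1; dstdir=$2; level=$3; sigid=$4; subsigid=$5
    proto=$6; srcip=$7; dstip=$8; srcport=$9
    shift 9
    dstport=$1; routerip=$2
    shift 2
    # All but the last remaining word belong to AlarmDetails; the last is MsgCount.
    details=""
    while [ "$#" -gt 1 ]; do
        details="${details}${details:+ }$1"
        shift
    done
    msgcount=$1

    printf 'IDS alarm (MsgType %s) record %s: signature %s/%s, severity %s\n' \
        "$msgtype" "$recordid" "$sigid" "$subsigid" "$level"
    printf 'Source: %s:%s (%s)  Destination: %s:%s (%s)  Protocol: %s\n' \
        "$srcip" "$srcport" "$srcdir" "$dstip" "$dstport" "$dstdir" "$proto"
    printf 'Sensor: org %s host %s app %s  Local time: %s %s (%s)  GMT epoch: %s\n' \
        "$orgid" "$hostid" "$applid" "$datestr" "$timestr" "$localtime" "$globaltime"
    printf 'Syslog router: %s  Events in interval: %s\n' "$routerip" "$msgcount"
    printf 'Details: %s\n' "$details"
}

# Constructed sample alarm (all values made up for this example), in Table 1 order.
# AlarmDetails here is three words, which is exactly the case the re-join handles.
demo_alarm() {
    format_ids_alarm 4 1001 946684800 946684800 2000/01/01 00:00:00 \
        10002 sensor1 cisco OUT IN 5 3050 0 TCP/IP \
        192.0.2.10 198.51.100.5 45012 80 0.0.0.0 \
        Half-open SYN flood 1
}

# When CSPM invokes this file as a notification script, format the arguments it
# was given; with no arguments (e.g. when sourced) nothing is printed.
if [ "$#" -ge 22 ]; then
    format_ids_alarm "$@"
fi
```

The message goes to standard output, so the script can be extended to pipe it wherever the site wants it (a mailer, syslog, a ticketing tool). The check for fewer than 22 arguments is worth keeping: because the list is space-separated, a short or malformed invocation would otherwise silently mis-assign fields, and a script that acts on ${SrcIpAddr} (for example, to block it) must not do so on a shifted value. For e-mail notifications the same fields are referenced directly in the Subject or Message text as ${SigID}, ${SrcIpAddr} and so on, exactly as spelled in Table 1.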