emailalert.pl for 5.x actions

mkirbyii
Level 1

We have been using the emailalert.pl script to send emails when certain sigs fire. Previously we had all 4.x sensors and now we have upgraded them all to 5.x. The script still works; however, the "Actions taken:" part of the email is blank. Does anyone know of a way to have it list the new 5.x actions (denypacket)? I suppose a new script may have to be written. Is Cisco going to update this?

Thanks

M

7 Replies

gfullage
Cisco Employee

Hmmm, I'll get onto it. I wrote the scripts and I must apologise I did some quick testing when v5 came out and saw that it still produced alerts and left it at that. I'll get onto it as soon as I can and will update the web site with the details, my apologies.

Wow, how about that. Post a question and the author of the script responds! Good success story for the forums!

Thank you for taking a look, and no need to apologize. The script is extremely valuable to our team. I will keep watching this post. Thank you again.

M

Hello,

Any luck on updating your script?

Mike

My apologies, been a mad house here for the past few months and this completely slipped through the cracks. I'll get onto it next week when I have some time and will post the finalised script here for your use. Again, my apologies.

OK, here 'tis, finally. Sorry for the delays. Let me know if it doesn't work correctly.

Change its name to emailalertv5.pl (I wasn't allowed to attach .pl files up here), and save it into the same directory as your current script. Then change your SecMon Notifications config to point to this script, leave the Query variable the same.

Works great! I also like the added info. Adding the RiskRating and int name is very helpful.

Thank you again

A note about getting the NSDB URL working: you must change the nsdb in the URL path to nsdb5.

https://ipofvmsserver/vms/nsdb5/

Mike

Hello. You wrote the scripts? Maybe you can help me. I opened a TAC incident a couple of years ago and they failed to resolve this for me. I've been using 4.x sensors for 3 years now, and the emailalert script has never reliably worked. I received a few odd emails here and there, and then it stopped working and I haven't been able to get it working since. It isn't an email issue, because I can use blat from the command line to send emails from the VMS box all day long. If I look at the temp file, it just never gets updated. I have a rule set now that should trip constantly. I set it up for testing purposes. It's set to run the script after every single occurrence of any type of alarm, but it never does a thing. Can you tell me what I may be doing wrong? If I run the script manually I get an email containing this:

reported a severity alert at :: on //

Signature: (:)

Attacker: ---> Victim:

Alert details:

Actions taken: None

NSDB: https://hastingsvms/vms/nsdb/html/expsig_.html

So I think the script is okay and that blat is set up properly. Something between the IDS MC and the script isn't working, and I don't know where to begin troubleshooting.
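The two technical points in this thread are the blank "Actions taken:" line on 5.x sensors and the hollow template (every field empty) that the last poster sees when the script runs without alert data. The following is an added example, not gfullage's emailalert.pl or emailalertv5.pl, written in Python rather than the original's Perl so it runs stand-alone. It renders the e-mail layout quoted above, joins whatever 5.x action names the sensor reports (denypacket and so on) instead of printing nothing, builds the nsdb5 URL noted in the thread, and reports which required fields were empty so that a manual run produces a diagnostic instead of a blank alert. The field names (sensor, sig_id, actions, ...) are assumptions; the real script's Query-variable mapping is not shown on the page, and the sample alert is constructed.

```python
# Added example, not the emailalert.pl script from the thread. Renders the
# e-mail layout quoted above, shows 5.x actions instead of a blank
# "Actions taken:" line, builds the nsdb5 URL, and reports empty input
# fields so a manual run gives a diagnostic rather than a hollow template.

# Field names are assumptions: the real script's Query-variable mapping
# is not shown on the page.
REQUIRED_FIELDS = ("sensor", "severity", "time", "date",
                   "sig_name", "sig_id", "attacker", "victim")

# 4.x NSDB pages live under /vms/nsdb/, 5.x under /vms/nsdb5/ (per the thread).
NSDB_PATH = {4: "nsdb", 5: "nsdb5"}


def format_actions(actions):
    """Render the sensor's action list, or "None" when no action was taken.

    5.x action names (e.g. "denypacket") differ from 4.x, which is why a
    4.x-era template printed nothing here; an unrecognised name is still
    shown rather than dropped, so the reader sees what the sensor reported.
    """
    names = [str(a).strip() for a in (actions or []) if str(a).strip()]
    return ", ".join(names) if names else "None"


def nsdb_url(vms_host, sig_id, version=5):
    """Link to the signature's NSDB page on the VMS server."""
    return f"https://{vms_host}/vms/{NSDB_PATH[version]}/html/expsig_{sig_id}.html"


def render_alert(alert, vms_host, version=5):
    """Return (body, missing).

    body    -- the e-mail text in the thread's layout
    missing -- required fields that were empty; a non-empty list means the
               notification did not hand the alert data to the script
    """
    def field(name, default=""):
        value = alert.get(name)
        return str(value) if value not in (None, "") else default

    missing = [name for name in REQUIRED_FIELDS if not alert.get(name)]
    lines = [
        f"{field('sensor')} reported a {field('severity')} severity alert "
        f"at {field('time')} on {field('date')}",
        "",
        f"Signature: {field('sig_name')} ({field('sig_id')}:{field('subsig', '0')})",
        "",
        f"Attacker: {field('attacker')} ---> Victim: {field('victim')}",
        "",
        f"Alert details: {field('details')}",
        "",
        f"Actions taken: {format_actions(alert.get('actions'))}",
    ]
    # Extra 5.x fields mentioned in the thread, shown only when present.
    if alert.get("risk_rating") not in (None, ""):
        lines.append(f"Risk Rating: {field('risk_rating')}")
    if alert.get("interface"):
        lines.append(f"Interface: {field('interface')}")
    lines += ["", f"NSDB: {nsdb_url(vms_host, field('sig_id'), version)}"]
    return "\n".join(lines), missing


def build_message(alert, vms_host, version=5):
    """Text to hand to the mailer: the alert body, or a diagnostic when the
    script was invoked without alert data (the symptom in the last post)."""
    body, missing = render_alert(alert, vms_host, version)
    if missing:
        return ("emailalert: invoked with empty fields " + ", ".join(missing)
                + "; check that the notification rule passes the Query "
                  "variables to the script.\n\n" + body)
    return body


if __name__ == "__main__":
    # Constructed sample alert, not a real sensor event.
    sample = {
        "sensor": "sensor-1", "severity": "high",
        "time": "10:15:30", "date": "03/01/2006",
        "sig_name": "SAMPLE-SIG", "sig_id": "60000", "subsig": "0",
        "attacker": "10.0.0.5", "victim": "10.0.0.9",
        "details": "constructed sample", "actions": ["denypacket"],
        "risk_rating": 85, "interface": "GigabitEthernet0/1",
    }
    print(build_message(sample, "ipofvmsserver"))
    print("---")
    print(build_message({}, "hastingsvms"))
```

Running the file prints the filled-in alert first and then the diagnostic for an empty invocation, which is the quickest way to tell "the mailer is fine but nothing was passed in" apart from "the template itself is broken".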
