New Member

Alerts via email in IDS MC

We are in the process of upgrading to IDS MC from CSPM 2.3.3i. In CSPM, we were able to send an email with alert information if a HIGH event occurred. How do you do this with IDS MC?

13 REPLIES
New Member

Re: Alerts via email in IDS MC

Hello,

Security Monitor has the ability to send email notifications when an Event Rule is triggered. Unfortunately, the inbuilt variables that can be used within the email notification for each event do not include things like the Signature ID, the Source and Destination of the alert, etc.

In order to send the same variables as you did with CSPM, you have to use a script. If you have problems, you can open a case with TAC and they should help you.

HTH,

Eric

Cisco Employee

Re: Alerts via email in IDS MC

Eric is correct, the inbuilt variables available within Security Monitor do not provide the granularity you had with CSPM. It is possible to get this same functionality with Security Monitor, and opening a TAC case is probably the easiest way to get this. I'll include basically what the TAC will tell you below; hopefully other people will be able to get it working by searching on this message.

First off you need to copy the script attached at the bottom of this message into a file and save it into the $BASE\CSCOpx\MDC\etc\ids\scripts directory on the VMS server, this will allow you to select it when you define an event rule in the next step. The script contains comments about what it's doing, but basically the only thing that needs changing in it is the variable $EmailRcpt (near the top of the file), just make this the email address of the end user who is to receive the email alert.

Now define an Event Rule within Security Monitor that will call a new Perl script. From the main Security Monitor page, go to Admin - Event Rules and Add a new event. On the "Specify the Event Filter" screen, add the filters that you want to trigger the email alert. On the "Choose the Action" screen, check the box to execute a script and select the script name from the drop-down box. In the Arguments section, enter (exactly) "${Query}" (make sure you include the double-quotes and it is case-sensitive, i.e., type in double-quote, dollar sign, open parenthesis, Query, close parenthesis, double-quote).

Now when a high severity alert (or whatever you defined as your event filters) is received, the script called emailalert.pl (or whatever you called it on your server) will be called with an argument of ${Query} which contains additional information about the alert. The script parses out all the separate fields and uses a program called blat to send an email to the end user.

Blat is a freeware email program used on WinNT/95 systems to send emails from batch files or Perl scripts. It is included as part of the VMS install in the $BASE\CSCOpx\bin directory. To install it, open up a Command prompt window on the VMS server and type "blat". If you don't get any "File not found" type errors then your path is set up correctly. If the blat.exe file cannot be found, copy it into the winnt\system32 directory so it will always be found. To install, run:

> blat -install

Once this program is installed, you're ready to go.

To troubleshoot, first off, check that blat is working properly by running the following from a command prompt:

> blat <filename> -t <recipient> -s "Test message"

where <filename> is the full path to any text file on the VMS system. If you receive this file in the body of an email, then you know blat is working.

If no email is received after an alert is triggered, try running the Perl script from a command-prompt window. This will highlight any Perl or path type issues. Open a Command-prompt and enter:

> cd Program Files/CSCOpx/MDC/etc/ids/scripts

> emailalert.pl ${Query}

You will receive a Sybase error since the ${Query} parameter you're passing the script doesn't actually contain anything (unlike when it's passed from Security Monitor), but other than that the script should run properly and send an email (any alert parameters within the email body will simply be blank). If you receive any Perl or path errors then you'll have to fix those before any emails will be sent out.

Here's the emailalert.pl script, just copy everything from here into a file on your VMS server and you're ready to go:

#!/usr/bin/perl
#***********************************************************************
#
# FILE NAME : emailalert.pl
#
# DESCRIPTION : This file is a perl script that will be executed as an
#               action when an IDS-MC Event Rule triggers, and will send an
#               email to $EmailRcpt with additional alert parameters (similar to
#               the functionality available with CSPM notifications)
#
# NOTES : This script takes the ${Query} keyword from the
#         triggered rule, extracts the set of alarms that caused
#         the rule to trigger. It then reads the last alarm of
#         this set, parses the individual alarm fields, and
#         calls the legacy script with the same set of command
#         line arguments as CSPM.
#
# The calling sequence of this script must be of the form:
#
#     emailalert.pl "${Query}"
#
# Where:
#
#     "${Query}" - this is the query keyword dynamically
#                  output by the rule when it triggers.
#                  It MUST be wrapped in double quotes
#                  when specifying it in the Arguments
#                  box on the Rule Actions panel.
#
#***********************************************************************
use strict;
use warnings;

##
## The following are the only two variables that need changing. $TempIDSFile can be any
## filename (doesn't have to exist), just make sure the directory that you specify
## exists. Make sure to use 2 backslashes for each directory, the first backslash is
## so the Perl interpreter doesn't error on the pathname.
##
## $EmailRcpt is the person that is going to receive the email notifications. Also
## make sure you escape the @ symbol by putting a backslash in front of it, otherwise
## you'll get a Perl syntax error.
##
my $TempIDSFile = "c:\\temp\\idsalert.txt";
my $EmailRcpt   = "user\@domain.com";

##
## pull out command line arg (the ${Query} keyword passed in by the event rule)
##
my $whereClause = defined $ARGV[0] ? $ARGV[0] : "";

##
## extract all the alarms matching search expression into a temporary file
##
my $tmpFile = "alarms.out";
system("IdsAlarms -s\"$whereClause\" -f\"$tmpFile\"");

# open matching alarm output
if (!open(ALARM_FILE, $tmpFile))
{
    print "Could not open ", $tmpFile, "\n";
    exit 1;
}

# read to last line, keeping only the final alarm record
my $line = "";
while (<ALARM_FILE>)
{
    $line = $_;
}
chomp($line);

# clean up
close(ALARM_FILE);
unlink($tmpFile);

##
## split last line into its comma-separated fields
##
my @fields = split(/,/, $line);

my $eventType      = $fields[0];
my $recordId       = $fields[1];
my $gmtTimestamp   = 0;            # need gmt time_t
my $localTimestamp = 0;            # need local time_t
my $localDate      = $fields[4];
my $localTime      = $fields[5];
my $appId          = $fields[6];
my $hostId         = $fields[7];
my $orgId          = $fields[8];
my $srcDirection   = $fields[9];
my $destDirection  = $fields[10];
my $severity       = $fields[11];
my $sigId          = $fields[12];
my $subSigId       = $fields[13];
my $protocol       = "TCP/IP";
my $srcAddr        = $fields[15];
my $destAddr       = $fields[16];
my $srcPort        = $fields[17];
my $destPort       = $fields[18];
my $routerAddr     = $fields[19];
my $contextString  = $fields[20];

## Open temp file to write alert data into
open(OUT, ">$TempIDSFile") || die "Unable to open output file $TempIDSFile!\n";

## Now write your email notification message. You're writing the following into
## the temporary file for the moment, but this will then be emailed. Use the format:
##
##     print(OUT "Your text with any variable name from the list above \n");
##
## A variable name is wrapped in braces (${sigId}) where it is immediately followed
## by other characters, so Perl knows where the name ends.
print(OUT "\n");
print(OUT "Received severity $severity alert at $localDate $localTime\n");
print(OUT "Signature ID ${sigId}:${subSigId} from $srcAddr to $destAddr\n");
print(OUT "$contextString\n");
close(OUT);

## then call "blat" to send contents of that file in the body of an email message.
## Blat is a freeware email program for WinNT/95, it comes with VMS in the
## $BASE\CSCOpx\bin directory, make sure you install it first by running:
##
##     blat -install
##
## For more help on blat, just type "blat" at the command prompt on your VMS system (make
## sure it's in your path (feel free to move the executable to c:\winnt\system32 BEFORE
## you run the install, that'll make sure your system can always find it).
system("blat \"$TempIDSFile\" -t \"$EmailRcpt\" -s \"Received IDS alert\"");

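Added example, not part of the post above and not Cisco's script: a Python version of the parse-and-format steps that emailalert.pl performs, using the same field positions the script's field map gives. It assumes the context string is the last field of an IdsAlarms record, so the split is capped to keep any commas inside it rather than truncating it; the alarm lines, addresses and signature values are constructed for illustration, and the blat argument vector is built as a list so no command shell reinterprets the values. The names FIELD_MAP, parse_alarm_line, last_alarm, build_message, blat_command and send_with_blat are chosen here.

```python
"""Parse the last alarm from IdsAlarms output and build the notification body.

Added example: a Python stand-in for the Perl logic in emailalert.pl. Field positions
follow that script's field map; the sample records below are constructed, not real
IdsAlarms output.
"""
import subprocess
from typing import Dict, List, Optional

# Field positions used by emailalert.pl (index -> name). Positions 2, 3 and 14 are not
# consumed by the script, so they are left unnamed here.
FIELD_MAP = {
    0: "eventType", 1: "recordId", 4: "localDate", 5: "localTime", 6: "appId",
    7: "hostId", 8: "orgId", 9: "srcDirection", 10: "destDirection", 11: "severity",
    12: "sigId", 13: "subSigId", 15: "srcAddr", 16: "destAddr", 17: "srcPort",
    18: "destPort", 19: "routerAddr", 20: "contextString",
}
CONTEXT_INDEX = 20  # assumption: the context string is the last field


def parse_alarm_line(line: str) -> Dict[str, str]:
    """Split one comma-separated alarm record into the named fields.

    The context string may itself contain commas (a URL query, for example), so the
    split is capped at CONTEXT_INDEX: everything after the 20th comma stays together.
    """
    parts = line.rstrip("\r\n").split(",", CONTEXT_INDEX)
    if len(parts) <= CONTEXT_INDEX:
        raise ValueError(f"expected at least {CONTEXT_INDEX + 1} fields, got {len(parts)}")
    return {name: parts[idx] for idx, name in FIELD_MAP.items()}


def last_alarm(records: str) -> Optional[Dict[str, str]]:
    """Return the last non-empty record, as the Perl script does by reading to EOF."""
    lines = [ln for ln in records.splitlines() if ln.strip()]
    return parse_alarm_line(lines[-1]) if lines else None


def build_message(alarm: Dict[str, str]) -> str:
    """Same body layout that emailalert.pl writes to $TempIDSFile."""
    return (
        "\n"
        f"Received severity {alarm['severity']} alert at {alarm['localDate']} {alarm['localTime']}\n"
        f"Signature ID {alarm['sigId']}:{alarm['subSigId']} from {alarm['srcAddr']} to {alarm['destAddr']}\n"
        f"{alarm['contextString']}\n"
    )


def blat_command(body_file: str, recipient: str, subject: str) -> List[str]:
    """Argument vector for 'blat <file> -t <to> -s <subject>', the call the script uses.
    Passing a list (no shell) means the values are handed to blat exactly as given."""
    return ["blat", body_file, "-t", recipient, "-s", subject]


def send_with_blat(body: str, body_file: str, recipient: str, subject: str) -> int:
    """Write the body to the temp file and run blat on it; returns blat's exit status."""
    with open(body_file, "w", encoding="ascii", errors="replace") as fh:
        fh.write(body)
    return subprocess.call(blat_command(body_file, recipient, subject))


# Constructed sample: two alarm records in the positional layout above. Addresses,
# ports and context strings are illustrative, not captured sensor output; the second
# record's context string contains a comma on purpose.
SAMPLE_RECORDS = (
    "4,1001,0,0,2003/09/04,09:18:12,sensorApp,sensor1,org1,OUT,IN,4,3201,0,0,"
    "10.10.10.14,192.0.2.17,2714,80,192.0.2.1,GET /cgi-bin/test-cgi HTTP/1.0\n"
    "4,1002,0,0,2003/09/04,09:18:20,sensorApp,sensor1,org1,OUT,IN,5,5366,1,0,"
    "192.0.2.33,10.10.10.14,40321,80,192.0.2.1,GET /index.php?a=1,b=2&c=%B2%A0 HTTP/1.1\n"
)

if __name__ == "__main__":
    print(build_message(last_alarm(SAMPLE_RECORDS)))
```

On a real VMS host the body of send_with_blat replaces the two system() calls at the end of the Perl script; the IdsAlarms step is unchanged.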
New Member

Re: Alerts via email in IDS MC

Hi,

Let me understand your reply... the ONLY way a Cisco IDS customer can get email alerts is to be running a CiscoWorks2000 add-on module, and that functionality is somewhat limited so you would have to further enhance the functionality with your Perl script?

We have a significant investment in Cisco gear, including two NIDS devices and I personally believe that Cisco needs to provide this email alert capability natively in the IEV / IDM apps.

Do you have any scripts that would enable email alerting that I could run on the SunOS of the network IDS platforms themselves?

Silver

Re: Alerts via email in IDS MC

Unfortunately, Cisco has not bothered to add this simple functionality to their product. You must spend upwards of thousands $$ in additional software and hardware to gain this simple event.

I have taken the approach of writing a simple Perl script that runs on my IEV station. This simple 30-line script runs every 10 mins using the Microsoft schedule service. It looks in the MySQL database of IEV for any event with severity greater than 3 and status of "new" and then sends an email along with the Sig. ID, time stamp, link to the NSDB page, etc.

I'm interested in seeing other people's ideas/suggestions for scripts on the IDS sensor or IEV only. In other words, without spending a lot of money on VMS/CSPM just to receive emails.

The email messages look like this:

Time: 18:01:41

Severity: 4

Signature ID: 3201

Description: WWW cgi-bin

Source: 205.158.149.132-2714

Destination: 10.10.10.14-80

http://localhost/nsdb/expsig_3201.html

My script looks something like this:

#! c:\perl\bin\perl.exe
use strict;
use warnings;
use DBI;
use Mail::Sender;

# IEV keeps its alarms in a local MySQL database; connect with the alerting account
my $dsn      = 'DBI:mysql:alarmDB:localhost:3306';
my $user     = 'alerter';
my $password = 'alerting';
my $dbh = DBI->connect($dsn, $user, $password);
if (not $dbh) {
    print "Can't Connect to the DB: $DBI::errstr\n";
    exit;
}

# every new alarm above severity 3
my $sth = $dbh->prepare("select * from event_realtime_table where severity>3 and alarm_status='New'");
$sth->execute;

# signature name lookup, with a placeholder instead of interpolating the ID into the SQL
my $sig = $dbh->prepare("select * from signature_tbl where sig_id=?");

my $alert = '';
while (my @row = $sth->fetchrow_array()) {
    $alert .= "Time: $row[3]\nSeverity: $row[11]\nSignature ID: $row[12]";
    $alert .= "\nDescription: ";
    $sig->execute($row[12]);
    my @ids = $sig->fetchrow_array();
    $alert .= (defined $ids[1] ? $ids[1] : 'unknown') . "\n";
    $alert .= "Source: $row[15]-$row[17]\n";
    $alert .= "Destination: $row[16]-$row[18]\n";
    $alert .= "http://localhost/nsdb/expsig_$row[12].html\n\n\n";
}

# only send mail when at least one alarm matched
if ($alert ne '') {
    my $sender = Mail::Sender->new({smtp => 'localhost', from => 'test.ids@comsoltx.com'});
    ref $sender or die "Mail::Sender: $Mail::Sender::Error\n";
    ref $sender->Open({to => 'sgillenwater@comsoltx.com', subject => 'IDS ALERT!'})
        or die "Mail::Sender: $Mail::Sender::Error\n";
    $sender->SendLineEnc($alert);
    $sender->Close;
}

$sig->finish;
$sth->finish;
$dbh->disconnect;
exit;

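Added example, not the poster's script: a Python sketch of the same poll-and-digest job, with one addition a scheduled run needs, a high-water mark on the last event reported, so alarms still marked New are not mailed again every 10 minutes. IEV's real table layout is not on this page, so the example uses an in-memory sqlite3 stand-in whose column names (event_id, event_time, severity, sig_id, src_addr, dst_addr, src_port, dst_port, alarm_status, sig_name) are assumptions; the rows are constructed, the NSDB link format and the per-alarm layout are the ones the post shows, and the names make_sample_db, new_alarms, format_digest and run_once are chosen here.

```python
"""Poll an alarm table for new high-severity events and build one email digest,
remembering the last event reported so a scheduled run does not repeat itself.

Added example, not the poster's script. Uses sqlite3 in memory with a constructed,
minimal stand-in for IEV's event_realtime_table and signature_tbl; column names are
assumptions, only the columns the poster's query uses are modelled.
"""
import sqlite3
from typing import List, Tuple

NSDB_URL = "http://localhost/nsdb/expsig_{sig}.html"  # link format from the post


def make_sample_db() -> sqlite3.Connection:
    """Constructed data, not captured from a real IEV install. Signature 5366 is left
    out of signature_tbl on purpose, so the join has a missing name to cope with."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE event_realtime_table (
            event_id INTEGER PRIMARY KEY, event_time TEXT, severity INTEGER, sig_id INTEGER,
            src_addr TEXT, dst_addr TEXT, src_port INTEGER, dst_port INTEGER, alarm_status TEXT);
        CREATE TABLE signature_tbl (sig_id INTEGER PRIMARY KEY, sig_name TEXT);
        INSERT INTO signature_tbl VALUES (3201, 'WWW cgi-bin');
        INSERT INTO event_realtime_table VALUES
            (1, '18:01:41', 4, 3201, '205.158.149.132', '10.10.10.14', 2714, 80, 'New'),
            (2, '18:02:05', 2, 3201, '205.158.149.132', '10.10.10.14', 2715, 80, 'New'),
            (3, '18:03:12', 5, 5366, '198.51.100.7', '10.10.10.14', 40321, 80, 'New');
        """
    )
    return db


def new_alarms(db: sqlite3.Connection, min_severity: int, after_id: int) -> List[Tuple]:
    """Alarms above the threshold, still New, and newer than the last one reported.
    Bound parameters keep the values out of the SQL text."""
    sql = """SELECT e.event_id, e.event_time, e.severity, e.sig_id, s.sig_name,
                    e.src_addr, e.src_port, e.dst_addr, e.dst_port
             FROM event_realtime_table e
             LEFT JOIN signature_tbl s ON s.sig_id = e.sig_id
             WHERE e.severity > ? AND e.alarm_status = 'New' AND e.event_id > ?
             ORDER BY e.event_id"""
    return db.execute(sql, (min_severity, after_id)).fetchall()


def format_digest(rows: List[Tuple]) -> str:
    """One block per alarm, in the layout the post's sample email uses."""
    chunks = []
    for _ev_id, t, sev, sig, name, src, sport, dst, dport in rows:
        chunks.append(
            f"Time: {t}\nSeverity: {sev}\nSignature ID: {sig}\n"
            f"Description: {name or 'unknown'}\n"
            f"Source: {src}-{sport}\nDestination: {dst}-{dport}\n"
            + NSDB_URL.format(sig=sig) + "\n"
        )
    return "\n\n".join(chunks)


def run_once(db: sqlite3.Connection, state: dict, min_severity: int = 3) -> Tuple[str, int]:
    """One scheduled pass: returns (digest, alarm count) and advances the high-water
    mark in `state`, which stands in for a small file the real job would persist."""
    rows = new_alarms(db, min_severity, state.get("last_id", 0))
    if rows:
        state["last_id"] = rows[-1][0]
    return format_digest(rows), len(rows)


if __name__ == "__main__":
    db, state = make_sample_db(), {}
    digest, count = run_once(db, state)
    print(f"{count} new alarm(s)\n{digest}")
    print("second pass:", run_once(db, state)[1], "new alarm(s)")
```

Mail is only worth sending when the count is non-zero; the poster's Mail::Sender call slots in at that point unchanged.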
New Member

Re: Alerts via email in IDS MC

can you tell me how you executed this? I have tried

c:\ perl scriptname

and it always says there is a problem. I am running it on NT. Thanks.

Cisco Employee

Re: Alerts via email in IDS MC

Email notifications are being planned for IDM/IEV, unfortunately they probably won't make it into the next release but they are on the way. Many customers have asked for this functionality.

Email notifications have always been a part of CSPM, which is our original IDS management solution. IEV/IDM was created because customers with small NIDS deployments baulked at spending the money on CSPM, and rightly so in my opinion. IEV/IDM provides a no-additional-cost management solution, but as you're aware, it doesn't currently have all the capabilities of our additional-cost management solutions. Additional features, such as email alerts, are gradually being released into IEV/IDM over time.

Please feel free to contact your Account Manager and have him push this further for you. The more customers that complain about a missing feature, the more urgency it gets and the faster it gets added.

New Member

Re: Alerts via email in IDS MC

I had used this procedure to receive email alerts and it worked. But, when I recently installed the IDSMC patch for allowing use of the IDS sensor 4.x, I would receive the emails without any data...the variables no longer worked. What needs to be done in order to restore functionality or is there a new way of sending email alerts with alert data?

New Member

Re: Alerts via email in IDS MC

To fix the script, line 111 needs to be changed to force output in NrLog format (add -on).

From: system("IdsAlarms -s\"$whereClause\" -f\"$tmpFile\"");

To: system("IdsAlarms -on -s\"$whereClause\" -f\"$tmpFile\"");

New Member

Re: Alerts via email in IDS MC

Hi,

Previously in CSPM 2.3.3i, I could use variables in the email header as well so that I could even sort and group email. In IDS MC 1.2, I can't get it working this time round. Is that normal, in other words a restriction that I should expect?

New Member

Re: Alerts via email in IDS MC

I had tried this. The following is what I got:

Received severity 5 alert at 2003/09/04 09:18:12

Signature ID 5366:1 from xx.xx.xx.xx to xx.xx.xx.xx

GET ...?...%B2%A0...

The Signature ID was always 5366:1

and the Context String would always be: GET ...?...%B2%A0...

What's wrong?

poh
New Member

Re: Alerts via email in IDS MC

TAC told me this script will not work for IDS sensors running 4.x, which I have. Is there a way to enable email alerts to include the signature IDs, signature names, etc. for IDS sensor versions 4.x also? Thanks in advance.

New Member

Re: Alerts via email in IDS MC

TAC told me we are on our own. But they did tell me that with 4.x sensors, the output is IDIOM v1 (XML). The previously mentioned script in this thread uses the utility IDSALARMS. I played with it and the only output format available is IDIOM with 4.x sensors. Can anyone help me figure out how to modify the script to parse it? Here is what a single line from my sensor looks like:

ZT8vYytkaXIrYzogSFRUUC8xLjEN80.207.198.372584xxx.64.64.2680falsefalsefalsenetrangr2sensorApp1098IdiomV1xxx.64.157.100URL with /..00R0VUIC9zY3JpcHRzLy4uJWMxJTFjLi4vd2lubnQvc3lzdGVtMzIvY21kLmV4

Cisco Employee

Re: Alerts via email in IDS MC

TAC should have access to a script that'll work with 4.0 IDIOM alerts now. If you don't get any luck there let me know (gf@cisco.com) and I'll arrange to get it for you with instructions on how to make it work.

As you can see the alarm format changed significantly between 3.x and 4.x because the 3.x format just couldn't keep up with all the new possibilities for alerts (multiple victims, multiple attackers, etc.). Because this format changed, the original 3.x email script is useless and you'll need a completely new script to run.

You also won't be able to receive email alerts from both 3.x and 4.x sensors at the same time, since you can only run one script and that has to be either the one that works with 3.x alerts or the one that works with 4.x alerts.
