Emailing Events

cburgarella (Level 1)

Hi all,

I have modified the script to email events.

Now I've upgraded to VMS 2.2; my sensors are still 3.1.

E-mails continue to arrive, but the variables in the script are null.

Is there a way to make this continue to work?

Here is my script:

###########################
$whereClause = $ARGV[0];
##
## extract all the alarms matching search expression
##
$tmpFile = "alarms.out";
# NOTE: $whereClause is handed to the shell inside double quotes; it comes
# from the ${Query} keyword of the event rule, so quote characters or shell
# metacharacters in the clause will be interpreted by the shell, not IdsAlarms.
system("IdsAlarms -s\"$whereClause\" -f\"$tmpFile\"");
# open matching alarm output
if (!open(ALARM_FILE, $tmpFile))
{
    print "Could not open ", $tmpFile, "\n";
    exit -1;
}
# read to last line (only the final record of the matching set is reported)
while (<ALARM_FILE>)
{
    $line = $_;
}
# clean up
close(ALARM_FILE);
unlink($tmpFile);
##
## split last line into fields
##
chomp($line);
@fields = split(/,/, $line);
$eventType = $fields[0];
$recordId = $fields[1];
$gmtTimestamp = 0; # need gmt time_t
$localTimestamp = 0; # need local time_t
$localDate = $fields[4];
$localTime = $fields[5];
$appId = $fields[6];
$hostId = $fields[7];
$orgId = $fields[8];
$srcDirection = $fields[9];
$destDirection = $fields[10];
$severity = $fields[11];
$sigId = $fields[12];
$subSigId = $fields[13];
$protocol = "TCP/IP";
$srcAddr = $fields[15];
$destAddr = $fields[16];
$srcPort = $fields[17];
$destPort = $fields[18];
$routerAddr = $fields[19];
$contextString = $fields[20];
##
## build the command line and execute the legacy script
##
$TempIDSFile = "c:\\temp\\idsalert.txt";
$EmailRcpt = "user\@domain";
# The sender credentials are stored in cleartext here and are passed to blat
# on its command line, so they are visible to anyone who can read this script
# or list running processes on the VMS host.
$EmailSender= "domain\\user";
$SenderPW= "password";
$Subject= "Alert IDS";
open(OUT,">$TempIDSFile") || warn "Unable to open output file!\n";
print(OUT "\n");
print(OUT "Received severity $severity alert at $localDate $localTime\n");
print(OUT "Signature ID $sigId\:$subSigId from $srcAddr to $destAddr\n");
print(OUT "$contextString\n");
close(OUT);
system ("blat \"$TempIDSFile\" -to \"$EmailRcpt\" -subject \"$Subject\" -u \"$EmailSender\" -pw \"$SenderPW\"");
###########################

6 Replies

marcabal (Cisco Employee)

Try replacing:

system("IdsAlarms -s\"$whereClause\" -f\"$tmpFile\"")

with:

system("IdsAlarms -on -s\"$whereClause\" -f\"$tmpFile\"")

Here is a copy of a more recent script:

#!/usr/bin/perl
#***********************************************************************
#
# FILE NAME : emailalert.pl
#
# DESCRIPTION : This file is a perl script that will be executed as an
# action when an IDS-MC Event Rule triggers, and will send an
# email to $EmailRcpt with additional alert parameters (similar to
# the functionality available with CSPM notifications)
#
# NOTE: this script only works with 3.x sensors, alarms from 4.0
# sensors are stored differently and cannot be represented
# in a similar format.
#
# NOTE: check the "system" command in the script for the correct
# format depending on whether you're using IDSMC/SecMon
# v1.0 or v1.1, you may need the "-on" command-line option.
#
# NOTES : This script takes the ${Query} keyword from the
# triggered rule, extracts the set of alarms that caused
# the rule to trigger. It then reads the last alarm of
# this set, parses the individual alarm fields, and
# calls the legacy script with the same set of command
# line arguments as CSPM.
#
# The calling sequence of this script must be of the form:
#
# emailalert.pl "${Query}"
#
# Where:
#
# "${Query}" - this is the query keyword dynamically
# output by the rule when it triggers.
# It MUST be wrapped in double quotes
# when specifying it in the Arguments
# box on the Rule Actions panel.
#
#
#***********************************************************************
##
## The following are the only two variables that need changing. $TempIDSFile can be any
## filename (doesn't have to exist), just make sure the directory that you specify
## exists. Make sure to use 2 backslashes for each directory, the first backslash is
## so the Perl interpreter doesn't error on the pathname.
##
## $EmailRcpt is the person that is going to receive the email notifications. Also
## make sure you escape the @ symbol by putting a backslash in front of it, otherwise
## you'll get a Perl syntax error.
##
$TempIDSFile = "c:\\temp\\idsalert.txt";
$EmailRcpt = "gfullage\@cisco.com";
##
## pull out command line arg
##
$whereClause = $ARGV[0];
##
## extract all the alarms matching search expression
##
$tmpFile = "alarms.out";
## The following line will extract alarms from 1.0 IDSMC/SecMon database, if
## using 1.1 comment out the line below and un-comment the other system line
## below it.
## V1.0 IDSMC/SecMon version
system("IdsAlarms -s\"$whereClause\" -f\"$tmpFile\"");
## V1.1 IDSMC/SecMon version.
## system("IdsAlarms -on -s\"$whereClause\" -f\"$tmpFile\"");
##
# open matching alarm output
if (!open(ALARM_FILE, $tmpFile))
{
    print "Could not open ", $tmpFile, "\n";
    exit -1;
}
# read to last line
while (<ALARM_FILE>)
{
    $line = $_;
}
# clean up
close(ALARM_FILE);
unlink($tmpFile);
##
## split last line into fields
##
chomp($line);
@fields = split(/,/, $line);
$eventType = $fields[0];
$recordId = $fields[1];
$gmtTimestamp = 0; # need gmt time_t
$localTimestamp = 0; # need local time_t
$localDate = $fields[4];
$localTime = $fields[5];
$appId = $fields[6];
$hostId = $fields[7];
$orgId = $fields[8];
$srcDirection = $fields[9];
$destDirection = $fields[10];
$severity = $fields[11];
$sigId = $fields[12];
$subSigId = $fields[13];
$protocol = "TCP/IP";
$srcAddr = $fields[15];
$destAddr = $fields[16];
$srcPort = $fields[17];
$destPort = $fields[18];
$routerAddr = $fields[19];
$contextString = $fields[20];
## Open temp file to write alert data into,
open(OUT,">$TempIDSFile") || warn "Unable to open output file!\n";
## Now write your email notification message. You're writing the following into
## the temporary file for the moment, but this will then be emailed. Use the format:
##
## print (OUT "Your text with any variable name from the list above \n");
##
## Again, make sure you escape special characters with a backslash (note the : in between $sigId
## and $subSigId has a backslash in front of it)
print(OUT "\n");
print(OUT "Received severity $severity alert at $localDate $localTime\n");
print(OUT "Signature ID $sigId\:$subSigId from $srcAddr to $destAddr\n");
print(OUT "$contextString\n");
close(OUT);
## then call "blat" to send contents of that file in the body of an email message.
## Blat is a freeware email program for WinNT/95, it comes with VMS in the
## $BASE\CSCOpx\bin directory, make sure you install it first by running:
##
## blat -install
##
## For more help on blat, just type "blat" at the command prompt on your VMS system (make
## sure it's in your path (feel free to move the executable to c:\winnt\system32 BEFORE
## you run the install, that'll make sure your system can always find it).
system ("blat \"$TempIDSFile\" -t \"$EmailRcpt\" -s \"Received IDS alert\"");

Hi marcabal,

I'm still getting the same result:

the e-mails are sent, but without any information from the alarms.out file.

The IDSMC/SecMon version is 1.2.

I am just trying to set this up for the first time, and knowing nothing of Perl, have copied the script verbatim from the Cisco page.

I too am receiving the email alerts, but with no "variable" data embedded.

When I uncomment the line

print(OUT "$oneline\n");

the first line of the email displays the very first line of the Alarms.out file:

http://www.cisco.com/cids/idiom" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.cisco.com/cids/idiom http://www.cisco.com/cids/1.00/idiom.xsd" schemaVersion="1.00">

It would appear that the script is only reading this first part of the file, and not catching any other data.

Any help would be much appreciated.
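The two Perl scripts above split the last line of the IdsAlarms export on commas and mail whatever comes out, which is why the posts above see e-mails full of blanks once the export is IDIOM XML (the namespace line quoted in the previous post) rather than comma-separated rows. The following is an added Python example, not code from this thread or from Cisco, that does the same last-record parse with the checks a practitioner would want: it detects the XML case, refuses to mail a record with empty fields, and builds the IdsAlarms argument vector as a list instead of a shell string so the ${Query} clause is never interpreted by cmd.exe. The column layout is taken from the field indices in emailalert.pl; the sample records and the XML root element name are constructed, and treating the context string as the final column (so it may contain commas) is an assumption.

```python
# Column layout of the 3.x-sensor IdsAlarms output, taken from the field
# indices used in emailalert.pl (21 comma-separated columns).
FIELD_NAMES = [
    "eventType", "recordId", "gmtTimestamp", "localTimestamp",
    "localDate", "localTime", "appId", "hostId", "orgId",
    "srcDirection", "destDirection", "severity", "sigId", "subSigId",
    "protocol", "srcAddr", "destAddr", "srcPort", "destPort",
    "routerAddr", "contextString",
]

# Constructed sample: two records in the 3.x comma-separated layout.
# Values are illustrative, not captured from a real sensor.
SAMPLE_CSV = (
    "4,1000,0,0,2004/02/18,10:30:59,sensorApp,sensor1,cisco,IN,OUT,3,2004,0,TCP/IP,"
    "10.1.1.5,192.168.1.20,3455,80,10.1.1.1,earlier record\n"
    "4,1001,0,0,2004/02/18,10:31:07,sensorApp,sensor1,cisco,IN,OUT,5,2000,0,TCP/IP,"
    "10.1.1.5,192.168.1.20,3456,80,10.1.1.1,GET /cmd.exe HTTP/1.0\n"
)

# Constructed sample of what a 4.x sensor export starts with. Only the
# namespace URI comes from the thread; the root element name is a placeholder.
SAMPLE_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<alarms xmlns="http://www.cisco.com/cids/idiom" schemaVersion="1.00">\n'
    '</alarms>\n'
)


def build_idsalarms_argv(where_clause, tmp_file, use_on_flag=True):
    """Build the IdsAlarms argument vector as a list.

    Passing a list to subprocess.run() (not done here, since IdsAlarms only
    exists on a VMS host) keeps the ${Query} text out of cmd.exe, where a
    stray quote or '&' in the clause would be parsed by the shell.
    """
    argv = ["IdsAlarms"]
    if use_on_flag:  # IDSMC/SecMon 1.1+ needs -on, per marcabal's reply
        argv.append("-on")
    argv += ["-s" + where_clause, "-f" + tmp_file]
    return argv


def looks_like_idiom_xml(text):
    """True when the export is IDIOM XML rather than comma-separated rows."""
    head = text.lstrip()[:512]
    return head.startswith("<") or "cisco.com/cids/idiom" in head


def last_alarm_record(text):
    """The last non-blank line, mirroring the while (<ALARM_FILE>) loop."""
    lines = [l for l in text.splitlines() if l.strip()]
    return lines[-1] if lines else None


def parse_alarm(line):
    """Split one record into named fields; the context string keeps any
    commas of its own (assumption: it is always the final column)."""
    fields = line.rstrip("\r\n").split(",")
    if len(fields) < len(FIELD_NAMES):
        raise ValueError("expected %d fields, got %d" % (len(FIELD_NAMES), len(fields)))
    rec = dict(zip(FIELD_NAMES, fields))
    rec["contextString"] = ",".join(fields[len(FIELD_NAMES) - 1:])
    return rec


def format_alert(rec):
    """Same message emailalert.pl writes, but refuse to send blanks."""
    required = ("severity", "localDate", "localTime", "sigId", "subSigId", "srcAddr", "destAddr")
    missing = [k for k in required if not rec[k].strip()]
    if missing:
        raise ValueError("empty alarm fields: " + ", ".join(missing))
    return (
        "Received severity %s alert at %s %s\n" % (rec["severity"], rec["localDate"], rec["localTime"])
        + "Signature ID %s:%s from %s to %s\n" % (rec["sigId"], rec["subSigId"], rec["srcAddr"], rec["destAddr"])
        + rec["contextString"] + "\n"
    )


def build_alert_body(alarm_output):
    """Return (True, body) or (False, reason) instead of mailing blanks."""
    if looks_like_idiom_xml(alarm_output):
        return (False, "IdsAlarms wrote IDIOM XML (4.x sensor); this parser only handles the 3.x comma-separated layout")
    line = last_alarm_record(alarm_output)
    if line is None:
        return (False, "no alarm records in IdsAlarms output")
    try:
        return (True, format_alert(parse_alarm(line)))
    except ValueError as exc:
        return (False, str(exc))


if __name__ == "__main__":
    for name, sample in (("csv", SAMPLE_CSV), ("xml", SAMPLE_XML)):
        ok, result = build_alert_body(sample)
        print(name, "OK" if ok else "SKIP", result)
```

Wiring this into the rule action would mean running build_idsalarms_argv() through subprocess.run() with the temp file as -f, reading that file into build_alert_body(), and only calling blat when the first element of the result is True; on False the reason should go to a log rather than into an empty e-mail, which is the symptom every reply in this thread describes.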

dpatkins (Level 1)

I have the same problem with 4.1.3 S74.

This is what is reported from our event rule that is defined with 4 filters:

reported a severity alert at :: on //

Signature: (:)

Attacker: ---> Victim:

If I use another event rule that has sig 2000 and 2004 as filters, it works just fine. Can you tell me how you have your filter set up? Do you have more than one filter?

Yesterday, I removed my event rules. I then separated them, using the Mydoom as one and the Netsky as the other, and it worked. I am not sure if you can have more than one event rule calling up the same script or not. It would seem like it should work. But all the fields are now full. Hope this helps.

Dwane

I am looking for an email script similar to this one that will work with version 4.1 sensors and the event rules of SecMon 1.2.3. This script mentions that it will only work with 3.x sensors.

Has anyone got such a thing?
