Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
351
Views
0
Helpful
6
Replies

VMS 2.2/SecMon 1.2 Event Rules and E-mail

picketfence
Level 1
Level 1

‎09-12-2003 03:02 PM - edited ‎03-09-2019 04:46 AM

Hello,

I've set up an Event Rule to send me an e-mail when an alert matches. Unfortunately, the help file doesn't show any ${} variables for information such as type of signature matched, source or destination IP, or action taken. Can I insert this information into a message? If not, a mail message of the "a high level event has happened!" type is pretty useless.

Thanks,

Ben

Labels:
0 Helpful
6 Replies 6

gfullage
Cisco Employee
Cisco Employee

‎09-13-2003 08:06 PM

You can do this but you need to write a script that'll grab the things like SigID, Src/Dest Address, etc out of the database.

Send me an email (gf@cisco.com) and what version of code you're running on your sensors and I'll send you everything you need to get it working.

0 Helpful

bbenton
Level 1
Level 1
In response to gfullage

‎09-14-2003 03:55 AM

You might as well post it, we're all going to want it.

0 Helpful

picketfence
Level 1
Level 1
In response to bbenton

‎09-14-2003 11:10 AM

I agree, please give this info to everyone. I'm running VMS 2.2. It's interesting that you guys have a fancy script, but no support in VMS 2.2. What's the story?

0 Helpful

gfullage
Cisco Employee
Cisco Employee
In response to picketfence

‎09-14-2003 03:47 PM

I would post it but it's quite large and easier for you to configure if I send you a html doc explaining what to do. FYI I have previously posted the v3.x script to this forum, the v4.x script is quite a bit larger though because v4.x sensors report there alerts in a completely different way (XML docs within SSL rather than the old PostOffice protocol).

As I said, send me an email and I'll gladly send you the stuff.

As for why it's not in the product, well, it will be. The developers didn't add email functionality into the original design, but have now recognised that a lot of customers want it and so are adding it into a future release. The script is simply a temporary work-around that'll do the same thing for you that I developed in the interim. There's nothing shady going on, just trying to make things a little easier for you guys. If anyone calls the TAC and asks for email functionality they'll get given the same script.

0 Helpful

5mlattimore
Level 1
Level 1
In response to gfullage

‎09-15-2003 03:04 PM

Could you please post the 3.x script? I actually had a case open on this and was told the only script they had was a cspm script that didnt work with the vms platform.

I already knew that since I had tried to modify it

If you could post the one that will work, that would be greatly appreciated.

thanks

Mike

0 Helpful

gfullage
Cisco Employee
Cisco Employee
In response to 5mlattimore

‎09-15-2003 07:32 PM

The v3.x script is in the old forum post here:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.ee8fdd3/1#selected_message

remember that this will NOT work with v4.x sensors though, for that email me.

0 Helpful
Customers Also Viewed These Support Documents