Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

Writing scripts for CSPM notifications

What is needed in order to write scripts for CSPM2.3.3i? Do you need to install a scripting language like Perl first? I would like to be able to write a script that emails me when a specific signature is triggered on the IDS sensor. Any suggestions or procedures would be appreciated. Thanks

4 REPLIES
Community Member

Re: Writing scripts for CSPM notifications

You may find the following useful:

Configuring E-mail Notifications for Cisco Secure IDS Events in CSPM

http://www.cisco.com/warp/customer/707/idsemailcspm_6155.html

HTH

Jeff

Community Member

Re: Writing scripts for CSPM notifications

That link doesn't address making scripts. I haven't been able to find any Cisco documents that show how to make scripts for CSPM.

Community Member

Re: Writing scripts for CSPM notifications

Making scripts is essentially a custom operation, consequently there aren't any Cisco documents that show you how to make scripts for CSPM.

First, for context, refer to the link I provided earlier. It shows what arguments are available from CSPM for sending vial email or via a script.

Within that context, the following may be helpful:

All IDS script notifications are provided with the same argument list currently provided by eventd.

When the argument list is passed to the scripts, all arguments are passed and it is up to the script to parse these events as needed. The argument values

are separated using a space when passed to the command line. Just specify the name of the script in the subject line of the message box.

The following is a sample script that has been used, but which I have not tested. It is NOT supported by Cisco. Nevertheless, others have modified it as described and it worked fine for them. Good luck!

HTH

Jeff

Here is a perl script and a batch file that will read the signatures file and put signature names in the subject of the email. To use, set the notification script to the batch file that launches it. You must edit the emailEvent.pl script to setup the email server and location of the CSPM installation of Postoffice. You must edit the emailEvent.bat file to point to the installed Perl interpreter and emailEvent.pl script. The version of perl must support email. You can get the latest free version for Win32 from http://aspn.activestate.com/ASPN/Downloads/ActivePerl/.

emailEvent.bat File:

perl d:\n\emailEvent.pl %*

emailEvent.pl File:

# This script receives an event notification then looks up the

# signature name in a "signatures" file. Next the script

# generates an email appending the signature name to the

# default subject. The contents of the email is the parsed

# arguments of the event notification with the addition of

# the signature name.

use Net::SMTP;

#############################################################

#

### YOU NEED TO SET THESE or override them in emailEvent.config

#

$SMTP_Server = 'mailhost.yourdomain.com';

$email_from = 'nobody@yourdomain.com';

$email_to = 'nobody@yourdomain.com';

$email_subject = 'IDS';

$email_reply_to = 'nobody@yourdomain.com';

$signatures_file = 'D:\program files\cisco systems\cisco secure policy manager\Postoffice\etc\signatures';

# note, the format for overriding these defaults in the

# emailEvent.config file is:

#

# SMTP-Server=servername

# email-from=emailAddress

# email-to=emailAddress

# email-subject=subject

# email-reply-to=emailAddress

#

#############################################################

# Start here

&setup_defaults; # setup command defaults

&read_cmdline_args; # read in any cmd line args

&read_config_file; # read in the configuration file

&check_sanity; # is everything set to go.

&process; # process the bookmarks

exit 0; # terminate execution

##############################################################3

#

# help message

sub help

{

print <

emailEvent.pl - emails a CSPM event

This program takes an event notification and generates an e-mail

message.

usage:

emailEvent.pl MsgType RecordID GlobalTime LocalTime DateStr TimeStr

ApplID HostID OrgID SrcDirection DstDirection AlarmLevel

SigID SubSigID ProtocolType SrcIpAddr DstIpAddr SrcIpPort

DstIpPort RouterIpAddr AlarmDetails MsgCount

where:

MsgType Identifies an integer value indicating the event

type: 4 = Alarm. Note This value is always 4.

RecordID Identifies record ID for the event.

GlobalTime Identifies the GMT timestamp for when the event

was generated, expressed in seconds since

midnight, January 1, 1970 (time_t).

LocalTime Identifies (sensor-local) timestamp for when the

event was generated, expressed in seconds since

midnight, January 1, 1970 (time_t).

DateStr Identifies (sensor-local) date stamp for when

the event was generated, in YYYY/MM/DD format.

TimeStr Identifies (sensor-local) time stamp for when

the event was generated, in HH:MM:SS format.

ApplID Identifies (postoffice) application ID on the

sensor that generated the event.

HostID Identifies (postoffice) host ID of the sensor

that generated the event.

OrgID Identifies (postoffice) organization ID on the

sensor that generated the event.

SrcDirection Identifies the location of the source (attacking)

entity with respect to the protected network.

Values are "IN" for inside the protected network,

or "OUT" for outside the protected network.

DstDirection Identifies location of the destination (attacked)

entity with respect to the protected network.

Values are "IN" for inside the protected network,

or "OUT" for outside the protected network.

AlarmLevel Identifies the severity level of the alarm.

SigID Identifies the signature ID that triggered the

alarm.

SubSigID Identifies the sub-signature ID that triggered

the alarm, if applicable.

ProtocolType Identifies the protocol of the alarm - always

"TCP/IP".

SrcIpAddr Identifies the IP address of the source

(attacking) node.

DstIpAddr Identifies the IP address of the destination

(attacked) node.

SrcIpPort Identifies the IP port number of the source

(attacking) node.

DstIpPort Identifies the IP port number of the destination

(attacked) node.

RouterIpAddr Identifies the IP address of the router that sent

the syslog message to the sensor (10000 series

alarms only); otherwise 0.0.0.0

AlarmDetails Identifies the details and/or context data for

the alarm.

MsgCount Identifies the number of events that occurred in

the current interval that caused this notification

to be generated.

-help this message

END_HELP

}

##############################################################3

# setup

#

sub setup_defaults

{

$config{'config-file'} = './emailEvent.config';

$config{'debug-level'} = 0;

$config{'SMTP-Server'} = $SMTP_Server;

$config{'email-from'} = $email_from;

$config{'email-to'} = $email_to;

$config{'email-subject'} = $email_subject;

$config{'email-reply-to'} = $email_reply_to;

$config{'signatures-file'} = $signatures_file;

}

##############################################################3

#

# Read the command line args and update the %config hash

sub read_cmdline_args {

if($#ARGV < 21) {

help();

exit 0;

}

$cmdline{'MsgType'} = $ARGV[0];

$cmdline{'RecordID'} = $ARGV[1];

$cmdline{'GlobalTime'} = $ARGV[2];

$cmdline{'LocalTime'} = $ARGV[3];

$cmdline{'DateStr'} = $ARGV[4];

$cmdline{'TimeStr'} = $ARGV[5];

$cmdline{'ApplID'} = $ARGV[6];

$cmdline{'HostID'} = $ARGV[7];

$cmdline{'OrgID'} = $ARGV[8];

$cmdline{'SrcDirection'} = $ARGV[9];

$cmdline{'DstDirection'} = $ARGV[10];

$cmdline{'AlarmLevel'} = $ARGV[11];

$cmdline{'SigID'} = $ARGV[12];

$cmdline{'SubSigID'} = $ARGV[13];

$cmdline{'ProtocolType'} = $ARGV[14];

$cmdline{'SrcIpAddr'} = $ARGV[15];

$cmdline{'DstIpAddr'} = $ARGV[16];

$cmdline{'SrcIpPort'} = $ARGV[17];

$cmdline{'DstIpPort'} = $ARGV[18];

$cmdline{'RouterIpAddr'} = $ARGV[19];

$cmdline{'AlarmDetails'} = $ARGV[20];

$cmdline{'MsgCount'} = $ARGV[21];

# The config file name is the *ONLY config item

# we special case. That is if the config_file is

# set on the cmd line then we overrided the default

# value right now!

if( defined $cmdline{'config-file'}) {

$config{'config-file'}=$cmdline{'config-file'};

}

}

##############################################################3

#

# Read the configuration file and update the %config hash

sub read_config_file {

$CONFIG_FILE=$config{'config-file'};

open CONFIG_FILE;

while( ) {

chomp;

($first, $second) = split( /=/ );

$config{$first}=$second;

}

}

##############################################################3

#

# Check the sanity of the %config hash

sub check_sanity {

# First thing: Integrate the cmd line args with config args

foreach (keys %cmdline) {

$config{$_} = $cmdline{$_};

}

# Now lets print the whole shebang!

if( $config{'debug-level'} > 1) {

foreach (sort keys %config) {

print "$_ ==> $config{$_}\n";

}

}

}

##############################################################3

#

# process

sub process

{

local @msgLines;

debug("debug is on");

# setup the %signatures hash

parseSignatures();

# get the signature name

$sigName = $signatures{$config{'SigID'}};

# append signature name to email subject

if($sigName ne "") {

$config{'email-subject'} = "$config{'email-subject'} ($sigName)";

}

# build text message to email in a string array

push(@msgLines, "MsgType = $config{'MsgType'}");

push(@msgLines, "RecordID = $config{'RecordID'}");

push(@msgLines, "GlobalTime = $config{'GlobalTime'}");

push(@msgLines, "LocalTime = $config{'LocalTime'}");

push(@msgLines, "DateStr = $config{'DateStr'}");

push(@msgLines, "TimeStr = $config{'TimeStr'}");

push(@msgLines, "ApplID = $config{'ApplID'}");

push(@msgLines, "HostID = $config{'HostID'}");

push(@msgLines, "OrgID = $config{'OrgID'}");

push(@msgLines, "SrcDirection = $config{'SrcDirection'}");

push(@msgLines, "DstDirection = $config{'DstDirection'}");

push(@msgLines, "AlarmLevel = $config{'AlarmLevel'}");

push(@msgLines, "SigID = $config{'SigID'}");

push(@msgLines, "SigName = $sigName");

push(@msgLines, "SubSigID = $config{'SubSigID'}");

push(@msgLines, "ProtocolType = $config{'ProtocolType'}");

push(@msgLines, "SrcIpAddr = $config{'SrcIpAddr'}");

push(@msgLines, "DstIpAddr = $config{'DstIpAddr'}");

push(@msgLines, "SrcIpPort = $config{'SrcIpPort'}");

push(@msgLines, "DstIpPort = $config{'DstIpPort'}");

push(@msgLines, "RouterIpAddr = $config{'RouterIpAddr'}");

push(@msgLines, "AlarmDetails = $config{'AlarmDetails'}");

push(@msgLines, "MsgCount = $config{'MsgCount'}");

sendEmail(@msgLines);

debug("done");

}

##############################################################

#

# parse the signatures file and store in the %signatures hash

sub parseSignatures

{

local $sigId, $sigName;

open(INSIG, "<$config{'signatures-file'}") || warn "unable to open signatures file($config{'signatures-file'})\n";

while() {

# skip commented lines

if(/^\s*#/) {

next;

}

# the signatures are in the following format:

# sigId "signature name"

# where sigId is an integer

if(/^\s*(\d+)\s+\"([^\"]+)\"/) {

$sigId = $1;

$sigName = $2;

$signatures{$sigId} = $sigName;

}

}

close(INSIG);

}

##############################################################

#

# send the given string array as email

sub sendEmail

{

local(@msgLines) = @_;

debug("sending email");

debug("To: $config{'email-to'}");

debug("From: $config{'email-from'}");

debug("Subject: $config{'email-subject'}");

debug("Reply-To: $config{'email-reply-to'}");

$smtp = Net::SMTP->new($SMTP_Server); # connect to an SMTP server

$smtp->mail($config{'email-from'}); # use the sender's address here

local(@recipients);

local($to);

# split the recipients on spaces and commas

@recipients = split(/,\s/, $config{'email-to'});

# tell smtp about each recipient

foreach $to (@recipients) {

$smtp->to($to); # recipient's address

}

$smtp->data(); # Start the mail

# Send the header.

$smtp->datasend("To: $config{'email-to'}\n");

$smtp->datasend("From: $config{'email-from'}\n");

$smtp->datasend("Subject: $config{'email-subject'}\n");

$smtp->datasend("Reply-To: $config{'email-reply-to'}\n");

$smtp->datasend("\n");

# Send the body.

foreach $line (@msgLines)

{

debug($line);

$smtp->datasend("$line\n");

}

$smtp->datasend("\n");

$smtp->dataend(); # Finish sending the mail

$smtp->quit; # Close the SMTP connection

}

##############################################################

#

# debug print statement

sub debug

{

local($str) = @_;

if($config{'debug-level'} > 0) {

print "$str\n";

}

}

Community Member

Re: Writing scripts for CSPM notifications

Hi,

I went through this too and ended up using activestate perl and writing perl scripts with pd perl libraries for generating events and sending via syslog.

The good thing about the script was that it is easier to do extensive filtering prior to sending an alert than having to go around each sensor and configure the filtering.

115
Views
0
Helpful
4
Replies
CreatePlease to create content