
Cisco Secure Policy Manager

Configuring E-mail Notifications for Cisco Secure IDS Events in CSPM

Document ID: 6155

Updated: Jan 19, 2006


Introduction

This document explains the procedures used to configure Cisco Secure Policy Manager (CSPM) to send e-mail notifications for alarms that it receives from a Cisco Secure Intrusion Detection System (IDS) Sensor.

Note: The paging function of CSPM does not work at this time. Additional information about this issue is available in the Cisco Bug Toolkit under Cisco bug ID CSCdu78552 (registered customers only).

Prerequisites

Requirements

This document is based on these assumptions about your network setup.

  • You have installed CSPM 2.3.I on your computer.

  • You have successfully configured a CSPM host communicating with a Sensor device, and the CSPM host is receiving alarms from the Sensor.

Components Used

The information in this document is based on CSPM 2.3.I.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

For more information on document conventions, refer to the Cisco Technical Tips Conventions.

Configurations

When you log in to CSPM, you should see a screen similar to this example. From this screen, you can define the Simple Mail Transfer Protocol (SMTP) mail server, configure CSPM to use the mail server, define the IDS events that trigger an e-mail notification, and create the subject and body of the e-mail notifications.

(Figure: idsemailcspm_6155_a.gif)

Define the SMTP Mail Server

After you initially log in to CSPM, complete these steps to define the SMTP mail server that CSPM uses to e-mail alarms.

Note: Your mail server does not have to be on the same network as the CSPM host and Sensor. To define the network that your mail server is on, right-click the Internet icon and select New > Cloud Network.

  1. Right-click the Network icon in the topology area and select New > Host. The screen that appears allows you to define the mail server's IP address.

    (Figure: idsemailcspm_6155_b.gif)

  2. In the topology area, enter a name for the new host.

  3. Enter the IP address of the new host in the IP Address field and click Add.

  4. Click Add in the Resident Client/Server Products box.

  5. Click Add.

  6. Select SMTP and click OK. A screen similar to this appears.

    (Figure: idsemailcspm_6155_c.gif)

  7. Click OK again to finish defining the SMTP mail server.

Configure CSPM to Use the SMTP Mail Server

After the SMTP mail server is defined, complete these steps to configure CSPM to use this mail server.

  1. Select the CSPM host from the topology area.

  2. From the General tab, click the SMTP Server drop-down list, select the mail server you just defined, then click OK.

    (Figure: idsemailcspm_6155_d.gif)

  3. From the CSPM file menu, select File > Save and Update. After CSPM updates (assuming there are no errors), you should see a screen similar to this example.

    (Figure: idsemailcspm_6155_e.gif)

Define the IDS Events That Trigger an E-mail Notification Message

Complete these steps to define the IDS events that trigger an e-mail message.

  1. From the CSPM main menu, select Tools > Configure Notifications.

  2. Click IDS Events.

    (Figure: idsemailcspm_6155_f.gif)

  3. In the Event Description window, select High Severity Alarms to activate the Event Disposition window.

  4. In the Event Disposition section, click Log event and issue notification specified below.

  5. In the Notification Message area, click the Include event description box.

  6. In the Notification Methods area, click the E-Mail box and then click Addresses to add the e-mail addresses that receive the e-mail notifications.

    (Figure: idsemailcspm_6155_g.gif)

  7. Enter the e-mail addresses of the users who are to be notified by e-mail. You can put multiple addresses into this box. Click OK when you are finished.

    (Figure: idsemailcspm_6155_h.gif)

  8. On the Configure Logging and Notifications screen, click Apply and then Close.

  9. From the main CSPM menu, select File > Save and Update.

    Note: Your CSPM host must be able to reach your SMTP mail server on TCP port 25. In order to test this, open a command prompt on your CSPM host and type telnet x.x.x.x 25, where x.x.x.x is the IP address of the SMTP server that you defined. If this works correctly, you should get an SMTP banner similar to this output.

    rtp% telnet 172.18.124.116 25
    Trying 172.18.124.116...
    Connected to 172.18.124.116.
    Escape character is '^]'.
    
    !--- You should get some kind of response
    !--- like this from your mail server.
    
    220 anger.cisco.com ESMTP
    
    !--- Type quit to exit the SMTP session.
    
    quit   
    221 anger.cisco.com
    Connection closed by foreign host.
    rtp%

    This output shows an instance where this command did not work.

    rtp% telnet 172.18.124.116 25
    Trying 172.18.124.116...
    
    !--- The SMTP server is not running on the host.
    
    telnet: Unable to connect to remote host: Connection refused
    rtp%
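    The same reachability check can be scripted so that it is repeatable after a change to the mail server or an intervening firewall. The following is an added example, not part of the Cisco document: it connects to the SMTP port, expects the 220 greeting shown above, sends QUIT, and reports the "Connection refused" and timeout cases separately, because they point at different causes (nothing listening versus no route or a filtered port). The loopback listener and the port values are constructed purely so the check can be exercised offline; against a real server you would call smtp_banner_check with the mail server's address and port 25.

```python
import socket
import threading

# Added example (not from the Cisco document): a scripted version of the
# "telnet x.x.x.x 25" check from the note above. The fake server and the
# addresses used here are constructed for an offline demonstration.


def smtp_banner_check(host, port=25, timeout=5.0):
    """Return (reachable, detail): detail is the 220 banner or the failure reason."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            reader = sock.makefile("rb")
            banner = reader.readline().decode("ascii", "replace").rstrip("\r\n")
            if not banner.startswith("220"):
                # Something answered on the port, but not with an SMTP greeting.
                return False, "unexpected greeting: %r" % banner
            # Close the session politely, as the note does with 'quit'.
            sock.sendall(b"QUIT\r\n")
            reader.readline()  # the 221 reply; its content is not needed
            return True, banner
    except ConnectionRefusedError:
        # Matches the second transcript: host is up, nothing listens on the port.
        return False, "Connection refused (no SMTP listener on port %d)" % port
    except socket.timeout:
        # No answer at all: host down, wrong route, or port filtered in between.
        return False, "timed out after %.1fs (host unreachable or port filtered)" % timeout
    except OSError as exc:
        return False, str(exc)


def start_fake_smtp_server(greeting=b"220 anger.cisco.com ESMTP\r\n"):
    """Start a one-shot loopback listener that mimics the greeting in the note.

    Constructed only so the check can be exercised offline; returns the port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(greeting)
            if conn.recv(64).upper().startswith(b"QUIT"):
                conn.sendall(b"221 anger.cisco.com\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_loopback_port():
    """Pick a loopback port with nothing listening (constructed 'refused' case)."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    ok, detail = smtp_banner_check("127.0.0.1", start_fake_smtp_server())
    print("reachable" if ok else "FAILED", "-", detail)
    ok, detail = smtp_banner_check("127.0.0.1", closed_loopback_port())
    print("reachable" if ok else "FAILED", "-", detail)
```

    A greeting that is not a 220 line is treated as a failure on purpose: a proxy or a different daemon on port 25 will accept the TCP connection, which a bare "Connected to" line in telnet would not distinguish from a working mail server.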

Create the Subject and Body of an E-mail Notification Message

By default, a notification e-mail only contains information similar to this example.

>Message 1:
From MAILER-DAEMON Mon Oct 15 16:48:20 2001
Delivered-To: jason@anger.cisco.com
From:Cisco Secure Policy Manager
To: Jason@anger.cisco.com
Subject: Cisco Notification
High Severity Alarms

Complete these steps to configure CSPM to define the information that is sent within a notification e-mail.

  1. From the CSPM main menu, select Tools > Configure Notifications.

  2. Click IDS Notifications.

  3. Click High Severity Alarms.

  4. Under the Notification Message section, click Message to bring up the Notification Message Content window that lets you specify the subject and body of your notification e-mail message. Enter the desired message elements, then click OK. An example is shown here.

    (Figure: idsemailcspm_6155_i.gif)

    This table displays a complete list of variables that you can use within notification e-mails.

    Script and E-mail Notifications Keywords

    Keyword           Action
    ${MsgType}        Identifies an integer value indicating the event type: 4 = Alarm.
                      Note: This value is always 4.
    ${RecordID}       Identifies the record ID for the event.
    ${GlobalTime}     Identifies the GMT timestamp for when the event was generated, expressed in seconds since midnight, January 1, 1970 (time_t).
    ${LocalTime}      Identifies the (sensor-local) timestamp for when the event was generated, expressed in seconds since midnight, January 1, 1970 (time_t).
    ${DateStr}        Identifies the (sensor-local) date stamp for when the event was generated, in YYYY/MM/DD format.
    ${TimeStr}        Identifies the (sensor-local) time stamp for when the event was generated, in HH:MM:SS format.
    ${ApplID}         Identifies the (postoffice) application ID on the sensor that generated the event.
    ${HostID}         Identifies the (postoffice) host ID of the sensor that generated the event.
    ${OrgID}          Identifies the (postoffice) organization ID on the sensor that generated the event.
    ${SrcDirection}   Identifies the location of the source (attacking) entity with respect to the protected network. Values are "IN" for inside the protected network, or "OUT" for outside the protected network.
    ${DstDirection}   Identifies the location of the destination (attacked) entity with respect to the protected network. Values are "IN" for inside the protected network, or "OUT" for outside the protected network.
    ${AlarmLevel}     Identifies the severity level of the alarm.
    ${SigID}          Identifies the signature ID that triggered the alarm.
    ${SubSigID}       Identifies the sub-signature ID that triggered the alarm, if applicable.
    ${ProtocolType}   Identifies the protocol of the alarm - always "TCP/IP".
    ${SrcIpAddr}      Identifies the IP address of the source (attacking) node.
    ${DstIpAddr}      Identifies the IP address of the destination (attacked) node.
    ${SrcIpPort}      Identifies the IP port number of the source (attacking) node.
    ${DstIpPort}      Identifies the IP port number of the destination (attacked) node.
    ${RouterIpAddr}   Identifies the IP address of the router that sent the syslog message to the sensor (10000 series alarms only); otherwise 0.0.0.0.
    ${AlarmDetails}   Identifies the details and/or context data for the alarm.
    ${MsgCount}       Identifies the number of events that occurred in the current interval that caused this notification to be generated.

This is an example of an e-mail notification message and the steps used to create it.

  1. On the Notification Message Content window, enter IDS alarm ${SigID} in the Subject field.

  2. Enter IDS alarm ${SigID} source: ${SrcIpAddr} destination: ${DstIpAddr} @ ${DateStr} in the Message field.

  3. Click Apply.

  4. Click Close on the Configure Logging and Notifications window.

  5. From the CSPM main menu, select File > Save and Update.

    The e-mail notification message generated by these steps should look like this example.

    From MAILER-DAEMON Mon Oct 15 18:27:53 2001
    Delivered-To: jason@anger.cisco.com
    From:Cisco Secure Policy Manager
    To: jason@anger.cisco.com
    Subject: IDS alarm 3001
    High Severity Alarms
    IDS alarm 3001 source: 172.18.124.116 destination:    
        172.18.124.122 @ 2001/10/15 - 14:27:33
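    The following added example, which is not part of the Cisco document, shows how the ${Keyword} substitution behind the subject and message templates above works, using the keyword names from the table and a constructed alarm whose values match the sample mail. It also checks a template for keyword names that the table does not define, since a misspelled keyword (for example ${SigId}) is otherwise only noticed in the delivered mail. The way LocalTime is derived from GlobalTime (UTC time_t plus the sensor's UTC offset) and the sensor's time zone are assumptions made for the example, not something the document states.

```python
import re
from datetime import datetime, timedelta, timezone

# Added example (not from the Cisco document). Renders CSPM-style notification
# templates from the ${Keyword} table and validates keyword names. The alarm
# values are constructed; the LocalTime derivation is an assumption.

KNOWN_KEYWORDS = {
    "MsgType", "RecordID", "GlobalTime", "LocalTime", "DateStr", "TimeStr",
    "ApplID", "HostID", "OrgID", "SrcDirection", "DstDirection", "AlarmLevel",
    "SigID", "SubSigID", "ProtocolType", "SrcIpAddr", "DstIpAddr", "SrcIpPort",
    "DstIpPort", "RouterIpAddr", "AlarmDetails", "MsgCount",
}

KEYWORD_RE = re.compile(r"\$\{(\w+)\}")


def build_event(sensor_local_time, utc_offset_hours, **fields):
    """Derive the time keywords from one sensor-local timestamp, then merge fields."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    local = sensor_local_time.replace(tzinfo=tz)
    global_time = int(local.timestamp())  # seconds since the epoch, UTC (time_t)
    event = {
        "MsgType": 4,                      # always 4 = Alarm, per the table
        "GlobalTime": global_time,
        # Assumption: sensor-local time_t is the UTC value shifted by the offset.
        "LocalTime": global_time + utc_offset_hours * 3600,
        "DateStr": local.strftime("%Y/%m/%d"),
        "TimeStr": local.strftime("%H:%M:%S"),
        "ProtocolType": "TCP/IP",          # always TCP/IP, per the table
    }
    event.update(fields)
    return event


def unknown_keywords(template):
    """Return the ${...} names in template that the keyword table does not define."""
    return sorted(set(KEYWORD_RE.findall(template)) - KNOWN_KEYWORDS)


def render(template, event):
    """Substitute every ${Keyword}; refuse a template with an unknown keyword."""
    bad = unknown_keywords(template)
    if bad:
        raise ValueError("unknown notification keyword(s): %s" % ", ".join(bad))
    # A known keyword absent from this event renders as an empty string.
    return KEYWORD_RE.sub(lambda m: str(event.get(m.group(1), "")), template)


# Constructed sample alarm matching the document's example mail
# (sensor clock 2001/10/15 14:27:33, assumed UTC-4).
SAMPLE_EVENT = build_event(
    datetime(2001, 10, 15, 14, 27, 33), utc_offset_hours=-4,
    RecordID=1, ApplID=10000, HostID=50, OrgID=100,
    SrcDirection="OUT", DstDirection="IN", AlarmLevel=5,
    SigID=3001, SubSigID=0,
    SrcIpAddr="172.18.124.116", DstIpAddr="172.18.124.122",
    SrcIpPort=1234, DstIpPort=80, RouterIpAddr="0.0.0.0",
    AlarmDetails="", MsgCount=1,
)

# The subject and message entered in steps 1 and 2 above.
SUBJECT_TEMPLATE = "IDS alarm ${SigID}"
BODY_TEMPLATE = ("IDS alarm ${SigID} source: ${SrcIpAddr} "
                 "destination: ${DstIpAddr} @ ${DateStr}")

if __name__ == "__main__":
    print("Subject:", render(SUBJECT_TEMPLATE, SAMPLE_EVENT))
    print(render(BODY_TEMPLATE, SAMPLE_EVENT))
    print("typo check:", unknown_keywords("${SigId} at ${TimeStr}"))
```

    Adding ${TimeStr} (and, for correlation with the Sensor's own log, ${GlobalTime} or ${RecordID}) to the message template is a cheap way to make each notification self-describing when several alarms arrive in one interval.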

Related Information
