Seguridad : Sensores Cisco IPS de la serie 4200

Notificaciones por correo electrónico de la configuración con los scripts para las alertas IDS usando el CiscoWorks Monitoring Center for Security

23 Octubre 2015 - Traducción Automática
Otras Versiones: PDFpdf | Inglés (21 Julio 2015) | Comentarios


Contenido


Introducción

El monitor de la Seguridad tiene la capacidad de enviar las notificaciones por correo electrónico cuando se acciona una regla del evento. Las variables incorporadas que se pueden utilizar dentro de la notificación por correo electrónico para cada evento no incluyen las cosas tales como el ID de la firma, la fuente y destino de la alerta, y así sucesivamente. Este documento proporciona las instrucciones que usted puede utilizar para configurar el monitor de la Seguridad para incluir estas variables (y mucho más) dentro del mensaje de la notificación por correo electrónico.

prerrequisitos

Requisitos

No hay requisitos específicos para este documento.

Componentes Utilizados

Este documento no tiene restricciones específicas en cuanto a versiones de software y de hardware. Sin embargo, esté seguro de utilizar el script apropiado Perl basado en lo que se ejecutan las versiones Sensor en su entorno.

Convenciones

Consulte Convenciones de Consejos Técnicos de Cisco para obtener más información sobre las convenciones sobre documentos.

Procedimiento de configuración de la notificación por correo electrónico

Utilice este procedimiento para configurar las notificaciones por correo electrónico.

Nota:  Para enviar el email a la dirección de correo electrónico correcta, esté seguro de cambiar la dirección de correo electrónico en el script.

  1. Copie uno de estos scripts en el $BASE \ el CSCOpx \ MDC \ etc \ ids \ directorio de los scripts en el servidor del VPN/Security Management Solution (VMS). Esto permite que usted lo seleccione más adelante en el proceso cuando usted define una regla del evento. Salve el script como emailalert.pl.

    Nota:  Si usted utiliza un nombre diferente, asegúrele la referencia que nombra en la regla del evento definida en estos pasos.

    • Para los sensores de la versión 3.x, utilice el script de los sensores 3.x

    • Para los sensores de la versión 4.x, utilice el script de los sensores 4.x

    • Para los sensores de la versión 5.x, utilice el script de los sensores 5.x

    • Si usted tiene una combinación de versiones Sensor, Cisco le recomienda actualización de modo que todos estén en el mismo nivel de la versión. Esto es porque solamente uno de estos scripts se puede funcionar con a cualquier momento.

  2. El script contiene los comentarios que explican cada porción y cualquier entrada requerida. Particularmente, modifique la variable $EmailRcpt (cerca del top del archivo) para ser la dirección de correo electrónico de la persona que debe recibir las alertas.

  3. Defina una regla del evento dentro del monitor de la Seguridad para llamar un nuevo script Perl. De las páginas de monitor de seguridad principales, elija el Admin (Administración) > Event Rules (Reglas de eventos) y agregue un nuevo evento.

  4. En el especificar la ventana del filtro del evento, agrega los filtros que usted quiere para accionar la alerta del email (en la muestra aquí, un email se envía para cualquier alerta de la suma gravedad).

    cisco-works-email-alerts-1.gif

  5. En el elegir la ventana de la acción, marca el cuadro para ejecutar un script y para seleccionar el nombre de secuencia de comandos de la casilla desplegable.

  6. En los argumentos seccione, ingrese “$ {interrogación}” como se muestra aquí.

    Nota: Esto se debe ingresar exactamente como está aquí, incluyendo las comillas dobles. Es también con diferenciación entre mayúsculas y minúsculas.

    cisco-works-email-alerts-2.gif

  7. Cuando una alerta, según lo definido en sus filtros del evento (en este ejemplo, una alerta de la suma gravedad) se recibe, el script llamado emailalert.pl se llama con un argumento de $ {interrogación}. Esto contiene la información adicional sobre la alerta. El script analiza hacia fuera todos los campos separados y utiliza un programa llamado “blat” para enviar un email al usuario final.

  8. Blat es un programa de correo electrónico del freeware usado en los Sistemas Windows para enviar los email de los archivos por lote o de los scripts Perl. Es incluido como parte de las instalaciones de VMS en el $BASE \ el CSCOpx \ directorio BIN. Para verificar sus configuraciones de la trayectoria, abrir una ventana de prompt de comando en el servidor VMS y el tipo blat.

    Si usted recibe el error no encontrado del archivo, cualquier copia el archivo blat.exe en el directorio winnt\system32, o lo encuentra y lo abre del directorio en el cual está situado. Para instalar esto, ejecútese:

    blat -install <SMTP server address> <source email address>
    

    Una vez que este programa está instalado, le hacen.

Scripts

Éstos son los scripts mencionados en el paso 1 del Procedimiento de configuración:

script del sensor 3.x

Utilice este script para los sensores de la versión 3.x.

sensores 3.x
#!/usr/bin/perl
#***********************************************************************
#
# FILE NAME : emailalert.pl
#
# DESCRIPTION : This file is a perl script that will be executed as an
# action when an IDS-MC Event Rule triggers, and will send an 
# email to $EmailRcpt with additional alert parameters (similar to
# the functionality available with CSPM notifications)
#
# NOTE:   this script only works with 3.x sensors, alarms from 4.0
#         sensors are stored differently and cannot be represented
#         in a similar format. 
#
# NOTE:   check the "system" command in the script for the correct
#         format depending on whether you're using IDSMC/SecMon 
#         v1.0 or v1.1, you may need the "-on" command-line option.
#
# NOTE :  This script takes the ${Query} keyword from the
#         triggered rule, extracts the set of alarms that caused
#         the rule to trigger. It then reads the last alarm of
#         this set, parses the individual alarm fields, and
#         calls the legacy script with the same set of command
#         line arguments as CSPM.
#
# The calling sequence of this script must be of the form:
#
#         emailalert.pl "${Query}"
#
# Where:
# 
#         "${Query}" - this is the query keyword dynamically
#         output by the rule when it triggers.
#         It MUST be wrapped in double quotes when specifying it in the Arguments
#         box on the Rule Actions panel.
#
#
#***********************************************************************
##
## The following are the only two variables that need changing. $TempIDSFile can be any
## filename (doesn't have to exist), just make sure the directory that you specify
## exists. Make sure to use 2 backslashes for each directory, the first backslash is
## so the Perl interpretor doesn't error on the pathname.
##
## $EmailRcpt is the person that is going to receive the email notifications. Also 
## make sure you escape the @ symbol by putting a backslash in front of it, otherwise 
## you'll get a Perl syntax error.
## 
$TempIDSFile = "c:\\temp\\idsalert.txt";
$EmailRcpt = "nobody\@cisco.com";

##
## pull out command line arg
##

$whereClause = $ARGV[0];

##
## extract all the alarms matching search expression
##

$tmpFile = "alarms.out";

## The following line will extract alarms from 1.0 IDSMC/SecMon database, if 
## using 1.1 comment out the line below and un-comment the other system line
## below it.

## V1.0 IDSMC/SecMon version
system("IdsAlarms -s\"$whereClause\" -f\"$tmpFile\"");

## V1.1 IDSMC/SecMon version.
## system("IdsAlarms -on -s\"$whereClause\" -f\"$tmpFile\"");
##

# open matching alarm output

if (!open(ALARM_FILE, $tmpFile)) {
    print "Could not open ", $tmpFile, "\n";
    exit -1;
}

# read to last line

while (<ALARM_FILE>) {
    $line = $_;
}

# clean up

close(ALARM_FILE);
unlink($tmpFile);

##
## split last line into fields
##

@fields = split(/,/, $line);

$eventType = @fields[0];
$recordId = @fields[1];
$gmtTimestamp = 0; # need gmt time_t
$localTimestamp = 0; # need local time_t
$localDate = @fields[4];
$localTime = @fields[5];
$appId = @fields[6];
$hostId = @fields[7];
$orgId = @fields[8];
$srcDirection = @fields[9];
$destDirection = @fields[10];
$severity = @fields[11];
$sigId = @fields[12];
$subSigId = @fields[13];
$protocol = "TCP/IP";
$srcAddr = @fields[15];
$destAddr = @fields[16];
$srcPort = @fields[17];
$destPort = @fields[18];
$routerAddr = @fields[19];
$contextString = @fields[20];


## Open temp file to write alert data into,

open(OUT,">$TempIDSFile") || warn "Unable to open output file!\n";

## Now write your email notification message. You're writing the following into
## the temporary file for the moment, but this will then be emailed. Use the format:
##
## print (OUT "Your text with any variable name from the list above \n");
##
## Again, make sure you escape special characters with a backslash (note the : in between $sigId
## and $subSigId has a backslash in front of it)

print(OUT "\n");
print(OUT "Received severity $severity alert at $localDate $localTime\n");
print(OUT "Signature ID $sigId\:$subSigId from $srcAddr to $destAddr\n");
print(OUT "$contextString");
close(OUT);

## then call "blat" to send contents of that file in the body of an email message.
## Blat is a freeware email program for WinNT/95, it comes with VMS in the 
## $BASE\CSCOpx\bin directory, make sure you install it first by running:
##
## blat -install <SMTP server address> <source email address>
##
## For more help on blat, just type "blat" at the command prompt on your VMS system (make
## sure it's in your path (feel free to move the executable to c:\winnt\system32 BEFORE
## you run the install, that'll make sure your system can always find it).

system ("blat \"$TempIDSFile\" -t \"$EmailRcpt\" -s \"Received IDS alert\"");

script del sensor 4.x

Utilice este script para los sensores de la versión 4.x.

sensores 4.x
#!/usr/bin/perluse Time::Local;#***********************************************************************
#
# FILE NAME : emailalert.pl
#
# DESCRIPTION : This file is a perl script that will be executed as an
# action when an IDS-MC Event Rule triggers, and will send an 
# email to $EmailRcpt with additional alert parameters (similar to
# the functionality available with CSPM notifications)
#
# NOTE: this script only works with 4.x sensors. It will 
# not work with 3.x sensors.
#
# NOTES : This script takes the ${Query} keyword from the
# triggered rule, extracts the set of alarms that caused
# the rule to trigger. It then reads the last alarm of
# this set, parses the individual alarm fields, and
# calls the legacy script with the same set of command
# line arguments as CSPM.
#
# The calling sequence of this script must be of the form:
#
# emailalert.pl "${Query}"
#
# Where:
# 
# "${Query}" - this is the query keyword dynamically
# output by the rule when it triggers.
# It MUST be wrapped in double quotes
# when specifying it in the Arguments
# box on the Rule Actions panel.
#
#
#***********************************************************************
##
## The following are the only two variables that need changing. $TempIDSFile can be any
## filename (doesn't have to exist), just make sure the directory that you specify
## exists. Make sure to use 2 backslashes for each directory, the first backslash is
## so the Perl interpretor doesn't error on the pathname.
##
## $EmailRcpt is the person that is going to receive the email notifications. Also 
## make sure you escape the @ symbol by putting a backslash in front of it, otherwise 
## you'll get a Perl syntax error.
##

$TempIDSFile = "c:\\temp\\idsalert.txt";
$EmailRcpt = "yourname\@yourcompany.com";

# subroutine to add leading 0's to any date variable that's less than 10.
sub add_zero {
my ($var) = @_;
if ($var < 10) {
$var = "0" .$var
}
return $var;
}

# subroutine to find one or more IP addresses within an XML tag (we can have multiple
# victims and/or attackers in one alert now).
sub find_addresses {
my ($var) = @_;
my @addresses = ();
if (m/$var/) {
$raw = $&;
while ($raw =~ m/(\d{1,3}\.){3}\d{1,3}/) {
push @addresses,$&;
$raw = $';
}
$var = join(', ',@addresses);
return $var;
}
}

# pull out command line arg

$whereClause = $ARGV[0];

# extract all the alarms matching search expression

$tmpFile = "alarms.out";

# Extract the XML alert/event out of the database.

system("IdsAlarms -s\"$whereClause\" -f\"$tmpFile\"");

# open matching alarm output

if (!open(ALARM_FILE, $tmpFile)) {
print "Could not open $tmpFile\n";
exit -1;
}

# read to last line

while (<ALARM_FILE>) {
chomp $_;
push @logfile,$_;
}

# clean up

close(ALARM_FILE);
unlink($tmpFile);

# Open temp file to write alert data into,

open(OUT,">$TempIDSFile");

# split XML output into fields

$oneline = join('',@logfile);
$oneline =~ s/\<\/events\>//g;
$oneline =~ s/\<\/evAlert\>/\<\/evAlert\>,/g;
@items = split(/,/,$oneline);

# If you want to see the actual database query result in the email, un-comment out the
# line below (useful for troubleshooting):
# print(OUT "$oneline\n");

# Loop until there's no more alerts

foreach (@items) {

if (m/\<hostId\>(.*)\<\/hostId\>/) {
$hostid = $1;
}

if (m/severity="(.*?)"/) {
$sev = $1;
}

if (m/Zone\=".*"\>(.*)\<\/time\>/) {
$t = $1;
if ($t =~ m/(.*)(\d{9})/) {
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime($1);

# Year is reported from 1900 onwards (eg. 2003 is 103).
$year = $year + 1900;

# Months start at 0 (January = 0, February = 1, etc), so add 1.
$mon = $mon + 1;

$mon = add_zero ($mon);
$mday = add_zero ($mday);
$hour = add_zero ($hour);
$min = add_zero ($min);
$sec = add_zero ($sec);
}
}

if (m/sigName="(.*?)"/) {
$SigName = $1;
}

if (m/sigId="(.*?)"/) {
$SigID = $1;
}

if (m/subSigId="(.*?)"/) {
$SubSig = $1;
}

$attackerstring = "\<attacker.*\<\/attacker";
if ($attackerstring = find_addresses ($attackerstring)) {
} 

$victimstring = "\<victim.*\<\/victim";
if ($victimstring = find_addresses ($victimstring)) {
} 

if (m/\<alertDetails\>(.*)\<\/alertDetails\>/) {
$AlertDetails = $1;
}

@actions = ();
if (m/\<actions\>(.*)\<\/actions\>/) {
$rawaction = $1;
while ($rawaction =~ m/\<(\w*?)\>(.*?)\</) {
$rawaction = $';
if ($2 eq "true") {
push @actions,$1;
}
} 
if (@actions) {
$actiontaken = join(', ',@actions);
}
}
else {
$actiontaken = "None";
}

## Now write your email notification message. You're writing the following into 
## the temporary file for the moment, but this will then be emailed.
## 
## Again, make sure you escape special characters with a backslash (note the : between
## the SigID and the SubSig). 
##
## Put your VMS servers IP address in the NSDB: line below to get a direct link 
## to the signature details within the email.

print(OUT "\n$hostid reported a $sev severity alert at $hour:$min:$sec on $mon/$mday/$year\n");
print(OUT "Signature: $SigName \($SigID\:$SubSig\)\n");
print(OUT "Attacker: $attackerstring ---> Victim: $victimstring\n");
print(OUT "Alert details: $AlertDetails \n");
print(OUT "Actions taken: $actiontaken \n");
print(OUT "NSDB: https\://<your VMS server IP address>/vms/nsdb/html/expsig_$SigID.html\n\n");
print(OUT "----------------------------------------------------\n");

}

close(OUT);

## Now call "blat" to send contents of the file in the body of an email message.
## Blat is a freeware email program for WinNT/95, it comes with VMS in the 
## $BASE\CSCOpx\bin directory, make sure you install it first by running:
##
## blat -install <SMTP server address> <source email address>
##
## For more help on blat, just type "blat" at the command prompt on your VMS system (make
## sure it's in your path (feel free to move the executable to c:\winnt\system32 BEFORE
## you run the install, that'll make sure your system can always find it).

system ("blat \"$TempIDSFile\" -t \"$EmailRcpt\" -s \"Received IDS alert\"");

script del sensor 5.x

Utilice este script para los sensores de la versión 5.x.

sensores 5.x
#!/usr/bin/perl
use Time::Local;

#***********************************************************************
#
#  FILE NAME   : emailalertv5.pl
#
#  DESCRIPTION : This file is a perl script that will be executed as an
#                action when an IDS-MC Event Rule triggers, and will send an 
#                email to $EmailRcpt with additional alert parameters (similar to
#                the functionality available with CSPM notifications)
#
#                NOTE: this script only works with 5.x sensors.  
#
#  NOTES       : This script takes the ${Query} keyword from the
#                triggered rule, extracts the set of alarms that caused
#                the rule to trigger.  It then reads the last alarm of
#                this set, parses the individual alarm fields, and
#                calls the legacy script with the same set of command
#                line arguments as CSPM.
#
#                The calling sequence of this script must be of the form:
#
#                emailalert.pl "${Query}"
#
#                Where:
#                   
#                   "${Query}"  - this is the query keyword dynamically
#                                 output by the rule when it triggers.
#                                 It MUST be wrapped in double quotes
#                                 when specifying it in the Arguments
#                                 box on the Rule Actions panel.
#
#
#***********************************************************************
##
## The following are the only two variables that need changing.  $TempIDSFile can be any
## filename (doesn't have to exist), just make sure the directory that you specify
## exists.  Make sure to use 2 backslashes for each directory, the first backslash is
## so the Perl interpretor doesn't error on the pathname.
##
## $EmailRcpt is the person that is going to receive the email notifications.  Also 
## make sure you escape the @ symbol by putting a backslash in front of it, otherwise 
## you'll get a Perl syntax error.
##

$TempIDSFile = "c:\\temp\\idsalert.txt";
$EmailRcpt = "gfullage\@cisco.com";

# subroutine to add leading 0's to any date variable that's less than 10.
sub add_zero {
  my ($var) = @_;
  if ($var < 10) {
      $var = "0" .$var
  }
  return $var;
}

# subroutine to find one or more IP addresses within an XML tag (we can have multiple
# victims and/or attackers in one alert now).
sub find_addresses {
  my ($var) = @_;
  my @addresses = ();
  if (m/$var/) {
      $raw = $&;
      while ($raw =~ m/(\d{1,3}\.){3}\d{1,3}/) {
          push @addresses,$&;
          $raw = $';
      }
      $var = join(', ',@addresses);
      return $var;
  }
}

# pull out command line arg

$whereClause = $ARGV[0];

# extract all the alarms matching search expression

$tmpFile = "alarms.out";

# Extract the XML alert/event  out of the database.

system("IdsAlarms -os -s\"$whereClause\" -f\"$tmpFile\"");

# open matching alarm output

if (!open(ALARM_FILE, $tmpFile)) {
  print "Could not open $tmpFile\n";
  exit -1;
}

# read to last line

while (<ALARM_FILE>) {
   chomp $_;
   push @logfile,$_;
}

# clean up

close(ALARM_FILE);
unlink($tmpFile);

# Open temp file to write alert data into,

open(OUT,">$TempIDSFile");

# split XML output into fields

$oneline = join('',@logfile);
$oneline =~ s/\<\/sd\:events\>//g;
$oneline =~ s/\<\/sd\:evIdsAlert\>/\<\/sd\:evIdsAlert\>,/g;
@items = split(/,/,$oneline);

# If you want to see the actual database query result in the email, un-comment out the
# line below (useful for troubleshooting):
# print(OUT "$oneline\n");

# Loop until there's no more alerts

foreach (@items) {
  unless ($_ =~ /\<\/env\:Body\>/) {

    if (m/\<sd\:hostId\>(.*)\<\/sd\:hostId\>/) {
      $hostid = $1;
    }

    if (m/severity="(.*?)"/) {
      $sev = $1;
    }

    if (m/Zone\=".*"\>(.*)\<\/sd\:time\>/) {
      $t = $1;
      if ($t =~ m/(.*)(\d{9})/) {
        ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime($1);
      
        # Year is reported from 1900 onwards (eg. 2003 is 103).
        $year = $year + 1900;
      
        # Months start at 0 (January = 0, February = 1, etc), so add 1.
        $mon = $mon + 1;

        $mon = add_zero ($mon);
	  $mday = add_zero ($mday);
	  $hour = add_zero ($hour);
	  $min = add_zero ($min);
	  $sec = add_zero ($sec);
      }
    }

    if (m/description="(.*?)"/) {
      $SigName = $1;
    }

    if (m/\ id="(.*?)"/) {
      $SigID = $1;
    }

    if (m/\<cid\:subsigId\>(.*)\<\/cid\:subsigId\>/) {
      $SubSig = $1;
    }

    if (m/\<cid\:riskRatingValue\>(.*)\<\/cid\:riskRatingValue\>/) {
      $RR = $1;
    }

    if (m/\<cid\:interface\>(.*)\<\/cid\:interface\>/) {
      $Intf = $1;
    }

    $attackerstring = "\<sd\:attacker.*\<\/sd\:attacker";
    if ($attackerstring = find_addresses ($attackerstring)) {
    } 

    $victimstring = "\<sd\:target.*\<\/sd\:target";
    if ($victimstring = find_addresses ($victimstring)) {
    } 
  
    if (m/\<cid\:alertDetails\>(.*)\<\/cid\:alertDetails\>/) {
      $AlertDetails = $1;
    }

    @actions = ();
    if (m/\<sd\:actions\>(.*)\<\/sd\:actions\>/) {
      $rawaction = $1;
      while ($rawaction =~ m/\<\w*?:(\w*?)\>(.*?)\</) {
         $rawaction = $';

         if ($2 eq "true") {
            push @actions,$1;
         }
      }
      if (@actions) {
        $actiontaken = join(', ',@actions);
      }
    }
    else {
        $actiontaken = "None";
      } 

## Now write your email notification message. You're writing the following into 
## the temporary file for the moment, but this will then be emailed.
## 
## Again, make sure you escape special characters with a backslash (note the : between
## the SigID and the SubSig). 
##
## Put your VMS servers IP address in the NSDB: line below to get a direct link 
## to the signature details within the email.

    print(OUT "\n$hostid reported a $sev severity alert at $hour:$min:$sec on $mon/$mday/$year\n");
    print(OUT "Signature: $SigName \($SigID\:$SubSig\)\n");
    print(OUT "Attacker: $attackerstring  --->  Victim: $victimstring\n");
    print(OUT "Alert details: $AlertDetails \n");
    print(OUT "Risk Rating: $RR,  Interface: $Intf \n");
    print(OUT "Actions taken: $actiontaken \n");
    print(OUT "NSDB: https\://sec-srv/vms/nsdb/html/expsig_$SigID.html\n\n");
    print(OUT "----------------------------------------------------\n");

   } 
}

close(OUT);

## Now call "blat" to send contents of the file in the body of an email message.
## Blat is a freeware email program for WinNT/95, it comes with VMS in the 
## $BASE\CSCOpx\bin directory, make sure you install it first by running:
##
##     blat -install <SMTP server address> <source email address>
##
## For more help on blat, just type "blat" at the command prompt on your VMS system (make
## sure it's in your path (feel free to move the executable to c:\winnt\system32 BEFORE
## you run the install, that'll make sure your system can always find it).

system ("blat \"$TempIDSFile\" -t \"$EmailRcpt\" -s \"Received IDS alert\"");

Verificación

Actualmente, no hay un procedimiento de verificación disponible para esta configuración.

Troubleshooting

Sigue estas instrucciones de resolver problemas su configuración.

  1. Funcione con este comando de un comando prompt para marcar que blat los trabajos correctamente:

    blat <filename> -t <customer's email> -s "Test message"
    

    el <filename> es la ruta completa a cualquier archivo de texto en el sistema VMS. Si el usuario a quien se dirige el script del email recibe este archivo en el cuerpo de un email, después usted sabe que blat los trabajos.

  2. Si no se recibe ningún email después de que se accione una alerta, intente ejecutar el script Perl de una ventana de prompt de comando.

    Esto resalta cualquier problema del tipo Perl o de la trayectoria. Para hacer esto, abra un comando prompt y ingrese:

    >cd Program Files/CSCOpx/MDC/etc/ids/scripts 
    >emailalert.pl ${Query} 

    Usted puede potencialmente recibir un error Sybase, similar a este ejemplo. Esto es debido al hecho de que el parámetro $ {interrogación} que usted pasa no contiene realmente la información, a diferencia de cuando pasa del monitor de la Seguridad.

    /image/gif/paws/47582/cisco-works-email-alerts-3.gif

    Con excepción de ver este error, el script se ejecuta correctamente y envía un email. Ningunos los parámetros alertas dentro del cuerpo del correo electrónico son en blanco. Si usted recibe cualquier Perl o errores de trayecto, necesitan ser reparados antes de que se envíe un email.

Discusiones relacionadas de la comunidad de soporte de Cisco

La Comunidad de Soporte de Cisco es un foro donde usted puede preguntar y responder, ofrecer sugerencias y colaborar con colegas.


Información Relacionada


Document ID: 47582