Table Of Contents
Defining Notifications
About Using Event Rules
Adding an Event Rule
About Executing a Script from an Event Rule
About Intervals and Thresholds
Viewing Event Rule Details
Editing an Event Rule
Activating an Event Rule
Deactivating an Event Rule
Deleting an Event Rule
Defining Notifications
When security devices are deployed to protect a network, they can generate large amounts of event data. Monitoring this data for specific events or a specific pattern of events can be difficult. Monitoring Center for Security (Security Monitor) uses event rules to monitor for specific events or patterns of events.
Event rules use IDS events, which can come from a sensor (appliance or module), a PIX Firewall, or a Cisco router running Cisco Intrusion Prevention System software. Event rules do not use firewall events, which can come from a PIX Firewall or a Cisco IOS device running the firewall feature set. However, firewall events are collected and stored in the database by Security Monitor.
Event rules have three parts:
• The event filtering criteria
• The action that you want to occur when filter conditions are met
• The thresholds and intervals for the actions you define
While you may define and add multiple event rules, you can only have up to ten activated event rules at a given time.
This chapter contains the following topics:
• About Using Event Rules
• Adding an Event Rule
• Viewing Event Rule Details
• Editing an Event Rule
• Activating an Event Rule
• Deactivating an Event Rule
• Deleting an Event Rule
About Using Event Rules
You add an event rule to define a Security Monitor response to IDS events. By adding an event rule you specify the nature of the events the system is to monitor and the actions to take when specified criteria and thresholds are met. Event rules are named constructs.
The event filter is the part of an event rule that uses clauses to specify the following:
• What you are looking for (for example, Attacker Address or Signature ID).
• What relationship pertains to this rule (for example, must equal or must be in a range).
• What option or value pertains to this filter (for example, [Attacker Address] [must equal] IP Address 10.179.0.25).
An event filter can contain up to five separate clauses. You must define each clause on a single line.
The action specification is the part of an event rule that details what is to occur when the conditions specified by the event filter are met. The actions available include:
• Send an e-mail notification.
• Generate a console notification to the audit log.
• Execute a script.
The thresholds and intervals specification is the part of an event rule that regulates at what point, and how often, to perform the action you have specified for an event rule. You can specify such aspects as the following:
• Number of times the event filter conditions must be met before the action is taken.
• Number of additional event occurrences before the action is taken again.
• Number of minutes without an event occurrence after which the event count should be reset.
Adding an Event Rule
Adding an event rule defines the parameters and actions for the event rule. For the actions that you specify to occur, you must activate the event rule.
To add an event rule, follow these steps:
Step 1
Select Configuration > Event Rules.
The Event Rules page appears.
Step 2
Click Add.
The Identify the Rule page appears.
Step 3
Enter a name for your event rule in the Rule Name field. You can also enter a description of the rule in the Description field. Then, click Next.
The Specify the Event Filter page appears.
Step 4
Specify the clauses for the event filter of the event rule. You can specify up to five clauses per event filter. Define one clause per line.
Note
The event filter that is part of an event rule in Security Monitor should not be confused with filters for a sensor in the Management Center for IPS Sensors (IPS MC).
a.
Select an option from the list box in the first column to specify the object of the clause. You can choose from the following options:
• Originating Device
• Originating Device Address
• Attacker Address
• Victim Address
• Signature Name
• Signature Id
• Severity
• Risk Rating
b.
Select a relational comparison operator from the list box in the middle column.
c.
Depending on the option you selected in Step a, you will either select an option from a list box or enter a value for the field in the third column.
• If you selected Originating Device, select a device from the list box. The list includes monitored devices that generate network IDS events. The list is populated with devices you have added to Security Monitor.
• If you selected Originating Device Address, enter the IP address.
• If you selected Attacker Address or Victim Address, enter the IP address.
• If you selected Signature Name, select a signature from the list box.
• If you selected Signature Id, enter a number between 1 and 65,535. By default, all subsignature IDs are included for the signature that you enter. To specify a specific subsignature ID, enter a number between 1.x and 65,535.x, where x is the subsignature ID. The value of x must be between 0 and 65,535.
• If you selected Severity, select a severity from the list box.
• If you selected Risk Rating, enter a risk rating between 0 and 100.
d.
Repeat Step a through Step c for each clause you want to add. If you add more than one clause, you must also specify a logical operator from the list box between the rows of each clause you define. The logical operators specify the relationships between the clauses.
e.
Click Show Filter to view the defined filter in the box at the bottom of the page.
Tip
You can also enter and edit the filter definition directly in the box at the bottom of the page. However, if you enter or edit the filter definition using the box, do not click Show Filter or your changes will be replaced with the values specified in the event filtering columns above.
f.
Verify that the filter definition in the box to the left of Show Filter is correct, and then click Next.
The Choose the Actions page appears.
Step 5
Specify the action or actions that Security Monitor should take when events matching the event filter defined in Step 4 are detected, and then click Next.
a.
To send an e-mail notification when the specified threshold is met, select the Notify via Email check box. Then, enter the e-mail address for the recipient in the Recipient(s) field. Use commas to separate multiple e-mail addresses. Enter the subject for the message in the Subject field and the message text in the Message field.
Note
The e-mail message text is limited to 32,765 characters. If you enter more than that, Security Monitor notifies you that the message is too long and will be truncated to the maximum number of characters allowed.
You can use the keyword substitutions listed in Table 1-1 to fill in the Subject and Message fields:
Table 1-1 Keyword Substitutions
Keyword | Description
${RuleName} | The name of the event rule.
${RuleDescr} | The description of the event rule.
${Filter} | The query filter for the event rule.
${Interval} | The query interval for the event rule.
${Initial} | The initial threshold for the event rule.
${Repeat} | The repeat threshold for the event rule.
${DateStr} | Date stamp for when the event rule was triggered, based on the server local time, in YYYY/MM/DD format.
${TimeStr} | Time stamp for when the event rule was triggered, based on the server local time, in HH:MM:SS format, where HH is in 24-hour form.
${GmtDateStr} | The Coordinated Universal Time (UTC) date stamp for when the rule was triggered, in YYYY/MM/DD format.
${GmtTimeStr} | The UTC time stamp for when the event rule was triggered, in HH:MM:SS format, where HH is in 24-hour form and the time zone is always UTC.
${MsgCount} | The number of matches that occurred in the current interval, causing this rule to be triggered.
${Threshold} | The threshold that was met that caused the event rule to be triggered. This value is the same as either the ${Initial} value (if this is the first time the action was issued during a given interval period) or the ${Repeat} value (if this is a repeat occurrence).
${Query} | A time-bounded, syntactically correct SQL expression that can be used in the WHERE clause of a database query to select the set of alarms that caused the rule to trigger this time.
${IntervalCount} | The number of new matching alarms that have been detected, causing the rule to trigger this time. This is the number of records that a query using the ${Query} keyword is expected to return.
${RepeatCount} | The number of times the rule has triggered on the repeat threshold. A value of 0 indicates that the rule was triggered on the initial threshold.
${idsSigNames} | The signature names that triggered the rule. The value reverts to sig_id:sub_sig_id if no signature name is available.
${idsSigIds} | The sig_id:sub_sig_id pairs.
${idsVictimAddrs} | The dotted decimal IP addresses of the victims.
${idsVictimLocs} | The victim localities.
${idsAttackerAddrs} | The dotted decimal IP addresses of the attackers.
${idsAttackerLocs} | The attacker localities.
Note
The keyword matching (inside the braces) is case-insensitive.
Note
Keyword substitution applies only to e-mail notification sent from event rules—not e-mail notification sent by database rules (or by reports).
b.
To log a console notification to the audit log when the specified threshold is met, select the Log a Console Notification Event check box. Then, enter your username in the User Name field. Select an alarm event level from the Severity list box and enter a message in the Message field. You can use the keyword substitutions listed in Table 1-1.
Tip
To view the console notification messages, run the Console Notification Report on the Reports > Generate page.
c.
To execute a script when the specified threshold is met, select the Execute a Script check box. Then, select a script from the Script File list box. You can enter any required arguments in the Arguments field. For more information about scripts, see About Executing a Script from an Event Rule.
Tip
You can use the keyword substitutions listed in Table 1-1 in the Arguments field. If you use a keyword substitution whose replacement value contains spaces, surround the keyword in quotation marks to preserve the atomicity of the data. For example, a script specified as
myScript ${RuleDescr}
might be expanded to
myScript This is a description.
However, a script specified as
myScript "${RuleDescr}"
would be expanded to
myScript "This is a description."
The Specify the Thresholds and Intervals page appears.
Step 6
Specify the thresholds and intervals that determine when Security Monitor takes the action you defined in Step 5.
a.
To take the specified action after events matching the event filter have occurred a specified number of times, enter that number in the Issue action(s) after (# event occurrences) field. This value is the initial trigger threshold.
b.
To repeat the specified action after the initial trigger threshold in Step 6a is met, enter in the Repeat action(s) again after (# event occurrences) field the number of additional event occurrences after which the action is taken again.
c.
In the Reset count every (minutes) field, specify in minutes how often to reset the count used to measure whether the initial threshold has been met.
Step 7
Click Finish.
The event rule is added.
Note
For information on activating a rule that has been added, see Activating an Event Rule.
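An added example, not Security Monitor's own code, of how the filter part of an event rule (Step 4, and the clause structure described in About Using Event Rules) selects events: each clause is [object] [operator] [value], clauses are joined by logical operators, a filter holds at most five clauses, and a Signature Id entered without a subsignature matches every subsignature. The operator names, the event field names, the sample events with their invented signature IDs, and the left-to-right combination of AND and OR are assumptions; the page shows the product's own filter text only through Show Filter, so compare against that before relying on any precedence.

```python
"""Added example (not Security Monitor's own code): an evaluator for event-rule
filters of the form [object] [operator] [value], joined by logical operators,
run over constructed IDS events. Operator names, event field names and the
left-to-right evaluation order are assumptions; the page defines none of them."""
import ipaddress
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Sequence, Tuple, Union

Event = Dict[str, Any]
MAX_CLAUSES = 5                                   # the page's limit per event filter
ADDRESS_FIELDS = {"Originating Device Address": "device_addr",
                  "Attacker Address": "attacker", "Victim Address": "victim"}
TEXT_FIELDS = {"Originating Device": "device", "Signature Name": "sig_name",
               "Severity": "severity"}


@dataclass(frozen=True)
class Clause:
    obj: str      # first column, e.g. "Signature Id"
    op: str       # middle column (assumed names): "must equal", "must not equal", "must be in a range"
    value: Any    # third column: "1234", "1234.2", "10.179.0.25", (50, 100)


def parse_sig_id(text: str) -> Tuple[int, Optional[int]]:
    """'1234' selects every subsignature of 1234; '1234.2' selects only subsignature 2,
    the Signature Id semantics the page describes. Both parts are range-checked."""
    sig, _, sub = text.partition(".")
    sig_id = int(sig)
    if not 1 <= sig_id <= 65535:
        raise ValueError(f"signature ID out of range: {sig_id}")
    if not sub:
        return sig_id, None
    sub_id = int(sub)
    if not 0 <= sub_id <= 65535:
        raise ValueError(f"subsignature ID out of range: {sub_id}")
    return sig_id, sub_id


def clause_matches(clause: Clause, event: Event) -> bool:
    """Evaluate one clause against one event."""
    if clause.op == "must be in a range":
        if clause.obj != "Risk Rating":
            raise ValueError("range comparison supported for Risk Rating only")
        low, high = clause.value
        return low <= event["risk_rating"] <= high
    if clause.obj == "Signature Id":
        sig_id, sub_id = parse_sig_id(str(clause.value))
        hit = event["sig_id"] == sig_id and (sub_id is None or event["sub_sig_id"] == sub_id)
    elif clause.obj in ADDRESS_FIELDS:
        # Compare as addresses so a malformed value is rejected rather than silently never matching.
        hit = ipaddress.ip_address(event[ADDRESS_FIELDS[clause.obj]]) == ipaddress.ip_address(clause.value)
    elif clause.obj in TEXT_FIELDS:
        hit = event[TEXT_FIELDS[clause.obj]] == clause.value
    elif clause.obj == "Risk Rating":
        hit = event["risk_rating"] == int(clause.value)
    else:
        raise ValueError(f"unknown clause object: {clause.obj}")
    if clause.op == "must equal":
        return hit
    if clause.op == "must not equal":
        return not hit
    raise ValueError(f"unknown operator: {clause.op}")


def evaluate(filter_spec: Sequence[Union[Clause, str]], event: Event) -> bool:
    """filter_spec alternates Clause, "AND"/"OR", Clause, ... with at most five clauses.
    Clauses combine left to right with no precedence (an assumption; the page does
    not define precedence, so check the text Show Filter produces)."""
    if not filter_spec or len(filter_spec) % 2 == 0:
        raise ValueError("a filter is: clause (operator clause)*")
    clauses, operators = filter_spec[0::2], filter_spec[1::2]
    if len(clauses) > MAX_CLAUSES:
        raise ValueError(f"at most {MAX_CLAUSES} clauses per event filter")
    if not all(isinstance(c, Clause) for c in clauses) or any(o not in ("AND", "OR") for o in operators):
        raise ValueError("clauses must alternate with AND/OR logical operators")
    result = clause_matches(clauses[0], event)
    for op, clause in zip(operators, clauses[1:]):
        hit = clause_matches(clause, event)
        result = (result and hit) if op == "AND" else (result or hit)
    return result


def matching_events(filter_spec: Sequence[Union[Clause, str]], events: Sequence[Event]) -> List[int]:
    """Indexes of the events the filter selects."""
    return [i for i, event in enumerate(events) if evaluate(filter_spec, event)]


# Constructed IDS events; devices, addresses, signature IDs and names are invented.
SAMPLE_EVENTS: List[Event] = [
    {"device": "sensor-1", "device_addr": "10.179.0.1", "attacker": "10.179.0.25", "victim": "10.179.0.40",
     "sig_name": "Example Sig A", "sig_id": 1234, "sub_sig_id": 0, "severity": "high", "risk_rating": 85},
    {"device": "sensor-1", "device_addr": "10.179.0.1", "attacker": "10.179.0.26", "victim": "10.179.0.40",
     "sig_name": "Example Sig A", "sig_id": 1234, "sub_sig_id": 2, "severity": "medium", "risk_rating": 40},
    {"device": "sensor-2", "device_addr": "10.179.0.2", "attacker": "10.179.0.25", "victim": "10.179.0.41",
     "sig_name": "Example Sig B", "sig_id": 2345, "sub_sig_id": 0, "severity": "low", "risk_rating": 20},
]

if __name__ == "__main__":
    rule = [Clause("Attacker Address", "must equal", "10.179.0.25"), "AND",
            Clause("Risk Rating", "must be in a range", (50, 100))]
    print(matching_events(rule, SAMPLE_EVENTS))   # [0]
```

The Signature Id clause is the one worth checking by hand: "1234" selects both subsignatures of that signature, "1234.2" only one, and an ID outside 1 to 65,535 is rejected at rule-definition time rather than producing a filter that never matches.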
About Executing a Script from an Event Rule
One of the actions you can select from the Choose the Actions page is Execute a Script. If you select Execute a Script, you must select a script from the Script File list box.
Security Monitor includes the following script:
LegacyIf.pl | Provides an interface to user-authored scripts. The LegacyIf.pl script executes a query against the database and outputs all matching alarms for the event filter to a temp file. It then finds the most recent alarm in the set, parses the alarm fields, and calls the script named by ScriptName with the alarm field arguments.
The LegacyIf.pl script is applicable only to event rules.
Note
The alarm data passed to the script is not necessarily the exact alarm that crossed the threshold, because of the intervals used for threshold processing.
Note
Security Monitor provides local and UTC timestamps in time_t format, but this data is not available via the LegacyIf.pl script. These values are passed to the script as 0 every time.
Use as follows:
ScriptName "${Query}" ${MsgCount}
You can use the following options in the script argument:
• ScriptName (Required)—Specifies the full path to the script that you want to run. The script is a user-authored script that must be saved on the Security Monitor server. We recommend that you save it in the X:\Program Files\CSCOpx\MDC\etc\ids\scripts folder, where X is the drive where Security Monitor is installed.
• ${Query} (Required)—Specifies a time-bounded, syntactically correct SQL expression that can be used in the WHERE clause of a database query to select the set of alarms that caused the rule to trigger this time. You must surround this option in quotation marks (" ") for the script to execute correctly.
• ${MsgCount} (Required)—Specifies the number of matches that occurred in the current interval to trigger this rule.
Additionally, you can add your own custom scripts. To add a custom script, place your script file in the X:\Program Files\CSCOpx\MDC\etc\ids\scripts folder, where X is the drive where Security Monitor is installed. If you add your script to this folder, it appears in the Script File list box.
Caution 
Security Monitor cannot validate scripts or their execution. A poorly written custom script can potentially crash your system.
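An added example, not Security Monitor's own code, covering this section and the tip in Step 5c together: how ${Keyword} substitution into the Arguments field interacts with command-line tokenization (why an unquoted ${RuleDescr} arrives as several arguments), and what a defensively written custom script should do with the LegacyIf.pl-style arguments ScriptName "${Query}" ${MsgCount}. The keyword names are those of Table 1-1; the sample values, the hypothetical alarms table and column names, and the use of POSIX shell tokenization (the page does not say how the product launches scripts on Windows) are assumptions.

```python
"""Added example (not Security Monitor's own code): ${Keyword} substitution in a
script's Arguments field versus command-line tokenization, plus a defensively
written custom script for the calling convention ScriptName "${Query}" ${MsgCount}.
Keyword names are from Table 1-1; sample values, table and column names are
constructed for this example."""
import re
import shlex
import sys
from typing import Dict, List

# Constructed substitution values. Only the keyword names come from the page.
SAMPLE_KEYWORDS: Dict[str, str] = {
    "RuleName": "ssh-bruteforce",
    "RuleDescr": "This is a description.",
    "MsgCount": "120",
    "Query": "sig_id = 1234 AND event_time BETWEEN "
             "'2004/05/11 10:00:00' AND '2004/05/11 11:00:00'",
}

_KEYWORD = re.compile(r"\$\{([A-Za-z]+)\}")


def expand_arguments(template: str, keywords: Dict[str, str]) -> str:
    """Replace ${Keyword} tokens in an Arguments string.

    Matching inside the braces is case-insensitive, as the page states. A keyword
    that is not in the table is left as written (an assumption; the page does not
    say how the product treats one)."""
    lookup = {name.lower(): value for name, value in keywords.items()}
    return _KEYWORD.sub(lambda m: lookup.get(m.group(1).lower(), m.group(0)), template)


def tokenize(command_line: str) -> List[str]:
    """Split an expanded command line into argv the way a POSIX shell would.

    Security Monitor runs on Windows and the page does not say how it launches the
    script; shlex models the atomicity problem the tip describes, not the launcher."""
    return shlex.split(command_line)


def parse_script_args(argv: List[str]) -> Dict[str, object]:
    """Validate argv for a custom script called as: ScriptName "${Query}" ${MsgCount}.

    Raises ValueError on a bad call instead of failing part-way through, so a wrong
    Arguments field shows up as a logged error (the page warns that scripts are not
    validated and that a poorly written script can crash the system)."""
    if len(argv) != 3:
        raise ValueError(f"expected exactly 2 arguments (query, msgcount), got {argv[1:]}")
    query, count = argv[1], argv[2]
    if not query.strip():
        raise ValueError("empty ${Query}: was it quoted in the Arguments field?")
    if not count.isdigit():
        raise ValueError(f"${{MsgCount}} must be a non-negative integer, got {count!r}")
    # ${Query} is a SQL WHERE fragment composed by the product, not a value: the only
    # sensible use is appending it to a read-only SELECT. Refuse anything that could
    # extend it into a second statement before it gets near a database (a conservative
    # sanity check, not a substitute for a read-only database account).
    if ";" in query or "--" in query:
        raise ValueError("${Query} contains a statement separator or comment")
    return {"where": query, "msg_count": int(count)}


def build_select(where: str, table: str = "alarms") -> str:
    """The one statement a custom script should build from ${Query}: a read-only
    SELECT with the fragment after WHERE. The table name is an assumption."""
    return f"SELECT * FROM {table} WHERE {where}"


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # invoked with real arguments
        parsed = parse_script_args(sys.argv)
        print(build_select(str(parsed["where"])), parsed["msg_count"])
    else:                                      # constructed run-through of the tip's two Arguments fields
        for template in ("myScript ${RuleDescr}", 'myScript "${RuleDescr}"'):
            expanded = expand_arguments(template, SAMPLE_KEYWORDS)
            print(f"{template!r:32} -> argv {tokenize(expanded)}")
        argv = tokenize(expand_arguments('myScript "${Query}" ${MsgCount}', SAMPLE_KEYWORDS))
        print(parse_script_args(argv))
```

The quotation marks in the tip protect an argument only as long as the substituted value itself contains no quotation mark; keywords such as ${idsSigNames} carry data from the triggering alarms, so a custom script should still check the argument count it actually receives, as parse_script_args does, rather than assume the expansion was clean. Because Security Monitor does not validate scripts, treat every ValueError as something to log and exit on, never as a reason to retry against the database.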
About Intervals and Thresholds
A combination of two types of intervals is used for threshold processing: sliding intervals and stand-off intervals. The first interval is a sliding interval to detect the initial trigger threshold, which prevents an initial threshold from being missed due to the expiration of a fixed interval. For example, given an interval of one hour and an initial threshold of 100, if 99 matches were detected in minute 59 of interval A and another 99 were detected in minute 1 of interval B, no threshold would be triggered. This is in all likelihood not what the user intended. Using a sliding interval, however, the threshold would be triggered any time 100 matches were detected in the past hour.
The sliding interval is divided up into a fixed number of discrete sampling intervals or buckets. Each database query returns a count of matches within that bucket. A running total of all buckets is maintained and compared against the initial threshold. The value of the oldest bucket is subtracted from the total before the newest bucket is added in, thus providing the sliding interval.
If Security Monitor does not gain control of the processor for an amount of time greater than a sampling interval, it loops until it catches up to current time. Thus, an initial threshold trigger that occurred while Security Monitor was blocked from the processor is still reported (along with the time it occurred), although late.
When the initial threshold is crossed, a stand-off interval begins, anchored at the current time. Repeat thresholds are handled within this interval, which also gives the activity a chance to return to normal levels before detection of the initial threshold resumes. The stand-off interval is the same length as the sliding interval.
When the stand-off interval expires, a new sliding interval is established and detection of the initial threshold resumes. All counters are reset at this time.
When a rule is read from the database for the first time, its sliding interval begins at that time. At subsystem initialization time, then, all activated rules have a common starting point for their intervals. If you edit a rule, its sliding interval is reset to the current time. However, the intervals of other (unchanged) active event rules are not disturbed.
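The processing described above, as an added example that is not Security Monitor's own code: a sliding window of fixed-size buckets for the initial threshold, a stand-off interval of the same length during which only the repeat threshold fires, a reset of all counters when the stand-off expires, and a catch-up loop that processes missed buckets late and reports a trigger with the time it occurred. The number of buckets per interval, firing the repeat action at most once per bucket, and the per-minute sample counts are assumptions; the page states only that the bucket count is fixed. The run-through reproduces the page's 99 + 99 scenario and contrasts it with a fixed interval.

```python
"""Added example (not Security Monitor's own code) of sliding-interval and
stand-off-interval threshold processing. Bucket count per interval, the
once-per-bucket repeat rule and the sample counts are assumptions."""
from collections import deque
from typing import Callable, Deque, Dict, List, Optional

# query(start_minute, end_minute) returns the number of alarms matching the rule's
# filter in [start, end); it stands in for the per-bucket database query.
QueryFn = Callable[[int, int], int]
Trigger = Dict[str, int]


class ThresholdProcessor:
    def __init__(self, initial: int, repeat: int, interval_minutes: int,
                 buckets_per_interval: int = 12) -> None:
        if initial < 1 or interval_minutes < 1 or buckets_per_interval < 1:
            raise ValueError("initial threshold, interval and bucket count must be positive")
        if interval_minutes % buckets_per_interval:
            raise ValueError("the interval must divide evenly into buckets")
        self.initial = initial                    # Issue action(s) after (# event occurrences)
        self.repeat = repeat                      # Repeat action(s) again after (...); 0 = never
        self.interval = interval_minutes          # Reset count every (minutes)
        self.bucket_len = interval_minutes // buckets_per_interval
        self.buckets: Deque[int] = deque(maxlen=buckets_per_interval)
        self.total = 0                            # running total of the buckets in the window
        self.standoff_end: Optional[int] = None   # None while in sliding mode
        self.standoff_count = 0                   # matches since the initial trigger (${MsgCount})
        self.since_last = 0                       # matches since the last trigger (${IntervalCount})
        self.repeat_count = 0                     # ${RepeatCount}
        self.next_start = 0                       # start minute of the next sampling bucket

    def _reset(self, now: int) -> None:
        """Start a new sliding interval at `now`; every counter returns to zero."""
        self.buckets.clear()
        self.total = 0
        self.standoff_end = None
        self.standoff_count = self.since_last = self.repeat_count = 0
        self.next_start = now

    def _bucket(self, count: int, end: int) -> Optional[Trigger]:
        if self.standoff_end is None:             # sliding mode: watch for the initial threshold
            if len(self.buckets) == self.buckets.maxlen:
                self.total -= self.buckets[0]     # oldest bucket leaves the window
            self.buckets.append(count)
            self.total += count
            if self.total < self.initial:
                return None
            self.standoff_end = end + self.interval   # stand-off anchored at the trigger time
            self.standoff_count = self.since_last = self.repeat_count = 0
            return {"time": end, "threshold": self.initial, "msg_count": self.total,
                    "interval_count": self.total, "repeat_count": 0}
        self.standoff_count += count              # stand-off mode: only the repeat threshold fires
        self.since_last += count
        fired = None
        if self.repeat and self.since_last >= self.repeat:
            self.repeat_count += 1
            fired = {"time": end, "threshold": self.repeat, "msg_count": self.standoff_count,
                     "interval_count": self.since_last, "repeat_count": self.repeat_count}
            self.since_last = 0                   # at most one repeat action per bucket (assumption)
        if end >= self.standoff_end:
            self._reset(end)                      # stand-off over: new sliding interval, counters reset
        return fired

    def run(self, query: QueryFn, until: int) -> List[Trigger]:
        """Process every complete bucket up to `until`. If the caller was blocked for
        longer than one bucket, this loops over the missed buckets, so a threshold
        crossed in the meantime is still reported, with the time it occurred."""
        triggers: List[Trigger] = []
        while self.next_start + self.bucket_len <= until:
            end = self.next_start + self.bucket_len
            fired = self._bucket(query(self.next_start, end), end)
            if fired:
                triggers.append(fired)
            self.next_start = end
        return triggers


def fixed_interval_triggers(query: QueryFn, initial: int, interval: int, until: int) -> List[int]:
    """For contrast: a fixed interval that resets its count at each boundary."""
    return [start + interval for start in range(0, until, interval)
            if query(start, start + interval) >= initial]


# Constructed per-minute match counts: the page's scenario (99 matches in minute 59 and
# 99 in minute 61, 60-minute interval, threshold 100), then 50 during the stand-off and
# 100 after it ends.
PAGE_SCENARIO = {59: 99, 61: 99, 120: 50, 185: 100}


def scenario_query(start: int, end: int) -> int:
    return sum(PAGE_SCENARIO.get(minute, 0) for minute in range(start, end))


def demo() -> Dict[str, object]:
    proc = ThresholdProcessor(initial=100, repeat=50, interval_minutes=60, buckets_per_interval=60)
    first = proc.run(scenario_query, until=62)      # processed up to minute 62 ...
    later = proc.run(scenario_query, until=240)     # ... then catches up after being blocked
    return {"sliding": first + later,
            "fixed": fixed_interval_triggers(scenario_query, 100, 60, 240)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With one-minute buckets the sliding window sees 198 matches at minute 62 and fires the initial action, while the fixed interval sees 99 and 99 and never does; the 50 matches at minute 120 fire the repeat action inside the stand-off, the stand-off expires at minute 122 and resets everything, and the burst at minute 185 is a fresh initial trigger. Running the processor in one call or in two calls with a gap yields the same triggers, which is the point of the catch-up loop.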
Viewing Event Rule Details
This procedure provides the basic steps for viewing detailed information for an event rule. You cannot edit event rules from the View Event Rule page.
To view detailed information for an event rule, follow these steps:
Step 1
Select Configuration > Event Rules.
The Event Rules page appears.
Step 2
Click the radio button next to the event rule that you want to view.
Step 3
Click View.
The View Event Rule page appears. Detailed information about the event rule appears in the View Event Rule text box.
Step 4
Click OK to return to the Event Rules page.
Editing an Event Rule
You can edit any event rules that you have added to Security Monitor.
Note
You can edit active and deactivated rules. However, if your edits make an active event rule invalid, the rule is deactivated. For example, if you remove the filter or action of an event rule, the rule becomes deactivated.
To edit an event rule, follow these steps:
Step 1
Select Configuration > Event Rules.
The Event Rules page appears.
Step 2
Click the radio button next to the event rule that you want to edit. Then, click Edit.
The Identify the Rule page appears.
Step 3
Click Next and Back to navigate between the event rule pages.
Note
If you make changes on the Specify the Event Filter page, you must click Show Filter. If you do not click Show Filter, your changes to the filter clauses are not saved.
Step 4
To save your changes, click Finish.
Activating an Event Rule
For the actions that you specify in an event rule to occur, you must activate the event rule. You can have up to ten activated event rules.
Note
If the event rule does not contain an event filter and an action, you cannot activate it, and you receive an error message. Edit the event rule to complete the missing fields, and then activate it.
To activate an event rule, follow these steps:
Step 1
Select Configuration > Event Rules.
The Event Rules page appears.
Step 2
Click the radio button next to the event rule that you want to activate.
Tip
If you see the word "yes" in the Active column for the event rule, the event rule is already activated.
Step 3
To activate the selected event rule, click Activate.
The selected event rule is activated. The word "yes" appears in the Active column of the activated event rules.
Deactivating an Event Rule
Deactivate an event rule if you do not want the specified action to occur for the specified event.
Tip
If an event rule is active, the word "yes" appears in the Active column on the Event Rules page.
To deactivate an event rule, follow these steps:
Step 1
Select Configuration > Event Rules.
The Event Rules page appears.
Step 2
Click the radio button next to the event rule that you want to deactivate. Then, click Deactivate.
The selected rule is deactivated. The word "no" appears in the Active column of the deactivated event rules.
Deleting an Event Rule
You can delete any unwanted event rules.
To delete an event rule, follow these steps:
Step 1
Select Configuration > Event Rules.
The Event Rules page appears.
Step 2
Click the radio button next to the event rule that you want to delete. Then, click Delete.
Caution 
You are not prompted to confirm the deletion. Additionally, you cannot recover a deleted event rule.
The selected event rule is deleted.