Configuring External Alerting for Intrusion Rules
While the FireSIGHT System provides various views of intrusion events within the web interface, some enterprises prefer to define external intrusion event notification to facilitate constant monitoring of critical systems. If you want to immediately notify a specific person of critical events, you can set up email alerts to do so. You can also enable logging to syslog facilities or send event data to an SNMP trap server.
Within each intrusion policy, you can specify intrusion event notification limits, set up intrusion event notification to external logging facilities, and configure external responses to intrusion events.
Tip Some analysts prefer not to receive multiple alerts for the same intrusion event, but want to control how often they are notified of a given intrusion event occurrence. See Filtering Intrusion Event Notification Per Policy for more information.
There is another type of alerting you can perform in the FireSIGHT System, outside of your intrusion policies. You can configure email, SNMP, and syslog alert responses for other types of events, including intrusion events with specific impact flags, or connection events logged by specific access control rules. For more information, see Configuring External Alerting.
See the following sections for more information on external intrusion event notification:
-
Using SNMP Responses describes the options you can configure to send event data to specified SNMP trap servers and provides the procedure for specifying the SNMP alerting options.
-
Using Syslog Responses describes the options you can configure to send event data to an external syslog and provides the procedure for specifying the syslog alerting options.
-
Understanding Email Alerting describes the options you can configure to send notifications of intrusion events by email.
Using SNMP Responses
License:
Protection
An
SNMP trap
is a network management notification. You can configure the device to send intrusion event notifications as SNMP traps, also known as
SNMP alerts
. Each SNMP alert includes:
-
the name of the server generating the trap
-
the IP address of the device that detected it
-
the name of the device that detected it
-
the event data
You can set a variety of SNMP alerting parameters. Available parameters vary depending on the version of SNMP you use. For details on enabling and disabling SNMP alerting, see Configuring Advanced Settings in an Intrusion Policy.
Tip If your network management system requires a management information base file (MIB), you can obtain it from the Defense Center at /etc/sf/DCEALERT.MIB
.
SNMP v2 Options
For SNMP v2, you can specify the options described in the following table.
Table 44-1 SNMP v2 Options
|
|
Trap Type
|
The trap type to use for IP addresses that appear in the alerts.
If your network management system correctly renders the INET_IPV4 address type, then you can select
as Binary
. Otherwise, select
as String
. For example, HP Openview requires the string type.
|
Trap Server
|
The server that will receive SNMP traps notification.
You can specify a single IP address or hostname.
|
Community String
|
The community name.
|
SNMP v3 Options
For SNMP v3, you can specify the options described in the following table.
Note When using SNMP v3, the appliance uses an Engine ID value to encode the message. Your SNMP server requires this value to decode the message. Currently, this Engine ID value will always be the hexadecimal version of the appliance’s IP address with 01
at the end of the string. For example, if the appliance sending the SNMP alert has an IP address of 172.16.1.50
, the Engine ID is 0xAC10013201
or, if the appliance has an IP address of 10.1.1.77
, 0x0a01014D01
is used as the Engine ID.
Table 44-2 SNMP v3 Options
|
|
Trap Type
|
The trap type to use for IP addresses that appear in the alerts.
If your network management system correctly renders the INET_IPV4 address type, then you can select
as Binary
. Otherwise, select
as String
. For example, HP Openview requires the string type.
|
Trap Server
|
The server that will receive SNMP traps notification.
You can specify a single IP address or hostname.
|
Authentication Password
|
The password required for authentication. SNMP v3 uses either the Message Digest 5 (MD5) hash function or the Secure Hash Algorithm (SHA) hash function to encrypt this password, depending on configuration.
If you specify an authentication password, authentication is enabled.
|
Private Password
|
The SNMP key for privacy. SNMP v3 uses the Data Encryption Standard (DES) block cipher to encrypt this password.
If you specify a private password, privacy is enabled. If you specify a private password, you must also specify an authentication password.
|
User Name
|
Your SNMP user name.
|
For information about configuring SNMP Alerting, see Configuring SNMP Responses.
Configuring SNMP Responses
License:
Protection
You can configure SNMP alerting in an intrusion policy. After you apply the policy as part of an access control policy, the system notifies you of any intrusion events it detects via SNMP trap. For more details on SNMP alerting, see Using SNMP Responses.
To configure SNMP alerting options:
Access:
Admin/Intrusion Admin
Step 1 Select
Policies> Intrusion > Intrusion Policy.
The Intrusion Policy page appears.
Step 2 Click the edit icon (
) next to the policy you want to edit.
If you have unsaved changes in another policy, click
OK
to discard those changes and continue. See Resolving Conflicts and Committing Policy Changes for information on saving unsaved changes in another policy.
The Policy Information page appears.
Step 3 Click
Advanced Settings
in the navigation panel on the left.
The Advanced Settings page appears.
Step 4 You have two choices, depending on whether
SNMP Alerting
under External Responses is enabled:
-
If the configuration is enabled, click
Edit
.
-
If the configuration is disabled, click
Enabled
, then click
Edit
.
The SNMP Alerting page appears.
A message at the bottom of the page identifies the intrusion policy layer that contains the configuration. See Using Layers in a Network Analysis or Intrusion Policy for more information.
Step 5 Specify the trap type format that you want to use for IP addresses that appear in the alerts,
as Binary
or
as String
.
Note If your network management system correctly renders the INET_IPV4 address type, then you can use the as Binary option. Otherwise, use the as String option. For example, HP OpenView requires the as String option.
Step 6 Select either SNMP v2 or SNMP v3:
-
To configure SNMP v2, enter the IP address and the community name of the trap server you want to use in the corresponding fields. See SNMP v2 Options.
-
To configure SNMP v3, enter the IP address of the trap server you want to use, an authentication password, a private password, and a user name in the corresponding fields. See SNMP v3 Options for more information.
Note You must select SNMP v2 or SNMP v3.
Note When you enter an SNMP v3 password, the password displays in plain text during initial configuration but is saved in encrypted format.
Step 7 Save your policy, continue editing, discard your changes, revert to the default configuration settings in the base policy, or exit while leaving your changes in the system cache. See Resolving Conflicts and Committing Policy Changes for more information.
Using Syslog Responses
License:
Protection
The system log, or
syslog,
is the standard logging mechanism for network event logging. You can send
syslog alerts
, which are intrusion event notifications, to the syslog on an appliance. The syslog allows you to categorize information in the syslog by priority and facility. The
priority
reflects the severity of the alert and the
facility
indicates the subsystem that generated the alert. Facilities and priorities are not displayed in the actual message that appears in syslog, but are instead used to tell the system that receives the syslog message how to categorize it.
Syslog alerts contain the following information:
-
date and time of alert generation
-
event message
-
event data
-
generator ID of the triggering event
-
Snort ID of the triggering event
-
revision
In an intrusion policy, you can turn on syslog alerting and specify the syslog priority and facility associated with intrusion event notifications in the syslog. When you apply the intrusion policy as part of an access control policy, the system then sends syslog alerts for the intrusion events it detects to the syslog facility on the local host or on the logging host specified in the policy. The host receiving the alerts uses the facility and priority information you set when configuring syslog alerting to categorize the alerts.
The following table lists the facilities you can select when configuring syslog alerting. Be sure to configure a facility that makes sense based on the configuration of the remote syslog server you use. The
syslog.conf
file located on the remote system (if you are logging syslog messages to a UNIX- or Linux-based system) indicates which facilities are saved to which log files on the server.
Table 44-3 Available Syslog Facilities
|
|
AUTH
|
A message associated with security and authorization.
|
AUTHPRIV
|
A restricted access message associated with security and authorization. On many systems, these messages are forwarded to a secure file.
|
CRON
|
A message generated by the clock daemon.
|
DAEMON
|
A message generated by a system daemon.
|
FTP
|
A message generated by the FTP daemon.
|
KERN
|
A message generated by the kernel. On many systems, these messages are printed to the console when they appear.
|
LOCAL0-LOCAL7
|
A message generated by an internal process.
|
LPR
|
A message generated by the printing subsystem.
|
MAIL
|
A message generated by a mail system.
|
NEWS
|
A message generated by the network news subsystem.
|
SYSLOG
|
A message generated by the syslog daemon.
|
USER
|
A message generated by a user-level process.
|
UUCP
|
A message generated by the UUCP subsystem.
|
Select one of the following standard syslog priority levels to display on all notifications generated by this alert:
Table 44-4 Syslog Priority Levels
|
|
EMERG
|
A panic condition broadcast to all users
|
ALERT
|
A condition that should be corrected immediately
|
CRIT
|
A critical condition
|
ERR
|
An error condition
|
WARNING
|
Warning messages
|
NOTICE
|
Conditions that are not error conditions, but require attention
|
INFO
|
Informational messages
|
DEBUG
|
Messages that contain debug information
|
For more detailed information about how syslog works and how to configure it, refer to the documentation that accompanies your system. If you are logging to a UNIX- or Linux-based system’s syslog, the
syslog.conf
man file (type
man syslog.conf
at the command line) and syslog man file (type
man syslog
at the command line) provide information about how syslog works and how to configure it.
Configuring Syslog Responses
License:
Protection
You can configure syslog alerting in an intrusion policy. After you apply the policy as part of an access control policy, the system notifies you of any intrusion events it detects via the syslog. For more information on syslog alerting, see Using Syslog Responses.
To configure syslog alerting options:
Access:
Admin/Intrusion Admin
Step 1 Select
Policies > Intrusion > Intrusion Policy.
The Intrusion Policy page appears.
Step 2 Click the edit icon (
) next to the policy you want to edit.
If you have unsaved changes in another policy, click
OK
to discard those changes and continue. See Resolving Conflicts and Committing Policy Changes for information on saving unsaved changes in another policy.
The Policy Information page appears.
Step 3 Click
Advanced Settings
in the navigation panel on the left.
The Advanced Settings page appears.
Step 4 You have two choices, depending on whether
Syslog Alerting
under External Responses is enabled:
-
If the configuration is enabled, click
Edit
.
-
If the configuration is disabled, click
Enabled
, then click
Edit
.
The Syslog Alerting page appears.
A message at the bottom of the page identifies the intrusion policy layer that contains the configuration. See Using Layers in a Network Analysis or Intrusion Policy for more information.
Step 5 Optionally, in the
Logging Hosts
field, enter the remote access IP address you want to specify as logging host. Separate multiple hosts with commas.
Step 6 Select facility and priority levels from the drop-down lists.
See Using Syslog Responses for details on facility and priority options.
Step 7 Save your policy, continue editing, discard your changes, revert to the default configuration settings in the base policy, or exit while leaving your changes in the system cache. See Resolving Conflicts and Committing Policy Changes for more information.
Understanding Email Alerting
License:
Protection
Email alerts
are notifications of intrusion events by email. Email alerts include the following information:
-
total number of alerts in the database
-
last email time (the time that the system generated the last email report)
-
current time (the time that the system generated the current email report)
-
total number of new alerts
-
number of events that matched specified email filters (if events are configured for specific rules)
-
timestamp, protocol, event message, and session information (source and destination IPs and ports with traffic direction) for each event (if Summary Output is off)
Note If multiple intrusion events originate from the same source IP, a note appears beneath the event that displays the number of additional events.
-
number of events per destination port
-
number of events per source IP
For each rule or rule group, you can enable or disable email alerting on intrusion events. Your email alert settings are used regardless of which intrusion policy you apply to the device as part of an access control policy.
The following list describes the parameters you can set for email alerting.
On/Off
Enables or disables email notification.
From Address
Specifies the email address or addresses from which the system sends intrusion events.
To Address
Specifies the email address where the system sends intrusion events. To send email to multiple recipients, separate email addresses with commas. For example:
user1@example.com, user2@example.com
Max Alerts
Specifies the maximum number of intrusion events the system sends via email in the time frame specified by Frequency (seconds).
Frequency (seconds)
Specifies how often the system mails intrusion events. The Frequency setting also specifies the frequency with which email settings are saved.
Minimum frequency: 300 seconds
Maximum frequency: 4 billion seconds
Coalesce Alerts
Enables or disables grouping of intrusion events by source IP and event so that multiple identical intrusion events generated against the same source IP only present one event on the page.
Note that alert coalescence (grouping) occurs after events are filtered. Therefore, if you configure email alerting on specific rules, you will only receive a list of events that match the rules you specified in the Mail Alerting Configuration.
Summary Output
Enables or disables brief email alerting, which is suitable for text-limited devices such as pagers. Brief email alerts contain:
– event timestamp
– for Defense Centers, the IP address for the device that generated the event
– event protocol
– source IP and port
– destination IP and port
– event message
– the number of intrusion events generated against the same source IP
For example:
2011-05-18 10:35:10 10.1.1.100 icmp 10.10.10.1:8 -> 10.2.1.3:0
snort_decoder: Unknown Datagram decoding problem! (116:108)
Email Alerting on Specific Rules Configuration
Specifies the rules or rule groups whose events you want mailed to the specified email address or addresses.
For information about configuring email alerting, see Configuring Email Alerting.
Configuring Email Alerting
License:
Protection
You can configure email alerting so that your appliance notifies you whenever an intrusion event occurs for an specific rule or rule group.
Before you can receive email alerts, you
must:
To configure email alerting options:
Access:
Admin/Intrusion Admin
Step 1 Select
Policies > Intrusion > Email
.
The Email Alerting page appears.
Step 2 Next to
State
, select
on
to enable email alerting.
Step 3 In the
From Address
field, type the address you want to display in the From field in the email alerts.
Step 4 In the
To Address
field, type the address where you want to receive the email alerts.
Step 5 In the
Max Alerts
field, type the maximum number of events you want included in a single email.
Step 6 In the
Min Frequency
field, type the number of seconds for the minimum frequency with which you want to receive email alerts.
Step 7 To group events by IP address, next to
Coalesce Alerts
, select
on
.
Step 8 To send brief email alerts, next to
Summary Output
, select
on
.
Tip If you enable Summary Output, consider enabling Coalesce Alerts to reduce the number of alerts generated. Also consider setting Max Alerts to 1 to avoid overflowing your device’s text message buffer.
Step 9 In the
Time Zone
field, select your time zone from the drop-down list.
Step 10 To enable email alerting per rule, click
Email Alerting per Rule Configuration
.
The rule groups appear.
Tip To receive email alerts for all rules in all categories, select Select All.
Step 11 Perform one or both of the following:
-
Click
All
next to rule categories for which you want to receive email alerts for all rules belonging to the category.
-
Click the category folder within which you want to specify email alerting on individual rules in that category, then enable the rules for which you want to receive email alerts.
Step 12 Click
Save
.
The system saves your email alerting configuration. When applicable intrusion events occur, you receive email alerts.