Security Monitor can send email notifications when an event rule triggers. The built-in variables that can be used in the email notification for each event do not include items such as the signature ID, the source and destination of the alert, and so on. This document provides instructions you can use to configure Security Monitor to include these variables (and many more) in the email notification message.
There are no specific requirements for this document.
This document is not restricted to specific software and hardware versions. However, make sure you use the appropriate Perl script for the Sensor versions running in your environment.
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Use this procedure to configure the email notifications.
Note: To send the email to the correct address, make sure you change the address in the script.
Copy one of these scripts to the $BASE\CSCOpx\MDC\etc\ids\scripts directory on the VPN/Security Management Solution (VMS) server. This allows you to select it later in the process when you define an event rule. Save the script as emailalert.pl.
Note: If you use a different name, make sure you reference that name in the event rule defined in these steps.
For version 3.x sensors, use the 3.x sensors script.
For version 4.x sensors, use the 4.x sensors script.
For version 5.x sensors, use the 5.x sensors script.
If you have a mix of Sensor versions, Cisco recommends that you upgrade so that all of them are at the same version level. This is because only one of these scripts can run at any one time.
The script contains comments that explain each part and any required input. In particular, change the $EmailRcpt variable (near the top of the file) to the email address of the person who will receive the alerts.
Define an event rule in Security Monitor to call the new Perl script. From the Security Monitor main page, choose Admin > Event Rules and add a new event.
In the Specify the Event Filter window, add the filters that you want to trigger the email alert (in the example here, an email is sent for any high-severity alert).
In the Choose the Action window, check the box to execute a script and select the script name from the drop-down box.
In the Arguments section, enter "${Query}" as shown here.
Note: It must be entered exactly as shown here, including the double quotes. It is also case-sensitive.
When an alert that matches the event filters is received (in this example, a high-severity alert), the script named emailalert.pl is called with an argument of ${Query}. This contains additional information about the alert. The script parses out all the separate fields and uses a program called "blat" to send an email to the end user.
Blat is a freeware email program used on Windows systems to send email from batch files or Perl scripts. It is included as part of the VMS installation in the $BASE\CSCOpx\bin directory. To verify your path setup, open a command prompt window on the VMS server and type blat.
If you receive the error File not found, either copy the blat.exe file to the winnt\system32 directory, or locate it and run it from the directory it is in. To install it, run:
blat -install
Once this program is installed, you are done.
These are the scripts referenced in step 1 of the configuration procedure:
Use this script for version 3.x sensors.
3.x Sensors

```perl
#!/usr/bin/perl
#***********************************************************************
#
# FILE NAME   : emailalert.pl
#
# DESCRIPTION : This file is a perl script that will be executed as an
#               action when an IDS-MC Event Rule triggers, and will send an
#               email to $EmailRcpt with additional alert parameters (similar to
#               the functionality available with CSPM notifications)
#
# NOTE: this script only works with 3.x sensors, alarms from 4.0
#       sensors are stored differently and cannot be represented
#       in a similar format.
#
# NOTE: check the "system" command in the script for the correct
#       format depending on whether you're using IDSMC/SecMon
#       v1.0 or v1.1, you may need the "-on" command-line option.
#
# NOTE : This script takes the ${Query} keyword from the
#        triggered rule, extracts the set of alarms that caused
#        the rule to trigger. It then reads the last alarm of
#        this set, parses the individual alarm fields, and
#        calls the legacy script with the same set of command
#        line arguments as CSPM.
#
# The calling sequence of this script must be of the form:
#
#    emailalert.pl "${Query}"
#
# Where:
#
#    "${Query}" - this is the query keyword dynamically
#                 output by the rule when it triggers.
#                 It MUST be wrapped in double quotes when specifying it
#                 in the Arguments box on the Rule Actions panel.
#
#***********************************************************************
##
## The following are the only two variables that need changing. $TempIDSFile can be any
## filename (doesn't have to exist), just make sure the directory that you specify
## exists. Make sure to use 2 backslashes for each directory, the first backslash is
## so the Perl interpretor doesn't error on the pathname.
##
## $EmailRcpt is the person that is going to receive the email notifications. Also
## make sure you escape the @ symbol by putting a backslash in front of it, otherwise
## you'll get a Perl syntax error.
##
$TempIDSFile = "c:\\temp\\idsalert.txt";
$EmailRcpt   = "nobody\@cisco.com";

##
## pull out command line arg
##
$whereClause = $ARGV[0];

##
## extract all the alarms matching search expression
##
$tmpFile = "alarms.out";

## The following line will extract alarms from 1.0 IDSMC/SecMon database, if
## using 1.1 comment out the line below and un-comment the other system line
## below it.

## V1.0 IDSMC/SecMon version
system("IdsAlarms -s\"$whereClause\" -f\"$tmpFile\"");

## V1.1 IDSMC/SecMon version.
## system("IdsAlarms -on -s\"$whereClause\" -f\"$tmpFile\"");
##

# open matching alarm output
if (!open(ALARM_FILE, $tmpFile)) {
    print "Could not open ", $tmpFile, "\n";
    exit -1;
}

# read to last line
while (<ALARM_FILE>) {
    $line = $_;
}

# clean up
close(ALARM_FILE);
unlink($tmpFile);

##
## split last line into fields (the alarm record is comma-separated)
##
@fields = split(/,/, $line);
$eventType      = $fields[0];
$recordId       = $fields[1];
$gmtTimestamp   = 0;            # need gmt time_t
$localTimestamp = 0;            # need local time_t
$localDate      = $fields[4];
$localTime      = $fields[5];
$appId          = $fields[6];
$hostId         = $fields[7];
$orgId          = $fields[8];
$srcDirection   = $fields[9];
$destDirection  = $fields[10];
$severity       = $fields[11];
$sigId          = $fields[12];
$subSigId       = $fields[13];
$protocol       = "TCP/IP";
$srcAddr        = $fields[15];
$destAddr       = $fields[16];
$srcPort        = $fields[17];
$destPort       = $fields[18];
$routerAddr     = $fields[19];
$contextString  = $fields[20];

## Open temp file to write alert data into,
open(OUT, ">$TempIDSFile") || warn "Unable to open output file!\n";

## Now write your email notification message. You're writing the following into
## the temporary file for the moment, but this will then be emailed. Use the format:
##
##   print (OUT "Your text with any variable name from the list above \n");
##
## Again, make sure you escape special characters with a backslash (note the : in between $sigId
## and $subSigId has a backslash in front of it)
print(OUT "\n");
print(OUT "Received severity $severity alert at $localDate $localTime\n");
print(OUT "Signature ID $sigId\:$subSigId from $srcAddr to $destAddr\n");
print(OUT "$contextString");
close(OUT);

## then call "blat" to send contents of that file in the body of an email message.
## Blat is a freeware email program for WinNT/95, it comes with VMS in the
## $BASE\CSCOpx\bin directory, make sure you install it first by running:
##
##   blat -install <SMTP server address> <source email address>
##
## For more help on blat, just type "blat" at the command prompt on your VMS system (make
## sure it's in your path (feel free to move the executable to c:\winnt\system32 BEFORE
## you run the install, that'll make sure your system can always find it).
system("blat \"$TempIDSFile\" -t \"$EmailRcpt\" -s \"Received IDS alert\"");
```
Use this script for version 4.x sensors.
4.x Sensors

```perl
#!/usr/bin/perl
use Time::Local;
#***********************************************************************
#
# FILE NAME   : emailalert.pl
#
# DESCRIPTION : This file is a perl script that will be executed as an
#               action when an IDS-MC Event Rule triggers, and will send an
#               email to $EmailRcpt with additional alert parameters (similar to
#               the functionality available with CSPM notifications)
#
# NOTE: this script only works with 4.x sensors. It will
#       not work with 3.x sensors.
#
# NOTES : This script takes the ${Query} keyword from the
#         triggered rule, extracts the set of alarms that caused
#         the rule to trigger. It then reads the last alarm of
#         this set, parses the individual alarm fields, and
#         calls the legacy script with the same set of command
#         line arguments as CSPM.
#
# The calling sequence of this script must be of the form:
#
#    emailalert.pl "${Query}"
#
# Where:
#
#    "${Query}" - this is the query keyword dynamically
#                 output by the rule when it triggers.
#                 It MUST be wrapped in double quotes
#                 when specifying it in the Arguments
#                 box on the Rule Actions panel.
#
#***********************************************************************
##
## The following are the only two variables that need changing. $TempIDSFile can be any
## filename (doesn't have to exist), just make sure the directory that you specify
## exists. Make sure to use 2 backslashes for each directory, the first backslash is
## so the Perl interpretor doesn't error on the pathname.
##
## $EmailRcpt is the person that is going to receive the email notifications. Also
## make sure you escape the @ symbol by putting a backslash in front of it, otherwise
## you'll get a Perl syntax error.
##
$TempIDSFile = "c:\\temp\\idsalert.txt";
$EmailRcpt   = "yourname\@yourcompany.com";

# subroutine to add leading 0's to any date variable that's less than 10.
sub add_zero {
    my ($var) = @_;
    if ($var < 10) {
        $var = "0" . $var;
    }
    return $var;
}

# subroutine to find one or more IP addresses within an XML tag (we can have multiple
# victims and/or attackers in one alert now). The tag pattern is matched against $_,
# the alert currently being processed by the foreach loop below.
sub find_addresses {
    my ($var) = @_;
    my @addresses = ();
    if (m/$var/) {
        $raw = $&;
        while ($raw =~ m/(\d{1,3}\.){3}\d{1,3}/) {
            push @addresses, $&;
            $raw = $';
        }
        $var = join(', ', @addresses);
        return $var;
    }
}

# pull out command line arg
$whereClause = $ARGV[0];

# extract all the alarms matching search expression
$tmpFile = "alarms.out";

# Extract the XML alert/event out of the database.
system("IdsAlarms -s\"$whereClause\" -f\"$tmpFile\"");

# open matching alarm output
if (!open(ALARM_FILE, $tmpFile)) {
    print "Could not open $tmpFile\n";
    exit -1;
}

# read to last line
while (<ALARM_FILE>) {
    chomp $_;
    push @logfile, $_;
}

# clean up
close(ALARM_FILE);
unlink($tmpFile);

# Open temp file to write alert data into,
open(OUT, ">$TempIDSFile");

# split XML output into fields (one evAlert element per item)
$oneline = join('', @logfile);
$oneline =~ s/\<\/events\>//g;
$oneline =~ s/\<\/evAlert\>/\<\/evAlert\>,/g;
@items = split(/,/, $oneline);

# If you want to see the actual database query result in the email, un-comment out the
# line below (useful for troubleshooting):
# print(OUT "$oneline\n");

# Loop until there's no more alerts
foreach (@items) {
    if (m/\<hostId\>(.*)\<\/hostId\>/) {
        $hostid = $1;
    }
    if (m/severity="(.*?)"/) {
        $sev = $1;
    }
    if (m/Zone\=".*"\>(.*)\<\/time\>/) {
        $t = $1;
        # The sensor time is in nanoseconds; strip the last nine digits to get a time_t.
        if ($t =~ m/(.*)(\d{9})/) {
            ($sec, $min, $hour, $mday, $mon, $year, $wday, $yday, $isdst) = localtime($1);
            # Year is reported from 1900 onwards (eg. 2003 is 103).
            $year = $year + 1900;
            # Months start at 0 (January = 0, February = 1, etc), so add 1.
            $mon  = $mon + 1;
            $mon  = add_zero($mon);
            $mday = add_zero($mday);
            $hour = add_zero($hour);
            $min  = add_zero($min);
            $sec  = add_zero($sec);
        }
    }
    if (m/sigName="(.*?)"/) {
        $SigName = $1;
    }
    if (m/sigId="(.*?)"/) {
        $SigID = $1;
    }
    if (m/subSigId="(.*?)"/) {
        $SubSig = $1;
    }
    # Replace the tag patterns with the comma-separated addresses found inside them.
    $attackerstring = "\<attacker.*\<\/attacker";
    $attackerstring = find_addresses($attackerstring);
    $victimstring   = "\<victim.*\<\/victim";
    $victimstring   = find_addresses($victimstring);
    if (m/\<alertDetails\>(.*)\<\/alertDetails\>/) {
        $AlertDetails = $1;
    }
    # Collect the names of the action elements whose value is "true".
    @actions = ();
    if (m/\<actions\>(.*)\<\/actions\>/) {
        $rawaction = $1;
        while ($rawaction =~ m/\<(\w*?)\>(.*?)\</) {
            $rawaction = $';
            if ($2 eq "true") {
                push @actions, $1;
            }
        }
        if (@actions) {
            $actiontaken = join(', ', @actions);
        }
    } else {
        $actiontaken = "None";
    }

    ## Now write your email notification message. You're writing the following into
    ## the temporary file for the moment, but this will then be emailed.
    ##
    ## Again, make sure you escape special characters with a backslash (note the : between
    ## the SigID and the SubSig).
    ##
    ## Put your VMS servers IP address in the NSDB: line below to get a direct link
    ## to the signature details within the email.
    print(OUT "\n$hostid reported a $sev severity alert at $hour:$min:$sec on $mon/$mday/$year\n");
    print(OUT "Signature: $SigName \($SigID\:$SubSig\)\n");
    print(OUT "Attacker: $attackerstring ---> Victim: $victimstring\n");
    print(OUT "Alert details: $AlertDetails \n");
    print(OUT "Actions taken: $actiontaken \n");
    print(OUT "NSDB: https\://<your VMS server IP address>/vms/nsdb/html/expsig_$SigID.html\n\n");
    print(OUT "----------------------------------------------------\n");
}
close(OUT);

## Now call "blat" to send contents of the file in the body of an email message.
## Blat is a freeware email program for WinNT/95, it comes with VMS in the
## $BASE\CSCOpx\bin directory, make sure you install it first by running:
##
##   blat -install <SMTP server address> <source email address>
##
## For more help on blat, just type "blat" at the command prompt on your VMS system (make
## sure it's in your path (feel free to move the executable to c:\winnt\system32 BEFORE
## you run the install, that'll make sure your system can always find it).
system("blat \"$TempIDSFile\" -t \"$EmailRcpt\" -s \"Received IDS alert\"");
```
Use this script for version 5.x sensors.
5.x Sensors

```perl
#!/usr/bin/perl
use Time::Local;
#***********************************************************************
#
# FILE NAME   : emailalertv5.pl
#
# DESCRIPTION : This file is a perl script that will be executed as an
#               action when an IDS-MC Event Rule triggers, and will send an
#               email to $EmailRcpt with additional alert parameters (similar to
#               the functionality available with CSPM notifications)
#
# NOTE: this script only works with 5.x sensors.
#
# NOTES : This script takes the ${Query} keyword from the
#         triggered rule, extracts the set of alarms that caused
#         the rule to trigger. It then reads the last alarm of
#         this set, parses the individual alarm fields, and
#         calls the legacy script with the same set of command
#         line arguments as CSPM.
#
# The calling sequence of this script must be of the form:
#
#    emailalert.pl "${Query}"
#
# Where:
#
#    "${Query}" - this is the query keyword dynamically
#                 output by the rule when it triggers.
#                 It MUST be wrapped in double quotes
#                 when specifying it in the Arguments
#                 box on the Rule Actions panel.
#
#***********************************************************************
##
## The following are the only two variables that need changing. $TempIDSFile can be any
## filename (doesn't have to exist), just make sure the directory that you specify
## exists. Make sure to use 2 backslashes for each directory, the first backslash is
## so the Perl interpretor doesn't error on the pathname.
##
## $EmailRcpt is the person that is going to receive the email notifications. Also
## make sure you escape the @ symbol by putting a backslash in front of it, otherwise
## you'll get a Perl syntax error.
##
$TempIDSFile = "c:\\temp\\idsalert.txt";
$EmailRcpt   = "gfullage\@cisco.com";

# subroutine to add leading 0's to any date variable that's less than 10.
sub add_zero {
    my ($var) = @_;
    if ($var < 10) {
        $var = "0" . $var;
    }
    return $var;
}

# subroutine to find one or more IP addresses within an XML tag (we can have multiple
# victims and/or attackers in one alert now). The tag pattern is matched against $_,
# the alert currently being processed by the foreach loop below.
sub find_addresses {
    my ($var) = @_;
    my @addresses = ();
    if (m/$var/) {
        $raw = $&;
        while ($raw =~ m/(\d{1,3}\.){3}\d{1,3}/) {
            push @addresses, $&;
            $raw = $';
        }
        $var = join(', ', @addresses);
        return $var;
    }
}

# pull out command line arg
$whereClause = $ARGV[0];

# extract all the alarms matching search expression
$tmpFile = "alarms.out";

# Extract the XML alert/event out of the database.
system("IdsAlarms -os -s\"$whereClause\" -f\"$tmpFile\"");

# open matching alarm output
if (!open(ALARM_FILE, $tmpFile)) {
    print "Could not open $tmpFile\n";
    exit -1;
}

# read to last line
while (<ALARM_FILE>) {
    chomp $_;
    push @logfile, $_;
}

# clean up
close(ALARM_FILE);
unlink($tmpFile);

# Open temp file to write alert data into,
open(OUT, ">$TempIDSFile");

# split XML output into fields (one sd:evIdsAlert element per item)
$oneline = join('', @logfile);
$oneline =~ s/\<\/sd\:events\>//g;
$oneline =~ s/\<\/sd\:evIdsAlert\>/\<\/sd\:evIdsAlert\>,/g;
@items = split(/,/, $oneline);

# If you want to see the actual database query result in the email, un-comment out the
# line below (useful for troubleshooting):
# print(OUT "$oneline\n");

# Loop until there's no more alerts
foreach (@items) {
    # Skip the trailing SOAP envelope fragment; it is not an alert.
    unless ($_ =~ /\<\/env\:Body\>/) {
        if (m/\<sd\:hostId\>(.*)\<\/sd\:hostId\>/) {
            $hostid = $1;
        }
        if (m/severity="(.*?)"/) {
            $sev = $1;
        }
        if (m/Zone\=".*"\>(.*)\<\/sd\:time\>/) {
            $t = $1;
            # The sensor time is in nanoseconds; strip the last nine digits to get a time_t.
            if ($t =~ m/(.*)(\d{9})/) {
                ($sec, $min, $hour, $mday, $mon, $year, $wday, $yday, $isdst) = localtime($1);
                # Year is reported from 1900 onwards (eg. 2003 is 103).
                $year = $year + 1900;
                # Months start at 0 (January = 0, February = 1, etc), so add 1.
                $mon  = $mon + 1;
                $mon  = add_zero($mon);
                $mday = add_zero($mday);
                $hour = add_zero($hour);
                $min  = add_zero($min);
                $sec  = add_zero($sec);
            }
        }
        if (m/description="(.*?)"/) {
            $SigName = $1;
        }
        if (m/\ id="(.*?)"/) {
            $SigID = $1;
        }
        if (m/\<cid\:subsigId\>(.*)\<\/cid\:subsigId\>/) {
            $SubSig = $1;
        }
        if (m/\<cid\:riskRatingValue\>(.*)\<\/cid\:riskRatingValue\>/) {
            $RR = $1;
        }
        if (m/\<cid\:interface\>(.*)\<\/cid\:interface\>/) {
            $Intf = $1;
        }
        # Replace the tag patterns with the comma-separated addresses found inside them.
        $attackerstring = "\<sd\:attacker.*\<\/sd\:attacker";
        $attackerstring = find_addresses($attackerstring);
        $victimstring   = "\<sd\:target.*\<\/sd\:target";
        $victimstring   = find_addresses($victimstring);
        if (m/\<cid\:alertDetails\>(.*)\<\/cid\:alertDetails\>/) {
            $AlertDetails = $1;
        }
        # Collect the names of the action elements whose value is "true".
        @actions = ();
        if (m/\<sd\:actions\>(.*)\<\/sd\:actions\>/) {
            $rawaction = $1;
            while ($rawaction =~ m/\<\w*?:(\w*?)\>(.*?)\</) {
                $rawaction = $';
                if ($2 eq "true") {
                    push @actions, $1;
                }
            }
            if (@actions) {
                $actiontaken = join(', ', @actions);
            }
        } else {
            $actiontaken = "None";
        }

        ## Now write your email notification message. You're writing the following into
        ## the temporary file for the moment, but this will then be emailed.
        ##
        ## Again, make sure you escape special characters with a backslash (note the : between
        ## the SigID and the SubSig).
        ##
        ## Put your VMS servers IP address in the NSDB: line below to get a direct link
        ## to the signature details within the email.
        print(OUT "\n$hostid reported a $sev severity alert at $hour:$min:$sec on $mon/$mday/$year\n");
        print(OUT "Signature: $SigName \($SigID\:$SubSig\)\n");
        print(OUT "Attacker: $attackerstring ---> Victim: $victimstring\n");
        print(OUT "Alert details: $AlertDetails \n");
        print(OUT "Risk Rating: $RR, Interface: $Intf \n");
        print(OUT "Actions taken: $actiontaken \n");
        print(OUT "NSDB: https\://sec-srv/vms/nsdb/html/expsig_$SigID.html\n\n");
        print(OUT "----------------------------------------------------\n");
    }
}
close(OUT);

## Now call "blat" to send contents of the file in the body of an email message.
## Blat is a freeware email program for WinNT/95, it comes with VMS in the
## $BASE\CSCOpx\bin directory, make sure you install it first by running:
##
##   blat -install <SMTP server address> <source email address>
##
## For more help on blat, just type "blat" at the command prompt on your VMS system (make
## sure it's in your path (feel free to move the executable to c:\winnt\system32 BEFORE
## you run the install, that'll make sure your system can always find it).
system("blat \"$TempIDSFile\" -t \"$EmailRcpt\" -s \"Received IDS alert\"");
```
There is currently no verification procedure available for this configuration.
Follow these instructions to troubleshoot your configuration.
Run this command from a command prompt to verify that blat works correctly:
blat <filename> -t <email address> -s "Test message"
<filename> is the full path to any text file on the VMS system. If the user the email script is directed to receives this file in the body of an email, then you know that blat works.
If no email is received after an alert triggers, try running the Perl script from a command prompt window.
This highlights any Perl or path problems. To do this, open a command prompt and enter:
>cd Program Files/CSCOpx/MDC/etc/ids/scripts
>emailalert.pl ${Query}
You can potentially receive a Sybase error similar to this example. This is because the ${Query} parameter passed here does not actually contain any information, unlike when it is passed from Security Monitor.
Apart from this error, the script runs correctly and sends an email; the alert parameters in the body of the email are blank. If you receive any Perl or path errors, they need to be fixed before an email can be sent.
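As an added example (not part of the Cisco document or its scripts), the following Perl performs the same field extraction as the 5.x script above over a constructed sd:evIdsAlert record, formats the same message body, and calls IdsAlarms in list form so that ${Query} is never handed to a shell; it also refuses the empty ${Query} that the by-hand run in the troubleshooting section produces. The sample record, its values, and the assumption that IdsAlarms accepts the -os/-s/-f options exactly as the page's script passes them are the author's assumptions.

```perl
#!/usr/bin/perl
# Added example (not from the Cisco document): the field extraction done by the
# page's emailalertv5.pl, run over a constructed record, with shell-free IdsAlarms.
use strict;
use warnings;
use POSIX qw(strftime);

# Constructed sample using the tags the page's regexes match; values are made up.
# The time is nanoseconds; 1152662400 s is 12 Jul 2006 00:00 UTC.
my $sample_alert = <<'XML';
<sd:evIdsAlert eventId="1" severity="high"><sd:originator><sd:hostId>sensor1</sd:hostId></sd:originator>
<sd:time timeZone="UTC">1152662400123456789</sd:time>
<sd:signature description="ICMP Echo Request" id="2004"><cid:subsigId>0</cid:subsigId></sd:signature>
<cid:interface>ge0_0</cid:interface><cid:riskRatingValue>55</cid:riskRatingValue>
<sd:participants><sd:attacker><sd:addr>192.0.2.10</sd:addr></sd:attacker>
<sd:target><sd:addr>198.51.100.20</sd:addr><sd:addr>198.51.100.21</sd:addr></sd:target></sd:participants>
<sd:actions><sd:droppedPacket>true</sd:droppedPacket><sd:deniedAttacker>false</sd:deniedAttacker></sd:actions>
</sd:evIdsAlert>
XML

# Every dotted quad inside the named element (one alert can list several).
sub addresses_in {
    my ($xml, $tag) = @_;
    my ($inner) = $xml =~ m{<$tag\b[^>]*>(.*?)</$tag>};
    return defined $inner ? $inner =~ /(\d{1,3}(?:\.\d{1,3}){3})/g : ();
}
# Pull the same fields the page's script prints, from one evIdsAlert record.
sub parse_alert {
    my ($xml) = @_;
    $xml =~ s/\s*\n\s*//g;    # collapse to one line, as the script's join('') does
    my %f;
    ($f{host})     = $xml =~ m{<sd:hostId>(.*?)</sd:hostId>};
    ($f{severity}) = $xml =~ m{severity="(.*?)"};
    ($f{signame})  = $xml =~ m{description="(.*?)"};
    ($f{sigid})    = $xml =~ m{ id="(.*?)"};
    ($f{subsig})   = $xml =~ m{<cid:subsigId>(.*?)</cid:subsigId>};
    ($f{rr})       = $xml =~ m{<cid:riskRatingValue>(.*?)</cid:riskRatingValue>};
    ($f{intf})     = $xml =~ m{<cid:interface>(.*?)</cid:interface>};
    # Sensor time is nanoseconds: drop the last nine digits to get a time_t.
    if ($xml =~ m{Zone="[^"]*">(\d+)\d{9}</sd:time>}) {
        $f{when} = strftime('%H:%M:%S on %m/%d/%Y', localtime $1);
    }
    $f{attacker} = join ', ', addresses_in($xml, 'sd:attacker');
    $f{victim}   = join ', ', addresses_in($xml, 'sd:target');
    # Only actions whose element text is "true" were actually taken.
    my @taken;
    if ($xml =~ m{<sd:actions>(.*?)</sd:actions>}) {
        my $raw = $1;
        push @taken, $1 while $raw =~ m{<\w+:(\w+)>true<}g;
    }
    $f{actions} = @taken ? join(', ', @taken) : 'None';
    return \%f;
}
sub format_message {
    my ($f) = @_;
    return "\n$f->{host} reported a $f->{severity} severity alert at $f->{when}\n"
         . "Signature: $f->{signame} ($f->{sigid}:$f->{subsig})\n"
         . "Attacker: $f->{attacker} ---> Victim: $f->{victim}\n"
         . "Risk Rating: $f->{rr}, Interface: $f->{intf}\n"
         . "Actions taken: $f->{actions}\n";
}
# List-form system() hands ${Query} to IdsAlarms as one argv entry, so no shell
# parses it; an empty query (the by-hand run) is refused up front. Assumed options.
sub fetch_alarms {
    my ($where, $tmp) = @_;
    die "empty \${Query}: run this from an Event Rule, not by hand\n" unless length $where;
    return system('IdsAlarms', '-os', "-s$where", "-f$tmp") == 0;
}
print format_message(parse_alert($sample_alert));
```

The blat call can be made the same list-form way, passing the file, -t, the recipient, -s and the subject as separate arguments.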
Revision | Publication Date | Comments
---|---|---
1.0 | 12-Jul-2006 | Initial Release