Security Monitor能夠在觸發事件規則時傳送電子郵件通知。可以在電子郵件通知中使用的內建變數不包括諸如特徵碼ID、警報的源和目標等內容。本文檔提供了一些說明,您可以使用這些說明來配置安全監視器,以便在電子郵件通知消息中包括這些變數(以及更多變數)。
本文件沒有特定需求。
本文件所述內容不限於特定軟體和硬體版本。但是,請務必根據您的環境中運行的感測器版本使用適當的Perl指令碼。
使用此過程可以配置電子郵件通知。
附註: 若要將電子郵件傳送到正確的電子郵件地址,請確保更改指令碼中的電子郵件地址。
將其中一個指令碼複製到VPN/安全管理解決方案(VMS)伺服器上的$BASE\CSCOpx\MDC\etc\ids\scripts目錄中。這樣,您就可以在定義事件規則時稍後選擇它。將指令碼另存為emailalert.pl。
附註: 如果使用其他名稱,請確保在這些步驟中定義的事件規則中引用該名稱。
指令碼包含用於解釋每個部分和任何所需輸入的註釋。具體來說,請將$EmailRcpt變數(靠近檔案頂部)修改為接收警報的人員的電子郵件地址。
在安全監視器內定義事件規則以呼叫新的Perl指令碼。在Security Monitor首頁面中,選擇Admin > Event Rules,然後新增新事件。
在Specify the Event Filter(指定事件過濾器)視窗中,新增要觸發電子郵件警報的過濾器(在此示例中,為任何High severity alert傳送電子郵件)。
在「選擇操作」視窗中,選中執行指令碼的框並從下拉框中選擇指令碼名稱。
在「引數」部分中,輸入「${Query}」,如此處所示。
注意:此輸入內容必須完全按此處方式輸入,包括雙引號。它也區分大小寫。
收到事件過濾器(在本例中為高嚴重性警報)中定義的警報時,將使用${Query}引數呼叫名為emailalert.pl的指令碼。包含有關警報的更多資訊。該指令碼解析所有單獨的欄位,並使用名為「blat」的程式向終端使用者傳送電子郵件。
Blat是一個免費電子郵件程式,在Windows系統上使用,用於傳送來自批處理檔案或Perl指令碼的電子郵件。它包含在$BASE\CSCOpx\bin目錄下,作為VMS安裝的一部分。若要驗證路徑設定,請在VMS伺服器上開啟命令提示符視窗,然後鍵入blat。
如果收到File not found錯誤,請將blat.exe檔案複製到winnt\system32目錄中,或者找到該檔案並從其所在的目錄中將其開啟。若要安裝此程式,請運行:
blat -install
安裝此程式後,即完成安裝。
以下是設定程式的步驟1中所述的指令碼:
此指令碼用於3.x版感測器。
3.x感測器 |
---|
#!/usr/bin/perl #*********************************************************************** # # FILE NAME : emailalert.pl # # DESCRIPTION : This file is a perl script that will be executed as an # action when an IDS-MC Event Rule triggers, and will send an # email to $EmailRcpt with additional alert parameters (similar to # the functionality available with CSPM notifications) # # NOTE: this script only works with 3.x sensors, alarms from 4.0 # sensors are stored differently and cannot be represented # in a similar format. # # NOTE: check the "system" command in the script for the correct # format depending on whether you're using IDSMC/SecMon # v1.0 or v1.1, you may need the "-on" command-line option. # # NOTE : This script takes the ${Query} keyword from the # triggered rule, extracts the set of alarms that caused # the rule to trigger. It then reads the last alarm of # this set, parses the individual alarm fields, and # calls the legacy script with the same set of command # line arguments as CSPM. # # The calling sequence of this script must be of the form: # # emailalert.pl "${Query}" # # Where: # # "${Query}" - this is the query keyword dynamically # output by the rule when it triggers. # It MUST be wrapped in double quotes when specifying it in the Arguments # box on the Rule Actions panel. # # #*********************************************************************** ## ## The following are the only two variables that need changing. $TempIDSFile can be any ## filename (doesn't have to exist), just make sure the directory that you specify ## exists. Make sure to use 2 backslashes for each directory, the first backslash is ## so the Perl interpretor doesn't error on the pathname. ## ## $EmailRcpt is the person that is going to receive the email notifications. Also ## make sure you escape the @ symbol by putting a backslash in front of it, otherwise ## you'll get a Perl syntax error. ## $TempIDSFile = "c:\\temp\\idsalert.txt"; $EmailRcpt = "nobody\@cisco.com"; ## ## pull out command line arg ## $whereClause = $ARGV[0]; ## ## extract all the alarms matching search expression ## $tmpFile = "alarms.out"; ## The following line will extract alarms from 1.0 IDSMC/SecMon database, if ## using 1.1 comment out the line below and un-comment the other system line ## below it. ## V1.0 IDSMC/SecMon version system("IdsAlarms -s\"$whereClause\" -f\"$tmpFile\""); ## V1.1 IDSMC/SecMon version. ## system("IdsAlarms -on -s\"$whereClause\" -f\"$tmpFile\""); ## # open matching alarm output if (!open(ALARM_FILE, $tmpFile)) { print "Could not open ", $tmpFile, "\n"; exit -1; } # read to last line while (<ALARM_FILE>) { $line = $_; } # clean up close(ALARM_FILE); unlink($tmpFile); ## ## split last line into fields ## @fields = split(/,/, $line); $eventType = @fields[0]; $recordId = @fields[1]; $gmtTimestamp = 0; # need gmt time_t $localTimestamp = 0; # need local time_t $localDate = @fields[4]; $localTime = @fields[5]; $appId = @fields[6]; $hostId = @fields[7]; $orgId = @fields[8]; $srcDirection = @fields[9]; $destDirection = @fields[10]; $severity = @fields[11]; $sigId = @fields[12]; $subSigId = @fields[13]; $protocol = "TCP/IP"; $srcAddr = @fields[15]; $destAddr = @fields[16]; $srcPort = @fields[17]; $destPort = @fields[18]; $routerAddr = @fields[19]; $contextString = @fields[20]; ## Open temp file to write alert data into, open(OUT,">$TempIDSFile") || warn "Unable to open output file!\n"; ## Now write your email notification message. You're writing the following into ## the temporary file for the moment, but this will then be emailed. Use the format: ## ## print (OUT "Your text with any variable name from the list above \n"); ## ## Again, make sure you escape special characters with a backslash (note the : in between $sigId ## and $subSigId has a backslash in front of it) print(OUT "\n"); print(OUT "Received severity $severity alert at $localDate $localTime\n"); print(OUT "Signature ID $sigId\:$subSigId from $srcAddr to $destAddr\n"); print(OUT "$contextString"); close(OUT); ## then call "blat" to send contents of that file in the body of an email message. ## Blat is a freeware email program for WinNT/95, it comes with VMS in the ## $BASE\CSCOpx\bin directory, make sure you install it first by running: ## ## blat -install <SMTP server address> <source email address> ## ## For more help on blat, just type "blat" at the command prompt on your VMS system (make ## sure it's in your path (feel free to move the executable to c:\winnt\system32 BEFORE ## you run the install, that'll make sure your system can always find it). system ("blat \"$TempIDSFile\" -t \"$EmailRcpt\" -s \"Received IDS alert\""); |
對4.x版感測器使用此指令碼。
4.x感測器 |
---|
#!/usr/bin/perluse Time::Local;#*********************************************************************** # # FILE NAME : emailalert.pl # # DESCRIPTION : This file is a perl script that will be executed as an # action when an IDS-MC Event Rule triggers, and will send an # email to $EmailRcpt with additional alert parameters (similar to # the functionality available with CSPM notifications) # # NOTE: this script only works with 4.x sensors. It will # not work with 3.x sensors. # # NOTES : This script takes the ${Query} keyword from the # triggered rule, extracts the set of alarms that caused # the rule to trigger. It then reads the last alarm of # this set, parses the individual alarm fields, and # calls the legacy script with the same set of command # line arguments as CSPM. # # The calling sequence of this script must be of the form: # # emailalert.pl "${Query}" # # Where: # # "${Query}" - this is the query keyword dynamically # output by the rule when it triggers. # It MUST be wrapped in double quotes # when specifying it in the Arguments # box on the Rule Actions panel. # # #*********************************************************************** ## ## The following are the only two variables that need changing. $TempIDSFile can be any ## filename (doesn't have to exist), just make sure the directory that you specify ## exists. Make sure to use 2 backslashes for each directory, the first backslash is ## so the Perl interpretor doesn't error on the pathname. ## ## $EmailRcpt is the person that is going to receive the email notifications. Also ## make sure you escape the @ symbol by putting a backslash in front of it, otherwise ## you'll get a Perl syntax error. ## $TempIDSFile = "c:\\temp\\idsalert.txt"; $EmailRcpt = "yourname\@yourcompany.com"; # subroutine to add leading 0's to any date variable that's less than 10. sub add_zero { my ($var) = @_; if ($var < 10) { $var = "0" .$var } return $var; } # subroutine to find one or more IP addresses within an XML tag (we can have multiple # victims and/or attackers in one alert now). sub find_addresses { my ($var) = @_; my @addresses = (); if (m/$var/) { $raw = $&; while ($raw =~ m/(\d{1,3}\.){3}\d{1,3}/) { push @addresses,$&; $raw = $'; } $var = join(', ',@addresses); return $var; } } # pull out command line arg $whereClause = $ARGV[0]; # extract all the alarms matching search expression $tmpFile = "alarms.out"; # Extract the XML alert/event out of the database. system("IdsAlarms -s\"$whereClause\" -f\"$tmpFile\""); # open matching alarm output if (!open(ALARM_FILE, $tmpFile)) { print "Could not open $tmpFile\n"; exit -1; } # read to last line while (<ALARM_FILE>) { chomp $_; push @logfile,$_; } # clean up close(ALARM_FILE); unlink($tmpFile); # Open temp file to write alert data into, open(OUT,">$TempIDSFile"); # split XML output into fields $oneline = join('',@logfile); $oneline =~ s/\<\/events\>//g; $oneline =~ s/\<\/evAlert\>/\<\/evAlert\>,/g; @items = split(/,/,$oneline); # If you want to see the actual database query result in the email, un-comment out the # line below (useful for troubleshooting): # print(OUT "$oneline\n"); # Loop until there's no more alerts foreach (@items) { if (m/\<hostId\>(.*)\<\/hostId\>/) { $hostid = $1; } if (m/severity="(.*?)"/) { $sev = $1; } if (m/Zone\=".*"\>(.*)\<\/time\>/) { $t = $1; if ($t =~ m/(.*)(\d{9})/) { ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime($1); # Year is reported from 1900 onwards (eg. 2003 is 103). $year = $year + 1900; # Months start at 0 (January = 0, February = 1, etc), so add 1. $mon = $mon + 1; $mon = add_zero ($mon); $mday = add_zero ($mday); $hour = add_zero ($hour); $min = add_zero ($min); $sec = add_zero ($sec); } } if (m/sigName="(.*?)"/) { $SigName = $1; } if (m/sigId="(.*?)"/) { $SigID = $1; } if (m/subSigId="(.*?)"/) { $SubSig = $1; } $attackerstring = "\<attacker.*\<\/attacker"; if ($attackerstring = find_addresses ($attackerstring)) { } $victimstring = "\<victim.*\<\/victim"; if ($victimstring = find_addresses ($victimstring)) { } if (m/\<alertDetails\>(.*)\<\/alertDetails\>/) { $AlertDetails = $1; } @actions = (); if (m/\<actions\>(.*)\<\/actions\>/) { $rawaction = $1; while ($rawaction =~ m/\<(\w*?)\>(.*?)\</) { $rawaction = $'; if ($2 eq "true") { push @actions,$1; } } if (@actions) { $actiontaken = join(', ',@actions); } } else { $actiontaken = "None"; } ## Now write your email notification message. You're writing the following into ## the temporary file for the moment, but this will then be emailed. ## ## Again, make sure you escape special characters with a backslash (note the : between ## the SigID and the SubSig). ## ## Put your VMS servers IP address in the NSDB: line below to get a direct link ## to the signature details within the email. print(OUT "\n$hostid reported a $sev severity alert at $hour:$min:$sec on $mon/$mday/$year\n"); print(OUT "Signature: $SigName \($SigID\:$SubSig\)\n"); print(OUT "Attacker: $attackerstring ---> Victim: $victimstring\n"); print(OUT "Alert details: $AlertDetails \n"); print(OUT "Actions taken: $actiontaken \n"); print(OUT "NSDB: https\://<your VMS server IP address>/vms/nsdb/html/expsig_$SigID.html\n\n"); print(OUT "----------------------------------------------------\n"); } close(OUT); ## Now call "blat" to send contents of the file in the body of an email message. ## Blat is a freeware email program for WinNT/95, it comes with VMS in the ## $BASE\CSCOpx\bin directory, make sure you install it first by running: ## ## blat -install <SMTP server address> <source email address> ## ## For more help on blat, just type "blat" at the command prompt on your VMS system (make ## sure it's in your path (feel free to move the executable to c:\winnt\system32 BEFORE ## you run the install, that'll make sure your system can always find it). system ("blat \"$TempIDSFile\" -t \"$EmailRcpt\" -s \"Received IDS alert\""); |
將此指令碼用於5.x版感測器。
5.x感測器 |
---|
#!/usr/bin/perl use Time::Local; #*********************************************************************** # # FILE NAME : emailalertv5.pl # # DESCRIPTION : This file is a perl script that will be executed as an # action when an IDS-MC Event Rule triggers, and will send an # email to $EmailRcpt with additional alert parameters (similar to # the functionality available with CSPM notifications) # # NOTE: this script only works with 5.x sensors. # # NOTES : This script takes the ${Query} keyword from the # triggered rule, extracts the set of alarms that caused # the rule to trigger. It then reads the last alarm of # this set, parses the individual alarm fields, and # calls the legacy script with the same set of command # line arguments as CSPM. # # The calling sequence of this script must be of the form: # # emailalert.pl "${Query}" # # Where: # # "${Query}" - this is the query keyword dynamically # output by the rule when it triggers. # It MUST be wrapped in double quotes # when specifying it in the Arguments # box on the Rule Actions panel. # # #*********************************************************************** ## ## The following are the only two variables that need changing. $TempIDSFile can be any ## filename (doesn't have to exist), just make sure the directory that you specify ## exists. Make sure to use 2 backslashes for each directory, the first backslash is ## so the Perl interpretor doesn't error on the pathname. ## ## $EmailRcpt is the person that is going to receive the email notifications. Also ## make sure you escape the @ symbol by putting a backslash in front of it, otherwise ## you'll get a Perl syntax error. ## $TempIDSFile = "c:\\temp\\idsalert.txt"; $EmailRcpt = "gfullage\@cisco.com"; # subroutine to add leading 0's to any date variable that's less than 10. sub add_zero { my ($var) = @_; if ($var < 10) { $var = "0" .$var } return $var; } # subroutine to find one or more IP addresses within an XML tag (we can have multiple # victims and/or attackers in one alert now). sub find_addresses { my ($var) = @_; my @addresses = (); if (m/$var/) { $raw = $&; while ($raw =~ m/(\d{1,3}\.){3}\d{1,3}/) { push @addresses,$&; $raw = $'; } $var = join(', ',@addresses); return $var; } } # pull out command line arg $whereClause = $ARGV[0]; # extract all the alarms matching search expression $tmpFile = "alarms.out"; # Extract the XML alert/event out of the database. system("IdsAlarms -os -s\"$whereClause\" -f\"$tmpFile\""); # open matching alarm output if (!open(ALARM_FILE, $tmpFile)) { print "Could not open $tmpFile\n"; exit -1; } # read to last line while (<ALARM_FILE>) { chomp $_; push @logfile,$_; } # clean up close(ALARM_FILE); unlink($tmpFile); # Open temp file to write alert data into, open(OUT,">$TempIDSFile"); # split XML output into fields $oneline = join('',@logfile); $oneline =~ s/\<\/sd\:events\>//g; $oneline =~ s/\<\/sd\:evIdsAlert\>/\<\/sd\:evIdsAlert\>,/g; @items = split(/,/,$oneline); # If you want to see the actual database query result in the email, un-comment out the # line below (useful for troubleshooting): # print(OUT "$oneline\n"); # Loop until there's no more alerts foreach (@items) { unless ($_ =~ /\<\/env\:Body\>/) { if (m/\<sd\:hostId\>(.*)\<\/sd\:hostId\>/) { $hostid = $1; } if (m/severity="(.*?)"/) { $sev = $1; } if (m/Zone\=".*"\>(.*)\<\/sd\:time\>/) { $t = $1; if ($t =~ m/(.*)(\d{9})/) { ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime($1); # Year is reported from 1900 onwards (eg. 2003 is 103). $year = $year + 1900; # Months start at 0 (January = 0, February = 1, etc), so add 1. $mon = $mon + 1; $mon = add_zero ($mon); $mday = add_zero ($mday); $hour = add_zero ($hour); $min = add_zero ($min); $sec = add_zero ($sec); } } if (m/description="(.*?)"/) { $SigName = $1; } if (m/\ id="(.*?)"/) { $SigID = $1; } if (m/\<cid\:subsigId\>(.*)\<\/cid\:subsigId\>/) { $SubSig = $1; } if (m/\<cid\:riskRatingValue\>(.*)\<\/cid\:riskRatingValue\>/) { $RR = $1; } if (m/\<cid\:interface\>(.*)\<\/cid\:interface\>/) { $Intf = $1; } $attackerstring = "\<sd\:attacker.*\<\/sd\:attacker"; if ($attackerstring = find_addresses ($attackerstring)) { } $victimstring = "\<sd\:target.*\<\/sd\:target"; if ($victimstring = find_addresses ($victimstring)) { } if (m/\<cid\:alertDetails\>(.*)\<\/cid\:alertDetails\>/) { $AlertDetails = $1; } @actions = (); if (m/\<sd\:actions\>(.*)\<\/sd\:actions\>/) { $rawaction = $1; while ($rawaction =~ m/\<\w*?:(\w*?)\>(.*?)\</) { $rawaction = $'; if ($2 eq "true") { push @actions,$1; } } if (@actions) { $actiontaken = join(', ',@actions); } } else { $actiontaken = "None"; } ## Now write your email notification message. You're writing the following into ## the temporary file for the moment, but this will then be emailed. ## ## Again, make sure you escape special characters with a backslash (note the : between ## the SigID and the SubSig). ## ## Put your VMS servers IP address in the NSDB: line below to get a direct link ## to the signature details within the email. print(OUT "\n$hostid reported a $sev severity alert at $hour:$min:$sec on $mon/$mday/$year\n"); print(OUT "Signature: $SigName \($SigID\:$SubSig\)\n"); print(OUT "Attacker: $attackerstring ---> Victim: $victimstring\n"); print(OUT "Alert details: $AlertDetails \n"); print(OUT "Risk Rating: $RR, Interface: $Intf \n"); print(OUT "Actions taken: $actiontaken \n"); print(OUT "NSDB: https\://sec-srv/vms/nsdb/html/expsig_$SigID.html\n\n"); print(OUT "----------------------------------------------------\n"); } } close(OUT); ## Now call "blat" to send contents of the file in the body of an email message. ## Blat is a freeware email program for WinNT/95, it comes with VMS in the ## $BASE\CSCOpx\bin directory, make sure you install it first by running: ## ## blat -install <SMTP server address> <source email address> ## ## For more help on blat, just type "blat" at the command prompt on your VMS system (make ## sure it's in your path (feel free to move the executable to c:\winnt\system32 BEFORE ## you run the install, that'll make sure your system can always find it). system ("blat \"$TempIDSFile\" -t \"$EmailRcpt\" -s \"Received IDS alert\""); |
目前沒有適用於此組態的驗證程序。
請按照以下說明對配置進行故障排除。
在命令提示符下運行此命令,以檢查警報是否正常工作:
blat-t -s "Test message"
<filename>是VMS系統上任何文本檔案的完整路徑。如果電子郵件指令碼所指向的使用者在電子郵件正文中收到此檔案,則您知道此錯誤有效。
如果在觸發警報後未收到任何電子郵件,請嘗試從命令提示符視窗運行Perl指令碼。
這將突出顯示所有Perl或路徑型別問題。若要執行此操作,請開啟命令提示符並輸入:
>cd Program Files/CSCOpx/MDC/etc/ids/scripts >emailalert.pl ${Query}
您可能會收到Sybase錯誤,與本例類似。這是因為您傳遞的${Query}引數實際上不包含資訊,與從安全監視器傳遞時不同。
除了看到此錯誤外,指令碼還正確運行並傳送電子郵件。電子郵件正文中的所有警報引數均為空白。如果您收到任何Perl或路徑錯誤,則需要在傳送電子郵件之前修復這些錯誤。
修訂 | 發佈日期 | 意見 |
---|---|---|
1.0 |
12-Jul-2006 |
初始版本 |