VMS e-mail alert

facundog
Level 1

Hi, my name is Facundo and I would like any suggestion regarding VMS e-mail alerts.

We are currently running CiscoWorks Common Services 2.2 and IDS MC 1.2 and we have several 4210/4215/IDSM-2 sensors; some of them are version 4.x and some 3.x are still working. However, the 3.x ones will be upgraded soon.

Although we are able to receive e-mail notifications for some specific signatures that we have chosen, the information included in the e-mail text is not good enough for us. We would like to include information about the attacker address, victim address, signature ID, signature name, date and time in those e-mails.

Do you think it is possible to do that?

Could you help us to do it?

Best regards.

Facundo

1 Reply

brok3n
Level 1

Greetings Facundo,

The email alerts are quite inadequate in my opinion as well. I have modified the emailalert.pl script to my liking to include source and destination ports, etc.

I would suggest doing the following in emailalert.pl:

Under the main loop (search for text: #Loop until there's no more alerts), add an if statement right below the $attackerstring if statement that reads as:

# Capture the attacker port: the text between <port> and </port></attacker>
if (m/<port>(.*)<\/port><\/attacker>/) {
    $srcport = $1;
}

Add another under victim string that reads as:

# Capture the victim port: the text between <port> and </port></victim></attack>
if (m/<port>(.*)<\/port><\/victim><\/attack>/) {
    $dstport = $1;
}

Now you have two new vars $srcport and $dstport.

Insert these into the "print(OUT" that is right before the blat execution. Mine reads:

print(OUT "\n$hostid $SigName $attackerstring SP $srcport $victimstring DP $dstport\n");

The Time variables are available as $hour $min and $sec. You can change that print statement to whatever text combination you would like.

Hope this helps.

-wP!
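To show the same approach covering every field Facundo asked for (attacker and victim address, signature ID and name, date/time) in one place, here is an added stand-alone Perl example; it is not emailalert.pl or code from the reply above. The alert record is constructed: the `</port></attacker>` and `</port></victim></attack>` tag order follows the reply's regexes, while the `hostId` attribute and the `<time>`, `<sigId>` and `<sigName>` element names are assumptions about the alert layout.

```perl
#!/usr/bin/perl
# Added example (not emailalert.pl itself): extract the fields requested in the
# thread from one IDS alert record and build the one-line e-mail body that the
# reply hands to print(OUT ...) before the blat call.
use strict;
use warnings;

# Constructed sample alert, one record per line as the script's main loop sees it.
# Tag layout beyond </port></attacker> and </port></victim></attack> is assumed.
my $alert = '<alert hostId="sensor1"><time>2004-06-15 10:22:31</time>'
          . '<attack><sigId>3030</sigId><sigName>TCP SYN Host Sweep</sigName>'
          . '<attacker><addr>192.0.2.10</addr><port>44123</port></attacker>'
          . '<victim><addr>198.51.100.5</addr><port>80</port></victim></attack></alert>';

# Non-greedy (.*?) keeps each capture inside its own element when the whole
# alert sits on one line; the reply's greedy (.*) also works but would overrun
# if a record ever carried more than one <port> element before the closing tags.
sub parse_alert {
    my ($line) = @_;
    my %f;
    ($f{hostid})   = $line =~ m/hostId="([^"]*)"/;
    ($f{time})     = $line =~ m/<time>(.*?)<\/time>/;
    ($f{sigid})    = $line =~ m/<sigId>(.*?)<\/sigId>/;
    ($f{signame})  = $line =~ m/<sigName>(.*?)<\/sigName>/;
    ($f{attacker}) = $line =~ m/<attacker><addr>(.*?)<\/addr>/;
    ($f{srcport})  = $line =~ m/<port>(.*?)<\/port><\/attacker>/;
    ($f{victim})   = $line =~ m/<victim><addr>(.*?)<\/addr>/;
    ($f{dstport})  = $line =~ m/<port>(.*?)<\/port><\/victim><\/attack>/;
    # A field missing from the record becomes "?" instead of an undef warning
    # in the e-mail (values %f aliases the hash entries; needs perl 5.10+ for //=).
    $_ //= '?' for values %f;
    return \%f;
}

# Same shape as the reply's print line, with the extra fields added.
sub format_body {
    my ($f) = @_;
    return sprintf("%s %s [%s] %s %s SP %s -> %s DP %s\n",
        @$f{qw(time hostid sigid signame attacker srcport victim dstport)});
}

my $body = format_body(parse_alert($alert));
print $body;
# Expected line:
# 2004-06-15 10:22:31 sensor1 [3030] TCP SYN Host Sweep 192.0.2.10 SP 44123 -> 198.51.100.5 DP 80
```

In emailalert.pl the string returned by format_body is what would replace the text inside the existing print(OUT ...) call; the reply's $hour/$min/$sec variables can be used instead of the parsed <time> element if the real records carry no such tag.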