Setting Triggers
The sapd service bases all its actions on triggers. Each trigger consists
of a condition and an action. The condition defines when to launch an action.
To create a sample trigger, follow these steps:
Step 1 On the Director interface, click the Machine icon you want to
configure, and click Configure on the Security menu.
The Configuration Librarian opens.
Step 2 In the currently applied version, double-click Data Management.
The Data Management dialog box opens.
Step 3 Click the Triggers tab.
Step 4 Click Add.
The Add New Trigger dialog box opens.
Step 5 Type the name of your condition in the Condition Name field.
Step 6 Type /usr/nr/bin in the Condition Directory field.
Step 7 Select the Number of Files check box and type 5 in the field next to
the check box.
Step 8 Select the Notify check box.
Step 9 Click OK to close the Add New Trigger dialog box.
Step 10 Click the Notification tab.
Step 11 Type a valid e-mail address in the Notify Person #1 field.
NetRanger sends notifications to this e-mail address when
the number of files in /usr/nr/bin reaches 5.
Step 12 Edit the Notify Interval field to change the minimum time between
notifications.
The default interval is 60 minutes.
Step 13 Click OK to close the Data Management dialog box.
Custom email script...
# $MessageType is assigned earlier in the script (not shown in this excerpt).
# Fields $10 onward depend on the message type: 2 = error, 3 = command,
# 4 = alarm; see the field descriptions that follow.
if [[ $MessageType -eq 2 ]]; then
    ErrorMessage=${10}
elif [[ $MessageType -eq 3 ]]; then
    SrcApplID=${10}
    SrcHostID=${11}
    SrcOrgID=${12}
    CommandMessage=${13}
elif [[ $MessageType -eq 4 ]]; then
    SrcDirection=${10}
    DstDirection=${11}
    EventLevel=${12}
    EventSigID=${13}
    EventSubSigID=${14}
    ProtocolType=${15}
    # Address and port fields are only present for TCP/IP alarms.
    if [[ "${ProtocolType}" = "TCP/IP" ]]; then
        SrcIpAddr=${16}
        DstIpAddr=${17}
        SrcIpPort=${18}
        DstIpPort=${19}
        SourceAddr=${20}
        EventMessage=${21}
    fi
fi
If the record is an error message, the contents of the error message are
stored in the variable $ErrorMessage.
If the record is a command, the following variables are populated:
$SrcApplID---The ID of the application that generated the command.
$SrcHostID---The ID of the host that generated the command.
$SrcOrgID---The ID of the organization that generated the command.
$CommandMessage---The generated command.
If the record is an alarm, the following variables are populated:
$SrcDirection---The location of the attacking host or network, relative to
NetRanger's protected network: IN (from inside the protected network) or
OUT (from outside the protected network).
$DstDirection---The location of the attacked host or network, relative to
NetRanger's protected network: IN (inside the protected network) or OUT
(outside the protected network).
$EventLevel---The level of alarm activity. The default levels are between 1
and 5.
$EventSigID---The ID of the signature triggered by the alarm.
$EventSubSigID---The ID of the subsignature, if any, triggered by the alarm.
$ProtocolType---The protocol type of the alarm.
If the protocol type in $ProtocolType is TCP/IP, the following variables are
also populated:
$SrcIpAddr---The IP address of the attacking host.
$DstIpAddr---The IP address of the attacked host.
$SrcIpPort---The IP port of the attacking host (for example, "21" for FTP).
$DstIpPort---The IP port of the attacked host.
$SourceAddr---The IP address of the router.
$EventMessage---The generated alarm details, if any.
At 08:31 PM 8/7/00 +0000, Oscar Rau wrote:
>Is anyone using the NetRanger IDS system from Cisco? If so, I would like to
>know how to send email alerts from the sensor instead of the NetRanger
>director. If anyone has done this, would you please share how you
>accomplished this setup?
>
>Thank you in advance.
>
>Oscar Rau
>[EMAIL PROTECTED]
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
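The excerpt above only assigns variables; it stops short of the part a sensor-side notifier actually needs, which is turning the record into a message and deciding whether it is worth sending. The script below is an added example for this thread, not Cisco's script and not the poster's: it takes one event record as positional parameters, classifies it by message type with the same field numbering the excerpt uses from $10 onward, filters alarms by $EventLevel, and prints a mail header and body on stdout. The excerpt does not show where $MessageType comes from, and fields $1..$9 are not described on this page, so the example assumes the type is carried in $1; NOTIFY_TO, MIN_LEVEL and the sample record are this example's own choices. One point the excerpt leaves implicit: record fields such as $EventMessage are attacker-influenced, so they are passed to printf only as arguments, never as a format string or through eval.

```shell
#!/bin/sh
# Added example: format one NetRanger event record (given as positional
# parameters) as a mail message. Field meanings for $10 onward follow the
# field list above. ASSUMPTION (not stated on the page): $1 carries the
# message type the excerpt tests as $MessageType. Record contents are
# untrusted, so every field goes to printf as an argument, never as format.

NOTIFY_TO=${NOTIFY_TO:-root}   # recipient; assumed, set it for your site
MIN_LEVEL=${MIN_LEVEL:-3}      # alarm level threshold; this example's own choice

# should_notify RECORD...: succeed for error records and for alarms whose
# EventLevel (field 12) is at or above MIN_LEVEL; fail for anything else.
should_notify() {
    case "$1" in
    2) return 0 ;;
    4) [ "${12}" -ge "$MIN_LEVEL" ] 2>/dev/null ;;
    *) return 1 ;;
    esac
}

# build_alert_mail RECORD...: print To:, Subject: and a body for one record.
# Returns 1 for a message type the excerpt does not define.
build_alert_mail() {
    MessageType=$1
    printf 'To: %s\n' "$NOTIFY_TO"
    case "$MessageType" in
    2)  # error record: only the error text is carried
        ErrorMessage=${10}
        printf 'Subject: NetRanger error\n\n%s\n' "$ErrorMessage"
        ;;
    3)  # command record: who issued it and what it was
        SrcApplID=${10}; SrcHostID=${11}; SrcOrgID=${12}; CommandMessage=${13}
        printf 'Subject: NetRanger command from appl %s host %s org %s\n\n%s\n' \
            "$SrcApplID" "$SrcHostID" "$SrcOrgID" "$CommandMessage"
        ;;
    4)  # alarm record: addresses and ports are only present for TCP/IP
        SrcDirection=${10}; DstDirection=${11}; EventLevel=${12}
        EventSigID=${13}; EventSubSigID=${14}; ProtocolType=${15}
        if [ "$ProtocolType" = "TCP/IP" ]; then
            SrcIpAddr=${16}; DstIpAddr=${17}; SrcIpPort=${18}; DstIpPort=${19}
            SourceAddr=${20}; EventMessage=${21}
            printf 'Subject: NetRanger alarm level %s sig %s/%s %s:%s -> %s:%s\n\n' \
                "$EventLevel" "$EventSigID" "$EventSubSigID" \
                "$SrcIpAddr" "$SrcIpPort" "$DstIpAddr" "$DstIpPort"
            printf 'Attacker: %s:%s (%s)\nTarget: %s:%s (%s)\nRouter: %s\nDetails: %s\n' \
                "$SrcIpAddr" "$SrcIpPort" "$SrcDirection" \
                "$DstIpAddr" "$DstIpPort" "$DstDirection" \
                "$SourceAddr" "$EventMessage"
        else
            printf 'Subject: NetRanger alarm level %s sig %s/%s (%s)\n\n' \
                "$EventLevel" "$EventSigID" "$EventSubSigID" "$ProtocolType"
            printf 'Direction: %s -> %s\n' "$SrcDirection" "$DstDirection"
        fi
        ;;
    *)
        printf 'Subject: NetRanger record of unknown type %s\n\n' "$MessageType"
        return 1
        ;;
    esac
}

# Demo on a constructed alarm record (not captured from a sensor; h2..h9
# stand in for the header fields the excerpt does not describe).
demo_alarm() {
    build_alert_mail 4 h2 h3 h4 h5 h6 h7 h8 h9 OUT IN 4 3050 0 TCP/IP \
        192.0.2.10 198.51.100.5 4321 80 192.0.2.1 "constructed sample alarm"
}
demo_alarm
```

In a deployed script the demo call would be replaced by something like `should_notify "$@" && build_alert_mail "$@" | /usr/lib/sendmail -t`, which is why the output carries its own To: header; the level threshold keeps a noisy sensor from mailing every low-level alarm, which is the sensor-side equivalent of the Notify Interval the Director offers in the dialog above.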