SIEM Right-Click sending trap to ASM

  • Problem
  • Updated 3 years ago
  • Solved
Who has asmright-click.pl?

Or

Who can help me to check the .pl file?


#!/usr/bin/perl
use strict;
use warnings;

# Variables to change
my $NETSIGHT_TRAP_SERVER    = "192.168.30.134";
my $SNMP_USERNAME           = "snmpuser";
my $AUTHENTICATION_TYPE     = "MD5";
my $AUTHENTICATION_PASSWORD = "snmpauthcred";
my $PRIVACY_TYPE            = "DES";
my $PRIVACY_PASSWORD        = "snmpprivcred";
my $SENDER_ID               = "SIEM";
my $SENDER_NAME             = "192.168.30.200";
my $THREAT_NAME             = "DSCC Intervention";
my $THREAT_CATEGORY         = "UserRemove";
my $INITIATOR_ADDRESS       = "1.1.1.1";
my $TRAP_PORT               = "162";

# DO NOT ALTER CODE FROM THIS LINE FORWARD

my $NOTIFICATION_MESSAGE_OID = ".1.3.6.1.4.1.5624.1.2.45.1.0.3";   # etsysThreatNotification trap OID
my $CONSOLIDATED_DATA_OID    = ".1.3.6.1.4.1.5624.1.2.45.1.1.12";  # etsysThreatNotificationConsolidatedData

# The value ASM parses: key='value' pairs separated by single spaces, no space around '='
my $consolidated_data = join(' ',
    "etsysThreatNotificationSenderName='$SENDER_NAME'",
    "etsysThreatNotificationThreatName='$THREAT_NAME'",
    "etsysThreatNotificationThreatCategory='$THREAT_CATEGORY'",
    "etsysThreatNotificationSenderID='$SENDER_ID'",
    "etsysThreatNotificationInitiatorAddress='$INITIATOR_ADDRESS'",
);

# SNMPv2c variant kept from the original for reference:
#$action .= "snmptrap -d -v 2c -c public 192.168.30.134 UCD-SNMP-MIB::ucdStart message s  disk utilization exceed 80%";

# snmptrap arguments: -Ci sends an INFORM, -l authPriv matches the auth+priv credentials above,
# '' as the uptime lets snmptrap fill in sysUpTime. List form keeps the SNMPv3 credentials
# out of a shell command line, and the target host is interpolated ($NETSIGHT_TRAP_SERVER),
# which the original string form missed.
my @action = (
    'snmptrap', '-Ci', '-v', '3', '-l', 'authPriv',
    '-u', $SNMP_USERNAME,
    '-a', $AUTHENTICATION_TYPE, '-A', $AUTHENTICATION_PASSWORD,
    '-x', $PRIVACY_TYPE,        '-X', $PRIVACY_PASSWORD,
    "$NETSIGHT_TRAP_SERVER:$TRAP_PORT", '', $NOTIFICATION_MESSAGE_OID,
    $CONSOLIDATED_DATA_OID, 's', $consolidated_data,
);

# Send the trap and report only after snmptrap succeeds
system(@action) == 0
    or die "snmptrap failed (exit status " . ($? >> 8) . ")\n";

printf("An SNMP trap has been sent to the Automated Security Manager (ASM) remediation server.\n");
printf("The user will be removed from the network.\n");



An-Tin Liu

Posted 3 years ago

Dudley, Jeff, Employee

Hi,

There would be built-in support for sending traps over to ASM. Please take a moment and view a notification for any of the existing rules. Here you will see an SNMP/ASM option; this may be the best option here.

Thanks
Jeff
An-Tin Liu

I understand the SNMP/ASM option.
The trap only sends etsysThreatNotificationInformationMessage3.
etsysThreatNotificationConsolidatedData is lost.


etsysThreatNotificationConsolidatedData includes some information like below:

etsysThreatNotificationSenderID='192.168.30.200'

etsysThreatNotificationSenderName='SIEM'

etsysThreatNotificationThreatCategory='ASM_MISUSE'

etsysThreatNotificationThreatName=''

etsysThreatNotificationInitiatorAddress='192.168.2.10'
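As an added example (not code from this thread, nor from NetSight/ASM), a receiver-side check that makes the diagnosis above mechanical: it takes a trap's decoded varbinds as (oid, value) pairs (an assumed input shape; however you capture traps, map them to that), confirms the etsysThreatNotificationConsolidatedData varbind is present, parses its key='value' fields, and also validates the InitiatorAddress as an IP address. The two sample traps are constructed to reproduce the snmptrap-script case and the SNMP/ASM-option case described here.

```python
import ipaddress
import re

# OIDs from the script in the thread, plus the standard snmpTrapOID.0
THREAT_NOTIFICATION_TRAP_OID = ".1.3.6.1.4.1.5624.1.2.45.1.0.3"
CONSOLIDATED_DATA_OID = ".1.3.6.1.4.1.5624.1.2.45.1.1.12"
SNMP_TRAP_OID = ".1.3.6.1.6.3.1.1.4.1.0"

# Fields ASM needs, as listed in the thread's ConsolidatedData example
REQUIRED_FIELDS = (
    "etsysThreatNotificationSenderID", "etsysThreatNotificationSenderName",
    "etsysThreatNotificationThreatCategory", "etsysThreatNotificationInitiatorAddress",
)

# key='value' pairs, no whitespace around '='; a value may be empty ('')
_PAIR_RE = re.compile(r"(\w+)='([^']*)'")

def parse_consolidated_data(text):
    """Parse the ConsolidatedData string into a dict of field -> value."""
    return dict(_PAIR_RE.findall(text))

def check_trap(varbinds):
    """Return the problems found in a decoded trap given as (oid, value) pairs."""
    by_oid = dict(varbinds)
    problems = []
    if by_oid.get(SNMP_TRAP_OID) != THREAT_NOTIFICATION_TRAP_OID:
        problems.append("snmpTrapOID.0 is not the etsysThreatNotification trap")
    data = by_oid.get(CONSOLIDATED_DATA_OID)
    if data is None:  # the thread's SNMP/ASM option case: only a message arrives
        problems.append("etsysThreatNotificationConsolidatedData varbind missing")
        return problems
    fields = parse_consolidated_data(data)
    problems += [f"{n} missing or malformed" for n in REQUIRED_FIELDS if n not in fields]
    addr = fields.get("etsysThreatNotificationInitiatorAddress")
    if addr is not None:
        try:
            ipaddress.ip_address(addr)  # ASM needs a real address to locate the user
        except ValueError:
            problems.append(f"InitiatorAddress {addr!r} is not an IP address")
    return problems

# Constructed samples (not captured from the systems in the thread)
GOOD_TRAP = [
    (SNMP_TRAP_OID, THREAT_NOTIFICATION_TRAP_OID),
    (CONSOLIDATED_DATA_OID,
     "etsysThreatNotificationSenderID='192.168.30.200' etsysThreatNotificationSenderName='SIEM' "
     "etsysThreatNotificationThreatCategory='ASM_MISUSE' etsysThreatNotificationThreatName='' "
     "etsysThreatNotificationInitiatorAddress='192.168.2.10'"),
]
TRAP_WITHOUT_DATA = [(SNMP_TRAP_OID, THREAT_NOTIFICATION_TRAP_OID)]
```

Because the regex requires key='value' with no space around '=', a value such as SenderName= '...' (a space after the equals sign, as in the script posted above) is reported as missing rather than silently accepted.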


Dudley, Jeff, Employee

Hi

To be sure I understand, can you tell me the origin of the two screenshots?

Thanks
Jeff
An-Tin Liu

The two screenshots are Netsight events.
The traps are all from SIEM.
One uses the SNMP/ASM option (first screenshot).
The second uses the snmptrap command (second screenshot).

My problem is: "Why does the trap sent by the SNMP/ASM option have no etsysThreatNotificationConsolidatedData?"
Dudley, Jeff, Employee

Hi,

Thanks for the reply. This may take some lab/recreation time to understand the root cause. I will look closer at this.

Thanks
Jeff
An-Tin Liu

Thanks
Dudley, Jeff, Employee

Hi,

So far seeing the same. May move to an escalation for product adjustment, but too early to tell.

Drew C., Community Manager

Are there any updates to add to this thread?
Dudley, Jeff, Employee

A case was created with the GTAC.
An-Tin Liu

Thanks~~