SIEM Right-Click sending trap to ASM


Userlevel 1
Who has asmright-click.pl?

or

Who can help me check the .pl file?

#!/usr/bin/perl
use strict;
use warnings;

# Variables to change
my $NETSIGHT_TRAP_SERVER = "192.168.30.134";
my $SNMP_USERNAME = "snmpuser";
my $AUTHENTICATION_TYPE = "MD5";
my $AUTHENTICATION_PASSWORD = "snmpauthcred";
my $PRIVACY_TYPE = "DES";
my $PRIVACY_PASSWORD = "snmpprivcred";
my $SENDER_ID = "SIEM";
my $SENDER_NAME = "192.168.30.200";
my $THREAT_NAME = "DSCC Intervention";
my $THREAT_CATEGORY = "UserRemove";
my $INITIATOR_ADDRESS = "1.1.1.1";
my $TRAP_PORT = "162";

# DO NOT ALTER CODE FROM THIS LINE FORWARD

# Trap OID and the OID of the string varbind that carries the consolidated data
my $NOTIFICATION_MESSAGE_OID = ".1.3.6.1.4.1.5624.1.2.45.1.0.3";
my $CONSOLIDATED_DATA_OID = ".1.3.6.1.4.1.5624.1.2.45.1.1.12";

print "An SNMP trap has been sent to the Automated Security Manager (ASM) remediation server.\n";
print "The user will be removed from the network.\n";

# SNMPv2c variant, kept for reference:
#$action .= "snmptrap -d -v 2c -c public 192.168.30.134 UCD-SNMP-MIB::ucdStart message s disk utilization exceed 80%";

# SNMPv3 inform (-Ci); -l authPriv is required so that the auth/priv credentials are actually used
my $action = "snmptrap -Ci -v 3 -l authPriv -u $SNMP_USERNAME -a $AUTHENTICATION_TYPE -A $AUTHENTICATION_PASSWORD -x $PRIVACY_TYPE -X $PRIVACY_PASSWORD ";
# target host:port, sysUpTime value (0), trap OID, then one string ("s") varbind holding the key='value' pairs
$action .= "$NETSIGHT_TRAP_SERVER:$TRAP_PORT 0 $NOTIFICATION_MESSAGE_OID $CONSOLIDATED_DATA_OID s \"etsysThreatNotificationSenderName='$SENDER_NAME' ";
$action .= "etsysThreatNotificationThreatName='$THREAT_NAME' etsysThreatNotificationThreatCategory='$THREAT_CATEGORY' etsysThreatNotificationSenderID='$SENDER_ID' ";
$action .= "etsysThreatNotificationInitiatorAddress='$INITIATOR_ADDRESS'\"";

# Run the assembled snmptrap command
system($action) == 0 or die "snmptrap failed: $?\n";

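The same trap assembled in Python, as an added example that is not the script from the post: it builds the etsysThreatNotificationConsolidatedData string in the key='value' format the thread shows, hands snmptrap an argument list instead of a shell string (so a threat name containing shell metacharacters cannot alter the command), and parses the string back as it appears in the NetSight event. The OIDs and sample addresses are the ones from the post; the function names and the v3 credential dict are assumptions of this example.

```python
import re
import shlex
import subprocess

# OIDs from the original script
NOTIFICATION_MESSAGE_OID = ".1.3.6.1.4.1.5624.1.2.45.1.0.3"
CONSOLIDATED_DATA_OID = ".1.3.6.1.4.1.5624.1.2.45.1.1.12"

# Fields carried in the consolidated-data varbind, in the order the script emits them
FIELDS = ("SenderName", "ThreatName", "ThreatCategory", "SenderID", "InitiatorAddress")

def build_consolidated_data(values):
    """Return "etsysThreatNotification<Field>='value' ..." for the fields above.
    The format has no escape character, so a value containing a single quote is rejected."""
    parts = []
    for field in FIELDS:
        value = str(values[field])
        if "'" in value:
            raise ValueError(f"{field} may not contain a single quote")
        parts.append(f"etsysThreatNotification{field}='{value}'")
    return " ".join(parts)

def parse_consolidated_data(data):
    """Parse the string back into a dict; tolerates spaces around '=' and empty values."""
    pattern = r"etsysThreatNotification(\w+)\s*=\s*'([^']*)'"
    return {m.group(1): m.group(2) for m in re.finditer(pattern, data)}

def build_snmptrap_argv(server, port, v3, consolidated):
    """argv for an SNMPv3 authPriv inform (-Ci), executed without a shell.
    v3 is a dict with user, auth_proto, auth_pass, priv_proto, priv_pass (assumed layout)."""
    return ["snmptrap", "-Ci", "-v", "3", "-l", "authPriv",
            "-u", v3["user"], "-a", v3["auth_proto"], "-A", v3["auth_pass"],
            "-x", v3["priv_proto"], "-X", v3["priv_pass"],
            f"{server}:{port}", "0", NOTIFICATION_MESSAGE_OID,
            CONSOLIDATED_DATA_OID, "s", consolidated]

def send_trap(argv):
    """Run snmptrap (shell=False) and return its exit status."""
    return subprocess.run(argv, check=False).returncode

if __name__ == "__main__":
    # Constructed sample values taken from the post
    data = build_consolidated_data({"SenderName": "192.168.30.200", "ThreatName": "DSCC Intervention",
                                    "ThreatCategory": "UserRemove", "SenderID": "SIEM",
                                    "InitiatorAddress": "1.1.1.1"})
    creds = {"user": "snmpuser", "auth_proto": "MD5", "auth_pass": "snmpauthcred",
             "priv_proto": "DES", "priv_pass": "snmpprivcred"}
    print(shlex.join(build_snmptrap_argv("192.168.30.134", 162, creds, data)))
```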

10 replies

Userlevel 3
Hi,

There would be built-in support for sending traps over to ASM. Please take a moment and view a notification for any of the existing rules. Here you will see the SNMP/ASM options; this may be the best option here.

Thanks
Jeff
Userlevel 1
I understand the SNMP/ASM option.
The trap only sends etsysThreatNotificationInformationMessage3.
etsysThreatNotificationConsolidatedData is lost.

etsysThreatNotificationConsolidatedData includes some information like below:

etsysThreatNotificationSenderID='192.168.30.200'
etsysThreatNotificationSenderName='SIEM'
etsysThreatNotificationThreatCategory='ASM_MISUSE'
etsysThreatNotificationThreatName='' etsysThreatNotificationInitiatorAddress='192.168.2.10'

Userlevel 3
Hi

To be sure I understand can you tell me the origin of the two screenshots?

Thanks
Jeff
Userlevel 1
The two screenshots are NetSight events.
The traps are all from SIEM.
One is sent by the SNMP/ASM option (first screenshot).
The other is sent by the snmptrap command (second screenshot).

My problem is: why does the trap sent by the SNMP/ASM option have no etsysThreatNotificationConsolidatedData?
Userlevel 3
Hi,

Thanks for the reply. This may take some lab/recreation time to understand root cause. I will look closer at this.

Thanks
Jeff
Userlevel 1
Thanks
Userlevel 3
Hi,

So far seeing the same. May move to an escalation for product adjustment but too early to tell.

Userlevel 7
Are there any updates to add to this thread?
Userlevel 3
A case was created with the GTAC.
Userlevel 1
Thanks~~