topic RE: SIEM Right-Click sending trap to ASM in End of Service Products

SIEM Right-Click sending trap to ASM

An-Tin_Liu — Tue, 06 Oct 2015 13:17:00 GMT

who has asmright-click.pl

or

who can help me to check the pl file

#!/usr/bin/perl #Variables to change

$NETSIGHT_TRAP_SERVER = "192.168.30.134";

$SNMP_USERNAME = "snmpuser";

$AUTHENTICATION_TYPE = "MD5";

$AUTHENTICATION_PASSWORD = "snmpauthcred";

$PRIVACY_TYPE = "DES";

$PRIVACY_PASSWORD = "snmpprivcred";

$SENDER_ID = "SIEM";

$SENDER_NAME = "192.168.30.200";

$THREAT_NAME = "DSCC Intervention";

$THREAT_CATEGORY = "UserRemove";

$INITIATOR_ADDRESS = "1.1.1.1";

$TRAP_PORT = "162";

# DO NOT ALTER CODE FROM THIS LINE FORWARD

$NOTIFICATION_MESSAGE_OID = ".1.3.6.1.4.1.5624.1.2.45.1.0.3";

$CONSOLIDATED_DATA_OID = ".1.3.6.1.4.1.5624.1.2.45.1.1.12";

printf("AN SNMP trap has been sent to the Automated Security Manager (ASM) remediation server.\n");

printf("The user will be removed from the network.\n");

#$action .= "snmptrap -d -v 2c -c public 192.168.30.134 UCD-SNMP-MIB::ucdStart message s disk utilization exceed 80%";

$action .= "snmptrap -C i -v 3 -u $SNMP_USERNAME -a $AUTHENTICATION_TYPE -A $AUTHENTICATION_PASSWORD -x $PRIVACY_TYPE -X $PRIVACY_PASSWORD ";

$action .= "NETSIGHT_TRAP_SERVER:$TRAP_PORT O $NOTIFICATION_MESSAGE_OID $CONSOLIDATED_DATA_OID s "etsysThreatNotificationSenderName= '$SENDER_NAME' "" ;

$action .= ""etsysThreatNotificationThreatName='$THREAT_NAME' etsysThreatNotificationThreatCategory='$THREAT_CATEGORY' etsysThreatNotificationSenderID='$SENDER_ID' "";

$action .= ""etsysThreatNotificationInitiatorAddress='$INITIATOR_ADDRESS'\"""";

"

RE: SIEM Right-Click sending trap to ASM

Dudley__Jeff — Tue, 06 Oct 2015 18:08:00 GMT

Hi,

There would be built in support for sending traps over to ASM. Please take a moment and view a notification for any of the existing rules. Here you will see a SNMP/ASM options this may be the best option here.

Thanks
Jeff

RE: SIEM Right-Click sending trap to ASM

An-Tin_Liu — Wed, 07 Oct 2015 06:26:00 GMT

I understand SNMP/ASM option.
The trap only send etsysThreatNotificationInformationMessage3.
etsysThreatNotificationConsolidatedData is lost

etsysThreatNotificationConsolidatedData include some information like below :etsysThreatNotificationSenderID='192.168.30.200’

etsysThreatNotificationSenderName='SIEM’

etsysThreatNotificationThreatCategory='ASM_MISUSE’

etsysThreatNotificationThreatName='' etsysThreatNotificationInitiatorAddress='192.168.2.10'

RE: SIEM Right-Click sending trap to ASM

Dudley__Jeff — Wed, 07 Oct 2015 17:02:00 GMT

Hi

To be sure I understand can you tell me the origin of the two screenshots?

Thanks
Jeff

RE: SIEM Right-Click sending trap to ASM

An-Tin_Liu — Thu, 08 Oct 2015 04:29:00 GMT

the two screenshot is Netsight event.
The traps are all from SIEM.
One is used by SNMP/ASM option.(first screenshots)
Two is used by snmptrap command. (second screenshots)

My problem is that " why trap send by SNMP/ASM option is no etsysThreatNotificationConsolidatedData? "

RE: SIEM Right-Click sending trap to ASM

Dudley__Jeff — Fri, 09 Oct 2015 16:56:00 GMT

Hi,

Thanks for the reply. This may take some lab/recreation time to understand root cause. I will look closer at this.

Thanks
Jeff

RE: SIEM Right-Click sending trap to ASM

An-Tin_Liu — Fri, 09 Oct 2015 18:05:00 GMT

Thanks

RE: SIEM Right-Click sending trap to ASM

Dudley__Jeff — Fri, 09 Oct 2015 18:59:00 GMT

Hi,

So far seeing the same. May move to an escalation for product adjustment but too early to tell.

RE: SIEM Right-Click sending trap to ASM

Drew_C — Tue, 13 Oct 2015 21:49:00 GMT

Are there any updates to add to this thread?

RE: SIEM Right-Click sending trap to ASM

Dudley__Jeff — Tue, 13 Oct 2015 22:06:00 GMT

A case was created with the GTAC.

RE: SIEM Right-Click sending trap to ASM

An-Tin_Liu — Wed, 14 Oct 2015 05:49:00 GMT

Ｔhanks~~