SIEM Right-Click sending trap to ASM
‎10-06-2015 06:17 AM
Who has asmright-click.pl?
Or who can help me check the .pl file?
#!/usr/bin/perl
use strict;
use warnings;

# Variables to change
my $NETSIGHT_TRAP_SERVER = "192.168.30.134";
my $SNMP_USERNAME = "snmpuser";
my $AUTHENTICATION_TYPE = "MD5";
my $AUTHENTICATION_PASSWORD = "snmpauthcred";
my $PRIVACY_TYPE = "DES";
my $PRIVACY_PASSWORD = "snmpprivcred";
my $SENDER_ID = "SIEM";
my $SENDER_NAME = "192.168.30.200";
my $THREAT_NAME = "DSCC Intervention";
my $THREAT_CATEGORY = "UserRemove";
my $INITIATOR_ADDRESS = "1.1.1.1";
my $TRAP_PORT = "162";

# DO NOT ALTER CODE FROM THIS LINE FORWARD
# Trap OID and the OID of the etsysThreatNotificationConsolidatedData varbind
my $NOTIFICATION_MESSAGE_OID = ".1.3.6.1.4.1.5624.1.2.45.1.0.3";
my $CONSOLIDATED_DATA_OID = ".1.3.6.1.4.1.5624.1.2.45.1.1.12";
printf("An SNMP trap has been sent to the Automated Security Manager (ASM) remediation server.\n");
printf("The user will be removed from the network.\n");

# Earlier v2c test command, left commented out
#$action .= "snmptrap -d -v 2c -c public 192.168.30.134 UCD-SNMP-MIB::ucdStart message s disk utilization exceed 80%";

# SNMPv3 inform (-C i) with authPriv credentials
my $action = "";
$action .= "snmptrap -C i -v 3 -u $SNMP_USERNAME -a $AUTHENTICATION_TYPE -A $AUTHENTICATION_PASSWORD -x $PRIVACY_TYPE -X $PRIVACY_PASSWORD ";
# Target host:port, sysUpTime (0), trap OID, then the consolidated data as ONE quoted string varbind
$action .= "$NETSIGHT_TRAP_SERVER:$TRAP_PORT 0 $NOTIFICATION_MESSAGE_OID $CONSOLIDATED_DATA_OID s \"etsysThreatNotificationSenderName='$SENDER_NAME' ";
$action .= "etsysThreatNotificationThreatName='$THREAT_NAME' etsysThreatNotificationThreatCategory='$THREAT_CATEGORY' etsysThreatNotificationSenderID='$SENDER_ID' ";
$action .= "etsysThreatNotificationInitiatorAddress='$INITIATOR_ADDRESS'\"";

# Run the assembled snmptrap command and report a non-zero exit status
system($action) == 0 or die "snmptrap failed: $?\n";
10 REPLIES
‎10-09-2015 11:05 AM
Thanks
‎10-09-2015 09:56 AM
Hi,
Thanks for the reply. This may take some lab/recreation time to understand root cause. I will look closer at this.
Thanks
Jeff
‎10-07-2015 09:29 PM
The two screenshots are NetSight events.
The traps are all from the SIEM.
One is sent using the SNMP/ASM option (first screenshot).
The other is sent using the snmptrap command (second screenshot).
My problem is: why does the trap sent by the SNMP/ASM option have no etsysThreatNotificationConsolidatedData?
‎10-07-2015 10:02 AM
Hi
To be sure I understand, can you tell me the origin of the two screenshots?
Thanks
Jeff
‎10-06-2015 11:26 PM
I understand the SNMP/ASM option.
The trap only sends etsysThreatNotificationInformationMessage3.
etsysThreatNotificationConsolidatedData is lost.
etsysThreatNotificationConsolidatedData includes some information like below:
etsysThreatNotificationSenderID='192.168.30.200'
etsysThreatNotificationSenderName='SIEM'
etsysThreatNotificationThreatCategory='ASM_MISUSE'
etsysThreatNotificationThreatName='' etsysThreatNotificationInitiatorAddress='192.168.2.10'
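Added example, not part of the thread or of the asm right-click script: a Python helper that builds the same snmptrap argument list the Perl script assembles (as an argv list, so the quoted varbind cannot be broken by shell quoting) and parses a received etsysThreatNotificationConsolidatedData string to report which of the five fields listed in the post above are missing, which is the symptom described when only InformationMessage3 arrives. The field set, the -Ci inform flag and the sample string are taken from the posts; the argv layout is net-snmp's snmptrap order (host, uptime, trap OID, varbinds).

```python
import re

# OIDs used by the asm right-click script in the thread (Enterasys etsysThreatNotification MIB)
NOTIFICATION_MESSAGE_OID = ".1.3.6.1.4.1.5624.1.2.45.1.0.3"
CONSOLIDATED_DATA_OID = ".1.3.6.1.4.1.5624.1.2.45.1.1.12"

# Field names ASM expects inside etsysThreatNotificationConsolidatedData (from the posts)
REQUIRED_FIELDS = (
    "etsysThreatNotificationSenderID",
    "etsysThreatNotificationSenderName",
    "etsysThreatNotificationThreatCategory",
    "etsysThreatNotificationThreatName",
    "etsysThreatNotificationInitiatorAddress",
)
PAIR_RE = re.compile(r"(\w+)='([^']*)'")

def build_consolidated_data(fields):
    """Serialise the fields as name='value' pairs; a quote inside a value would corrupt the varbind."""
    for name in REQUIRED_FIELDS:
        if "'" in fields.get(name, ""):
            raise ValueError("single quote not allowed in " + name)
    return " ".join("%s='%s'" % (n, fields.get(n, "")) for n in REQUIRED_FIELDS)

def build_snmptrap_argv(server, port, v3, data):
    """argv for an SNMPv3 inform (-Ci); run it with subprocess.run(argv), no shell needed."""
    return ["snmptrap", "-Ci", "-v", "3",
            "-u", v3["user"], "-a", v3["auth_type"], "-A", v3["auth_pass"],
            "-x", v3["priv_type"], "-X", v3["priv_pass"],
            "%s:%s" % (server, port), "",  # empty uptime: snmptrap fills in sysUpTime
            NOTIFICATION_MESSAGE_OID, CONSOLIDATED_DATA_OID, "s", data]

def parse_consolidated_data(text):
    """Dict of the name='value' pairs found in a received ConsolidatedData string."""
    return dict(PAIR_RE.findall(text))

def missing_fields(text):
    """Field names absent from a received string (all five when only InformationMessage3 arrived)."""
    present = parse_consolidated_data(text)
    return [n for n in REQUIRED_FIELDS if n not in present]

# Constructed sample matching the values quoted in the last post of the thread
SAMPLE_DATA = ("etsysThreatNotificationSenderID='192.168.30.200' etsysThreatNotificationSenderName='SIEM' "
               "etsysThreatNotificationThreatCategory='ASM_MISUSE' etsysThreatNotificationThreatName='' "
               "etsysThreatNotificationInitiatorAddress='192.168.2.10'")
```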
