Pulling Field Info from Event and sending to external script/firewall


I need to pull the data from two fields in a packet (username and IP address) and send the information to a firewall we have for it to create a dynamic rule.

What would be the best way to accomplish this? 

I have considered forwarding the event with the packet to an external script server that would then have to do all of the work of parsing the packet and sending the info to the firewall. 

However, I am wondering if the ESM has the capability to send the information directly to the firewall?

Thanks for any help in advance.

2 Replies

Re: Pulling Field Info from Event and sending to external script/firewall

I don't believe there's a method to send the info you're looking for directly to the firewall.  However, we can send the fields you need to a script of your design, which can then take care of forwarding the info to the firewall as appropriate.  To accomplish this:

  1. Design your script and host it on a system that supports remote SSH authentication.  The script should support passing the parameters you need on the command line (e.g. "send_to_firewall username").
  2. Set up an alarm that triggers based on the conditions under which you'd like your script to be invoked.  This may require building a correlation rule (and triggering the alarm based on the rule firing), depending on how sophisticated you need the conditions to be.
  3. For an action, set the alarm to Execute Remote Command. 
    • Host/Port: IP and SSH port for your scripting host.
    • Username/Password: Credentials ESM should use to authenticate to this host.
    • Command String: "send_to_firewall [$%Source_UserID] [$Destination IP]"

          If you have other fields you'd like to send to your script, you'll find them all in a popup menu underneath the green arrow icon.
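As an added illustration of step 1 (not code from the original reply or from the ESM product), here is a receiver script for the Execute Remote Command action. It takes the username and IP that ESM substitutes into the command string, validates both before anything is forwarded (the values are raw event field contents), records every invocation in a log file so you can confirm the action actually fired, and builds the rule payload. The firewall API schema, the log path and the `send_to_firewall.py` name are assumptions; the actual send call is vendor-specific and left as a comment.

```python
#!/usr/bin/env python3
"""Receiver for an ESM "Execute Remote Command" alarm action (example code).

Invoked over SSH as:  send_to_firewall.py <username> <ip>
"""
import ipaddress
import json
import re
import sys
from datetime import datetime, timezone

LOG_PATH = "/var/log/send_to_firewall.log"          # assumed location
# Accept plain, DOMAIN\user and user@domain forms; reject shell metacharacters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@\\-]{1,64}$")


def validate(username: str, ip: str) -> dict:
    """Return cleaned {'username', 'ip'} or raise ValueError on bad input."""
    if not USERNAME_RE.match(username):
        raise ValueError(f"rejected username {username!r}")
    addr = ipaddress.ip_address(ip)                   # ValueError on junk
    if addr.is_loopback or addr.is_unspecified or addr.is_multicast:
        raise ValueError(f"rejected address {ip!r}")
    return {"username": username, "ip": str(addr)}


def build_rule(fields: dict, ttl_seconds: int = 3600) -> dict:
    """Dynamic-rule payload for the firewall API (hypothetical schema)."""
    return {"action": "block", "user": fields["username"],
            "src": fields["ip"], "ttl": ttl_seconds, "source": "esm-alarm"}


def log_invocation(argv, outcome: str, path: str = LOG_PATH) -> str:
    """Append one JSON line per call so every alarm trigger leaves a trace."""
    line = json.dumps({"ts": datetime.now(timezone.utc).isoformat(),
                       "argv": list(argv), "outcome": outcome})
    with open(path, "a") as fh:
        fh.write(line + "\n")
    return line


def main(argv=None) -> int:
    argv = sys.argv[1:] if argv is None else argv
    if len(argv) != 2:
        log_invocation(argv, "bad-argc")
        return 2
    try:
        rule = build_rule(validate(argv[0], argv[1]))
    except ValueError as exc:
        log_invocation(argv, f"rejected: {exc}")
        return 1
    # send_rule(rule) would POST to the firewall API here (vendor-specific)
    log_invocation(argv, "sent " + json.dumps(rule))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```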



Re: Pulling Field Info from Event and sending to external script/firewall


Any way to create a log when the command executes? I see in the alarm that the action is logged, but the data is not getting to the ePO server. My example is different than above, but this is my command string.  I have tried a pipe to a log file with no luck.

python /lvdata/mcafee/tie/[$%MD5_Hash][$%Filename][$%SHA1_Hash][$%SHA256_Hash]>>addhash.log