bdoyle
Level 7

email log file entry when threat is detected


Hi All,

We would like to set up a rule that will email the Access Log file line that is created when a threat is detected. Does anyone know how to do this? We already have it set up so that when a threat is detected, it sends an email, but all we have in the body of the email is the threat name. If anyone knows how to send the log file entry, we'd really appreciate it.

We're running MWG7.2.

Thanks,

Brian

0 Kudos
1 Solution

Accepted Solutions
eelsasser
Level 15

Re: email log file entry when threat is detected


In the Found Virus log, you can add the email event to include the logLine as the body:

Email.Send ("Enter Valid Recipient Email", String.Concat ("Threat Alert from: ", System.HostName), User-Defined.logLine)<Default>

However, that is going to be the raw log line format. Pretty unreadable.

Instead, you can reformat the line to suit your taste. Here's how I happen to have mine:

Events:
Set User-Defined.logLine = "DateTime: "
+ DateTime.ToWebReporterString
+ String.CRLF
+ "System.HostName: "
+ String.ReplaceIfEquals (System.HostName, "", "-")
+ String.CRLF
+ "Authentication.UserName: "
+ String.ReplaceIfEquals (Authentication.UserName, "", "-")
+ String.CRLF
+ "Client.IP: "
+ String.ReplaceIfEquals (IP.ToString (Client.IP), "", "-")
+ String.CRLF
+ "URL.Destination.IP: "
+ String.ReplaceIfEquals (IP.ToString (URL.Destination.IP), "", "-")
+ String.CRLF
+ "URL.Host: "
+ String.ReplaceIfEquals (URL.Host, "", "-")
+ String.CRLF
+ "Response.StatusCode: "
+ String.ReplaceIfEquals (Number.ToString (Response.StatusCode), "", "-")
+ String.CRLF
+ "MediaType.FromHeader: "
+ String.ReplaceIfEquals (MediaType.ToString (MediaType.FromHeader), "", "-")
+ String.CRLF
+ "BytesFromClient: "
+ String.ReplaceIfEquals (Number.ToString (BytesFromClient), "", "-")
+ String.CRLF
+ "BytesFromServer: "
+ String.ReplaceIfEquals (Number.ToString (BytesFromServer), "", "-")
+ String.CRLF
+ "Request.Header.FirstLine: "
+ String.ReplaceIfEquals (String.ReplaceAll (Request.Header.FirstLine, "http", "hxxp"), "", "-")
+ String.CRLF
+ "URL.Categories: "
+ String.ReplaceIfEquals (List.OfCategory.ToString (URL.Categories), "", "-")
+ String.CRLF
+ "URL.ReputationString: "
+ String.ReplaceIfEquals (URL.ReputationString, "", "-")
+ String.CRLF
+ "URL.Reputation: "
+ String.ReplaceIfEquals (Number.ToString (URL.Reputation), "", "-")
+ String.CRLF
+ "Rules.CurrentRuleSet.Name: "
+ String.ReplaceIfEquals (Rules.CurrentRuleSet.Name, "", "-")
+ String.CRLF
+ "Rules.CurrentRule.Name: "
+ String.ReplaceIfEquals (Rules.CurrentRule.Name, "", "-")
+ String.CRLF
+ "Block.ID: "
+ String.ReplaceIfEquals (Number.ToString (Block.ID), "", "-")
+ String.CRLF
+ "Block.Reason: "
+ String.ReplaceIfEquals (Block.Reason, "", "-")
+ String.CRLF
+ "Antimalware.Infected: "
+ String.ReplaceIfEquals (Boolean.ToString (Antimalware.Infected), "", "-")
+ String.CRLF
+ "Antimalware.VirusNames: "
+ String.ReplaceIfEquals (List.OfString.ToString (Antimalware.VirusNames), "", "-")
+ String.CRLF
+ "Body.Modified: "
+ String.ReplaceIfEquals (Boolean.ToString (Body.Modified), "", "-")
+ String.CRLF
+ "Application.Reputation: "
+ String.ReplaceIfEquals (Application.Reputation, "", "-")
+ String.CRLF
+ "Application.Name: "
+ String.ReplaceIfEquals (Application.ToString (Application.Name), "", "-")
+ String.CRLF
+ "Referer: "
+ String.ReplaceIfEquals (String.ReplaceAll (Header.Request.Get ("Referer"), "http", "hxxp"), "", "-")
+ String.CRLF
+ "User-Agent: "
+ String.ReplaceIfEquals (Header.Request.Get ("User-Agent"), "", "-")
+ String.CRLF
+ "------------------------------"
Email.Send ("Enter Valid Recipient Email", String.Concat ("Threat Alert from: ", System.HostName), User-Defined.logLine)<Default>

The email body that is received looks like this:

DateTime: [05/Jul/2012:15:13:47 +0000]
System.HostName: reverse
Authentication.UserName: -
Client.IP: 192.168.2.2
URL.Destination.IP: 188.40.238.250
URL.Host: eicar.org
Response.StatusCode: 403
MediaType.FromHeader: -
BytesFromClient: 474
BytesFromServer: 381
Request.Header.FirstLine: GET hxxp://eicar.org/download/eicar.com hxxp/1.1
URL.Categories: Information Security
URL.ReputationString: Minimal Risk
URL.Reputation: 6
Rules.CurrentRuleSet.Name: Gateway Anti-Malware
Rules.CurrentRule.Name: Anti-Malware: Standard Setting for Trusted Sites
Block.ID: 80
Block.Reason: Malware found
Antimalware.Infected: true
Antimalware.VirusNames: McAfeeGW: EICAR test file
Body.Modified: false
Application.Reputation: -
Application.Name: -
Referer: hxxp://eicar.org/85-0-Download.html
------------------------------

Note that I replace "http" with "hxxp" on URL and Referer. This is because when a URL is getting sent, it has a tendency to hotlink in the message. If this is a malware URL, you do not want it clickable for fear of accidental exposure.

I attached my rules that go into the log handler. It also includes a greatly expanded FoundViruses.log, but you can delete that line if you want to keep the original format.

Message was edited by: eelsasser on 7/5/12 12:05:10 PM EDT
0 Kudos
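Added example (Python, not MWG rule code and not part of eelsasser's attachment): it builds the same "Name: value" alert body the Set User-Defined.logLine event above produces, with empty values shown as "-", and parses a received body back into a dict for SIEM ingestion. Two details the sample body above makes visible: replacing every "http" also rewrites the protocol-version token ("hxxp/1.1"), so the defang step here matches only URL schemes; and values such as "Anti-Malware: Standard Setting for Trusted Sites" themselves contain ": ", so the parser splits on the first separator only. The field names and sample values are taken from the body shown in the post; the selection of fields is a constructed subset.

```python
import re

# Only a URL scheme followed by "://" is rewritten, so "HTTP/1.1" is left intact.
SCHEME_RE = re.compile(r"\bhttp(s?)://", re.IGNORECASE)

# Constructed sample input: a subset of the fields from the alert body in the thread,
# before any defanging, plus one empty field to exercise the "-" substitution.
SAMPLE_FIELDS = {
    "DateTime": "[05/Jul/2012:15:13:47 +0000]",
    "Client.IP": "192.168.2.2",
    "URL.Host": "eicar.org",
    "Request.Header.FirstLine": "GET http://eicar.org/download/eicar.com HTTP/1.1",
    "Rules.CurrentRule.Name": "Anti-Malware: Standard Setting for Trusted Sites",
    "Antimalware.VirusNames": "McAfeeGW: EICAR test file",
    "Application.Name": "",
    "Referer": "http://eicar.org/85-0-Download.html",
}
URL_FIELDS = {"Request.Header.FirstLine", "Referer"}


def defang(text: str) -> str:
    """Turn http:// and https:// into hxxp:// and hxxps:// so mail clients do not hotlink them."""
    return SCHEME_RE.sub(r"hxxp\1://", text)


def format_field(name: str, value) -> str:
    """One 'Name: value' line; empty values become '-' like String.ReplaceIfEquals does."""
    text = "" if value is None else str(value)
    return f"{name}: {text if text else '-'}"


def build_alert_body(fields: dict) -> str:
    """CRLF-joined body, defanging only the URL-bearing fields, ending with the separator line."""
    lines = []
    for name, value in fields.items():
        if name in URL_FIELDS and value:
            value = defang(value)
        lines.append(format_field(name, value))
    lines.append("-" * 30)
    return "\r\n".join(lines)


def parse_alert_body(body: str) -> dict:
    """Parse a received body back into a dict; '-' maps back to an empty string."""
    parsed = {}
    for line in body.splitlines():
        if not line or set(line) == {"-"}:   # skip blank lines and the separator
            continue
        name, sep, value = line.partition(": ")  # first ': ' only; values may contain ': '
        if not sep:
            raise ValueError(f"malformed alert line: {line!r}")
        parsed[name] = "" if value == "-" else value
    return parsed
```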
2 Replies
bdoyle
Level 7

Re: email log file entry when threat is detected


Thanks again e.. works perfectly!

0 Kudos