2 Replies Latest reply on Jul 5, 2012 11:12 AM by bdoyle

    email log file entry when threat is detected

    bdoyle

      Hi All,

      We would like to set up a rule that will email the Access Log file line that is created when a threat is detected. Does anyone know how to do this? We already have it set up so that when a threat is detected, it sends an email, but all we have in the body of the email is the threat name. If anyone knows how to send the log file entry, we'd really appreciate it.

      We're running MWG7.2.

      Thanks,

      Brian

        • 1. Re: email log file entry when threat is detected

          In the Found Virus log, you can add the email event to include the logLine as the body:

          Email.Send ("Enter Valid Recipient Email", String.Concat ("Threat Alert from: ", System.HostName), User-Defined.logLine)<Default>

However, that is going to be the raw log line format, which is pretty unreadable.

Instead, you can reformat the line to suit your taste. Here is how I happen to have mine:

          Events:
          Set User-Defined.logLine = "DateTime: "
          + DateTime.ToWebReporterString
          + String.CRLF
          + "System.HostName: "
          + String.ReplaceIfEquals (System.HostName, "", "-")
          + String.CRLF
          + "Authentication.UserName: "
          + String.ReplaceIfEquals (Authentication.UserName, "", "-")
          + String.CRLF
          + "Client.IP: "
          + String.ReplaceIfEquals (IP.ToString (Client.IP), "", "-")
          + String.CRLF
          + "URL.Destination.IP: "
          + String.ReplaceIfEquals (IP.ToString (URL.Destination.IP), "", "-")
          + String.CRLF
          + "URL.Host: "
          + String.ReplaceIfEquals (URL.Host, "", "-")
          + String.CRLF
          + "Response.StatusCode: "
          + String.ReplaceIfEquals (Number.ToString (Response.StatusCode), "", "-")
          + String.CRLF
          + "MediaType.FromHeader: "
          + String.ReplaceIfEquals (MediaType.ToString (MediaType.FromHeader), "", "-")
          + String.CRLF
          + "BytesFromClient: "
          + String.ReplaceIfEquals (Number.ToString (BytesFromClient), "", "-")
          + String.CRLF
          + "BytesFromServer: "
          + String.ReplaceIfEquals (Number.ToString (BytesFromServer), "", "-")
          + String.CRLF
          + "Request.Header.FirstLine: "
          + String.ReplaceIfEquals (String.ReplaceAll (Request.Header.FirstLine, "http", "hxxp"), "", "-")
          + String.CRLF
          + "URL.Categories: "
          + String.ReplaceIfEquals (List.OfCategory.ToString (URL.Categories), "", "-")
          + String.CRLF
          + "URL.ReputationString: "
          + String.ReplaceIfEquals (URL.ReputationString, "", "-")
          + String.CRLF
          + "URL.Reputation: "
          + String.ReplaceIfEquals (Number.ToString (URL.Reputation), "", "-")
          + String.CRLF
          + "Rules.CurrentRuleSet.Name: "
          + String.ReplaceIfEquals (Rules.CurrentRuleSet.Name, "", "-")
          + String.CRLF
          + "Rules.CurrentRule.Name: "
          + String.ReplaceIfEquals (Rules.CurrentRule.Name, "", "-")
          + String.CRLF
          + "Block.ID: "
          + String.ReplaceIfEquals (Number.ToString (Block.ID), "", "-")
          + String.CRLF
          + "Block.Reason: "
          + String.ReplaceIfEquals (Block.Reason, "", "-")
          + String.CRLF
          + "Antimalware.Infected: "
          + String.ReplaceIfEquals (Boolean.ToString (Antimalware.Infected), "", "-")
          + String.CRLF
          + "Antimalware.VirusNames: "
          + String.ReplaceIfEquals (List.OfString.ToString (Antimalware.VirusNames), "", "-")
          + String.CRLF
          + "Body.Modified: "
          + String.ReplaceIfEquals (Boolean.ToString (Body.Modified), "", "-")
          + String.CRLF
          + "Application.Reputation: "
          + String.ReplaceIfEquals (Application.Reputation, "", "-")
          + String.CRLF
          + "Application.Name: "
          + String.ReplaceIfEquals (Application.ToString (Application.Name), "", "-")
          + String.CRLF
          + "Referer: "
          + String.ReplaceIfEquals (String.ReplaceAll (Header.Request.Get ("Referer"), "http", "hxxp"), "", "-")
          + String.CRLF
          + "User-Agent: "
          + String.ReplaceIfEquals (Header.Request.Get ("User-Agent"), "", "-")
          + String.CRLF
          + "------------------------------"
          Email.Send ("Enter Valid Recipient Email", String.Concat ("Threat Alert from: ", System.HostName), User-Defined.logLine)<Default>

          The email body that is received looks like this:

DateTime: [05/Jul/2012:15:13:47 +0000]
System.HostName: reverse
Authentication.UserName: -
Client.IP: 192.168.2.2
URL.Destination.IP: 188.40.238.250
URL.Host: eicar.org
Response.StatusCode: 403
MediaType.FromHeader: -
BytesFromClient: 474
BytesFromServer: 381
Request.Header.FirstLine: GET hxxp://eicar.org/download/eicar.com hxxp/1.1
URL.Categories: Information Security
URL.ReputationString: Minimal Risk
URL.Reputation: 6
Rules.CurrentRuleSet.Name: Gateway Anti-Malware
Rules.CurrentRule.Name: Anti-Malware: Standard Setting for Trusted Sites
Block.ID: 80
Block.Reason: Malware found
Antimalware.Infected: true
Antimalware.VirusNames: McAfeeGW: EICAR test file
Body.Modified: false
Application.Reputation: -
Application.Name: -
Referer: hxxp://eicar.org/85-0-Download.html
------------------------------

          I attached my rules that go into the log handler. It also includes a greatly expanded FoundViruses.log, but you can delete that line if you want to keep the original format.

          Message was edited by: eelsasser on 7/5/12 12:05:10 PM EDT
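As an added illustration, not part of the reply above and not MWG's own code, here is the same formatting logic in Python: the labelled field order, the empty-value-to-"-" substitution and the http-to-hxxp defanging, plus a check that no auto-linkable URL survives in the mail body. Field names and the sample record come from the reply; the function names and the constructed record are assumptions of this example.

```python
import re

# Field order follows the labelled body built by the rule in the reply above.
FIELDS = ["DateTime", "System.HostName", "Authentication.UserName",
          "Client.IP", "URL.Destination.IP", "URL.Host", "Response.StatusCode",
          "MediaType.FromHeader", "BytesFromClient", "BytesFromServer",
          "Request.Header.FirstLine", "URL.Categories", "URL.ReputationString",
          "URL.Reputation", "Rules.CurrentRuleSet.Name", "Rules.CurrentRule.Name",
          "Block.ID", "Block.Reason", "Antimalware.Infected",
          "Antimalware.VirusNames", "Body.Modified", "Application.Reputation",
          "Application.Name", "Referer", "User-Agent"]
DEFANG_FIELDS = {"Request.Header.FirstLine", "Referer"}  # may carry a URL

def defang(text):
    """http -> hxxp like String.ReplaceAll in the rule; the sample output shows
    HTTP/1.1 rendered as hxxp/1.1, so the match is treated case-insensitively."""
    return re.sub("http", "hxxp", text, flags=re.IGNORECASE)

def field_or_dash(value):
    """String.ReplaceIfEquals(x, "", "-"): empty or missing renders as '-'."""
    if isinstance(value, bool):  # Boolean.ToString yields true/false
        return "true" if value else "false"
    text = "" if value is None else str(value)
    return text or "-"

def build_alert_body(record):
    """One 'Name: value' line per field, CRLF-joined, plus the separator."""
    lines = []
    for name in FIELDS:
        value = field_or_dash(record.get(name))
        lines.append(f"{name}: {defang(value) if name in DEFANG_FIELDS else value}")
    lines.append("-" * 30)
    return "\r\n".join(lines)

def has_live_link(body):
    """True if a mail client could still auto-link a scheme URL in the body."""
    return re.search(r"\bhttps?://", body, re.IGNORECASE) is not None

# Constructed sample record modelled on the EICAR hit shown in the reply.
SAMPLE = {
    "DateTime": "[05/Jul/2012:15:13:47 +0000]", "System.HostName": "reverse",
    "Client.IP": "192.168.2.2", "URL.Host": "eicar.org",
    "Response.StatusCode": 403, "Block.ID": 80, "Block.Reason": "Malware found",
    "Request.Header.FirstLine": "GET http://eicar.org/download/eicar.com HTTP/1.1",
    "Antimalware.Infected": True, "Antimalware.VirusNames": "McAfeeGW: EICAR test file",
    "Referer": "http://eicar.org/85-0-Download.html",
}
```

Running `has_live_link(build_alert_body(SAMPLE))` returns False, which is the property the hxxp substitution is meant to guarantee before the alert is mailed.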
          • 2. Re: email log file entry when threat is detected
            bdoyle

            Thanks again e.. works perfectly!