2 Replies Latest reply on Dec 15, 2015 7:52 AM by feeeds

    Pulling Field Info from Event and sending to external script/firewall

    naes17

      Hi,


      I need to pull the data from two fields in a packet (username and IP address) and send the information to a firewall we have for it to create a dynamic rule.


      What would be the best way to accomplish this? 


      I have considered forwarding the event with the packet to an external script server that would then have to do all of the work of parsing the packet and sending the info to the firewall. 

      However, I am wondering if the ESM has the capability to send the information directly to the firewall?


      Thanks for any help in advance.

        • 1. Re: Pulling Field Info from Event and sending to external script/firewall
          Scott Taschler

          I don't believe there's a method to send the info you're looking for directly to the firewall.  However, we can send the fields you need to a script of your design, which can then take care of forwarding the info to the firewall as appropriate.  To accomplish this:


          1. Design your script and host it on a system that supports remote SSH authentication.  Script should support passing the parameters you need on the command line (e.g. "send_to_firewall username 10.10.1.1").
          2. Set up an alarm that triggers based on the conditions under which you'd like your script to be invoked.  This may require building a correlation rule (and triggering the alarm based on the rule firing), depending on how sophisticated you need the conditions to be.
          3. For an action, set the alarm to Execute Remote Command. 
            • Host/Port: IP and SSH port for your scripting host.
            • Username/Password: Credentials ESM should use to authenticate to this host.
            • Command String: "send_to_firewall [$%Source_UserID] [$Destination IP]"

                    If you have other fields you'd like to send to your script, you'll find them all in a popup menu underneath the green arrow icon.


          Scott

          • 2. Re: Pulling Field Info from Event and sending to external script/firewall
            feeeds

            Scott,

            Any way to create a log when the command executes? I see in the alarm that the action is logged, but the data is not getting to the epo server. My example is different than above, but this is my command string.  I have tried a pipe to a log file with no luck.


             python /lvdata/mcafee/tie/addhash.py[$%MD5_Hash][$%Filename][$%SHA1_Hash][$%SHA256_Hash]>>addhash.log


            Thanks,
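As an added illustration (not code from this thread or from ESM), here is the kind of receiving script step 1 of Scott's answer asks for, which also covers the logging question in the second reply by writing its own audit record instead of relying on shell redirection in the Command String. It assumes ESM calls it over SSH as `send_to_firewall.py <username> <ip>`; the log path is an assumed location and the firewall API call is left as a placeholder because the vendor is not named in the thread.

```python
"""send_to_firewall.py: hypothetical receiver for ESM's Execute Remote Command.
ESM invokes it over SSH as  send_to_firewall.py <username> <ip>; it validates
both fields, writes an audit line, and builds the firewall rule request."""
import ipaddress
import json
import re
import sys
import time

LOG_PATH = "/var/log/esm_to_firewall.log"  # assumed log location
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@\\-]{1,64}$")  # DOMAIN\user, user@realm

def validate(username, ip):
    """Return (username, normalized ip) or raise ValueError.
    Both values come from event data, so treat them as untrusted input."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError(f"rejected username {username!r}")
    addr = ipaddress.ip_address(ip)  # ValueError on anything that is not an IP
    if addr.is_loopback or addr.is_multicast or addr.is_unspecified:
        raise ValueError(f"refusing to create a rule for {addr}")
    return username, str(addr)

def audit_line(username, ip, ts=None):
    """One JSON record per invocation, so every rule push is traceable."""
    ts = ts or time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    return json.dumps({"ts": ts, "user": username, "ip": ip, "action": "block"})

def build_rule(username, ip, ttl=3600):
    """Dynamic block rule; the ttl lets the entry expire if nobody clears it."""
    return {"name": f"esm-dyn-{username}-{ip}", "src": ip,
            "user": username, "action": "block", "ttl": ttl}

def main(argv):
    if len(argv) != 3:
        print("usage: send_to_firewall.py <username> <ip>", file=sys.stderr)
        return 2
    try:
        username, ip = validate(argv[1], argv[2])
    except ValueError as err:
        print(err, file=sys.stderr)
        return 1
    with open(LOG_PATH, "a") as log:  # record the request before acting on it
        log.write(audit_line(username, ip) + "\n")
    rule = build_rule(username, ip)
    print(json.dumps(rule))  # FIREWALL_API placeholder: replace with vendor call
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the audit record is written by the script itself, the Command String in the alarm action can stay a plain invocation with no `>>` redirection.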