I don't believe there's a method to send the info you're looking for directly to the firewall. However, we can send the fields you need to a script of your design, which can then take care of forwarding the info to the firewall as appropriate. To accomplish this:
- Design your script and host it on a system that supports remote SSH authentication. The script should support passing the parameters you need on the command line (e.g. "send_to_firewall username 10.10.1.1").
- Set up an alarm that triggers based on the conditions under which you'd like your script to be invoked. This may require building a correlation rule (and triggering the alarm based on the rule firing), depending on how sophisticated you need the conditions to be.
- For an action, set the alarm to Execute Remote Command.
- Host/Port: IP and SSH port for your scripting host.
- Username/Password: Credentials ESM should use to authenticate to this host.
- Command String: "send_to_firewall [$%Source_UserID] [$Destination IP]"
If you have other fields you'd like to send to your script, you'll find them all in a popup menu underneath the green arrow icon.
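An added example, not code from the original answer or from McAfee, of what the "send_to_firewall" receiver script described in the steps above could look like in POSIX sh. Because ESM substitutes event field values straight into the command line, the script accepts only a plain username and a dotted-quad IPv4 address, writes a timestamped record of every invocation (accepted or rejected) to a log file, and leaves the actual firewall call as a placeholder; the log path, the validation rules and the script name are assumptions.

```shell
#!/bin/sh
# Added example receiver script. Assumed invocation from the ESM alarm:
#   send_to_firewall <username> <ip>
# LOGFILE is an assumed default; override it in the environment if needed.
LOGFILE="${LOGFILE:-/var/log/send_to_firewall.log}"

# Accept only a dotted-quad IPv4 address: exactly four numeric octets, each 0-255.
valid_ipv4() {
    ip="$1"
    case "$ip" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    old_ifs="$IFS"; IFS=.
    set -- $ip              # split on "." into positional parameters
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Accept only letters, digits, dot, underscore and hyphen in the username,
# so shell metacharacters coming in through an event field are rejected.
valid_username() {
    case "$1" in
        ""|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Append one timestamped line per invocation: STATUS user=... ip=...
log_event() {
    printf '%s %s user=%s ip=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "$3" >> "$LOGFILE"
}

# Returns 0 when both arguments are valid and the event was logged, 1 otherwise.
send_to_firewall() {
    user="$1"; ip="$2"
    if ! valid_username "$user" || ! valid_ipv4 "$ip"; then
        log_event REJECTED "$user" "$ip"
        return 1
    fi
    log_event ACCEPTED "$user" "$ip"
    # Placeholder: invoke your firewall's API or CLI here with "$user" and "$ip" quoted.
    return 0
}

# Run only when executed directly, so the functions can also be sourced.
if [ "${0##*/}" = "send_to_firewall" ]; then
    send_to_firewall "$@"
fi
```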
Any way to create a log when the command executes? I see in the alarm that the action is logged, but the data is not getting to the epo server. My example is different than above, but this is my command string. I have tried a pipe to a log file with no luck.
python /lvdata/mcafee/tie/addhash.py [$%MD5_Hash] [$%Filename] [$%SHA1_Hash] [$%SHA256_Hash] >> addhash.log