Solved

How can I configure Alienvault to send emails when Arpwatch discovers new mac address?

Posted on 2012-04-10
Last Modified: 2013-11-29
I have recently installed AV 3.1 and have it configured with arpwatch. When an arpwatch event discovers a new device it is not sending me an email.

I have tested the email and the test message goes out, but never an alert that there is a new device.

I have set up a correlation directive (probably wrong) but this did not help.


Thanks
Question by:DanRaposo
7 Comments
 
LVL 4

Expert Comment

by:senseifedon
ID: 37839329
Hi;
You only have to create a correlation directive to assign risk >= 1 to this type of event.

Read this document to know how the risk is calculated:
http://www.ossim.net/dokuwiki/doku.php?id=user_manual:dashboards:risk:risk_metrics

To create a user correlation directive do that:

1. Activate User Group: edit the file /etc/ossim/server/directives.xml and insert "&user;" into the directives group
2. Restart the server: /etc/init.d/ossim-server restart
3. Go to Intelligence --> Correlation Directive
4. Click on Add directive
5. Put the name and select User Id: you can put your priority here and click save
6. Create a Rule: put your rule name, select the plugin id (arpwatch = 1512) and select the sid you want (you can click .... to insert it)
7. Click save
8. Restart the server

If you put priority = 5 and you have the default asset values, when the risk is calculated you will have at least 10/25, so the Event Reliability has to be 3 or more to create an alarm.

To change the event reliability go to Configuration --> Collection, look for the arpwatch plugin and click it; you can see all its sids there.



Regards
LVL 4

Expert Comment

by:senseifedon
ID: 37846011
Danraposo can you inform me?

Author Comment

by:DanRaposo
ID: 37857444
Sorry ... I was out of office for a few days ...

Can you show me the syntax for adding the &user; into the directives group?


Thanks
LVL 4

Accepted Solution

by:
senseifedon earned 1500 total points
ID: 37858029
Hi again;

You can add the &user; directives like the following lines:


<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE directives
SYSTEM '/etc/ossim/server/directives.dtd'
[
<!ENTITY generic SYSTEM '/etc/ossim/server/generic.xml'>
<!ENTITY attacks SYSTEM '/etc/ossim/server/attacks.xml'>
<!ENTITY worms SYSTEM '/etc/ossim/server/worms.xml'>
<!ENTITY webattack SYSTEM '/etc/ossim/server/webattack.xml'>
<!ENTITY dos SYSTEM '/etc/ossim/server/dos.xml'>
<!ENTITY scan SYSTEM '/etc/ossim/server/scan.xml'>
<!ENTITY abnormal SYSTEM '/etc/ossim/server/abnormal.xml'>
<!ENTITY network SYSTEM '/etc/ossim/server/network.xml'>
<!ENTITY trojans SYSTEM '/etc/ossim/server/trojans.xml'>
<!ENTITY misc SYSTEM '/etc/ossim/server/misc.xml'>
<!ENTITY user SYSTEM '/etc/ossim/server/user.xml'>
<!ENTITY alienvault-worms SYSTEM '/etc/ossim/server/alienvault-worms.xml'>
<!ENTITY alienvault-attacks SYSTEM '/etc/ossim/server/alienvault-attacks.xml'>
<!ENTITY alienvault-misc SYSTEM '/etc/ossim/server/alienvault-misc.xml'>
<!ENTITY alienvault-scada SYSTEM '/etc/ossim/server/alienvault-scada.xml'>
<!ENTITY alienvault-network SYSTEM '/etc/ossim/server/alienvault-network.xml'>
<!ENTITY alienvault-dos SYSTEM '/etc/ossim/server/alienvault-dos.xml'>
<!ENTITY alienvault-scan SYSTEM '/etc/ossim/server/alienvault-scan.xml'>
<!ENTITY alienvault-policy SYSTEM '/etc/ossim/server/alienvault-policy.xml'>
<!ENTITY alienvault-malware SYSTEM '/etc/ossim/server/alienvault-malware.xml'>
<!ENTITY alienvault-bruteforce SYSTEM '/etc/ossim/server/alienvault-bruteforce.xml'>
]>
<directives>
&alienvault-bruteforce;

&alienvault-malware;

&alienvault-policy;

&alienvault-scan;

&alienvault-dos;

&alienvault-network;

&alienvault-scada;

&alienvault-misc;

&alienvault-attacks;

&alienvault-worms;


&attacks;
&trojans;
&misc;
&worms;
&generic;
&user;

<groups>
<group name="GroupTest1">
<append-directive directive_id="1"/>
</group>
</groups>

</directives>

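An added example, not code from the thread or from OSSIM: a small Python check for the two things the first reply and the accepted answer depend on, namely that directives.xml declares the user entity and references &user; inside <directives> above <groups>, and the reliability needed to reach risk >= 1. It assumes the OSSIM risk formula from the linked risk metrics page (asset * priority * reliability / 25, truncated to an integer) and a default asset value of 2 (an assumption, the thread only says "default asset values"); the sample directives.xml is constructed here.

```python
import re

# Constructed sample mirroring the layout of the directives.xml posted above
SAMPLE_OK = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE directives SYSTEM '/etc/ossim/server/directives.dtd' [
<!ENTITY generic SYSTEM '/etc/ossim/server/generic.xml'>
<!ENTITY user SYSTEM '/etc/ossim/server/user.xml'>
]>
<directives>
&generic;
&user;
<groups>
<group name="GroupTest1">
<append-directive directive_id="1"/>
</group>
</groups>
</directives>
"""
# Same file with the &user; reference missing from the <directives> body
SAMPLE_MISSING = SAMPLE_OK.replace("&user;\n", "")


def check_user_entity(xml_text):
    """Report whether directives.xml declares the user entity and references it
    inside <directives>, above the <groups> block, as the answer requires."""
    declared = re.search(r"<!ENTITY\s+user\s+SYSTEM\s+'[^']*user\.xml'\s*>", xml_text) is not None
    body = re.search(r"<directives>(.*?)</directives>", xml_text, re.S)
    inner = body.group(1) if body else ""
    ref_pos, groups_pos = inner.find("&user;"), inner.find("<groups>")
    referenced = ref_pos != -1
    before_groups = referenced and (groups_pos == -1 or ref_pos < groups_pos)
    return {"declared": declared, "referenced": referenced, "before_groups": before_groups}


def ossim_risk(asset, priority, reliability):
    """OSSIM risk = asset (0-5) * priority (0-5) * reliability (0-10) / 25, truncated."""
    return (asset * priority * reliability) // 25


def min_reliability_for_alarm(asset, priority, threshold=1):
    """Smallest reliability whose risk reaches the alarm threshold, or -1 if none does."""
    for reliability in range(0, 11):
        if ossim_risk(asset, priority, reliability) >= threshold:
            return reliability
    return -1


if __name__ == "__main__":
    print(check_user_entity(SAMPLE_OK), check_user_entity(SAMPLE_MISSING))
    print(min_reliability_for_alarm(asset=2, priority=5))  # 3 with assumed default asset 2
```

Running it against the real /etc/ossim/server/directives.xml (read the file and pass its text) tells you whether the &user; activation step was actually done before you start tuning reliability.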

Author Comment

by:DanRaposo
ID: 37858057
I'm sorry I must be missing something ... you said
"Activate User Group: Edit file /etc/ossim/server/directives.xml and insert "&user;" into directives group "

Then you posted a directives.xml file that looks identical to mine. Where should I be placing &user;?

I have &user; in the directives section but not in the directives group, which I considered to be this:

<groups>
<group name="GroupTest1">
<append-directive directive_id="1"/>
</group>
</groups>
LVL 4

Expert Comment

by:senseifedon
ID: 37858080
It goes under the &generic; line, before the <groups> tag.

&attacks;
&trojans;
&misc;
&worms;
&generic;
&user;

<groups>
<group name="GroupTest1">
<append-directive directive_id="1"/>
</group>
</groups>


Author Comment

by:DanRaposo
ID: 37858221
That was already there. So I did try to change Reliability from 1 to 5 on the ArpWatch New Mac Address event.