Solved

How can I configure Alienvault to send emails when Arpwatch discovers new mac address?

Posted on 2012-04-10
2,347 Views
Last Modified: 2013-11-29
I have recently installed AV 3.1 and have it configured with arpwatch. When an arpwatch event discovers a new device it is not sending me an email.

I have tested the email and the test message goes out, but never an alert that there is a new device.

I have set up a correlation directive (probably wrong) but this did not help.


Thanks
Question by:DanRaposo
7 Comments
Expert Comment

by:senseifedon
ID: 37839329
Hi;
You only have to create a correlation directive to assign risk >= 1 to this type of event.

Read this document to know how the risk is calculated:
http://www.ossim.net/dokuwiki/doku.php?id=user_manual:dashboards:risk:risk_metrics

To create a user correlation directive do this:

Activate User Group: Edit file /etc/ossim/server/directives.xml and insert "&user;" into the directives group
Restart the server: /etc/init.d/ossim-server restart
Go to Intelligence --> Correlation Directive
Click on Add directive
Put the name and select User Id: You can put here your priority and click save
Create a Rule: Put your rule name, select plugin id (arpwatch = 1512) and select the sid you want (you can click .... to insert them)
Click save
Restart the server

If you put priority = 5 and you have the default asset values, when the risk is calculated you will have at least 10/25, so the Event Reliability has to be 3 or more to create an alarm.

To change the event reliability go to Configuration --> Collection, look for the arpwatch plugin, click it and you can see all its sids.

Regards
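Two checks for the setup the answer above describes, as an added example (not code from the thread or from AlienVault): the risk arithmetic that decides whether the directive produces an alarm, using the OSSIM formula risk = asset value * priority * reliability / 25 with a default asset value of 2 assumed, and a text check that directives.xml declares the user entity and references &user; inside <directives> ahead of <groups>. The function names, the regex and the shortened sample XML are my own constructions.

```python
from typing import Optional
import re

def ossim_risk(asset_value: int, priority: int, reliability: int) -> float:
    """OSSIM risk for one event: asset (0-5) * priority (0-5) * reliability (0-10) / 25."""
    return asset_value * priority * reliability / 25

def min_reliability_for_alarm(asset_value: int, priority: int) -> Optional[int]:
    """Smallest event reliability (0-10) whose risk reaches the alarm threshold of 1."""
    for reliability in range(0, 11):
        if ossim_risk(asset_value, priority, reliability) >= 1:
            return reliability
    return None  # no reliability value on the 0-10 scale can raise an alarm

# Matches the entity declaration the answer shows in the DOCTYPE internal subset.
USER_ENTITY_RE = re.compile(r"<!ENTITY\s+user\s+SYSTEM\s+['\"][^'\"]*user\.xml['\"]\s*>")

def user_group_active(directives_xml: str) -> bool:
    """True when user.xml is both declared as an entity and pulled in with &user;
    inside <directives>, ahead of the <groups> block (the placement asked about)."""
    if not USER_ENTITY_RE.search(directives_xml):
        return False
    parts = directives_xml.split("<directives>", 1)
    if len(parts) != 2:
        return False
    before_groups = parts[1].split("<groups>", 1)[0]
    return "&user;" in before_groups

# Constructed, shortened directives.xml in the same layout as the file in the thread.
SAMPLE_DIRECTIVES_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE directives SYSTEM '/etc/ossim/server/directives.dtd' [
<!ENTITY generic SYSTEM '/etc/ossim/server/generic.xml'>
<!ENTITY user SYSTEM '/etc/ossim/server/user.xml'>
]>
<directives>
&generic;
&user;
<groups>
<group name="GroupTest1">
<append-directive directive_id="1"/>
</group>
</groups>
</directives>
"""

if __name__ == "__main__":
    # Assumed default asset value 2 and directive priority 5: reliability 3 is needed.
    print(min_reliability_for_alarm(2, 5))  # 3
    print(user_group_active(SAMPLE_DIRECTIVES_XML))  # True
```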
Expert Comment

by:senseifedon
ID: 37846011
Danraposo can you inform me?
Author Comment

by:DanRaposo
ID: 37857444
Sorry ... I was out of office for a few days ...

Can you show me the syntax for adding the &user; into the directives group?


Thanks
Accepted Solution

by:
senseifedon earned 500 total points
ID: 37858029
Hi again;

You can add &user directives like following lines:


<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE directives
SYSTEM '/etc/ossim/server/directives.dtd'
[
<!ENTITY generic SYSTEM '/etc/ossim/server/generic.xml'>
<!ENTITY attacks SYSTEM '/etc/ossim/server/attacks.xml'>
<!ENTITY worms SYSTEM '/etc/ossim/server/worms.xml'>
<!ENTITY webattack SYSTEM '/etc/ossim/server/webattack.xml'>
<!ENTITY dos SYSTEM '/etc/ossim/server/dos.xml'>
<!ENTITY scan SYSTEM '/etc/ossim/server/scan.xml'>
<!ENTITY abnormal SYSTEM '/etc/ossim/server/abnormal.xml'>
<!ENTITY network SYSTEM '/etc/ossim/server/network.xml'>
<!ENTITY trojans SYSTEM '/etc/ossim/server/trojans.xml'>
<!ENTITY misc SYSTEM '/etc/ossim/server/misc.xml'>
<!ENTITY user SYSTEM '/etc/ossim/server/user.xml'>
<!ENTITY alienvault-worms SYSTEM '/etc/ossim/server/alienvault-worms.xml'>
<!ENTITY alienvault-attacks SYSTEM '/etc/ossim/server/alienvault-attacks.xml'>
<!ENTITY alienvault-misc SYSTEM '/etc/ossim/server/alienvault-misc.xml'>
<!ENTITY alienvault-scada SYSTEM '/etc/ossim/server/alienvault-scada.xml'>
<!ENTITY alienvault-network SYSTEM '/etc/ossim/server/alienvault-network.xml'>
<!ENTITY alienvault-dos SYSTEM '/etc/ossim/server/alienvault-dos.xml'>
<!ENTITY alienvault-scan SYSTEM '/etc/ossim/server/alienvault-scan.xml'>
<!ENTITY alienvault-policy SYSTEM '/etc/ossim/server/alienvault-policy.xml'>
<!ENTITY alienvault-malware SYSTEM '/etc/ossim/server/alienvault-malware.xml'>
<!ENTITY alienvault-bruteforce SYSTEM '/etc/ossim/server/alienvault-bruteforce.xml'>
]>
<directives>
&alienvault-bruteforce;

&alienvault-malware;

&alienvault-policy;

&alienvault-scan;

&alienvault-dos;

&alienvault-network;

&alienvault-scada;

&alienvault-misc;

&alienvault-attacks;

&alienvault-worms;


&attacks;
&trojans;
&misc;
&worms;
&generic;
&user;

<groups>
<group name="GroupTest1">
<append-directive directive_id="1"/>
</group>
</groups>

</directives>

Author Comment

by:DanRaposo
ID: 37858057
I'm sorry, I must be missing something ... you said
"Activate User Group: Edit file /etc/ossim/server/directives.xml and insert "&user;" into directives group"

Then you posted a directives.xml file that looks identical to mine. Where should I be placing &user;?

I have &user; in the directives section but not in the directives group, which I considered to be this:

<groups>
<group name="GroupTest1">
<append-directive directive_id="1"/>
</group>
</groups>
Expert Comment

by:senseifedon
ID: 37858080
It goes under the &generic; line, before the <groups> tag.

&attacks;
&trojans;
&misc;
&worms;
&generic;
&user;

<groups>
<group name="GroupTest1">
<append-directive directive_id="1"/>
</group>
</groups>

Author Comment

by:DanRaposo
ID: 37858221
That was already there. So I did try to change Reliability from 1 to 5 on the ArpWatch New Mac Address event.