Solved

How can I configure Alienvault to send emails when Arpwatch discovers new mac address?

Posted on 2012-04-10
7
2,260 Views
Last Modified: 2013-11-29
I have recently installed AV 3.1 and have it configured with arpwatch.  When an arpwatch event discovers a new device it is not sending me an email.  

I have tested the email and the test message goes out, but never an alert that there is a new device.

I have setup a correlation directive (probably wrong) but this did not help.


Thanks
0
Comment
Question by:DanRaposo
  • 4
  • 3
7 Comments
 
LVL 4

Expert Comment

by:senseifedon
ID: 37839329
Hi;
You only have to create a correlation directives to asign risk >= 1 to this type of events.

Read this document to know how the risk is calculated
http://www.ossim.net/dokuwiki/doku.php?id=user_manual:dashbo ards:risk:risk_metrics

To create a user correlation directive do that:



Activate User Group: Edit file /etc/ossim/server/directives.xml and insert "&user;" into directives group
Restar the server: /etc/init.d/ossim-server restart
Go to Intelligence --> Correlation Directive
Click on Add directive
Put the name and select User Id: You can put here your priority and click save
Create a Rule: Put your rule name, select plugin id (arpwatch = 1512) and select the sid you want (you can click.... to insert its)
Click save
Restart the server



If you put priority = 5 and you have the default assets values when the risk is calculated you will have a least 10/25 so the Event Reliability has to be 3 or more to create an alarm.

To change the event reliability go to Configuration--> Colection and look for arpwatch plugin click it and you can see all their sids.



Regards
0
 
LVL 4

Expert Comment

by:senseifedon
ID: 37846011
Danraposo can you inform me?
0
 

Author Comment

by:DanRaposo
ID: 37857444
Sorry ...  I was out of office for a few days ...


Can you show me the syntax for adding the &user into the directives group?


Thanks
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 4

Accepted Solution

by:
senseifedon earned 500 total points
ID: 37858029
Hi again;

You can add &user directives like following lines:


<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE directives
SYSTEM '/etc/ossim/server/directives.dtd'
[
<!ENTITY generic SYSTEM '/etc/ossim/server/generic.xml'>
<!ENTITY attacks SYSTEM '/etc/ossim/server/attacks.xml'>
<!ENTITY worms SYSTEM '/etc/ossim/server/worms.xml'>
<!ENTITY webattack SYSTEM '/etc/ossim/server/webattack.xml'>
<!ENTITY dos SYSTEM '/etc/ossim/server/dos.xml'>
<!ENTITY scan SYSTEM '/etc/ossim/server/scan.xml'>
<!ENTITY abnormal SYSTEM '/etc/ossim/server/abnormal.xml'>
<!ENTITY network SYSTEM '/etc/ossim/server/network.xml'>
<!ENTITY trojans SYSTEM '/etc/ossim/server/trojans.xml'>
<!ENTITY misc SYSTEM '/etc/ossim/server/misc.xml'>
<!ENTITY user SYSTEM '/etc/ossim/server/user.xml'>
<!ENTITY alienvault-worms SYSTEM '/etc/ossim/server/alienvault-worms.xml'>
<!ENTITY alienvault-attacks SYSTEM '/etc/ossim/server/alienvault-attacks.xml'>
<!ENTITY alienvault-misc SYSTEM '/etc/ossim/server/alienvault-misc.xml'>
<!ENTITY alienvault-scada SYSTEM '/etc/ossim/server/alienvault-scada.xml'>
<!ENTITY alienvault-network SYSTEM '/etc/ossim/server/alienvault-network.xml'>
<!ENTITY alienvault-dos SYSTEM '/etc/ossim/server/alienvault-dos.xml'>
<!ENTITY alienvault-scan SYSTEM '/etc/ossim/server/alienvault-scan.xml'>
<!ENTITY alienvault-policy SYSTEM '/etc/ossim/server/alienvault-policy.xml'>
<!ENTITY alienvault-malware SYSTEM '/etc/ossim/server/alienvault-malware.xml'>
<!ENTITY alienvault-bruteforce SYSTEM '/etc/ossim/server/alienvault-bruteforce.xml'>
]>
<directives>
&alienvault-bruteforce;

&alienvault-malware;

&alienvault-policy;

&alienvault-scan;

&alienvault-dos;

&alienvault-network;

&alienvault-scada;

&alienvault-misc;

&alienvault-attacks;

&alienvault-worms;


&attacks;
&trojans;
&misc;
&worms;
&generic;
&user;

<groups>
<group name="GroupTest1">
<append-directive directive_id="1"/>
</group>
</groups>

</directives>

Open in new window

0
 

Author Comment

by:DanRaposo
ID: 37858057
I'm sorry I must be missing something ... you said
"Activate User Group: Edit file /etc/ossim/server/directives.xml and insert "&user;" into directives group "

Then you posted a directives.xml file that looks identical to mine.   Where should I be placing &user

I have &user in the directive secion but not the directives group which I considered to be this:

<groups>
<group name="GroupTest1">
<append-directive directive_id="1"/>
</group>
</groups>
0
 
LVL 4

Expert Comment

by:senseifedon
ID: 37858080
It goes under &generic; line before <groups> tag.

&attacks;
&trojans;
&misc;
&worms;
&generic;
&user;

<groups>
<group name="GroupTest1">
<append-directive directive_id="1"/>
</group>
</groups>

Open in new window

0
 

Author Comment

by:DanRaposo
ID: 37858221
That was already there.  So I did try to change Reliability from 1 to 5 on the ArpWatch New Mac Address  event.
0

Featured Post

Master Your Team's Linux and Cloud Stack!

The average business loses $13.5M per year to ineffective training (per 1,000 employees). Keep ahead of the competition and combine in-person quality with online cost and flexibility by training with Linux Academy.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

An analysis of the phishing scam that has been affecting Google users, along with steps to take for protection, as well as what to do if you receive one of the emails.
The 21st century solution to antiquated pagers.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

785 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question