[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

How can I configure Alienvault to send emails when Arpwatch discovers new mac address?

Posted on 2012-04-10
7
Medium Priority
?
2,578 Views
Last Modified: 2013-11-29
I have recently installed AV 3.1 and have it configured with arpwatch.  When an arpwatch event discovers a new device it is not sending me an email.  

I have tested the email and the test message goes out, but never an alert that there is a new device.

I have setup a correlation directive (probably wrong) but this did not help.


Thanks
0
Comment
Question by:DanRaposo
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 4

Expert Comment

by:senseifedon
ID: 37839329
Hi;
You only have to create a correlation directives to asign risk >= 1 to this type of events.

Read this document to know how the risk is calculated
http://www.ossim.net/dokuwiki/doku.php?id=user_manual:dashbo ards:risk:risk_metrics

To create a user correlation directive do that:



Activate User Group: Edit file /etc/ossim/server/directives.xml and insert "&user;" into directives group
Restar the server: /etc/init.d/ossim-server restart
Go to Intelligence --> Correlation Directive
Click on Add directive
Put the name and select User Id: You can put here your priority and click save
Create a Rule: Put your rule name, select plugin id (arpwatch = 1512) and select the sid you want (you can click.... to insert its)
Click save
Restart the server



If you put priority = 5 and you have the default assets values when the risk is calculated you will have a least 10/25 so the Event Reliability has to be 3 or more to create an alarm.

To change the event reliability go to Configuration--> Colection and look for arpwatch plugin click it and you can see all their sids.



Regards
0
 
LVL 4

Expert Comment

by:senseifedon
ID: 37846011
Danraposo can you inform me?
0
 

Author Comment

by:DanRaposo
ID: 37857444
Sorry ...  I was out of office for a few days ...


Can you show me the syntax for adding the &user into the directives group?


Thanks
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 4

Accepted Solution

by:
senseifedon earned 1500 total points
ID: 37858029
Hi again;

You can add &user directives like following lines:


<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE directives
SYSTEM '/etc/ossim/server/directives.dtd'
[
<!ENTITY generic SYSTEM '/etc/ossim/server/generic.xml'>
<!ENTITY attacks SYSTEM '/etc/ossim/server/attacks.xml'>
<!ENTITY worms SYSTEM '/etc/ossim/server/worms.xml'>
<!ENTITY webattack SYSTEM '/etc/ossim/server/webattack.xml'>
<!ENTITY dos SYSTEM '/etc/ossim/server/dos.xml'>
<!ENTITY scan SYSTEM '/etc/ossim/server/scan.xml'>
<!ENTITY abnormal SYSTEM '/etc/ossim/server/abnormal.xml'>
<!ENTITY network SYSTEM '/etc/ossim/server/network.xml'>
<!ENTITY trojans SYSTEM '/etc/ossim/server/trojans.xml'>
<!ENTITY misc SYSTEM '/etc/ossim/server/misc.xml'>
<!ENTITY user SYSTEM '/etc/ossim/server/user.xml'>
<!ENTITY alienvault-worms SYSTEM '/etc/ossim/server/alienvault-worms.xml'>
<!ENTITY alienvault-attacks SYSTEM '/etc/ossim/server/alienvault-attacks.xml'>
<!ENTITY alienvault-misc SYSTEM '/etc/ossim/server/alienvault-misc.xml'>
<!ENTITY alienvault-scada SYSTEM '/etc/ossim/server/alienvault-scada.xml'>
<!ENTITY alienvault-network SYSTEM '/etc/ossim/server/alienvault-network.xml'>
<!ENTITY alienvault-dos SYSTEM '/etc/ossim/server/alienvault-dos.xml'>
<!ENTITY alienvault-scan SYSTEM '/etc/ossim/server/alienvault-scan.xml'>
<!ENTITY alienvault-policy SYSTEM '/etc/ossim/server/alienvault-policy.xml'>
<!ENTITY alienvault-malware SYSTEM '/etc/ossim/server/alienvault-malware.xml'>
<!ENTITY alienvault-bruteforce SYSTEM '/etc/ossim/server/alienvault-bruteforce.xml'>
]>
<directives>
&alienvault-bruteforce;

&alienvault-malware;

&alienvault-policy;

&alienvault-scan;

&alienvault-dos;

&alienvault-network;

&alienvault-scada;

&alienvault-misc;

&alienvault-attacks;

&alienvault-worms;


&attacks;
&trojans;
&misc;
&worms;
&generic;
&user;

<groups>
<group name="GroupTest1">
<append-directive directive_id="1"/>
</group>
</groups>

</directives>

Open in new window

0
 

Author Comment

by:DanRaposo
ID: 37858057
I'm sorry I must be missing something ... you said
"Activate User Group: Edit file /etc/ossim/server/directives.xml and insert "&user;" into directives group "

Then you posted a directives.xml file that looks identical to mine.   Where should I be placing &user

I have &user in the directive secion but not the directives group which I considered to be this:

<groups>
<group name="GroupTest1">
<append-directive directive_id="1"/>
</group>
</groups>
0
 
LVL 4

Expert Comment

by:senseifedon
ID: 37858080
It goes under &generic; line before <groups> tag.

&attacks;
&trojans;
&misc;
&worms;
&generic;
&user;

<groups>
<group name="GroupTest1">
<append-directive directive_id="1"/>
</group>
</groups>

Open in new window

0
 

Author Comment

by:DanRaposo
ID: 37858221
That was already there.  So I did try to change Reliability from 1 to 5 on the ArpWatch New Mac Address  event.
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Sometimes Administrators rights are not enough. These cases call for the SYSTEM account. The process in this article outlines the steps required to execute commands using the SYSTEM account.
A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question