Solved

How can I configure Alienvault to send emails when Arpwatch discovers new mac address?

Posted on 2012-04-10
7
2,289 Views
Last Modified: 2013-11-29
I have recently installed AV 3.1 and have it configured with arpwatch.  When an arpwatch event discovers a new device it is not sending me an email.  

I have tested the email and the test message goes out, but never an alert that there is a new device.

I have setup a correlation directive (probably wrong) but this did not help.


Thanks
0
Comment
Question by:DanRaposo
  • 4
  • 3
7 Comments
 
LVL 4

Expert Comment

by:senseifedon
ID: 37839329
Hi;
You only have to create a correlation directives to asign risk >= 1 to this type of events.

Read this document to know how the risk is calculated
http://www.ossim.net/dokuwiki/doku.php?id=user_manual:dashbo ards:risk:risk_metrics

To create a user correlation directive do that:



Activate User Group: Edit file /etc/ossim/server/directives.xml and insert "&user;" into directives group
Restar the server: /etc/init.d/ossim-server restart
Go to Intelligence --> Correlation Directive
Click on Add directive
Put the name and select User Id: You can put here your priority and click save
Create a Rule: Put your rule name, select plugin id (arpwatch = 1512) and select the sid you want (you can click.... to insert its)
Click save
Restart the server



If you put priority = 5 and you have the default assets values when the risk is calculated you will have a least 10/25 so the Event Reliability has to be 3 or more to create an alarm.

To change the event reliability go to Configuration--> Colection and look for arpwatch plugin click it and you can see all their sids.



Regards
0
 
LVL 4

Expert Comment

by:senseifedon
ID: 37846011
Danraposo can you inform me?
0
 

Author Comment

by:DanRaposo
ID: 37857444
Sorry ...  I was out of office for a few days ...


Can you show me the syntax for adding the &user into the directives group?


Thanks
0
Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

 
LVL 4

Accepted Solution

by:
senseifedon earned 500 total points
ID: 37858029
Hi again;

You can add &user directives like following lines:


<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE directives
SYSTEM '/etc/ossim/server/directives.dtd'
[
<!ENTITY generic SYSTEM '/etc/ossim/server/generic.xml'>
<!ENTITY attacks SYSTEM '/etc/ossim/server/attacks.xml'>
<!ENTITY worms SYSTEM '/etc/ossim/server/worms.xml'>
<!ENTITY webattack SYSTEM '/etc/ossim/server/webattack.xml'>
<!ENTITY dos SYSTEM '/etc/ossim/server/dos.xml'>
<!ENTITY scan SYSTEM '/etc/ossim/server/scan.xml'>
<!ENTITY abnormal SYSTEM '/etc/ossim/server/abnormal.xml'>
<!ENTITY network SYSTEM '/etc/ossim/server/network.xml'>
<!ENTITY trojans SYSTEM '/etc/ossim/server/trojans.xml'>
<!ENTITY misc SYSTEM '/etc/ossim/server/misc.xml'>
<!ENTITY user SYSTEM '/etc/ossim/server/user.xml'>
<!ENTITY alienvault-worms SYSTEM '/etc/ossim/server/alienvault-worms.xml'>
<!ENTITY alienvault-attacks SYSTEM '/etc/ossim/server/alienvault-attacks.xml'>
<!ENTITY alienvault-misc SYSTEM '/etc/ossim/server/alienvault-misc.xml'>
<!ENTITY alienvault-scada SYSTEM '/etc/ossim/server/alienvault-scada.xml'>
<!ENTITY alienvault-network SYSTEM '/etc/ossim/server/alienvault-network.xml'>
<!ENTITY alienvault-dos SYSTEM '/etc/ossim/server/alienvault-dos.xml'>
<!ENTITY alienvault-scan SYSTEM '/etc/ossim/server/alienvault-scan.xml'>
<!ENTITY alienvault-policy SYSTEM '/etc/ossim/server/alienvault-policy.xml'>
<!ENTITY alienvault-malware SYSTEM '/etc/ossim/server/alienvault-malware.xml'>
<!ENTITY alienvault-bruteforce SYSTEM '/etc/ossim/server/alienvault-bruteforce.xml'>
]>
<directives>
&alienvault-bruteforce;

&alienvault-malware;

&alienvault-policy;

&alienvault-scan;

&alienvault-dos;

&alienvault-network;

&alienvault-scada;

&alienvault-misc;

&alienvault-attacks;

&alienvault-worms;


&attacks;
&trojans;
&misc;
&worms;
&generic;
&user;

<groups>
<group name="GroupTest1">
<append-directive directive_id="1"/>
</group>
</groups>

</directives>

Open in new window

0
 

Author Comment

by:DanRaposo
ID: 37858057
I'm sorry I must be missing something ... you said
"Activate User Group: Edit file /etc/ossim/server/directives.xml and insert "&user;" into directives group "

Then you posted a directives.xml file that looks identical to mine.   Where should I be placing &user

I have &user in the directive secion but not the directives group which I considered to be this:

<groups>
<group name="GroupTest1">
<append-directive directive_id="1"/>
</group>
</groups>
0
 
LVL 4

Expert Comment

by:senseifedon
ID: 37858080
It goes under &generic; line before <groups> tag.

&attacks;
&trojans;
&misc;
&worms;
&generic;
&user;

<groups>
<group name="GroupTest1">
<append-directive directive_id="1"/>
</group>
</groups>

Open in new window

0
 

Author Comment

by:DanRaposo
ID: 37858221
That was already there.  So I did try to change Reliability from 1 to 5 on the ArpWatch New Mac Address  event.
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

February 24, 2017 — On February 23, Travis Ormandy, a vulnerability researcher at Google, reported on Twitter (https://twitter.com/taviso/status/834900838837411840) that massive stores of data have been leaked by CloudFlare, a company that provide…
If you are looking at this article, you have most likely been hit by some version of ransomware and are trying to find out if there is anything you can do, or what way you should react - READ ON!
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question