External Alerting for Intrusion Events

The following topics describe how to configure external alerting for intrusion events:

About External Alerting for Intrusion Events

External intrusion event notification can help with critical-system monitoring:

  • SNMP—Configured per intrusion policy and sent from managed devices. You can enable SNMP alerting per intrusion rule.

  • Syslog—Configured per intrusion policy and sent from managed devices. When you enable syslog alerting in an intrusion policy, you turn it on for every rule in the policy.

  • Email—Configured across all intrusion policies and sent from the Firepower Management Center. You can enable email alerts per intrusion rule, as well as limit their length and frequency.

Keep in mind that if you configured intrusion event suppression or thresholding, the system may not generate intrusion events (and thus may not send alerts) every time a rule triggers.

In a multidomain deployment, you can configure external alerting in any domain. In ancestor domains, the system generates notifications for intrusion events in descendant domains.


Note


The Firepower Management Center also uses SNMP, syslog, and email alert responses to send different types of external alerts; see Firepower Management Center Alert Responses. The system does not use alert responses to send alerts based on individual intrusion events.

License Requirements for External Alerting for Intrusion Events

FTD License

Threat

Classic License

Protection

Requirements and Prerequisites for External Alerting for Intrusion Events

Model Support

Any.

Supported Domains

Any

User Roles

  • Admin

  • Intrusion Admin

Configuring SNMP Alerting for Intrusion Events

After you enable external SNMP alerting in an intrusion policy, you can configure individual rules to send SNMP alerts when they trigger. These alerts are sent from the managed device.

Procedure


Step 1

In the intrusion policy editor's navigation pane, click Advanced Settings.

Step 2

Make sure SNMP Alerting is Enabled, then click Edit.

A message at the bottom of the page identifies the intrusion policy layer that contains the configuration.

Step 3

Choose an SNMP Version, then specify configuration options as described in Intrusion SNMP Alert Options.

Step 4

In the navigation pane, click Rules.

Step 5

In the rules pane, choose the rules where you want to set SNMP alerts, then choose Alerting > Add SNMP Alert.

Step 6

To save changes you made in this policy since the last policy commit, choose Policy Information, then click Commit Changes.

If you leave the policy without committing changes, changes since the last commit are discarded if you edit a different policy.

What to do next

Intrusion SNMP Alert Options

If your network management system requires a management information base file (MIB), you can obtain it from the Firepower Management Center at /etc/sf/DCEALERT.MIB.

SNMP v2 Options

Option

Description

Trap Type

The trap type to use for IP addresses that appear in the alerts.

If your network management system correctly renders the INET_IPV4 address type, choose as Binary. Otherwise, choose as String. For example, HP OpenView requires as String.

Trap Server

The server that will receive SNMP traps notification.

You can specify a single IP address or hostname.

Community String

The community name.

SNMP v3 Options

Managed devices encode SNMPv3 alerts with an Engine ID value. To decode the alerts, your SNMP server requires this value, which is the hexadecimal version of the sending device's management interface IP address, appended with "01."

For example, if the device sending the SNMP alert has a management interface IP address of 172.16.1.50, the Engine ID value is 0xAC10013201.

Option

Description

Trap Type

The trap type to use for IP addresses that appear in the alerts.

If your network management system correctly renders the INET_IPV4 address type, choose as Binary. Otherwise, choose as String. For example, HP OpenView requires as String.

Trap Server

The server that will receive SNMP traps notification.

You can specify a single IP address or hostname.

Authentication Password

The password required for authentication. SNMP v3 uses either the Message Digest 5 (MD5) hash function or the Secure Hash Algorithm (SHA) hash function to encrypt this password, depending on configuration.

If you specify an authentication password, authentication is enabled.

Private Password

The SNMP key for privacy. SNMP v3 uses the Data Encryption Standard (DES) block cipher to encrypt this password. When you enter an SNMP v3 password, the password displays in plain text during initial configuration but is saved in encrypted format.

If you specify a private password, privacy is enabled, and you must also specify an authentication password.

User Name

Your SNMP user name.

Configuring Syslog Alerting for Intrusion Events

After you enable syslog alerting in an intrusion policy, the system sends all intrusion events to the syslog, either on the managed device itself or to an external host or hosts. If you specify an external host, syslog alerts are sent from the managed device.

Procedure


Step 1

In the intrusion policy editor's navigation pane, click Advanced Settings.

Step 2

Make sure Syslog Alerting is Enabled, then click Edit.

A message at the bottom of the page identifies the intrusion policy layer that contains the configuration. The Syslog Alerting page is added under Advanced Settings.

Step 3

Enter the IP addresses of the Logging Hosts where you want to send syslog alerts.

If you leave the Logging Hosts field blank, the logging hosts details are taken from Logging in the associated Access Control Policy.

The system builds a separate network map for each leaf domain. In a multidomain deployment, using literal IP addresses to constrain this configuration can have unexpected results. Using override-enabled objects allows descendant domain administrators to tailor Global configurations to their local environments.

Step 4

Choose Facility and Severity levels as described in Facilities and Severities for Intrusion Syslog Alerts.

Step 5

To save changes you made in this policy since the last policy commit, choose Policy Information, then click Commit Changes.

If you leave the policy without committing changes, changes since the last commit are discarded if you edit a different policy.

What to do next

Facilities and Severities for Intrusion Syslog Alerts

Managed devices can send intrusion events as syslog alerts using a particular facility and Severity, so that the logging host can categorize the alerts. The facility specifies the subsystem that generated it. These facility and Severity values do not appear in the actual syslog messages.

Choose values that make sense based on your environment. Local configuration files (such as syslog.conf on UNIX-based logging hosts) may indicate which facilities are saved to which log files.

Syslog Alert Facilities

Facility

Description

ALERT An alert message.

AUTH

A message associated with security and authorization.

AUTHPRIV

A restricted access message associated with security and authorization. On many systems, these messages are forwarded to a secure file.

CRON

A message generated by the clock daemon.

DAEMON

A message generated by a system daemon.

FTP

A message generated by the FTP daemon.

KERN

A message generated by the kernel. On many systems, these messages are printed to the console when they appear.

LOCAL0-LOCAL7

A message generated by an internal process.

LPR

A message generated by the printing subsystem.

MAIL

A message generated by a mail system.

NEWS

A message generated by the network news subsystem.

SYSLOG

A message generated by the syslog daemon.

USER

A message generated by a user-level process.

UUCP

A message generated by the UUCP subsystem.

Syslog Alert Severities

Level

Description

EMERG

A panic condition broadcast to all users

ALERT

A condition that should be corrected immediately

CRIT

A critical condition

ERR

An error condition

WARNING

Warning messages

NOTICE

Conditions that are not error conditions, but require attention

INFO

Informational messages

DEBUG

Messages that contain debug information

Configuring Email Alerting for Intrusion Events

If you enable intrusion email alerting, the system can send email when it generates an intrusion event, regardless of which managed device or intrusion policy detected the intrusion. These alerts are sent from the Firepower Management Center.

Before you begin

Procedure


Step 1

Choose Policies > Actions > Alerts.

Step 2

Click Intrusion Email.

Step 3

Choose alerting options, including the intrusion rules or rule groups for which you want to alert, as described in Intrusion Email Alert Options.

Step 4

Click Save.


Intrusion Email Alert Options

On/Off

Enables or disables intrusion email alerts.


Note


Enabling it will enable alerting for all rules unless individual rules are selected.


From/To Addresses

The email sender and recipients. You can specify a comma-separated list of recipients.

Max Alerts and Frequency

The maximum number of email alerts (Max Alerts) that the Firepower Management Center will send per time interval (Frequency).

Coalesce Alerts

Reduces the number of alerts sent by grouping alerts that have the same source IP and rule ID.

Summary Output

Enables brief alerts, suitable for text-limited devices. Brief alerts contain:

  • Timestamp

  • Protocol

  • Source and destination IPs and ports

  • Message

  • The number of intrusion events generated against the same source IP

For example: 2011-05-18 10:35:10 10.1.1.100 icmp 10.10.10.1:8 -> 10.2.1.3:0 snort_decoder: Unknown Datagram decoding problem! (116:108)

If you enable Summary Output, also consider enabling Coalesce Alerts. You may also want to lower Max Alerts to avoid exceeding text-message limits.

Time Zone

The time zone for alert timestamps.

Email Alerting on Specific Rules Configuration

Allows you to choose the rules where you want to set email alerts.