Custom Actions
- Last Updated: April 5, 2026
This part of the configuration can be found in Settings → Processing, in the Custom actions section. Note that the custom actions mentioned below are always performed only for the event trigger and not for the event updates (see Stream Processing for more details about event triggers and event updates).
Email notifications
The Flowmon ADS module allows you to define regular reports which are sent through email by the application.
Each email report must be bound to exactly one perspective. A report can be in an active or inactive state. An inactive report is defined in the system but is not being sent regularly. A report can have any number of recipient addresses - you can add them by clicking Add new email. There is also an option Do not send empty reports. If this option is enabled, empty daily or weekly summary reports are not sent (empty immediate reports, one-hour, or six-hour summary reports are never sent to prevent spamming of a mailbox). There is also an option to set a minimum priority of events to be reported (Minimal priority to be reported). Reports are sent per the following rules:
- CRITICAL: report immediately after processing of the flow data; a blank report is never sent.
- HIGH: report hourly summaries
- MEDIUM: report six-hour summaries
- LOW: report daily summaries
- INFORMATION: report weekly summaries
Other options:
- Active links: makes all links in the Full email reports clickable
- Show timezone info: shows the timezone in the Full, Compact, and Email per event reports
The Flowmon ADS module allows you to send email reports in several formats:
Summary reports
The different summary reports are described below:
- The Full format provides the reports as an HTML-formatted table.
- The Compact format sends the reports as plain text.
- The Extra compact format is also plain text, but with some information omitted (for example, event detail, event targets, and so on).
The report is also aggregated based on the event type. All three types are summary reports. They report all events for a specific time period and priority. The time period corresponds to the priority rules above.
Separate event reports
The email per event format only provides information about a single event and is intended mainly for automatic processing. It can generate a very large number of emails (one per reported event). Like the other formats, the email per event reports are sent based on the priority rules.
The RT email format
Flowmon ADS also allows you to send reports as tickets to the RT ticketing system. To enable this function, set the format to the RT value. This format adds three attributes to the email header: X-RT-Tool-Name, X-RT-Incident-IP, and X-RT-Incident-Time. The first attribute is always set to “Flowmon ADS” concatenated with the name of the event. The other two take their values from the reported events. In a single email or ticket, you see all events of the same type for one IP address, for example, 10 BLACKLISTS events for the IP address 1.1.1.1 in a single email or ticket. The time period corresponds to the priority rules. The first event in the series is used as the leader event. All corresponding events are listed in the Event details.
Body of the email per event format:
<ID>: (unique event identifier);
<Category>: (code of the detection method);
<Type>: (name of the detection method);
<Perspective>: (name of the perspective assigned to the report);
<Severity>: (priority of the event);
<Time>: (start time in UTC);
<Protocol>: (protocol related to the event or empty value);
<Source>: (source IP address);
<Target IPs>: (first 10 target IP addresses);
<Ports involved>: (port numbers related to the event or empty value);
Body of the RT email, the event details were shortened:
IP: 192.168.1.1 // event source
Type: DNS traffic anomaly // detection method description
Severity:
Use of unauthorized DNS server (connections: 20). // leader event detail
Time: 2015-11-05 17:00:13 GMT+0100 // leader event detection time
Incident details: // event id, detection time, detail, targets
5102353 2015-11-05 17:00:13 GMT+0100 Use of ... (connections: 20). 8.8.8.8
5102382 2015-11-05 17:00:13 GMT+0100 Use of ... (connections: 20). 8.8.8.8
If the Attach flows parameter in the Storage settings section is activated, the flow samples used for event detection are attached to reports in the RT and email per event formats.
Formerly, it was only possible to set the sending of reports using the customer's own SMS gateway upon request. Now, you can set this yourself using the Custom scripts feature (see the section Custom scripts below) which allows you to insert a user-defined script that sends SMS according to your needs.
Syslog
The application also supports event export in the Common Event Format (CEF). It is possible to set multiple targets for the syslog messages in the Settings → Processing → Syslog message section. Syslog messages are assigned to the local6 facility. It is possible to configure the following parameters:
- Name: Name of the configuration.
- Perspective: The perspective that serves as the base for the syslog messages. The priority is translated to the CEF severity and, depending on the configuration, also to the syslog severity (see the table below).
- Active: Activation of sending the syslog messages.
- Priority as severity: Activate the translation of the Flowmon ADS priority to the syslog severity. See the table below.
- Target: Choose whether the global Flowmon OS configuration should be applied (from the Flowmon Configuration Center) or whether to send syslog messages to a specific IP and port.
- Remote IP: IP address to which the syslog messages are sent.
- Port: Port number (UDP protocol) to which the syslog messages are sent.
- Use event ID: Adds the event ID to the syslog messages (can be used to find the event in the user interface).
- Divide by event targets: Decide whether all event targets are sent in one syslog message or each event target gets its own syslog message.
- Maximal number of messages per event: Maximal number of syslog messages per event (when syslog messages are divided by event target). The last message contains all the remaining event targets.
- Machine-readable detail: Activation of the event detail in a format suitable for subsequent machine processing. The variables of the event detail are written in the form parameter:value.
The following table shows the translation of Flowmon ADS priorities to syslog and CEF severities:
| Priority of the perspective | Syslog severity | CEF severity |
|---|---|---|
| CRITICAL | Alert | 10 |
| HIGH | Critical | 8 |
| MEDIUM | Error | 6 |
| LOW | Warning | 4 |
| INFORMATION | Notice | 2 |
SNMP
The application also supports the export of events using SNMP. Events are sent as SNMP traps defined by the MIB file FLOWMON-ADS-MIB.txt (this file can be downloaded from the authenticated subsection of the Flowmon portal). An SNMP event report can be created several times with different targets and perspectives.
You can easily set a destination IP address, port, SNMP version, and the community string by selecting Target groups. These are defined in the Configuration Center module in System → SNMP Event Logging. In the ADS module, you can configure the following parameters:
- Name: Name of the respective configuration.
- Perspective: The perspective according to which the SNMP traps are generated.
- Active: Activation of sending SNMP traps.
- Target groups: Selection of destinations where the SNMP trap is to be sent.
Custom scripts
The Flowmon ADS application allows you to use your own custom scripts for event export (or any executable, for example, in bash/sh, Perl, Python, C, C++, and so on). What a script can do is limited only by the permissions of the Flowmon system user. It is therefore recommended that an administrator validates the executables. User scripts can affect the duration of the flow data processing, so it is recommended to keep these scripts fast.
Execution of the custom scripts is managed by the chosen perspective and a pre-set minimal priority. The scripts run immediately for every event that meets the minimal priority; there is no priority-dependent delay.
The executables can be uploaded by the admin user in the Settings → System Settings → Custom scripts view. The events are provided on the standard input of the script (one event per line).
Each event is described by the following fields (in this order):
- ID
- event detection time
- timestamp of the first flow
- event type
- type description
- perspective
- priority
- event detail
- port numbers
- protocol
- event source
- captured source name
- event targets
- data feed
- user identity
These fields are separated by a tab symbol. When a field is empty, it is replaced by a space character.
Additional parameters
It is possible to define additional command line parameters for the custom scripts. These parameters pass supplementary information to the script. The values of the parameters can be set separately for individual executions of the custom scripts. The parameters are optional and must be supported by the script. Parameters are passed to the script in the following order:
./script_name.sh PARAM_1 'VAL_1' PARAM_2 'VAL_2' ... PARAM_n 'VAL_n'
The name of a parameter must be nonempty and may consist of alphanumeric characters, dashes, or underscores. The parameters are always handed over in the same order, so it is possible to reference them by position.
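The following custom script skeleton is an added example, not the Flowmon demo script or any Flowmon code. It reads the fifteen tab-separated event fields listed above from stdin (a lone space meaning an empty field), accepts the PARAM/VAL pairs from the command line, and turns each event into a one-line summary; the sample event line, the TYPE_CODE and FEED_NAME values, and the perspective name "Default" are constructed for illustration.

```python
import sys

# Field names in the order Flowmon ADS writes them to the script's stdin (per the page).
FIELDS = (
    "id", "detection_time", "first_flow_time", "event_type", "type_description",
    "perspective", "priority", "event_detail", "ports", "protocol",
    "source", "captured_source_name", "targets", "data_feed", "user_identity",
)


def parse_event(line):
    """Split one tab-separated event line into a dict; a lone space marks an empty field."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return {name: ("" if value == " " else value) for name, value in zip(FIELDS, parts)}


def parse_params(argv):
    """Turn PARAM_1 VAL_1 PARAM_2 VAL_2 ... into a dict; the shell already stripped the quotes."""
    if len(argv) % 2:
        raise ValueError("parameters must arrive in name/value pairs")
    params = dict(zip(argv[0::2], argv[1::2]))
    for name in params:  # names: nonempty, alphanumeric, dash or underscore only
        if not name or not all(c.isalnum() or c in "-_" for c in name):
            raise ValueError(f"invalid parameter name: {name!r}")
    return params


def summarize(event):
    """One-line summary usable as a ticket subject or a log line."""
    return (f"[{event['priority']}] {event['type_description']} from {event['source']}"
            f" -> {event['targets'] or 'n/a'} (event {event['id']})")


# Constructed sample event (not captured from a live system). TYPE_CODE and FEED_NAME are
# placeholders; fields 12 and 15 are empty, so ADS would write a single space there.
SAMPLE_LINE = "\t".join([
    "5102353", "2015-11-05 17:00:13", "2015-11-05 16:59:40", "TYPE_CODE",
    "DNS traffic anomaly", "Default", "HIGH",
    "Use of unauthorized DNS server (connections: 20)", "53", "UDP",
    "192.168.1.1", " ", "8.8.8.8", "FEED_NAME", " ",
])

if __name__ == "__main__":
    # Invoked the way ADS would call it: ./script.py RECIPIENT 'soc@example.com' < events
    params = parse_params(sys.argv[1:])
    for line in sys.stdin:
        if line.strip():
            print(summarize(parse_event(line)), "| params:", params)
```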
Demo script
The demo script is created after installation or after application of the configuration template. This script is used for sending event reports by email. The script can be generated manually on the Settings → System Settings → Custom scripts page and can also be downloaded. It is written as a Bash script. The script uses three parameters for passing the email address, the email body, and the email subject. The parameters are parsed using the standard getopt function. Email reports are sent by the Flowmon PHP CLI; the SMTP configuration is taken from the configuration of the application.
Traffic recording
To react to detected events, you can enable automatic packet capture with the Flowmon Packet Investigator (FPI version 11.0 or higher is required). The capture can be started on a remote or a local device. To start capturing on a local device, use the Local for a script owner option. It uses the script owner's account to start local packet capturing. The mandatory parameters for remote capture are FPI server, Login, and Password. The FPI Agency ID parameter is the numeric identifier of the FPI group (defined in the Flowmon Configuration Center) which is used for capturing.
Execution of the capture is managed by the chosen perspective. The captures are executed immediately for all events that have at least the Minimal priority. The capturing stops after the time interval defined in the Live recording duration parameter. The countdown of this interval starts when the live capture starts.
Flowmon Packet Investigator stores packets from the past for a time interval that can be specified in Configuration center → Monitoring ports. For each monitoring interface, there is a Packet capture tab, where you can set this interval by specifying the TTL parameter. Because of this feature, you can include packets captured in the past in the final capture file. For this purpose, use the Recording start offset parameter. It specifies the maximal number of seconds from the past that can be used for packet capture. The actual start time is the later of these two: Detection time minus Recording start offset, or the first flow time (which is part of every event). Packets from the interval specified by this parameter are then included in the final capture file together with the packets captured during the live traffic recording. If the value of the Recording start offset field is higher than the value of the TTL field for a specific interface, a notification is shown in the GUI and the value of the TTL parameter should be increased. When Recording start offset is set to zero, only live traffic is captured. After the capture finishes, the PCAP files with the traffic are available for download in the event detail window. These PCAP files include the packets captured during the live packet capture together with the packets from the past (packets captured before the event started).