
Event Rules

This section is used to configure active response operations used by the LCE daemon. LCE rules are configured to analyze LCE event content and fire if preset conditions are met. Active responses include the ability to send automatic emails (msmtp, sendmail), syslog alerts (syslog, cef), or run custom commands on the LCE system.

Email Syntax

Command: echo "body: $log" | sendmail rgula@example.com "subject: $event1 from $sip"

Command: echo "This is a test message." | /opt/lce/tools/msmtp -C /opt/lce/tools/msmtp.conf bob@example.com

Syslog Syntax

The following syslog line would forward any log that triggered the rule to the remote syslog server 10.10.10.10, port 514, with the default priority of 36 (severity=4, facility=4):

syslog: 10.10.10.10 "Possible password guessing evidence: $log"

The following syslog line would forward any log that triggered the rule to two remote syslog servers, 10.10.10.9, and 10.10.10.10, on port 515, with the specified priority of 116 (severity=4, facility=14):

syslog: 10.10.10.9, 10.10.10.10 "Your message goes here: $log" -priority 116 -port 515

Custom Command Syntax

Command: /path/to/scripts/my_custom_firewall_reconfig_command.sh -block $sip

LCE Rule Filters

The following fields are optional filters. A plus sign (+) in front of a filter means the rule applies to events matching the specified values; a minus sign (-) means matching events are excluded from the rule. If no + filter is given for a field, all events match on that field by default, unless they are specifically excluded with a - filter. Multiple values can be specified for any filter.

Note: Do not use spaces to precede LCE rules. If there is a space at the beginning of an option, that option will be ignored.

Option Description

IPS

This filter allows for the search of IP addresses that are or are not present as either source or destination. The following five formats are supported for both +IPS and -IPS:

  • 172.16.1.1/255.255.255.0
  • 172.16.1.1/32
  • 172.16.1.1-255
  • 172.16.1.1-172.16.1.255
  • 172.16.1.1

SrcIPS

This filter will search for source IP addresses that are or are not present. The following five formats are supported for both +SrcIPS and -SrcIPS:

  • 172.16.1.1/255.255.255.0
  • 172.16.1.1/32
  • 172.16.1.1-255
  • 172.16.1.1-172.16.1.255
  • 172.16.1.1

DstIPS

This filter will search for destination IP addresses that are or are not present. The following five formats are supported for both +DstIPS and -DstIPS:

  • 172.16.1.1/255.255.255.0
  • 172.16.1.1/32
  • 172.16.1.1-255
  • 172.16.1.1-172.16.1.255
  • 172.16.1.1
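As an added illustration (not Tenable's code or LCE's implementation), the following Python expands the five address formats listed above and applies the +/- rule from the filter introduction to an event's source and destination IP. The event dictionary keys sip and dip are this example's own naming, borrowed from the shell command macros.

```python
import ipaddress

def parse_ip_spec(spec):
    """Expand one +IPS/-IPS value into a list of ipaddress networks.
    Handles the five documented formats: a.b.c.d/netmask, a.b.c.d/prefix,
    a.b.c.d-e (range over the last octet), a.b.c.d-w.x.y.z and a single address."""
    spec = spec.strip()
    if "/" in spec:
        # ipaddress accepts both a dotted netmask and a prefix length; strict=False
        # tolerates host bits, so 172.16.1.1/255.255.255.0 becomes 172.16.1.0/24.
        return [ipaddress.ip_network(spec, strict=False)]
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        if "." not in hi:                       # 172.16.1.1-255: only the last octet varies
            hi = lo.rsplit(".", 1)[0] + "." + hi
        return list(ipaddress.summarize_address_range(ipaddress.ip_address(lo),
                                                      ipaddress.ip_address(hi)))
    return [ipaddress.ip_network(spec)]         # single host -> /32

def ip_in_any(ip, specs):
    """True if ip falls inside any of the given filter values."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for spec in specs for net in parse_ip_spec(spec))

def ips_filter_matches(event, plus=(), minus=()):
    """+IPS/-IPS decision for one event, checked against source and destination IP.
    No '+' values means every event matches by default; any '-' hit excludes it."""
    candidates = (event["sip"], event["dip"])
    if any(ip_in_any(ip, minus) for ip in candidates):
        return False
    return not plus or any(ip_in_any(ip, plus) for ip in candidates)

# Constructed events (not real LCE output): source/destination pairs of network logs.
EVENTS = [
    {"sip": "10.0.0.5", "dip": "172.16.1.9"},      # destination inside the watched /24
    {"sip": "172.16.1.250", "dip": "8.8.8.8"},     # source inside the watched /24
    {"sip": "192.168.0.1", "dip": "203.0.113.7"},  # neither side matches
]

def matching_events(plus=(), minus=()):
    """Events from the constructed sample that a rule with these filters would act on."""
    return [e for e in EVENTS if ips_filter_matches(e, plus, minus)]
```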

Events

Considers both the primary and secondary event names. Spaces are not allowed in event names. For example, if you entered "extinction level event," it would be interpreted as three separate events.

Sensors

Sensor that detected the LCE event

Types

LCE event type

Ports

Source or destination port within the LCE event

Protocols

Specified by TCP, UDP, ICMP or a number

Users

Username associated with the event

Text

Filter on any text token in the log that is or is not present (tokens can include spaces and punctuation but not commas) by using +Text or -Text.

IText

This is the same filter as Text, but the token is matched case-insensitively; +IText or -IText must be used.

Vulnerable

"yes" or "no"

Ignore

Single keyword causes all events matching the rule's filters to be ignored by LCE. If an event is ignored in this manner, there will be no LCE database entry written for it, no other matching rules will fire and no TASLs filtering on the event will be executed.

RateLimit

A string indicating the maximum number of event responses per time period that will be allowed. When the quantity of incoming matching logs exceeds this constraint, the remaining logs will be queued or ignored. This string follows the format:

(integer) per [second, minute, hour, day, week, month, year]

Command

Runs the given command at the command line as user lce (e.g., echo "log matched" >> /opt/lce/my_log_file.log).

See the /opt/lce/tools/ directory for a tool supplied with LCE for emailing logs.

When using Command: to run a command, you may insert fields from the log, or the whole log text, into your command using the replacement macros listed under LCE Shell Command Options. The following example sends the original log text and the src IP:port and dst IP:port via email for network or connection type logs:

Name: Example command
+Types: network,connection
Command: printf "To:auser@example.com\nFrom:buser@example.com\nSubject: Network Connection\n\nLOG MATCHED RULE $sip:$sport -> $dip:$dport $log .\n" | /opt/lce/tools/msmtp -C /opt/lce/tools/msmtp.conf auser@example.com

MaxQueue

The maximum number of matching events to queue; those coming in while the queue is full will be ignored.

Threshold

A string indicating the minimum number of matching events that must occur in a given time period before event responses are generated. This string follows the format:

(integer) in a [second, minute, hour, day, week, month, year]
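To make the interplay of Threshold, RateLimit and MaxQueue concrete, here is an added Python model (not LCE's implementation) that parses both window strings and decides, per matching event, whether a response fires, is queued, or is ignored; drain_queue() stands in for what expanding $queued_logs does to the rule's queue. It assumes a 30-day month and a 365-day year for the window units, and the decision labels are this example's own.

```python
import re
from collections import deque

# Seconds per unit for the "[second, minute, hour, day, week, month, year]" list
# (month and year are simplified to 30 and 365 days here).
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400,
                "week": 604800, "month": 30 * 86400, "year": 365 * 86400}

def parse_window(spec, keyword):
    """Parse 'N per <unit>' (RateLimit) or 'N in a <unit>' (Threshold) into (N, seconds)."""
    m = re.fullmatch(rf"\s*(\d+)\s+{keyword}\s+([a-z]+)\s*", spec)
    if not m or m.group(2) not in UNIT_SECONDS:
        raise ValueError(f"bad window spec: {spec!r}")
    return int(m.group(1)), UNIT_SECONDS[m.group(2)]

class RuleResponder:
    """Models how Threshold, RateLimit and MaxQueue decide what one matching event does."""
    def __init__(self, threshold=None, ratelimit=None, maxqueue=0):
        self.thr_n, self.thr_win = parse_window(threshold, "in a") if threshold else (1, 0)
        self.rl_n, self.rl_win = parse_window(ratelimit, "per") if ratelimit else (None, None)
        self.maxqueue = maxqueue
        self.events = deque()     # matching-event timestamps inside the threshold window
        self.responses = deque()  # response timestamps inside the rate-limit window
        self.queue = []           # logs held back by RateLimit; what $queued_logs expands to
    def on_event(self, ts, log):  # -> 'below-threshold' | 'fired' | 'queued' | 'ignored'
        if self.thr_n > 1:
            self.events.append(ts)
            while ts - self.events[0] >= self.thr_win:  # forget events outside the window
                self.events.popleft()
            if len(self.events) < self.thr_n:
                return "below-threshold"
        if self.rl_n is not None:
            while self.responses and ts - self.responses[0] >= self.rl_win:
                self.responses.popleft()
            if len(self.responses) >= self.rl_n:  # limit reached: queue, or drop if queue is full
                if len(self.queue) < self.maxqueue:
                    self.queue.append(log)
                    return "queued"
                return "ignored"
        self.responses.append(ts)
        return "fired"
    def drain_queue(self):
        """Expanding $queued_logs hands back every queued log and empties the queue."""
        logs, self.queue = self.queue, []
        return logs

def demo():
    """Constructed sample: six matching logs within 50 s, then three more about an hour later."""
    rule = RuleResponder("3 in a minute", "1 per hour", maxqueue=2)
    arrivals = [0, 10, 20, 30, 40, 50, 3700, 3710, 3720]
    decisions = [rule.on_event(t, f"log{i}") for i, t in enumerate(arrivals)]
    return decisions, rule.drain_queue()
```

With these settings the third log in the burst fires the response, the next two are queued, the sixth is dropped because MaxQueue is 2, and an hour later a fresh burst fires again once the threshold is met.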

Log Forwarding

Logs that trigger a rule can be forwarded in syslog or Common Event Format (CEF). The CEF log format is predetermined and forwarded in a fixed format. The syslog option accepts an optional priority and port. The syslog message can also contain LCE shell command options, which are explained in detail in the LCE Shell Command Options section.

An example of each is shown below.

For CEF forwarding: cef: 192.168.1.4

For syslog forwarding: syslog: 192.168.1.4 "Possible password guessing evidence: $log" -priority 36 -port 514

Note: Additional information and examples are available in the Event Rule Table topic.

LCE Shell Command Options

The following case-sensitive variables may be included in the shell command string. Any command using the shell command variables listed below needs to be enclosed in double quotation marks ("").

Option Description

$sip

Source IP of event

$dip

Destination IP of event

$sport

Source port of event

$dport

Destination port of event

$proto

Protocol of event, displayed as N/A, TCP, UDP, ICMP, or a number for other protocols

$vuln

"no" if the event was not correlated with a vulnerability, "yes" otherwise.

$sensor

Name of sensor generating the event

$event1

Primary event name

$event2

Secondary event name

$type

Type name of event

$time

Time event was recorded at LCE (format: Mon MM, YYYY H:M:S)

$user

Username associated with the event

$log

Raw text of log

$queued_logs

All logs currently in the event rules queue. Use of this variable has the effect of emptying the rule's queue.

Note: Additional information and examples are available in the Event Rule Table topic.

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.