PIX message lookup


 

The function below checks the message for specific PIX message numbers and passes the matching explanation and action to take to custom message fields. The custom fields can then be used in a "Send e-mail" action.

 

The values used in this script are found on the Cisco web site at:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/syslog/pixemsgs.htm

 

 

Run Script action setup.

Common fields: Read=yes

Custom fields: Write=yes

 

 

Rules setup

Rules
  Rule: Lookup PIX msg
    Filters
      Filter: Host IP address: Simple: Match PIX firewall address
    Actions
      Action: Run Script: Lookup PIX msg
      Action: Send e-mail
        To: helpdesk@company.com
        Subject: Problem with PIX
        Body: %MsgText
              Explanation: %VarCustom01
              Action to take: %VarCustom02

 

 

Function Main()

    ' Set the return value to OK
    Main = "OK"

    ' By default, skip to the next rule, don't take the actions that follow.
    ' If we exit the function before we get to the end, the default 'skip to next rule'
    ' will be used.
    Fields.ActionQuit = 100

    ' Example of a PIX message
    ' %PIX-4-209004: Invalid IP fragment...

    Dim M ' Message
    Dim E ' Explanation
    Dim A ' Action

    ' Copy message to local variable for speed
    M = Fields.VarCleanMessageText

    ' If message length is too short, exit function
    If Len(M) < 15 Then Exit Function

    ' Grab the first 15 characters
    M = Left(M, 15)

    ' Check the message is a valid PIX message
    If Mid(M, 1, 5) <> "%PIX-" Then Exit Function

    ' Add any additional checks you want to perform here

    ' Grab the important part ("4-209004")
    M = Mid(M, 6, 8)

    E = ""
    A = ""

    ' Now lookup the values and create an explanation and action for each match
    Select Case M
        Case "4-209004"
            E = "An IP fragment is malformed. The total size of the reassembled IP packet exceeds the maximum possible size of 65,535 bytes"
            A = "A possible intrusion event may be in progress. If this message persists, contact the remote peer's administrator or upstream provider."
        Case "2-106012"
            E = "This is a connection-related message. An IP packet was seen with IP options.  Because IP options are considered a security risk, the packet was discarded."
            A = "A security breach was probably attempted. Check the local site for loose source or strict source routing."

        ' Insert other values to lookup here

    End Select

    ' Exit if we don't have any values to pass
    If Len(E) = 0 Then Exit Function
    If Len(A) = 0 Then Exit Function

    ' Pass the Explanation and Action to take to the custom variables
    Fields.VarCustom01 = E
    Fields.VarCustom02 = A

    ' Since we have a valid match, we want to execute the send e-mail action which follows.
    ' Setting ActionQuit to 0 means we won't skip any actions.
    Fields.ActionQuit = 0

End Function
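
The same lookup written table-driven, as an added example that is not part of the original page or the product's own sample code. It goes beyond the fixed-offset check above by finding the %PIX- tag anywhere in the message text and requiring a one-digit severity and a six-digit message number, so a malformed header never reaches the e-mail action. The helper names ExtractPixKey and BuildPixTable are hypothetical, and the script assumes the script host exposes the VBScript RegExp class and CreateObject.

```vbscript
' Added example (not from the original page). Helper names are hypothetical.
' Assumes the script host provides the VBScript RegExp class and CreateObject.

' Returns "severity-msgnumber" (e.g. "4-209004"), or "" when the text holds
' no well-formed %PIX-<digit>-<6 digits>: tag.
Function ExtractPixKey(Msg)
    Dim Re, Matches
    ExtractPixKey = ""
    Set Re = New RegExp
    Re.Pattern = "%PIX-(\d)-(\d{6}):"
    Re.Global = False
    Set Matches = Re.Execute(Msg)
    If Matches.Count = 0 Then Exit Function
    ExtractPixKey = Matches(0).SubMatches(0) & "-" & Matches(0).SubMatches(1)
End Function

' Lookup table: key -> Array(Explanation, Action to take).
' Texts are the two entries already used on this page.
Function BuildPixTable()
    Dim T
    Set T = CreateObject("Scripting.Dictionary")
    T.Add "4-209004", Array( _
        "An IP fragment is malformed. The total size of the reassembled IP packet exceeds the maximum possible size of 65,535 bytes", _
        "A possible intrusion event may be in progress. If this message persists, contact the remote peer's administrator or upstream provider.")
    T.Add "2-106012", Array( _
        "This is a connection-related message. An IP packet was seen with IP options. Because IP options are considered a security risk, the packet was discarded.", _
        "A security breach was probably attempted. Check the local site for loose source or strict source routing.")
    ' Insert other message numbers here
    Set BuildPixTable = T
End Function

Function Main()
    Dim Key, Table, Entry
    Main = "OK"
    Fields.ActionQuit = 100      ' default: skip the actions that follow

    Key = ExtractPixKey(Fields.VarCleanMessageText)
    If Len(Key) = 0 Then Exit Function       ' not a well-formed PIX message

    Set Table = BuildPixTable()
    If Not Table.Exists(Key) Then Exit Function   ' no entry for this message

    Entry = Table(Key)
    Fields.VarCustom01 = Entry(0)   ' Explanation
    Fields.VarCustom02 = Entry(1)   ' Action to take
    Fields.ActionQuit = 0           ' match found: run the Send e-mail action
End Function
```

The Run Script permissions and rule layout are unchanged from the setup above: common fields read, custom fields write.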