The function below checks the message for specific PIX message numbers and passes the explanation to a custom message field. The custom fields can then be used in a "Send e-mail" action.
The values used in this script are found on the Cisco web site at:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/syslog/pixemsgs.htm
Run Script action setup.
Common fields: Read=yes
Custom fields: Write=yes
Rules setup
Rules
Rule: Lookup PIX msg
Filters
Filter: Host IP address: Simple: Match PIX firewall address
Actions
Action: Run Script: Lookup PIX msg
Action: Send e-mail
To: helpdesk@company.com:
Subject: Problem with PIX
Body: %MsgText
Explanation: %VarCustom01
Action to take: %VarCustom02
Function Main()
' Set the return value to OK
Main = "OK"
' By default, skip to the next rule, don't take the actions that follow
' If we exit the function before we get to the end, the default 'skip to next rule'
' will be used.
Fields.ActionQuit = 100
' Example of a PIX message
' %PIX-4-209004: Invalid IP fragment...
Dim M ' Message
Dim E ' Explanation
Dim A ' Action
' Copy message to local variable for speed
M = Fields.VarCleanMessageText
' If message length is too short, exit function
If Len(M) < 15 then exit function
' Grab the first 15 chrs
M = Left(M,15)
' Check the message is a valid PIX message
If Mid(M,1,5) <> "%PIX-" then exit function
' Add any additional checks you want to perform here
' Grab the important part ("4-209004")
M = Mid(M,6,8)
E = ""
A = ""
' Now lookup the values and create an explanation and action for each match
Select Case M
Case "4-209004"
E = "An IP fragment is malformed. The total size of the reassembled IP packet exceeds the maximum possible size of 65,535 bytes"
A = "A possible intrusion event may be in progress. If this message persists, contact the remote peer's administrator or upstream provider."
Case "2-106012"
E = "This is a connection-related message. A IP packet was seen with IP options. Because IP options are considered a security risk, the packet was discarded."
A = "A security breach was probably attempted. Check the local site for loose source or strict source routing."
' Insert other values to lookup here
End Select
' Exit if we don't have any values to pass
If len(E) = 0 then exit function
If len(A) = 0 then exit function
' Pass the Explanation and Action to take to the custom variables
Fields.VarCustom01 = E
Fields.VarCustom02 = A
' Since we have a valid match, we want to execute the send e-mail action which follows.
' Setting ActionQuit to 0 means we won't skip any actions.
Fields.ActionQuit = 0
End function