Microsoft Internet Security and Acceleration Server 2000

Using Environment Variables in Alerts

When an alert is configured to run a program, ISA passes the event information to that process through environment variables. The variables carry the insertion strings of the event log entry that raised the alert: for each insertion string, a variable named ALERT_PARAMETER_X is set, where X is the position of that string in the event (starting at 1).

You can use the environment variables to refine a response to an event. For example, you can use the string representing an attacker's IP address to respond appropriately to the attack. An appropriate response could be the creation of a packet filter that blocks all packets from that IP address.
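Before building a response on these variables it helps to see exactly what a given alert delivers and to check that the value you are about to act on really is an address. The script below is an added example; it is not part of the ISA SDK or of the StaticFilter.vbs sample. It enumerates ALERT_PARAMETER_1, ALERT_PARAMETER_2, ... from the process environment, appends them to a log file, and validates the first one as a dotted-quad IPv4 address. The log path is an assumed location, not an ISA default.

```vbscript
' Added example, not part of the ISA SDK or the StaticFilter.vbs sample.
' Run it as the "program to execute" of an alert to record which
' ALERT_PARAMETER_X values ISA passed, and to confirm that the first one is
' an IPv4 address before a response script relies on it.
' LOG_PATH is an assumed location chosen for this example.
Option Explicit

Const ForAppending = 8
Const LOG_PATH = "C:\ISALogs\alert-params.log"

' Return True only for four dot-separated decimal octets in the range 0..255
Function IsIPv4(s)
    Dim parts, p, k, n
    IsIPv4 = False
    parts = Split(s, ".")
    If UBound(parts) <> 3 Then Exit Function
    For Each p In parts
        If Len(p) = 0 Or Len(p) > 3 Then Exit Function
        For k = 1 To Len(p)
            ' reject signs, spaces and exponents that IsNumeric would accept
            If InStr("0123456789", Mid(p, k, 1)) = 0 Then Exit Function
        Next
        n = CLng(p)
        If n > 255 Then Exit Function
    Next
    IsIPv4 = True
End Function

' Collect ALERT_PARAMETER_1, ALERT_PARAMETER_2, ... until the first one that
' is absent (an unset process variable reads back as an empty string)
Function ReadAlertParameters()
    Dim WshShell, WshEnv, i, value, params
    Set WshShell = WScript.CreateObject("WScript.Shell")
    Set WshEnv = WshShell.Environment("Process")
    Set params = CreateObject("Scripting.Dictionary")
    i = 1
    Do
        value = WshEnv("ALERT_PARAMETER_" & i)
        If value = "" Then Exit Do
        params.Add i, value
        i = i + 1
    Loop
    Set ReadAlertParameters = params
End Function

' Append one line to the log, creating the folder on first use
Sub AppendLog(line)
    Dim fso, f, folder
    Set fso = CreateObject("Scripting.FileSystemObject")
    folder = fso.GetParentFolderName(LOG_PATH)
    If Not fso.FolderExists(folder) Then fso.CreateFolder folder
    Set f = fso.OpenTextFile(LOG_PATH, ForAppending, True)
    f.WriteLine line
    f.Close
End Sub

Dim params, key, ok
Set params = ReadAlertParameters()
AppendLog Now & " alert passed " & params.Count & " parameter(s)"
For Each key In params.Keys
    AppendLog "  ALERT_PARAMETER_" & key & " = " & params(key)
Next

' A response script should refuse to act on anything that is not an address
ok = False
If params.Count > 0 Then ok = IsIPv4(params(1))
If Not ok Then
    AppendLog "  ALERT_PARAMETER_1 is missing or not an IPv4 address; no action taken"
    WScript.Quit 1
End If
AppendLog "  ALERT_PARAMETER_1 validated; safe to pass to SetRemoteHost"
```

Point an alert's Run a program action at this script with the same cscript.exe command line shown for StaticFilter.vbs below, trigger the event once, and the log shows the exact parameter positions and formats that alert produces; the IsIPv4 check can then be reused in the real response script so that an unexpected insertion string never reaches the packet filter.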

Environment Variable Example

The VBScript provided below creates a blocking packet filter for an IP address received in an attack event. It's based on the sample script StaticFilter.vbs.

In order to use the script as a response to an attack, you should create a new alert with the following parameters:

  1. Event - "Intrusion detected".
  2. Additional condition - a condition of interest to you, such as "Well-known port scan attack".
  3. Select Run a program as the action.
  4. Specify the following command line:
    %windir%\system32\cscript.exe StaticFilter.vbs

    where %windir% is your Windows 2000 installation directory, and StaticFilter.vbs is the full path to the script you want to run.

  5. For Use this account, leave the default Local system account.

'define the constants
const fpcBlockingPacketFilter = 2
const fpcCustomFilterType = 1
const fpcPfAnyProtocolIpIndex = 0
const fpcPfDirectionIndexBoth = 3
const fpcPfAnyPort = 1
const fpcPfAnyRemotePort = 1
const fpcPfDefaultProxyExternalIp = 1
const fpcPfSingleHost = 2

Private Sub SetStaticPacketFilter()
Dim ISA, MyArray, pf, WshShell, WshEnv, attackerIp

'read the alert parameters from the process environment first, so that an
'alert with no inserted string does not leave a half-configured filter behind
Set WshShell = WScript.CreateObject("WScript.Shell")
Set WshEnv = WshShell.Environment("Process")
'the environment variable 'ALERT_PARAMETER_1' contains the attacker IP
attackerIp = WshEnv("ALERT_PARAMETER_1")
If attackerIp = "" Then
    WScript.Echo "ALERT_PARAMETER_1 is not set; no filter created"
    Exit Sub
End If

'Create the root object
Set ISA = CreateObject("FPC.Root")

'Get the containing array
Set MyArray = ISA.Arrays.GetContainingArray

' Create a blocking filter for all traffic from the attacker IP
Set pf = MyArray.ArrayPolicy.IpPacketFilters.Add("Block attacker", fpcBlockingPacketFilter)
pf.Description = "Block all traffic from attacker"

' set the filter parameters
pf.Enabled = True
pf.AllServers = True
pf.FilterType = fpcCustomFilterType
pf.ProtocolNumber = fpcPfAnyProtocolIpIndex

' apply the block in both directions, so neither inbound nor outbound packets pass
pf.PacketDirection = fpcPfDirectionIndexBoth

' define the local host type
pf.SetLocalHost fpcPfDefaultProxyExternalIp

' set the local port type
pf.LocalPortType = fpcPfAnyPort

' set the remote port type
pf.RemotePortType = fpcPfAnyRemotePort

' limit the filter to the single attacker machine on the Internet
pf.SetRemoteHost fpcPfSingleHost, attackerIp

' commit the new filter to the array policy
pf.Save

End Sub

' cscript only runs top-level statements, so the routine must be called explicitly
SetStaticPacketFilter