Hi,

I want to have traps that I receive from one model (a QRADAR server) be attributed to the model whose IP is in varbind 9 of the trap.

QRADAR's Event CRE Notification

localHostAddress = {O 1}
timeString = {S 2}
ruleName = {S 3}
ruleDescription = {S 4}
attackerIP = {O 5}
attackerPort = {I 6}
attackersUserName = {S 7}
attackerNetworks = {S 8}
targetIP = {O 9}
targetPort = {I 10}
targetsUserName = {S 11}
targetNetworks = {S 12}
protocol = {I 13}
qid = {I 14}
eventName = {S 15}
eventDescription = {S 16}
category = {S 17}

Is there something special I need to do to make this happen? The event now is always attributed to the server model that actually sent the trap. Not "targetIP" as I would like.

Regards,

Rick

Use the South Bound Gateway and set targetIP to varbind 8 which is Target Address in South Bound Gateway:

Variable ID Field 8 (Target Address)
This field lets you specify the IP address of the model you would like the event data to be sent to. Use
this field if you want to send data to a model other than the EventModel. For example, if you specify
the IP address 10.253.97.2 in the Target Address field, Southbound Gateway searches the existing
models to find a model with this IP address. If Southbound Gateway finds this model, it sends the
event data to this model for processing.

Hi Joe,

Thanks for that. MY AlertMap now looks like this:

# eventCRENotification localHostAddress
1.3.6.1.4.1.20212.1.6.1 0xfff00fc3 1.3.6.1.4.1.20212.2.1(1,0)\
# timeString
1.3.6.1.4.1.20212.2.2(2,0)\
# ruleName
1.3.6.1.4.1.20212.2.34(3,0)\
# ruleDescription
1.3.6.1.4.1.20212.2.35(4,0)\
# attackerIP
1.3.6.1.4.1.20212.2.12(5,0)\
# attackerPort
1.3.6.1.4.1.20212.2.46(6,0)\
# attackersUserName
1.3.6.1.4.1.20212.2.13(7,0)\
# attackerNetworks
1.3.6.1.4.1.20212.2.17(9,0)\
# targetIP
1.3.6.1.4.1.20212.2.18(8,0)\
# targetPort
1.3.6.1.4.1.20212.2.47(10,0)\
# targetsUserName
1.3.6.1.4.1.20212.2.19(11,0)\
# targetNetworks
1.3.6.1.4.1.20212.2.23(12,0)\
# protocol
1.3.6.1.4.1.20212.2.45(13,0)\
# qid
1.3.6.1.4.1.20212.2.38(14,0)\
# eventName
1.3.6.1.4.1.20212.2.39(15,0)\
# eventDescription
1.3.6.1.4.1.20212.2.40(16,0)\
# category
1.3.6.1.4.1.20212.2.28(17,0)

But it's still not working. Enable_SouthboundGateway 0x116296e is "Yes".

Any further suggestion?

Regards,

Rick
 

Also, modelTypeName of the actual sender is Host_Device. Is that a problem? 

Rick,

You also have to "tell" South Bound Gateway to process the event for South Bound Gateway purposes. You have to add the event id to the EventDisp file used to tell South Bound Gateway to process the event for South Bound Gateway purposes.

If you are using the EventAdmin model type to receive the initial trap, then you would use the $SPECROOT/SS/CsVendor/gen_app_gw/EventAdmin/EventDisp file.

If you are using the Host_systemEDGE model type to receive the initial trap, then you would use the $SPECROOT/SS/CsVendor/Ctron_Gen_HOST/Host_systemEDGE/EventDisp file.

Reference the South Bound Gateway Toolkit section of the documentation form more details on using and configuring the South Bound Gateway.

Joe

Thanks, Joe.

Hi, I don't know anything about "South Bound Gateway" : is it something external to Spectrum for which we need to buy licenses ? thanks, Veronique

No extra licenses needed. It comes as part of the trap mapping functionality of Spectrum out of the box and is quite versatile:

https://docops.ca.com/ca-spectrum/10-2/en/integrating/southbound-gateway-toolkit

Cheers

Jay