Adding Web (HTTP) Servers to be Notified Using the CLI
To set up HTTP servers, perform the following subtasks:
- Add the HTTP servers
- Configure the HTTP server settings
To add an HTTP server:
- Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
- Enable HTTP notifications:
hostname (config) # fenotify http enable
- Specify the name of the HTTP server (for example, NX7400) to receive the notification. URLs and email addresses are not allowed:
hostname (config) # fenotify http service <service_name>
- Specify which servers will post HTTP notifications (one server per command):
hostname (config) # fenotify http service <service_name> enable
- Specify the URL for each HTTP server to receive the notification:
hostname (config) # fenotify http service <service_name> server-url <url>
- Save the configuration:
hostname (config) # write memory
To configure the HTTP server settings:
- Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
- Enable HTTP notifications:
hostname (config) # fenotify http enable
- (Optional) If authentication is required for the server, enable authentication and then specify the user name and password for HTTP authentication:
hostname (config) # fenotify http service <service_name> auth enable
hostname (config) # fenotify http service <service_name> auth username <user_name>
hostname (config) # fenotify http service <service_name> auth password <password>
- Select the event type:
hostname (config) # fenotify http alert domain-match
hostname (config) # fenotify http alert infection-match
hostname (config) # fenotify http alert ips-event
hostname (config) # fenotify http alert malware-callback
hostname (config) # fenotify http alert malware-object
hostname (config) # fenotify http alert web-infection
- Enable the specified servers to post HTTP notifications when ATI alert updates are detected (one server per command):
hostname (config) # fenotify http service <service_name> alerts-update enable
- Specify the delivery frequency for HTTP notifications. FireEye recommends using per-event notifications.
- To receive information about all events detected in the past 24 hours, enter:
hostname (config) # fenotify http service <service_name> prefer message delivery daily-digest
- To receive a daily notification for each entity that was the source of the event, enter:
hostname (config) # fenotify http service <service_name> prefer message delivery daily-per-source
- To receive an hourly notification for each entity that was the source of the event, enter:
hostname (config) # fenotify http service <service_name> prefer message delivery hourly-per-source
- To receive a notification every minute for each entity that was the source of the event, enter:
hostname (config) # fenotify http service <service_name> prefer message delivery per-1min-per-source
- To receive a notification every 5 minutes for each entity that was the source of the event, enter:
hostname (config) # fenotify http service <service_name> prefer message delivery per-5min-per-source
- To receive information about each event, sent when the event is triggered, enter:
hostname (config) # fenotify http service <service_name> prefer message delivery per-event
- Specify the delivery schedule for HTTP notifications. FireEye recommends using per-event notifications.
- To send a daily notification of all malware objects detected in the past 24 hours, in the selected format and level of detail (default is Concise), enter:
hostname (config) # fenotify http service <service_name> prefer message delivery daily-digest
- To send a notification each time a malware object is detected, enter:
hostname (config) # fenotify http service <service_name> prefer message delivery per-event
- (Optional) If you want to use SSL for notifications:
hostname (config) # fenotify http service <service_name> ssl enable
hostname (config) # fenotify http service <service_name> ssl verify
- Specify the service provider. The default service provider is generic. FireEye recommends using the generic service provider.
- To select the generic provider, enter:
hostname (config) # fenotify http service <service_name> provider generic
- To select Aruba as the provider, enter:
hostname (config) # fenotify http service <service_name> provider aruba
- Select XML, JavaScript Object Notation (JSON), or Text for the format of the HTTP notifications. The json_legacy-concise, json_legacy-extended, and json_legacy-normal formats are deprecated.
- To post notifications in XML Concise format containing basic information such as alert type, ID, source IP, malware name, hostname, and alert URL, enter:
hostname (config) # fenotify http service <service_name> provider generic message format xml-concise
- To post notifications in XML Extended format containing detailed information and abstracts including data-theft information (if any) and static-analysis details (XML Extended provides all details about files and objects modified during analysis), enter:
hostname (config) # fenotify http service <service_name> provider generic message format xml-extended
- To post notifications in XML Normal format containing detailed information and abstracts such as alert type, ID, source IP, malware name, hostname, and alert URL without any redundant information, enter:
hostname (config) # fenotify http service <service_name> provider generic message format xml-normal
- To post notifications in JSON Concise format containing basic information such as alert type, ID, source IP, malware name, hostname, and alert URL, enter:
hostname (config) # fenotify http service <service_name> provider generic message format json-concise
- To post notifications in JSON Extended format containing detailed information and abstracts including data-theft information (if any) and static-analysis details (JSON Extended provides all details about files and objects modified during analysis), enter:
hostname (config) # fenotify http service <service_name> provider generic message format json-extended
- To post notifications in JSON Normal format containing detailed information and abstracts such as alert type, ID, source IP, malware name, hostname, and alert URL without any redundant information, enter:
hostname (config) # fenotify http service <service_name> provider generic message format json-normal
- To post notifications in Text Concise format containing basic information such as alert type, ID, source IP, malware name, hostname, and alert URL, enter:
hostname (config) # fenotify http service <service_name> provider generic message format text-concise
- To post notifications in Text Extended format containing detailed information and abstracts including data-theft information (if any) and static-analysis details (Text Extended provides all details about files and objects modified during analysis), enter:
hostname (config) # fenotify http service <service_name> provider generic message format text-extended
- To post notifications in Text Normal format containing detailed information and abstracts such as alert type, ID, source IP, malware name, hostname, and alert URL without any redundant information, enter:
hostname (config) # fenotify http service <service_name> provider generic message format text-normal
- Save the configuration:
hostname (config) # write memory
- Verify the HTTP notification status:
hostname (config) # show fenotify http
Notification Protocol: http
Configuration:
Protocol Enabled: no
default-delivery per-event
default-provider generic
provider-generic-message-format xml-normal
Alerts:
domain-match yes
infection-match yes
ips-event no
malware-callback yes
malware-object yes
web-infection yes
Consumers:
sname
enabled: yes
alerts-update true
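As an added example that is not part of the FireEye documentation, the receiving side of this setup: a minimal HTTP server that accepts the appliance's POSTed notifications, rejects requests whose HTTP Basic credentials do not match the values given to auth username and auth password, and flattens a JSON or XML body according to its Content-Type. The credentials, port, and field names are placeholders, and the sample bodies are constructed; no FireEye message schema is assumed.

```python
import base64
import hmac
import json
import xml.etree.ElementTree as ET
from http.server import BaseHTTPRequestHandler, HTTPServer

# Placeholders: must equal the values given to 'auth username' / 'auth password'.
EXPECTED_USER, EXPECTED_PASS = "user", "pass"

def check_basic_auth(header):
    """True only if 'Authorization: Basic <b64 user:password>' carries the
    expected credentials; both parts are compared in constant time."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        user, sep, password = base64.b64decode(header[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    ok_user = hmac.compare_digest(user.encode(), EXPECTED_USER.encode())
    ok_pass = hmac.compare_digest(password.encode(), EXPECTED_PASS.encode())
    return bool(sep) and ok_user and ok_pass

def parse_notification(content_type, body):
    """Flatten a JSON object or a flat XML document into {field: text}; anything
    else (e.g. the text-* formats) is returned verbatim. No FireEye schema is assumed."""
    ctype = (content_type or "").lower()
    if "json" in ctype:
        data = json.loads(body)
        return {str(k): str(v) for k, v in data.items()} if isinstance(data, dict) else {"json": json.dumps(data)}
    if "xml" in ctype:
        root = ET.fromstring(body)  # stdlib parser does not fetch external entities; prefer defusedxml in production
        return {child.tag: (child.text or "").strip() for child in root}
    return {"text": body.decode("utf-8", "replace")}

class NotifyHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        if not check_basic_auth(self.headers.get("Authorization")):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="fenotify"')
            self.end_headers()
            return
        length = min(int(self.headers.get("Content-Length") or 0), 1 << 20)  # cap body size
        alert = parse_notification(self.headers.get("Content-Type"), self.rfile.read(length))
        print("notification:", alert)  # hand off to the SIEM / ticketing pipeline here
        self.send_response(200)
        self.end_headers()

if __name__ == "__main__":
    # Terminate TLS in front of this (reverse proxy) when 'ssl enable' is configured on the appliance.
    HTTPServer(("0.0.0.0", 8080), NotifyHandler).serve_forever()
```

Point the appliance's server-url at this listener and watch for 401 responses in its logs: a mismatch between the configured auth username/password and EXPECTED_USER/EXPECTED_PASS shows up there before any notification is dropped silently.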