-- CISCO-CIDS-MIB.my : Cisco Intrusion Detection System MIB
--
-- December 2003, Shane J London
--
-- Copyright (c) 2003 by Cisco Systems, Inc.
-- All rights reserved.
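CISCO-CIDS-MIB DEFINITIONS ::= BEGIN

-- Module layout (all OIDs hang below ciscoCidsMIB = ciscoMgmt 383):
--   ciscoCidsMIBNotifs  (0)  the two traps, ciscoCidsAlert and ciscoCidsError
--   ciscoCidsMIBObjects (1)  cidsGeneral / cidsAlert / cidsError / cidsHealth
--   ciscoCidsMIBConform (2)  compliance statement and conformance groups
--
-- Every object in this module is read-only or accessible-for-notify
-- except cidsNotificationsEnabled (read-write); see the note on that
-- object before granting SNMP write access to a sensor.

IMPORTS
    MODULE-IDENTITY,
    OBJECT-TYPE,
    NOTIFICATION-TYPE,
    Integer32,
    Unsigned32,
    Counter32,
    TimeTicks,
    Gauge32
        FROM SNMPv2-SMI
    MODULE-COMPLIANCE,
    NOTIFICATION-GROUP,
    OBJECT-GROUP
        FROM SNMPv2-CONF
    TEXTUAL-CONVENTION,
    TruthValue,
    DateAndTime
        FROM SNMPv2-TC
    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB
    Unsigned64
        FROM CISCO-TC
    ciscoMgmt
        FROM CISCO-SMI;

ciscoCidsMIB MODULE-IDENTITY
    LAST-UPDATED "200312180000Z"
    ORGANIZATION "Cisco Systems, Inc."
    CONTACT-INFO
        " Cisco Systems
          Customer Service

          Postal: 170 W Tasman Drive
          San Jose, CA 95134
          USA

          Tel: +1 800 553-NETS

          E-mail: cs-netranger@cisco.com"
    DESCRIPTION
        "Cisco Intrusion Detection System MIB. Provides
        trap definitions for the evAlert and evError
        elements of the IDIOM (Intrusion Detection and
        Operations Messages) document and read support
        for the Intrusion Detection System (sensor)
        health information, such as if the sensor is
        in a memory critical stage."
    REVISION "200312180000Z"
    DESCRIPTION
        "Initial version of this MIB module."
    ::= { ciscoMgmt 383 }

ciscoCidsMIBNotifs   OBJECT IDENTIFIER ::= { ciscoCidsMIB 0 }
ciscoCidsMIBObjects  OBJECT IDENTIFIER ::= { ciscoCidsMIB 1 }
ciscoCidsMIBConform  OBJECT IDENTIFIER ::= { ciscoCidsMIB 2 }

cidsGeneral  OBJECT IDENTIFIER ::= { ciscoCidsMIBObjects 1 }
cidsAlert    OBJECT IDENTIFIER ::= { ciscoCidsMIBObjects 2 }
cidsError    OBJECT IDENTIFIER ::= { ciscoCidsMIBObjects 3 }
cidsHealth   OBJECT IDENTIFIER ::= { ciscoCidsMIBObjects 4 }

-- Textual Conventions

-- Used as the SYNTAX of cidsErrorName, which is bound in the
-- ciscoCidsError trap. Authentication/authorization failures
-- (errAuthenticationTokenExpired, errPermissionDenied) arrive on the
-- same trap as benign conditions such as errWarning and errSyslog, so
-- trap receivers should key their triage on this enumerated value
-- rather than on the trap OID alone.
CidsErrorCode ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "An enumerated value which identifies the general
        category of error that occurred.

        errAuthenticationTokenExpired
            The requested action could not be carried out
            because the requestor has provided an
            authentication token (e.g. password) that has
            expired.
        errConfigCollision
            The value of the config-token request
            parameter in a setComponentConfig control
            transaction request does not match the
            current configuration document on the target
            host. Typically this indicates that the
            configuration on the target host has been
            modified by another user.
        errInUse
            The requested action could not be completed
            because it requires access to a resource
            that is in use.
        errInvalidDocument
            The request contained a document that was
            not well-formed, contained an incorrect root
            element, or contained additional elements or
            attributes that are not permitted by the lax
            IDIOM schema.
        errLimitExceeded
            The requested action could not be completed
            because it would create a resource that
            would exceed a system resource limit.
        errNotAvailable
            The requested action is supported but cannot
            be performed due to the current
            configuration of the target host.
        errNotFound
            A resource specified in the request does
            not exist.
        errNotSupported
            The requested action is not supported on
            the target host.
        errPermissionDenied
            The requestor does not have a sufficiently
            high authorization level to perform the
            requested action.
        errSyslog
            Used to convey messages of interest from
            the host system's syslog.
        errSystemError
            A system error occurred, such as an
            out-of-memory condition, disk access error,
            etc.
        errTransport
            The requested action could not be carried
            out because of a communications failure
            with another host that is involved in the
            action.
        errUnacceptableValue
            The request document was valid but
            contained one or more values that could
            not be accepted because they either:
            (1) conflict with other values in the same
            document or (2) are not acceptable due to
            the current state of the system.
        errUnclassified
            Used to convey an unclassified error
            condition.
        errWarning
            Used to convey a software warning
            condition detected by an application
            running on the host system.
        "

    SYNTAX INTEGER {
        errAuthenticationTokenExpired(1),
        errConfigCollision(2),
        errInUse(3),
        errInvalidDocument(4),
        errLimitExceeded(5),
        errNotAvailable(6),
        errNotFound(7),
        errNotSupported(8),
        errPermissionDenied(9),
        errSyslog(10),
        errSystemError(11),
        errTransport(12),
        errUnacceptableValue(13),
        errUnclassified(14),
        errWarning(15)
    }

-- General
--
-- Objects bound in both notifications (see the OBJECTS clauses of
-- ciscoCidsAlert and ciscoCidsError), plus the one writable switch.

-- Unsigned64 is imported from CISCO-TC, not from SNMPv2-SMI; make sure
-- the trap receiver decodes it with the CISCO-TC definition rather
-- than assuming an SNMPv2 Counter64.
cidsGeneralEventId OBJECT-TYPE
    SYNTAX Unsigned64
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "Identifies the sequence number of an event.
        This value needs to be unique within the scope
        of the originating host."
    ::= { cidsGeneral 1 }

-- Bound in ciscoCidsError as well as ciscoCidsAlert, although the
-- text below only mentions alerts.
cidsGeneralLocalTime OBJECT-TYPE
    SYNTAX DateAndTime
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "The local time on the Cisco intrusion detection
        system sensor when the alert was generated."
    ::= { cidsGeneral 2 }

-- Prefer this over cidsGeneralLocalTime when correlating events from
-- sensors in different time zones.
cidsGeneralUTCTime OBJECT-TYPE
    SYNTAX DateAndTime
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "The UTC time on the Cisco intrusion detection
        system sensor when the alert was generated."
    ::= { cidsGeneral 3 }

cidsGeneralOriginatorHostId OBJECT-TYPE
    SYNTAX SnmpAdminString
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "A globally unique identifier for a Cids host. Could
        be a host name or an ip address."
    ::= { cidsGeneral 4 }

-- Optional in both traps: only present when the agent runs in the
-- unlimited-size notification mode described under "Notifications".
cidsGeneralOriginatorAppName OBJECT-TYPE
    SYNTAX SnmpAdminString
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "The optional generic name of a Cids application."
    ::= { cidsGeneral 5 }

cidsGeneralOriginatorAppId OBJECT-TYPE
    SYNTAX SnmpAdminString
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "The optional id of this instance of the application.
        Typically the process id (pid)."
    ::= { cidsGeneral 6 }

-- Security note: this is the only read-write object in the module, and
-- its default is false. Anyone who can SET it can silence the
-- ciscoCidsAlert and ciscoCidsError traps, so restrict write access to
-- it (e.g. an SNMPv3 write view limited to trusted managers) and
-- alert on any transition of this value, not only on the traps it
-- gates.
cidsNotificationsEnabled OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "Indicates whether notifications will or will not
        be sent when an event is generated by the device."
    DEFVAL { false }
    ::= { cidsGeneral 7 }

-- Alert
--
-- Varbinds of ciscoCidsAlert. Several of these carry data copied from
-- the monitored traffic (addresses, Base64 stream context, free-text
-- details); a trap receiver should treat them as untrusted input.

cidsAlertSeverity OBJECT-TYPE
    SYNTAX SnmpAdminString
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "The severity associated with a Cids signature
        (informational, low, medium or high for
        example)."
    ::= { cidsAlert 1 }

-- NOTE(review): the DESCRIPTION calls this a 16-bit value but the
-- SYNTAX carries no (0..65535) range constraint. Left as-is because
-- tightening the range would change the object's on-the-wire contract.
cidsAlertAlarmTraits OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "The alarm traits is an unsigned 16-bit integer
        representing the value of the 16 user-defined
        alarm traits specified in the configuration for
        the signature that triggered the alert. The
        alarmTraits bits are used to classify signatures
        into user-defined categories or groups."
    ::= { cidsAlert 2 }

cidsAlertSignature OBJECT-TYPE
    SYNTAX SnmpAdminString ( SIZE ( 1..64 ) )
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "Content is a string containing details about the
        signature that fired, without any specifics tied
        to this instance of the alert. The
        cidsAlertSignatureSigName, cidsAlertSignatureSigId
        and cidsAlertSignatureSubSigId attributes define
        the signature that triggered this Alert."
    ::= { cidsAlert 3 }

cidsAlertSignatureSigName OBJECT-TYPE
    SYNTAX SnmpAdminString ( SIZE ( 1..64 ) )
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "The name of the Intrusion detection signature
        that triggered this event."
    ::= { cidsAlert 4 }

-- (SigId, SubSigId) is the stable key for a signature; SigName is
-- descriptive and should not be used as the correlation key.
cidsAlertSignatureSigId OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "The ID of the Intrusion detection signature
        that triggered this event. The ID combines
        with the cidsAlertSignatureSubSigId to
        create a unique key that identifies the
        signature that generated this event."
    ::= { cidsAlert 5 }

cidsAlertSignatureSubSigId OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "The optional Sub ID of the Intrusion detection
        signature that triggered this event. The Sub
        ID combines with the cidsAlertSignatureSigId
        to create a unique key that identifies the
        signature that generated this event."
    ::= { cidsAlert 6 }

cidsAlertSignatureVersion OBJECT-TYPE
    SYNTAX SnmpAdminString ( SIZE ( 1..64 ) )
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "The optional version attribute defines the version
        number of the signature update in which the triggering
        signature was introduced or was last modified.
        Example: 4.1(1.1)S47(0.1)"
    ::= { cidsAlert 7 }

-- Summary alerts are counts, not individual detections; a receiver
-- that only counts traps will under-report when summarization is on.
cidsAlertSummary OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "Optional, if present, specifies that this is a
        summary alert, representing one or more alerts with
        common characteristics. The numeric value indicates
        the number of times the signature fired since the
        last summary alert with a matching 'initialAlert'
        attribute value. The first and all subsequent
        summary alerts in a sequence will use the eventId
        of a previous non-summary evAlert in the initialAlert
        attribute value. All alerts represented by the
        summary alert share the same signature and
        sub-signature id. The summaryType attribute defines
        the common characteristic(s) of all alerts in the
        summary. The 'final' attribute indicates whether
        this is the last evAlert containing the same value
        in the 'initialAlert' attribute. The 'final'
        attribute may be omitted if and only if its value
        is false."
    ::= { cidsAlert 8 }

cidsAlertSummaryType OBJECT-TYPE
    SYNTAX SnmpAdminString ( SIZE ( 0..16 ) )
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "Common characteristics shared by all non-summary
        alerts included in a summary alert."
    ::= { cidsAlert 9 }

cidsAlertSummaryFinal OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "The optional 'final' attribute indicates whether
        this is the last evAlert containing the same value
        in the 'initialAlert' attribute. The 'final'
        attribute may be omitted if and only if its value
        is false."
    ::= { cidsAlert 10 }

-- Same Unsigned64 (CISCO-TC) encoding caveat as cidsGeneralEventId;
-- this value is meant to match a previous cidsGeneralEventId.
cidsAlertSummaryInitialAlert OBJECT-TYPE
    SYNTAX Unsigned64
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "Serial number for the initial alert, which is
        guaranteed unique within the scope of the
        originating host."
    ::= { cidsAlert 11 }

cidsAlertInterfaceGroup OBJECT-TYPE
    SYNTAX Integer32 ( -2147483648..2147483647 )
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "Optional numeric identifier for a sniffing
        interface group on this host."
    ::= { cidsAlert 12 }

-- DESCRIPTION corrected: the tagging standard is IEEE 802.1Q
-- (the original text read "802.3.1q").
cidsAlertVlan OBJECT-TYPE
    SYNTAX Unsigned32 ( 0..65535 )
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "An optional numeric identifier for a vlan. Identifies
        the vlan that uses the number in ISL or 802.1Q
        headers."
    ::= { cidsAlert 13 }

-- The two *Context objects carry Base64-encoded bytes lifted from the
-- monitored stream. Decode them in a sandboxed parser and never render
-- them unescaped in a console or log viewer.
cidsAlertVictimContext OBJECT-TYPE
    SYNTAX SnmpAdminString
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "Optional Base64-encoded representation of the stream
        data that was sourced by the victim."
    ::= { cidsAlert 14 }

cidsAlertAttackerContext OBJECT-TYPE
    SYNTAX SnmpAdminString
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "Optional Base64-encoded representation of the stream
        data that was sourced by the Attacker."
    ::= { cidsAlert 15 }

-- The 'proxy' attribute described below is advisory: the address may
-- be spoofed or belong to a compromised intermediary, so automated
-- blocking driven from this varbind should take that flag into
-- account. Typo fixed in the text ("a the result" -> "the result").
cidsAlertAttackerAddress OBJECT-TYPE
    SYNTAX SnmpAdminString
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "Optional ip address and ports on a monitored
        interface. The 'locality' attribute is a string
        that indicates the relative location of the ip
        address within the network mapping, such as whether
        the address falls within the address range of a
        protected network. The optional 'proxy' attribute
        is 'true' if the sensor has reason to suspect that
        the address given is not the address of the true
        attacker. This could be the result of address
        spoofing or because the host has been compromised
        and is acting as a 'zombie'. The 'proxy' attribute
        may be omitted if and only if its value is false."
    ::= { cidsAlert 16 }

cidsAlertVictimAddress OBJECT-TYPE
    SYNTAX SnmpAdminString
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "Optional ip address and ports on a monitored
        interface. The 'locality' attribute is a string
        that indicates the relative location of the ip
        address within the network mapping, such as
        whether the address falls within the address range
        of a protected network."
    ::= { cidsAlert 17 }

-- The next three objects report response actions the sensor took or
-- requested; they are useful for confirming that a blocking policy
-- actually fired.
cidsAlertIpLoggingActivated OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "Optional. Indicates whether ip logging has been
        activated as the result of the alert. A separate
        evIpLogStatus event will be generated when logging
        has been completed. The evIpLogStatus event contains
        the URL where the log results may be obtained. This
        element may be omitted if and only if its value
        is false."
    ::= { cidsAlert 18 }

-- Typo fixed in the text ("a attempt" -> "an attempt").
cidsAlertTcpResetSent OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "Optional. Indicates whether an attempt was made to
        reset a tcp connection as the result of the alert.
        The addresses and ports affected must be implied from
        the information contained in the participant elements
        of the evAlert. This element may be omitted if and
        only if its value is false."
    ::= { cidsAlert 19 }

cidsAlertShunRequested OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "Optional. Indicates whether an ip address or tcp
        connection has been requested to be shunned as a
        result of the alert. Details about the addresses
        and ports involved in the shun can be obtained from
        evNacStatus events sent by the Network Access
        Controller application. This element may be omitted
        if and only if its value is false."
    ::= { cidsAlert 20 }

-- Free text that may echo attacker-supplied content; see the note at
-- the top of the Alert section.
cidsAlertDetails OBJECT-TYPE
    SYNTAX SnmpAdminString
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "Optional. Textual details about the specific alert
        instance, not just the signature."
    ::= { cidsAlert 21 }

cidsAlertIpLogId OBJECT-TYPE
    SYNTAX SnmpAdminString
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "IP log identifiers for IP logs that were added as
        the result of this alert."
    ::= { cidsAlert 22 }

cidsThreatResponseStatus OBJECT-TYPE
    SYNTAX SnmpAdminString
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "A brief textual description of the status of
        the alarm given by the Cisco Systems Threat
        Response engine."
    ::= { cidsAlert 23 }

cidsThreatResponseSeverity OBJECT-TYPE
    SYNTAX Integer32 ( -2147483648..2147483647 )
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "The alarm severity as assigned by the Cisco Systems
        Threat Response engine."
    ::= { cidsAlert 24 }

-- Composite score; the scale is not defined here, so treat it as
-- comparable only between alerts from the same sensor/version.
cidsAlertEventRiskRating OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "A risk factor that incorporates several additional
        pieces of information beyond the detection of a
        potentially malicious action. The factors that
        characterize this risk are the severity of the
        attack if it were to succeed, the fidelity of the
        signature, the relevance of the potential attack
        with respect to the target host, and the overall
        value of the target host to the customer."
    ::= { cidsAlert 25 }

-- Error
--
-- Varbinds of ciscoCidsError.

cidsErrorSeverity OBJECT-TYPE
    SYNTAX SnmpAdminString
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "Severity of an error (warning, error or fatal
        for example). An example of a type of error
        that could occur would be when a requested
        action could not be completed because it
        would create a resource that would exceed a
        system resource limit."
    ::= { cidsError 1 }

-- See the note on CidsErrorCode for which values indicate
-- authentication or authorization failures.
cidsErrorName OBJECT-TYPE
    SYNTAX CidsErrorCode
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "An enumerated error code, which identifies a general
        class of errors."
    ::= { cidsError 2 }

cidsErrorMessage OBJECT-TYPE
    SYNTAX SnmpAdminString
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "A textual description of the error that occurred."
    ::= { cidsError 3 }

-- Health
--
-- Polled (read-only) sensor statistics. cidsHealthSensorStatsResetTime
-- says which of these are reset together.

cidsHealthPacketLoss OBJECT-TYPE
    SYNTAX Integer32 ( 0..100 )
    UNITS "percent"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The percentage of packets lost at the device
        interface level."
    ::= { cidsHealth 1 }

cidsHealthPacketDenialRate OBJECT-TYPE
    SYNTAX Integer32 ( 0..100 )
    UNITS "percent"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The percentage of packets denied due to
        protocol and security violations."
    ::= { cidsHealth 2 }

cidsHealthAlarmsGenerated OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of alarms generated, includes
        all currently defined alarm severities."
    ::= { cidsHealth 3 }

cidsHealthFragmentsInFRU OBJECT-TYPE
    SYNTAX Gauge32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of fragments currently queued in the
        fragment reassembly unit."
    ::= { cidsHealth 4 }

cidsHealthDatagramsInFRU OBJECT-TYPE
    SYNTAX Gauge32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of datagrams currently queued in the
        fragment reassembly unit."
    ::= { cidsHealth 5 }

-- A sustained rise in embryonic streams without a matching rise in
-- established streams is a useful health signal for the sensor's own
-- connection-tracking capacity.
cidsHealthTcpEmbryonicStreams OBJECT-TYPE
    SYNTAX Gauge32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of embryonic TCP streams currently
        queued in the device. TCP streams are
        considered embryonic if they have not
        completed the TCP three-way handshake."
    ::= { cidsHealth 6 }

-- Name keeps the "TCP" casing (its siblings use "Tcp"). It is
-- referenced this way by ciscoCidsHealthObjectGroup, so it cannot be
-- renamed without breaking existing managers.
cidsHealthTCPEstablishedStreams OBJECT-TYPE
    SYNTAX Gauge32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of established TCP streams currently
        queued in the device. Once a stream has
        completed a TCP three-way handshake it will
        move to the established state."
    ::= { cidsHealth 7 }

cidsHealthTcpClosingStreams OBJECT-TYPE
    SYNTAX Gauge32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of closing TCP streams currently
        queued in the device. A stream will move
        from the established state to closing when
        a valid FIN or RST flag is received."
    ::= { cidsHealth 8 }

cidsHealthTcpStreams OBJECT-TYPE
    SYNTAX Gauge32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of TCP streams (embryonic,
        established and closing) currently queued
        in the device."
    ::= { cidsHealth 9 }

cidsHealthActiveNodes OBJECT-TYPE
    SYNTAX Gauge32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of active nodes currently queued in
        the device."
    ::= { cidsHealth 10 }

cidsHealthTcpDualIpAndPorts OBJECT-TYPE
    SYNTAX Gauge32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number TCP nodes keyed on both IP addresses
        and both ports currently queued in the device."
    ::= { cidsHealth 11 }

cidsHealthUdpDualIpAndPorts OBJECT-TYPE
    SYNTAX Gauge32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number UDP nodes keyed on both IP addresses
        and both ports currently queued in the device."
    ::= { cidsHealth 12 }

cidsHealthIpDualIp OBJECT-TYPE
    SYNTAX Gauge32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number IP nodes keyed on both IP addresses
        currently queued in the device."
    ::= { cidsHealth 13 }

-- Operational note: per the DESCRIPTION, any non-zero value means the
-- sensor has stopped enforcing policy on some traffic, i.e. a coverage
-- gap. Poll and alert on this object directly rather than relying
-- only on the ciscoCidsError trap, which cidsNotificationsEnabled can
-- suppress. Typo fixed in the text ("prospective" -> "perspective").
cidsHealthIsSensorMemoryCritical OBJECT-TYPE
    SYNTAX Unsigned32 ( 0..10 )
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "A value between 0 and 10 that should rarely
        get above 3. If this is non-zero the sensor
        has stopped enforcing policy on some traffic in
        order to keep up with the current traffic load;
        the sensor is oversubscribed. The higher the
        number the more oversubscribed the sensor. It
        could be oversubscribed from a memory perspective
        and not traffic speed. For example on a 200 Mbit
        sensor this number might be 3 if the sensor was
        only seeing 100Mbit of traffic but 6000
        connections per second which is over the rated
        capacity of the sensor. When the sensor is
        in Memory Critical state then a ciscoCidsError
        trap will be sent accordingly."
    ::= { cidsHealth 14 }

cidsHealthIsSensorActive OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Indicates the failover status of the device.
        True indicates the device is currently active.
        False indicates it is in a standby mode."
    ::= { cidsHealth 15 }

-- Describes the management-plane interface of the sensor. Its format
-- is free text (SnmpAdminString) and is not specified here.
cidsHealthCommandAndControlPort OBJECT-TYPE
    SYNTAX SnmpAdminString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The status and network statistics of the
        currently configured Command and Control
        interface on the device. The Command
        and Control interface is where all of the
        communications for command and control
        of the sensor occurs. This is important
        to identify what interface a user will
        communicate with to control the sensor
        remotely and general health statistics
        for that interface."
    ::= { cidsHealth 16 }

-- Object names in the DESCRIPTION corrected to match the definitions
-- above: the original listed "cidsHealthPacketDenies" and
-- "cidsHealthTcpEstablishedStreams", neither of which is defined in
-- this module (the objects are cidsHealthPacketDenialRate and
-- cidsHealthTCPEstablishedStreams).
cidsHealthSensorStatsResetTime OBJECT-TYPE
    SYNTAX TimeTicks
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The value of SNMPv2-MIB::sysUpTime
        when the Sensor specific statistics
        was reset. The reset time is
        collectively for the following objects:
        cidsHealthPacketLoss,
        cidsHealthPacketDenialRate,
        cidsHealthAlarmsGenerated,
        cidsHealthFragmentsInFRU,
        cidsHealthDatagramsInFRU,
        cidsHealthTcpEmbryonicStreams,
        cidsHealthTCPEstablishedStreams,
        cidsHealthTcpClosingStreams,
        cidsHealthTcpStreams"
    ::= { cidsHealth 17 }

-- Notifications

-- Since notifications with a large number of bound objects
-- can be rather large, the agent can provide two different
-- notification generation modes. One without optional objects
-- to try and keep the notification size below 484 bytes and
-- one with no size limits that will send all available optional
-- objects as well as those explicitly listed in the OBJECTS
-- clause of the notification definition.
--
-- (484 octets is the minimum message size every SNMP entity must
-- accept; traps that exceed it may be dropped by constrained
-- receivers, so the unlimited mode should only be enabled once the
-- receiving path has been verified to handle larger PDUs.)
--
-- The following objects, defined elsewhere in this MIB module
-- as accessible-for-notify, are optional in that they are not
-- explicitly listed in a notification's OBJECTS clause.
-- When the notification generation mode is set to allow optional
-- objects to be bound, the association of the optional objects
-- to particular notifications is as follows:
--
-- ciscoCidsAlert:
--     cidsGeneralOriginatorAppName
--     cidsGeneralOriginatorAppId
--     cidsAlertSignature
--     cidsAlertSignatureVersion
--     cidsAlertSummary
--     cidsAlertSummaryType
--     cidsAlertSummaryFinal
--     cidsAlertSummaryInitialAlert
--     cidsAlertInterfaceGroup
--     cidsAlertVlan
--     cidsAlertVictimContext
--     cidsAlertAttackerContext
--     cidsAlertIpLoggingActivated
--     cidsAlertTcpResetSent
--     cidsAlertShunRequested
--     cidsAlertDetails
--     cidsAlertIpLogId
--     cidsThreatResponseStatus
--     cidsThreatResponseSeverity
--     cidsAlertEventRiskRating
--
-- ciscoCidsError:
--     cidsGeneralOriginatorAppName
--     cidsGeneralOriginatorAppId

-- Only the eleven objects listed here are guaranteed in every
-- ciscoCidsAlert; receivers must tolerate the optional ones above
-- being absent or present in any combination.
ciscoCidsAlert NOTIFICATION-TYPE
    OBJECTS {
        cidsGeneralEventId,
        cidsGeneralLocalTime,
        cidsGeneralUTCTime,
        cidsGeneralOriginatorHostId,
        cidsAlertSeverity,
        cidsAlertSignatureSigName,
        cidsAlertSignatureSigId,
        cidsAlertSignatureSubSigId,
        cidsAlertAlarmTraits,
        cidsAlertAttackerAddress,
        cidsAlertVictimAddress
    }
    STATUS current
    DESCRIPTION
        "Event indicating that some suspicious or malicious
        activity has been detected on a monitored network."
    ::= { ciscoCidsMIBNotifs 1 }

ciscoCidsError NOTIFICATION-TYPE
    OBJECTS {
        cidsGeneralEventId,
        cidsGeneralLocalTime,
        cidsGeneralUTCTime,
        cidsGeneralOriginatorHostId,
        cidsErrorSeverity,
        cidsErrorName,
        cidsErrorMessage
    }
    STATUS current
    DESCRIPTION
        "Event indicating that an error has occurred."
    ::= { ciscoCidsMIBNotifs 2 }

-- Conformance

ciscoCidsMIBCompliances OBJECT IDENTIFIER ::= { ciscoCidsMIBConform 1 }
ciscoCidsMIBGroups      OBJECT IDENTIFIER ::= { ciscoCidsMIBConform 2 }

-- Compliance

-- NOTE(review): ciscoCidsNotificationsGroup (ciscoCidsMIBGroups 4) is
-- not listed in MANDATORY-GROUPS, so an agent can claim compliance
-- with this module without ever emitting ciscoCidsAlert or
-- ciscoCidsError. Left unchanged here because adding it would alter
-- the published compliance contract; confirm whether the omission is
-- intended.
ciscoCidsMIBCompliance MODULE-COMPLIANCE
    STATUS current
    DESCRIPTION
        "The compliance statement for entities which implement
        the Cids MIB"
    MODULE -- this module
        MANDATORY-GROUPS {
            ciscoCidsGeneralObjectGroup,
            ciscoCidsAlertObjectGroup,
            ciscoCidsErrorObjectGroup,
            ciscoCidsHealthObjectGroup
        }
    ::= { ciscoCidsMIBCompliances 1 }

-- Units of Conformance

ciscoCidsGeneralObjectGroup OBJECT-GROUP
    OBJECTS {
        cidsGeneralEventId,
        cidsGeneralLocalTime,
        cidsGeneralUTCTime,
        cidsGeneralOriginatorHostId,
        cidsGeneralOriginatorAppName,
        cidsGeneralOriginatorAppId,
        cidsNotificationsEnabled
    }
    STATUS current
    DESCRIPTION
        "General Objects."
    ::= { ciscoCidsMIBGroups 1 }

ciscoCidsAlertObjectGroup OBJECT-GROUP
    OBJECTS {
        cidsAlertSeverity,
        cidsAlertAlarmTraits,
        cidsAlertSignature,
        cidsAlertSignatureSigName,
        cidsAlertSignatureSigId,
        cidsAlertSignatureSubSigId,
        cidsAlertSignatureVersion,
        cidsAlertSummary,
        cidsAlertSummaryType,
        cidsAlertSummaryFinal,
        cidsAlertSummaryInitialAlert,
        cidsAlertInterfaceGroup,
        cidsAlertVlan,
        cidsAlertVictimContext,
        cidsAlertAttackerContext,
        cidsAlertVictimAddress,
        cidsAlertAttackerAddress,
        cidsAlertIpLoggingActivated,
        cidsAlertTcpResetSent,
        cidsAlertShunRequested,
        cidsAlertDetails,
        cidsAlertIpLogId,
        cidsThreatResponseStatus,
        cidsThreatResponseSeverity,
        cidsAlertEventRiskRating
    }
    STATUS current
    DESCRIPTION
        "Alert Objects."
    ::= { ciscoCidsMIBGroups 2 }

ciscoCidsErrorObjectGroup OBJECT-GROUP
    OBJECTS {
        cidsErrorSeverity,
        cidsErrorName,
        cidsErrorMessage
    }
    STATUS current
    DESCRIPTION
        "Error Objects."
    ::= { ciscoCidsMIBGroups 3 }

-- Group 4 is the notification group and group 5 the health group;
-- the numbering reflects definition order and is part of the
-- published OID space, so it is kept.
ciscoCidsNotificationsGroup NOTIFICATION-GROUP
    NOTIFICATIONS {
        ciscoCidsAlert,
        ciscoCidsError
    }
    STATUS current
    DESCRIPTION
        "The notifications which are required."
    ::= { ciscoCidsMIBGroups 4 }

ciscoCidsHealthObjectGroup OBJECT-GROUP
    OBJECTS {
        cidsHealthPacketLoss,
        cidsHealthPacketDenialRate,
        cidsHealthAlarmsGenerated,
        cidsHealthFragmentsInFRU,
        cidsHealthDatagramsInFRU,
        cidsHealthTcpEmbryonicStreams,
        cidsHealthTCPEstablishedStreams,
        cidsHealthTcpClosingStreams,
        cidsHealthTcpStreams,
        cidsHealthActiveNodes,
        cidsHealthTcpDualIpAndPorts,
        cidsHealthUdpDualIpAndPorts,
        cidsHealthIpDualIp,
        cidsHealthIsSensorMemoryCritical,
        cidsHealthIsSensorActive,
        cidsHealthCommandAndControlPort,
        cidsHealthSensorStatsResetTime
    }
    STATUS current
    DESCRIPTION
        "Health Objects."
    ::= { ciscoCidsMIBGroups 5 }

END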