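-- *****************************************************************
-- CISCO-SERVICE-CONTROL-ATTACK-MIB.my
--
-- MIB file for Service Control entity Attack Detecting Mechanism.
-- May 2009, Or Dubnov-Raz.
--
-- Copyright (c) 2007-2009 by Cisco Systems Inc.
-- All rights reserved.
--
-- ***************************************************************
--
-- Layout restored to one clause per line (table-cell residue from the
-- web rendering removed) so that an SMI compiler can load the module.
-- The module is written in SMIv2: its macros come from SNMPv2-SMI,
-- SNMPv2-CONF and SNMPv2-TC.

CISCO-SERVICE-CONTROL-ATTACK-MIB DEFINITIONS ::= BEGIN

-- External definitions used below. entPhysicalIndex and entPhysicalName
-- tie every row and notification to a physical entity from ENTITY-MIB;
-- the Inet* types carry the attack end points.
IMPORTS
    MODULE-IDENTITY,
    OBJECT-TYPE,
    Counter32,
    NOTIFICATION-TYPE,
    Gauge32,
    Counter64,
    Integer32
        FROM SNMPv2-SMI
    MODULE-COMPLIANCE,
    NOTIFICATION-GROUP,
    OBJECT-GROUP
        FROM SNMPv2-CONF
    entPhysicalIndex,
    entPhysicalName
        FROM ENTITY-MIB
    InetAddressType,
    InetAddress,
    InetPortNumber
        FROM INET-ADDRESS-MIB
    TruthValue,
    TimeStamp,
    TimeInterval,
    TEXTUAL-CONVENTION
        FROM SNMPv2-TC
    ciscoMgmt
        FROM CISCO-SMI;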
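-- Module identity: registers the module at { ciscoMgmt 693 } and gives
-- the vocabulary used by every object below (attack, attack filter,
-- attack start, attack end, upstream, downstream).
-- Upstream means subscriber side to network side; downstream means
-- network side to subscriber side (stated in the DESCRIPTION).
-- NOTE(review): the DESCRIPTION is kept verbatim, including the wording
-- 'characteristics are no longer exist' and the short wrapped lines.
ciscoServiceControlAttackMIB MODULE-IDENTITY
    LAST-UPDATED    "200905050000Z"
    ORGANIZATION    "Cisco Systems, Inc."
    CONTACT-INFO
        "Cisco Systems
        Customer Service

        Postal: 170 W Tasman Drive
        San Jose, CA 95134
        USA

        Tel: +1 800 553-NETS

        E-mail: cs-excelsior-dev@cisco.com"
    DESCRIPTION
        "This MIB provides data related to different types of
        attacks detected by a service control entity.

        A service control entity is a network device which monitors and
        controls traffic. The service control entity is used as a
        platform for different service control applications which may
        perform monitoring operations beyond packet counting and delve

        deeper into the contents of network traffic. It provides
        programmable stateful inspection of bidirectional
        traffic flows and maps these flows with user/subscriber
        ownership.

        An attack is a malicious network activity with certain traffic
        characteristics and which is targeted on a certain network
        entity. An attack can be identified by its type, direction,
        source address, destination address and ports.

        Once an attack is detected, an attack filter is activated based
        on the type of the attack and corresponding actions are taken
        in
        the monitored network - this is referred to as attack start.
        For example the attack filter can drop the attacking traffic.
        When the attack detector identifies that the attack
        characteristics are no longer exist, it ends the mitigation
        action - what is referred to as attack end. The attack
        mitigation action is also referred to as attack filtering in
        this MIB.

        The time duration of attack filtering between attack start to
        attack end along with the direction (upstream, downstream) is
        also maintained by the service control entity. Attack
        filtering
        can be applied from the subscriber side to the network side, in
        the upstream direction. The downstream attack filtering is
        done
        from the network side to the subscriber side.

        This MIB also defines notifications generated by the service
        control entity when an attack is detected on a monitored
        network."
    REVISION        "200905050000Z"
    DESCRIPTION
        "Initial version of this MIB module."
    ::= { ciscoMgmt 693 }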
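-- Textual convention for the attack type identifier: an Integer32 that
-- is displayed in decimal (DISPLAY-HINT d).
-- NOTE(review): this module assigns no names to individual values, so a
-- collector needs a device-specific mapping to label an attack type.
CscaAttackType ::= TEXTUAL-CONVENTION
    DISPLAY-HINT    "d"
    STATUS          current
    DESCRIPTION
        "A value which identifies the various attack types which may be
        detected by the service control entity."
    SYNTAX          Integer32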
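-- Top-level subtrees of the module:
--   0  notifications
--   1  objects (attack type table, filtering time table, filter scalars)
--   2  conformance statements
ciscoServiceControlAttackMIBNotifs  OBJECT IDENTIFIER
    ::= { ciscoServiceControlAttackMIB 0 }

ciscoServiceControlAttackMIBObjects  OBJECT IDENTIFIER
    ::= { ciscoServiceControlAttackMIB 1 }

ciscoServiceControlAttackMIBConform  OBJECT IDENTIFIER
    ::= { ciscoServiceControlAttackMIB 2 }

-- Parent of the scalars that describe one attack filter event and of the
-- notification control object.
cscaFilterMIBObjects  OBJECT IDENTIFIER
    ::= { ciscoServiceControlAttackMIBObjects 1 }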
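-- Per attack type statistics table.
-- NOTE(review): the DESCRIPTION says 'each detected attack', but the row
-- index (see cscaTypeEntry) is the attack type, so a row aggregates all
-- attacks of one type on one physical entity.
cscaTypeTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CscaTypeEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This table lists the aggregated statistics for each detected
        attack in a network controlled by a service control entity."
    ::= { ciscoServiceControlAttackMIBObjects 2 }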
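-- Conceptual row of cscaTypeTable, indexed by physical entity and attack
-- type. Per the DESCRIPTION the rows exist from initialization of the
-- service control entity; no row creation object is defined.
cscaTypeEntry OBJECT-TYPE
    SYNTAX          CscaTypeEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This entry contains information for an attack detected by the
        service control entity.

        The service control entity can report a number of attack types,
        the cscaTypeTable is created during the initialization of the
        service control entity and is valid while the service control
        entity is operational."
    INDEX           {
                        entPhysicalIndex,
                        cscaTypeIndex
                    }
    ::= { cscaTypeTable 1 }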
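-- Column list of cscaTypeTable, in OID order 1 to 9.
CscaTypeEntry ::= SEQUENCE {
        cscaTypeIndex                   CscaAttackType,
        cscaTypeCurrentNumAttacks       Gauge32,
        cscaTypeTotalNumAttacks         Counter32,
        cscaTypeTotalNumFlows           Counter64,
        cscaTypeTotalNumSeconds         Counter32,
        cscaTypeOriginatedByNetworkSide TruthValue,
        cscaTypeProtocol                Integer32,
        cscaTypeIsPortSpecific          TruthValue,
        cscaTypeIPsDetected             Integer32
}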
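-- Index column: attack type, restricted here to 1..64.
-- NOTE(review): the notification object cscaType uses CscaAttackType
-- without this range; a receiver using cscaType as a row index should
-- handle a value outside 1..64.
cscaTypeIndex OBJECT-TYPE
    SYNTAX          CscaAttackType (1..64)
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object uniquely identifies the attack type."
    ::= { cscaTypeEntry 1 }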
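-- Gauge of attacks of this type that are ongoing right now. Being a
-- Gauge32 it can go down as well as up, so it is the column to alert on
-- for a current attack; the Counter columns are for rates and history.
cscaTypeCurrentNumAttacks OBJECT-TYPE
    SYNTAX          Gauge32
    UNITS           "attacks"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the current number of ongoing attacks of
        this type, that the service control entity has detected in the
        network."
    ::= { cscaTypeEntry 2 }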
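-- Running count of attacks of this type.
-- NOTE(review): 'the last discontinuity' presumably refers to
-- cscaLastDiscontinuityTimeStamp defined in this module; a poller should
-- read that object too before computing a delta. TODO confirm.
cscaTypeTotalNumAttacks OBJECT-TYPE
    SYNTAX          Counter32
    UNITS           "attacks"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the total number of attacks of this type
        since the last discontinuity."
    ::= { cscaTypeEntry 3 }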
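-- Running count of IP flows on which this attack type was detected.
-- Counter64 cannot be carried by SNMPv1, so this column is only visible
-- to SNMPv2c or SNMPv3 pollers.
cscaTypeTotalNumFlows OBJECT-TYPE
    SYNTAX          Counter64
    UNITS           "IP flows"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the total number of IP flows on which
        this type of attack has been detected, since the last
        discontinuity."
    ::= { cscaTypeEntry 4 }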
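-- Accumulated attack duration for this type, in seconds.
-- NOTE(review): the text does not say whether overlapping attacks of the
-- same type are counted once or once per attack.
cscaTypeTotalNumSeconds OBJECT-TYPE
    SYNTAX          Counter32
    UNITS           "seconds"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the accumulated duration in seconds
        belonging to this attack type, since the last discontinuity."
    ::= { cscaTypeEntry 5 }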
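-- Side on which this attack type originates.
-- NOTE(review): presumably true means Network side and false means
-- Subscriber side, going by the object name; the DESCRIPTION does not
-- state the mapping. TODO confirm.
cscaTypeOriginatedByNetworkSide OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates whether this attack type is originated
        from the Network side or from the Subscriber side."
    ::= { cscaTypeEntry 6 }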
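-- Protocol of this attack type.
-- NOTE(review): the values are listed only in the DESCRIPTION text; the
-- SYNTAX is a plain Integer32 rather than a named INTEGER enumeration,
-- so MIB browsers show the bare number. Collectors need their own
-- 1=TCP, 2=UDP, 3=ICMP, 4=Other mapping and should treat any other value
-- as unknown. These are not IANA protocol numbers.
cscaTypeProtocol OBJECT-TYPE
    SYNTAX          Integer32
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This enumerated object indicates the protocol type for this
        type of attack (TCP/UDP/ICMP/etc). The values for this object
        are:

        (1) TCP
        (2) UDP
        (3) ICMP
        (4) Other"
    ::= { cscaTypeEntry 7 }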
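-- Whether this attack type is tied to a port. Useful when interpreting
-- cscaAttackedPort in a cscaFilterChange notification, which is only
-- meaningful 'if relevant for this type of attack'.
cscaTypeIsPortSpecific OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates whether the attack type is port-specific
        or not."
    ::= { cscaTypeEntry 8 }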
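-- Which end point addresses the detector knows for this attack type.
-- NOTE(review): as with cscaTypeProtocol, the values exist only in the
-- DESCRIPTION text (plain Integer32, no named enumeration). When only
-- one side is detected, the other address in a cscaFilterChange
-- notification is presumably not meaningful. TODO confirm.
cscaTypeIPsDetected OBJECT-TYPE
    SYNTAX          Integer32
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates which IPs are detected in this type of
        attack. The enumerated values are:
        (1) Originating Side IP is detected.
        (2) Attacked Side IP is detected.
        (3) Both side IPs are detected."
    ::= { cscaTypeEntry 9 }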
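-- Attack filtering (mitigation) time table, one row per physical entity.
cscaInfoTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CscaInfoEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This table lists information for attack mitigation, also
        referred to as attack filtering, done by a service control
        entity in the monitored network."
    ::= { ciscoServiceControlAttackMIBObjects 3 }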
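-- Conceptual row of cscaInfoTable. The only index is entPhysicalIndex,
-- so the values are totals over all attack types on that entity.
cscaInfoEntry OBJECT-TYPE
    SYNTAX          CscaInfoEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This entry contains information about attack mitigation done by
        a physical service control entity, for attacks which it has
        detected."
    INDEX           { entPhysicalIndex }
    ::= { cscaInfoTable 1 }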
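-- Column list of cscaInfoTable. Note the mixed units: the Counter32
-- columns are declared in seconds, while TimeInterval (SNMPv2-TC) is
-- measured in hundredths of a second.
CscaInfoEntry ::= SEQUENCE {
        cscaInfoUpStreamAttackFilteringTime       Counter32,
        cscaInfoUpStreamLastAttackFilteringTime   TimeInterval,
        cscaInfoDownStreamAttackFilteringTime     Counter32,
        cscaInfoDownStreamLastAttackFilteringTime TimeInterval
}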
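-- Cumulative seconds during which upstream attacks were filtered.
-- NOTE(review): unlike the cscaTypeTable counters, the DESCRIPTION does
-- not mention a discontinuity; presumably
-- cscaLastDiscontinuityTimeStamp applies here as well. TODO confirm.
cscaInfoUpStreamAttackFilteringTime OBJECT-TYPE
    SYNTAX          Counter32
    UNITS           "seconds"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the cumulative time during which attacks
        in the up-stream direction were filtered."
    ::= { cscaInfoEntry 1 }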
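-- Time elapsed since the previous upstream attack ended.
-- TimeInterval is measured in hundredths of a second (SNMPv2-TC), not in
-- seconds like the neighbouring Counter32 column.
-- NOTE(review): the value reported when no upstream attack has ended yet
-- is not specified.
cscaInfoUpStreamLastAttackFilteringTime OBJECT-TYPE
    SYNTAX          TimeInterval
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the time since the previous attack in the
        upstream direction has ended. Attack end is reached when the
        service control entity attack detector identifies that the
        attack characteristics (like high flow rate) no longer exist,
        and the attack is suppressed in the up-stream traffic."
    ::= { cscaInfoEntry 2 }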
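-- Cumulative seconds during which downstream attacks were filtered.
-- NOTE(review): no discontinuity is mentioned in the DESCRIPTION;
-- presumably cscaLastDiscontinuityTimeStamp applies. TODO confirm.
cscaInfoDownStreamAttackFilteringTime OBJECT-TYPE
    SYNTAX          Counter32
    UNITS           "seconds"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the cumulative time during which attacks
        in the down-stream direction were filtered."
    ::= { cscaInfoEntry 3 }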
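-- Time elapsed since the previous downstream attack ended.
-- TimeInterval is measured in hundredths of a second (SNMPv2-TC), not in
-- seconds like the neighbouring Counter32 column.
-- NOTE(review): the value reported when no downstream attack has ended
-- yet is not specified.
cscaInfoDownStreamLastAttackFilteringTime OBJECT-TYPE
    SYNTAX          TimeInterval
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the time since the previous attack in the
        downstream direction has ended. Attack end is reached when the
        service control entity attack detector identifies that the
        attack characteristics (like high flow rate) no longer exist,
        and the attack is suppressed in the down-stream traffic."
    ::= { cscaInfoEntry 4 }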
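-- Attack type carried in the cscaFilterChange notification. It is
-- accessible-for-notify, so it cannot be read with GET; use its value as
-- the cscaTypeIndex part of a cscaTypeTable row index.
-- NOTE(review): the DESCRIPTION mentions looking up the attack type
-- 'name', but cscaTypeTable as defined in this module has no name
-- column.
cscaType OBJECT-TYPE
    SYNTAX          CscaAttackType
    MAX-ACCESS      accessible-for-notify
    STATUS          current
    DESCRIPTION
        "This object indicates the type of an attack detected and
        reported by the service control entity.

        There are numerous attack types, based on the service control
        entity's definition. The service control entity monitors and
        mitigates a predefined set of attack type. The value of this
        object should be used as index to table cscaTypeTable in order
        to query for information regarding this attack type, such as
        its
        name and other statistics."
    ::= { cscaFilterMIBObjects 1 }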
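-- Address family discriminator for cscaSourceAddress. A receiver must
-- decode cscaSourceAddress according to this value rather than guessing
-- from the octet length.
cscaSourceAddressType OBJECT-TYPE
    SYNTAX          InetAddressType
    MAX-ACCESS      accessible-for-notify
    STATUS          current
    DESCRIPTION
        "This object indicates the address type for cscaSourceAddress."
    ::= { cscaFilterMIBObjects 2 }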
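-- Source end point of the attack, sent only inside the notification.
-- NOTE(review): for attack types where cscaTypeIPsDetected reports that
-- only the attacked side is detected, the content of this object is not
-- specified; receivers should not treat it as a confirmed attacker
-- address without checking that column.
cscaSourceAddress OBJECT-TYPE
    SYNTAX          InetAddress
    MAX-ACCESS      accessible-for-notify
    STATUS          current
    DESCRIPTION
        "This object indicates the network address that is the source
        end point of this attack."
    ::= { cscaFilterMIBObjects 3 }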
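-- Address family discriminator for cscaDestinationAddress; decode that
-- object according to this value.
cscaDestinationAddressType OBJECT-TYPE
    SYNTAX          InetAddressType
    MAX-ACCESS      accessible-for-notify
    STATUS          current
    DESCRIPTION
        "This object indicates the address type for
        cscaDestinationAddress."
    ::= { cscaFilterMIBObjects 4 }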
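-- Destination end point of the attack, sent only inside the
-- notification.
-- NOTE(review): for attack types where cscaTypeIPsDetected reports that
-- only the originating side is detected, the content of this object is
-- not specified.
cscaDestinationAddress OBJECT-TYPE
    SYNTAX          InetAddress
    MAX-ACCESS      accessible-for-notify
    STATUS          current
    DESCRIPTION
        "This object indicates the network address that is the
        destination end point of this attack."
    ::= { cscaFilterMIBObjects 5 }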
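-- Port under attack, sent only inside the notification.
-- NOTE(review): the value used when the port is not relevant is not
-- defined here; check cscaTypeIsPortSpecific for the attack type before
-- acting on this field (for example before building a block rule).
cscaAttackedPort OBJECT-TYPE
    SYNTAX          InetPortNumber
    MAX-ACCESS      accessible-for-notify
    STATUS          current
    DESCRIPTION
        "This object indicates the port on which this attack occurs, if
        relevant for this type of attack."
    ::= { cscaFilterMIBObjects 6 }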
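-- State of the attack filter reported in the notification. Following
-- the module DESCRIPTION, activated corresponds to attack start
-- (mitigation begins) and deactivated to attack end (mitigation stops).
cscaFilterStatus OBJECT-TYPE
    SYNTAX          INTEGER  {
                        activated(1),
                        deactivated(2)
                    }
    MAX-ACCESS      accessible-for-notify
    STATUS          current
    DESCRIPTION
        "This object indicates the status of the filter for this attack.
        The values for this object are '1' (activated) and '2'
        (de-activated)."
    ::= { cscaFilterMIBObjects 7 }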
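-- Switch for the cscaFilterChange notification.
-- Security note: this is the only object in the module with MAX-ACCESS
-- read-write. Setting it to false(2) stops attack filter notifications,
-- so any party with SNMP write access to it can silence these alerts.
-- Limit write access (for example an SNMPv3 user with authentication and
-- privacy, and a VACM write view that excludes or tightly scopes this
-- object) and monitor its value for unexpected changes.
-- NOTE(review): no DEFVAL is given, so the initial state is decided by
-- the agent.
cscaNotifsEnabled OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object specifies whether the system generates the
        cscaFilterChange notification."
    ::= { cscaFilterMIBObjects 8 }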
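-- sysUpTime at the last counter discontinuity. Pollers should read this
-- together with the Counter32 and Counter64 columns: if it changed
-- between two polls, the delta between those polls is not valid.
-- NOTE(review): the DESCRIPTION does not list which counters it covers.
cscaLastDiscontinuityTimeStamp OBJECT-TYPE
    SYNTAX          TimeStamp
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the value of sysUpTime when the last
        discontinuity occurred."
    ::= { cscaFilterMIBObjects 9 }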
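-- Notification sent when an attack filter is activated or deactivated.
-- Its varbinds name the physical entity, the attack type, both end
-- points, the attacked port and the new filter status. Generation is
-- controlled by cscaNotifsEnabled.
-- NOTE(review): the DESCRIPTION refers to cscaDescription, but no object
-- of that name is defined in this module or listed in OBJECTS, so the
-- reason for the change is not carried in the notification.
-- Detection note: generation is limited to a five-second interval per
-- cscaType, so a receiver may not see every transition. Polling
-- cscaTypeCurrentNumAttacks and cscaTypeTotalNumAttacks gives a
-- cross-check that does not depend on notification delivery.
-- The varbinds expose attack source and destination addresses; where the
-- agent supports it, send them with SNMPv3 authentication and privacy
-- rather than in clear text.
cscaFilterChange NOTIFICATION-TYPE
    OBJECTS         {
                        entPhysicalName,
                        cscaType,
                        cscaSourceAddressType,
                        cscaSourceAddress,
                        cscaDestinationAddressType,
                        cscaDestinationAddress,
                        cscaAttackedPort,
                        cscaFilterStatus
                    }
    STATUS          current
    DESCRIPTION
        "The system generates this notification to indicate that the
        cscaFilterStatus of the attack filter for cscaType has changed
        due to the reason determined by cscaDescription. The system
        limits the generation of this notifications for the same
        cscaType to a five-second interval."
    ::= { ciscoServiceControlAttackMIBNotifs 1 }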
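-- Conformance
-- Subtrees for the compliance statement (1) and the object and
-- notification groups (2).

cscaMIBCompliances  OBJECT IDENTIFIER
    ::= { ciscoServiceControlAttackMIBConform 1 }

cscaMIBGroups  OBJECT IDENTIFIER
    ::= { ciscoServiceControlAttackMIBConform 2 }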
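-- Compliance statement: all five groups are mandatory.
-- Security note: there is no OBJECT clause with MIN-ACCESS read-only for
-- cscaNotifsEnabled, so a compliant agent has to accept writes to it.
-- Protection of that switch therefore rests on the SNMP access control
-- configuration of the deployment, not on the agent implementation.
cscaMIBCompliance MODULE-COMPLIANCE
    STATUS          current
    DESCRIPTION
        "The compliance statement for SNMP Agents which implement this
        MIB."

    MODULE          -- this module
    MANDATORY-GROUPS {
                        cscaMIBAttackTypeObjectGroup,
                        cscaMIBNotificationGroup,
                        cscaMIBAttackInfoObjectGroup,
                        cscaFilterObjectGroup,
                        cscaMIBNotifControlGroup
                    }
    ::= { cscaMIBCompliances 1 }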
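-- Units of Conformance

-- Group of the readable cscaTypeTable columns (columns 2 to 9). The
-- index column cscaTypeIndex is not-accessible and so is not listed.
cscaMIBAttackTypeObjectGroup OBJECT-GROUP
    OBJECTS         {
                        cscaTypeCurrentNumAttacks,
                        cscaTypeTotalNumAttacks,
                        cscaTypeTotalNumFlows,
                        cscaTypeTotalNumSeconds,
                        cscaTypeOriginatedByNetworkSide,
                        cscaTypeProtocol,
                        cscaTypeIsPortSpecific,
                        cscaTypeIPsDetected
                    }
    STATUS          current
    DESCRIPTION
        "A collection of objects which provides attack information."
    ::= { cscaMIBGroups 1 }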
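-- Group of all four cscaInfoTable columns (upstream and downstream
-- filtering times).
cscaMIBAttackInfoObjectGroup OBJECT-GROUP
    OBJECTS         {
                        cscaInfoUpStreamAttackFilteringTime,
                        cscaInfoUpStreamLastAttackFilteringTime,
                        cscaInfoDownStreamAttackFilteringTime,
                        cscaInfoDownStreamLastAttackFilteringTime
                    }
    STATUS          current
    DESCRIPTION
        "A collection of objects which provides attack filtering times
        for upstream and down stream attacks."
    ::= { cscaMIBGroups 2 }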
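-- Notification group; cscaFilterChange is the only notification the
-- module defines.
cscaMIBNotificationGroup NOTIFICATION-GROUP
    NOTIFICATIONS    { cscaFilterChange }
    STATUS          current
    DESCRIPTION
        "A collection of notification which provides status change
        information for attack filters."
    ::= { cscaMIBGroups 3 }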
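-- Group of the cscaFilterMIBObjects scalars other than
-- cscaNotifsEnabled. The first seven are accessible-for-notify varbinds
-- of cscaFilterChange; cscaLastDiscontinuityTimeStamp is a read-only
-- scalar that is grouped here although it is not part of the
-- notification.
cscaFilterObjectGroup OBJECT-GROUP
    OBJECTS         {
                        cscaType,
                        cscaSourceAddressType,
                        cscaSourceAddress,
                        cscaDestinationAddressType,
                        cscaDestinationAddress,
                        cscaAttackedPort,
                        cscaFilterStatus,
                        cscaLastDiscontinuityTimeStamp
                    }
    STATUS          current
    DESCRIPTION
        "A collection of objects which define each attack filter and
        its status."
    ::= { cscaMIBGroups 4 }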
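-- Group holding the single notification control object. Because the
-- group is mandatory in cscaMIBCompliance, every compliant agent exposes
-- the writable cscaNotifsEnabled switch.
cscaMIBNotifControlGroup OBJECT-GROUP
    OBJECTS         { cscaNotifsEnabled }
    STATUS          current
    DESCRIPTION
        "A collection of object(s) to control the enable/disable
        state of notification generation."
    ::= { cscaMIBGroups 5 }
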
END