1-- CISCO-CIDS-MIB.my : Cisco Intrusion Detection System MIB 2-- 3-- March 2006, Shane J London 4-- 5-- Copyright (c) 2003, 2005-2006-2009-2013 by Cisco Systems Inc. 6-- All rights reserved 7 8CISCO-CIDS-MIB DEFINITIONS ::= BEGIN 9 10IMPORTS 11 MODULE-IDENTITY, 12 OBJECT-TYPE, 13 NOTIFICATION-TYPE, 14 Integer32, 15 Unsigned32, 16 Counter32, 17 TimeTicks, 18 Gauge32, 19 OBJECT-IDENTITY 20 FROM SNMPv2-SMI 21 MODULE-COMPLIANCE, 22 NOTIFICATION-GROUP, 23 OBJECT-GROUP 24 FROM SNMPv2-CONF 25 TEXTUAL-CONVENTION, 26 TruthValue, 27 DateAndTime, 28 DisplayString 29 FROM SNMPv2-TC 30 SnmpAdminString 31 FROM SNMP-FRAMEWORK-MIB 32 InterfaceIndex 33 FROM IF-MIB 34 Unsigned64, 35 CiscoIpProtocol 36 FROM CISCO-TC 37 ciscoMgmt 38 FROM CISCO-SMI; 39 40 41ciscoCidsMIB MODULE-IDENTITY 42 LAST-UPDATED "201308090000Z" 43 ORGANIZATION "Cisco Systems, Inc." 44 CONTACT-INFO 45 "Cisco Systems 46 Customer Service 47 48 Postal: 170 W Tasman Drive 49 San Jose, CA 95134 50 USA 51 52 Tel: +1 800 553-NETS 53 54 E-mail: cs-netranger@cisco.com" 55 DESCRIPTION 56 "Cisco Intrusion Detection System MIB. Provides 57 trap definitions for the evAlert and evError 58 elements of the IDIOM (Intrusion Detection and 59 Operations Messages) document and read support 60 for the Intrusion Detection System (sensor) 61 health information, such as if the sensor is 62 in a memory critical stage." 63 REVISION "201308080000Z" 64 DESCRIPTION 65 "Added the following TEXTUAL-CONVENTIONS: 66 CidsApplicationStatus 67 CidsHealthStatusColor 68 69 Added the following health group: 70 ciscoCidsHealthObjectGroupRev1 71 72 Added the following TRAP notifications group: 73 ciscoCidsNotificationsGroupRev1 74 75 Deprecated cidsAlertInterfaceGroup to replace it with 76 cidsAlertVirtualSensor since the datatype is incorrect 77 (CSCsv26568)." 78 REVISION "200806260000Z" 79 DESCRIPTION 80 "Added the following alert action objects: 81 cidsAlertDenyPacket, 82 cidsAlertBlockHost, 83 cidsAlertTcpOneWayResetSent. 84 Added ciscoCidsOptionalObjectGroupRev2, 85 ciscoCidsMIBComplianceRev3." 86 REVISION "200603020000Z" 87 DESCRIPTION 88 "Added the CidsTargetValue and CidsAttackRelevance 89 textual conventions. Added the following alert 90 objects: 91 cidsAlertThreatValueRating 92 cidsAlertRiskRatingTargetValue 93 cidsAlertRiskRatingRelevance 94 cidsAlertRiskRatingWatchList" 95 REVISION "200510100000Z" 96 DESCRIPTION 97 "Added errEngineBuildFailed to the CidsErrorCode 98 textual convention. Added the following alert 99 action objects: 100 cidsAlertDeniedAttacker 101 cidsAlertDeniedFlow 102 cidsAlertDenyPacketReqNotPerf 103 cidsAlertDenyFlowReqNotPerf 104 cidsAlertDenyAttackerReqNotPerf 105 cidsAlertBlockConnectionReq 106 cidsAlertLogAttackerPacketsAct 107 cidsAlertLogVictimPacketsAct 108 cidsAlertLogPairPacketsActivated 109 cidsAlertRateLimitRequested 110 cidsAlertDeniedAttackVictimPair 111 cidsAlertDeniedAttackSericePair 112 cidsAlertDenyAttackVicReqNotPerf 113 cidsAlertDenyAttackSerReqNotPerf 114 Added the cidsAlertIfIndex and cidsAlertProtocol 115 objects." 116 REVISION "200312180000Z" 117 DESCRIPTION 118 "Initial version of this MIB module." 119 ::= { ciscoMgmt 383 } 120 121 122ciscoCidsMIBNotifs OBJECT IDENTIFIER 123 ::= { ciscoCidsMIB 0 } 124 125ciscoCidsMIBObjects OBJECT IDENTIFIER 126 ::= { ciscoCidsMIB 1 } 127 128ciscoCidsMIBConform OBJECT IDENTIFIER 129 ::= { ciscoCidsMIB 2 } 130 131cidsGeneral OBJECT IDENTIFIER 132 ::= { ciscoCidsMIBObjects 1 } 133 134cidsAlert OBJECT IDENTIFIER 135 ::= { ciscoCidsMIBObjects 2 } 136 137cidsError OBJECT IDENTIFIER 138 ::= { ciscoCidsMIBObjects 3 } 139 140 141CidsHealthStatusColor ::= TEXTUAL-CONVENTION 142 STATUS current 143 DESCRIPTION 144 "An enumerated value which identifies the status colors for 145 health related statistics. The colors are chosen since they are 146 commonly used in health dashboards when visualizing the status 147 of a component and should generally be understood. 148 149 green 150 Indicates sensor health status is good and currently no 151 issues. 152 153 yellow 154 Indicates degrade in health status. 155 please monitor closely until the status changes back to 156 green. 157 158 red 159 A problem has occurred and the status is unhealthy immediate 160 attention is needed." 161 SYNTAX INTEGER { 162 green(1), 163 yellow(2), 164 red(3) 165 } 166 167CidsApplicationStatus ::= TEXTUAL-CONVENTION 168 STATUS current 169 DESCRIPTION 170 "An enumerated value which identifies the status values that 171 are possible for a process. 172 173 notResponding 174 The process is no longer responding and may be down. 175 176 notRunning 177 The process is not currently running. 178 179 processingTransaction 180 The process is currently processing a control transaction. 181 182 reconfiguring 183 The configuration for this process is being changed. 184 185 running 186 The process is up and running. 187 188 starting 189 The process is starting and will be up and running 190 momentarily. 191 192 stopping 193 The process is currently being shut down. 194 195 unknown 196 Unable to determine the current process status. 197 198 upgradeInprogress 199 The process is currently being upgraded." 200 SYNTAX INTEGER { 201 notResponding(1), 202 notRunning(2), 203 processingTransaction(3), 204 reconfiguring(4), 205 running(5), 206 starting(6), 207 stopping(7), 208 unknown(8), 209 upgradeInprogress(9) 210 } 211cidsHealth OBJECT IDENTIFIER 212 ::= { ciscoCidsMIBObjects 4 } 213 214 215-- Textual Conventions 216 217CidsErrorCode ::= TEXTUAL-CONVENTION 218 STATUS current 219 DESCRIPTION 220 "An enumerated value which identifies the general 221 category of error that occurred. 222 223 errAuthenticationTokenExpired 224 The requested action could not be carried out 225 because the requestor has provided an 226 authentication token (e.g. password) that has 227 expired. 228 errConfigCollision 229 The value of the config-token request 230 parameter in a setComponentConfig control 231 transaction request does not match the 232 current configuration document on the target 233 host. Typically this indicates that the 234 configuration on the target host has been 235 modified by another user. 236 errInUse 237 The requested action could not be completed 238 because it requires access to a resource 239 that is in use. 240 errInvalidDocument 241 The request contained a document that was 242 not well-formed, contained an incorrect root 243 element, or contained additional elements or 244 attributes that are not permitted by the lax 245 IDIOM schema. 246 errLimitExceeded 247 The requested action could not be completed 248 because it would create a resource that 249 would exceed a system resource limit. 250 errNotAvailable 251 The requested action is supported but cannot 252 be performed due to the current 253 configuration of the target host. 254 errNotFound 255 A resource specified in the request does 256 not exist. 257 errNotSupported 258 The requested action is not supported on 259 the target host. 260 errPermissionDenied 261 The requestor does not have a sufficiently 262 high authorization level to perform the 263 requested action. 264 errSyslog 265 Used to convey messages of interest from 266 the host system's syslog. 267 errSystemError 268 A system error occurred, such as an 269 out-of-memory condition, disk access error, 270 etc. 271 errTransport 272 The requested action could not be carried 273 out because of a communications failure 274 with another host that is involved in the 275 action. 276 errUnacceptableValue 277 The request document was valid but 278 contained one or more values that could 279 not be accepted because they either: 280 (1) conflict with other values in the same 281 document or (2) are not acceptable due to 282 the current state of the system. 283 errUnclassified 284 Used to convey an unclassified error 285 condition. 286 errWarning 287 Used to convey a software warning 288 condition detected by an application 289 running on the host system. 290 errEngineBuildFailed 291 The system failed to build an intrusion 292 detection engine." 293 SYNTAX INTEGER { 294 errAuthenticationTokenExpired(1), 295 errConfigCollision(2), 296 errInUse(3), 297 errInvalidDocument(4), 298 errLimitExceeded(5), 299 errNotAvailable(6), 300 errNotFound(7), 301 errNotSupported(8), 302 errPermissionDenied(9), 303 errSyslog(10), 304 errSystemError(11), 305 errTransport(12), 306 errUnacceptableValue(13), 307 errUnclassified(14), 308 errWarning(15), 309 errEngineBuildFailed(16) 310 } 311 312CidsTargetValue ::= TEXTUAL-CONVENTION 313 STATUS current 314 DESCRIPTION 315 "An enumerated value which identifies the asset 316 value associated with a target. 317 318 zeroValue 319 Target has zero perceived value to the 320 network. 321 low 322 Target has low perceived value to the 323 network. 324 medium 325 Target has medium perceived value to the 326 network. 327 high 328 Target has high perceived value to the 329 network. 330 missionCritical 331 Target is a mission critical component 332 in the network." 333 SYNTAX INTEGER { 334 zeroValue(1), 335 low(2), 336 medium(3), 337 high(4), 338 missionCritical(5) 339 } 340 341CidsAttackRelevance ::= TEXTUAL-CONVENTION 342 STATUS current 343 DESCRIPTION 344 "An enumerated value which identifies an attack's 345 relevance to its target. 346 347 relevant 348 The attack is relevant to the target. 349 notRelevant 350 The attack is not relevant to the target. 351 unknown 352 The relevancy of the attack is unknown." 353 SYNTAX INTEGER { 354 relevant(1), 355 notRelevant(2), 356 unknown(3) 357 } 358 359-- General 360 361cidsGeneralEventId OBJECT-TYPE 362 SYNTAX Unsigned64 363 MAX-ACCESS accessible-for-notify 364 STATUS current 365 DESCRIPTION 366 "Identifies the sequence number of an event. 367 This value needs to be unique within the scope 368 of the originating host." 369 ::= { cidsGeneral 1 } 370 371cidsGeneralLocalTime OBJECT-TYPE 372 SYNTAX DateAndTime 373 MAX-ACCESS accessible-for-notify 374 STATUS current 375 DESCRIPTION 376 "The local time on the Cisco intrusion detection 377 system sensor when the alert was generated." 378 ::= { cidsGeneral 2 } 379 380cidsGeneralUTCTime OBJECT-TYPE 381 SYNTAX DateAndTime 382 MAX-ACCESS accessible-for-notify 383 STATUS current 384 DESCRIPTION 385 "The UTC time on the Cisco intrusion detection 386 system sensor when the alert was generated." 387 ::= { cidsGeneral 3 } 388 389cidsGeneralOriginatorHostId OBJECT-TYPE 390 SYNTAX SnmpAdminString 391 MAX-ACCESS accessible-for-notify 392 STATUS current 393 DESCRIPTION 394 "A globally unique identifier for a Cids host. Could 395 be a host name or an IP address." 396 ::= { cidsGeneral 4 } 397 398cidsGeneralOriginatorAppName OBJECT-TYPE 399 SYNTAX SnmpAdminString 400 MAX-ACCESS accessible-for-notify 401 STATUS current 402 DESCRIPTION 403 "The optional generic name of a Cids application." 404 ::= { cidsGeneral 5 } 405 406cidsGeneralOriginatorAppId OBJECT-TYPE 407 SYNTAX SnmpAdminString 408 MAX-ACCESS accessible-for-notify 409 STATUS current 410 DESCRIPTION 411 "The optional id of this instance of the application. 412 Typically the process id (pid)." 413 ::= { cidsGeneral 6 } 414 415cidsNotificationsEnabled OBJECT-TYPE 416 SYNTAX TruthValue 417 MAX-ACCESS read-write 418 STATUS current 419 DESCRIPTION 420 "Indicates whether notifications will or will not 421 be sent when an event is generated by the device." 422 DEFVAL { false } 423 ::= { cidsGeneral 7 } 424 425-- Alert 426 427cidsAlertSeverity OBJECT-TYPE 428 SYNTAX SnmpAdminString 429 MAX-ACCESS accessible-for-notify 430 STATUS current 431 DESCRIPTION 432 "The severity associated with a Cids signature 433 (informational, low, medium or high for 434 example)." 435 ::= { cidsAlert 1 } 436 437cidsAlertAlarmTraits OBJECT-TYPE 438 SYNTAX Unsigned32 439 MAX-ACCESS accessible-for-notify 440 STATUS current 441 DESCRIPTION 442 "The alarm traits is an unsigned 16-bit integer 443 representing the value of the 16 user-defined 444 alarm traits specified in the configuration for 445 the signature that triggered the alert. The 446 alarmTraits bits are used to classify signatures 447 into user-defined categories or groups." 448 ::= { cidsAlert 2 } 449 450cidsAlertSignature OBJECT-TYPE 451 SYNTAX SnmpAdminString (SIZE (1..64)) 452 MAX-ACCESS accessible-for-notify 453 STATUS current 454 DESCRIPTION 455 "Content is a string containing details about the 456 signature that fired, without any specifics tied 457 to this instance of the alert. The 458 cidsAlertSignatureSigName, cidsAlertSignatureSigId 459 and cidsAlertSignatureSubSigId attributes define 460 the signature that triggered this Alert." 461 ::= { cidsAlert 3 } 462 463cidsAlertSignatureSigName OBJECT-TYPE 464 SYNTAX SnmpAdminString (SIZE (1..64)) 465 MAX-ACCESS accessible-for-notify 466 STATUS current 467 DESCRIPTION 468 "The name of the Intrusion detection signature 469 that triggered this event." 470 ::= { cidsAlert 4 } 471 472cidsAlertSignatureSigId OBJECT-TYPE 473 SYNTAX Unsigned32 474 MAX-ACCESS accessible-for-notify 475 STATUS current 476 DESCRIPTION 477 "The ID of the Intrusion detection signature 478 that triggered this event. The ID combines 479 with the cidsAlertSignatureSubSigId to 480 create a unique key that identifies the 481 signature that generated this event." 482 ::= { cidsAlert 5 } 483 484cidsAlertSignatureSubSigId OBJECT-TYPE 485 SYNTAX Unsigned32 486 MAX-ACCESS accessible-for-notify 487 STATUS current 488 DESCRIPTION 489 "The optional Sub ID of the Intrusion detection 490 signature that triggered this event. The Sub 491 ID combines with the cidsAlertSignatureSigId 492 to create a unique key that identifies the 493 signature that generated this event." 494 ::= { cidsAlert 6 } 495 496cidsAlertSignatureVersion OBJECT-TYPE 497 SYNTAX SnmpAdminString (SIZE (1..64)) 498 MAX-ACCESS accessible-for-notify 499 STATUS current 500 DESCRIPTION 501 "The optional version attribute defines the version 502 number of the signature update in which the triggering 503 signature was introduced or was last modified. 504 Example: 4.1(1.1)S47(0.1)" 505 ::= { cidsAlert 7 } 506 507cidsAlertSummary OBJECT-TYPE 508 SYNTAX Unsigned32 509 MAX-ACCESS accessible-for-notify 510 STATUS current 511 DESCRIPTION 512 "Optional, if present, specifies that this is a 513 summary alert, representing one or more alerts with 514 common characteristics. The numeric value indicates 515 the number of times the signature fired since the 516 last summary alert with a matching 'initialAlert' 517 attribute value. The first and all subsequent 518 summary alerts in a sequence will use the eventId 519 of a previous non-summary evAlert in the initialAlert 520 attribute value. All alerts represented by the 521 summary alert share the same signature and 522 sub-signature id. The summaryType attribute defines 523 the common characteristic(s) of all alerts in the 524 summary. The 'final' attribute indicates whether 525 this is the last evAlert containing the same value 526 in the 'initialAlert' attribute. The 'final' 527 attribute may be omitted if and only if its value 528 is false." 529 ::= { cidsAlert 8 } 530 531cidsAlertSummaryType OBJECT-TYPE 532 SYNTAX SnmpAdminString (SIZE (0..16)) 533 MAX-ACCESS accessible-for-notify 534 STATUS current 535 DESCRIPTION 536 "Common characteristics shared by all non-summary 537 alerts included in a summary alert." 538 ::= { cidsAlert 9 } 539 540cidsAlertSummaryFinal OBJECT-TYPE 541 SYNTAX TruthValue 542 MAX-ACCESS accessible-for-notify 543 STATUS current 544 DESCRIPTION 545 "The optional 'final' attribute indicates whether 546 this is the last evAlert containing the same value 547 in the 'initialAlert' attribute. The 'final' 548 attribute may be omitted if and only if its value 549 is false." 550 ::= { cidsAlert 10 } 551 552cidsAlertSummaryInitialAlert OBJECT-TYPE 553 SYNTAX Unsigned64 554 MAX-ACCESS accessible-for-notify 555 STATUS current 556 DESCRIPTION 557 "Serial number for the initial alert, which is 558 guaranteed unique within the scope of the 559 originating host." 560 ::= { cidsAlert 11 } 561 562-- cidsAlertVirtualSensor object replaces cidsAlertInterfaceGroup 563-- object. 564 565cidsAlertInterfaceGroup OBJECT-TYPE 566 SYNTAX Integer32 (-2147483648..2147483647) 567 MAX-ACCESS accessible-for-notify 568 STATUS deprecated 569 DESCRIPTION 570 "This object indicates an optional numeric identifier for a 571 sniffing 572 interface group on this host." 573 ::= { cidsAlert 12 } 574 575cidsAlertVlan OBJECT-TYPE 576 SYNTAX Unsigned32 (0..65535) 577 MAX-ACCESS accessible-for-notify 578 STATUS current 579 DESCRIPTION 580 "An optional numeric identifier for a vlan. Identifies 581 the vlan that uses the number in ISL or 802.3.1q 582 headers." 583 ::= { cidsAlert 13 } 584 585cidsAlertVictimContext OBJECT-TYPE 586 SYNTAX SnmpAdminString 587 MAX-ACCESS accessible-for-notify 588 STATUS current 589 DESCRIPTION 590 "Optional Base64-encoded representation of the stream 591 data that was sourced by the victim." 592 ::= { cidsAlert 14 } 593 594cidsAlertAttackerContext OBJECT-TYPE 595 SYNTAX SnmpAdminString 596 MAX-ACCESS accessible-for-notify 597 STATUS current 598 DESCRIPTION 599 "Optional Base64-encoded representation of the stream 600 data that was sourced by the Attacker." 601 ::= { cidsAlert 15 } 602 603cidsAlertAttackerAddress OBJECT-TYPE 604 SYNTAX SnmpAdminString 605 MAX-ACCESS accessible-for-notify 606 STATUS current 607 DESCRIPTION 608 "Optional IP address and ports on a monitored 609 interface. The 'locality' attribute is a string 610 that indicates the relative location of the IP 611 address within the network mapping, such as whether 612 the address falls within the address range of a 613 protected network. The optional 'proxy' attribute 614 is 'true' if the sensor has reason to suspect that 615 the address given is not the address of the true 616 attacker. This could be a the result of address 617 spoofing or because the host has been compromised 618 and is acting as a 'zombie'. The 'proxy' attribute 619 may be omitted if and only if its value is false." 620 ::= { cidsAlert 16 } 621 622cidsAlertVictimAddress OBJECT-TYPE 623 SYNTAX SnmpAdminString 624 MAX-ACCESS accessible-for-notify 625 STATUS current 626 DESCRIPTION 627 "Optional IP address and ports on a monitored 628 interface. The 'locality' attribute is a string 629 that indicates the relative location of the IP 630 address within the network mapping, such as 631 whether the address falls within the address range 632 of a protected network. The 'osIdSource' attribute 633 represents the method that the operating system 634 of the victim was identified. The 'osType' 635 attribute represents the operating system of the 636 target system. The 'osRelevance' attribute 637 represents the relevance of an attack on the 638 operating system." 639 ::= { cidsAlert 17 } 640 641cidsAlertIpLoggingActivated OBJECT-TYPE 642 SYNTAX TruthValue 643 MAX-ACCESS accessible-for-notify 644 STATUS current 645 DESCRIPTION 646 "Indicates whether IP logging has been activated as 647 the result of the alert. A separate evIpLogStatus 648 event will be generated when logging has been 649 completed. The evIpLogStatus event contains the 650 URL where the log results may be obtained. This 651 element may be omitted if and only if its value 652 is false." 653 ::= { cidsAlert 18 } 654 655cidsAlertTcpResetSent OBJECT-TYPE 656 SYNTAX TruthValue 657 MAX-ACCESS accessible-for-notify 658 STATUS current 659 DESCRIPTION 660 "Indicates whether a attempt was made to reset a tcp 661 connection as the result of the alert. The addresses 662 and ports affected must be implied from the 663 information contained in the participant elements of 664 the evAlert. This element may be omitted if and only 665 if its value is false." 666 ::= { cidsAlert 19 } 667 668cidsAlertShunRequested OBJECT-TYPE 669 SYNTAX TruthValue 670 MAX-ACCESS accessible-for-notify 671 STATUS current 672 DESCRIPTION 673 "Indicates whether an IP address or tcp connection 674 has been requested to be shunned as a result of the 675 alert. Details about the addresses and ports 676 involved in the shun can be obtained from evNacStatus 677 events sent by the Network Access Controller 678 application. This element may be omitted if and only 679 if its value is false." 680 ::= { cidsAlert 20 } 681 682cidsAlertDetails OBJECT-TYPE 683 SYNTAX SnmpAdminString 684 MAX-ACCESS accessible-for-notify 685 STATUS current 686 DESCRIPTION 687 "Textual details about the specific alert instance, 688 not just the signature." 689 ::= { cidsAlert 21 } 690 691cidsAlertIpLogId OBJECT-TYPE 692 SYNTAX SnmpAdminString 693 MAX-ACCESS accessible-for-notify 694 STATUS current 695 DESCRIPTION 696 "IP log identifiers for IP logs that were added as 697 the result of this alert." 698 ::= { cidsAlert 22 } 699 700cidsThreatResponseStatus OBJECT-TYPE 701 SYNTAX SnmpAdminString 702 MAX-ACCESS accessible-for-notify 703 STATUS current 704 DESCRIPTION 705 "A brief textual description of the status of 706 the alarm given by the Cisco Systems Threat 707 Response engine." 708 ::= { cidsAlert 23 } 709 710cidsThreatResponseSeverity OBJECT-TYPE 711 SYNTAX Integer32 (-2147483648..2147483647) 712 MAX-ACCESS accessible-for-notify 713 STATUS current 714 DESCRIPTION 715 "The alarm severity as assigned by the Cisco Systems 716 Threat Response engine." 717 ::= { cidsAlert 24 } 718 719cidsAlertEventRiskRating OBJECT-TYPE 720 SYNTAX Unsigned32 721 MAX-ACCESS accessible-for-notify 722 STATUS current 723 DESCRIPTION 724 "A risk factor that incorporates several additional 725 pieces of information beyond the detection of a 726 potentially malicious action. The factors that 727 characterize this risk are the severity of the 728 attack if it were to succeed, the fidelity of the 729 signature, the relevance of the potential attack 730 with respect to the target host, and the overall 731 value of the target host to the customer." 732 ::= { cidsAlert 25 } 733 734cidsAlertIfIndex OBJECT-TYPE 735 SYNTAX InterfaceIndex 736 MAX-ACCESS accessible-for-notify 737 STATUS current 738 DESCRIPTION 739 "The ifIndex on which the activity was detected." 740 ::= { cidsAlert 26 } 741 742cidsAlertProtocol OBJECT-TYPE 743 SYNTAX CiscoIpProtocol 744 MAX-ACCESS accessible-for-notify 745 STATUS current 746 DESCRIPTION 747 "Identifies the IP protocol associated with the 748 alert." 749 ::= { cidsAlert 27 } 750 751cidsAlertDeniedAttacker OBJECT-TYPE 752 SYNTAX TruthValue 753 MAX-ACCESS accessible-for-notify 754 STATUS current 755 DESCRIPTION 756 "Indicates that the traffic from originating from 757 the attacker is being blocked as a result of the 758 alert. This element may be omitted if and only if 759 its value is false." 760 ::= { cidsAlert 28 } 761 762cidsAlertDeniedFlow OBJECT-TYPE 763 SYNTAX TruthValue 764 MAX-ACCESS accessible-for-notify 765 STATUS current 766 DESCRIPTION 767 "Indicates that the traffic on the TCP connection 768 being blocked as a result of the alert. This 769 element may be omitted if and only if its value 770 is false." 771 ::= { cidsAlert 29 } 772 773cidsAlertDenyPacketReqNotPerf OBJECT-TYPE 774 SYNTAX TruthValue 775 MAX-ACCESS accessible-for-notify 776 STATUS current 777 DESCRIPTION 778 "Indicates whether the packet that triggered the 779 alert would have been denied as a result of the 780 alert if the intrusion prevention system was 781 operating in inline mode. However, the packet 782 was not actually denied because the intrusion 783 prevention system was operating in promiscuous 784 mode. This element may be omitted if and only 785 if its value is false." 786 ::= { cidsAlert 30 } 787 788cidsAlertDenyFlowReqNotPerf OBJECT-TYPE 789 SYNTAX TruthValue 790 MAX-ACCESS accessible-for-notify 791 STATUS current 792 DESCRIPTION 793 "Indicates whether the flow that triggered the 794 alert would have been denied as a result of the 795 alert if the intrusion prevention system was 796 operating in inline mode. However, this action 797 was not actually taken because the intrusion 798 prevention system was operating in promiscuous 799 mode. This element may be omitted if and only 800 if its value is false." 801 ::= { cidsAlert 31 } 802 803cidsAlertDenyAttackerReqNotPerf OBJECT-TYPE 804 SYNTAX TruthValue 805 MAX-ACCESS accessible-for-notify 806 STATUS current 807 DESCRIPTION 808 "Indicates whether the traffic from the attacker 809 that triggered the alert would have been denied as 810 a result of the alert if the intrusion prevention 811 system was operating in inline mode. However, this 812 action was not actually taken because the intrusion 813 prevention system was operating in promiscuous 814 mode. This element may be omitted if and only if 815 its value is false." 816 ::= { cidsAlert 32 } 817 818cidsAlertBlockConnectionReq OBJECT-TYPE 819 SYNTAX TruthValue 820 MAX-ACCESS accessible-for-notify 821 STATUS current 822 DESCRIPTION 823 "Indicates that a TCP connection has been requested 824 to be blocked as a result of the alert. This element 825 may be omitted if and only if its value is false." 826 ::= { cidsAlert 33 } 827 828cidsAlertLogAttackerPacketsAct OBJECT-TYPE 829 SYNTAX TruthValue 830 MAX-ACCESS accessible-for-notify 831 STATUS current 832 DESCRIPTION 833 "Indicates that packets associated with the 834 attacker(s) identified by this alert are being 835 logged. This element may be omitted if and 836 only if its value is false." 837 ::= { cidsAlert 34 } 838 839cidsAlertLogVictimPacketsAct OBJECT-TYPE 840 SYNTAX TruthValue 841 MAX-ACCESS accessible-for-notify 842 STATUS current 843 DESCRIPTION 844 "Indicates that packets associated with the victim(s) 845 identified by this alert are being logged. This 846 element may be omitted if and only if its value is 847 false." 848 ::= { cidsAlert 35 } 849 850cidsAlertLogPairPacketsActivated OBJECT-TYPE 851 SYNTAX TruthValue 852 MAX-ACCESS accessible-for-notify 853 STATUS current 854 DESCRIPTION 855 "Indicates that packets associated with the 856 attacker/victim pair(s) identified by this alert 857 are being logged. This element may be omitted if 858 and only if its value is false." 859 ::= { cidsAlert 36 } 860 861cidsAlertRateLimitRequested OBJECT-TYPE 862 SYNTAX TruthValue 863 MAX-ACCESS accessible-for-notify 864 STATUS current 865 DESCRIPTION 866 "Indicates that traffic rate limiting based on the 867 source address and protocol associated with the alert 868 has been requested on external network devices. This 869 element may be omitted if and only if its value is 870 false." 871 ::= { cidsAlert 37 } 872 873cidsAlertDeniedAttackVictimPair OBJECT-TYPE 874 SYNTAX TruthValue 875 MAX-ACCESS accessible-for-notify 876 STATUS current 877 DESCRIPTION 878 "Indicates that traffic from originating from the 879 attackers address and destined for the victims address 880 identified in the alert is being denied as a result of 881 the alert. This element may be omitted if and only if 882 its value is false." 883 ::= { cidsAlert 38 } 884 885cidsAlertDeniedAttackSericePair OBJECT-TYPE 886 SYNTAX TruthValue 887 MAX-ACCESS accessible-for-notify 888 STATUS current 889 DESCRIPTION 890 "Indicates that traffic from originating from the 891 attackers address and destined for the destination 892 service port identified in the alert is being denied 893 as a result of the alert. This element may be omitted 894 if and only if its value is false." 895 ::= { cidsAlert 39 } 896 897cidsAlertDenyAttackVicReqNotPerf OBJECT-TYPE 898 SYNTAX TruthValue 899 MAX-ACCESS accessible-for-notify 900 STATUS current 901 DESCRIPTION 902 "Indicates that traffic from originating from the 903 attackers address and destined for the victims address 904 identified in the alert would have been denied as a 905 result of the alert if the intrusion prevention system 906 was operating in inline mode. However, this action was 907 not actually taken because the intrusion prevention 908 system was operating in promiscuous mode. This 909 element may be omitted if and only if its value is 910 false." 911 ::= { cidsAlert 40 } 912 913cidsAlertDenyAttackSerReqNotPerf OBJECT-TYPE 914 SYNTAX TruthValue 915 MAX-ACCESS accessible-for-notify 916 STATUS current 917 DESCRIPTION 918 "Indicates that traffic from originating from the 919 attackers address and destined for the destination 920 service port identified in the alert would have been 921 denied as a result of the alert if the intrusion 922 prevention system was operating in inline mode. 923 However, this action was not actually taken because 924 the intrusion prevention system was operating in 925 promiscuous mode. This element may be omitted if 926 and only if its value is false." 927 ::= { cidsAlert 41 } 928 929cidsAlertThreatValueRating OBJECT-TYPE 930 SYNTAX Unsigned32 931 MAX-ACCESS accessible-for-notify 932 STATUS current 933 DESCRIPTION 934 "Value that represents the calculated threat 935 associated with the detected activity. The threat 936 value consists of the cidsAlertEventRiskRating 937 adjusted for the mitigation action performed. 938 The threat value has a range between 0 and 100 939 (inclusive), where a value of 0 represents the 940 lowest threat and 100 the greatest threat." 941 ::= { cidsAlert 42 } 942 943cidsAlertRiskRatingTargetValue OBJECT-TYPE 944 SYNTAX CidsTargetValue 945 MAX-ACCESS accessible-for-notify 946 STATUS current 947 DESCRIPTION 948 "Represents the asset value associated with 949 a target identified in the alert." 950 ::= { cidsAlert 43 } 951 952cidsAlertRiskRatingRelevance OBJECT-TYPE 953 SYNTAX CidsAttackRelevance 954 MAX-ACCESS accessible-for-notify 955 STATUS current 956 DESCRIPTION 957 "Value that represents an attack's relevance to 958 the destination target of this alert." 959 ::= { cidsAlert 44 } 960 961cidsAlertRiskRatingWatchList OBJECT-TYPE 962 SYNTAX Unsigned32 963 MAX-ACCESS accessible-for-notify 964 STATUS current 965 DESCRIPTION 966 "Value that represents the amount that the risk 967 rating value was increased due to the source 968 of the activity associated with the alert being 969 on a watchlist." 970 ::= { cidsAlert 45 } 971 972cidsAlertDenyPacket OBJECT-TYPE 973 SYNTAX TruthValue 974 MAX-ACCESS accessible-for-notify 975 STATUS current 976 DESCRIPTION 977 "This object indicates that the traffic originating from 978 the attacker is being blocked as a result of the 979 alert. This element may be omitted if and only if 980 its value is 'false'." 981 ::= { cidsAlert 46 } 982 983cidsAlertBlockHost OBJECT-TYPE 984 SYNTAX TruthValue 985 MAX-ACCESS accessible-for-notify 986 STATUS current 987 DESCRIPTION 988 "This object indicates that a host has been requested 989 to be blocked as a result of the alert. This element 990 may be omitted if and only if its value is 'false'." 991 ::= { cidsAlert 47 } 992 993cidsAlertTcpOneWayResetSent OBJECT-TYPE 994 SYNTAX TruthValue 995 MAX-ACCESS accessible-for-notify 996 STATUS current 997 DESCRIPTION 998 "This object indicates an attempt to reset one side of the 999 connection (the victim side). The victim address and ports 1000 affected must be implied from the information contained in the 1001 participant elements of the alert. This element may be omitted 1002 if and only if its value is 'false'." 1003 ::= { cidsAlert 48 } 1004 1005cidsAlertVirtualSensor OBJECT-TYPE 1006 SYNTAX SnmpAdminString (SIZE (1..64)) 1007 MAX-ACCESS accessible-for-notify 1008 STATUS current 1009 DESCRIPTION 1010 "This object represents the name of the virtual sensor 1011 associated with an Intrusion Prevention System alert. From the 1012 virtual sensor name one can correlate which signature set and 1013 configuration to look at to trouble shoot or tune the behavior 1014 of the sensor. The virtual sensor name with the signature ID 1015 should help in identifying the correct instance of the signature 1016 that fired the alert." 1017 ::= { cidsAlert 49 } 1018 1019-- Error 1020 1021cidsErrorSeverity OBJECT-TYPE 1022 SYNTAX SnmpAdminString 1023 MAX-ACCESS accessible-for-notify 1024 STATUS current 1025 DESCRIPTION 1026 "Severity of an error (warning, error or fatal 1027 for example). An example of a type of error 1028 that could occur would be when a requested 1029 action could not be completed because it 1030 would create a resource that would exceed a 1031 system resource limit." 1032 ::= { cidsError 1 } 1033 1034cidsErrorName OBJECT-TYPE 1035 SYNTAX CidsErrorCode 1036 MAX-ACCESS accessible-for-notify 1037 STATUS current 1038 DESCRIPTION 1039 "An enumerated error code, which identifies a general 1040 class of errors." 1041 ::= { cidsError 2 } 1042 1043cidsErrorMessage OBJECT-TYPE 1044 SYNTAX SnmpAdminString 1045 MAX-ACCESS accessible-for-notify 1046 STATUS current 1047 DESCRIPTION 1048 "A textual description of the error that occurred." 1049 ::= { cidsError 3 } 1050 1051-- Health 1052 1053cidsHealthPacketLoss OBJECT-TYPE 1054 SYNTAX Integer32 (0..100) 1055 UNITS "percent" 1056 MAX-ACCESS read-only 1057 STATUS current 1058 DESCRIPTION 1059 "The percentage of packets lost at the device 1060 interface level." 1061 ::= { cidsHealth 1 } 1062 1063cidsHealthPacketDenialRate OBJECT-TYPE 1064 SYNTAX Integer32 (0..100) 1065 UNITS "percent" 1066 MAX-ACCESS read-only 1067 STATUS current 1068 DESCRIPTION 1069 "The percentage of packets denied due to 1070 protocol and security violations." 1071 ::= { cidsHealth 2 } 1072 1073cidsHealthAlarmsGenerated OBJECT-TYPE 1074 SYNTAX Counter32 1075 MAX-ACCESS read-only 1076 STATUS current 1077 DESCRIPTION 1078 "The number of alarms generated, includes 1079 all currently defined alarm severities." 1080 ::= { cidsHealth 3 } 1081 1082cidsHealthFragmentsInFRU OBJECT-TYPE 1083 SYNTAX Gauge32 1084 MAX-ACCESS read-only 1085 STATUS current 1086 DESCRIPTION 1087 "The number of fragments currently queued in the 1088 fragment reassembly unit." 1089 ::= { cidsHealth 4 } 1090 1091cidsHealthDatagramsInFRU OBJECT-TYPE 1092 SYNTAX Gauge32 1093 MAX-ACCESS read-only 1094 STATUS current 1095 DESCRIPTION 1096 "The number of datagrams currently queued in the 1097 fragment reassembly unit." 1098 ::= { cidsHealth 5 } 1099 1100cidsHealthTcpEmbryonicStreams OBJECT-TYPE 1101 SYNTAX Gauge32 1102 MAX-ACCESS read-only 1103 STATUS current 1104 DESCRIPTION 1105 "The number of embryonic TCP streams currently 1106 queued in the device. TCP streams are 1107 considered embryonic if they have not 1108 completed the TCP three-way handshake." 1109 ::= { cidsHealth 6 } 1110 1111cidsHealthTCPEstablishedStreams OBJECT-TYPE 1112 SYNTAX Gauge32 1113 MAX-ACCESS read-only 1114 STATUS current 1115 DESCRIPTION 1116 "The number of established TCP streams currently 1117 queued in the device. Once a stream has 1118 completed a TCP three-way handshake it will 1119 move to the established state." 1120 ::= { cidsHealth 7 } 1121 1122cidsHealthTcpClosingStreams OBJECT-TYPE 1123 SYNTAX Gauge32 1124 MAX-ACCESS read-only 1125 STATUS current 1126 DESCRIPTION 1127 "The number of closing TCP streams currently 1128 queued in the device. A stream will move 1129 from the established state to closing when 1130 a valid FIN or RST flag is received." 1131 ::= { cidsHealth 8 } 1132 1133cidsHealthTcpStreams OBJECT-TYPE 1134 SYNTAX Gauge32 1135 MAX-ACCESS read-only 1136 STATUS current 1137 DESCRIPTION 1138 "The number of TCP streams (embryonic, 1139 established and closing) currently queued 1140 in the device." 1141 ::= { cidsHealth 9 } 1142 1143cidsHealthActiveNodes OBJECT-TYPE 1144 SYNTAX Gauge32 1145 MAX-ACCESS read-only 1146 STATUS current 1147 DESCRIPTION 1148 "The number of active nodes currently queued in 1149 the device." 1150 ::= { cidsHealth 10 } 1151 1152cidsHealthTcpDualIpAndPorts OBJECT-TYPE 1153 SYNTAX Gauge32 1154 MAX-ACCESS read-only 1155 STATUS current 1156 DESCRIPTION 1157 "The number TCP nodes keyed on both IP addresses 1158 and both ports currently queued in the device." 1159 ::= { cidsHealth 11 } 1160 1161cidsHealthUdpDualIpAndPorts OBJECT-TYPE 1162 SYNTAX Gauge32 1163 MAX-ACCESS read-only 1164 STATUS current 1165 DESCRIPTION 1166 "The number UDP nodes keyed on both IP addresses 1167 and both ports currently queued in the device." 1168 ::= { cidsHealth 12 } 1169 1170cidsHealthIpDualIp OBJECT-TYPE 1171 SYNTAX Gauge32 1172 MAX-ACCESS read-only 1173 STATUS current 1174 DESCRIPTION 1175 "The number IP nodes keyed on both IP addresses 1176 currently queued in the device." 1177 ::= { cidsHealth 13 } 1178 1179cidsHealthIsSensorMemoryCritical OBJECT-TYPE 1180 SYNTAX Unsigned32 (0..10) 1181 MAX-ACCESS read-only 1182 STATUS current 1183 DESCRIPTION 1184 "A value between 0 and 10 that should rarely 1185 get above 3. If this is non-zero the sensor 1186 has stopped enforcing policy on some traffic in 1187 order to keep up with the current traffic load; 1188 the sensor is oversubscribed. The higher the 1189 number the more oversubscribed the sensor. It 1190 could be oversubscribed from a memory prospective 1191 and not traffic speed. For example on a 200 Mbit 1192 sensor this number might be 3 if the sensor was 1193 only seeing 100Mbit of traffic but 6000 1194 connections per second which is over the rated 1195 capacity of the sensor. When the sensor is 1196 in Memory Critical state then a ciscoCidsError 1197 trap will be sent accordingly." 1198 ::= { cidsHealth 14 } 1199 1200cidsHealthIsSensorActive OBJECT-TYPE 1201 SYNTAX TruthValue 1202 MAX-ACCESS read-only 1203 STATUS current 1204 DESCRIPTION 1205 "Indicates the failover status of the device. 1206 True indicates the device is currently active. 1207 False indicates it is in a standby mode." 1208 ::= { cidsHealth 15 } 1209 1210cidsHealthCommandAndControlPort OBJECT-TYPE 1211 SYNTAX SnmpAdminString 1212 MAX-ACCESS read-only 1213 STATUS current 1214 DESCRIPTION 1215 "The status and network statistics of the 1216 currently configured Command and Control 1217 interface on the device. The Command 1218 and Control interface is where all of the 1219 communications for command and control 1220 of the sensor occurs. This is important 1221 to identify what interface a user will 1222 communicate with to control the sensor 1223 remotely and general health statistics 1224 for that interface." 1225 ::= { cidsHealth 16 } 1226 1227cidsHealthSensorStatsResetTime OBJECT-TYPE 1228 SYNTAX TimeTicks 1229 MAX-ACCESS read-only 1230 STATUS current 1231 DESCRIPTION 1232 "The value of SNMPv2-MIB::sysUpTime 1233 when the Sensor specific statistics 1234 was reset. The reset time is 1235 collectively for the following objects: 1236 cidsHealthPacketLoss, 1237 cidsHealthPacketDenies, 1238 cidsHealthAlarmsGenerated, 1239 cidsHealthFragmentsInFRU, 1240 cidsHealthDatagramsInFRU, 1241 cidsHealthTcpEmbryonicStreams, 1242 cidsHealthTcpEstablishedStreams, 1243 cidsHealthTcpClosingStreams, 1244 cidsHealthTcpStreams" 1245 ::= { cidsHealth 17 } 1246 1247cidsHealthSecMonAvailability OBJECT-TYPE 1248 SYNTAX TruthValue 1249 MAX-ACCESS read-only 1250 STATUS current 1251 DESCRIPTION 1252 "This object indicates the availability of health and security 1253 monitor statistics. If the IPS health and security monitoring 1254 service is disabled, it will return false." 1255 ::= { cidsHealth 18 } 1256 1257cidsHealthSecMonOverallHealth OBJECT-TYPE 1258 SYNTAX CidsHealthStatusColor 1259 MAX-ACCESS read-only 1260 STATUS current 1261 DESCRIPTION 1262 "This object indicates IPS sensor's overall health value - 1263 green, yellow or red. The overall health status is set to the 1264 highest severity of all metrics that are configured to be 1265 applied to the IPS's health determination. For example, if the 1266 IPS is configured to use eight metrics to determine its health 1267 and seven of eight metrics are green while one of the metrics 1268 is 1269 red then the overall IPS health will be red. 1270 1271 This object is instantiated only if the value of cidsHealthSecMonAvailability is set to 'true'." 1272 ::= { cidsHealth 19 } 1273 1274cidsHealthSecMonSoftwareVersion OBJECT-TYPE 1275 SYNTAX DisplayString (SIZE (0..32)) 1276 MAX-ACCESS read-only 1277 STATUS current 1278 DESCRIPTION 1279 "This object indicates the IPS software version number (e.g., 1280 6.2(1)E3). 1281 1282 This object is instantiated only if the value of 1283 cidsHealthSecMonAvailability is set to 'true'." 1284 ::= { cidsHealth 20 } 1285 1286cidsHealthSecMonSignatureVersion OBJECT-TYPE 1287 SYNTAX DisplayString (SIZE (0..255)) 1288 MAX-ACCESS read-only 1289 STATUS current 1290 DESCRIPTION 1291 "This object indicates IPS signature version (e.g., 365.0). 1292 1293 This object is instantiated only if the value of 1294 cidsHealthSecMonAvailability is set to 'true'." 1295 ::= { cidsHealth 21 } 1296 1297cidsHealthSecMonLicenseStatus OBJECT-TYPE 1298 SYNTAX DisplayString (SIZE (0..255)) 1299 MAX-ACCESS read-only 1300 STATUS current 1301 DESCRIPTION 1302 "This object indicates IPS license status along with expiration 1303 date. For example it will contain the following possible 1304 values: 1305 1306 - signatureUpdateKey: Not expired until: <timestamp> 1307 - trialKey: Not expired until: <timestamp> 1308 - expiredLicense 1309 - noLicense 1310 - invalidLicense 1311 - unknown 1312 1313 The timestamp will be in the format: 1314 MM/DD/YYYY HH:MM:SS 1315 1316 This object is instantiated only if the value of 1317 cidsHealthSecMonAvailability is set to 'true'." 1318 ::= { cidsHealth 22 } 1319 1320cidsHealthSecMonOverallAppColor OBJECT-TYPE 1321 SYNTAX CidsHealthStatusColor 1322 MAX-ACCESS accessible-for-notify 1323 STATUS current 1324 DESCRIPTION 1325 "This object indicates the aggregate health status of the 1326 applications - Main, Analysis Engine, Collaboration - where the 1327 status is equal to the most severe status of all three 1328 applications. 1329 It is used in both the heart beat and the metric change health 1330 traps." 1331 ::= { cidsHealth 23 } 1332 1333cidsHealthSecMonMainAppStatus OBJECT-TYPE 1334 SYNTAX CidsApplicationStatus 1335 MAX-ACCESS read-only 1336 STATUS current 1337 DESCRIPTION 1338 "This object indicates the running status for the control plane. 1339 1340 This object is instantiated only if the value of 1341 cidsHealthSecMonAvailability is set to 'true'." 1342 ::= { cidsHealth 24 } 1343 1344cidsHealthSecMonAnalysisEngineStatus OBJECT-TYPE 1345 SYNTAX CidsApplicationStatus 1346 MAX-ACCESS read-only 1347 STATUS current 1348 DESCRIPTION 1349 "This object indicates the running status for the Analysis 1350 Engine. 1351 1352 This object is instantiated only if the value of cidsHealthSecMonAvailability is set to 'true'." 1353 ::= { cidsHealth 25 } 1354 1355cidsHealthSecMonCollaborationAppStatus OBJECT-TYPE 1356 SYNTAX CidsApplicationStatus 1357 MAX-ACCESS read-only 1358 STATUS current 1359 DESCRIPTION 1360 "This object indicates the running status for the Collaboration 1361 Application. 1362 1363 This object is instantiated only if the value of cidsHealthSecMonAvailability is set to 'true'." 1364 ::= { cidsHealth 26 } 1365 1366cidsHealthSecMonByPassMode OBJECT-TYPE 1367 SYNTAX TruthValue 1368 MAX-ACCESS accessible-for-notify 1369 STATUS current 1370 DESCRIPTION 1371 "This object indicates the bypass mode. A value of 'true' 1372 indicates bypass mode is on and a value of 'false' indicates it is off. 1373 1374 This object is instantiated only if the value of cidsHealthSecMonAvailability is set to 'true'." 1375 ::= { cidsHealth 27 } 1376 1377cidsHealthSecMonMissedPktPctAndThresh OBJECT-TYPE 1378 SYNTAX DisplayString (SIZE (0..255)) 1379 MAX-ACCESS read-only 1380 STATUS current 1381 DESCRIPTION 1382 "This object indicates the missed packet percentage and missed 1383 packets percentage threshold aggregated for all interfaces. 1384 For example, 'missedPacketPercentage=1 redThreshold=6 1385 yellowThreshold=1'. 1386 1387 This object is instantiated only if the value of 1388 cidsHealthSecMonAvailability is set to 'true'." 1389 ::= { cidsHealth 28 } 1390 1391cidsHealthSecMonAnalysisEngMemPercent OBJECT-TYPE 1392 SYNTAX Integer32 (0..100) 1393 UNITS "percent" 1394 MAX-ACCESS read-only 1395 STATUS current 1396 DESCRIPTION 1397 "This object indicates the percentage of memory used by Analysis 1398 Engine. 1399 1400 This object is instantiated only if the value of 1401 cidsHealthSecMonAvailability is set to 'true'." 1402 ::= { cidsHealth 29 } 1403 1404cidsHealthSecMonSensorLoad OBJECT-TYPE 1405 SYNTAX Integer32 (0..100) 1406 MAX-ACCESS read-only 1407 STATUS current 1408 DESCRIPTION 1409 "This object indicates sensor inspection load. 1410 1411 This object is instantiated only if the value of 1412 cidsHealthSecMonAvailability is set to 'true'." 1413 ::= { cidsHealth 30 } 1414 1415cidsHealthSecMonSensorLoadColor OBJECT-TYPE 1416 SYNTAX CidsHealthStatusColor 1417 MAX-ACCESS accessible-for-notify 1418 STATUS current 1419 DESCRIPTION 1420 "This object indicates the status of current sensor load, 1421 indicated 1422 using status colors. The color is determined based on the 1423 sensor load percentage and configured threshold value." 1424 ::= { cidsHealth 31 } 1425 1426cidsHealthSecMonVirtSensorStatusTable OBJECT-TYPE 1427 SYNTAX SEQUENCE OF CidsHealthSecMonVirtSensorStatusEntry 1428 MAX-ACCESS not-accessible 1429 STATUS current 1430 DESCRIPTION 1431 "This table contains the status of each virtual sensor. There 1432 will be one entry per virtual sensor in the system. This is the 1433 status of the network that the virtual sensor is monitoring. A 1434 virtual sensor can be added either through the configuration CLI 1435 or through a management application such as IME/CSM; once it is 1436 added to the system it will appear in this table. If a virtual 1437 sensor is removed from the system through one of the management 1438 interfaces it will no longer appear in this table. 1439 1440 This table is instantiated only if the value of cidsHealthSecMonAvailability is set to 'true'." 1441 ::= { cidsHealth 32 } 1442 1443cidsHealthSecMonVirtSensorStatusEntry OBJECT-TYPE 1444 SYNTAX CidsHealthSecMonVirtSensorStatusEntry 1445 MAX-ACCESS not-accessible 1446 STATUS current 1447 DESCRIPTION 1448 "An entry (conceptual row) in the 1449 cidsHealthSecMonVirtSensorStatusTable. There will be one per 1450 virtual sensor on the system. 1451 1452 A virtual sensor allows one to logically separate their sensor 1453 configuration for different sets of interfaces. For example 1454 virtual sensor vs0 may apply to one set of interfaces and vs1 1455 would apply to another set of interfaces. This table allows 1456 someone to get the status of each of the virtual sensors to 1457 determine the health of the associated networks. 1458 1459 For example you could have vs0 monitoring your finance networks 1460 and vs1 monitoring your engineering networks and track the 1461 health of each of these networks independently." 1462 INDEX { cidsHealthSecMonVirtSensorName } 1463 ::= { cidsHealthSecMonVirtSensorStatusTable 1 } 1464 1465CidsHealthSecMonVirtSensorStatusEntry ::= SEQUENCE { 1466 cidsHealthSecMonVirtSensorName DisplayString, 1467 cidsHealthSecMonVirtSensorStatus CidsHealthStatusColor 1468} 1469 1470cidsHealthSecMonVirtSensorName OBJECT-TYPE 1471 SYNTAX DisplayString (SIZE (1..64)) 1472 MAX-ACCESS not-accessible 1473 STATUS current 1474 DESCRIPTION 1475 "This object represents the name of the virtual sensor. Through 1476 the IPS configuration the sensor name can be correlated with 1477 the 1478 1479 sensor configuration and the associated interfaces to identify 1480 which networks are having good or bad health status. The reason 1481 there are multiple virtual sensor configurations is to allow 1482 different configurations for different sets of network 1483 interfaces." 1484 ::= { cidsHealthSecMonVirtSensorStatusEntry 1 } 1485 1486cidsHealthSecMonVirtSensorStatus OBJECT-TYPE 1487 SYNTAX CidsHealthStatusColor 1488 MAX-ACCESS read-only 1489 STATUS current 1490 DESCRIPTION 1491 "This object represents the virtual sensor network status level. 1492 From the color rating associated with the virtual sensor you 1493 can 1494 determine the overall health of the attached networks. If the 1495 color is green everything is fine, the IPS is not indicating a 1496 problem. If the color is yellow you should check as there 1497 maybe 1498 issues occuring on the attached network. If the status is red 1499 the network needs attention as problems are detected and network 1500 security is critical." 1501 ::= { cidsHealthSecMonVirtSensorStatusEntry 2 } 1502 1503 1504 1505cidsHealthSecMonDataStorageTable OBJECT-TYPE 1506 SYNTAX SEQUENCE OF CidsHealthSecMonDataStorageEntry 1507 MAX-ACCESS not-accessible 1508 STATUS current 1509 DESCRIPTION 1510 "This is the table of disk partition details: 1511 1512 Partition Name 1513 Total Space In Partition 1514 Utilized Space 1515 1516 This table tells how each of the file systems are utilized on 1517 the IPS. If the file systems approach 100% utilization that 1518 may indicate a problem. This table should remain fixed 1519 size unless an upgrade/install changes the partition count. 1520 The user does not have control over the number of partitions 1521 or the ability to add and remove partitions. 1522 1523 This table is instantiated only if the value of 1524 cidsHealthSecMonAvailability is set to 'true'." 1525 ::= { cidsHealth 33 } 1526 1527cidsHealthSecMonDataStorageEntry OBJECT-TYPE 1528 SYNTAX CidsHealthSecMonDataStorageEntry 1529 MAX-ACCESS not-accessible 1530 STATUS current 1531 DESCRIPTION 1532 "An entry (conceptual row) in the 1533 cidsHealthSecMonDataStorageTable. 1534 1535 There will be one row per partition. 1536 1537 This table is here to track the health of the storage on the 1538 IPS sensor. The following partitions will have their status 1539 displayed as part of the data storage table: 1540 1541 system 1542 This is the root file system on the sensor; this file system 1543 should not change too much over time and should not be full. 1544 1545 application-data 1546 This is the main file system where application binaries, 1547 application logs and configuration data is stored. This file 1548 system will change due to logging and configuration changes; if 1549 this file system is full it will present stability problems. 1550 This partition is the most important in the system to monitor. 1551 1552 boot 1553 Kernel/boot data storage partition; this should not change 1554 much other than during an image upgrade. 1555 1556 application-log 1557 This partition has fixed sized files to store IPLOG data. 1558 This will likely run near full capacity without being a 1559 problem. 1560 1561 The most important partition to monitor over time is the 1562 application-data partition; if it runs to capacity problems 1563 will occur as processes will no longer be able to write data to 1564 the file system. 1565 1566 Note: File system setup and utilization will vary per platform 1567 model; there are no perfect rules for monitoring these across 1568 all platforms however you should be able to use trends over 1569 time to indicate if you are going to fill up a file system that 1570 should not run at capacity such as the application-data 1571 partition." 1572 INDEX { cidsHealthSecMonPartitionName } 1573 ::= { cidsHealthSecMonDataStorageTable 1 } 1574 1575CidsHealthSecMonDataStorageEntry ::= SEQUENCE { 1576 cidsHealthSecMonPartitionName DisplayString, 1577 cidsHealthSecMonTotalPartitionSpace Unsigned32, 1578 cidsHealthSecMonUtilizedPartitionSpace Unsigned32 1579} 1580 1581cidsHealthSecMonPartitionName OBJECT-TYPE 1582 SYNTAX DisplayString (SIZE (1..64)) 1583 MAX-ACCESS not-accessible 1584 STATUS current 1585 DESCRIPTION 1586 "Name of the disk partition. For example: 1587 system 1588 application-data 1589 boot 1590 application-log" 1591 ::= { cidsHealthSecMonDataStorageEntry 1 } 1592 1593cidsHealthSecMonTotalPartitionSpace OBJECT-TYPE 1594 SYNTAX Unsigned32 1595 UNITS "MB" 1596 MAX-ACCESS read-only 1597 STATUS current 1598 DESCRIPTION 1599 "This object represents the total disk space on the partition in 1600 megabytes." 1601 ::= { cidsHealthSecMonDataStorageEntry 2 } 1602 1603cidsHealthSecMonUtilizedPartitionSpace OBJECT-TYPE 1604 SYNTAX Unsigned32 1605 UNITS "MB" 1606 MAX-ACCESS read-only 1607 STATUS current 1608 DESCRIPTION 1609 "This object represents the total amount of utilized disk space 1610 in megabytes." 1611 ::= { cidsHealthSecMonDataStorageEntry 3 } 1612 1613 1614 1615-- Notifications 1616-- 1617-- Since notifications with a large number of bound objects 1618-- can be rather large, the agent can provide two different 1619-- notification generation modes. One without optional objects 1620-- to try and keep the notification size below 484 bytes and 1621-- one with no size limits that will send all available optional 1622-- objects as well as those explicitly listed in the OBJECTS 1623-- clause of the notification definition. 1624-- 1625-- The following objects, defined elsewhere in this MIB module 1626-- as accessible-for-notify, are optional in that they are not 1627-- explicitly listed in a notification's OBJECTS clause. 1628-- When the notification generation mode is set to allow optional 1629-- objects to be bound, the association of the optional objects 1630-- to particular notifications is as follows: 1631-- 1632-- ciscoCidsAlert: 1633-- cidsGeneralOriginatorAppName 1634-- cidsGeneralOriginatorAppId 1635-- cidsAlertSignature 1636-- cidsAlertSignatureVersion 1637-- cidsAlertSummary 1638-- cidsAlertSummaryType 1639-- cidsAlertSummaryFinal 1640-- cidsAlertSummaryInitialAlert 1641-- cidsAlertInterfaceGroup 1642-- cidsAlertVlan 1643-- cidsAlertVictimContext 1644-- cidsAlertAttackerContext 1645-- cidsAlertIpLoggingActivated 1646-- cidsAlertTcpResetSent 1647-- cidsAlertShunRequested 1648-- cidsAlertDetails 1649-- cidsAlertIpLogId 1650-- cidsThreatResponseStatus 1651-- cidsThreatResponseSeverity 1652-- cidsAlertEventRiskRating 1653-- cidsAlertIfIndex 1654-- cidsAlertProtocol 1655-- cidsAlertDeniedAttacker 1656-- cidsAlertDeniedFlow 1657-- cidsAlertDenyPacketReqNotPerf 1658-- cidsAlertDenyFlowReqNotPerf 1659-- cidsAlertDenyAttackerReqNotPerf 1660-- cidsAlertBlockConnectionReq 1661-- cidsAlertLogAttackerPacketsAct 1662-- cidsAlertLogVictimPacketsAct 1663-- cidsAlertLogPairPacketsActivated 1664-- cidsAlertRateLimitRequested 1665-- cidsAlertDeniedAttackVictimPair 1666-- cidsAlertDeniedAttackSericePair 1667-- cidsAlertDenyAttackVicReqNotPerf 1668-- cidsAlertDenyAttackSerReqNotPerf 1669-- cidsAlertThreatValueRating 1670-- cidsAlertRiskRatingTargetValue 1671-- cidsAlertRiskRatingRelevance 1672-- cidsAlertRiskRatingWatchList 1673-- 1674-- ciscoCidsError: 1675-- cidsGeneralOriginatorAppName 1676-- cidsGeneralOriginatorAppId 1677 1678ciscoCidsAlert NOTIFICATION-TYPE 1679 OBJECTS { 1680 cidsGeneralEventId, 1681 cidsGeneralLocalTime, 1682 cidsGeneralUTCTime, 1683 cidsGeneralOriginatorHostId, 1684 cidsAlertSeverity, 1685 cidsAlertSignatureSigName, 1686 cidsAlertSignatureSigId, 1687 cidsAlertSignatureSubSigId, 1688 cidsAlertAlarmTraits, 1689 cidsAlertAttackerAddress, 1690 cidsAlertVictimAddress 1691 } 1692 STATUS current 1693 DESCRIPTION 1694 "Event indicating that some suspicious or malicious 1695 activity has been detected on a monitored network." 1696 ::= { ciscoCidsMIBNotifs 1 } 1697 1698ciscoCidsError NOTIFICATION-TYPE 1699 OBJECTS { 1700 cidsGeneralEventId, 1701 cidsGeneralLocalTime, 1702 cidsGeneralUTCTime, 1703 cidsGeneralOriginatorHostId, 1704 cidsErrorSeverity, 1705 cidsErrorName, 1706 cidsErrorMessage 1707 } 1708 STATUS current 1709 DESCRIPTION 1710 "Event indicating that an error has occurred." 1711 ::= { ciscoCidsMIBNotifs 2 } 1712 1713ciscoCidsHealthHeartBeat NOTIFICATION-TYPE 1714 OBJECTS { 1715 cidsGeneralEventId, 1716 cidsGeneralOriginatorHostId, 1717 cidsGeneralLocalTime, 1718 cidsGeneralUTCTime, 1719 cidsHealthSecMonOverallAppColor, 1720 cidsHealthSecMonSensorLoadColor, 1721 cidsHealthSecMonOverallHealth 1722 } 1723 STATUS current 1724 DESCRIPTION 1725 "This notification is triggered by the heart beat events 1726 (evStatus). The heartbeat is configured to run on a periodic 1727 basis and can be enabled/disabled through heart beat 1728 configuration under the health service. If the heart beat is 1729 disabled these notification events will not be sent. 1730 1731 This notification is supposed to mirror the heart beat evStatus 1732 message however it is a subset of the most critical pieces of 1733 data. Namely this will include the following pieces of data: 1734 1735 - Event ID 1736 - Host ID 1737 - Local Time 1738 - UTC Time 1739 - Overall Application Color 1740 - Sensor/Inspection Load Color 1741 - Overall Health" 1742 ::= { ciscoCidsMIBNotifs 3 } 1743 1744ciscoCidsHealthMetricChange NOTIFICATION-TYPE 1745 OBJECTS { 1746 cidsGeneralEventId, 1747 cidsGeneralOriginatorHostId, 1748 cidsGeneralLocalTime, 1749 cidsGeneralUTCTime, 1750 cidsHealthSecMonOverallAppColor, 1751 cidsHealthSecMonSensorLoadColor, 1752 cidsHealthSecMonOverallHealth 1753 } 1754 STATUS current 1755 DESCRIPTION 1756 "This notification notifies the recipient of health and 1757 security status changes. This notification is triggered when 1758 there is a change in the value of monitored metrics as indicated 1759 by evStatus message. This notification will include the 1760 following important subset of attributes from evStatus message: 1761 1762 - Event ID 1763 - Host ID 1764 - Local Time 1765 - UTC Time 1766 - Overall Application Color 1767 - Sensor/Inspection Load Color 1768 - Overall Health 1769 1770 This is similar to the heart beat, however the triggering 1771 condition is different. The heart beat fires on a regular 1772 interval and this is sent immediately after a change in a 1773 monitored metric. Metric change notifications can be enabled 1774 while the heart beat is disabled." 1775 ::= { ciscoCidsMIBNotifs 4 } 1776-- Conformance 1777 1778ciscoCidsMIBCompliances OBJECT IDENTIFIER 1779 ::= { ciscoCidsMIBConform 1 } 1780 1781ciscoCidsMIBGroups OBJECT IDENTIFIER 1782 ::= { ciscoCidsMIBConform 2 } 1783 1784 1785-- Compliance 1786 1787ciscoCidsMIBCompliance MODULE-COMPLIANCE 1788 STATUS deprecated 1789 DESCRIPTION 1790 "The compliance statement for entities which implement 1791 the Cids MIB" 1792 MODULE -- this module 1793 MANDATORY-GROUPS { 1794 ciscoCidsGeneralObjectGroup, 1795 ciscoCidsAlertObjectGroup, 1796 ciscoCidsErrorObjectGroup, 1797 ciscoCidsHealthObjectGroup 1798 } 1799 ::= { ciscoCidsMIBCompliances 1 } 1800 1801ciscoCidsMIBComplianceRev1 MODULE-COMPLIANCE 1802 STATUS deprecated 1803 DESCRIPTION 1804 "The compliance statement for entities which implement 1805 the Cids MIB" 1806 MODULE -- this module 1807 MANDATORY-GROUPS { 1808 ciscoCidsGeneralObjectGroupRev1, 1809 ciscoCidsAlertObjectGroupRev1, 1810 ciscoCidsErrorObjectGroup, 1811 ciscoCidsHealthObjectGroup, 1812 ciscoCidsNotificationsGroup 1813 } 1814 1815 GROUP ciscoCidsOptionalObjectGroup 1816 DESCRIPTION 1817 "Since notifications with a large number of 1818 bound objects can be rather large, the agent 1819 can provide two different notification 1820 generation modes. One without optional objects 1821 in the ciscoCidsOptionalObjectGroup to try and 1822 keep the notification size below 484 bytes and 1823 one with no size limits that will send all 1824 available optional objects in the 1825 ciscoCidsOptionalObjectGroup as well as those 1826 explicitly listed in the OBJECTS clause of the 1827 notification definition." 1828 ::= { ciscoCidsMIBCompliances 2 } 1829 1830ciscoCidsMIBComplianceRev2 MODULE-COMPLIANCE 1831 STATUS deprecated 1832 DESCRIPTION 1833 "The compliance statement for entities which implement 1834 the Cids MIB" 1835 MODULE -- this module 1836 MANDATORY-GROUPS { 1837 ciscoCidsGeneralObjectGroupRev1, 1838 ciscoCidsAlertObjectGroupRev1, 1839 ciscoCidsErrorObjectGroup, 1840 ciscoCidsHealthObjectGroup, 1841 ciscoCidsNotificationsGroup 1842 } 1843 1844 GROUP ciscoCidsOptionalObjectGroupRev1 1845 DESCRIPTION 1846 "Since notifications with a large number of 1847 bound objects can be rather large, the agent 1848 can provide two different notification 1849 generation modes. One without optional objects 1850 in the ciscoCidsOptionalObjectGroup to try and 1851 keep the notification size below 484 bytes and 1852 one with no size limits that will send all 1853 available optional objects in the 1854 ciscoCidsOptionalObjectGroup as well as those 1855 explicitly listed in the OBJECTS clause of the 1856 notification definition." 1857 ::= { ciscoCidsMIBCompliances 3 } 1858 1859ciscoCidsMIBComplianceRev3 MODULE-COMPLIANCE 1860 STATUS deprecated 1861 DESCRIPTION 1862 "The compliance statement for entities which implement 1863 the Cids MIB" 1864 MODULE -- this module 1865 MANDATORY-GROUPS { 1866 ciscoCidsGeneralObjectGroupRev1, 1867 ciscoCidsAlertObjectGroupRev1, 1868 ciscoCidsErrorObjectGroup, 1869 ciscoCidsHealthObjectGroup, 1870 ciscoCidsNotificationsGroup 1871 } 1872 1873 GROUP ciscoCidsOptionalObjectGroupRev2 1874 DESCRIPTION 1875 "Since notifications with a large number of 1876 bound objects can be rather large, the agent 1877 can provide two different notification 1878 generation modes. One without optional objects 1879 in the ciscoCidsOptionalObjectGroup to try and 1880 keep the notification size below 484 bytes and 1881 one with no size limits that will send all 1882 available optional objects in the 1883 ciscoCidsOptionalObjectGroup as well as those 1884 explicitly listed in the OBJECTS clause of the 1885 notification definition." 1886 1887 GROUP ciscoCidsOptionalObjectGroupRev1 1888 DESCRIPTION 1889 "Since notifications with a large number of 1890 bound objects can be rather large, the agent 1891 can provide two different notification 1892 generation modes. One without optional objects 1893 in the ciscoCidsOptionalObjectGroup to try and 1894 keep the notification size below 484 bytes and 1895 one with no size limits that will send all 1896 available optional objects in the 1897 ciscoCidsOptionalObjectGroup as well as those 1898 explicitly listed in the OBJECTS clause of the 1899 notification definition." 1900 ::= { ciscoCidsMIBCompliances 4 } 1901 1902ciscoCidsMIBComplianceRev4 MODULE-COMPLIANCE 1903 STATUS current 1904 DESCRIPTION 1905 "The compliance statement for entities which implement 1906 the Cids MIB" 1907 MODULE -- this module 1908 MANDATORY-GROUPS { 1909 ciscoCidsErrorObjectGroup, 1910 ciscoCidsGeneralObjectGroupRev1, 1911 ciscoCidsAlertObjectGroupRev2, 1912 ciscoCidsHealthObjectGroupRev1, 1913 ciscoCidsNotificationsGroupRev1, 1914 ciscoCidsHealthObjectGroup, 1915 ciscoCidsNotificationsGroup, 1916 ciscoCidsAlertObjectGroupRev1 1917 } 1918 1919 GROUP ciscoCidsOptionalObjectGroupRev3 1920 DESCRIPTION 1921 "A collection of optional objects which provide sensor events 1922 and alerts information." 1923 1924 GROUP ciscoCidsOptionalObjectGroupRev2 1925 DESCRIPTION 1926 "A collection of optional objects which provide sensor events 1927 and alerts information." 1928 1929 GROUP ciscoCidsOptionalObjectGroupRev1 1930 DESCRIPTION 1931 "A collection of optional objects which provide sensor alert 1932 information." 1933 ::= { ciscoCidsMIBCompliances 5 } 1934 1935-- Units of Conformance 1936 1937ciscoCidsGeneralObjectGroup OBJECT-GROUP 1938 OBJECTS { 1939 cidsGeneralEventId, 1940 cidsGeneralLocalTime, 1941 cidsGeneralUTCTime, 1942 cidsGeneralOriginatorHostId, 1943 cidsGeneralOriginatorAppName, 1944 cidsGeneralOriginatorAppId, 1945 cidsNotificationsEnabled 1946 } 1947 STATUS deprecated 1948 DESCRIPTION 1949 "General Objects." 1950 ::= { ciscoCidsMIBGroups 1 } 1951 1952ciscoCidsAlertObjectGroup OBJECT-GROUP 1953 OBJECTS { 1954 cidsAlertSeverity, 1955 cidsAlertAlarmTraits, 1956 cidsAlertSignature, 1957 cidsAlertSignatureSigName, 1958 cidsAlertSignatureSigId, 1959 cidsAlertSignatureSubSigId, 1960 cidsAlertSignatureVersion, 1961 cidsAlertSummary, 1962 cidsAlertSummaryType, 1963 cidsAlertSummaryFinal, 1964 cidsAlertSummaryInitialAlert, 1965 cidsAlertInterfaceGroup, 1966 cidsAlertVlan, 1967 cidsAlertVictimContext, 1968 cidsAlertAttackerContext, 1969 cidsAlertVictimAddress, 1970 cidsAlertAttackerAddress, 1971 cidsAlertIpLoggingActivated, 1972 cidsAlertTcpResetSent, 1973 cidsAlertShunRequested, 1974 cidsAlertDetails, 1975 cidsAlertIpLogId, 1976 cidsThreatResponseStatus, 1977 cidsThreatResponseSeverity, 1978 cidsAlertEventRiskRating 1979 } 1980 STATUS deprecated 1981 DESCRIPTION 1982 "Alert Objects." 1983 ::= { ciscoCidsMIBGroups 2 } 1984 1985ciscoCidsErrorObjectGroup OBJECT-GROUP 1986 OBJECTS { 1987 cidsErrorSeverity, 1988 cidsErrorName, 1989 cidsErrorMessage 1990 } 1991 STATUS current 1992 DESCRIPTION 1993 "Error Objects." 1994 ::= { ciscoCidsMIBGroups 3 } 1995 1996ciscoCidsNotificationsGroup NOTIFICATION-GROUP 1997 NOTIFICATIONS { 1998 ciscoCidsAlert, 1999 ciscoCidsError 2000 } 2001 STATUS current 2002 DESCRIPTION 2003 "The notifications which are required." 2004 ::= { ciscoCidsMIBGroups 4 } 2005 2006ciscoCidsHealthObjectGroup OBJECT-GROUP 2007 OBJECTS { 2008 cidsHealthPacketLoss, 2009 cidsHealthPacketDenialRate, 2010 cidsHealthAlarmsGenerated, 2011 cidsHealthFragmentsInFRU, 2012 cidsHealthDatagramsInFRU, 2013 cidsHealthTcpEmbryonicStreams, 2014 cidsHealthTCPEstablishedStreams, 2015 cidsHealthTcpClosingStreams, 2016 cidsHealthTcpStreams, 2017 cidsHealthActiveNodes, 2018 cidsHealthTcpDualIpAndPorts, 2019 cidsHealthUdpDualIpAndPorts, 2020 cidsHealthIpDualIp, 2021 cidsHealthIsSensorMemoryCritical, 2022 cidsHealthIsSensorActive, 2023 cidsHealthCommandAndControlPort, 2024 cidsHealthSensorStatsResetTime 2025 } 2026 STATUS current 2027 DESCRIPTION 2028 "Health Objects." 2029 ::= { ciscoCidsMIBGroups 5 } 2030 2031ciscoCidsGeneralObjectGroupRev1 OBJECT-GROUP 2032 OBJECTS { 2033 cidsGeneralEventId, 2034 cidsGeneralLocalTime, 2035 cidsGeneralUTCTime, 2036 cidsGeneralOriginatorHostId, 2037 cidsNotificationsEnabled 2038 } 2039 STATUS current 2040 DESCRIPTION 2041 "General Objects." 2042 ::= { ciscoCidsMIBGroups 6 } 2043 2044ciscoCidsAlertObjectGroupRev1 OBJECT-GROUP 2045 OBJECTS { 2046 cidsAlertSeverity, 2047 cidsAlertAlarmTraits, 2048 cidsAlertSignatureSigName, 2049 cidsAlertSignatureSigId, 2050 cidsAlertSignatureSubSigId, 2051 cidsAlertVictimAddress, 2052 cidsAlertAttackerAddress 2053 } 2054 STATUS current 2055 DESCRIPTION 2056 "Alert Objects." 2057 ::= { ciscoCidsMIBGroups 7 } 2058 2059ciscoCidsOptionalObjectGroup OBJECT-GROUP 2060 OBJECTS { 2061 cidsGeneralOriginatorAppName, 2062 cidsGeneralOriginatorAppId, 2063 cidsAlertSignature, 2064 cidsAlertSignatureVersion, 2065 cidsAlertSummary, 2066 cidsAlertSummaryType, 2067 cidsAlertSummaryFinal, 2068 cidsAlertSummaryInitialAlert, 2069 cidsAlertInterfaceGroup, 2070 cidsAlertVlan, 2071 cidsAlertVictimContext, 2072 cidsAlertAttackerContext, 2073 cidsAlertIpLoggingActivated, 2074 cidsAlertTcpResetSent, 2075 cidsAlertShunRequested, 2076 cidsAlertDetails, 2077 cidsAlertIpLogId, 2078 cidsThreatResponseStatus, 2079 cidsThreatResponseSeverity, 2080 cidsAlertEventRiskRating, 2081 cidsAlertIfIndex, 2082 cidsAlertProtocol, 2083 cidsAlertDeniedAttacker, 2084 cidsAlertDeniedFlow, 2085 cidsAlertDenyPacketReqNotPerf, 2086 cidsAlertDenyFlowReqNotPerf, 2087 cidsAlertDenyAttackerReqNotPerf, 2088 cidsAlertBlockConnectionReq, 2089 cidsAlertLogAttackerPacketsAct, 2090 cidsAlertLogVictimPacketsAct, 2091 cidsAlertLogPairPacketsActivated, 2092 cidsAlertRateLimitRequested, 2093 cidsAlertDeniedAttackVictimPair, 2094 cidsAlertDeniedAttackSericePair, 2095 cidsAlertDenyAttackVicReqNotPerf, 2096 cidsAlertDenyAttackSerReqNotPerf 2097 } 2098 STATUS deprecated 2099 DESCRIPTION 2100 "Optional Objects." 2101 ::= { ciscoCidsMIBGroups 8 } 2102 2103ciscoCidsOptionalObjectGroupRev1 OBJECT-GROUP 2104 OBJECTS { 2105 cidsGeneralOriginatorAppName, 2106 cidsGeneralOriginatorAppId, 2107 cidsAlertSignature, 2108 cidsAlertSignatureVersion, 2109 cidsAlertSummary, 2110 cidsAlertSummaryType, 2111 cidsAlertSummaryFinal, 2112 cidsAlertSummaryInitialAlert, 2113 cidsAlertInterfaceGroup, 2114 cidsAlertVlan, 2115 cidsAlertVictimContext, 2116 cidsAlertAttackerContext, 2117 cidsAlertIpLoggingActivated, 2118 cidsAlertTcpResetSent, 2119 cidsAlertShunRequested, 2120 cidsAlertDetails, 2121 cidsAlertIpLogId, 2122 cidsThreatResponseStatus, 2123 cidsThreatResponseSeverity, 2124 cidsAlertEventRiskRating, 2125 cidsAlertIfIndex, 2126 cidsAlertProtocol, 2127 cidsAlertDeniedAttacker, 2128 cidsAlertDeniedFlow, 2129 cidsAlertDenyPacketReqNotPerf, 2130 cidsAlertDenyFlowReqNotPerf, 2131 cidsAlertDenyAttackerReqNotPerf, 2132 cidsAlertBlockConnectionReq, 2133 cidsAlertLogAttackerPacketsAct, 2134 cidsAlertLogVictimPacketsAct, 2135 cidsAlertLogPairPacketsActivated, 2136 cidsAlertRateLimitRequested, 2137 cidsAlertDeniedAttackVictimPair, 2138 cidsAlertDeniedAttackSericePair, 2139 cidsAlertDenyAttackVicReqNotPerf, 2140 cidsAlertDenyAttackSerReqNotPerf, 2141 cidsAlertThreatValueRating, 2142 cidsAlertRiskRatingTargetValue, 2143 cidsAlertRiskRatingRelevance, 2144 cidsAlertRiskRatingWatchList 2145 } 2146 STATUS current 2147 DESCRIPTION 2148 "Optional Objects." 2149 ::= { ciscoCidsMIBGroups 9 } 2150 2151ciscoCidsOptionalObjectGroupRev2 OBJECT-GROUP 2152 OBJECTS { 2153 cidsAlertDenyPacket, 2154 cidsAlertBlockHost, 2155 cidsAlertTcpOneWayResetSent 2156 } 2157 STATUS current 2158 DESCRIPTION 2159 "A collection of optional objects which provide sensor events 2160 and alerts information." 2161 ::= { ciscoCidsMIBGroups 10 } 2162 2163ciscoCidsAlertObjectGroupRev2 OBJECT-GROUP 2164 OBJECTS { 2165 cidsAlertSignature, 2166 cidsAlertSignatureVersion, 2167 cidsAlertSummary, 2168 cidsAlertSummaryType, 2169 cidsAlertSummaryFinal, 2170 cidsAlertSummaryInitialAlert, 2171 cidsAlertVlan, 2172 cidsAlertVictimContext, 2173 cidsAlertAttackerContext, 2174 cidsAlertIpLoggingActivated, 2175 cidsAlertTcpResetSent, 2176 cidsAlertShunRequested, 2177 cidsAlertDetails, 2178 cidsAlertIpLogId, 2179 cidsThreatResponseStatus, 2180 cidsThreatResponseSeverity, 2181 cidsAlertEventRiskRating 2182 } 2183 STATUS current 2184 DESCRIPTION 2185 "A collection of objects that provide sensor alert 2186 information." 2187 ::= { ciscoCidsMIBGroups 11 } 2188 2189ciscoCidsHealthObjectGroupRev1 OBJECT-GROUP 2190 OBJECTS { 2191 cidsHealthSecMonAvailability, 2192 cidsHealthSecMonOverallHealth, 2193 cidsHealthSecMonSoftwareVersion, 2194 cidsHealthSecMonSignatureVersion, 2195 cidsHealthSecMonLicenseStatus, 2196 cidsHealthSecMonMainAppStatus, 2197 cidsHealthSecMonAnalysisEngineStatus, 2198 cidsHealthSecMonByPassMode, 2199 cidsHealthSecMonMissedPktPctAndThresh, 2200 cidsHealthSecMonAnalysisEngMemPercent, 2201 cidsHealthSecMonSensorLoad, 2202 cidsHealthSecMonVirtSensorStatus, 2203 cidsHealthSecMonCollaborationAppStatus, 2204 cidsHealthSecMonTotalPartitionSpace, 2205 cidsHealthSecMonUtilizedPartitionSpace, 2206 cidsHealthSecMonOverallAppColor, 2207 cidsHealthSecMonSensorLoadColor 2208 } 2209 STATUS current 2210 DESCRIPTION 2211 "A collection of objects that provide sensor health status." 2212 ::= { ciscoCidsMIBGroups 12 } 2213 2214ciscoCidsOptionalObjectGroupRev3 OBJECT-GROUP 2215 OBJECTS { cidsAlertVirtualSensor } 2216 STATUS current 2217 DESCRIPTION 2218 "A collection of optional objects which provide sensor events 2219 and alerts information." 2220 ::= { ciscoCidsMIBGroups 13 } 2221 2222ciscoCidsNotificationsGroupRev1 NOTIFICATION-GROUP 2223 NOTIFICATIONS { 2224 ciscoCidsHealthHeartBeat, 2225 ciscoCidsHealthMetricChange 2226 } 2227 STATUS current 2228 DESCRIPTION 2229 "A collection of objects that provide sensor health and metric 2230 change related trap information." 2231 ::= { ciscoCidsMIBGroups 14 } 2232 2233END 2234 2235 2236 2237 2238 2239 2240 2241 2242 2243 2244 2245 2246 2247 2248 2249 2250 2251 2252 2253 2254 2255 2256 2257 2258 2259 2260 2261 2262 2263 2264 2265 2266 2267 2268 2269 2270 2271 2272 2273 2274 2275 2276 2277 2278 2279 2280 2281 2282 2283 2284 2285 2286 2287 2288 2289 2290 2291 2292 2293 2294 2295 2296 2297 2298 2299 2300 2301 2302 2303 2304 2305 2306 2307 2308 2309 2310 2311 2312 2313 2314 2315 2316 2317 2318 2319 2320 2321 2322 2323 2324 2325 2326 2327 2328 2329 2330 2331 2332 2333 2334 2335 2336 2337 2338 2339 2340 2341 2342 2343 2344 2345 2346 2347 2348 2349 2350 2351 2352 2353 2354 2355 2356 2357 2358 2359 2360 2361 2362 2363 2364 2365 2366 2367 2368 2369 2370 2371 2372 2373 2374 2375 2376 2377 2378 2379 2380 2381 2382 2383 2384 2385 2386 2387 2388 2389 2390 2391 2392 2393 2394 2395 2396 2397 2398 2399 2400 2401 2402 2403 2404 2405 2406 2407 2408 2409 2410 2411 2412 2413 2414 2415 2416 2417 2418 2419 2420 2421 2422 2423 2424 2425 2426 2427 2428 2429 2430 2431 2432 2433 2434 2435 2436 2437 2438 2439 2440 2441 2442 2443 2444 2445 2446 2447 2448 2449 2450 2451 2452 2453 2454 2455 2456 2457 2458 2459 2460 2461 2462 2463 2464 2465 2466 2467 2468 2469 2470 2471 2472 2473 2474 2475 2476 2477 2478 2479 2480 2481 2482 2483 2484 2485 2486 2487 2488 2489 2490 2491 2492 2493 2494 2495 2496 2497 2498 2499 2500 2501 2502 2503 2504 2505 2506 2507 2508 2509 2510 2511 2512 2513 2514 2515 2516 2517 2518 2519 2520 2521 2522 2523 2524 2525 2526 2527 2528