-- *****************************************************************
-- CISCO-THREAT-MITIGATION-SERVICE-MIB.my MIB for TMS(Threat
-- Mitigation Service).
--
-- January 2007, Alok K Sinha
--
-- Copyright (c) 2007 by Cisco Systems, Inc.
-- All rights reserved.
--
-- *****************************************************************

CISCO-THREAT-MITIGATION-SERVICE-MIB DEFINITIONS ::= BEGIN

IMPORTS
    Unsigned32,
    MODULE-IDENTITY,
    NOTIFICATION-TYPE,
    OBJECT-TYPE
        FROM SNMPv2-SMI
    MODULE-COMPLIANCE,
    NOTIFICATION-GROUP,
    OBJECT-GROUP
        FROM SNMPv2-CONF
    ifIndex
        FROM IF-MIB
    StorageType,
    RowStatus,
    DateAndTime,
    TruthValue,
    TEXTUAL-CONVENTION
        FROM SNMPv2-TC
    InetAddress,
    InetAddressType
        FROM INET-ADDRESS-MIB
    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB
    ciscoMgmt
        FROM CISCO-SMI;


ciscoThreatMitigationServiceMIB MODULE-IDENTITY
    LAST-UPDATED    "200701090000Z"
    ORGANIZATION    "Cisco Systems, Inc."
    CONTACT-INFO
        "Cisco Systems
        Customer Service

        Postal:170 W. Tasman Drive
        San Jose, CA 95134
        USA

        Tel:+1 800 553-NETS

        E-mail:cs-tms@cisco.com"
    DESCRIPTION
        "
        This MIB provides management information about the Threat
        Mitigation Service(TMS) entity named 'Consumer'. TMS is part
        of Cisco's Network Infection Containment (NIC) security
        framework. The MIB is expected to be implemented on all
        entities that act as TMS consumers.

        The NIC framework deals with threat mitigation. The NIC
        architecture consists of controllers and one or more consumers
        registered with these controllers. The controller is
        responsible for detecting threats and conveying the
        information about the same to one or more consumers that
        could be the potential targets of the detected threat.
        Upon receiving the information about the threat from
        the controller, the consumer responds with appropriate
        mitigation actions according to the policies configured
        on it and as indicated in the threat notification message.

        TMS protocol is used for distribution and management of threat
        related information from the controller to consumers.
        TMS runs over TIDP layer which is used as distribution layer.
        TIDP layer provides a secured connection between the
        controller and the consumers. TIDP also provides group
        management services.

        Each consumer needs to participate in a TIDP group in order
        to receive threat notification message from controller
        in that TIDP group. To participate in a TIDP group consumer
        needs to register with the controller of that group,
        from which it intends to receive threat messages.

        When the controller needs to distribute the information
        about a threat to one or more target TIDP groups or to
        one particular consumer in a TIDP group, it delivers
        the information to the respective entities through
        TMS protocol messages. Upon receiving the threat
        notification message, consumer determines the appropriate
        mitigation action to be executed, with the corresponding
        action parameters, based on the configuration and information
        available in threat message. The respective action is then
        executed.

        The state of threat is set according to the result of
        enforcement action, e.g., upon successful application of
        enforcement action it is marked as Active. The consumer then
        responds to the controller with the results of the
        mitigation action carried out for the threat.

        GLOSSARY
        --------

        Active Threat : A threat is active on a consumer if mitigation
        action corresponding to the threat has been enforced
        successfully.

        Inactive Threat : A threat is inactive on a consumer if
        mitigation action corresponding to the threat has been
        undone successfully.

        ACL : Access Control List is the list of rules which are
        used to filter or classify packets based on protocol
        parameters.

        ACL drop : ACL drop action refers to the drop action taken
        on packets matching any of the filters in the access list.

        DSCP : Differentiated Service Code Point is same as 'Type of
        Service' field in IP header, used in reference to quality
        of service.

        FPM : Flexible Packet Matching is a framework which provides
        packet filtering based on pattern at any offset in the packet.

        FPM drop : FPM drop action refers to the drop action taken on
        packet filtered by FPM.

        TCDF : Traffic Classification Definition File gives
        the XML description of traffic class.

        TIDP : Threat Information Distribution Protocol is a
        distribution protocol, which provides a secured connectivity
        between network devices. It also provides a group management
        function.

        TIDP group : A closed group of network devices which share
        authentication and encryption keys for message exchange.

        TMS : TMS protocol provides information about threats and the
        mitigation action required for the threats in a TIDP network.

        TIDP network : TIDP network comprises of one or more
        TIDP groups."
    REVISION        "200701090000Z"
    DESCRIPTION
        "Initial version of this MIB module."
    ::= { ciscoMgmt 603 }


ciscoTmsMIBNotifs OBJECT IDENTIFIER
    ::= { ciscoThreatMitigationServiceMIB 0 }

ciscoTmsMIBObjects OBJECT IDENTIFIER
    ::= { ciscoThreatMitigationServiceMIB 1 }

ciscoTmsMIBConform OBJECT IDENTIFIER
    ::= { ciscoThreatMitigationServiceMIB 2 }

ciTmsConsumerGlobals OBJECT IDENTIFIER
    ::= { ciscoTmsMIBObjects 1 }

ciTmsConsumerGroup OBJECT IDENTIFIER
    ::= { ciscoTmsMIBObjects 2 }

ciTmsConsumerThreat OBJECT IDENTIFIER
    ::= { ciscoTmsMIBObjects 3 }

ciTiTmsConsumerNotifs OBJECT IDENTIFIER
    ::= { ciscoTmsMIBObjects 4 }

-- Textual Conventions

CTmsConsumerState ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "This textual description represents the state
        of the consumer. The semantics are as follows.

        disabled(1)
            Consumer is disabled.

        enabled(2)
            Consumer is enabled.

        "
    SYNTAX          INTEGER {
                        disabled(1),
                        enabled(2)
                    }

CTmsConsumerRegistrationStatus ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "This textual description represents the status of
        registration of consumer with the controller. The
        semantics are as follows.

        notRegistered(1)
            Consumer is not registered to the controller.

        registrationRequestSent(2)
            A registration request has been sent to the controller
            and consumer is waiting for the response.

        registered(3)
            Consumer is registered with the controller.

        registrationFailed(4)
            The most recent registration attempt has failed.
        "
    SYNTAX          INTEGER {
                        notRegistered(1),
                        registrationRequestSent(2),
                        registered(3),
                        registrationFailed(4)
                    }

CTmsThreatStatus ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "This textual convention represents the status of the threat
        received from a controller in a TIDP group on the consumer.

        unknown(1)
            Unknown state.

        active(2)
            Threat is successfully activated, i.e. mitigation action
            has been successfully enforced.

        inactive(3)
            Threat is inactivated by controller, i.e. mitigation
            action is not enforced.

        created(4)
            Consumer has recorded the information about the threat
            mitigation action enforcement and other processing
            pending for successful activation.

        pending(5)
            Mitigation action initiated and waiting for the result.

        activationFailed(6)
            Threat activation failed.

        inactivationFailed(7)
            Inactivation of threat failed.

        deleted(8)
            Threat mitigation is removed from the consumer.

        "
    SYNTAX          INTEGER {
                        unknown(1),
                        active(2),
                        inactive(3),
                        created(4),
                        pending(5),
                        activationFailed(6),
                        inactivationFailed(7),
                        deleted(8)
                    }

CTmsActionType ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "This textual convention represents the types of actions
        that can be applied to mitigate a threat.

        ignore(1)
            No action, threat ignored.

        aclDrop(2)
            ACL drop action.

        fpmDrop(3)
            FPM drop.

        redirect(4)
            Redirect traffic to a particular host.

        police(5)
            Police the traffic.

        setIPDscp(6)
            Set the DSCP in IP header of packet to a specific value.

        localException(7)
            Local exception enforced for the threat.

        quarantine(8)
            Quarantine the infected host.
        "
    SYNTAX          INTEGER {
                        ignore(1),
                        aclDrop(2),
                        fpmDrop(3),
                        redirect(4),
                        police(5),
                        setIPDscp(6),
                        localException(7),
                        quarantine(8)
                    }

CTmsActionParamIdType ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "This textual convention represents the type of action
        parameters. The semantics are as follows.

        noParams(1),
            No parameters required for the action.

        cir(2),
            police : Committed information rate.

        bir(3),
            police : Peak information rate.

        be(4),
            police : Excess burst.

        nexthop(5),
            redirect : Address of host to redirect the traffic to.

        dscpVal(6),
            setIpDscp : DSCP value in IP header to be set to.

        vlanId(7)
            Quarantine : Quarantine the host to this vlan.
        "
    SYNTAX          INTEGER {
                        noParams(1),
                        cir(2),
                        bir(3),
                        be(4),
                        nexthop(5),
                        dscpVal(6),
                        vlanId(7)
                    }

CTmsActionParamType ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "This textual convention represents the type of the action
        parameter. The semantics are as follows.

        unsigned(1),
            Unsigned integer.

        networkAddress(2),
            represents a network address, e.g. IPv4 and IPv6 address.

        string(3)
            A sequence of octets.
        "
    SYNTAX          INTEGER {
                        unsigned(1),
                        networkAddress(2),
                        string(3)
                    }

-- Scalar objects
ciTmsActiveThreats OBJECT-TYPE
    SYNTAX          Unsigned32 (1..65535 )
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object represents the total number of active threats in
        the consumer."
    ::= { ciTmsConsumerGlobals 1 }

ciTmsInActiveThreats OBJECT-TYPE
    SYNTAX          Unsigned32 (1..65535 )
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object represents the total number of inactive threats
        in the consumer."
    ::= { ciTmsConsumerGlobals 2 }

ciTmsConsumerDeviceId OBJECT-TYPE
    SYNTAX          SnmpAdminString
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object is used for configuring the name of
        the consumer. This could be any generic string,
        e.g. 'Consumer-1'."
    DEFVAL          { "" }
    ::= { ciTmsConsumerGlobals 3 }

ciTmsGroupsMaxEntries OBJECT-TYPE
    SYNTAX          Unsigned32 (1..65535 )
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object represents the maximum number of rows
        in ciTmsGroupTable."
    DEFVAL          { 32767 }
    ::= { ciTmsConsumerGlobals 4 }

ciTmsThreatsMaxEntries OBJECT-TYPE
    SYNTAX          Unsigned32 (1..65535 )
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object represents the maximum number of rows in
        ciTmsThreatTable."
    DEFVAL          { 65535 }
    ::= { ciTmsConsumerGlobals 5 }

ciTmsThreatActionMaxEntries OBJECT-TYPE
    SYNTAX          Unsigned32 (1..65535 )
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object represents the maximum number of rows in
        ciTmsThreatActionTable."
    DEFVAL          { 65535 }
    ::= { ciTmsConsumerGlobals 6 }

ciTmsInterfaceMaxEntries OBJECT-TYPE
    SYNTAX          Unsigned32 (1..65535 )
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object represents the maximum number of rows in
        ciTmsThreatInterfaceTable."
    DEFVAL          { 65535 }
    ::= { ciTmsConsumerGlobals 7 }

ciTmsConsumerState OBJECT-TYPE
    SYNTAX          CTmsConsumerState
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object represents the current state of the consumer."
    ::= { ciTmsConsumerGlobals 8 }
-- Table for group controller to status mapping

ciTmsGroupTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CiTmsGroupEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Consumer can participate in one or more TIDP groups, each
        group having one or more controllers. The table represents
        the list of controllers in a particular group.

        A row is added to the table when a controller's IP address
        is added to the list of known controllers.
        A row is deleted from the table when a controller's
        IP address is removed from the list of known controllers."
    ::= { ciTmsConsumerGroup 1 }

ciTmsGroupEntry OBJECT-TYPE
    SYNTAX          CiTmsGroupEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Each entry represents a conceptual row in ciTmsGroupTable
        and corresponds to the information about the controller
        and TIDP group a consumer is registered with."
    INDEX           {
                        ciTmsGroupId,
                        ciTmsControllerIpType,
                        ciTmsControllerIp
                    }
    ::= { ciTmsGroupTable 1 }

CiTmsGroupEntry ::= SEQUENCE {
        ciTmsGroupId                Unsigned32,
        ciTmsControllerIpType       InetAddressType,
        ciTmsControllerIp           InetAddress,
        ciTmsGroupConsumerRegStatus CTmsConsumerRegistrationStatus,
        ciTmsGroupNotifEnable       TruthValue,
        ciTmsGroupStorageType       StorageType,
        ciTmsGroupRowStatus         RowStatus
}

ciTmsGroupId OBJECT-TYPE
    SYNTAX          Unsigned32 (1..4294967295 )
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION     "This object represents the TIDP group Id."
    ::= { ciTmsGroupEntry 1 }

ciTmsControllerIpType OBJECT-TYPE
    SYNTAX          InetAddressType
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object represents the type of the network address
        available through ciTmsControllerIp."
    ::= { ciTmsGroupEntry 2 }

ciTmsControllerIp OBJECT-TYPE
    SYNTAX          InetAddress
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object represents the network address of the controller.
        The type of the address is represented by
        ciTmsControllerIpType."
    ::= { ciTmsGroupEntry 3 }

ciTmsGroupConsumerRegStatus OBJECT-TYPE
    SYNTAX          CTmsConsumerRegistrationStatus
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object represents the status of consumer's registration
        with the controller in a TIDP group."
    ::= { ciTmsGroupEntry 4 }

ciTmsGroupNotifEnable OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object indicates whether following notifications should
        be generated for a group :
        1. ciscoTmsControllerUnreachable
        2. ciscoTmsThreatStatusChange
        3. ciscoTmsMitigationActionFailed

        Setting this object to 'true' enables the group level
        notifications, while setting it to 'false' disables
        the group level notifications."
    DEFVAL          { false }
    ::= { ciTmsGroupEntry 5 }

ciTmsGroupStorageType OBJECT-TYPE
    SYNTAX          StorageType
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION     "The storage type for this conceptual row."
    DEFVAL          { nonVolatile }
    ::= { ciTmsGroupEntry 6 }

ciTmsGroupRowStatus OBJECT-TYPE
    SYNTAX          RowStatus
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "The status of this conceptual row.
        An entry can be created/deleted using this object.
        A row may be deleted by setting the RowStatus to 'destroy'."
    ::= { ciTmsGroupEntry 7 }


-- Table for threat information

ciTmsThreatTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CiTmsThreatEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This table represents the information about the
        threats the consumer has received from various
        controllers belonging to different TIDP groups it is
        registered with. A threat received from one controller
        in a TIDP group is uniquely identified by the threat id
        and owner id.

        A row is added to the table when a threat notification
        message is received by the consumer from the controller in
        a TIDP group.
        A row is deleted from the table when the consumer deletes
        the information about a threat received from a controller
        in a TIDP group."
    ::= { ciTmsConsumerThreat 1 }

ciTmsThreatEntry OBJECT-TYPE
    SYNTAX          CiTmsThreatEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Each entry represents a conceptual row in ciTmsThreatTable
        and corresponds to the information about a threat and its
        various attributes, received from a controller in a given
        TIDP group."
    INDEX           {
                        ciTmsThreatOwner,
                        ciTmsThreatId,
                        ciTmsGroupId,
                        ciTmsControllerIpType,
                        ciTmsControllerIp
                    }
    ::= { ciTmsThreatTable 1 }

CiTmsThreatEntry ::= SEQUENCE {
        ciTmsThreatOwner              Unsigned32,
        ciTmsThreatId                 Unsigned32,
        ciTmsThreatVer                Unsigned32,
        ciTmsThreatStatus             CTmsThreatStatus,
        ciTmsThreatClass              SnmpAdminString,
        ciTmsThreatName               SnmpAdminString,
        ciTmsThreatActiveTimeDuration DateAndTime,
        ciTmsThreatPriority           Unsigned32,
        ciTmsThreatTcdf               SnmpAdminString
}

ciTmsThreatOwner OBJECT-TYPE
    SYNTAX          Unsigned32 (1..4294967295 )
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object identifies the controller that has notified the
        consumer about the threat."
    ::= { ciTmsThreatEntry 1 }

ciTmsThreatId OBJECT-TYPE
    SYNTAX          Unsigned32 (1..65535 )
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object represents the identifier for the particular
        threat."
    ::= { ciTmsThreatEntry 2 }

ciTmsThreatVer OBJECT-TYPE
    SYNTAX          Unsigned32 (0..255 )
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object represents the version of the
        threat."
    ::= { ciTmsThreatEntry 3 }

ciTmsThreatStatus OBJECT-TYPE
    SYNTAX          CTmsThreatStatus
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object represents the current status of the threat on
        the consumer. This is evaluated locally on consumer."
    ::= { ciTmsThreatEntry 4 }

ciTmsThreatClass OBJECT-TYPE
    SYNTAX          SnmpAdminString
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object represents the class of threat. An example of
        class is 'Worm'."
    ::= { ciTmsThreatEntry 5 }

ciTmsThreatName OBJECT-TYPE
    SYNTAX          SnmpAdminString
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object represents name of the threat. An example of
        threat name is 'WittyWorm'."
    ::= { ciTmsThreatEntry 6 }

ciTmsThreatActiveTimeDuration OBJECT-TYPE
    SYNTAX          DateAndTime
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object represents the duration the threat has been
        active for."
    ::= { ciTmsThreatEntry 7 }

ciTmsThreatPriority OBJECT-TYPE
    SYNTAX          Unsigned32 (1..32 )
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object represents the priority at which the consumer
        responds to this threat. A higher value indicates a lower
        priority for the threat and vice versa."
    ::= { ciTmsThreatEntry 8 }

ciTmsThreatTcdf OBJECT-TYPE
    SYNTAX          SnmpAdminString
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object represents the TCDF related information received
        in the threat. For example,
        <tcdf> <match> <eq field='ip.dst_addr' value='10.10.10.1'>
        </eq> </match> </tcdf>."
    ::= { ciTmsThreatEntry 9 }


-- Threat Action table

ciTmsThreatActionTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CiTmsThreatActionEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This table represents mitigation action for the respective
        threat. A threat is uniquely represented by the threat id,
        owner id, controller IP and TIDP group ID and hence
        corresponding objects are used as indices.
        A row is added to the table when the consumer enforces a
        mitigation action as a result of receiving a threat message
        from a controller in a TIDP group.
        A row is deleted from the table when the consumer removes
        the mitigation action taken for the threat received from a
        controller in a TIDP group."
    ::= { ciTmsConsumerThreat 2 }

ciTmsThreatActionEntry OBJECT-TYPE
    SYNTAX          CiTmsThreatActionEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Each entry represents a conceptual row in
        ciTmsThreatActionTable and corresponds to the
        information about the mitigation action
        applied for a particular threat."
    INDEX           {
                        ciTmsThreatOwner,
                        ciTmsThreatId,
                        ciTmsGroupId,
                        ciTmsControllerIpType,
                        ciTmsControllerIp,
                        ciTmsThreatAction,
                        ciTmsThreatActionParamId
                    }
    ::= { ciTmsThreatActionTable 1 }

CiTmsThreatActionEntry ::= SEQUENCE {
        ciTmsThreatAction            CTmsActionType,
        ciTmsThreatActionParamId     CTmsActionParamIdType,
        ciTmsThreatActionParamType   CTmsActionParamType,
        ciTmsThreatActionParamLength Unsigned32,
        ciTmsThreatActionParamValue  SnmpAdminString,
        ciTmsThreatActionFailReason  SnmpAdminString
}

ciTmsThreatAction OBJECT-TYPE
    SYNTAX          CTmsActionType
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object represents the mitigation action taken by
        the consumer for a threat."
    ::= { ciTmsThreatActionEntry 1 }

ciTmsThreatActionParamId OBJECT-TYPE
    SYNTAX          CTmsActionParamIdType
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION     "This object identifies an action parameter."
    ::= { ciTmsThreatActionEntry 2 }

ciTmsThreatActionParamType OBJECT-TYPE
    SYNTAX          CTmsActionParamType
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object represents the type of an action parameter."
    ::= { ciTmsThreatActionEntry 3 }

ciTmsThreatActionParamLength OBJECT-TYPE
    SYNTAX          Unsigned32 (1..65535 )
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object represents the length of the action parameter
        identified by ciTmsThreatActionParamId."
    ::= { ciTmsThreatActionEntry 4 }

ciTmsThreatActionParamValue OBJECT-TYPE
    SYNTAX          SnmpAdminString
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object represents the value of the parameter identified
        by ciTmsThreatActionParamId. This value should be interpreted
        using type and length of the parameter value represented by
        ciTmsThreatActionParamType and ciTmsThreatActionParamLength
        respectively.
        In case of ciTmsThreatActionParamType being 'networkAddress',
        the first octet of this object will indicate the type of
        network address, i.e. it will be set to one of
        InetAddressType values as appropriate. The subsequent
        octets will carry the network address. For example,
        the first octet of ciTmsThreatActionParamValue will carry
        the value ipv4(1) and the next four octets will carry the
        respective octets of the IP address."
    ::= { ciTmsThreatActionEntry 5 }

ciTmsThreatActionFailReason OBJECT-TYPE
    SYNTAX          SnmpAdminString
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object specifies the reason for the failure of
        a particular threat mitigation action. 'OER mitigation not
        supported' is an example of the value populated for this
        object. For successfully mitigated threats, this will be
        a zero-length string."
    ::= { ciTmsThreatActionEntry 6 }


-- Threat Interface table

ciTmsThreatInterfaceTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CiTmsThreatInterfaceEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The application of threat mitigation is typically done on one
        or more interfaces.
        This table represents the status of
        mitigation action applied on the respective interfaces.

        A row is added to the table when the consumer enforces a
        mitigation action on an interface as a result of receiving
        a threat message from a controller in a TIDP group.
        A row is deleted from the table when the consumer removes a
        mitigation action taken on an interface as a result of threat
        received from a controller in a TIDP group."
    ::= { ciTmsConsumerThreat 3 }

ciTmsThreatInterfaceEntry OBJECT-TYPE
    SYNTAX          CiTmsThreatInterfaceEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Each entry represents a row in ciTmsThreatInterfaceTable
        and corresponds to the information about the interface on
        which the threat mitigation action is applied."
    INDEX           {
                        ciTmsThreatId,
                        ciTmsThreatOwner,
                        ciTmsGroupId,
                        ciTmsControllerIpType,
                        ciTmsControllerIp,
                        ifIndex
                    }
    ::= { ciTmsThreatInterfaceTable 1 }

CiTmsThreatInterfaceEntry ::= SEQUENCE {
        ciThreatInterfaceMitigationApplied TruthValue
}

ciThreatInterfaceMitigationApplied OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates whether the mitigation action
        for a particular threat has been successfully applied
        on an interface or not. A value of 'true' indicates
        the successful application of mitigation action, while a
        value of 'false' indicates that the mitigation
        action couldn't be successfully applied on the interface. "
    ::= { ciTmsThreatInterfaceEntry 1 }



-- notifications
ciTmsConsStateChangeNotifEnable OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object is used to control the generation of the
        ciscoTmsConsStateChange notifications. A value of
        'true' indicates that the agent is enabled to generate this
        notification.
        A value of 'false' indicates the generation
        of this notification is currently disabled."
    DEFVAL          { false }
    ::= { ciTiTmsConsumerNotifs 1 }


ciscoTmsConsStateChange NOTIFICATION-TYPE
    OBJECTS         { ciTmsConsumerState }
    STATUS          current
    DESCRIPTION
        "This notification is generated to indicate the current
        operational state of the consumer, when the consumer
        undergoes a state change."
    ::= { ciscoTmsMIBNotifs 1 }


ciscoTmsControllerUnreachable NOTIFICATION-TYPE
    OBJECTS         { ciTmsGroupConsumerRegStatus }
    STATUS          current
    DESCRIPTION
        "This notification is generated by the consumer when the
        controller it has registered with becomes unreachable.
        This notification will be generated only when notification
        generation is enabled for the corresponding TIDP group
        through ciTmsGroupNotifEnable."
    ::= { ciscoTmsMIBNotifs 2 }


ciscoTmsThreatStatusChange NOTIFICATION-TYPE
    OBJECTS         {
                        ciTmsThreatVer,
                        ciTmsThreatStatus,
                        ciTmsThreatPriority
                    }
    STATUS          current
    DESCRIPTION
        "This notification is generated by the consumer when
        consumer acts upon a particular threat and changes the state
        of the threat.
        This notification will be generated only when notification
        generation is enabled for the corresponding TIDP group
        through ciTmsGroupNotifEnable."
    ::= { ciscoTmsMIBNotifs 3 }


ciscoTmsMitigationActionFailed NOTIFICATION-TYPE
    OBJECTS         {
                        ciTmsThreatActionParamType,
                        ciTmsThreatActionParamLength,
                        ciTmsThreatActionParamValue,
                        ciTmsThreatActionFailReason
                    }
    STATUS          current
    DESCRIPTION
        "This notification is generated by the consumer when the
        mitigation action enforced for a particular threat fails.
        The notification contains the information about the failed
        mitigation action and the reason for the failure indicated
        by ciTmsThreatActionFailReason.
        This notification will be generated only when notification
        generation is enabled for the corresponding TIDP group
        through ciTmsGroupNotifEnable."
    ::= { ciscoTmsMIBNotifs 4 }
-- conformance information
ciscoTmsMIBCompliances OBJECT IDENTIFIER
    ::= { ciscoTmsMIBConform 1 }

ciscoTmsMIBGroups OBJECT IDENTIFIER
    ::= { ciscoTmsMIBConform 2 }


-- compliance statement
ciscoTmsMIBCompliance MODULE-COMPLIANCE
    STATUS          current
    DESCRIPTION
        "The compliance statement for the SNMP entities that
        implement the ciscoThreatMitigationServiceMIB module."
    MODULE          -- this module
    MANDATORY-GROUPS {
                        ciscoTmsConsumerGroup,
                        ciscoTmsThreatGroup,
                        ciscoTmsThreatActionGroup,
                        ciscoTmsThreatInterfaceGroup,
                        ciscoTmsNotificationGroup
                    }
    ::= { ciscoTmsMIBCompliances 1 }

-- units of conformance
ciscoTmsConsumerGroup OBJECT-GROUP
    OBJECTS         {
                        ciTmsConsumerDeviceId,
                        ciTmsGroupsMaxEntries,
                        ciTmsThreatsMaxEntries,
                        ciTmsThreatActionMaxEntries,
                        ciTmsInterfaceMaxEntries,
                        ciTmsConsumerState,
                        ciTmsConsStateChangeNotifEnable,
                        ciTmsGroupConsumerRegStatus,
                        ciTmsGroupNotifEnable,
                        ciTmsGroupStorageType,
                        ciTmsGroupRowStatus
                    }
    STATUS          current
    DESCRIPTION
        "This collection of objects represent the information about
        the TIDP groups, the controller(s) in a TIDP group and the
        status of a consumer's registration with the controller
        in the TIDP group."
    ::= { ciscoTmsMIBGroups 1 }

ciscoTmsThreatGroup OBJECT-GROUP
    OBJECTS         {
                        ciTmsActiveThreats,
                        ciTmsInActiveThreats,
                        ciTmsThreatVer,
                        ciTmsThreatStatus,
                        ciTmsThreatClass,
                        ciTmsThreatName,
                        ciTmsThreatActiveTimeDuration,
                        ciTmsThreatPriority,
                        ciTmsThreatTcdf
                    }
    STATUS          current
    DESCRIPTION
        "This collection of objects represents the information
        about the threats detected, as being targeted towards a
        consumer, by a controller in a TIDP group."
    ::= { ciscoTmsMIBGroups 2 }

ciscoTmsThreatActionGroup OBJECT-GROUP
    OBJECTS         {
                        ciTmsThreatActionParamType,
                        ciTmsThreatActionParamLength,
                        ciTmsThreatActionParamValue,
                        ciTmsThreatActionFailReason
                    }
    STATUS          current
    DESCRIPTION
        "This collection of objects represent the information about
        the mitigation actions taken for the respective threats by
        the consumer."
    ::= { ciscoTmsMIBGroups 3 }

ciscoTmsThreatInterfaceGroup OBJECT-GROUP
    OBJECTS         { ciThreatInterfaceMitigationApplied }
    STATUS          current
    DESCRIPTION
        "This collection of objects represent the information about
        the interfaces on which the mitigation action for a
        particular threat is applied."
    ::= { ciscoTmsMIBGroups 4 }

ciscoTmsNotificationGroup NOTIFICATION-GROUP
    NOTIFICATIONS   {
                        ciscoTmsConsStateChange,
                        ciscoTmsControllerUnreachable,
                        ciscoTmsThreatStatusChange,
                        ciscoTmsMitigationActionFailed
                    }
    STATUS          current
    DESCRIPTION
        "This collection of objects represent the notifications
        generated by the consumer."
    ::= { ciscoTmsMIBGroups 5 }

END
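
The ciTmsThreatActionParamValue encoding described in the MIB (an InetAddressType octet followed by the address octets), decoded defensively on the management station. This is an added Python example, not part of the Cisco MIB; the names `decode_action_param`, `ActionParam` and `ParamDecodeError` are hypothetical. Assumptions: ciTmsThreatActionParamLength is taken to count every octet of the value, and 'unsigned' values are returned raw because the MIB does not define their layout.

```python
import ipaddress
from dataclasses import dataclass

# CTmsActionParamType values, as defined in the MIB above.
UNSIGNED, NETWORK_ADDRESS, STRING = 1, 2, 3

# InetAddressType values (INET-ADDRESS-MIB) mapped to the address class
# and the number of address octets that must follow the type octet.
INET_TYPES = {
    1: (ipaddress.IPv4Address, 4),    # ipv4(1)
    2: (ipaddress.IPv6Address, 16),   # ipv6(2)
}


class ParamDecodeError(ValueError):
    """The parameter octets do not match the declared type."""


@dataclass(frozen=True)
class ActionParam:
    kind: str          # "unsigned", "networkAddress" or "string"
    value: object      # IPv4Address/IPv6Address, str, or raw bytes
    length_ok: bool    # declared length == octets received (assumption)


def decode_action_param(param_type: int, param_length: int, raw: bytes) -> ActionParam:
    """Decode one ciTmsThreatActionParamValue using its type and length columns.

    Assumption (not stated in the MIB): ciTmsThreatActionParamLength counts
    every octet of the value, including the leading address-type octet.
    A mismatch is reported in length_ok rather than rejected.
    """
    length_ok = param_length == len(raw)

    if param_type == NETWORK_ADDRESS:
        if not raw:
            raise ParamDecodeError("networkAddress value is empty")
        addr_type, addr = raw[0], raw[1:]
        if addr_type not in INET_TYPES:
            raise ParamDecodeError(f"unsupported InetAddressType {addr_type}")
        cls, size = INET_TYPES[addr_type]
        if len(addr) != size:
            raise ParamDecodeError(
                f"InetAddressType {addr_type} needs {size} address octets, "
                f"got {len(addr)}")
        return ActionParam("networkAddress", cls(addr), length_ok)

    if param_type == STRING:
        # SnmpAdminString is UTF-8; reject anything that is not.
        try:
            return ActionParam("string", raw.decode("utf-8"), length_ok)
        except UnicodeDecodeError as exc:
            raise ParamDecodeError("string value is not valid UTF-8") from exc

    if param_type == UNSIGNED:
        # The MIB does not say how the integer is laid out in the octets,
        # so the raw octets are returned unchanged.
        return ActionParam("unsigned", raw, length_ok)

    raise ParamDecodeError(f"unknown CTmsActionParamType {param_type}")


if __name__ == "__main__":
    # Constructed sample: a redirect nexthop of 10.10.10.1, type octet ipv4(1).
    sample = bytes([1, 10, 10, 10, 1])
    print(decode_action_param(NETWORK_ADDRESS, 5, sample))
```
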