CISCO-CIDS-MIB: View SNMP OID List / Download MIB

Cisco Intrusion Detection System MIB. Provides trap definitions for the evAlert and evError elements of the IDIOM (Intrusion Detection and Operations Messages) document and read support for the Intrusion Detection System (sensor) health information, such as if the sensor is in a memory critical stage.

Event indicating that some suspicious or malicious activity has been detected on a monitored network.

Event indicating that an error has occurred.

This notification is triggered by the heart beat events (evStatus). The heartbeat is configured to run on a periodic basis and can be enabled/disabled through heart beat configuration under the health service. If the heart beat is disabled these notification events will not be sent. This notification is supposed to mirror the heart beat evStatus message however it is a subset of the most critical pieces of data. Namely this will include the following pieces of data: - Event ID - Host ID - Local Time - UTC Time - Overall Application Color - Sensor/Inspection Load Color - Overall Health

This notification notifies the recipient of health and security status changes. This notification is triggered when there is a change in the value of monitored metrics as indicated by evStatus message. This notification will include the following important subset of attributes from evStatus message: - Event ID - Host ID - Local Time - UTC Time - Overall Application Color - Sensor/Inspection Load Color - Overall Health This is similar to the heart beat, however the triggering condition is different. The heart beat fires on a regular interval and this is sent immediately after a change in a monitored metric. Metric change notifications can be enabled while the heart beat is disabled.

Identifies the sequence number of an event. This value needs to be unique within the scope of the originating host.

The local time on the Cisco intrusion detection system sensor when the alert was generated.

The UTC time on the Cisco intrusion detection system sensor when the alert was generated.

A globally unique identifier for a Cids host. Could be a host name or an IP address.

The optional generic name of a Cids application.

The optional id of this instance of the application. Typically the process id (pid).

Indicates whether notifications will or will not be sent when an event is generated by the device.

The severity associated with a Cids signature (informational, low, medium or high for example).

The alarm traits is an unsigned 16-bit integer representing the value of the 16 user-defined alarm traits specified in the configuration for the signature that triggered the alert. The alarmTraits bits are used to classify signatures into user-defined categories or groups.

Content is a string containing details about the signature that fired, without any specifics tied to this instance of the alert. The cidsAlertSignatureSigName, cidsAlertSignatureSigId and cidsAlertSignatureSubSigId attributes define the signature that triggered this Alert.

The name of the Intrusion detection signature that triggered this event.

The ID of the Intrusion detection signature that triggered this event. The ID combines with the cidsAlertSignatureSubSigId to create a unique key that identifies the signature that generated this event.

The optional Sub ID of the Intrusion detection signature that triggered this event. The Sub ID combines with the cidsAlertSignatureSigId to create a unique key that identifies the signature that generated this event.

The optional version attribute defines the version number of the signature update in which the triggering signature was introduced or was last modified. Example: 4.1(1.1)S47(0.1)

Optional, if present, specifies that this is a summary alert, representing one or more alerts with common characteristics. The numeric value indicates the number of times the signature fired since the last summary alert with a matching 'initialAlert' attribute value. The first and all subsequent summary alerts in a sequence will use the eventId of a previous non-summary evAlert in the initialAlert attribute value. All alerts represented by the summary alert share the same signature and sub-signature id. The summaryType attribute defines the common characteristic(s) of all alerts in the summary. The 'final' attribute indicates whether this is the last evAlert containing the same value in the 'initialAlert' attribute. The 'final' attribute may be omitted if and only if its value is false.

Common characteristics shared by all non-summary alerts included in a summary alert.

The optional 'final' attribute indicates whether this is the last evAlert containing the same value in the 'initialAlert' attribute. The 'final' attribute may be omitted if and only if its value is false.

Serial number for the initial alert, which is guaranteed unique within the scope of the originating host.

This object indicates an optional numeric identifier for a sniffing interface group on this host.

An optional numeric identifier for a vlan. Identifies the vlan that uses the number in ISL or 802.3.1q headers.

Optional Base64-encoded representation of the stream data that was sourced by the victim.

Optional Base64-encoded representation of the stream data that was sourced by the Attacker.

Optional IP address and ports on a monitored interface. The 'locality' attribute is a string that indicates the relative location of the IP address within the network mapping, such as whether the address falls within the address range of a protected network. The optional 'proxy' attribute is 'true' if the sensor has reason to suspect that the address given is not the address of the true attacker. This could be a the result of address spoofing or because the host has been compromised and is acting as a 'zombie'. The 'proxy' attribute may be omitted if and only if its value is false.

Optional IP address and ports on a monitored interface. The 'locality' attribute is a string that indicates the relative location of the IP address within the network mapping, such as whether the address falls within the address range of a protected network. The 'osIdSource' attribute represents the method that the operating system of the victim was identified. The 'osType' attribute represents the operating system of the target system. The 'osRelevance' attribute represents the relevance of an attack on the operating system.

Indicates whether IP logging has been activated as the result of the alert. A separate evIpLogStatus event will be generated when logging has been completed. The evIpLogStatus event contains the URL where the log results may be obtained. This element may be omitted if and only if its value is false.

Indicates whether a attempt was made to reset a tcp connection as the result of the alert. The addresses and ports affected must be implied from the information contained in the participant elements of the evAlert. This element may be omitted if and only if its value is false.

Indicates whether an IP address or tcp connection has been requested to be shunned as a result of the alert. Details about the addresses and ports involved in the shun can be obtained from evNacStatus events sent by the Network Access Controller application. This element may be omitted if and only if its value is false.

Textual details about the specific alert instance, not just the signature.

IP log identifiers for IP logs that were added as the result of this alert.

A brief textual description of the status of the alarm given by the Cisco Systems Threat Response engine.

The alarm severity as assigned by the Cisco Systems Threat Response engine.

A risk factor that incorporates several additional pieces of information beyond the detection of a potentially malicious action. The factors that characterize this risk are the severity of the attack if it were to succeed, the fidelity of the signature, the relevance of the potential attack with respect to the target host, and the overall value of the target host to the customer.

The ifIndex on which the activity was detected.

Identifies the IP protocol associated with the alert.

Indicates that the traffic from originating from the attacker is being blocked as a result of the alert. This element may be omitted if and only if its value is false.

Indicates that the traffic on the TCP connection being blocked as a result of the alert. This element may be omitted if and only if its value is false.

Indicates whether the packet that triggered the alert would have been denied as a result of the alert if the intrusion prevention system was operating in inline mode. However, the packet was not actually denied because the intrusion prevention system was operating in promiscuous mode. This element may be omitted if and only if its value is false.

Indicates whether the flow that triggered the alert would have been denied as a result of the alert if the intrusion prevention system was operating in inline mode. However, this action was not actually taken because the intrusion prevention system was operating in promiscuous mode. This element may be omitted if and only if its value is false.

Indicates whether the traffic from the attacker that triggered the alert would have been denied as a result of the alert if the intrusion prevention system was operating in inline mode. However, this action was not actually taken because the intrusion prevention system was operating in promiscuous mode. This element may be omitted if and only if its value is false.

Indicates that a TCP connection has been requested to be blocked as a result of the alert. This element may be omitted if and only if its value is false.

Indicates that packets associated with the attacker(s) identified by this alert are being logged. This element may be omitted if and only if its value is false.

Indicates that packets associated with the victim(s) identified by this alert are being logged. This element may be omitted if and only if its value is false.

Indicates that packets associated with the attacker/victim pair(s) identified by this alert are being logged. This element may be omitted if and only if its value is false.

Indicates that traffic rate limiting based on the source address and protocol associated with the alert has been requested on external network devices. This element may be omitted if and only if its value is false.

Indicates that traffic from originating from the attackers address and destined for the victims address identified in the alert is being denied as a result of the alert. This element may be omitted if and only if its value is false.

Indicates that traffic from originating from the attackers address and destined for the destination service port identified in the alert is being denied as a result of the alert. This element may be omitted if and only if its value is false.

Indicates that traffic from originating from the attackers address and destined for the victims address identified in the alert would have been denied as a result of the alert if the intrusion prevention system was operating in inline mode. However, this action was not actually taken because the intrusion prevention system was operating in promiscuous mode. This element may be omitted if and only if its value is false.

Indicates that traffic from originating from the attackers address and destined for the destination service port identified in the alert would have been denied as a result of the alert if the intrusion prevention system was operating in inline mode. However, this action was not actually taken because the intrusion prevention system was operating in promiscuous mode. This element may be omitted if and only if its value is false.

Value that represents the calculated threat associated with the detected activity. The threat value consists of the cidsAlertEventRiskRating adjusted for the mitigation action performed. The threat value has a range between 0 and 100 (inclusive), where a value of 0 represents the lowest threat and 100 the greatest threat.

Represents the asset value associated with a target identified in the alert.

Value that represents an attack's relevance to the destination target of this alert.

Value that represents the amount that the risk rating value was increased due to the source of the activity associated with the alert being on a watchlist.

This object indicates that the traffic originating from the attacker is being blocked as a result of the alert. This element may be omitted if and only if its value is 'false'.

This object indicates that a host has been requested to be blocked as a result of the alert. This element may be omitted if and only if its value is 'false'.

This object indicates an attempt to reset one side of the connection (the victim side). The victim address and ports affected must be implied from the information contained in the participant elements of the alert. This element may be omitted if and only if its value is 'false'.

This object represents the name of the virtual sensor associated with an Intrusion Prevention System alert. From the virtual sensor name one can correlate which signature set and configuration to look at to trouble shoot or tune the behavior of the sensor. The virtual sensor name with the signature ID should help in identifying the correct instance of the signature that fired the alert.

Severity of an error (warning, error or fatal for example). An example of a type of error that could occur would be when a requested action could not be completed because it would create a resource that would exceed a system resource limit.

An enumerated error code, which identifies a general class of errors.

A textual description of the error that occurred.

The percentage of packets lost at the device interface level.

The percentage of packets denied due to protocol and security violations.

The number of alarms generated, includes all currently defined alarm severities.

The number of fragments currently queued in the fragment reassembly unit.

The number of datagrams currently queued in the fragment reassembly unit.

The number of embryonic TCP streams currently queued in the device. TCP streams are considered embryonic if they have not completed the TCP three-way handshake.

The number of established TCP streams currently queued in the device. Once a stream has completed a TCP three-way handshake it will move to the established state.

The number of closing TCP streams currently queued in the device. A stream will move from the established state to closing when a valid FIN or RST flag is received.

The number of TCP streams (embryonic, established and closing) currently queued in the device.

The number of active nodes currently queued in the device.

The number TCP nodes keyed on both IP addresses and both ports currently queued in the device.

The number UDP nodes keyed on both IP addresses and both ports currently queued in the device.

The number IP nodes keyed on both IP addresses currently queued in the device.

A value between 0 and 10 that should rarely get above 3. If this is non-zero the sensor has stopped enforcing policy on some traffic in order to keep up with the current traffic load; the sensor is oversubscribed. The higher the number the more oversubscribed the sensor. It could be oversubscribed from a memory prospective and not traffic speed. For example on a 200 Mbit sensor this number might be 3 if the sensor was only seeing 100Mbit of traffic but 6000 connections per second which is over the rated capacity of the sensor. When the sensor is in Memory Critical state then a ciscoCidsError trap will be sent accordingly.

Indicates the failover status of the device. True indicates the device is currently active. False indicates it is in a standby mode.

The status and network statistics of the currently configured Command and Control interface on the device. The Command and Control interface is where all of the communications for command and control of the sensor occurs. This is important to identify what interface a user will communicate with to control the sensor remotely and general health statistics for that interface.

The value of SNMPv2-MIB::sysUpTime when the Sensor specific statistics was reset. The reset time is collectively for the following objects: cidsHealthPacketLoss, cidsHealthPacketDenies, cidsHealthAlarmsGenerated, cidsHealthFragmentsInFRU, cidsHealthDatagramsInFRU, cidsHealthTcpEmbryonicStreams, cidsHealthTcpEstablishedStreams, cidsHealthTcpClosingStreams, cidsHealthTcpStreams

This object indicates the availability of health and security monitor statistics. If the IPS health and security monitoring service is disabled, it will return false.

This object indicates IPS sensor's overall health value - green, yellow or red. The overall health status is set to the highest severity of all metrics that are configured to be applied to the IPS's health determination. For example, if the IPS is configured to use eight metrics to determine its health and seven of eight metrics are green while one of the metrics is red then the overall IPS health will be red. This object is instantiated only if the value of cidsHealthSecMonAvailability is set to 'true'.

This object indicates the IPS software version number (e.g., 6.2(1)E3). This object is instantiated only if the value of cidsHealthSecMonAvailability is set to 'true'.

This object indicates IPS signature version (e.g., 365.0). This object is instantiated only if the value of cidsHealthSecMonAvailability is set to 'true'.

This object indicates IPS license status along with expiration date. For example it will contain the following possible values: - signatureUpdateKey: Not expired until: - trialKey: Not expired until: - expiredLicense - noLicense - invalidLicense - unknown The timestamp will be in the format: MM/DD/YYYY HH:MM:SS This object is instantiated only if the value of cidsHealthSecMonAvailability is set to 'true'.

This object indicates the aggregate health status of the applications - Main, Analysis Engine, Collaboration - where the status is equal to the most severe status of all three applications. It is used in both the heart beat and the metric change health traps.

This object indicates the running status for the control plane. This object is instantiated only if the value of cidsHealthSecMonAvailability is set to 'true'.

This object indicates the running status for the Analysis Engine. This object is instantiated only if the value of cidsHealthSecMonAvailability is set to 'true'.

This object indicates the running status for the Collaboration Application. This object is instantiated only if the value of cidsHealthSecMonAvailability is set to 'true'.

This object indicates the bypass mode. A value of 'true' indicates bypass mode is on and a value of 'false' indicates it is off. This object is instantiated only if the value of cidsHealthSecMonAvailability is set to 'true'.

This object indicates the missed packet percentage and missed packets percentage threshold aggregated for all interfaces. For example, 'missedPacketPercentage=1 redThreshold=6 yellowThreshold=1'. This object is instantiated only if the value of cidsHealthSecMonAvailability is set to 'true'.

This object indicates the percentage of memory used by Analysis Engine. This object is instantiated only if the value of cidsHealthSecMonAvailability is set to 'true'.

This object indicates sensor inspection load. This object is instantiated only if the value of cidsHealthSecMonAvailability is set to 'true'.

This object indicates the status of current sensor load, indicated using status colors. The color is determined based on the sensor load percentage and configured threshold value.

This table contains the status of each virtual sensor. There will be one entry per virtual sensor in the system. This is the status of the network that the virtual sensor is monitoring. A virtual sensor can be added either through the configuration CLI or through a management application such as IME/CSM; once it is added to the system it will appear in this table. If a virtual sensor is removed from the system through one of the management interfaces it will no longer appear in this table. This table is instantiated only if the value of cidsHealthSecMonAvailability is set to 'true'.

An entry (conceptual row) in the cidsHealthSecMonVirtSensorStatusTable. There will be one per virtual sensor on the system. A virtual sensor allows one to logically separate their sensor configuration for different sets of interfaces. For example virtual sensor vs0 may apply to one set of interfaces and vs1 would apply to another set of interfaces. This table allows someone to get the status of each of the virtual sensors to determine the health of the associated networks. For example you could have vs0 monitoring your finance networks and vs1 monitoring your engineering networks and track the health of each of these networks independently.

This object represents the name of the virtual sensor. Through the IPS configuration the sensor name can be correlated with the sensor configuration and the associated interfaces to identify which networks are having good or bad health status. The reason there are multiple virtual sensor configurations is to allow different configurations for different sets of network interfaces.

This object represents the virtual sensor network status level. From the color rating associated with the virtual sensor you can determine the overall health of the attached networks. If the color is green everything is fine, the IPS is not indicating a problem. If the color is yellow you should check as there maybe issues occuring on the attached network. If the status is red the network needs attention as problems are detected and network security is critical.

This is the table of disk partition details: Partition Name Total Space In Partition Utilized Space This table tells how each of the file systems are utilized on the IPS. If the file systems approach 100% utilization that may indicate a problem. This table should remain fixed size unless an upgrade/install changes the partition count. The user does not have control over the number of partitions or the ability to add and remove partitions. This table is instantiated only if the value of cidsHealthSecMonAvailability is set to 'true'.

An entry (conceptual row) in the cidsHealthSecMonDataStorageTable. There will be one row per partition. This table is here to track the health of the storage on the IPS sensor. The following partitions will have their status displayed as part of the data storage table: system This is the root file system on the sensor; this file system should not change too much over time and should not be full. application-data This is the main file system where application binaries, application logs and configuration data is stored. This file system will change due to logging and configuration changes; if this file system is full it will present stability problems. This partition is the most important in the system to monitor. boot Kernel/boot data storage partition; this should not change much other than during an image upgrade. application-log This partition has fixed sized files to store IPLOG data. This will likely run near full capacity without being a problem. The most important partition to monitor over time is the application-data partition; if it runs to capacity problems will occur as processes will no longer be able to write data to the file system. Note: File system setup and utilization will vary per platform model; there are no perfect rules for monitoring these across all platforms however you should be able to use trends over time to indicate if you are going to fill up a file system that should not run at capacity such as the application-data partition.

Name of the disk partition. For example: system application-data boot application-log

This object represents the total disk space on the partition in megabytes.

This object represents the total amount of utilized disk space in megabytes.

The compliance statement for entities which implement the Cids MIB

The compliance statement for entities which implement the Cids MIB

The compliance statement for entities which implement the Cids MIB

The compliance statement for entities which implement the Cids MIB

The compliance statement for entities which implement the Cids MIB

General Objects.

Alert Objects.

Error Objects.

The notifications which are required.

Health Objects.

General Objects.

Alert Objects.

Optional Objects.

Optional Objects.

A collection of optional objects which provide sensor events and alerts information.

A collection of objects that provide sensor alert information.

A collection of objects that provide sensor health status.

A collection of optional objects which provide sensor events and alerts information.

A collection of objects that provide sensor health and metric change related trap information.