Steve,
The ISS RealSecure MIB has the info you requested. It gets installed with
the Sensor installations; I have attached it for your convenience. Let me
know if you have any other questions concerning it.
Thanks
John
At 11:04 AM 1/10/00 -0500, Administrator, Exchange wrote:
> > -----Original Message-----
> > From: Lodin, Steven {IT 4~Indianapolis} [SMTP:[EMAIL PROTECTED]]
> > Sent: Thursday, December 16, 1999 10:29 AM
> > To: '[EMAIL PROTECTED]'
> > Subject: ISS RealSecure and SNMP
> >
> > Good day!
> >
> > Environment: ISS RealSecure 3.2 - Network Engine in Stealth mode on NT, Consoles on NT
> >
> > Situation: I'm trying to simulate thresholding capability in RealSecure (RS) by creating a user-defined event and sending an SNMP trap for every occurrence to my Tivoli TEC. Tivoli will then be able to apply the rule that if X events occur in Y time, then do action Z (something I see lacking in RS).
> >
> > My Tivoli people are asking me for information about the SNMP trap I am sending them. They want to know specific SNMP information such as the SNMP version, OID, the enterprise string, and MIB information. I couldn't find any information on SNMP other than destination address and community string in the manuals and online help.
> >
> > Does anyone know this information or where I can find it? I don't think sniffing a packet will help since it is ASN.1 encoded, right?
> >
> > Thanks for the help!
> >
> > Steve
> > --
> > Steve Lodin <[EMAIL PROTECTED]>
> > Manager - IT Security
> > Roche Diagnostics Corp
> > 317-845-2070
> >
-- ISS-MIB { iso org(3) dod(6) internet(1) private(4) enterprises(1) 2499 }
-- Title: Internet Security Systems Private Enterprise MIB
-- Version: 1.0
ISS-MIB DEFINITIONS ::= BEGIN
IMPORTS
-- SMIv1 module: the OBJECT-TYPE macro comes from RFC-1212, TimeTicks (used by
-- logEntryTime) from RFC1155-SMI, and DisplayString from RFC1213-MIB so that an
-- SMIv1 compiler accepts the module without pulling in the SMIv2 SNMPv2-TC.
enterprises, TimeTicks FROM RFC1155-SMI
OBJECT-TYPE FROM RFC-1212
DisplayString FROM RFC1213-MIB
TRAP-TYPE FROM RFC-1215;
-- *******************************************************************
-- High-level identifiers
-- *******************************************************************
iss OBJECT IDENTIFIER ::= { enterprises 2499 }
products OBJECT IDENTIFIER ::= { iss 1 }
realSecure OBJECT IDENTIFIER ::= { products 1 }
internetScanner OBJECT IDENTIFIER ::= { products 2 }
systemSecurityScanner OBJECT IDENTIFIER ::= { products 3 }
common OBJECT IDENTIFIER ::= { products 4 }
logdata OBJECT IDENTIFIER ::= { common 1 }
v1-5 OBJECT IDENTIFIER ::= { realSecure 1 }
engine OBJECT IDENTIFIER ::= { v1-5 1 }
console OBJECT IDENTIFIER ::= { v1-5 2 }
daemon OBJECT IDENTIFIER ::= { v1-5 3 }
events OBJECT IDENTIFIER ::= { engine 1 }
v2-5 OBJECT IDENTIFIER ::= { realSecure 2 }
engine2-5 OBJECT IDENTIFIER ::= { v2-5 1 }
events2-5 OBJECT IDENTIFIER ::= { engine2-5 1 }
-- *******************************************************************
-- 1-5 EventData
-- *******************************************************************
eventTable OBJECT-TYPE
SYNTAX SEQUENCE OF EventEntry
ACCESS not-accessible
STATUS mandatory
DESCRIPTION ""
::= { events 1 }
eventEntry OBJECT-TYPE
SYNTAX EventEntry
ACCESS not-accessible
STATUS mandatory
DESCRIPTION ""
INDEX { eventEntryName }
::= { eventTable 1 }
EventEntry ::= SEQUENCE
{
eventEntryName DisplayString,
eventEntryTime DisplayString,
eventEntryAmask INTEGER,
eventEntryPriority INTEGER,
eventEntryProtocol INTEGER,
eventEntrySourceIpAddress DisplayString,
eventEntryDestinationIpAddress DisplayString,
eventEntrySourceName DisplayString,
eventEntryDestinationName DisplayString,
eventEntryIcmpType DisplayString,
eventEntryIcmpCode DisplayString,
eventEntrySourcePort INTEGER,
eventEntryDestinationPort INTEGER,
eventEntrySourcePortName DisplayString,
eventEntryDestinationPortName DisplayString,
eventEntryUserActionList DisplayString
}
eventEntryName OBJECT-TYPE
SYNTAX DisplayString
ACCESS read-only
STATUS mandatory
DESCRIPTION "The name of the decode/event for this trap."
::= { eventEntry 1 }
eventEntryTime OBJECT-TYPE
SYNTAX DisplayString
ACCESS read-only
STATUS mandatory
DESCRIPTION "The time the event was discovered relative to the RealSecure engine."
::= { eventEntry 2 }
eventEntryAmask OBJECT-TYPE
SYNTAX INTEGER
ACCESS read-only
STATUS mandatory
DESCRIPTION "A Mask to indicate what actions are configured for this event:
ACT_IGN (Ignore) = 0x00000000,
ACT_KILL (Kill Session) = 0x00000001,
ACT_VIEW_SESS (Send Stream to Console for View Session) = 0x00000002,
ACT_EMAIL (Send an e-mail message) = 0x00000004,
ACT_LOG_RAW (Record stream data for viewing) = 0x00000008,
ACT_DISPLAY (Send event to console) = 0x00000040,
ACT_LOG_DB (Record to database) = 0x00000200,
ACT_FIREWALL (Send message to lock firewall) = 0x00000400,
ACT_SNMP_TRAP (Send SNMP Trap) = 0x00000800,
ACT_USER_SPECIFIED1 (User Specified 1) = 0x00001000,
ACT_USER_SPECIFIED2 (User Specified 2) = 0x00002000,
ACT_USER_SPECIFIED3 (User Specified 3) = 0x00004000,
ACT_USER_SPECIFIED4 (User Specified 4) = 0x00008000 "
::= { eventEntry 3 }
eventEntryPriority OBJECT-TYPE
SYNTAX INTEGER { other(1), low(2), medium(3), high(4) }
ACCESS read-only
STATUS mandatory
DESCRIPTION "The priority of the decode as determined from the current engine
policy."
::= { eventEntry 4 }
eventEntryProtocol OBJECT-TYPE
SYNTAX INTEGER { other(1), tcp(2), udp(3), icmp(4) }
ACCESS read-only
STATUS mandatory
DESCRIPTION "Protocol type for this event."
::= { eventEntry 5 }
eventEntrySourceIpAddress OBJECT-TYPE
SYNTAX DisplayString
ACCESS read-only
STATUS mandatory
DESCRIPTION "Source Ip Address"
::= { eventEntry 6 }
eventEntryDestinationIpAddress OBJECT-TYPE
SYNTAX DisplayString
ACCESS read-only
STATUS mandatory
DESCRIPTION "Destination Ip Address"
::= { eventEntry 7 }
eventEntrySourceName OBJECT-TYPE
SYNTAX DisplayString
ACCESS read-only
STATUS mandatory
DESCRIPTION "Source Ip Address (engine no longer does dns lookup)"
::= { eventEntry 8 }
eventEntryDestinationName OBJECT-TYPE
SYNTAX DisplayString
ACCESS read-only
STATUS mandatory
DESCRIPTION "Destination Ip Address (engine no longer does dns lookup)"
::= { eventEntry 9 }
eventEntryIcmpType OBJECT-TYPE
SYNTAX DisplayString
ACCESS read-only
STATUS mandatory
DESCRIPTION "ICMP Type"
::= { eventEntry 10 }
eventEntryIcmpCode OBJECT-TYPE
SYNTAX DisplayString
ACCESS read-only
STATUS mandatory
DESCRIPTION "ICMP Code"
::= { eventEntry 11 }
eventEntrySourcePort OBJECT-TYPE
SYNTAX INTEGER
ACCESS read-only
STATUS mandatory
DESCRIPTION "Source Port"
::= { eventEntry 12 }
eventEntryDestinationPort OBJECT-TYPE
SYNTAX INTEGER
ACCESS read-only
STATUS mandatory
DESCRIPTION "Destination Port"
::= { eventEntry 13 }
eventEntrySourcePortName OBJECT-TYPE
SYNTAX DisplayString
ACCESS read-only
STATUS mandatory
DESCRIPTION "The name of the network service usually associated with the source
port."
::= { eventEntry 14 }
eventEntryDestinationPortName OBJECT-TYPE
SYNTAX DisplayString
ACCESS read-only
STATUS mandatory
DESCRIPTION "The name of the network service usually associated with the dest
port."
::= { eventEntry 15 }
eventEntryUserActionList OBJECT-TYPE
SYNTAX DisplayString
ACCESS read-only
STATUS mandatory
DESCRIPTION "This field is obsolete.
This same information can be found in the AMask field."
::= { eventEntry 16 }
-- *******************************************************************
-- Log Data
-- *******************************************************************
logTable OBJECT-TYPE
SYNTAX SEQUENCE OF LogEntry
ACCESS not-accessible
STATUS mandatory
DESCRIPTION ""
::= { logdata 1 }
logEntry OBJECT-TYPE
SYNTAX LogEntry
ACCESS not-accessible
STATUS mandatory
DESCRIPTION ""
INDEX { logEntryTime }
::= { logTable 1 }
LogEntry ::= SEQUENCE
{
logEntryTime TimeTicks,
logEntrySource DisplayString,
logEntryCategory DisplayString,
logEntryEventId INTEGER,
logEntryDescription DisplayString,
logEntryData OCTET STRING
}
logEntryTime OBJECT-TYPE
SYNTAX TimeTicks
ACCESS read-only
STATUS mandatory
DESCRIPTION "The TimeTicks when the log entry was written."
::= { logEntry 1 }
logEntrySource OBJECT-TYPE
SYNTAX DisplayString
ACCESS read-only
STATUS mandatory
DESCRIPTION "The Application that sent the message"
::= { logEntry 2 }
logEntryCategory OBJECT-TYPE
SYNTAX DisplayString
ACCESS read-only
STATUS mandatory
DESCRIPTION ""
::= { logEntry 3 }
logEntryEventId OBJECT-TYPE
SYNTAX INTEGER
ACCESS read-only
STATUS mandatory
DESCRIPTION ""
::= { logEntry 4 }
logEntryDescription OBJECT-TYPE
SYNTAX DisplayString
ACCESS read-only
STATUS mandatory
DESCRIPTION ""
::= { logEntry 5 }
logEntryData OBJECT-TYPE
SYNTAX OCTET STRING
ACCESS read-only
STATUS mandatory
DESCRIPTION ""
::= { logEntry 6 }
-- *******************************************************************
-- 2-5 EventData
-- *******************************************************************
event25Table OBJECT-TYPE
SYNTAX SEQUENCE OF Event25Entry
ACCESS not-accessible
STATUS mandatory
DESCRIPTION ""
::= { events2-5 1 }
event25Entry OBJECT-TYPE
SYNTAX Event25Entry
ACCESS not-accessible
STATUS mandatory
DESCRIPTION ""
INDEX { eventEntryName25 }
::= { event25Table 1 }
Event25Entry ::= SEQUENCE
{
eventEntryName25 DisplayString,
eventEntryTime25 DisplayString,
eventEntryProtocol25 DisplayString,
eventEntrySourceIpAddress25 DisplayString,
eventEntryDestinationIpAddress25 DisplayString,
eventEntryIcmpType25 DisplayString,
eventEntryIcmpCode25 DisplayString,
eventEntrySourcePort25 DisplayString,
eventEntryDestinationPort25 DisplayString,
eventEntryUserActionList25 DisplayString,
eventEntryEventSpecificInfo25 DisplayString
}
eventEntryName25 OBJECT-TYPE
SYNTAX DisplayString
ACCESS read-only
STATUS mandatory
DESCRIPTION "The name of the decode/event for this trap."
::= { event25Entry 1 }
eventEntryTime25 OBJECT-TYPE
SYNTAX DisplayString
ACCESS read-only
STATUS mandatory
DESCRIPTION "The time the event was discovered relative to the RealSecure engine."
::= { event25Entry 2 }
eventEntryProtocol25 OBJECT-TYPE
SYNTAX DisplayString
ACCESS read-only
STATUS mandatory
DESCRIPTION "Protocol type for this event."
::= { event25Entry 3 }
eventEntrySourceIpAddress25 OBJECT-TYPE
SYNTAX DisplayString
ACCESS read-only
STATUS mandatory
DESCRIPTION "Source Ip Address"
::= { event25Entry 4 }
eventEntryDestinationIpAddress25 OBJECT-TYPE
SYNTAX DisplayString
ACCESS read-only
STATUS mandatory
DESCRIPTION "Destination Ip Address"
::= { event25Entry 5 }
eventEntryIcmpType25 OBJECT-TYPE
SYNTAX DisplayString
ACCESS read-only
STATUS mandatory
DESCRIPTION "ICMP Type"
::= { event25Entry 6 }
eventEntryIcmpCode25 OBJECT-TYPE
SYNTAX DisplayString
ACCESS read-only
STATUS mandatory
DESCRIPTION "ICMP Code"
::= { event25Entry 7 }
eventEntrySourcePort25 OBJECT-TYPE
SYNTAX DisplayString
ACCESS read-only
STATUS mandatory
DESCRIPTION "Source Port"
::= { event25Entry 8 }
eventEntryDestinationPort25 OBJECT-TYPE
SYNTAX DisplayString
ACCESS read-only
STATUS mandatory
DESCRIPTION "Destination Port"
::= { event25Entry 9 }
eventEntryUserActionList25 OBJECT-TYPE
SYNTAX DisplayString
ACCESS read-only
STATUS mandatory
DESCRIPTION "A string which indicates what actions are configured for this event.
Currently available actions:
KILL (Kill Session - ends a tcp-based session)
VIEW_SESS (Send Stream to Console for View Session)
EMAIL (Send an e-mail message to a configured email account)
LOG_RAW (Record stream data for later analysis or viewing)
DISPLAY (Send event to console)
LOG_DB (Record the event to database)
FIREWALL (Send message to lock firewall)
SNMP_TRAP (Send SNMP Trap to configured SNMP manager)
USER_SPECIFIED1 (User Specified 1 - launch a program as configured per engine
setup)
USER_SPECIFIED2 (User Specified 2)
USER_SPECIFIED3 (User Specified 3)
USER_SPECIFIED4 (User Specified 4)"
::= { event25Entry 10 }
eventEntryEventSpecificInfo25 OBJECT-TYPE
SYNTAX DisplayString
ACCESS read-only
STATUS mandatory
DESCRIPTION "This variable contains a listing of other variables:values
which are specific to the given event."
::= { event25Entry 11 }
-- *******************************************************************
-- TRAPS
-- *******************************************************************
eventinfo TRAP-TYPE
ENTERPRISE iss
VARIABLES
{
eventEntryName,
eventEntryTime,
eventEntryAmask,
eventEntryPriority,
eventEntryProtocol,
eventEntrySourceIpAddress,
eventEntryDestinationIpAddress,
eventEntrySourceName,
eventEntryDestinationName,
eventEntryIcmpType,
eventEntryIcmpCode,
eventEntrySourcePort,
eventEntryDestinationPort,
eventEntrySourcePortName,
eventEntryDestinationPortName,
eventEntryUserActionList
}
DESCRIPTION
"This trap is sent from a RealSecure engine whenever an event
is encountered that the RealSecure engine is configured to send traps
for. The details of the event are contained in the trap."
::= 1
-- *******************************************************************
logdatatrap TRAP-TYPE
ENTERPRISE iss
VARIABLES
{
logEntryTime,
logEntrySource,
logEntryCategory,
logEntryEventId,
logEntryDescription,
logEntryData
}
DESCRIPTION
"This trap is sent for certain types of log data.
Only configured types of log data will be sent as a trap."
::= 2
-- *******************************************************************
highpriorityevent TRAP-TYPE
ENTERPRISE iss
VARIABLES
{
eventEntryName25,
eventEntryTime25,
eventEntryProtocol25,
eventEntrySourceIpAddress25,
eventEntryDestinationIpAddress25,
eventEntryIcmpType25,
eventEntryIcmpCode25,
eventEntrySourcePort25,
eventEntryDestinationPort25,
eventEntryUserActionList25,
eventEntryEventSpecificInfo25
}
DESCRIPTION
"This trap is sent from a RealSecure engine whenever a high priority event
is encountered that the RealSecure engine is configured to send traps
for. The details of the event are contained in the trap."
::= 3
-- *******************************************************************
mediumpriorityevent TRAP-TYPE
ENTERPRISE iss
VARIABLES
{
eventEntryName25,
eventEntryTime25,
eventEntryProtocol25,
eventEntrySourceIpAddress25,
eventEntryDestinationIpAddress25,
eventEntryIcmpType25,
eventEntryIcmpCode25,
eventEntrySourcePort25,
eventEntryDestinationPort25,
eventEntryUserActionList25,
eventEntryEventSpecificInfo25
}
DESCRIPTION
"This trap is sent from a RealSecure engine whenever a medium priority event
is encountered that the RealSecure engine is configured to send traps
for. The details of the event are contained in the trap."
::= 4
-- *******************************************************************
lowpriorityevent TRAP-TYPE
ENTERPRISE iss
VARIABLES
{
eventEntryName25,
eventEntryTime25,
eventEntryProtocol25,
eventEntrySourceIpAddress25,
eventEntryDestinationIpAddress25,
eventEntryIcmpType25,
eventEntryIcmpCode25,
eventEntrySourcePort25,
eventEntryDestinationPort25,
eventEntryUserActionList25,
eventEntryEventSpecificInfo25
}
DESCRIPTION
"This trap is sent from a RealSecure engine whenever a low priority event
is encountered that the RealSecure engine is configured to send traps
for. The details of the event are contained in the trap."
::= 5
END
"Adaptive Network Security for the Enterprise"
John M. Rezabek
Technical Product Manager
ISS Internet Security Systems, Inc.
NASDAQ (ISSX)
Phone: 727.517.1500
Fax: 727.517.9090
Pager: 888.784.6185
E-Mail: [EMAIL PROTECTED]
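Added worked example, not part of John's message, the attached MIB, or any ISS code. The MIB answers Steve's questions on its own: TRAP-TYPE from RFC-1215 means SNMPv1 traps, the enterprise OID is iss = 1.3.6.1.4.1.2499, the specific-trap numbers are the `::= 1` through `::= 5` values, and the varbind OIDs are the eventEntry and event25Entry columns. The Python below (function names build_sample_trap, decode_trap, amask_actions and threshold_hit are this example's own; the trap bytes, agent address, community string "public", IP addresses and event name are all constructed here) encodes an eventinfo trap in BER the way RFC 1157 lays it out, decodes it back into MIB names, expands eventEntryAmask into action names, and applies the "X events in Y seconds, then action Z" rule Steve wants Tivoli TEC to enforce. It also shows that a sniffed trap is readable after all: ASN.1 BER is mechanical to decode.

```python
"""Decode ISS RealSecure SNMPv1 traps against the ISS-MIB above and apply an "X events
in Y seconds" rule. Constructed example: the trap bytes come from build_sample_trap()."""
from collections import deque

ISS = "1.3.6.1.4.1.2499"                # iss ::= { enterprises 2499 }
EVENT_ENTRY = ISS + ".1.1.1.1.1.1.1"    # products.realSecure.v1-5.engine.events.eventTable.eventEntry
EVENT25_ENTRY = ISS + ".1.1.2.1.1.1.1"  # products.realSecure.v2-5.engine2-5.events2-5.event25Table.event25Entry
V15 = ("Name Time Amask Priority Protocol SourceIpAddress DestinationIpAddress SourceName "
       "DestinationName IcmpType IcmpCode SourcePort DestinationPort SourcePortName "
       "DestinationPortName UserActionList").split()
V25 = ("Name Time Protocol SourceIpAddress DestinationIpAddress IcmpType IcmpCode "
       "SourcePort DestinationPort UserActionList EventSpecificInfo").split()
COLUMNS = {f"{EVENT_ENTRY}.{i}": f"eventEntry{n}" for i, n in enumerate(V15, 1)}
COLUMNS.update({f"{EVENT25_ENTRY}.{i}": f"eventEntry{n}25" for i, n in enumerate(V25, 1)})
TRAPS = {1: "eventinfo", 2: "logdatatrap", 3: "highpriorityevent",    # TRAP-TYPE ::= n
         4: "mediumpriorityevent", 5: "lowpriorityevent"}
AMASK = {0x1: "KILL", 0x2: "VIEW_SESS", 0x4: "EMAIL", 0x8: "LOG_RAW", 0x40: "DISPLAY",
         0x200: "LOG_DB", 0x400: "FIREWALL", 0x800: "SNMP_TRAP", 0x1000: "USER_SPECIFIED1",
         0x2000: "USER_SPECIFIED2", 0x4000: "USER_SPECIFIED3", 0x8000: "USER_SPECIFIED4"}

def tlv(tag, body):                     # BER TLV; long-form length once the body reaches 128 bytes
    n = len(body)
    ln = bytes([n]) if n < 128 else (bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + ln + body

def enc_int(v, tag=0x02):               # non-negative INTEGER (0x02) or TimeTicks (0x43)
    return tlv(tag, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def enc_oid(dotted):                    # first two arcs fold into one byte, the rest are base-128
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += bytes(chunk)
    return tlv(0x06, bytes(out))

def read_tlv(buf, pos):                 # -> (tag, value bytes, position after this TLV)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                        # long form: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def dec_oid(b):
    arcs, acc = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        acc = (acc << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def build_sample_trap(name, src, dst, amask, uptime=4200):   # constructed eventinfo trap (specific-trap 1)
    vbs = b"".join(tlv(0x30, enc_oid(f"{EVENT_ENTRY}.{col}") + val) for col, val in [
        (1, tlv(0x04, name.encode())), (3, enc_int(amask)), (4, enc_int(4)),    # priority high(4)
        (5, enc_int(2)), (6, tlv(0x04, src.encode())), (7, tlv(0x04, dst.encode())),  # tcp(2)
        (13, enc_int(80))])
    pdu = tlv(0xA4, enc_oid(ISS) + tlv(0x40, bytes([10, 0, 0, 5])) + enc_int(6)  # 6 = enterpriseSpecific
              + enc_int(1) + enc_int(uptime, 0x43) + tlv(0x30, vbs))
    return tlv(0x30, enc_int(0) + tlv(0x04, b"public") + pdu)               # version 0 = SNMPv1

def decode_trap(msg):                   # RFC 1157 Trap-PDU -> dict keyed by ISS-MIB column names
    _, body, _ = read_tlv(msg, 0)
    _, ver, p = read_tlv(body, 0)
    _, comm, p = read_tlv(body, p)
    tag, pdu, _ = read_tlv(body, p)
    if tag != 0xA4 or ver != b"\x00":
        raise ValueError("not an SNMPv1 Trap-PDU")
    fields, p = [], 0
    for _ in range(6):                  # enterprise, agent-addr, generic-trap, specific-trap, time-stamp, varbinds
        _, f, p = read_tlv(pdu, p)
        fields.append(f)
    ent, agent, gen, spec, uptime, vbl = fields
    specific = int.from_bytes(spec, "big")
    out = {"version": 1, "community": comm.decode(), "enterprise": dec_oid(ent),
           "agent": ".".join(map(str, agent)), "generic": int.from_bytes(gen, "big"),
           "specific": specific, "uptime": int.from_bytes(uptime, "big"),
           "trap": TRAPS.get(specific, "unknown") if dec_oid(ent) == ISS else "unknown", "vars": {}}
    p = 0
    while p < len(vbl):
        _, vb, p = read_tlv(vbl, p)
        _, o, q = read_tlv(vb, 0)
        t, v, _ = read_tlv(vb, q)
        oid = dec_oid(o)                # match the column even if the engine appends an instance suffix
        name = next((n for c, n in COLUMNS.items() if oid == c or oid.startswith(c + ".")), oid)
        out["vars"][name] = int.from_bytes(v, "big") if t == 0x02 else v.decode("latin-1")
    return out

def amask_actions(mask):                # eventEntryAmask bits -> configured action names
    return [n for bit, n in sorted(AMASK.items()) if mask & bit]

def threshold_hit(windows, key, ts, x, y):   # X traps for one key within Y seconds
    q = windows.setdefault(key, deque())
    q.append(ts)
    while ts - q[0] > y:
        q.popleft()
    return len(q) >= x
```

Calling decode_trap(build_sample_trap("Constructed-Test-Event", "192.0.2.10", "192.0.2.20", 0x840)) yields trap "eventinfo", enterprise 1.3.6.1.4.1.2499 and the varbinds under their MIB names, with amask_actions(0x840) giving ["DISPLAY", "SNMP_TRAP"]; feeding (eventEntryName, eventEntrySourceIpAddress) as the key to threshold_hit with x=3, y=60 is the "X events in Y time" rule, and the sliding window drops timestamps older than Y so a burst that has gone quiet does not keep firing. On the receiving side, remember that an SNMPv1 trap carries no authentication: the community string travels in clear and the agent-addr field is whatever the sender put there, so the trap receiver belongs on the management network and the engine's source IP should be cross-checked against the sensor inventory before a trap is allowed to drive an automated action.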