CISCO-THREAT-MITIGATION-SERVICE-MIB
File:
CISCO-THREAT-MITIGATION-SERVICE-MIB.mib (37137 bytes)
Imported modules
Imported symbols
Defined Types
CTmsConsumerState |
|
This textual description represents the state
of the consumer. The semantics are as follows.
disabled(1)
Consumer is disabled.
enabled(2)
Consumer is enabled.
|
TEXTUAL-CONVENTION |
|
|
|
|
INTEGER |
disabled(1), enabled(2) |
|
CTmsConsumerRegistrationStatus |
|
This textual description represents the status of
registration of consumer with the controller. The
semantics are as follows.
notRegistered(1)
Consumer is not registered to the controller.
registrationRequestSent(2)
A registration request has been sent to the controller
and consumer is waiting for the response.
registered(3)
Consumer is registered with the controller.
registrationFailed(4)
The most recent registration attempt has failed.
|
TEXTUAL-CONVENTION |
|
|
|
|
INTEGER |
notRegistered(1), registrationRequestSent(2), registered(3), registrationFailed(4) |
|
CTmsThreatStatus |
|
This textual convention represents the status of the threat
received from a controller in a TIDP group on the consumer.
unknown(1)
Unknown state.
active(2)
Threat is successfully activated, i.e. mitigation action
has been successfully enforced.
inactive(3)
Threat is inactivated by controller, i.e. mitigation
action is not enforced.
created(4)
Consumer has recorded the information about the threat
mitigation action enforcement and other processing
pending for successful activation.
pending(5)
Mitigation action initiated and waiting for the result.
activationFailed(6)
Threat activation failed.
inactivationFailed(7)
Inactivation of threat failed.
deleted(8)
Threat mitigation is removed from the consumer.
|
TEXTUAL-CONVENTION |
|
|
|
|
INTEGER |
unknown(1), active(2), inactive(3), created(4), pending(5), activationFailed(6), inactivationFailed(7), deleted(8) |
|
CTmsActionType |
|
This textual convention represents the types of actions
that can be applied to mitigate a threat.
ignore(1)
No action, threat ignored.
aclDrop(2)
ACL drop action.
fpmDrop(3)
FPM drop.
redirect(4)
Redirect traffic to a particular host.
police(5)
Police the traffic.
setIPDscp(6)
Set the DSCP in IP header of packet to a specific value.
localException(7)
Local exception enforced for the threat.
quarantine(8)
Quarantine the infected host.
|
TEXTUAL-CONVENTION |
|
|
|
|
INTEGER |
ignore(1), aclDrop(2), fpmDrop(3), redirect(4), police(5), setIPDscp(6), localException(7), quarantine(8) |
|
CTmsActionParamIdType |
|
This textual convention represents the type of action
parameters. The semantics are as follows.
noParams(1),
No parameters required for the action.
cir(2),
police : Committed information rate.
bir(3),
police : Peak information rate.
be(4),
police : Excess burst.
nexthop(5),
redirect : Address of host to redirect the traffic to.
dscpVal(6),
setIpDscp : DSCP value in IP header to be set to.
vlanId(7)
Quarantine : Quarantine the host to this vlan.
|
TEXTUAL-CONVENTION |
|
|
|
|
INTEGER |
noParams(1), cir(2), bir(3), be(4), nexthop(5), dscpVal(6), vlanId(7) |
|
CTmsActionParamType |
|
This textual convention represents the type of the action
parameter. The semantics as follows.
unsigned(1),
Unsigned integer.
networkAddress(2),
represents a network address e,g, IPv4 and IPv6 address.
string(3)
A sequence of octets.
|
TEXTUAL-CONVENTION |
|
|
|
|
INTEGER |
unsigned(1), networkAddress(2), string(3) |
|
CiTmsGroupEntry |
|
SEQUENCE |
|
|
|
|
ciTmsGroupId |
Unsigned32 |
|
|
ciTmsControllerIpType |
InetAddressType |
|
|
ciTmsControllerIp |
InetAddress |
|
|
ciTmsGroupConsumerRegStatus |
CTmsConsumerRegistrationStatus |
|
|
ciTmsGroupNotifEnable |
TruthValue |
|
|
ciTmsGroupStorageType |
StorageType |
|
|
ciTmsGroupRowStatus |
RowStatus |
|
CiTmsThreatEntry |
|
SEQUENCE |
|
|
|
|
ciTmsThreatOwner |
Unsigned32 |
|
|
ciTmsThreatId |
Unsigned32 |
|
|
ciTmsThreatVer |
Unsigned32 |
|
|
ciTmsThreatStatus |
CTmsThreatStatus |
|
|
ciTmsThreatClass |
SnmpAdminString |
|
|
ciTmsThreatName |
SnmpAdminString |
|
|
ciTmsThreatActiveTimeDuration |
DateAndTime |
|
|
ciTmsThreatPriority |
Unsigned32 |
|
|
ciTmsThreatTcdf |
SnmpAdminString |
|
CiTmsThreatActionEntry |
|
SEQUENCE |
|
|
|
|
ciTmsThreatAction |
CTmsActionType |
|
|
ciTmsThreatActionParamId |
CTmsActionParamIdType |
|
|
ciTmsThreatActionParamType |
CTmsActionParamType |
|
|
ciTmsThreatActionParamLength |
Unsigned32 |
|
|
ciTmsThreatActionParamValue |
SnmpAdminString |
|
|
ciTmsThreatActionFailReason |
SnmpAdminString |
|
CiTmsThreatInterfaceEntry |
|
SEQUENCE |
|
|
|
|
ciThreatInterfaceMitigationApplied |
TruthValue |
|
Defined Values
ciscoThreatMitigationServiceMIB |
1.3.6.1.4.1.9.9.603 |
This MIB provides management information about the Threat
Mitigation Service(TMS) entity named 'Consumer'. TMS is part
of Cisco's Network Infection Containment (NIC) security
framework. The MIB is expected to be implemented on all
entities that act as TMS consumers.
The NIC framework deals with threat mitigation. The NIC
architecture consists of controllers and one or more consumers
registered with these controllers. The controller is
responsible for detecting threats and conveying the
information about the same to one or more consumers that
could be the potential targets of the detected threat.
Upon receiving the information about the threat from
the controller, the consumer responds with appropriate
mitigation actions according to the policies configured
on it and as indicated in the threat notification message.
TMS protocol is used for distribution and management of threat
related information from the controller to consumers.
TMS runs over TIDP layer which is used as distribution layer.
TIDP layer provides a secured connection between the
controller and the consumers. TIDP also provides group
management services.
Each consumer needs to participate in a TIDP group in order
to receive threat notification message from controller
in that TIDP group. To participate in a TIDP group consumer
needs to register with the controller of that group,
from which it intends to receive threat messages.
When the controller needs to distribute the information
about a threat to one or more target TIDP groups or to
one particular consumer in a TIDP group, it delivers
the information to the respective entities through
TMS protocol messages. Upon receiving the threat
notification message, consumer determines the appropriate
mitigation action to be executed, with the corresponding
action parameters, based on the configuration and information
available in threat message. The respective action is then
executed.
The state of threat is set according to the result of
enforcement action, e.g., upon successful application of
enforcement action it is marked as Active. The consumer then
responds to the controller with the results of the
mitigation action carried out for the threat.
GLOSSARY
--------
Active Threat : A threat is active on a consumer if mitigation
action corresponding to the threat has been enforced
successfully.
Inactive Threat : A threat is inactive on a consumer if
mitigation action corresponding to the threat has been
undone successfully.
ACL : Access Control List is the list of rules which are
used to filter or classify packets based on protocol
parameters.
ACL drop : ACL drop action refers to the drop action taken
on packets matching any of the filters in the access list.
DSCP : Differentiated Service Code Point is same as 'Type of
Service' field in IP header, used in reference to quality
of service.
FPM : Flexible Packet Matching is a framework which provides
packet filtering based on pattern at any offset in the packet.
FPM drop : FPM drop action refers to the drop action taken on
packet filtered by FPM.
TCDF : Traffic Classification Definition File gives
the XML description of traffic class.
TIDP : Threat Information Distribution Protocol is a
distribution protocol, which provides a secured connectivity
between network devices. It also provides a group management
function.
TIDP group : A closed group of network devices which share
authentication and encryption keys for message exchange.
TMS : TMS protocol provides information about threats and the
mitigation action required for the threats in a TIDP network.
TIDP network : TIDP network comprises of one or more
TIDP groups. |
MODULE-IDENTITY |
|
|
|
ciTmsActiveThreats |
1.3.6.1.4.1.9.9.603.1.1.1 |
This object represents the total number of active threats in
the consumer. |
Status: current |
Access: read-only |
OBJECT-TYPE |
|
|
|
|
Unsigned32 |
1..65535 |
|
ciTmsInActiveThreats |
1.3.6.1.4.1.9.9.603.1.1.2 |
This object represents the total number of inactive threats
in the consumer. |
Status: current |
Access: read-only |
OBJECT-TYPE |
|
|
|
|
Unsigned32 |
1..65535 |
|
ciTmsConsumerDeviceId |
1.3.6.1.4.1.9.9.603.1.1.3 |
This object is used for configuring the name of
the consumer. This could be any generic string,
e.g. 'Consumer-1'. |
Status: current |
Access: read-write |
OBJECT-TYPE |
|
|
|
|
SnmpAdminString |
|
|
ciTmsGroupsMaxEntries |
1.3.6.1.4.1.9.9.603.1.1.4 |
This object represents the maximum number of rows
in ciTmsGroupTable. |
Status: current |
Access: read-write |
OBJECT-TYPE |
|
|
|
|
Unsigned32 |
1..65535 |
|
ciTmsThreatsMaxEntries |
1.3.6.1.4.1.9.9.603.1.1.5 |
This object represents the maximum number of rows in
ciTmsThreatTable. |
Status: current |
Access: read-write |
OBJECT-TYPE |
|
|
|
|
Unsigned32 |
1..65535 |
|
ciTmsThreatActionMaxEntries |
1.3.6.1.4.1.9.9.603.1.1.6 |
This object represents the maximum number of rows in
ciTmsThreatActionTable. |
Status: current |
Access: read-write |
OBJECT-TYPE |
|
|
|
|
Unsigned32 |
1..65535 |
|
ciTmsInterfaceMaxEntries |
1.3.6.1.4.1.9.9.603.1.1.7 |
This object represents the maximum number of rows in
ciTmsThreatInterfaceTable. |
Status: current |
Access: read-write |
OBJECT-TYPE |
|
|
|
|
Unsigned32 |
1..65535 |
|
ciTmsGroupTable |
1.3.6.1.4.1.9.9.603.1.2.1 |
Consumer can participate in one of more TIDP groups, each
group having one or more controllers. The table represents
the list of controllers in a particular group.
A row is added to the table when a controller's IP address
is added to the list of known controllers.
A row is deleted from the table when a controller's
IP address is removed from the list of known controllers. |
Status: current |
Access: not-accessible |
OBJECT-TYPE |
|
|
|
|
SEQUENCE OF |
|
|
|
|
CiTmsGroupEntry |
|
ciTmsGroupEntry |
1.3.6.1.4.1.9.9.603.1.2.1.1 |
Each entry represents a conceptual row in ciTmsGroupTable
and corresponds to the information about the controller
and TIDP group a consumer is registered with. |
Status: current |
Access: not-accessible |
OBJECT-TYPE |
|
|
|
|
CiTmsGroupEntry |
|
|
ciTmsGroupId |
1.3.6.1.4.1.9.9.603.1.2.1.1.1 |
This object represents the TIDP group Id. |
Status: current |
Access: not-accessible |
OBJECT-TYPE |
|
|
|
|
Unsigned32 |
1..4294967295 |
|
ciTmsControllerIpType |
1.3.6.1.4.1.9.9.603.1.2.1.1.2 |
This object represents the type of the network address
available through ciTmsControllerIp. |
Status: current |
Access: not-accessible |
OBJECT-TYPE |
|
|
|
|
InetAddressType |
|
|
ciTmsControllerIp |
1.3.6.1.4.1.9.9.603.1.2.1.1.3 |
This object represents the network address of the controller.
The type of the address is represented by
ciTmsControllerIpType. |
Status: current |
Access: not-accessible |
OBJECT-TYPE |
|
|
|
|
InetAddress |
|
|
ciTmsGroupNotifEnable |
1.3.6.1.4.1.9.9.603.1.2.1.1.5 |
This object indicates whether following notifications should
be generated for a group :
1. ciscoTmsControllerUnreachable
2. ciscoTmsThreatStatusChange
3. ciscoTmsMitigationActionFailed
Setting this object to 'true' enables the group level
notifications, while setting it to 'false' disables
the group level notifications. |
Status: current |
Access: read-create |
OBJECT-TYPE |
|
|
|
|
TruthValue |
|
|
ciTmsGroupRowStatus |
1.3.6.1.4.1.9.9.603.1.2.1.1.7 |
The status of this conceptual row.
An entry can be created/deleted using this object.
A row may be deleted by setting the RowStatus to 'destroy'. |
Status: current |
Access: read-create |
OBJECT-TYPE |
|
|
|
|
RowStatus |
|
|
ciTmsThreatTable |
1.3.6.1.4.1.9.9.603.1.3.1 |
This table represents the information about the
threats the consumer has received from various
controllers belonging to different TIDP groups it is
registered with. A threat received from one controller
in a TIDP group is uniquely identified by the threat id
and owner id.
A row is added to the table when a threat notification
message is received by the consumer from the controller in
a TIDP group.
A row is deleted from the table when the consumer deletes
the information about a threat received from a controller
in a TIDP group. |
Status: current |
Access: not-accessible |
OBJECT-TYPE |
|
|
|
|
SEQUENCE OF |
|
|
|
|
CiTmsThreatEntry |
|
ciTmsThreatEntry |
1.3.6.1.4.1.9.9.603.1.3.1.1 |
Each entry represents a conceptual row in ciTmsThreatTable
and corresponds to the information about a threat and it's
various attributes, received from a controller in a given
TIDP group. |
Status: current |
Access: not-accessible |
OBJECT-TYPE |
|
|
|
|
CiTmsThreatEntry |
|
|
ciTmsThreatOwner |
1.3.6.1.4.1.9.9.603.1.3.1.1.1 |
This object identifies the controller that has notified the
consumer about the threat. |
Status: current |
Access: not-accessible |
OBJECT-TYPE |
|
|
|
|
Unsigned32 |
1..4294967295 |
|
ciTmsThreatId |
1.3.6.1.4.1.9.9.603.1.3.1.1.2 |
This object represents the identifier for the particular
threat. |
Status: current |
Access: not-accessible |
OBJECT-TYPE |
|
|
|
|
Unsigned32 |
1..65535 |
|
ciTmsThreatVer |
1.3.6.1.4.1.9.9.603.1.3.1.1.3 |
This object represents the version of the
threat. |
Status: current |
Access: read-only |
OBJECT-TYPE |
|
|
|
|
Unsigned32 |
0..255 |
|
ciTmsThreatStatus |
1.3.6.1.4.1.9.9.603.1.3.1.1.4 |
This object represents the current status of the threat on
the consumer. This is evaluated locally on consumer. |
Status: current |
Access: read-only |
OBJECT-TYPE |
|
|
|
|
CTmsThreatStatus |
|
|
ciTmsThreatClass |
1.3.6.1.4.1.9.9.603.1.3.1.1.5 |
This object represents the class of threat. An example of
class is 'Worm'. |
Status: current |
Access: read-only |
OBJECT-TYPE |
|
|
|
|
SnmpAdminString |
|
|
ciTmsThreatName |
1.3.6.1.4.1.9.9.603.1.3.1.1.6 |
This object represents name of the threat. An example of
threat name is 'WittyWorm'. |
Status: current |
Access: read-only |
OBJECT-TYPE |
|
|
|
|
SnmpAdminString |
|
|
ciTmsThreatPriority |
1.3.6.1.4.1.9.9.603.1.3.1.1.8 |
This object represents the priority at which the consumer
responds to this threat. A higher value indicates a lower
priority for the threat and vice versa. |
Status: current |
Access: read-only |
OBJECT-TYPE |
|
|
|
|
Unsigned32 |
1..32 |
|
ciTmsThreatTcdf |
1.3.6.1.4.1.9.9.603.1.3.1.1.9 |
This object represents the TCDF related information received
in the threat. For example,
. |
Status: current |
Access: read-only |
OBJECT-TYPE |
|
|
|
|
SnmpAdminString |
|
|
ciTmsThreatActionTable |
1.3.6.1.4.1.9.9.603.1.3.2 |
This table represents mitigation action for the respective
threat. A threat is uniquely represented by the threat id,
owner id, controller IP and TIDP group ID and hence
corresponding objects are used as indices.
A row is added to the table when the consumer enforces a
mitigation action as a result of receiving a threat message
from a controller in a TIDP group.
A row is deleted from the table when the consumer removes
the mitigation action taken for the threat received from a
controller in a TIDP group. |
Status: current |
Access: not-accessible |
OBJECT-TYPE |
|
|
|
|
SEQUENCE OF |
|
|
|
|
CiTmsThreatActionEntry |
|
ciTmsThreatActionEntry |
1.3.6.1.4.1.9.9.603.1.3.2.1 |
Each entry represents a conceptual row in
ciTmsThreatActionTable and corresponds to the
information about the mitigation action
applied for a particular threat. |
Status: current |
Access: not-accessible |
OBJECT-TYPE |
|
|
|
|
CiTmsThreatActionEntry |
|
|
ciTmsThreatAction |
1.3.6.1.4.1.9.9.603.1.3.2.1.1 |
This object represents the mitigation action taken by
the consumer for a threat. |
Status: current |
Access: not-accessible |
OBJECT-TYPE |
|
|
|
|
CTmsActionType |
|
|
ciTmsThreatActionParamLength |
1.3.6.1.4.1.9.9.603.1.3.2.1.4 |
This object represents the length of the action parameter
identified by ciTmsThreatActionParamId. |
Status: current |
Access: read-only |
OBJECT-TYPE |
|
|
|
|
Unsigned32 |
1..65535 |
|
ciTmsThreatActionParamValue |
1.3.6.1.4.1.9.9.603.1.3.2.1.5 |
This object represents the value of the parameter identified
by ciTmsThreatActionParamId. This value should be interpreted
using type and length of the parameter value represented by
ciTmsThreatActionParamType and ciTmsThreatActionParamLength
respectively.
In case of ciTmsThreatActionParamType being 'networkAddress',
the first octet of this object will indicate the type of
network address, i.e. it will be set to one of
InetAddressType values as appropriate. The subsequent
octets will carry the network address. For example,
the first octet of ciTmsThreatActionParamValue will carry
the value ipv4(1) and the next four octets will carry the
respective octets of the IP address. |
Status: current |
Access: read-only |
OBJECT-TYPE |
|
|
|
|
SnmpAdminString |
|
|
ciTmsThreatActionFailReason |
1.3.6.1.4.1.9.9.603.1.3.2.1.6 |
This object specifies the reason for the failure of
a particular threat mitigation action. 'OER mitigation not
supported' is an example of the value populated for this
object. For successfully mitigated threats, this will be
a zero-length string. |
Status: current |
Access: read-only |
OBJECT-TYPE |
|
|
|
|
SnmpAdminString |
|
|
ciTmsThreatInterfaceTable |
1.3.6.1.4.1.9.9.603.1.3.3 |
The application of threat mitigation is typically done on one
or more interfaces. This table represents the status of
mitigation action applied on the respective interfaces.
A row is added to the table when the consumer enforces a
mitigation action on a interface as a result of receiving
a threat message from a controller in a TIDP group.
A row is deleted from the table when the consumer removes a
mitigation action taken on a interface as a result of threat
received from a controller in a TIDP group. |
Status: current |
Access: not-accessible |
OBJECT-TYPE |
|
|
|
|
SEQUENCE OF |
|
|
|
|
CiTmsThreatInterfaceEntry |
|
ciTmsThreatInterfaceEntry |
1.3.6.1.4.1.9.9.603.1.3.3.1 |
Each entry represents a row in ciTmsThreatInterfaceTable
and corresponds to the information about the interface on
which the threat mitigation action is applied. |
Status: current |
Access: not-accessible |
OBJECT-TYPE |
|
|
|
|
CiTmsThreatInterfaceEntry |
|
|
ciThreatInterfaceMitigationApplied |
1.3.6.1.4.1.9.9.603.1.3.3.1.1 |
This object indicates whether the mitigation action
for a particular threat has been successfully applied
on an interface or not. A value of 'true' indicates
the successful application of mitigation action, while a
value of 'false' indicates that the mitigation
action couldn't be successfully applied on the interface. |
Status: current |
Access: read-only |
OBJECT-TYPE |
|
|
|
|
TruthValue |
|
|
ciTmsConsStateChangeNotifEnable |
1.3.6.1.4.1.9.9.603.1.4.1 |
This object is used to control the generation of the
ciscoTmsConsStateChange notifications. A value of
'true' indicates that the agent is enabled to generate this
notification. A value of 'false' indicates the generation
of this notification is currently disabled. |
Status: current |
Access: read-write |
OBJECT-TYPE |
|
|
|
|
TruthValue |
|
|
ciscoTmsConsStateChange |
1.3.6.1.4.1.9.9.603.0.1 |
This notification is generated to indicate the current
operational state of the consumer, when the consumer
undergoes a state change. |
Status: current |
Access: read-write |
NOTIFICATION-TYPE |
|
|
|
ciscoTmsControllerUnreachable |
1.3.6.1.4.1.9.9.603.0.2 |
This notification is generated by the consumer when the
controller it has registered with becomes unreachable.
This notification will be generated only when notification
generation is enabled for the corresponding TIDP group
through ciTmsGroupNotifEnable. |
Status: current |
Access: read-write |
NOTIFICATION-TYPE |
|
|
|
ciscoTmsThreatStatusChange |
1.3.6.1.4.1.9.9.603.0.3 |
This notification is generated by the consumer when
consumer acts upon a particular threat and changes the state
of the threat.
This notification will be generated only when notification
generation is enabled for the corresponding TIDP group
through ciTmsGroupNotifEnable. |
Status: current |
Access: read-write |
NOTIFICATION-TYPE |
|
|
|
ciscoTmsMitigationActionFailed |
1.3.6.1.4.1.9.9.603.0.4 |
This notification is generated by the consumer when the
mitigation action enforced for a particular threat fails.
The notification contains the information about the failed
mitigation action and the reason for the failure indicated
by ciTmsThreatActionFailReason.
This notification will be generated only when notification
generation is enabled for the corresponding TIDP group
through ciTmsGroupNotifEnable. |
Status: current |
Access: read-write |
NOTIFICATION-TYPE |
|
|
|
ciscoTmsMIBCompliance |
1.3.6.1.4.1.9.9.603.2.1.1 |
The compliance statement for the SNMP entities that
implement the ciscoThreatMitigationServiceMIB module. |
Status: current |
Access: read-write |
MODULE-COMPLIANCE |
|
|
|
ciscoTmsConsumerGroup |
1.3.6.1.4.1.9.9.603.2.2.1 |
This collection of objects represent the information about
the TIDP groups, the controller(s) in a TIDP group and the
status of a consumer's registration with the controller
in the TIDP group. |
Status: current |
Access: read-write |
OBJECT-GROUP |
|
|
|
ciscoTmsThreatGroup |
1.3.6.1.4.1.9.9.603.2.2.2 |
This collection of objects represents the information
about the threats detected, as being targeted towards a
consumer, by a controller in a TIDP group. |
Status: current |
Access: read-write |
OBJECT-GROUP |
|
|
|
ciscoTmsThreatActionGroup |
1.3.6.1.4.1.9.9.603.2.2.3 |
This collection of objects represent the information about
the mitigation actions taken for the respective threats by
the consumer. |
Status: current |
Access: read-write |
OBJECT-GROUP |
|
|
|
ciscoTmsThreatInterfaceGroup |
1.3.6.1.4.1.9.9.603.2.2.4 |
This collection of objects represent the information about
the interfaces on which the mitigation action for a
particular threat is applied. |
Status: current |
Access: read-write |
OBJECT-GROUP |
|
|
|
ciscoTmsNotificationGroup |
1.3.6.1.4.1.9.9.603.2.2.5 |
This collection of objects represent the notifications
generated by the consumer. |
Status: current |
Access: read-write |
NOTIFICATION-GROUP |
|
|
|