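-- extracted from draft-glenn-id-notification-mib-00.txt
-- at Mon Nov 15 17:11:17 1999
--
-- Review notes on this copy of the draft (the original text is an -00
-- Internet-Draft and did not compile as SMIv2):
--   * duplicate OID assignments removed (idMessageAdvisory, the
--     destination table and its entry),
--   * misspelled and duplicated descriptor references repaired,
--   * SMIv1 clauses on idMessageMoreInfo replaced by their SMIv2 forms,
--   * macros and textual conventions that were used but not imported
--     (OBJECT-IDENTITY, NOTIFICATION-TYPE, NOTIFICATION-GROUP, TruthValue)
--     added to IMPORTS,
--   * comma separated object lists, lowercase enumeration labels,
--     a NOTIFICATION-GROUP for the notification, and a stray ".bp"
--     formatting directive dropped.
-- Comments are terminated by a second "--" on the same line in SMI, so
-- every comment below is kept to a single hyphen pair per line.

INTRUSION-DETECTION-MESSAGE-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE,
    Counter32, Gauge32,
    experimental        -- will need to be removed when it joins mib-2
        FROM SNMPv2-SMI
    -- mib-2 FROM RFC1213-MIB
    -- (will be added when it joins mib-2)
    DisplayString, DateAndTime, TimeStamp, TruthValue
        FROM SNMPv2-TC
    MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP
        FROM SNMPv2-CONF
    Ipv6Address         -- draft-ietf-ipngwg-ipv6-mib-04.txt [16]
        FROM IPV6-TC
    Utf8String
        FROM SYSAPPL-MIB
    applIndex, DistinguishedName, URLString
        FROM NETWORK-SERVICES-MIB;
    -- NOTE: Counter32, Gauge32, TimeStamp, applIndex and
    -- DistinguishedName are imported but not yet referenced by any
    -- object in this module; kept because the draft imports them.

idMIB MODULE-IDENTITY
    LAST-UPDATED "9908250000Z"    -- 25th August 1999
    ORGANIZATION "IETF Intrusion Detection Message Exchange Format
                  Working Group"
    CONTACT-INFO
        "        Glenn Mansfield
         Postal: Cyber Solutions Inc.
                 6-6-3, Minami Yoshinari
                 Aoba-ku, Sendai, Japan 989-3204.
         Tel:    +81-22-303-4012
         Fax:    +81-22-303-4015
         E-mail: glenn@cysols.com

         Working Group E-mail: ietf-madman@innosoft.com
         To subscribe:         ietf-madman-request@innosoft.com"
    DESCRIPTION
        " The MIB for Intrusion Detection Messages."
    -- revision information
    REVISION "9908250000Z"        -- 25th August 1999
    DESCRIPTION
        " Initial version of this MIB module."
    ::= { experimental NN }       -- NN to be assigned by IANA

idMessageObjects OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION
        " This is the base object for the objects used in the
          notifications."
    ::= { idMIB 1 }

idControlObjects OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION
        " This is the base object for the objects used in controlling
          the notifications."
    ::= { idMIB 2 }

idMessages OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION
        " This is the base object for the objects defining the
          notifications."
    ::= { idMIB 3 }

--
-- Objects carried in the notifications
--

idLocalAddress OBJECT-TYPE
    SYNTAX      Ipv6Address
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        " A local IP Address associated with the message."
    ::= { idMessageObjects 1 }

idMessageTimeStamp OBJECT-TYPE
    SYNTAX      DateAndTime
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        " The local date and time when this message was generated."
    ::= { idMessageObjects 2 }

-- the actions will probably be a comma separated list of action
-- codes or a pointer to another MIB table from which the actions
-- may be fetched.
--
-- May be better to put this object as a secondary Object
idMessageActionsTaken OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        " The list of automatic actions taken by the originator."
    ::= { idMessageObjects 3 }

-- the potential impact taxonomy will need to be carried out and then
-- the MO will need to be enumerated.
-- (SMIv2 enumeration labels must begin with a lowercase letter; the
-- labels below are the draft's placeholders, lowercased.)
idMessagePotentialImpact OBJECT-TYPE
    SYNTAX      INTEGER {
                    other(1),
                    verySerious(2),
                    serious(3),
                    others(4),
                    etc(5)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        " An indication of the potential impact of the detected
          attack/intrusion."
    ::= { idMessageObjects 4 }

-- Do the following need to be in the primary set ?
-- Probably secondary will be better
-- Utf8String is 256 characters max.
idMessageSysManufacturer OBJECT-TYPE
    SYNTAX      Utf8String
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        " The manufacturer of the tool that detected the event."
    ::= { idMessageObjects 5 }

idMessageSysProductName OBJECT-TYPE
    SYNTAX      Utf8String
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        " The name of the product that detected the event."
    ::= { idMessageObjects 6 }

idMessageSysVersion OBJECT-TYPE
    SYNTAX      Utf8String
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        " The version number of the tool that detected the event."
    ::= { idMessageObjects 7 }

idMessageAttackName OBJECT-TYPE
    SYNTAX      Utf8String
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        " The name of the attack, if known. If not known this field
          will be inaccessible."
    ::= { idMessageObjects 8 }

idMessageToolLocation OBJECT-TYPE
    SYNTAX      Utf8String
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        " The location of the tool that detected the event."
    ::= { idMessageObjects 9 }

-- The draft used the SMIv1 ACCESS / STATUS mandatory clauses here;
-- this module imports from SNMPv2-SMI, so the SMIv2 forms are used.
idMessageMoreInfo OBJECT-TYPE
    SYNTAX      OBJECT IDENTIFIER
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        " A reference to MIB definitions specific to this message.
          If this information is not present, its value should be set
          to the OBJECT IDENTIFIER { 0 0 }, which is a syntactically
          valid object identifier."
    ::= { idMessageObjects 10 }

idMessageTargetSource OBJECT-TYPE
    SYNTAX      Ipv6Address
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        " One of the IP addresses of the entity from which the attack
          originated, if known. If not known this field will be
          inaccessible."
    ::= { idMessageObjects 11 }

idMessageTargetDestination OBJECT-TYPE
    SYNTAX      Ipv6Address
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        " One of the IP addresses of the entity to which the attack was
          destined, if known. If not known, this field will be
          inaccessible."
    ::= { idMessageObjects 12 }

-- Only one advisory is provisioned for.
-- The draft assigned { idMessageObjects 12 } to this object as well,
-- colliding with idMessageTargetDestination; it is now 13 and
-- idMessageDegreeOfConfidence has moved to 14.
idMessageAdvisory OBJECT-TYPE
    SYNTAX      URLString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        " URL of the related advisory, if any."
    ::= { idMessageObjects 13 }

-- semantics of "degree of confidence" need to be well defined
-- what happens when the message is not generated, just relayed?
idMessageDegreeOfConfidence OBJECT-TYPE
    SYNTAX      INTEGER
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        " A measure of the degree of confidence the originator has in
          the report it is generating."
    ::= { idMessageObjects 14 }

-- Interaction table ?
-- It may contain statistical data on the peer
-- Managers with which the monitored Manager
-- interacts or, attempts to interact.
-- It may provide a useful insight into the performance
-- of the ID system on a large scale

--
-- Control objects
--
-- idMessageControlTable will contain rows for each type of message
-- [ What are the types? A taxonomy will need to be carried out by the
--   implementors/deployers ]
-- Each row will carry the following columns
--    message/alert type
--    enabled/disabled
-- The associated idMessageDestinationTable will contain rows indexed
-- by the message type and destination addresses. The rows will also
-- contain a column showing whether the destination host is enabled for
-- message sending.
--
-- NOTE(review): idMessageEnable, idMessageDestinationEnable and
-- idMessageDestinationDescription are read-write. A SET on the two
-- enable flags silences an alert type or stops delivery to a
-- destination, so write access to the idControlObjects subtree should
-- be granted only to authenticated managers (SNMPv3 USM with VACM
-- views), and the draft still needs a Security Considerations section
-- saying so.
-- NOTE(review): neither table has a RowStatus column, so a manager
-- cannot create or delete rows; how destinations get provisioned is
-- not defined by this draft.

idMessageControlTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IdMessageControlEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        " Each row of this table contains control information for each
          notification type."
    ::= { idControlObjects 1 }

idMessageControlEntry OBJECT-TYPE
    SYNTAX      IdMessageControlEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        " Entry containing control information pertaining to each
          message type."
    INDEX { idMessageIndex }
    ::= { idMessageControlTable 1 }

IdMessageControlEntry ::= SEQUENCE {
    idMessageIndex          INTEGER,
    idMessageEnable         TruthValue,
    idMessageType           INTEGER,
    idMessageDescription    Utf8String
}

idMessageIndex OBJECT-TYPE
    SYNTAX      INTEGER (1..2147483647)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        " This gives a unique key to identify the conceptual row which
          contains the control information pertaining to a message."
    ::= { idMessageControlEntry 1 }

-- Not part of the INDEX, so it must be readable to be useful;
-- the draft had it not-accessible.
idMessageType OBJECT-TYPE
    SYNTAX      INTEGER (1..2147483647)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        " The type of the message."
    ::= { idMessageControlEntry 2 }

idMessageEnable OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        " Indicates whether messages of this type should be generated."
    ::= { idMessageControlEntry 3 }

idMessageDescription OBJECT-TYPE
    SYNTAX      Utf8String
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        " A brief description of the message."
    ::= { idMessageControlEntry 4 }

-- The draft registered this table at { idControlObjects 1 }, the same
-- arc as idMessageControlTable, and reused the descriptor
-- idMessageControlEntry for its entry; both are corrected here.
idMessageDestinationTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IdMessageDestinationEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        " Each row of this table contains destination information for
          each notification type."
    ::= { idControlObjects 2 }

idMessageDestinationEntry OBJECT-TYPE
    SYNTAX      IdMessageDestinationEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        " Entry containing destination information pertaining to each
          message type."
    INDEX { idMessageIndex, idMessageDestination }
    ::= { idMessageDestinationTable 1 }

IdMessageDestinationEntry ::= SEQUENCE {
    idMessageDestination            Ipv6Address,
    idMessageDestinationEnable      TruthValue,
    idMessageDestinationDescription Utf8String
}

-- Auxiliary (INDEX) object: SMIv2 requires not-accessible here,
-- the draft had read-write.
idMessageDestination OBJECT-TYPE
    SYNTAX      Ipv6Address
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        " The destination to which the message type defined by the
          corresponding idMessageIndex is destined. Together with the
          idMessageIndex this MO forms a unique key which identifies
          the conceptual row which contains the control information
          pertaining to the destination of a message."
    ::= { idMessageDestinationEntry 1 }

idMessageDestinationEnable OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        " Indicates whether messages of this type should be sent to the
          destination defined in this row."
    ::= { idMessageDestinationEntry 2 }

idMessageDestinationDescription OBJECT-TYPE
    SYNTAX      Utf8String
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        " A brief description of the destination."
    ::= { idMessageDestinationEntry 3 }

--
-- Notifications
--
-- How many types of messages do we have? Below there is only one.
-- idMessageSysProductName was defined by the draft but omitted from
-- this list; it is included so the full Manufacturer / ProductName /
-- Version triple is carried.
idMessageGeneric NOTIFICATION-TYPE
    OBJECTS {
        idLocalAddress,
        idMessageTimeStamp,
        idMessageActionsTaken,
        idMessagePotentialImpact,
        idMessageSysManufacturer,
        idMessageSysProductName,
        idMessageSysVersion,
        idMessageAttackName,
        idMessageToolLocation,
        idMessageMoreInfo,
        idMessageTargetSource,
        idMessageTargetDestination,
        idMessageAdvisory,
        idMessageDegreeOfConfidence
    }
    STATUS      current
    DESCRIPTION
        " This is the generic message that is sent when an intrusion is
          detected."
    ::= { idMessages 0 1 }

--
-- Conformance information
--

idConformance OBJECT IDENTIFIER ::= { idMIB 4 }
idGroups      OBJECT IDENTIFIER ::= { idConformance 1 }
idCompliances OBJECT IDENTIFIER ::= { idConformance 2 }

-- Compliance statements

idMessageCompliance MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION
        " The compliance statement for SNMP entities which implement
          the INTRUSION-DETECTION-MESSAGE-MIB."
    MODULE  -- this module
        MANDATORY-GROUPS { idMessageGroup, idMessageNotificationGroup }
    ::= { idCompliances 1 }

-- Units of conformance
-- Only accessible objects may appear in an OBJECT-GROUP, so the
-- not-accessible index columns idMessageIndex and idMessageDestination
-- are left out; the draft also listed the type name Ipv6Address here.

idMessageGroup OBJECT-GROUP
    OBJECTS {
        idLocalAddress,
        idMessageTimeStamp,
        idMessageActionsTaken,
        idMessagePotentialImpact,
        idMessageSysManufacturer,
        idMessageSysProductName,
        idMessageSysVersion,
        idMessageAttackName,
        idMessageToolLocation,
        idMessageMoreInfo,
        idMessageTargetSource,
        idMessageTargetDestination,
        idMessageAdvisory,
        idMessageDegreeOfConfidence,
        idMessageEnable,
        idMessageType,
        idMessageDescription,
        idMessageDestinationEnable,
        idMessageDestinationDescription
    }
    STATUS      current
    DESCRIPTION
        " A collection of objects for generation and despatch of
          messages pertaining to intrusions detected."
    ::= { idGroups 1 }

idMessageNotificationGroup NOTIFICATION-GROUP
    NOTIFICATIONS { idMessageGeneric }
    STATUS      current
    DESCRIPTION
        " The notification defined by this module."
    ::= { idGroups 2 }

END

--
-- "Copyright (C) The Internet Society (date). All Rights
-- Reserved.
--
-- This document and translations of it may be copied and
-- furnished to others, and derivative works that comment on or
-- otherwise explain it or assist in its implmentation may be
-- prepared, copied, published and distributed, in whole or in
-- part, without restriction of any kind, provided that the above
-- copyright notice and this paragraph are included on all such
-- copies and derivative works. However, this document itself may
-- not be modified in any way, such as by removing the copyright
-- notice or references to the Internet Society or other Internet
-- organizations, except as needed for the purpose of developing
-- Internet standards in which case the procedures for copyrights
-- defined in the Internet Standards process must be followed, or
-- as required to translate it into languages other than English.
--
-- The limited permissions granted above are perpetual and will
-- not be revoked by the Internet Society or its successors or
-- assigns.
--
-- This document and the information contained herein is provided
-- on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET
-- ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
-- IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE
-- OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY
-- IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
-- PARTICULAR PURPOSE."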