-- extracted from draft-glenn-id-notification-mib-02.txt -- at Tue Feb 1 07:10:12 2000 INTRUSION-DETECTION-MESSAGE-MIB DEFINITIONS ::= BEGIN IMPORTS MODULE-IDENTITY, Counter32, Gauge32, OBJECT-TYPE mib-2 FROM SNMPv2-SMI DateAndTime, TimeStamp FROM SNMPv2-TC MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF SnmpEngineID, SnmpAdminString FROM SNMP-FRAMEWORK-MIB InetAddressType, InetAddress FROM INET-ADDRESS-MIB URLString FROM NETWORK-SERVICES-MIB; idMIB MODULE-IDENTITY LAST-UPDATED "200001250000Z" -- 25th January 2000 ORGANIZATION "IETF Intrusion Detection Message Exchange Format Working Group" CONTACT-INFO " Glenn Mansfield Postal: Cyber Solutions Inc. 6-6-3, Minami Yoshinari Aoba-ku, Sendai, Japan 989-3204. Tel: +81-22-303-4012 Fax: +81-22-303-4015 E-mail: glenn@cysols.com Dipankar Gupta Postal: Hewlett Packard Company 690 East Middlefield Road, MS 31R Mountain View California 94043. Tel: +1-650-919-8066 Fax: +1-650-919-8540 E-mail: dipankar_gupta@hp.com Working Group E-mail: idwg-public@zurich.ibm.com To subscribe: idwg-public-request@zurich.ibm.com" DESCRIPTION " The MIB for Intrusion Detection Messages." -- revision information REVISION "9911070000Z" -- 25th January 2000 DESCRIPTION "1. Added the tables for details at the source end and destination end of the attack 2. Added tables for containing the source and destination information in case of multiple attacks" REVISION "9910230000Z" -- 23rd October 1999 DESCRIPTION "1. fixed a few nits in the MODULE-INDENTITY 2. put the mib under the mib-2 tree 3. editorial changes" REVISION "9908250000Z" -- 25th August 1999 DESCRIPTION "First draft of the idMIB" ::= { mib-2 xxx } -- to be assigned by IANA idMessageObjects OBJECT-IDENTITY STATUS current DESCRIPTION " This is the base object for the objects used in the notifications." ::= {idMIB 1} idMessages OBJECT-IDENTITY STATUS current DESCRIPTION " This is the base object for the objects defining the notifications." ::= {idMIB 2} idMessageSysAddress OBJECT-TYPE SYNTAX SnmpEngineID MAX-ACCESS read-only STATUS current DESCRIPTION "An address associated with the message. This will be the engineID of the generator of the message. The first bit will be 1 and the syntax will be in accordance with the syntax specified in RFC 2571." ::= {idMessageObjects 1} idMessageSysProductID OBJECT-TYPE SYNTAX OBJECT IDENTIFIER ACCESS read-only STATUS mandatory DESCRIPTION "A reference to MIB definitions specific to the analyzer generating the message. If this information is not present, its value should be set to the OBJECT IDENTIFIER { 0 0 }, which is a syntatically valid object identifier." ::= { idMessageObjects 2 } -- SnmpAdminString length is 255 characters max. It contains -- information represented using the ISO/IEC IS 10646-1 -- character set, encoded using the UTF-8 transformation format -- to facilitate internationalization. idMessageSysManufacturer OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION " the Manufacturer of the tool that detected the event." ::= {idMessageObjects 3} idMessageSysProductName OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION " the name of the product that detected the event." ::= {idMessageObjects 4} idMessageSysVersion OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION " the version number of the tool that detected the event." ::= {idMessageObjects 5} idMessageSysLocation OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION " the location of the analyzer that detected the event." ::= {idMessageObjects 6} idMessageTable OBJECT-TYPE SYNTAX SEQUENCE OF IdMessageEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION " Each row of this table contains information pertaining to each message. " ::= { idMessageObjects 7 } idMessageEntry OBJECT-TYPE SYNTAX IdMessageEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION " Entry containing information pertaining to each message type." INDEX { idMessageIndex} ::= { idMessageTable 1 } IdMessageEntry ::= SEQUENCE { idMessageIndex INTEGER, idMessageTimeStamp DateAndTime, idMessageAttackName SnmpAdminString idMessageDetectionMethod SnmpAdminString idMessageActionsTaken SnmpAdminString, idMessagePotentialImpact INTEGER, idMessageSignature SnmpAdminString idMessageMoreInfo OBJECT IDENTIFIER idMessageAdvisory URLString idMessageDegreeOfConfidence INTEGER idMessageAttackToolName SNMPAdminString idMessageAttackProtocol OBJECT IDENTIFIER idMessageVulnerabilityName OBJECT-TYPE SNMPAdminString idMessageSrcs INTEGER idMessageDsts INTEGER } idMessageIndex OBJECT-TYPE SYNTAX INTEGER (1..2147483647) MAX-ACCESS read-only STATUS current DESCRIPTION " The index to uniquely identify the message in the message table maintained by the message generator." ::= {idMessageEntry 1} idMessageTimeStamp OBJECT-TYPE SYNTAX DateAndTime MAX-ACCESS read-only STATUS current DESCRIPTION " The local date and time when this message was generated." ::= {idMessageEntry 2} idMessageAttackName OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION " the name of the atack, if known. If not known this field will be inaccessile." ::= {idMessageEntry 3} idMessageDetectionMethod OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION " the name of the method used to detect the ID, if known. If not known this field will be inaccessile." ::= {idMessageEntry 4} -- the actions will probably be a comma separated list of action -- codes or a pointer to another MIB table from which the actions -- may be fetched. -- -- May be better to put this object as a secondary Object idMessageActionsTaken OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION " The list of automatic actions taken by the originator" ::= {idMessageEntry 5} -- the potential impact taxonomy will need be carried out and -- then the MO will need to be enumerated. idMessagePotentialImpact OBJECT-TYPE SYNTAX INTEGER { VeryVerySerious(1), VerySerious(2), Serious(3), Others(4), etc(5) } MAX-ACCESS read-only STATUS current DESCRIPTION " An indication of the potentiall impact of the detected attack/intrusion" ::= {idMessageEntry 6} -- -- relation between Signature and Method needs to be clarified -- idMessageSignature OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION " The description of the signature based on which the attack is detected" ::= {idMessageEntry 7} -- Do the following need to be in the primary set ? -- Probably secondary will be better -- idMessageMoreInfo OBJECT-TYPE SYNTAX OBJECT IDENTIFIER ACCESS read-only STATUS mandatory DESCRIPTION "A reference to MIB definitions specific to this message. If this information is not present, its value should be set to the OBJECT IDENTIFIER { 0 0 }, which is a syntatically valid object identifier." ::= { idMessageEntry 8} -- Only one advisory is provisioned for idMessageAdvisory OBJECT-TYPE SYNTAX URLString MAX-ACCESS read-only STATUS current DESCRIPTION " URL of the related advisory, if any" ::= {idMessageEntry 9} -- semantics of "degree of confidence needs to be well defined -- what happens when the message is not generated - just relayed? idMessageDegreeOfConfidence OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION " A measure of the degree of confidence the originator has on the report it is generating" ::= {idMessageEntry 10} -- there may be many names or potential names of the tool used -- in the attack idMessageAttackToolName OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION " The name of the tool that was used in the attack" ::= {idMessageEntry 11} idMessageAttackProtocol OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION " The protocol that is the base or the target of the attack. It will be one of the IANA assigned protocol IDs" ::= {idMessageEntry 12} idMessageVulnerabilityName OBJECT-TYPE SYNTAX SNMPAdminString MAX-ACCESS read-only STATUS current DESCRIPTION " The well known name of the vulnerability." REFERENCE "Refer to the CVE recommendations " ::= {idMessageEntry 13} idMessageSrcs OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION "The number of source(s) from which the attack is being launched." ::= {idMessageDstEntry 14} idMessageDsts OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION " The number of destinations being targeted for the attack " ::= {idMessageDstEntry 15} -- This table contains the information related to source end(s) of -- the attack. In case of a network-based attack there will be -- atleast one entry for the attack in this table. -- idMessageSrcDetailsTable OBJECT-TYPE SYNTAX SEQUENCE OF IdMessageSrcEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION " Each row of this table contains information pertaining to the source related details of each attack. " ::= { idMessageObjects 8} idMessageSrcEntry OBJECT-TYPE SYNTAX IdMessageSrcEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION " Entry containing information pertaining to the source related details of an attack." INDEX { idMessageIndex, idMessageSrcIndex} ::= { idMessageSrcDetailsTable 1 } IdMessageSrcEntry{ idMessageSrcIndex INTEGER idMessageSrcInetAddrType InetAddressType idMessageSrcInetAddr InetAddress idMessageSrcToInetAddr InetAddress idMessageSrcAddrSpoofed INTEGER idMessageSrcPorts INTEGER idMessageSrcPortTableIndex INTEGER idMessageUserIDOnSrc SNMPAdminString } idMessageSrcIndex OBJECT-TYPE SYNTAX INTEGER (1..2147483647) MAX-ACCESS read-only STATUS current DESCRIPTION "An index to uniquely identify the source information row in the source information table." ::= {idMessageSrcEntry 1} idMessageSrcInetAddrType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of the Internet address that is being described in the following Object." ::= {idMessageSrcEntry 2} idMessageSrcInetAddr OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-only STATUS current DESCRIPTION " One of the Internet addresses of the entity from which the attack originated, if known. If not known this field will be inaccessible." ::= {idMessageSrcEntry 3} idMessageSrcToInetAddr OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-only STATUS current DESCRIPTION " One of the Internet addresses of the entity from which the attack originated, if known. If not known this field will be inaccessible." ::= {idMessageSrcEntry 4} idMessageSrcAddrSpoofed OBJECT-TYPE SYNTAX INTEGER { true(1), false(2), } MAX-ACCESS read-only STATUS current DESCRIPTION " An indication that the source address is spoofed." ::= {idMessageSrcEntry 5} idMessageSrcPorts OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION " The number of ports on the host from where the attack is launched " ::= {idMessageSrcEntry 6} -- In the most general case the there will be a port list for -- every source and the idMessageSrcIndex should suffice as an -- index for the port list -- But to allow more flexibility the following -- idMessageSrcPortTableIndex is provided. It allows several hosts -- to have the same the port list. In this case all the hosts that -- are attacked on the same ports will have the same -- idMessageSrcPortTableIndex value. idMessageSrcPortTableIndex OBJECT-TYPE SYNTAX INTEGER (1..2147483647) MAX-ACCESS read-only STATUS current DESCRIPTION "An index that along with idMessageIndex uniquely identifies the rows describing the ports of the source from which attacks have originated. This index allows several hosts to point to the same range of port addresses." ::= {idMessageSrcEntry 7} idMessageUserIDOnSrc OBJECT-TYPE SYNTAX SNMPAdminString MAX-ACCESS read-only STATUS current DESCRIPTION " The identifier of the user on the machine originating the attack" ::= {idMessageSrcEntry 8} -- This table contains the information related to target end(s) of -- the attack. In case of a network-based attack there will be atleast -- one entry for the attack in this table -- A Range of addresses - a set of contiguous addresses- -- is represented by a TO Address in the row. -- The absence of the TOaddress indicates the existence of a single -- address in the range. -- Note: Though a host may be represented by its v4, v6, address or DNS -- name, for a range both the addresses MUST be the IP(v4/v6) addresses. idMessageDstDetailsTable OBJECT-TYPE SYNTAX SEQUENCE OF IdMessageDstEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION " Each row of this table contains information pertaining to the destination related details of each attack. " ::= { idMessageObjects 9 } idMessageDstEntry OBJECT-TYPE SYNTAX IdMessageDstEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION " Entry containing information pertaining to the destination related details of an attack." INDEX { idMessageIndex, idMessageDstIndex} ::= { idMessageDstDetailsTable 1 } IdMessageDstEntry{ idMessageDstIndex INTEGER idMessageDstInetAddrType InetAddressType idMessageDstInetAddr InetAddress idMessageToDstInetAddr InetAddress idMessageDstPorts INTEGER idMessageDstPortTableIndex INTEGER idMessageUserLoginIDOnDst SNMPAdminString idMessageUserPresentIDOnDst SNMPAdminString idMessageFileID SNMPAdminString idMessageFileOperationType INTEGER idMessageProcessID SNMPAdminString idMessageProcessOwner SNMPAdminString idMessageProcessPermissions SNMPAdminString } idMessageDstIndex OBJECT-TYPE SYNTAX INTEGER (1..2147483647) MAX-ACCESS read-only STATUS current DESCRIPTION "An index to uniquely identify the destination information row in the destination information table." ::= {idMessageDstEntry 1} idMessageDstInetAddrType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of the Internet address that is being described in the following Object." ::= {idMessageDstEntry 2} idMessageDstInetAddr OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-only STATUS current DESCRIPTION " One of the IP addresses of the entity to which the attack was destined, if known. If not known, this field will be inaccessible" ::= {idMessageDstEntry 3} idMessageDstToInetAddr OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-only STATUS current DESCRIPTION " The upper end of the contiguous range of addresses which were the the attack was destined. If it has a value of zero then this range contains a single address only." ::= {idMessageDstEntry 4} idMessageDstPorts OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION " The number of ports on the host(s) which were targets of the attack." ::= {idMessageSrcEntry 5} -- see discussion on idMessageSrcPortTableIndex idMessageDstPortTableIndex OBJECT-TYPE SYNTAX INTEGER (1..2147483647) MAX-ACCESS read-only STATUS current DESCRIPTION "An index that along with idMessageIndex uniquely identifies the rows describing the ports of the destination(s) that have been attacked. This index allows several hosts to point to the same range of port addresses." ::= {idMessageSrcEntry 6} idMessageUserLoginIDOnDst OBJECT-TYPE SYNTAX SNMPAdminString MAX-ACCESS read-only STATUS current DESCRIPTION " The ID with which the user logged onto the target Machine" ::= {idMessageDstEntry 7} idMessageUserPresentIDOnDst OBJECT-TYPE SYNTAX SNMPAdminString MAX-ACCESS read-only STATUS current DESCRIPTION " The current identifier of the user on the target Machine" ::= {idMessageDstEntry 8} idMessageFileID OBJECT-TYPE SYNTAX SNMPAdminString MAX-ACCESS read-only STATUS current DESCRIPTION " The full path and name of the file that is being accessed" ::= {idMessageDstEntry 9} idMessageFileOperationType OBJECT-TYPE SYNTAX SNMPAdminString MAX-ACCESS read-only STATUS current DESCRIPTION " The illegal operation on the file that gave rise to the alert" ::= {idMessageDstEntry 10} idMessageProcessID OBJECT-TYPE SYNTAX SNMPAdminString MAX-ACCESS read-only STATUS current DESCRIPTION " The identifier of the process involved in the illegal access" ::= {idMessageDstEntry 11} idMessageProcessOwner OBJECT-TYPE SYNTAX SNMPAdminString MAX-ACCESS read-only STATUS current DESCRIPTION " The identifier of the owner of the process involved in the illegal access" ::= {idMessageDstEntry 12} idMessageProcessPermissions OBJECT-TYPE SYNTAX SNMPAdminString MAX-ACCESS read-only STATUS current DESCRIPTION " The permissions of the process involved in the illegal access" ::= {idMessageDstEntry 13} idMessageSrcPortTable OBJECT-TYPE SYNTAX SEQUENCE OF IdMessageSrcPortRangeEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION " Each row of this table contains a part of the range of ports that are the sources of the intrusion." ::= { idMessageObjects 10 } idMessageSrcPortRangeEntry OBJECT-TYPE SYNTAX IdMessageSrcPortRangeEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION " Entry representing a list of contiguous addresses that are the sources of the intrusion." INDEX { idMessageIndex, idMessageSrcPortTableIndex, idMessageSrcPortRangeIndex} ::= { idMessageSrcPortRangeTable 1 } IdMessageSrcPortRangeEntry ::= SEQUENCE { idMessageSrcPortRangeIndex INTEGER idMessageSrcPort INTEGER idMessageToSrcPort INTEGER } idMessageSrcPortRangeIndex OBJECT-TYPE SYNTAX INTEGER (1..2147483647) MAX-ACCESS read-only STATUS current DESCRIPTION "An index to uniquely identify the destination information row in the destination information table." ::= {idMessageSrcPortRangeEntry 1} idMessageSrcPort OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION " The port number from which the attack originated" ::= {idMessageSrcPortRangeEntry 2} idMessageToSrcPort OBJECT-TYPE SYNTAX INTEGER MAX-ACCESS read-only STATUS current DESCRIPTION " The upper end of the port number range from which the attack originated" ::= {idMessageSrcPortRangeEntry 3} idMessageDstPortTable OBJECT-TYPE SYNTAX SEQUENCE OF IdMessageDstPortRangeEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION " Each row of this table contains a part of the range of ports that are the destinations of the intrusion." ::= { idMessageObjects 11 } idMessageDstPortRangeEntry OBJECT-TYPE SYNTAX IdMessageDstPortRangeEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION " Entry representing a list of contiguous addresses that are the destinations of the intrusion." INDEX { idMessageIndex, idMessageDstPortTableIndex, idMessageDstPortRangeIndex} ::= { idMessageDstPortTable 1 } IdMessageDstPortRangeEntry ::= SEQUENCE { idMessageDstPortRangeIndex INTEGER idMessageFromDstInetPort INTEGER idMessageToDstInetPort INTEGER } idMessageReferencesTable OBJECT-TYPE SYNTAX SEQUENCE OF IdMessageReferenceEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION " Each row of this table points to a message that should be referenced in connection with the current intrusion related message." ::= { idMessageObjects 12 } idMessageReferenceEntry OBJECT-TYPE SYNTAX IdMessageReferenceEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION " A pointer to the referenced message in the Messages table." INDEX { idMessageIndex, idMessageReferenceIndex} ::= { idMessageReferencesTable 1 } IdMessageReferenceEntry ::= SEQUENCE { idMessageReferenceIndex INTEGER idMessageReferencePointer INDEX } -- Interaction table ? It may contain statistical data on the peer -- Managers with which the monitored Manager interacts or, attempts -- to interact. This table may provide a useful insight into the -- performance of the ID system on a large scale -- The control may be carried out using the SNMP tables available -- for configuring Informs. idMessageGeneric NOTIFICATION-TYPE OBJECTS { idMessageIndex idMessageTimeStamp idMessageAttackName idMessageDetectionMethod idMessageActionsTaken idMessagePotentialImpact idMessageSignature idMessageMoreInfo idMessageAdvisory idMessageDegreeOfConfidence idMessageVulnerabilityName } STATUS current DESCRIPTION " This is the generic message that is sent when an intrusion is detected." ::= {idMessages 1} idMessageSingleSrc NOTIFICATION-TYPE OBJECTS { idMessageIndex idMessageTimeStamp idMessageAttackName idMessageDetectionMethod idMessageActionsTaken idMessagePotentialImpact idMessageSignature idMessageMoreInfo idMessageAdvisory idMessageDegreeOfConfidence idMessageVulnerabilityName idMessageSrcInetAddrType idMessageSrcInetAddr idMessageSrcToInetAddr idMessageSrcAddrSpoofed idMessageSrcPorts idMessageSrcPortTableIndex idMessageUserIDOnSrc } STATUS current DESCRIPTION " This is the generic message that is sent when an intrusion is detected and it is from a single source." ::= {idMessages 2} idMessageMultipleSrc NOTIFICATION-TYPE OBJECTS { idMessageIndex idMessageTimeStamp idMessageAttackName idMessageDetectionMethod idMessageActionsTaken idMessagePotentialImpact idMessageSignature idMessageMoreInfo idMessageAdvisory idMessageDegreeOfConfidence idMessageVulnerabilityName idMessageSrcs idMessageSrcPortTableIndex } STATUS current DESCRIPTION " This is the generic message that is sent when an intrusion is detected and it is from multiple sources." ::= {idMessages 3} idMessageSingleDst NOTIFICATION-TYPE OBJECTS { idMessageIndex idMessageTimeStamp idMessageAttackName idMessageDetectionMethod idMessageActionsTaken idMessagePotentialImpact idMessageSignature idMessageMoreInfo idMessageAdvisory idMessageDegreeOfConfidence idMessageVulnerabilityName idMessageDstInetAddrType idMessageDstInetAddr idMessageToDstInetAddr idMessageDstPorts idMessageDstPortTableIndex idMessageUserLoginIDOnDst idMessageUserPresentIDOnDst idMessageFileID idMessageFileOperationType idMessageProcessID idMessageProcessOwner idMessageProcessPermissions } STATUS current DESCRIPTION " This is the generic message that is sent when an intrusion is detected and it is targeted to a single destination." ::= {idMessages 4} idMessageMultipleDst NOTIFICATION-TYPE OBJECTS { idMessageIndex idMessageTimeStamp idMessageAttackName idMessageDetectionMethod idMessageActionsTaken idMessagePotentialImpact idMessageSignature idMessageMoreInfo idMessageAdvisory idMessageDegreeOfConfidence idMessageVulnerabilityName idMessageDsts idMessageDstPortTableIndex } STATUS current DESCRIPTION " This is the generic message that is sent when an intrusion is detected and it is targeted to a single destination." ::= {idMessages 5} idMessageSingleSrcSingleDst NOTIFICATION-TYPE OBJECTS { idMessageIndex idMessageTimeStamp idMessageAttackName idMessageDetectionMethod idMessageActionsTaken idMessagePotentialImpact idMessageSignature idMessageMoreInfo idMessageAdvisory idMessageDegreeOfConfidence idMessageVulnerabilityName -- Source details idMessageSrcInetAddrType idMessageSrcInetAddr idMessageSrcToInetAddr idMessageSrcAddrSpoofed idMessageSrcPorts idMessageSrcPortTableIndex idMessageUserIDOnSrc -- Destination details idMessageDstInetAddrType idMessageDstInetAddr idMessageToDstInetAddr idMessageDstPorts idMessageDstPortTableIndex idMessageUserLoginIDOnDst idMessageUserPresentIDOnDst idMessageFileID idMessageFileOperationType idMessageProcessID idMessageProcessOwner idMessageProcessPermissions } STATUS current DESCRIPTION " This is the generic message that is sent when an intrusion is detected and it is from a single source and directed to multiple destinations." ::= {idMessages 6} idMessageSingleSrcMultipleDst NOTIFICATION-TYPE OBJECTS { idMessageIndex idMessageTimeStamp idMessageAttackName idMessageDetectionMethod idMessageActionsTaken idMessagePotentialImpact idMessageSignature idMessageMoreInfo idMessageAdvisory idMessageDegreeOfConfidence idMessageVulnerabilityName -- Source details idMessageSrcInetAddrType idMessageSrcInetAddr idMessageSrcToInetAddr idMessageSrcAddrSpoofed idMessageSrcPorts idMessageSrcPortTableIndex idMessageUserIDOnSrc -- Destination details idMessageDsts idMessageDstPortTableIndex } STATUS current DESCRIPTION " This is the generic message that is sent when an intrusion is detected and it is from multiple sources." ::= {idMessages 7} idMessageMultipleSrcSingleDst NOTIFICATION-TYPE OBJECTS { idMessageIndex idMessageTimeStamp idMessageAttackName idMessageDetectionMethod idMessageActionsTaken idMessagePotentialImpact idMessageSignature idMessageMoreInfo idMessageAdvisory idMessageDegreeOfConfidence idMessageVulnerabilityName -- Source details idMessageSrcs idMessageSrcPortTableIndex -- Destination details idMessageDstInetAddrType idMessageDstInetAddr idMessageToDstInetAddr idMessageDstPorts idMessageDstPortTableIndex idMessageUserLoginIDOnDst idMessageUserPresentIDOnDst idMessageFileID idMessageFileOperationType idMessageProcessID idMessageProcessOwner idMessageProcessPermissions } STATUS current DESCRIPTION " This is the generic message that is sent when an intrusion is detected and it is from multiple sources." ::= {idMessages 8} idMessageMultipleSrcMultipleDst NOTIFICATION-TYPE OBJECTS { idMessageIndex idMessageTimeStamp idMessageAttackName idMessageDetectionMethod idMessageActionsTaken idMessagePotentialImpact idMessageSignature idMessageMoreInfo idMessageAdvisory idMessageDegreeOfConfidence idMessageVulnerabilityName -- Source details idMessageSrcs idMessageSrcPortTableIndex -- Destination details idMessageDsts idMessageDstPortTableIndex } STATUS current DESCRIPTION " This is the generic message that is sent when an intrusion is detected and it is from multiple sources." ::= {idMessages 9} -- Conformance information idConformance OBJECT IDENTIFIER ::= { idMIB 4 } idGroups OBJECT IDENTIFIER ::= { idConformance 1 } idCompliances OBJECT IDENTIFIER ::= { idConformance 2 } -- Compliance statements idMessageCompliance MODULE-COMPLIANCE STATUS current DESCRIPTION "The compliance statement for SNMP entities which implement the INTRUSION-DETECTION-MESSAGE-MIB." MODULE -- this module MANDATORY-GROUPS { idMessageGroup } ::= { idCompliances 1 } -- Units of conformance idMessageGroup OBJECT-GROUP OBJECTS { idMessageSysAddress idMessageSysProductID idMessageSysManufacture idMessageSysProductName idMessageSysVersion idMessageSysLocation idMessageIndex idMessageTimeStamp idMessageAttackName idMessageDetectionMethod idMessageActionsTaken idMessagePotentialImpact idMessageSignature idMessageMoreInfo idMessageAdvisory idMessageDegreeOfConfidence idMessageAttackToolName idMessageAttackProtocol idMessageVulnerabilityName idMessageSrcs idMessageDsts idMessageSrcIndex idMessageSrcInetAddrType idMessageSrcInetAddr idMessageSrcToInetAddr idMessageSrcAddrSpoofed idMessageSrcPorts idMessageSrcPortTableIndex idMessageUserIDOnSrc idMessageDstIndex idMessageDstInetAddrType idMessageDstInetAddr idMessageToDstInetAddr idMessageDstPorts idMessageDstPortTableIndex idMessageUserLoginIDOnDst idMessageUserPresentIDOnDst idMessageFileID idMessageFileOperationType idMessageProcessID idMessageProcessOwner idMessageProcessPermissions idMessageReferenceIndex idMessageReferencePointer idMessageGeneric idMessageSingleSrc idMessageMultipleSrc idMessageSingleDst idMessageMultipleDst idMessageSingleSrcSingleDst idMessageSingleSrcMultipleDst idMessageMultipleSrcSingleDst idMessageMultipleSrcMultipleDst } STATUS current DESCRIPTION " A collection of objects for generation and despatch of messages pertaining to Intrusions detected." ::= { idGroups 1 } END -- -- "Copyright (C) The Internet Society (date). All Rights -- Reserved. -- -- This document and translations of it may be copied and -- furnished to others, and derivative works that comment on or -- otherwise explain it or assist in its implmentation may be -- prepared, copied, published and distributed, in whole or in -- part, without restriction of any kind, provided that the above -- copyright notice and this paragraph are included on all such -- copies and derivative works. However, this document itself may -- not be modified in any way, such as by removing the copyright -- notice or references to the Internet Society or other Internet -- organizations, except as needed for the purpose of developing -- Internet standards in which case the procedures for copyrights -- defined in the Internet Standards process must be followed, or -- as required to translate it into languages other than English. -- -- The limited permissions granted above are perpetual and will -- not be revoked by the Internet Society or its successors or -- assigns. -- -- This document and the information contained herein is provided -- on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET -- ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR -- IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE -- OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY -- IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A -- PARTICULAR PURPOSE."