<div dir="ltr"><div><div><div><div><div>Hi folks,<br><br><br>Whilst we wait for the IANA to issue an enterprise number to the OISF for their MIBs, here's what I'll be sending to our NMS so it can grok the traps that barnyard2 is sending.<br>
<br></div>TODO: Replace the example enterprise number '999' with the real one when it arrives.<br><br></div>The MIB copies the same OID numbers as defined in the snort one back in 2002... this mostly is for compatibility as the header file in the barnyard2 SNMP module uses those. There's nothing stopping a full re-edit etc, as long as there is a new spo_snmp.h created as well for barnyard2 to be recompiled with. I added a timezone OID as it seemed useful.<br>
<br>The old MIB:<br><a href="http://www.kolaja.eu/documents/bachelors_thesis/snort/snort-1.8.4/MIBS/SnortIDAlertMIB.txt">http://www.kolaja.eu/documents/bachelors_thesis/snort/snort-1.8.4/MIBS/SnortIDAlertMIB.txt</a><br><br>
</div>The new OISF MIB passes the full level 6 validation tests at <a href="http://wwwsnmp.cs.utwente.nl/ietf/mibs/validate/">http://wwwsnmp.cs.utwente.nl/ietf/mibs/validate/</a><br><br></div><div>To improve the style OISF might want to split the file into a main OISF-MIB for the enterprise and one for an OISF-SURICATA-MIB file. This serves as a useful base to add in new fields as needed.<br>
</div><div><br></div><div>ta,<br>Mark.<br><br></div><div><br><br><br></div>The OID list I grew the MIB from is here:<br><br><span style="font-family:courier new,monospace">suricata_oids.txt<br><br>oisf root<br> 999<br>
1.3.6.1.4.1.999 <br> 0 1.3.6.1.4.1.999.0 oisf.trap<br> 1 1.3.6.1.4.1.999.0.1 oisf.trap.oisfTrapTrapID<br> Counter32<br> 2 1.3.6.1.4.1.999.0.2 oisf.trap.oisfTrapTimeStamp<br>
DisplayString(SIZE(0..26)) -- 2014-02-03_16:56:25.481721<br> 3 1.3.6.1.4.1.999.0.3 oisf.trap.oisfTrapActionTaken<br> INTEGER (1..7)<br> 1 alert<br>
2 drop<br> 3 streamdrop<br> 4 reject<br> 5 pass<br> 6 log<br> 7 log<br> 4 1.3.6.1.4.1.999.0.4 oisf.trap.oisfTrapMsg<br>
DisplayString(SIZE(0..255))<br> 5 1.3.6.1.4.1.999.0.5 oisf.trap.oisfTrapMoreInfo<br> DisplayString(SIZE(0..255))<br> 6 1.3.6.1.4.1.999.0.6 oisf.trap.oisfTrapSrcAddressType<br>
InetAddressType<br> 7 1.3.6.1.4.1.999.0.7 oisf.trap.oisfTrapSrcAddress<br> InetAddress<br> 8 1.3.6.1.4.1.999.0.8 oisf.trap.oisfTrapDstAddressType<br>
InetAddressType<br> 9 1.3.6.1.4.1.999.0.9 oisf.trap.oisfTrapDstAddress<br> InetAddress<br> 10 1.3.6.1.4.1.999.0.10 oisf.trap.oisfTrapSrcPort<br> InetPortNumber<br>
11 1.3.6.1.4.1.999.0.11 oisf.trap.oisfTrapDstPort<br> InetPortNumber<br> 12 1.3.6.1.4.1.999.0.12 oisf.trap.oisfTrapStartTime<br> DisplayString(SIZE(0..26))<br>
13 1.3.6.1.4.1.999.0.13 oisf.trap.oisfTrapOccurences<br> Counter32<br> 14 1.3.6.1.4.1.999.0.14 oisf.trap.oisfTrapImpact<br> INTEGER (1..12)<br> 1 unknown<br>
2 badUnknown<br> 3 notSuspicious<br> 4 attemptedAdmin<br> 5 successfulAdmin<br> 6 attemptedDos<br> 7 successfulDos<br>
8 attemptedRecon<br> 9 successfulReconLimited<br> 10 successfulReconLargescale<br> 11 attemptedUser<br> 12 successfulUser <br>
15 1.3.6.1.4.1.999.0.15 oisf.trap.oisfTrapSrcAddressList<br> OCTET STRING (SIZE(0..1024))<br> 16 1.3.6.1.4.1.999.0.16 oisf.trap.oisfTrapDstAddressList<br> OCTET STRING (SIZE(0..1024))<br>
17 1.3.6.1.4.1.999.0.17 oisf.trap.oisfTrapSrcPortList<br> OCTET STRING (SIZE(0..1024))<br> 18 1.3.6.1.4.1.999.0.18 oisf.trap.oisfTrapDstPortList<br> OCTET STRING (SIZE(0..1024))<br>
19 1.3.6.1.4.1.999.0.19 oisf.trap.oisfTrapScanDuration<br> Counter32<br> 20 1.3.6.1.4.1.999.0.20 oisf.trap.oisfTrapScanedHosts<br> Counter32<br> 21 1.3.6.1.4.1.999.0.21 oisf.trap.oisfTrapTCPScanCount<br>
Counter32<br> 22 1.3.6.1.4.1.999.0.22 oisf.trap.oisfTrapUDPScanCount<br> Counter32<br> 23 1.3.6.1.4.1.999.0.23 oisf.trap.oisfTrapScanType<br> INTEGER (1..4)<br>
1 other<br> 2 stealth<br> 3 aggressive<br> 4 unknown<br> 24 1.3.6.1.4.1.999.0.24 oisf.trap.oisfTrapEventStatus<br>
INTEGER (1..5)<br> 1 other<br> 2 start<br> 3 inProgress<br> 4 end<br> 5 unknown<br> 25 1.3.6.1.4.1.999.0.25 oisf.trap.oisfTrapEventPriority<br>
INTEGER (1..255)<br> 26 1.3.6.1.4.1.999.0.26 oisf.trap.oisfTrapSrcMACAddress<br> MacAddress<br> 27 1.3.6.1.4.1.999.0.27 oisf.trap.oisfTrapDstMACAddress<br>
MacAddress<br> 28 1.3.6.1.4.1.999.0.28 oisf.trap.oisfTrapProto<br> DisplayString(SIZE(0..128))<br> 29 1.3.6.1.4.1.999.0.29 oisf.trap.oisfSignatureID<br>
Integer32<br> 30 1.3.6.1.4.1.999.0.30 oisf.trap.oisfSignatureRev<br> Integer32<br> 31 1.3.6.1.4.1.999.0.31 oisf.trap.oisfSignatureMsg<br> DisplayString(SIZE(0..255))<br>
32 1.3.6.1.4.1.999.0.32 oisf.trap.oisfPacketPrint<br> DisplayString(SIZE(0..255))<br> 33 1.3.6.1.4.1.999.0.33 oisf.trap.oisfGeneratorID<br> Integer32<br>
34 1.3.6.1.4.1.999.0.34 oisf.trap.oisfSensorID<br> Integer32<br> 35 1.3.6.1.4.1.999.0.35 oisf.trap.oisfClassification<br> DisplayString(SIZE(0..255))<br>
36 1.3.6.1.4.1.999.0.36 oisf.trap.oisfInterface<br> DisplayString(SIZE(0..128))<br> 37 1.3.6.1.4.1.999.0.37 oisf.trap.oisfTrapTimeZone<br> DisplayString(SIZE(0..128))<br>
4 1.3.6.1.4.1.999.4 oisf.product<br> 1 1.3.6.1.4.1.999.4.1 oisf.product.ids<br> 1 1.3.6.1.4.1.999.4.1.1 oisf.product.ids.suricata<br> 1 1.3.6.1.4.1.999.4.1.1.1 oisf.product.ids.suricata.oisfSuricataVersion<br>
DisplayString(SIZE(0..128))<br> 2 1.3.6.1.4.1.999.4.1.1.2 oisf.product.ids.suricata.oisfSuricataDescription<br> DisplayString(SIZE(0..128))<br> 3 1.3.6.1.4.1.999.4.1.1.3 oisf.product.ids.suricata.oisfSuricataUptime<br>
TimeStamp<br></span><br><br><br></div>and the full MIB file is:<br><br><br><span style="font-family:courier new,monospace">OISF-MIB DEFINITIONS ::= BEGIN<br><br>--<br>-- Top-level infrastructure for the OISF enterprise MIB tree<br>
--<br><br>IMPORTS<br> MODULE-IDENTITY,<br> OBJECT-TYPE,<br> Counter32,<br> Integer32,<br> enterprises<br> FROM SNMPv2-SMI <br> MODULE-COMPLIANCE,<br> OBJECT-GROUP<br> FROM SNMPv2-CONF<br>
TEXTUAL-CONVENTION,<br> DisplayString,<br> MacAddress,<br> TimeStamp<br> FROM SNMPv2-TC<br> InetPortNumber,<br> InetAddress,<br> InetAddressType<br> FROM INET-ADDRESS-MIB;<br><br>oisf MODULE-IDENTITY<br>
LAST-UPDATED "201402100000Z" -- 10th Feb 2014, midnight<br> ORGANIZATION "<a href="http://openinfosecfoundation.org">openinfosecfoundation.org</a>"<br> CONTACT-INFO "postal: OISF<br>
416 Main St Suite 3<br> Lafayette, Indiana, 47901<br> USA<br><br> email: <a href="mailto:oisf-team@openinfosecfoundation.org">oisf-team@openinfosecfoundation.org</a><br>
phone: +1-765-429-0398<br> "<br> DESCRIPTION "Top-level infrastructure for the OISF Enterprise MIB tree<br> "<br> REVISION "201402100000Z" -- 10th Feb 2014, midnight<br>
DESCRIPTION "First draft."<br><br> ::= { enterprises 999}<br><br>--<br>-- Definitions for new textual conventions <br>--<br> OisfInetAddrList ::= TEXTUAL-CONVENTION<br> DISPLAY-HINT "1x:"<br>
STATUS current<br> DESCRIPTION<br> "This data type is used to model a list of IP addresses.<br> The format will be as follows-<br> [Type:]FromIP[-ToIP]] [[Type]:FromIP[-ToIP]] .......]<br>
It is essentially a set of zero or more IP address ranges <br> separated by a space character.<br> Each IP address range is preceded by an Address type indicator<br> which is '4' or '6'. By default the address type is 4.<br>
4 indicates that the address range pertains to the IPv4 <br> address domain. 6 indicates that the address range pertains <br> to the IPv6 range."<br> SYNTAX OCTET STRING (SIZE (0..1024))<br>
<br> OisfInetPortList ::= TEXTUAL-CONVENTION<br> DISPLAY-HINT "1x:"<br> STATUS current<br> DESCRIPTION<br> "This data type is used to model a list of ports <br> The format will be as follows-<br>
FromPort[-ToPort] [FromPort[-ToPort] .......]<br> It is essentially a set of zero or more port number ranges<br> separated by a space character."<br> SYNTAX OCTET STRING (SIZE (0..1024))<br>
<br><br>--<br>-- OISF SNMP trap definitions<br>--<br>oisfTrap OBJECT IDENTIFIER ::= { oisf 0 }<br><br> oisfTrapTrapID OBJECT-TYPE<br> SYNTAX Counter32<br> MAX-ACCESS read-only<br> STATUS current<br>
DESCRIPTION<br> "Unique identifier of the trap"<br> ::= { oisfTrap 1 }<br><br> oisfTrapTimeStamp OBJECT-TYPE<br> SYNTAX DisplayString(SIZE(0..26)) -- 2014-02-16_16:56:25.481721<br>
MAX-ACCESS read-only<br> STATUS current<br> DESCRIPTION<br> "Time stamp of when the trap was generated"<br> ::= { oisfTrap 2 }<br><br> oisfTrapActionTaken OBJECT-TYPE<br>
SYNTAX INTEGER {<br> alert(1),<br> drop(2),<br> streamDrop(3),<br> reject(4),<br> pass(5),<br> log(6),<br> none(7)<br> }<br>
MAX-ACCESS read-only<br>
STATUS current<br> DESCRIPTION<br> "Actions that were taken on this alert. Multiple actions are possible"<br> ::= { oisfTrap 3 }<br><br> oisfTrapMsg OBJECT-TYPE<br> SYNTAX DisplayString(SIZE(0..255))<br>
MAX-ACCESS read-only<br> STATUS current<br> DESCRIPTION<br> "Message associated with the triggered alert.<br> If there is no message, this field will be blank"<br>
::= { oisfTrap 4 }<br><br> oisfTrapMoreInfo OBJECT-TYPE<br> SYNTAX DisplayString(SIZE(0..255))<br> MAX-ACCESS read-only<br> STATUS current<br> DESCRIPTION<br> "More information pertaining to this alert. This might include URLs<br>
and other sources of reference information. If there is no information,<br> this field will be blank"<br> ::= { oisfTrap 5 }<br><br> oisfTrapSrcAddressType OBJECT-TYPE<br> SYNTAX InetAddressType<br>
MAX-ACCESS read-only<br> STATUS current<br> DESCRIPTION<br> "The type of address that was the source of the alert"<br> ::= { oisfTrap 6 }<br><br> oisfTrapSrcAddress OBJECT-TYPE<br>
SYNTAX InetAddress<br> MAX-ACCESS read-only<br> STATUS current<br> DESCRIPTION<br> "The Internet address of the source of the alert, if known.<br> This will be a zero length string if the source address is unknown,<br>
not available or, not applicable."<br> ::= { oisfTrap 7 }<br><br> oisfTrapDstAddressType OBJECT-TYPE<br> SYNTAX InetAddressType<br> MAX-ACCESS read-only<br> STATUS current<br>
DESCRIPTION<br> "The type of address that was the target of the alert"<br> ::= { oisfTrap 8 }<br><br> oisfTrapDstAddress OBJECT-TYPE<br> SYNTAX InetAddress<br> MAX-ACCESS read-only<br>
STATUS current<br> DESCRIPTION<br> "The Internet address of the target of the alert, if known.<br> This will be a zero length string if the target address is unknown,<br> not available or, not applicable."<br>
::= { oisfTrap 9 }<br><br> oisfTrapSrcPort OBJECT-TYPE<br> SYNTAX InetPortNumber<br> MAX-ACCESS read-only<br> STATUS current<br> DESCRIPTION<br> "The port number, if known, from where the attack has originated."<br>
::= { oisfTrap 10 }<br><br> oisfTrapDstPort OBJECT-TYPE<br> SYNTAX InetPortNumber<br> MAX-ACCESS read-only<br> STATUS current<br> DESCRIPTION<br> "The port number to where the attack was targeted."<br>
::= { oisfTrap 11 }<br><br> oisfTrapStartTime OBJECT-TYPE<br> SYNTAX DisplayString(SIZE(0..26)) -- 2014-02-16_16:56:25.481721<br> MAX-ACCESS read-only<br> STATUS current<br> DESCRIPTION<br>
"Time stamp of when the event causing this alert was detected."<br> ::= { oisfTrap 12 }<br><br> oisfTrapOccurences OBJECT-TYPE<br> SYNTAX Counter32<br> MAX-ACCESS read-only<br>
STATUS current<br> DESCRIPTION<br> "The number of occurrences of the event that is being reported in this alert."<br> ::= { oisfTrap 13 }<br><br> oisfTrapImpact OBJECT-TYPE<br>
SYNTAX INTEGER {<br> unknown(1),<br> badUnknown(2),<br> notSuspicious(3),<br> attemptedAdmin(4),<br> successfulAdmin(5),<br> attemptedDos(6),<br>
successfulDos(7),<br> attemptedRecon(8),<br> successfulReconLimited(9),<br> successfulReconLargescale(10),<br> attemptedUser(11),<br> successfulUser(12)<br>
}<br> MAX-ACCESS read-only<br> STATUS current<br> DESCRIPTION<br> "The evaluated impact of the attack."<br> ::= { oisfTrap 14 }<br><br> oisfTrapSrcAddressList OBJECT-TYPE<br>
SYNTAX OisfInetAddrList<br> MAX-ACCESS read-only<br> STATUS current<br> DESCRIPTION<br> "The list of source addresses applicable to this alert."<br> ::= { oisfTrap 15 }<br>
<br> oisfTrapDstAddressList OBJECT-TYPE<br> SYNTAX OisfInetAddrList<br> MAX-ACCESS read-only<br> STATUS current<br> DESCRIPTION<br> "The list of destination addresses applicable to this alert."<br>
::= { oisfTrap 16 }<br><br> oisfTrapSrcPortList OBJECT-TYPE<br> SYNTAX OisfInetPortList<br> MAX-ACCESS read-only<br> STATUS current<br> DESCRIPTION<br> "The list of source ports applicable to this alert."<br>
::= { oisfTrap 17 }<br><br> oisfTrapDstPortList OBJECT-TYPE<br> SYNTAX OisfInetPortList<br> MAX-ACCESS read-only<br> STATUS current<br> DESCRIPTION<br> "The list of destination ports applicable to this alert."<br>
::= { oisfTrap 18 }<br><br> oisfTrapScanDuration OBJECT-TYPE<br> SYNTAX Counter32<br> MAX-ACCESS read-only<br> STATUS current<br> DESCRIPTION<br> "The duration of the scan being reported in this alert."<br>
::= { oisfTrap 19 }<br><br> oisfTrapScanedHosts OBJECT-TYPE<br> SYNTAX Counter32<br> MAX-ACCESS read-only<br> STATUS current<br> DESCRIPTION<br> "The number of hosts scanned by the attack being reported in this alert."<br>
::= { oisfTrap 20 }<br><br> oisfTrapTCPScanCount OBJECT-TYPE<br> SYNTAX Counter32<br> MAX-ACCESS read-only<br> STATUS current<br> DESCRIPTION<br> "The number of TCP scans seen in the attack being reported in this alert."<br>
::= { oisfTrap 21 }<br><br> oisfTrapUDPScanCount OBJECT-TYPE<br> SYNTAX Counter32<br> MAX-ACCESS read-only<br> STATUS current<br> DESCRIPTION<br> "The number of UDP scans seen in the attack being reported in this alert."<br>
::= { oisfTrap 22 }<br><br> oisfTrapScanType OBJECT-TYPE<br> SYNTAX INTEGER {<br> other(1),<br> stealth(2),<br> aggressive(3),<br> unknown(4)<br> }<br>
MAX-ACCESS read-only<br> STATUS current<br> DESCRIPTION<br> "The type of scan being seen in the attack being reported in this alert."<br> ::= { oisfTrap 23 }<br><br> oisfTrapEventStatus OBJECT-TYPE<br>
SYNTAX INTEGER {<br> other(1),<br> start(2),<br> inProgress(3),<br> end(4),<br> unknown(5)<br> }<br> MAX-ACCESS read-only<br> STATUS current<br>
DESCRIPTION<br> "The status of the event being reported in the alert.<br> The alert may report the start or end of an event. <br> It may also provide intermediate reports on event<br>
in progress."<br> ::= { oisfTrap 24 }<br><br> oisfTrapEventPriority OBJECT-TYPE<br> SYNTAX Integer32 (1..255)<br> MAX-ACCESS read-only<br> STATUS current<br> DESCRIPTION<br>
"The priority of the event being reported in this alert."<br> ::= { oisfTrap 25 }<br><br> oisfTrapSrcMACAddress OBJECT-TYPE<br> SYNTAX MacAddress<br> MAX-ACCESS read-only<br>
STATUS current<br> DESCRIPTION<br> "The 802 MAC address seen in source address part of the <br> datagram carrying packet which has caused this alert."<br> ::= { oisfTrap 26 }<br>
<br> oisfTrapDstMACAddress OBJECT-TYPE<br> SYNTAX MacAddress<br> MAX-ACCESS read-only<br> STATUS current<br> DESCRIPTION<br> "The 802 MAC address seen in destination address part of the <br>
datagram carrying packet which has caused this alert."<br> ::= { oisfTrap 27 }<br><br> oisfTrapProto OBJECT-TYPE<br> SYNTAX DisplayString(SIZE(0..128))<br> MAX-ACCESS read-only<br>
STATUS current<br> DESCRIPTION<br> "The traffic protocol of the attack that caused this alert"<br> ::= { oisfTrap 28 }<br><br> oisfSignatureID OBJECT-TYPE<br> SYNTAX Integer32<br>
MAX-ACCESS read-only<br> STATUS current<br> DESCRIPTION<br> "The ID of the signature which matched the attack that caused this alert"<br> ::= { oisfTrap 29 }<br><br>
oisfSignatureRev OBJECT-TYPE<br>
SYNTAX Integer32<br> MAX-ACCESS read-only<br> STATUS current<br> DESCRIPTION<br> "The revision of the signature which matched the attack that caused this alert"<br>
::= { oisfTrap 30 }<br><br> oisfSignatureMsg OBJECT-TYPE<br> SYNTAX DisplayString(SIZE(0..255))<br> MAX-ACCESS read-only<br> STATUS current<br> DESCRIPTION<br> "The message from the signature which matched the attack that caused this alert"<br>
::= { oisfTrap 31 }<br><br> oisfPacketPrint OBJECT-TYPE<br> SYNTAX DisplayString(SIZE(0..255))<br> MAX-ACCESS read-only<br> STATUS current<br> DESCRIPTION<br> "The hash of the invariant part of the packet that caused the event.<br>
The algorithm that generated the hash is documented in oisfSensorHashAlgorithm.<br> The hash print has the following format<br> <The hash value generated by sidaSensorHashAlgorithm> ':'<br>
<The length of the packet that was hashed> ':'<br> <The TTL of the packet> <br> NULL string termination character <br>
The hash value is represented in hexadecimal notation."<br> ::= { oisfTrap 32 }<br><br> oisfGeneratorID OBJECT-TYPE<br> SYNTAX Integer32<br> MAX-ACCESS read-only<br> STATUS current<br>
DESCRIPTION<br> "The ID of the generator in the source code which created the alert."<br> ::= { oisfTrap 33 }<br><br> oisfSensorID OBJECT-TYPE<br> SYNTAX Integer32<br> MAX-ACCESS read-only<br>
STATUS current<br> DESCRIPTION<br> "The ID of the sensor on the IDS which saw the traffic which created the alert."<br> ::= { oisfTrap 34 }<br><br> oisfClassification OBJECT-TYPE<br>
SYNTAX DisplayString(SIZE(0..255))<br> MAX-ACCESS read-only<br> STATUS current<br> DESCRIPTION<br> "The classification of the rule which caused the alert."<br> ::= { oisfTrap 35 }<br>
<br> oisfInterface OBJECT-TYPE<br> SYNTAX DisplayString(SIZE(0..128))<br> MAX-ACCESS read-only<br> STATUS current<br> DESCRIPTION<br> "The name of the interface from which the traffic came that caused the alert."<br>
::= { oisfTrap 36 }<br><br> oisfTrapTimeZone OBJECT-TYPE<br> SYNTAX DisplayString(SIZE(0..128))<br> MAX-ACCESS read-only<br> STATUS current<br> DESCRIPTION<br> "The timezone of the IDS that caused the alert."<br>
::= { oisfTrap 37 }<br><br>--<br>-- OISF / Product / IDS / Suricata information<br>--<br>oisfProduct OBJECT IDENTIFIER ::= { oisf 4 }<br>ids OBJECT IDENTIFIER ::= { oisfProduct 1 }<br>suricata OBJECT IDENTIFIER ::= { ids 1 }<br>
<br> oisfSuricataVersion OBJECT-TYPE<br> SYNTAX DisplayString (SIZE(0..25))<br> MAX-ACCESS read-only<br> STATUS current<br> DESCRIPTION<br> "Version number of the Suricata software which generated the SNMP trap"<br>
::= { suricata 1 }<br><br> oisfSuricataDescription OBJECT-TYPE<br> SYNTAX OCTET STRING (SIZE(0..1024))<br> MAX-ACCESS read-only<br> STATUS current<br> DESCRIPTION<br> "Description of the Suricata software which generated the SNMP trap"<br>
::= { suricata 2 }<br><br> oisfSuricataUptime OBJECT-TYPE<br> SYNTAX TimeStamp<br> MAX-ACCESS read-only<br> STATUS current<br> DESCRIPTION<br> "Time, in seconds, since the Suricata software was invoked"<br>
::= { suricata 3 }<br><br>--<br>-- SNMP Conformance information<br>--<br>oisfConformance OBJECT IDENTIFIER ::= { oisf 3 }<br>oisfCompliances OBJECT IDENTIFIER ::= { oisfConformance 1 }<br>oisfGroups OBJECT IDENTIFIER ::= { oisfConformance 2 }<br>
<br>oisfTrapCompliance MODULE-COMPLIANCE<br> STATUS current<br> DESCRIPTION<br> "The compliance statement for the SNMP entities which implement the OISF MIB"<br> MODULE<br> MANDATORY-GROUPS { oisfTrapGroup, oisfIDSSuricataGroup }<br>
::= { oisfCompliances 1 }<br><br>oisfTrapGroup OBJECT-GROUP<br> OBJECTS {<br> oisfClassification,<br> oisfGeneratorID,<br> oisfInterface,<br> oisfPacketPrint,<br> oisfSensorID,<br>
oisfSignatureID,<br> oisfSignatureMsg,<br> oisfSignatureRev,<br> oisfTrapActionTaken,<br> oisfTrapDstAddress,<br> oisfTrapDstAddressList,<br> oisfTrapDstAddressType,<br> oisfTrapDstMACAddress,<br>
oisfTrapDstPort,<br> oisfTrapDstPortList,<br> oisfTrapEventPriority,<br> oisfTrapEventStatus,<br> oisfTrapImpact,<br> oisfTrapMoreInfo,<br> oisfTrapMsg,<br> oisfTrapOccurences,<br>
oisfTrapProto,<br> oisfTrapScanDuration,<br> oisfTrapScanType,<br> oisfTrapScanedHosts,<br> oisfTrapSrcAddress,<br> oisfTrapSrcAddressList,<br> oisfTrapSrcAddressType,<br>
oisfTrapSrcMACAddress,<br> oisfTrapSrcPort,<br> oisfTrapSrcPortList,<br> oisfTrapStartTime,<br> oisfTrapTCPScanCount,<br> oisfTrapTimeStamp,<br> oisfTrapTimeZone,<br> oisfTrapTrapID,<br>
oisfTrapUDPScanCount<br> }<br> STATUS current<br> DESCRIPTION<br> "The SNMP objects used to describe and dispatch the SNMP traps from<br> OISF IDS software."<br> ::= { oisfGroups 1 }<br>
<br>oisfIDSSuricataGroup OBJECT-GROUP<br> OBJECTS {<br> oisfSuricataDescription,<br> oisfSuricataUptime,<br> oisfSuricataVersion<br> }<br> STATUS current<br> DESCRIPTION<br> "The SNMP objects used to describe the OISF IDS Suricata software."<br>
::= { oisfGroups 2 }<br><br>END</span><br><br></div>
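<div>Added example (not part of the original post, and not barnyard2 or OISF code): a receiver-side decoder for a few of the varbinds this MIB defines, checking each value against the MIB's enumeration, size limit and the OisfInetAddrList / OisfInetPortList formats before the NMS acts on it. It assumes varbinds arrive as (OID string, value) pairs, with or without a trailing .0 instance; the names <code>decode_trap</code>, <code>DECODERS</code> and the sample values are made up for illustration.</div>

```python
import ipaddress

TRAP_BASE = "1.3.6.1.4.1.999.0."  # 999 is the post's placeholder enterprise number
ACTION = {1: "alert", 2: "drop", 3: "streamDrop", 4: "reject", 5: "pass", 6: "log", 7: "none"}

def parse_port_list(text):
    """OisfInetPortList: 'FromPort[-ToPort] ...' -> [(lo, hi), ...]."""
    ranges = []
    for token in text.split():
        lo, _, hi = token.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range {token!r}")
        ranges.append((lo, hi))
    return ranges

def parse_addr_list(text):
    """OisfInetAddrList: '[Type:]FromIP[-ToIP] ...'; Type is '4' (default) or '6'."""
    ranges = []
    for token in text.split():
        kind = ipaddress.IPv4Address
        if token[:2] in ("4:", "6:"):
            kind = ipaddress.IPv6Address if token[0] == "6" else kind
            token = token[2:]
        lo, _, hi = token.partition("-")
        lo, hi = kind(lo), kind(hi or lo)  # ValueError on a malformed address
        if lo > hi:
            raise ValueError(f"descending address range {token!r}")
        ranges.append((lo, hi))
    return ranges

# Sub-identifier under oisfTrap -> (object name, decoder); a subset of the MIB's objects.
DECODERS = {
    "3": ("oisfTrapActionTaken", ACTION.__getitem__),
    "15": ("oisfTrapSrcAddressList", parse_addr_list),
    "18": ("oisfTrapDstPortList", parse_port_list),
}

def decode_trap(varbinds):
    """Turn [(oid, value), ...] into {name: decoded}; reject anything out of spec."""
    event = {}
    for oid, value in varbinds:
        if not oid.startswith(TRAP_BASE):
            raise ValueError(f"varbind outside the oisfTrap subtree: {oid}")
        sub_id, _, instance = oid[len(TRAP_BASE):].partition(".")
        if sub_id not in DECODERS or instance not in ("", "0"):
            raise ValueError(f"unhandled oisfTrap object: {oid}")
        if isinstance(value, str) and len(value) > 1024:
            raise ValueError(f"{oid}: longer than the MIB's SIZE (0..1024)")
        name, decode = DECODERS[sub_id]
        try:
            event[name] = decode(value)
        except KeyError:
            raise ValueError(f"{name}: {value!r} is not in the MIB's enumeration")
    return event

# Constructed sample varbinds, not captured from a real sensor.
SAMPLE = [("1.3.6.1.4.1.999.0.3", 2),
          ("1.3.6.1.4.1.999.0.15", "192.0.2.10-192.0.2.20 6:2001:db8::1"),
          ("1.3.6.1.4.1.999.0.18.0", "22 8000-8080")]
```

<div>When the real enterprise number arrives, only <code>TRAP_BASE</code> needs to change.</div>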