[Oisf-users] OISF IDS Suricata MIB - alpha release
Mark Ashley
mark at ibiblio.org
Mon Feb 10 07:03:53 UTC 2014
Hi folks,
Whilst we wait for the IANA to issue an enterprise number to the OISF for
their MIBs, here's what I'll be sending to our NMS so it can grok the traps
that barnyard2 is sending.
TODO: Replace the example enterprise number '999' with the real one when it
arrives.
The MIB copies the same OID numbers as defined in the Snort one back in
2002... this mostly is for compatibility, as the header file in the
barnyard2 SNMP module uses those. There's nothing stopping a full re-edit
etc., as long as there is a new spo_snmp.h created as well for barnyard2 to
be recompiled with. I added a timezone OID as it seemed useful.
The old MIB:
http://www.kolaja.eu/documents/bachelors_thesis/snort/snort-1.8.4/MIBS/SnortIDAlertMIB.txt
The new OISF MIB passes the full level 6 validation tests at
http://wwwsnmp.cs.utwente.nl/ietf/mibs/validate/
To improve the style OISF might want to split the file into a main OISF-MIB
for the enterprise and one for an OISF-SURICATA-MIB file. This serves as a
useful base to add in new fields as needed.
ta,
Mark.
The OID list I grew the MIB from is here:
suricata_oids.txt
oisf root
999
1.3.6.1.4.1.999
0  1.3.6.1.4.1.999.0  oisf.trap
  1   1.3.6.1.4.1.999.0.1   oisf.trap.oisfTrapTrapID
        Counter32
  2   1.3.6.1.4.1.999.0.2   oisf.trap.oisfTrapTimeStamp
        DisplayString(SIZE(0..26)) -- 2014-02-03_16:56:25.481721
  3   1.3.6.1.4.1.999.0.3   oisf.trap.oisfTrapActionTaken
        INTEGER (1..7)
          1 alert
          2 drop
          3 streamdrop
          4 reject
          5 pass
          6 log
          7 none
  4   1.3.6.1.4.1.999.0.4   oisf.trap.oisfTrapMsg
        DisplayString(SIZE(0..255))
  5   1.3.6.1.4.1.999.0.5   oisf.trap.oisfTrapMoreInfo
        DisplayString(SIZE(0..255))
  6   1.3.6.1.4.1.999.0.6   oisf.trap.oisfTrapSrcAddressType
        InetAddressType
  7   1.3.6.1.4.1.999.0.7   oisf.trap.oisfTrapSrcAddress
        InetAddress
  8   1.3.6.1.4.1.999.0.8   oisf.trap.oisfTrapDstAddressType
        InetAddressType
  9   1.3.6.1.4.1.999.0.9   oisf.trap.oisfTrapDstAddress
        InetAddress
  10  1.3.6.1.4.1.999.0.10  oisf.trap.oisfTrapSrcPort
        InetPortNumber
  11  1.3.6.1.4.1.999.0.11  oisf.trap.oisfTrapDstPort
        InetPortNumber
  12  1.3.6.1.4.1.999.0.12  oisf.trap.oisfTrapStartTime
        DisplayString(SIZE(0..26))
  13  1.3.6.1.4.1.999.0.13  oisf.trap.oisfTrapOccurences
        Counter32
  14  1.3.6.1.4.1.999.0.14  oisf.trap.oisfTrapImpact
        INTEGER (1..12)
          1 unknown
          2 badUnknown
          3 notSuspicious
          4 attemptedAdmin
          5 successfulAdmin
          6 attemptedDos
          7 successfulDos
          8 attemptedRecon
          9 successfulReconLimited
          10 successfulReconLargescale
          11 attemptedUser
          12 successfulUser
  15  1.3.6.1.4.1.999.0.15  oisf.trap.oisfTrapSrcAddressList
        OCTET STRING (SIZE(0..1024))
  16  1.3.6.1.4.1.999.0.16  oisf.trap.oisfTrapDstAddressList
        OCTET STRING (SIZE(0..1024))
  17  1.3.6.1.4.1.999.0.17  oisf.trap.oisfTrapSrcPortList
        OCTET STRING (SIZE(0..1024))
  18  1.3.6.1.4.1.999.0.18  oisf.trap.oisfTrapDstPortList
        OCTET STRING (SIZE(0..1024))
  19  1.3.6.1.4.1.999.0.19  oisf.trap.oisfTrapScanDuration
        Counter32
  20  1.3.6.1.4.1.999.0.20  oisf.trap.oisfTrapScanedHosts
        Counter32
  21  1.3.6.1.4.1.999.0.21  oisf.trap.oisfTrapTCPScanCount
        Counter32
  22  1.3.6.1.4.1.999.0.22  oisf.trap.oisfTrapUDPScanCount
        Counter32
  23  1.3.6.1.4.1.999.0.23  oisf.trap.oisfTrapScanType
        INTEGER (1..4)
          1 other
          2 stealth
          3 aggressive
          4 unknown
  24  1.3.6.1.4.1.999.0.24  oisf.trap.oisfTrapEventStatus
        INTEGER (1..5)
          1 other
          2 start
          3 inProgress
          4 end
          5 unknown
  25  1.3.6.1.4.1.999.0.25  oisf.trap.oisfTrapEventPriority
        INTEGER (1..255)
  26  1.3.6.1.4.1.999.0.26  oisf.trap.oisfTrapSrcMACAddress
        MacAddress
  27  1.3.6.1.4.1.999.0.27  oisf.trap.oisfTrapDstMACAddress
        MacAddress
  28  1.3.6.1.4.1.999.0.28  oisf.trap.oisfTrapProto
        DisplayString(SIZE(0..128))
  29  1.3.6.1.4.1.999.0.29  oisf.trap.oisfSignatureID
        Integer32
  30  1.3.6.1.4.1.999.0.30  oisf.trap.oisfSignatureRev
        Integer32
  31  1.3.6.1.4.1.999.0.31  oisf.trap.oisfSignatureMsg
        DisplayString(SIZE(0..255))
  32  1.3.6.1.4.1.999.0.32  oisf.trap.oisfPacketPrint
        DisplayString(SIZE(0..255))
  33  1.3.6.1.4.1.999.0.33  oisf.trap.oisfGeneratorID
        Integer32
  34  1.3.6.1.4.1.999.0.34  oisf.trap.oisfSensorID
        Integer32
  35  1.3.6.1.4.1.999.0.35  oisf.trap.oisfClassification
        DisplayString(SIZE(0..255))
  36  1.3.6.1.4.1.999.0.36  oisf.trap.oisfInterface
        DisplayString(SIZE(0..128))
  37  1.3.6.1.4.1.999.0.37  oisf.trap.oisfTrapTimeZone
        DisplayString(SIZE(0..128))
4  1.3.6.1.4.1.999.4  oisf.product
  1   1.3.6.1.4.1.999.4.1  oisf.product.ids
    1   1.3.6.1.4.1.999.4.1.1  oisf.product.ids.suricata
      1   1.3.6.1.4.1.999.4.1.1.1  oisf.product.ids.suricata.oisfSuricataVersion
            DisplayString(SIZE(0..128))
      2   1.3.6.1.4.1.999.4.1.1.2  oisf.product.ids.suricata.oisfSuricataDescription
            DisplayString(SIZE(0..128))
      3   1.3.6.1.4.1.999.4.1.1.3  oisf.product.ids.suricata.oisfSuricataUptime
            TimeStamp
and the full MIB file is:
OISF-MIB DEFINITIONS ::= BEGIN
--
-- Top-level infrastructure for the OISF enterprise MIB tree
--
IMPORTS
MODULE-IDENTITY,
OBJECT-TYPE,
Counter32,
Integer32,
enterprises
FROM SNMPv2-SMI
MODULE-COMPLIANCE,
OBJECT-GROUP
FROM SNMPv2-CONF
TEXTUAL-CONVENTION,
DisplayString,
MacAddress,
TimeStamp
FROM SNMPv2-TC
InetPortNumber,
InetAddress,
InetAddressType
FROM INET-ADDRESS-MIB;
oisf MODULE-IDENTITY
LAST-UPDATED "201402100000Z" -- 10th Feb 2014, midnight
ORGANIZATION "openinfosecfoundation.org"
CONTACT-INFO "postal: OISF
416 Main St Suite 3
Lafayette, Indiana, 47901
USA
email: oisf-team at openinfosecfoundation.org
phone: +1-765-429-0398
"
DESCRIPTION "Top-level infrastructure for the OISF Enterprise MIB tree
"
REVISION "201402100000Z" -- 10th Feb 2014, midnight
DESCRIPTION "First draft."
::= { enterprises 999 }
--
-- Definitions for new textual conventions
--
OisfInetAddrList ::= TEXTUAL-CONVENTION
DISPLAY-HINT "1x:"
STATUS current
DESCRIPTION
"This data type is used to model a list of IP addresses.
The format is as follows:
[Type:]FromIP[-ToIP] [[Type:]FromIP[-ToIP] ...]
It is essentially a set of zero or more IP address ranges
separated by a space character.
Each IP address range may be preceded by an address type indicator
which is '4' or '6'. By default the address type is 4.
4 indicates that the address range pertains to the IPv4
address domain. 6 indicates that the address range pertains
to the IPv6 address domain."
SYNTAX OCTET STRING (SIZE (0..1024))
OisfInetPortList ::= TEXTUAL-CONVENTION
DISPLAY-HINT "1x:"
STATUS current
DESCRIPTION
"This data type is used to model a list of ports.
The format is as follows:
FromPort[-ToPort] [FromPort[-ToPort] ...]
It is essentially a set of zero or more port number ranges
separated by a space character."
SYNTAX OCTET STRING (SIZE (0..1024))
--
-- OISF SNMP trap definitions
--
oisfTrap OBJECT IDENTIFIER ::= { oisf 0 }
oisfTrapTrapID OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Unique identifier of the trap"
::= { oisfTrap 1 }
oisfTrapTimeStamp OBJECT-TYPE
SYNTAX DisplayString(SIZE(0..26)) -- 2014-02-16_16:56:25.481721
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Time stamp of when the trap was generated"
::= { oisfTrap 2 }
oisfTrapActionTaken OBJECT-TYPE
SYNTAX INTEGER {
alert(1),
drop(2),
streamDrop(3),
reject(4),
pass(5),
log(6),
none(7)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Actions that were taken on this alert. Multiple actions are
possible."
::= { oisfTrap 3 }
oisfTrapMsg OBJECT-TYPE
SYNTAX DisplayString(SIZE(0..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Message associated with the triggered alert.
If there is no message, this field will be blank"
::= { oisfTrap 4 }
oisfTrapMoreInfo OBJECT-TYPE
SYNTAX DisplayString(SIZE(0..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"More information pertaining to this alert. This might include
URLs and other sources of reference information. If there is no
information, this field will be blank."
::= { oisfTrap 5 }
oisfTrapSrcAddressType OBJECT-TYPE
SYNTAX InetAddressType
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of address that was the source of the alert."
::= { oisfTrap 6 }
oisfTrapSrcAddress OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The Internet address of the source of the alert, if known.
This will be a zero length string if the source address is
unknown, not available or not applicable."
::= { oisfTrap 7 }
oisfTrapDstAddressType OBJECT-TYPE
SYNTAX InetAddressType
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of address that was the target of the alert."
::= { oisfTrap 8 }
oisfTrapDstAddress OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The Internet address of the target of the alert, if known.
This will be a zero length string if the target address is
unknown, not available or not applicable."
::= { oisfTrap 9 }
oisfTrapSrcPort OBJECT-TYPE
SYNTAX InetPortNumber
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The port number, if known, from where the attack has
originated."
::= { oisfTrap 10 }
oisfTrapDstPort OBJECT-TYPE
SYNTAX InetPortNumber
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The port number to where the attack was targeted."
::= { oisfTrap 11 }
oisfTrapStartTime OBJECT-TYPE
SYNTAX DisplayString(SIZE(0..26)) -- 2014-02-16_16:56:25.481721
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Time stamp of when the event causing this alert was detected."
::= { oisfTrap 12 }
oisfTrapOccurences OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of occurrences of the event that is being reported
in this alert."
::= { oisfTrap 13 }
oisfTrapImpact OBJECT-TYPE
SYNTAX INTEGER {
unknown(1),
badUnknown(2),
notSuspicious(3),
attemptedAdmin(4),
successfulAdmin(5),
attemptedDos(6),
successfulDos(7),
attemptedRecon(8),
successfulReconLimited(9),
successfulReconLargescale(10),
attemptedUser(11),
successfulUser(12)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The evaluated impact of the attack."
::= { oisfTrap 14 }
oisfTrapSrcAddressList OBJECT-TYPE
SYNTAX OisfInetAddrList
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The list of source addresses applicable to this alert."
::= { oisfTrap 15 }
oisfTrapDstAddressList OBJECT-TYPE
SYNTAX OisfInetAddrList
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The list of destination addresses applicable to this alert."
::= { oisfTrap 16 }
oisfTrapSrcPortList OBJECT-TYPE
SYNTAX OisfInetPortList
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The list of source ports applicable to this alert."
::= { oisfTrap 17 }
oisfTrapDstPortList OBJECT-TYPE
SYNTAX OisfInetPortList
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The list of destination ports applicable to this alert."
::= { oisfTrap 18 }
oisfTrapScanDuration OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The duration of the scan being reported in this alert."
::= { oisfTrap 19 }
oisfTrapScanedHosts OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of hosts scanned by the attack being reported in
this alert."
::= { oisfTrap 20 }
oisfTrapTCPScanCount OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of TCP scans seen in the attack being reported in
this alert."
::= { oisfTrap 21 }
oisfTrapUDPScanCount OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of UDP scans seen in the attack being reported in
this alert."
::= { oisfTrap 22 }
oisfTrapScanType OBJECT-TYPE
SYNTAX INTEGER {
other(1),
stealth(2),
aggressive(3),
unknown(4)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of scan being seen in the attack being reported in
this alert."
::= { oisfTrap 23 }
oisfTrapEventStatus OBJECT-TYPE
SYNTAX INTEGER {
other(1),
start(2),
inProgress(3),
end(4),
unknown(5)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The status of the event being reported in the alert.
The alert may report the start or end of an event.
It may also provide intermediate reports on event
in progress."
::= { oisfTrap 24 }
oisfTrapEventPriority OBJECT-TYPE
SYNTAX Integer32 (1..255)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The priority of the event being reported in this alert."
::= { oisfTrap 25 }
oisfTrapSrcMACAddress OBJECT-TYPE
SYNTAX MacAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The 802 MAC address seen in the source address field of the
frame carrying the packet which caused this alert."
::= { oisfTrap 26 }
oisfTrapDstMACAddress OBJECT-TYPE
SYNTAX MacAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The 802 MAC address seen in the destination address field of the
frame carrying the packet which caused this alert."
::= { oisfTrap 27 }
oisfTrapProto OBJECT-TYPE
SYNTAX DisplayString(SIZE(0..128))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The traffic protocol of the attack that caused this alert"
::= { oisfTrap 28 }
oisfSignatureID OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The ID of the signature which matched the attack that caused
this alert"
::= { oisfTrap 29 }
oisfSignatureRev OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The revision of the signature which matched the attack that
caused this alert"
::= { oisfTrap 30 }
oisfSignatureMsg OBJECT-TYPE
SYNTAX DisplayString(SIZE(0..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The message from the signature which matched the attack that
caused this alert"
::= { oisfTrap 31 }
oisfPacketPrint OBJECT-TYPE
SYNTAX DisplayString(SIZE(0..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The hash of the invariant part of the packet that caused the
event. The algorithm that generated the hash is documented in
oisfSensorHashAlgorithm.
The hash print has the following format:
<The hash value generated by oisfSensorHashAlgorithm> ':'
<The length of the packet that was hashed> ':'
<The TTL of the packet>
NULL string termination character
The hash value is represented in hexadecimal notation."
::= { oisfTrap 32 }
oisfGeneratorID OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The ID of the generator in the source code which created the
alert."
::= { oisfTrap 33 }
oisfSensorID OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The ID of the sensor on the IDS which saw the traffic which
created the alert."
::= { oisfTrap 34 }
oisfClassification OBJECT-TYPE
SYNTAX DisplayString(SIZE(0..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The classification of the rule which caused the alert."
::= { oisfTrap 35 }
oisfInterface OBJECT-TYPE
SYNTAX DisplayString(SIZE(0..128))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The name of the interface from which the traffic came that
caused the alert."
::= { oisfTrap 36 }
oisfTrapTimeZone OBJECT-TYPE
SYNTAX DisplayString(SIZE(0..128))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The timezone of the IDS that caused the alert."
::= { oisfTrap 37 }
--
-- OISF / Product / IDS / Suricata information
--
oisfProduct OBJECT IDENTIFIER ::= { oisf 4 }
ids OBJECT IDENTIFIER ::= { oisfProduct 1 }
suricata OBJECT IDENTIFIER ::= { ids 1 }
oisfSuricataVersion OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..25))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Version number of the Suricata software which generated the
SNMP trap"
::= { suricata 1 }
oisfSuricataDescription OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(0..1024))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Description of the Suricata software which generated the SNMP
trap"
::= { suricata 2 }
oisfSuricataUptime OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Time, in hundredths of a second (TimeTicks), since the Suricata software was invoked"
::= { suricata 3 }
--
-- SNMP Conformance information
--
oisfConformance OBJECT IDENTIFIER ::= { oisf 3 }
oisfCompliances OBJECT IDENTIFIER ::= { oisfConformance 1 }
oisfGroups OBJECT IDENTIFIER ::= { oisfConformance 2 }
oisfTrapCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for the SNMP entities which implement the
OISF MIB"
MODULE
MANDATORY-GROUPS { oisfTrapGroup, oisfIDSSuricataGroup }
::= { oisfCompliances 1 }
oisfTrapGroup OBJECT-GROUP
OBJECTS {
oisfClassification,
oisfGeneratorID,
oisfInterface,
oisfPacketPrint,
oisfSensorID,
oisfSignatureID,
oisfSignatureMsg,
oisfSignatureRev,
oisfTrapActionTaken,
oisfTrapDstAddress,
oisfTrapDstAddressList,
oisfTrapDstAddressType,
oisfTrapDstMACAddress,
oisfTrapDstPort,
oisfTrapDstPortList,
oisfTrapEventPriority,
oisfTrapEventStatus,
oisfTrapImpact,
oisfTrapMoreInfo,
oisfTrapMsg,
oisfTrapOccurences,
oisfTrapProto,
oisfTrapScanDuration,
oisfTrapScanType,
oisfTrapScanedHosts,
oisfTrapSrcAddress,
oisfTrapSrcAddressList,
oisfTrapSrcAddressType,
oisfTrapSrcMACAddress,
oisfTrapSrcPort,
oisfTrapSrcPortList,
oisfTrapStartTime,
oisfTrapTCPScanCount,
oisfTrapTimeStamp,
oisfTrapTimeZone,
oisfTrapTrapID,
oisfTrapUDPScanCount
}
STATUS current
DESCRIPTION
"The SNMP objects used to describe and dispatch the SNMP traps from
OISF IDS software."
::= { oisfGroups 1 }
oisfIDSSuricataGroup OBJECT-GROUP
OBJECTS {
oisfSuricataDescription,
oisfSuricataUptime,
oisfSuricataVersion
}
STATUS current
DESCRIPTION
"The SNMP objects used to describe the OISF IDS Suricata software."
::= { oisfGroups 2 }
END
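The two textual conventions above (OisfInetAddrList and OisfInetPortList) only describe their list format in prose, and a trap receiver has to validate those OCTET STRING varbinds before acting on them. The following is an added example, not part of Mark's post or the barnyard2 module: a strict parser for both formats, enforcing the SIZE (0..1024) bound, the '4'/'6' type prefix and range ordering, plus a membership check a receiver could use to match a trap source against a list. The sample list value is constructed, and the code assumes the lists arrive as the ASCII text the DESCRIPTION specifies.

```python
import ipaddress
import re

# SIZE (0..1024) limit declared for both textual conventions in OISF-MIB.
MAX_LIST_OCTETS = 1024
_TYPE_PREFIX = re.compile(r"^([46]):(.+)$")
# Constructed sample varbind value, not taken from a real trap.
SAMPLE_SRC_LIST = "10.0.0.1 4:192.0.2.0-192.0.2.255 6:2001:db8::1-2001:db8::ff"


def parse_addr_list(raw):
    """Parse an OisfInetAddrList value: zero or more space-separated
    '[Type:]FromIP[-ToIP]' entries, Type being '4' (default) or '6'.
    Returns [(version, first_ip, last_ip), ...] or raises ValueError."""
    if len(raw.encode("ascii")) > MAX_LIST_OCTETS:
        raise ValueError("address list exceeds SIZE (0..1024)")
    ranges = []
    for item in raw.split():
        version = 4  # the convention text makes type 4 the default
        m = _TYPE_PREFIX.match(item)
        if m:
            version, item = int(m.group(1)), m.group(2)
        # Caveat: a bare IPv6 entry such as '6::1' matches the prefix rule as
        # type 6 plus ':1', so senders must always prefix IPv6 entries with '6:'.
        first, _, last = item.partition("-")  # IPv6 text never contains '-'
        lo = ipaddress.ip_address(first)
        hi = ipaddress.ip_address(last) if last else lo
        if lo.version != version or hi.version != version:
            raise ValueError(f"{item!r} does not match declared address type {version}")
        if hi < lo:
            raise ValueError(f"{item!r}: ToIP is below FromIP")
        ranges.append((version, lo, hi))
    return ranges


def parse_port_list(raw):
    """Parse an OisfInetPortList value: space-separated 'FromPort[-ToPort]' entries."""
    if len(raw.encode("ascii")) > MAX_LIST_OCTETS:
        raise ValueError("port list exceeds SIZE (0..1024)")
    ranges = []
    for item in raw.split():
        first, _, last = item.partition("-")
        lo, hi = int(first), (int(last) if last else int(first))
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range {item!r}")
        ranges.append((lo, hi))
    return ranges


def addr_in_list(ip, raw):
    """True if ip falls inside any range of an OisfInetAddrList value."""
    target = ipaddress.ip_address(ip)
    return any(v == target.version and lo <= target <= hi
               for v, lo, hi in parse_addr_list(raw))
```

Note that the DISPLAY-HINT "1x:" on both conventions tells an NMS to render the value as hex octets, so a browser will not show the ASCII list form this parser consumes.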