Commit version 24.12.13800
@ -1,417 +1,476 @@
|
||||
--******************************************************************************
|
||||
-- HM2-DOS-MITIGATION-MIB: Managed objects for
|
||||
--
|
||||
-- March 2012
|
||||
--
|
||||
-- Copyright (c) Hirschmann Automation & Control GmbH 2012
|
||||
--******************************************************************************
|
||||
|
||||
HM2-DOS-MITIGATION-MIB DEFINITIONS ::= BEGIN
|
||||
IMPORTS
|
||||
OBJECT-TYPE, MODULE-IDENTITY,
|
||||
Unsigned32
|
||||
FROM SNMPv2-SMI
|
||||
RowStatus, TEXTUAL-CONVENTION
|
||||
FROM SNMPv2-TC
|
||||
MODULE-COMPLIANCE, OBJECT-GROUP
|
||||
FROM SNMPv2-CONF
|
||||
InterfaceIndex
|
||||
FROM IF-MIB
|
||||
hm2ConfigurationMibs, HmEnabledStatus
|
||||
FROM HM2-TC-MIB
|
||||
;
|
||||
|
||||
hm2DosMitigationMib MODULE-IDENTITY
|
||||
LAST-UPDATED "201209180000Z" -- September 18, 2012
|
||||
ORGANIZATION "Hirschmann Automation and Control GmbH"
|
||||
CONTACT-INFO
|
||||
"Postal: Stuttgarter Str. 45-51
|
||||
72654 Neckartenzlingen
|
||||
Germany
|
||||
Phone: +49 7127 140
|
||||
E-mail: hac.support@belden.com"
|
||||
DESCRIPTION
|
||||
"Hirschmann Denial of Service MIB
|
||||
Copyright (C) 2012. All Rights Reserved."
|
||||
REVISION "201209180000Z" -- September 18, 2012
|
||||
DESCRIPTION
|
||||
"Change the range of valid values for
|
||||
hm2DosMitigationTcpMinimalHeaderSize
|
||||
MIB object from (0..255) to (20..255)."
|
||||
REVISION "201208200000Z" -- August 20, 2012
|
||||
DESCRIPTION
|
||||
"hm2DosMitigationTcpFrag MIB object removed."
|
||||
REVISION "201206060000Z" -- June 06, 2012
|
||||
DESCRIPTION
|
||||
"Add MIB objects for all features supported by XGS4 switch."
|
||||
REVISION "201203190000Z" -- Mar 19, 2012
|
||||
DESCRIPTION
|
||||
"Initial version."
|
||||
::= { hm2ConfigurationMibs 82 }
|
||||
|
||||
DosFeatureValue ::= TEXTUAL-CONVENTION
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"Type of feature support:
|
||||
- hw(1): Supported in Hardware
|
||||
- sw(2): Supported in Software
|
||||
- noSup(3): Not implemented (no support)"
|
||||
SYNTAX INTEGER {
|
||||
hw(1),
|
||||
sw(2),
|
||||
noSup(3)
|
||||
}
|
||||
|
||||
|
||||
|
||||
hm2DosMitigationNotifications OBJECT IDENTIFIER ::= { hm2DosMitigationMib 0 }
|
||||
hm2DosMitigationObjects OBJECT IDENTIFIER ::= { hm2DosMitigationMib 1 }
|
||||
hm2DosMitigationConformance OBJECT IDENTIFIER ::= { hm2DosMitigationMib 2}
|
||||
|
||||
--******************************************************************************
|
||||
-- General Settings
|
||||
--******************************************************************************
|
||||
|
||||
hm2DosMitigationGeneralSettings OBJECT IDENTIFIER ::= { hm2DosMitigationObjects 1 }
|
||||
|
||||
hm2DosMitigationTcpHdrChecks OBJECT IDENTIFIER ::= { hm2DosMitigationGeneralSettings 1 }
|
||||
|
||||
hm2DosMitigationTcpNullScan OBJECT-TYPE
|
||||
SYNTAX HmEnabledStatus
|
||||
MAX-ACCESS read-write
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"When enabled, TCP Null scans (TCP flags and sequence number
|
||||
set to 0) are filtered by the device."
|
||||
DEFVAL { disable }
|
||||
::= { hm2DosMitigationTcpHdrChecks 1 }
|
||||
|
||||
|
||||
hm2DosMitigationTcpXmasScan OBJECT-TYPE
|
||||
SYNTAX HmEnabledStatus
|
||||
MAX-ACCESS read-write
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"When enabled TCP Xmas scans (TCP flags FIN,
|
||||
URG and PSH all set to 1 and a TCP sequence
|
||||
number = 0) are filtered by the device."
|
||||
DEFVAL { disable }
|
||||
::= { hm2DosMitigationTcpHdrChecks 4 }
|
||||
|
||||
hm2DosMitigationTcpSynFinScan OBJECT-TYPE
|
||||
SYNTAX HmEnabledStatus
|
||||
MAX-ACCESS read-write
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"When enabled TCP packets with SYN and FIN flags set are
|
||||
filtered by the device."
|
||||
DEFVAL { disable }
|
||||
::= { hm2DosMitigationTcpHdrChecks 7 }
|
||||
|
||||
hm2DosMitigationTcpMinimalHeader OBJECT-TYPE
|
||||
SYNTAX HmEnabledStatus
|
||||
MAX-ACCESS read-write
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"When enabled all TCP frames are checked for a minimal valid
|
||||
header size. Packets that contain an invalid header size are
|
||||
discarded."
|
||||
DEFVAL { disable }
|
||||
::= { hm2DosMitigationTcpHdrChecks 10 }
|
||||
|
||||
hm2DosMitigationTcpMinimalHeaderSize OBJECT-TYPE
|
||||
SYNTAX Unsigned32 (20..255)
|
||||
MAX-ACCESS read-write
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
" Specifies the minimum size of a valid TCP frame header size."
|
||||
DEFVAL { 20 }
|
||||
::= { hm2DosMitigationTcpHdrChecks 11 }
|
||||
|
||||
hm2DosMitigationLandAttack OBJECT-TYPE
|
||||
SYNTAX HmEnabledStatus
|
||||
MAX-ACCESS read-write
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"When enabled all IP frames are checked for equality of
|
||||
src and dst IP address (known as land attack). Packets that
|
||||
contain such a combination are silently discarded when
|
||||
enabled."
|
||||
DEFVAL { disable }
|
||||
::= { hm2DosMitigationTcpHdrChecks 13 }
|
||||
|
||||
hm2DosMitigationTcpOffsetEqu1 OBJECT-TYPE
|
||||
SYNTAX HmEnabledStatus
|
||||
MAX-ACCESS read-write
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"Enable/Disable TCP offset DoS protection. All packets
|
||||
ingress having a TCP header offset equal to 1 are dropped."
|
||||
DEFVAL { disable }
|
||||
::= { hm2DosMitigationTcpHdrChecks 14 }
|
||||
|
||||
hm2DosMitigationTcpPrivilegedSrcPort OBJECT-TYPE
|
||||
SYNTAX HmEnabledStatus
|
||||
MAX-ACCESS read-write
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"Enable/Disable TCP SYN and L4 source port smaller than 1024
|
||||
DoS protection. All packets ingress having the TCP SYN flag set
|
||||
and a L4 source port from 0 to 1023 are dropped."
|
||||
DEFVAL { disable }
|
||||
::= { hm2DosMitigationTcpHdrChecks 15 }
|
||||
|
||||
hm2DosMitigationTcpSrcDstPortEqu OBJECT-TYPE
|
||||
SYNTAX HmEnabledStatus
|
||||
MAX-ACCESS read-write
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"Enable/Disable L4 source port equals L4 destination port
|
||||
DoS protection. All TCP or UDP packets ingress having the
|
||||
L4 source port equal to L4 destination port are dropped."
|
||||
DEFVAL { disable }
|
||||
::= { hm2DosMitigationTcpHdrChecks 16 }
|
||||
|
||||
|
||||
hm2DosMitigationIcmpChecks OBJECT IDENTIFIER ::= { hm2DosMitigationGeneralSettings 2 }
|
||||
|
||||
hm2DosMitigationIcmpFrags OBJECT-TYPE
|
||||
SYNTAX HmEnabledStatus
|
||||
MAX-ACCESS read-write
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"When enabled, all fragmented ICMP packets are filtered by the
|
||||
device."
|
||||
DEFVAL { disable }
|
||||
::= { hm2DosMitigationIcmpChecks 1 }
|
||||
|
||||
|
||||
hm2DosMitigationIcmpPacketSize OBJECT-TYPE
|
||||
SYNTAX Unsigned32 (0..1472)
|
||||
MAX-ACCESS read-write
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"Specifies the max. allowed payload size of ICMP packets.
|
||||
Packets having bigger payload are filtered by the device
|
||||
if the hm2DosMitigationIcmpPacketSizeMode is enabled."
|
||||
DEFVAL { 512 }
|
||||
::= { hm2DosMitigationIcmpChecks 4 }
|
||||
|
||||
hm2DosMitigationIcmpPacketSizeMode OBJECT-TYPE
|
||||
SYNTAX HmEnabledStatus
|
||||
MAX-ACCESS read-write
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"When enabled all ICMP ingress packets having the
|
||||
payload bigger than hm2DosMitigationIcmpPacketSize
|
||||
are filtered by device. "
|
||||
DEFVAL { disable }
|
||||
::= { hm2DosMitigationIcmpChecks 5 }
|
||||
|
||||
hm2DosMitigationIcmpSmurfAttack OBJECT-TYPE
|
||||
SYNTAX HmEnabledStatus
|
||||
MAX-ACCESS read-write
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"When enabled, all ingress ICMP packets having
|
||||
the type set to ECHO_REQ (ping) and a broadcast
|
||||
destination IP are dropped. "
|
||||
DEFVAL { disable }
|
||||
::= { hm2DosMitigationIcmpChecks 6 }
|
||||
|
||||
hm2DosMitigationL2Checks OBJECT IDENTIFIER ::= { hm2DosMitigationGeneralSettings 3}
|
||||
|
||||
hm2DosMitigationSMacDMac OBJECT-TYPE
|
||||
SYNTAX HmEnabledStatus
|
||||
MAX-ACCESS read-write
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"Enable/Disable source MAC address equals destination
|
||||
MAC address DoS protection. All packets ingress having
|
||||
SMAC equals DMAC are dropped."
|
||||
DEFVAL { enable }
|
||||
::= { hm2DosMitigationL2Checks 7 }
|
||||
|
||||
|
||||
hm2DosMitigationCapabilities OBJECT IDENTIFIER ::= { hm2DosMitigationGeneralSettings 0 }
|
||||
|
||||
hm2DosMitigationTcpHdrChecksSup OBJECT-TYPE
|
||||
SYNTAX DosFeatureValue
|
||||
MAX-ACCESS read-only
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"The type of support for TCP header checks."
|
||||
::= { hm2DosMitigationCapabilities 1 }
|
||||
|
||||
hm2DosMitigationIcmpChecksSup OBJECT-TYPE
|
||||
SYNTAX DosFeatureValue
|
||||
MAX-ACCESS read-only
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"The type of support for ICMP checks."
|
||||
::= { hm2DosMitigationCapabilities 2 }
|
||||
|
||||
hm2DosMitigationTcpSynLimitSup OBJECT-TYPE
|
||||
SYNTAX DosFeatureValue
|
||||
MAX-ACCESS read-only
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"The type of support for TCP SYN limiter."
|
||||
::= { hm2DosMitigationCapabilities 3 }
|
||||
|
||||
hm2DosMitigationArpLimitSup OBJECT-TYPE
|
||||
SYNTAX DosFeatureValue
|
||||
MAX-ACCESS read-only
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"The type of support for ARP limiter."
|
||||
::= { hm2DosMitigationCapabilities 4 }
|
||||
|
||||
hm2DosMitigationTcpNullScanSup OBJECT-TYPE
|
||||
SYNTAX DosFeatureValue
|
||||
MAX-ACCESS read-only
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"The type of support for TCP Null Scan."
|
||||
::= { hm2DosMitigationCapabilities 5 }
|
||||
|
||||
hm2DosMitigationTcpXmasSup OBJECT-TYPE
|
||||
SYNTAX DosFeatureValue
|
||||
MAX-ACCESS read-only
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"The type of support for TCP Xmas Scan."
|
||||
::= { hm2DosMitigationCapabilities 6 }
|
||||
|
||||
|
||||
hm2DosMitigationTcpLandSup OBJECT-TYPE
|
||||
SYNTAX DosFeatureValue
|
||||
MAX-ACCESS read-only
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"The type of support for land attack detection."
|
||||
::= { hm2DosMitigationCapabilities 7 }
|
||||
|
||||
|
||||
--******************************************************************************
|
||||
-- TCP Syn/Arp Limiter
|
||||
--******************************************************************************
|
||||
|
||||
hm2DosMitigationLimiter OBJECT IDENTIFIER ::= { hm2DosMitigationObjects 2 }
|
||||
|
||||
hm2DosMitigationLimiterObjects OBJECT IDENTIFIER ::= { hm2DosMitigationLimiter 1 }
|
||||
|
||||
hm2DosMitigationLimiterRules OBJECT IDENTIFIER ::= { hm2DosMitigationLimiter 2 }
|
||||
|
||||
hm2DosMitigationLimiterRuleTable OBJECT-TYPE
|
||||
SYNTAX SEQUENCE OF Hm2DosMitigationLimiterRuleEntry
|
||||
MAX-ACCESS not-accessible
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"TCP Syn Limiter Interface Table"
|
||||
::= { hm2DosMitigationLimiterRules 1 }
|
||||
|
||||
hm2DosMitigationLimiterRuleEntry OBJECT-TYPE
|
||||
SYNTAX Hm2DosMitigationLimiterRuleEntry
|
||||
MAX-ACCESS not-accessible
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"TCP Syn Interface entry."
|
||||
INDEX { hm2DosMitigationLimiterInterface }
|
||||
::= { hm2DosMitigationLimiterRuleTable 1 }
|
||||
|
||||
Hm2DosMitigationLimiterRuleEntry ::=
|
||||
SEQUENCE {
|
||||
hm2DosMitigationLimiterInterface InterfaceIndex,
|
||||
hm2DosMitigationLimiterTcpSynLimit Unsigned32,
|
||||
hm2DosMitigationLimiterArpLimit Unsigned32,
|
||||
hm2DosMitigationLimiterRowStatus RowStatus
|
||||
}
|
||||
|
||||
hm2DosMitigationLimiterInterface OBJECT-TYPE
|
||||
SYNTAX InterfaceIndex
|
||||
MAX-ACCESS accessible-for-notify
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"The interface the limiter is assigned to."
|
||||
::={ hm2DosMitigationLimiterRuleEntry 1 }
|
||||
|
||||
hm2DosMitigationLimiterTcpSynLimit OBJECT-TYPE
|
||||
SYNTAX Unsigned32
|
||||
MAX-ACCESS read-create
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"The number of allowed outgoing TCP syn packets per second
|
||||
per interface.
|
||||
A value of 0 disables the limiter for this interface."
|
||||
::={ hm2DosMitigationLimiterRuleEntry 2 }
|
||||
|
||||
hm2DosMitigationLimiterArpLimit OBJECT-TYPE
|
||||
SYNTAX Unsigned32
|
||||
MAX-ACCESS read-create
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"The number of allowed outgoing ARP packets per second per
|
||||
interface.
|
||||
A value of 0 disables the limiter for this interface."
|
||||
::={ hm2DosMitigationLimiterRuleEntry 3 }
|
||||
|
||||
|
||||
hm2DosMitigationLimiterRowStatus OBJECT-TYPE
|
||||
SYNTAX RowStatus
|
||||
MAX-ACCESS read-create
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"Row status."
|
||||
::={ hm2DosMitigationLimiterRuleEntry 4 }
|
||||
|
||||
|
||||
--******************************************************************************
|
||||
-- Compliance statements
|
||||
--******************************************************************************
|
||||
|
||||
hm2DosMitigationCompliances OBJECT IDENTIFIER ::= { hm2DosMitigationConformance 1 }
|
||||
hm2DosMitigationGroups OBJECT IDENTIFIER ::= { hm2DosMitigationConformance 2 }
|
||||
|
||||
hm2DosMitigationCompliance MODULE-COMPLIANCE
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"The compliance statement for an SNMP entity which
|
||||
implements the Hirschmann DOS Mitigation MIB."
|
||||
MODULE -- this module
|
||||
MANDATORY-GROUPS { hm2DosMitigationGeneralGroup }
|
||||
::= { hm2DosMitigationCompliances 1 }
|
||||
|
||||
hm2DosMitigationGeneralGroup OBJECT-GROUP
|
||||
OBJECTS {
|
||||
hm2DosMitigationTcpSynFinScan,
|
||||
hm2DosMitigationTcpNullScan,
|
||||
hm2DosMitigationTcpXmasScan,
|
||||
hm2DosMitigationTcpMinimalHeader,
|
||||
hm2DosMitigationTcpMinimalHeaderSize,
|
||||
hm2DosMitigationLandAttack,
|
||||
hm2DosMitigationTcpOffsetEqu1,
|
||||
hm2DosMitigationTcpPrivilegedSrcPort,
|
||||
hm2DosMitigationTcpSrcDstPortEqu,
|
||||
hm2DosMitigationIcmpFrags,
|
||||
hm2DosMitigationIcmpPacketSize,
|
||||
hm2DosMitigationIcmpPacketSizeMode,
|
||||
hm2DosMitigationSMacDMac,
|
||||
hm2DosMitigationTcpHdrChecksSup,
|
||||
hm2DosMitigationIcmpChecksSup,
|
||||
hm2DosMitigationTcpSynLimitSup,
|
||||
hm2DosMitigationArpLimitSup,
|
||||
hm2DosMitigationLimiterInterface,
|
||||
hm2DosMitigationLimiterTcpSynLimit,
|
||||
hm2DosMitigationLimiterArpLimit,
|
||||
hm2DosMitigationLimiterRowStatus,
|
||||
hm2DosMitigationTcpXmasSup,
|
||||
hm2DosMitigationTcpNullScanSup,
|
||||
hm2DosMitigationTcpLandSup
|
||||
}
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"A collection of all Hirschmann objects provided by the DoS Mitigation
|
||||
module."
|
||||
::= { hm2DosMitigationGroups 1 }
|
||||
END
|
||||
--******************************************************************************
|
||||
-- HM2-DOS-MITIGATION-MIB: Managed objects for
|
||||
--
|
||||
-- March 2012
|
||||
--
|
||||
-- Copyright (c) Hirschmann Automation & Control GmbH 2012
|
||||
--******************************************************************************
|
||||
|
||||
HM2-DOS-MITIGATION-MIB DEFINITIONS ::= BEGIN
|
||||
IMPORTS
|
||||
OBJECT-TYPE, MODULE-IDENTITY,
|
||||
Unsigned32
|
||||
FROM SNMPv2-SMI
|
||||
RowStatus, TEXTUAL-CONVENTION
|
||||
FROM SNMPv2-TC
|
||||
MODULE-COMPLIANCE, OBJECT-GROUP
|
||||
FROM SNMPv2-CONF
|
||||
InterfaceIndex, ifIndex
|
||||
FROM IF-MIB
|
||||
hm2ConfigurationMibs, HmEnabledStatus
|
||||
FROM HM2-TC-MIB
|
||||
;
|
||||
|
||||
hm2DosMitigationMib MODULE-IDENTITY
|
||||
LAST-UPDATED "201209180000Z" -- September 18, 2012
|
||||
ORGANIZATION "Hirschmann Automation and Control GmbH"
|
||||
CONTACT-INFO
|
||||
"Postal: Stuttgarter Str. 45-51
|
||||
72654 Neckartenzlingen
|
||||
Germany
|
||||
Phone: +49 7127 140
|
||||
E-mail: hac.support@belden.com"
|
||||
DESCRIPTION
|
||||
"Hirschmann Denial of Service MIB
|
||||
Copyright (C) 2012. All Rights Reserved."
|
||||
REVISION "201209180000Z" -- September 18, 2012
|
||||
DESCRIPTION
|
||||
"Change the range of valid values for
|
||||
hm2DosMitigationTcpMinimalHeaderSize
|
||||
MIB object from (0..255) to (20..255)."
|
||||
REVISION "201208200000Z" -- August 20, 2012
|
||||
DESCRIPTION
|
||||
"hm2DosMitigationTcpFrag MIB object removed."
|
||||
REVISION "201206060000Z" -- June 06, 2012
|
||||
DESCRIPTION
|
||||
"Add MIB objects for all features supported by XGS4 switch."
|
||||
REVISION "201203190000Z" -- Mar 19, 2012
|
||||
DESCRIPTION
|
||||
"Initial version."
|
||||
::= { hm2ConfigurationMibs 82 }
|
||||
|
||||
DosFeatureValue ::= TEXTUAL-CONVENTION
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"Type of feature support:
|
||||
- hw(1): Supported in Hardware
|
||||
- sw(2): Supported in Software
|
||||
- noSup(3): Not implemented (no support)"
|
||||
SYNTAX INTEGER {
|
||||
hw(1),
|
||||
sw(2),
|
||||
noSup(3)
|
||||
}
|
||||
|
||||
|
||||
|
||||
hm2DosMitigationNotifications OBJECT IDENTIFIER ::= { hm2DosMitigationMib 0 }
|
||||
hm2DosMitigationObjects OBJECT IDENTIFIER ::= { hm2DosMitigationMib 1 }
|
||||
hm2DosMitigationConformance OBJECT IDENTIFIER ::= { hm2DosMitigationMib 2}
|
||||
|
||||
--******************************************************************************
|
||||
-- General Settings
|
||||
--******************************************************************************
|
||||
|
||||
hm2DosMitigationGeneralSettings OBJECT IDENTIFIER ::= { hm2DosMitigationObjects 1 }
|
||||
|
||||
hm2DosMitigationTcpHdrChecks OBJECT IDENTIFIER ::= { hm2DosMitigationGeneralSettings 1 }
|
||||
|
||||
hm2DosMitigationTcpNullScan OBJECT-TYPE
|
||||
SYNTAX HmEnabledStatus
|
||||
MAX-ACCESS read-write
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"When enabled, TCP Null scans (TCP flags and sequence number
|
||||
set to 0) are filtered by the device."
|
||||
DEFVAL { disable }
|
||||
::= { hm2DosMitigationTcpHdrChecks 1 }
|
||||
|
||||
|
||||
hm2DosMitigationTcpXmasScan OBJECT-TYPE
|
||||
SYNTAX HmEnabledStatus
|
||||
MAX-ACCESS read-write
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"When enabled TCP Xmas scans (TCP flags FIN,
|
||||
URG and PSH all set to 1 and a TCP sequence
|
||||
number = 0) are filtered by the device."
|
||||
DEFVAL { disable }
|
||||
::= { hm2DosMitigationTcpHdrChecks 4 }
|
||||
|
||||
hm2DosMitigationTcpSynFinScan OBJECT-TYPE
|
||||
SYNTAX HmEnabledStatus
|
||||
MAX-ACCESS read-write
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"When enabled TCP packets with SYN and FIN flags set are
|
||||
filtered by the device."
|
||||
DEFVAL { disable }
|
||||
::= { hm2DosMitigationTcpHdrChecks 7 }
|
||||
|
||||
hm2DosMitigationTcpMinimalHeader OBJECT-TYPE
|
||||
SYNTAX HmEnabledStatus
|
||||
MAX-ACCESS read-write
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"When enabled all TCP frames are checked for a minimal valid
|
||||
header size. Packets that contain an invalid header size are
|
||||
discarded."
|
||||
DEFVAL { disable }
|
||||
::= { hm2DosMitigationTcpHdrChecks 10 }
|
||||
|
||||
hm2DosMitigationTcpMinimalHeaderSize OBJECT-TYPE
|
||||
SYNTAX Unsigned32 (20..255)
|
||||
MAX-ACCESS read-write
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
" Specifies the minimum size of a valid TCP frame header size."
|
||||
DEFVAL { 20 }
|
||||
::= { hm2DosMitigationTcpHdrChecks 11 }
|
||||
|
||||
hm2DosMitigationLandAttack OBJECT-TYPE
|
||||
SYNTAX HmEnabledStatus
|
||||
MAX-ACCESS read-write
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"When enabled all IP frames are checked for equality of
|
||||
src and dst IP address (known as land attack). Packets that
|
||||
contain such a combination are silently discarded when
|
||||
enabled."
|
||||
DEFVAL { disable }
|
||||
::= { hm2DosMitigationTcpHdrChecks 13 }
|
||||
|
||||
hm2DosMitigationTcpOffsetEqu1 OBJECT-TYPE
|
||||
SYNTAX HmEnabledStatus
|
||||
MAX-ACCESS read-write
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"Enable/Disable TCP offset DoS protection. All packets
|
||||
ingress having a TCP header offset equal to 1 are dropped."
|
||||
DEFVAL { disable }
|
||||
::= { hm2DosMitigationTcpHdrChecks 14 }
|
||||
|
||||
hm2DosMitigationTcpPrivilegedSrcPort OBJECT-TYPE
|
||||
SYNTAX HmEnabledStatus
|
||||
MAX-ACCESS read-write
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"Enable/Disable TCP SYN and L4 source port smaller than 1024
|
||||
DoS protection. All packets ingress having the TCP SYN flag set
|
||||
and a L4 source port from 0 to 1023 are dropped."
|
||||
DEFVAL { disable }
|
||||
::= { hm2DosMitigationTcpHdrChecks 15 }
|
||||
|
||||
hm2DosMitigationTcpSrcDstPortEqu OBJECT-TYPE
|
||||
SYNTAX HmEnabledStatus
|
||||
MAX-ACCESS read-write
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"Enable/Disable L4 source port equals L4 destination port
|
||||
DoS protection. All TCP or UDP packets ingress having the
|
||||
L4 source port equal to L4 destination port are dropped."
|
||||
DEFVAL { disable }
|
||||
::= { hm2DosMitigationTcpHdrChecks 16 }
|
||||
|
||||
|
||||
hm2DosMitigationIcmpChecks OBJECT IDENTIFIER ::= { hm2DosMitigationGeneralSettings 2 }
|
||||
|
||||
hm2DosMitigationIcmpFrags OBJECT-TYPE
|
||||
SYNTAX HmEnabledStatus
|
||||
MAX-ACCESS read-write
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"When enabled, all fragmented ICMP packets are filtered by the
|
||||
device."
|
||||
DEFVAL { disable }
|
||||
::= { hm2DosMitigationIcmpChecks 1 }
|
||||
|
||||
|
||||
hm2DosMitigationIcmpPacketSize OBJECT-TYPE
|
||||
SYNTAX Unsigned32 (0..1472)
|
||||
MAX-ACCESS read-write
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"Specifies the max. allowed payload size of ICMP packets.
|
||||
Packets having bigger payload are filtered by the device
|
||||
if the hm2DosMitigationIcmpPacketSizeMode is enabled."
|
||||
DEFVAL { 512 }
|
||||
::= { hm2DosMitigationIcmpChecks 4 }
|
||||
|
||||
hm2DosMitigationIcmpPacketSizeMode OBJECT-TYPE
|
||||
SYNTAX HmEnabledStatus
|
||||
MAX-ACCESS read-write
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"When enabled all ICMP ingress packets having the
|
||||
payload bigger than hm2DosMitigationIcmpPacketSize
|
||||
are filtered by device. "
|
||||
DEFVAL { disable }
|
||||
::= { hm2DosMitigationIcmpChecks 5 }
|
||||
|
||||
hm2DosMitigationIcmpSmurfAttack OBJECT-TYPE
|
||||
SYNTAX HmEnabledStatus
|
||||
MAX-ACCESS read-write
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"When enabled, all ingress ICMP packets having
|
||||
the type set to ECHO_REQ (ping) and a broadcast
|
||||
destination IP are dropped. "
|
||||
DEFVAL { disable }
|
||||
::= { hm2DosMitigationIcmpChecks 6 }
|
||||
|
||||
hm2DosMitigationL2Checks OBJECT IDENTIFIER ::= { hm2DosMitigationGeneralSettings 3}
|
||||
|
||||
hm2DosMitigationSMacDMac OBJECT-TYPE
|
||||
SYNTAX HmEnabledStatus
|
||||
MAX-ACCESS read-write
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"Enable/Disable source MAC address equals destination
|
||||
MAC address DoS protection. All packets ingress having
|
||||
SMAC equals DMAC are dropped."
|
||||
DEFVAL { enable }
|
||||
::= { hm2DosMitigationL2Checks 7 }
|
||||
|
||||
|
||||
hm2DosMitigationIpHdrChecks OBJECT IDENTIFIER ::= { hm2DosMitigationGeneralSettings 4}
|
||||
|
||||
hm2DosMitigationDropIpSrcRoute OBJECT-TYPE
|
||||
SYNTAX HmEnabledStatus
|
||||
MAX-ACCESS read-write
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"Discard packets with the Strict/Loose Source Routing IP option set."
|
||||
DEFVAL { enable }
|
||||
::= { hm2DosMitigationIpHdrChecks 1 }
|
||||
|
||||
hm2DosMitigationCapabilities OBJECT IDENTIFIER ::= { hm2DosMitigationGeneralSettings 0 }
|
||||
|
||||
hm2DosMitigationTcpHdrChecksSup OBJECT-TYPE
|
||||
SYNTAX DosFeatureValue
|
||||
MAX-ACCESS read-only
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"The type of support for TCP header checks."
|
||||
::= { hm2DosMitigationCapabilities 1 }
|
||||
|
||||
hm2DosMitigationIcmpChecksSup OBJECT-TYPE
|
||||
SYNTAX DosFeatureValue
|
||||
MAX-ACCESS read-only
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"The type of support for ICMP checks."
|
||||
::= { hm2DosMitigationCapabilities 2 }
|
||||
|
||||
hm2DosMitigationTcpSynLimitSup OBJECT-TYPE
|
||||
SYNTAX DosFeatureValue
|
||||
MAX-ACCESS read-only
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"The type of support for TCP SYN limiter."
|
||||
::= { hm2DosMitigationCapabilities 3 }
|
||||
|
||||
hm2DosMitigationArpLimitSup OBJECT-TYPE
|
||||
SYNTAX DosFeatureValue
|
||||
MAX-ACCESS read-only
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"The type of support for ARP limiter."
|
||||
::= { hm2DosMitigationCapabilities 4 }
|
||||
|
||||
hm2DosMitigationTcpNullScanSup OBJECT-TYPE
|
||||
SYNTAX DosFeatureValue
|
||||
MAX-ACCESS read-only
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"The type of support for TCP Null Scan."
|
||||
::= { hm2DosMitigationCapabilities 5 }
|
||||
|
||||
hm2DosMitigationTcpXmasSup OBJECT-TYPE
|
||||
SYNTAX DosFeatureValue
|
||||
MAX-ACCESS read-only
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"The type of support for TCP Xmas Scan."
|
||||
::= { hm2DosMitigationCapabilities 6 }
|
||||
|
||||
|
||||
hm2DosMitigationTcpLandSup OBJECT-TYPE
|
||||
SYNTAX DosFeatureValue
|
||||
MAX-ACCESS read-only
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"The type of support for land attack detection."
|
||||
::= { hm2DosMitigationCapabilities 7 }
|
||||
|
||||
|
||||
--******************************************************************************
|
||||
-- TCP Syn/Arp Limiter
|
||||
--******************************************************************************
|
||||
|
||||
hm2DosMitigationLimiter OBJECT IDENTIFIER ::= { hm2DosMitigationObjects 2 }
|
||||
|
||||
hm2DosMitigationLimiterObjects OBJECT IDENTIFIER ::= { hm2DosMitigationLimiter 1 }
|
||||
|
||||
hm2DosMitigationLimiterRules OBJECT IDENTIFIER ::= { hm2DosMitigationLimiter 2 }
|
||||
|
||||
hm2DosMitigationLimiterRuleTable OBJECT-TYPE
|
||||
SYNTAX SEQUENCE OF Hm2DosMitigationLimiterRuleEntry
|
||||
MAX-ACCESS not-accessible
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"TCP Syn Limiter Interface Table"
|
||||
::= { hm2DosMitigationLimiterRules 1 }
|
||||
|
||||
hm2DosMitigationLimiterRuleEntry OBJECT-TYPE
|
||||
SYNTAX Hm2DosMitigationLimiterRuleEntry
|
||||
MAX-ACCESS not-accessible
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"TCP Syn Interface entry."
|
||||
INDEX { hm2DosMitigationLimiterInterface }
|
||||
::= { hm2DosMitigationLimiterRuleTable 1 }
|
||||
|
||||
Hm2DosMitigationLimiterRuleEntry ::=
|
||||
SEQUENCE {
|
||||
hm2DosMitigationLimiterInterface InterfaceIndex,
|
||||
hm2DosMitigationLimiterTcpSynLimit Unsigned32,
|
||||
hm2DosMitigationLimiterArpLimit Unsigned32,
|
||||
hm2DosMitigationLimiterRowStatus RowStatus
|
||||
}
|
||||
|
||||
hm2DosMitigationLimiterInterface OBJECT-TYPE
|
||||
SYNTAX InterfaceIndex
|
||||
MAX-ACCESS accessible-for-notify
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"The interface the limiter is assigned to."
|
||||
::={ hm2DosMitigationLimiterRuleEntry 1 }
|
||||
|
||||
hm2DosMitigationLimiterTcpSynLimit OBJECT-TYPE
|
||||
SYNTAX Unsigned32
|
||||
MAX-ACCESS read-create
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"The number of allowed outgoing TCP syn packets per second
|
||||
per interface.
|
||||
A value of 0 disables the limiter for this interface."
|
||||
::={ hm2DosMitigationLimiterRuleEntry 2 }
|
||||
|
||||
hm2DosMitigationLimiterArpLimit OBJECT-TYPE
|
||||
SYNTAX Unsigned32
|
||||
MAX-ACCESS read-create
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"The number of allowed outgoing ARP packets per second per
|
||||
interface.
|
||||
A value of 0 disables the limiter for this interface."
|
||||
::={ hm2DosMitigationLimiterRuleEntry 3 }
|
||||
|
||||
|
||||
hm2DosMitigationLimiterRowStatus OBJECT-TYPE
|
||||
SYNTAX RowStatus
|
||||
MAX-ACCESS read-create
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"Row status."
|
||||
::={ hm2DosMitigationLimiterRuleEntry 4 }
|
||||
|
||||
--******************************************************************************
|
||||
-- Statistics
|
||||
--******************************************************************************
|
||||
|
||||
hm2DosMitigationStatistics OBJECT IDENTIFIER ::= { hm2DosMitigationObjects 3 }
|
||||
|
||||
hm2DosMitigationGlobalDropCounter OBJECT-TYPE
|
||||
SYNTAX Counter64
|
||||
MAX-ACCESS read-only
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"The total number of packets dropped by the different dos
|
||||
mitigation features."
|
||||
::= { hm2DosMitigationStatistics 1 }
|
||||
|
||||
hm2DosMitigationStatisticsPortTable OBJECT-TYPE
|
||||
SYNTAX SEQUENCE OF Hm2DosMitigationStatisticsPortEntry
|
||||
MAX-ACCESS not-accessible
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"A list of statistics counters for dos mitigation features."
|
||||
::= { hm2DosMitigationStatistics 2 }
|
||||
|
||||
hm2DosMitigationStatisticsPortEntry OBJECT-TYPE
|
||||
SYNTAX Hm2DosMitigationStatisticsPortEntry
|
||||
MAX-ACCESS not-accessible
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"A list of statistics counters for dos mitigation features
|
||||
for an interface."
|
||||
INDEX { ifIndex }
|
||||
::= { hm2DosMitigationStatisticsPortTable 1 }
|
||||
|
||||
Hm2DosMitigationStatisticsPortEntry ::=
|
||||
SEQUENCE {
|
||||
hm2DosMitigationPortDropCounter Counter64
|
||||
}
|
||||
|
||||
hm2DosMitigationPortDropCounter OBJECT-TYPE
|
||||
SYNTAX Counter64
|
||||
MAX-ACCESS read-only
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"The total number of packets dropped by the different dos
|
||||
mitigation features."
|
||||
::= { hm2DosMitigationStatisticsPortEntry 1 }
|
||||
|
||||
|
||||
--******************************************************************************
|
||||
-- Compliance statements
|
||||
--******************************************************************************
|
||||
|
||||
hm2DosMitigationCompliances OBJECT IDENTIFIER ::= { hm2DosMitigationConformance 1 }
|
||||
hm2DosMitigationGroups OBJECT IDENTIFIER ::= { hm2DosMitigationConformance 2 }
|
||||
|
||||
hm2DosMitigationCompliance MODULE-COMPLIANCE
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"The compliance statement for an SNMP entity which
|
||||
implements the Hirschmann DOS Mitigation MIB."
|
||||
MODULE -- this module
|
||||
MANDATORY-GROUPS { hm2DosMitigationGeneralGroup }
|
||||
::= { hm2DosMitigationCompliances 1 }
|
||||
|
||||
hm2DosMitigationGeneralGroup OBJECT-GROUP
|
||||
OBJECTS {
|
||||
hm2DosMitigationTcpSynFinScan,
|
||||
hm2DosMitigationTcpNullScan,
|
||||
hm2DosMitigationTcpXmasScan,
|
||||
hm2DosMitigationTcpMinimalHeader,
|
||||
hm2DosMitigationTcpMinimalHeaderSize,
|
||||
hm2DosMitigationLandAttack,
|
||||
hm2DosMitigationTcpOffsetEqu1,
|
||||
hm2DosMitigationTcpPrivilegedSrcPort,
|
||||
hm2DosMitigationTcpSrcDstPortEqu,
|
||||
hm2DosMitigationIcmpFrags,
|
||||
hm2DosMitigationIcmpPacketSize,
|
||||
hm2DosMitigationIcmpPacketSizeMode,
|
||||
hm2DosMitigationSMacDMac,
|
||||
hm2DosMitigationDropIpSrcRoute,
|
||||
hm2DosMitigationTcpHdrChecksSup,
|
||||
hm2DosMitigationIcmpChecksSup,
|
||||
hm2DosMitigationTcpSynLimitSup,
|
||||
hm2DosMitigationArpLimitSup,
|
||||
hm2DosMitigationLimiterInterface,
|
||||
hm2DosMitigationLimiterTcpSynLimit,
|
||||
hm2DosMitigationLimiterArpLimit,
|
||||
hm2DosMitigationLimiterRowStatus,
|
||||
hm2DosMitigationTcpXmasSup,
|
||||
hm2DosMitigationTcpNullScanSup,
|
||||
hm2DosMitigationTcpLandSup
|
||||
}
|
||||
STATUS current
|
||||
DESCRIPTION
|
||||
"A collection of all Hirschmann objects provided by the DoS Mitigation
|
||||
module."
|
||||
::= { hm2DosMitigationGroups 1 }
|
||||
END
|
||||
|
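Review bot: The two new statistics objects, `hm2DosMitigationGlobalDropCounter` and `hm2DosMitigationPortDropCounter`, are declared with `SYNTAX Counter64` in what appears to be the new copy of the module (the +/- markers are lost on this page), but the IMPORTS clause still takes only `OBJECT-TYPE, MODULE-IDENTITY, Unsigned32` from SNMPv2-SMI, so a strict MIB compiler will reject the module; the import line should read `Unsigned32, Counter64`. Neither counter is listed in `hm2DosMitigationGeneralGroup` (only `hm2DosMitigationDropIpSrcRoute` was added there), so the drop statistics a monitoring station would poll to notice filtering activity sit outside the compliance statement; add both to the OBJECTS list or to a separate statistics group. `LAST-UPDATED` and the newest `REVISION` are still `201209180000Z` although objects were added, and a new REVISION clause describing the additions would let management tooling tell the two versions apart. The DESCRIPTION of the per-port counter repeats the global one word for word; it should state that it counts drops on the interface selected by `ifIndex`.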