418 lines
13 KiB
Plaintext
418 lines
13 KiB
Plaintext
--******************************************************************************
|
|
-- HM2-DOS-MITIGATION-MIB: Managed objects for
|
|
--
|
|
-- March 2012
|
|
--
|
|
-- Copyright (c) Hirschmann Automation & Control GmbH 2012
|
|
--******************************************************************************
|
|
|
|
HM2-DOS-MITIGATION-MIB DEFINITIONS ::= BEGIN
|
|
IMPORTS
|
|
OBJECT-TYPE, MODULE-IDENTITY,
|
|
Unsigned32
|
|
FROM SNMPv2-SMI
|
|
RowStatus, TEXTUAL-CONVENTION
|
|
FROM SNMPv2-TC
|
|
MODULE-COMPLIANCE, OBJECT-GROUP
|
|
FROM SNMPv2-CONF
|
|
InterfaceIndex
|
|
FROM IF-MIB
|
|
hm2ConfigurationMibs, HmEnabledStatus
|
|
FROM HM2-TC-MIB
|
|
;
|
|
|
|
hm2DosMitigationMib MODULE-IDENTITY
|
|
LAST-UPDATED "201209180000Z" -- September 18, 2012
|
|
ORGANIZATION "Hirschmann Automation and Control GmbH"
|
|
CONTACT-INFO
|
|
"Postal: Stuttgarter Str. 45-51
|
|
72654 Neckartenzlingen
|
|
Germany
|
|
Phone: +49 7127 140
|
|
E-mail: hac.support@belden.com"
|
|
DESCRIPTION
|
|
"Hirschmann Denial of Service MIB
|
|
Copyright (C) 2012. All Rights Reserved."
|
|
REVISION "201209180000Z" -- September 18, 2012
|
|
DESCRIPTION
|
|
"Change the range of valid values for
|
|
hm2DosMitigationTcpMinimalHeaderSize
|
|
MIB object from (0..255) to (20..255)."
|
|
REVISION "201208200000Z" -- August 20, 2012
|
|
DESCRIPTION
|
|
"hm2DosMitigationTcpFrag MIB object removed."
|
|
REVISION "201206060000Z" -- June 06, 2012
|
|
DESCRIPTION
|
|
"Add MIB objects for all features supported by XGS4 switch."
|
|
REVISION "201203190000Z" -- Mar 19, 2012
|
|
DESCRIPTION
|
|
"Initial version."
|
|
::= { hm2ConfigurationMibs 82 }
|
|
|
|
DosFeatureValue ::= TEXTUAL-CONVENTION
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Type of feature support:
|
|
- hw(1): Supported in Hardware
|
|
- sw(2): Supported in Software
|
|
- noSup(3): Not implemented (no support)"
|
|
SYNTAX INTEGER {
|
|
hw(1),
|
|
sw(2),
|
|
noSup(3)
|
|
}
|
|
|
|
|
|
|
|
hm2DosMitigationNotifications OBJECT IDENTIFIER ::= { hm2DosMitigationMib 0 }
|
|
hm2DosMitigationObjects OBJECT IDENTIFIER ::= { hm2DosMitigationMib 1 }
|
|
hm2DosMitigationConformance OBJECT IDENTIFIER ::= { hm2DosMitigationMib 2}
|
|
|
|
--******************************************************************************
|
|
-- General Settings
|
|
--******************************************************************************
|
|
|
|
hm2DosMitigationGeneralSettings OBJECT IDENTIFIER ::= { hm2DosMitigationObjects 1 }
|
|
|
|
hm2DosMitigationTcpHdrChecks OBJECT IDENTIFIER ::= { hm2DosMitigationGeneralSettings 1 }
|
|
|
|
hm2DosMitigationTcpNullScan OBJECT-TYPE
|
|
SYNTAX HmEnabledStatus
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"When enabled, TCP Null scans (TCP flags and sequence number
|
|
set to 0) are filtered by the device."
|
|
DEFVAL { disable }
|
|
::= { hm2DosMitigationTcpHdrChecks 1 }
|
|
|
|
|
|
hm2DosMitigationTcpXmasScan OBJECT-TYPE
|
|
SYNTAX HmEnabledStatus
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"When enabled TCP Xmas scans (TCP flags FIN,
|
|
URG and PSH all set to 1 and a TCP sequence
|
|
number = 0) are filtered by the device."
|
|
DEFVAL { disable }
|
|
::= { hm2DosMitigationTcpHdrChecks 4 }
|
|
|
|
hm2DosMitigationTcpSynFinScan OBJECT-TYPE
|
|
SYNTAX HmEnabledStatus
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"When enabled TCP packets with SYN and FIN flags set are
|
|
filtered by the device."
|
|
DEFVAL { disable }
|
|
::= { hm2DosMitigationTcpHdrChecks 7 }
|
|
|
|
hm2DosMitigationTcpMinimalHeader OBJECT-TYPE
|
|
SYNTAX HmEnabledStatus
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"When enabled all TCP frames are checked for a minimal valid
|
|
header size. Packets that contain an invalid header size are
|
|
discarded."
|
|
DEFVAL { disable }
|
|
::= { hm2DosMitigationTcpHdrChecks 10 }
|
|
|
|
hm2DosMitigationTcpMinimalHeaderSize OBJECT-TYPE
|
|
SYNTAX Unsigned32 (20..255)
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
" Specifies the minimum size of a valid TCP frame header size."
|
|
DEFVAL { 20 }
|
|
::= { hm2DosMitigationTcpHdrChecks 11 }
|
|
|
|
hm2DosMitigationLandAttack OBJECT-TYPE
|
|
SYNTAX HmEnabledStatus
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"When enabled all IP frames are checked for equality of
|
|
src and dst IP address (known as land attack). Packets that
|
|
contain such a combination are silently discarded when
|
|
enabled."
|
|
DEFVAL { disable }
|
|
::= { hm2DosMitigationTcpHdrChecks 13 }
|
|
|
|
hm2DosMitigationTcpOffsetEqu1 OBJECT-TYPE
|
|
SYNTAX HmEnabledStatus
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Enable/Disable TCP offset DoS protection. All packets
|
|
ingress having a TCP header offset equal to 1 are dropped."
|
|
DEFVAL { disable }
|
|
::= { hm2DosMitigationTcpHdrChecks 14 }
|
|
|
|
hm2DosMitigationTcpPrivilegedSrcPort OBJECT-TYPE
|
|
SYNTAX HmEnabledStatus
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Enable/Disable TCP SYN and L4 source port smaller than 1024
|
|
DoS protection. All packets ingress having the TCP SYN flag set
|
|
and a L4 source port from 0 to 1023 are dropped."
|
|
DEFVAL { disable }
|
|
::= { hm2DosMitigationTcpHdrChecks 15 }
|
|
|
|
hm2DosMitigationTcpSrcDstPortEqu OBJECT-TYPE
|
|
SYNTAX HmEnabledStatus
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Enable/Disable L4 source port equals L4 destination port
|
|
DoS protection. All TCP or UDP packets ingress having the
|
|
L4 source port equal to L4 destination port are dropped."
|
|
DEFVAL { disable }
|
|
::= { hm2DosMitigationTcpHdrChecks 16 }
|
|
|
|
|
|
hm2DosMitigationIcmpChecks OBJECT IDENTIFIER ::= { hm2DosMitigationGeneralSettings 2 }
|
|
|
|
hm2DosMitigationIcmpFrags OBJECT-TYPE
|
|
SYNTAX HmEnabledStatus
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"When enabled, all fragmented ICMP packets are filtered by the
|
|
device."
|
|
DEFVAL { disable }
|
|
::= { hm2DosMitigationIcmpChecks 1 }
|
|
|
|
|
|
hm2DosMitigationIcmpPacketSize OBJECT-TYPE
|
|
SYNTAX Unsigned32 (0..1472)
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Specifies the max. allowed payload size of ICMP packets.
|
|
Packets having bigger payload are filtered by the device
|
|
if the hm2DosMitigationIcmpPacketSizeMode is enabled."
|
|
DEFVAL { 512 }
|
|
::= { hm2DosMitigationIcmpChecks 4 }
|
|
|
|
hm2DosMitigationIcmpPacketSizeMode OBJECT-TYPE
|
|
SYNTAX HmEnabledStatus
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"When enabled all ICMP ingress packets having the
|
|
payload bigger than hm2DosMitigationIcmpPacketSize
|
|
are filtered by device. "
|
|
DEFVAL { disable }
|
|
::= { hm2DosMitigationIcmpChecks 5 }
|
|
|
|
hm2DosMitigationIcmpSmurfAttack OBJECT-TYPE
|
|
SYNTAX HmEnabledStatus
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"When enabled, all ingress ICMP packets having
|
|
the type set to ECHO_REQ (ping) and a broadcast
|
|
destination IP are dropped. "
|
|
DEFVAL { disable }
|
|
::= { hm2DosMitigationIcmpChecks 6 }
|
|
|
|
hm2DosMitigationL2Checks OBJECT IDENTIFIER ::= { hm2DosMitigationGeneralSettings 3}
|
|
|
|
hm2DosMitigationSMacDMac OBJECT-TYPE
|
|
SYNTAX HmEnabledStatus
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Enable/Disable source MAC address equals destination
|
|
MAC address DoS protection. All packets ingress having
|
|
SMAC equals DMAC are dropped."
|
|
DEFVAL { enable }
|
|
::= { hm2DosMitigationL2Checks 7 }
|
|
|
|
|
|
hm2DosMitigationCapabilities OBJECT IDENTIFIER ::= { hm2DosMitigationGeneralSettings 0 }
|
|
|
|
hm2DosMitigationTcpHdrChecksSup OBJECT-TYPE
|
|
SYNTAX DosFeatureValue
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The type of support for TCP header checks."
|
|
::= { hm2DosMitigationCapabilities 1 }
|
|
|
|
hm2DosMitigationIcmpChecksSup OBJECT-TYPE
|
|
SYNTAX DosFeatureValue
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The type of support for ICMP checks."
|
|
::= { hm2DosMitigationCapabilities 2 }
|
|
|
|
hm2DosMitigationTcpSynLimitSup OBJECT-TYPE
|
|
SYNTAX DosFeatureValue
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The type of support for TCP SYN limiter."
|
|
::= { hm2DosMitigationCapabilities 3 }
|
|
|
|
hm2DosMitigationArpLimitSup OBJECT-TYPE
|
|
SYNTAX DosFeatureValue
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The type of support for ARP limiter."
|
|
::= { hm2DosMitigationCapabilities 4 }
|
|
|
|
hm2DosMitigationTcpNullScanSup OBJECT-TYPE
|
|
SYNTAX DosFeatureValue
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The type of support for TCP Null Scan."
|
|
::= { hm2DosMitigationCapabilities 5 }
|
|
|
|
hm2DosMitigationTcpXmasSup OBJECT-TYPE
|
|
SYNTAX DosFeatureValue
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The type of support for TCP Xmas Scan."
|
|
::= { hm2DosMitigationCapabilities 6 }
|
|
|
|
|
|
hm2DosMitigationTcpLandSup OBJECT-TYPE
|
|
SYNTAX DosFeatureValue
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The type of support for land attack detection."
|
|
::= { hm2DosMitigationCapabilities 7 }
|
|
|
|
|
|
--******************************************************************************
|
|
-- TCP Syn/Arp Limiter
|
|
--******************************************************************************
|
|
|
|
hm2DosMitigationLimiter OBJECT IDENTIFIER ::= { hm2DosMitigationObjects 2 }
|
|
|
|
hm2DosMitigationLimiterObjects OBJECT IDENTIFIER ::= { hm2DosMitigationLimiter 1 }
|
|
|
|
hm2DosMitigationLimiterRules OBJECT IDENTIFIER ::= { hm2DosMitigationLimiter 2 }
|
|
|
|
hm2DosMitigationLimiterRuleTable OBJECT-TYPE
|
|
SYNTAX SEQUENCE OF Hm2DosMitigationLimiterRuleEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"TCP Syn Limiter Interface Table"
|
|
::= { hm2DosMitigationLimiterRules 1 }
|
|
|
|
hm2DosMitigationLimiterRuleEntry OBJECT-TYPE
|
|
SYNTAX Hm2DosMitigationLimiterRuleEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"TCP Syn Interface entry."
|
|
INDEX { hm2DosMitigationLimiterInterface }
|
|
::= { hm2DosMitigationLimiterRuleTable 1 }
|
|
|
|
Hm2DosMitigationLimiterRuleEntry ::=
|
|
SEQUENCE {
|
|
hm2DosMitigationLimiterInterface InterfaceIndex,
|
|
hm2DosMitigationLimiterTcpSynLimit Unsigned32,
|
|
hm2DosMitigationLimiterArpLimit Unsigned32,
|
|
hm2DosMitigationLimiterRowStatus RowStatus
|
|
}
|
|
|
|
hm2DosMitigationLimiterInterface OBJECT-TYPE
|
|
SYNTAX InterfaceIndex
|
|
MAX-ACCESS accessible-for-notify
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The interface the limiter is assigned to."
|
|
::={ hm2DosMitigationLimiterRuleEntry 1 }
|
|
|
|
hm2DosMitigationLimiterTcpSynLimit OBJECT-TYPE
|
|
SYNTAX Unsigned32
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The number of allowed outgoing TCP syn packets per second
|
|
per interface.
|
|
A value of 0 disables the limiter for this interface."
|
|
::={ hm2DosMitigationLimiterRuleEntry 2 }
|
|
|
|
hm2DosMitigationLimiterArpLimit OBJECT-TYPE
|
|
SYNTAX Unsigned32
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The number of allowed outgoing ARP packets per second per
|
|
interface.
|
|
A value of 0 disables the limiter for this interface."
|
|
::={ hm2DosMitigationLimiterRuleEntry 3 }
|
|
|
|
|
|
hm2DosMitigationLimiterRowStatus OBJECT-TYPE
|
|
SYNTAX RowStatus
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Row status."
|
|
::={ hm2DosMitigationLimiterRuleEntry 4 }
|
|
|
|
|
|
--******************************************************************************
|
|
-- Compliance statements
|
|
--******************************************************************************
|
|
|
|
hm2DosMitigationCompliances OBJECT IDENTIFIER ::= { hm2DosMitigationConformance 1 }
|
|
hm2DosMitigationGroups OBJECT IDENTIFIER ::= { hm2DosMitigationConformance 2 }
|
|
|
|
hm2DosMitigationCompliance MODULE-COMPLIANCE
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The compliance statement for an SNMP entity which
|
|
implements the Hirschmann DOS Mitigation MIB."
|
|
MODULE -- this module
|
|
MANDATORY-GROUPS { hm2DosMitigationGeneralGroup }
|
|
::= { hm2DosMitigationCompliances 1 }
|
|
|
|
hm2DosMitigationGeneralGroup OBJECT-GROUP
|
|
OBJECTS {
|
|
hm2DosMitigationTcpSynFinScan,
|
|
hm2DosMitigationTcpNullScan,
|
|
hm2DosMitigationTcpXmasScan,
|
|
hm2DosMitigationTcpMinimalHeader,
|
|
hm2DosMitigationTcpMinimalHeaderSize,
|
|
hm2DosMitigationLandAttack,
|
|
hm2DosMitigationTcpOffsetEqu1,
|
|
hm2DosMitigationTcpPrivilegedSrcPort,
|
|
hm2DosMitigationTcpSrcDstPortEqu,
|
|
hm2DosMitigationIcmpFrags,
|
|
hm2DosMitigationIcmpPacketSize,
|
|
hm2DosMitigationIcmpPacketSizeMode,
|
|
hm2DosMitigationSMacDMac,
|
|
hm2DosMitigationTcpHdrChecksSup,
|
|
hm2DosMitigationIcmpChecksSup,
|
|
hm2DosMitigationTcpSynLimitSup,
|
|
hm2DosMitigationArpLimitSup,
|
|
hm2DosMitigationLimiterInterface,
|
|
hm2DosMitigationLimiterTcpSynLimit,
|
|
hm2DosMitigationLimiterArpLimit,
|
|
hm2DosMitigationLimiterRowStatus,
|
|
hm2DosMitigationTcpXmasSup,
|
|
hm2DosMitigationTcpNullScanSup,
|
|
hm2DosMitigationTcpLandSup
|
|
}
|
|
STATUS current
|
|
DESCRIPTION
|
|
"A collection of all Hirschmann objects provided by the DoS Mitigation
|
|
module."
|
|
::= { hm2DosMitigationGroups 1 }
|
|
END
|