From 3b618516eef76b7665ab38de37ff70d7024e4b75 Mon Sep 17 00:00:00 2001
From: Rob Cowart
Date: Wed, 22 Oct 2025 12:19:40 +0200
Subject: [PATCH 1/8] official IEEE802dot11-MIB trap rules
---
enums/integer/ieee/IEEE802dot11-MIB.yml | 356 +++++
traps/enterprises.yml | 5 +-
traps/rules/cisco/snmp.yml | 183 ---
.../IEEE802dot11-MIB-dot11SMTnotification.yml | 1163 ++++++++++++++---
4 files changed, 1360 insertions(+), 347 deletions(-)
create mode 100644 enums/integer/ieee/IEEE802dot11-MIB.yml
delete mode 100644 traps/rules/cisco/snmp.yml
diff --git a/enums/integer/ieee/IEEE802dot11-MIB.yml b/enums/integer/ieee/IEEE802dot11-MIB.yml
new file mode 100644
index 00000000..d1b65487
--- /dev/null
+++ b/enums/integer/ieee/IEEE802dot11-MIB.yml
@@ -0,0 +1,356 @@
+# dot11DisassociateReason
+.1.2.840.10036.1.1.1.15:
+ 0: 'reserved'
+ 1: 'unspecified reason'
+ 2: 'previous authentication no longer valid'
+ 3: 'deauthenticated because sending station is leaving (or has left) IBSS or ESS'
+ 4: 'disassociated due to inactivity'
+ 5: 'disassociated because AP unable to handle all currently associated stations'
+ 6: 'class 2 frame received from nonauthenticated station'
+ 7: 'class 3 frame received from nonassociated station'
+ 8: 'disassociated because sending station is leaving (or has left) BSS'
+ 9: 'station requesting association or reassociation not authenticated with responding station'
+ 10: 'disassociated because of unacceptable information in the power capability element'
+ 11: 'disassociated because of unacceptable information in the supported channels element'
+ 12: 'disassociated due to BSS transition management'
+ 13: 'invalid information (does not follow 802.11 standard)'
+ 14: 'MIC failure'
+ 15: '4-way handshake timeout'
+ 16: 'group-key handshake timeout'
+ 17: 'information element in 4-way handshake different from association request, reassociation request, probe response, or beacon frame'
+ 18: 'invalid group cipher'
+ 19: 'invalid pairwise cipher'
+ 20: 'invalid authentication and key management protocol (AKMP)'
+ 21: 'unsupported robust security network (RSN) information element version'
+ 22: 'invalid RSN information element capabilities'
+ 23: 'IEEE 802.1X authentication failed'
+ 24: 'cipher suite rejected because of security policy'
+ 25: 'TDLS direct-link teardown due to TDLS peer STA unreachable via the TDLS direct link'
+ 26: 'TDLS direct-link teardown for unspecified reason'
+ 27: 'disassociated because session terminated by SSP request'
+ 28: 'disassociated because of lack of SSP roaming agreement'
+ 29: 'requested service rejected because of SSP cipher suite or AKM requirement'
+ 30: 'requested service not authorized in this location'
+ 31: 'TS deleted because QoS AP lacks sufficient bandwidth for this QoS STA due to a change in BSS service characteristics or operational mode'
+ 32: 'disassociated for unspecified QoS-related reason'
+ 33: 'disassociated because QoS AP lacks sufficient bandwidth for this QoS station'
+ 34: 'disassociated because excessive number of frames need to be acknowledged, but are not acknowledged due to AP transmissions or poor channel conditions, or both'
+ 35: 'disassociated because station is transmitting outside limits of its TXOPs'
+ 36: 'requested from peer station as station is leaving or resetting the BSS'
+ 37: 'requested from peer station as it does not want to use the mechanism'
+ 38: 'requested from peer station as station received frames using the mechanism for which a setup is required'
+ 39: 'requested from peer station due to timeout'
+ 45: 'peer station does not support requested cipher suite'
+ 46: 'disassociated because authorized access limit reached'
+ 47: 'disassociated due to external service requirements'
+ 48: 'invalid FT Action frame count'
+ 49: 'invalid PMKI'
+ 50: 'invalid mode'
+ 51: 'invalid FTE'
+ 52: 'SME cancels the mesh peering instance with the reason other than reaching the maximum number of peer mesh STAs'
+ 53: 'mesh STA has reached the supported maximum number of peer mesh STAs'
+ 54: 'received information violates the Mesh Configuration policy configured in the mesh STA profile'
+ 55: 'mesh STA has received a Mesh Peering Close message requesting to close the mesh peering'
+ 56: 'mesh STA has resent dot11MeshMaxRetries Mesh Peering Open messages, without receiving a Mesh Peering Confirm message'
+ 57: 'confirmTimer for the mesh peering instance times out'
+ 58: 'mesh STA fails to unwrap the GTK or the values in the wrapped contents do not match'
+ 59: 'mesh STA receives inconsistent information about the mesh parameters between Mesh Peering Management frames'
+ 60: 'mesh STA fails the authenticated mesh peering exchange because due to failure in selecting either the pairwise ciphersuite or group ciphersuite'
+ 61: 'mesh STA does not have proxy information for this external destination'
+ 62: 'mesh STA does not have forwarding information for this destination'
+ 63: 'mesh STA determines that the link to the next hop of an active path in its forwarding information is no longer usable'
+ 64: 'deauthentication frame was sent because the MAC address of the STA already exists in the mesh BSS'
+ 65: 'mesh STA performs channel switch to meet regulatory requirements'
+ 66: 'mesh STA performs channel switch with unspecified reason'
+
+# dot11DeauthenticateReason
+.1.2.840.10036.1.1.1.17:
+ 0: 'reserved'
+ 1: 'unspecified reason'
+ 2: 'previous authentication no longer valid'
+ 3: 'deauthenticated because sending station is leaving (or has left) IBSS or ESS'
+ 4: 'disassociated due to inactivity'
+ 5: 'disassociated because AP unable to handle all currently associated stations'
+ 6: 'class 2 frame received from nonauthenticated station'
+ 7: 'class 3 frame received from nonassociated station'
+ 8: 'disassociated because sending station is leaving (or has left) BSS'
+ 9: 'station requesting association or reassociation not authenticated with responding station'
+ 10: 'disassociated because of unacceptable information in the power capability element'
+ 11: 'disassociated because of unacceptable information in the supported channels element'
+ 12: 'disassociated due to BSS transition management'
+ 13: 'invalid information (does not follow 802.11 standard)'
+ 14: 'MIC failure'
+ 15: '4-way handshake timeout'
+ 16: 'group-key handshake timeout'
+ 17: 'information element in 4-way handshake different from association request, reassociation request, probe response, or beacon frame'
+ 18: 'invalid group cipher'
+ 19: 'invalid pairwise cipher'
+ 20: 'invalid authentication and key management protocol (AKMP)'
+ 21: 'unsupported robust security network (RSN) information element version'
+ 22: 'invalid RSN information element capabilities'
+ 23: 'IEEE 802.1X authentication failed'
+ 24: 'cipher suite rejected because of security policy'
+ 25: 'TDLS direct-link teardown due to TDLS peer STA unreachable via the TDLS direct link'
+ 26: 'TDLS direct-link teardown for unspecified reason'
+ 27: 'disassociated because session terminated by SSP request'
+ 28: 'disassociated because of lack of SSP roaming agreement'
+ 29: 'requested service rejected because of SSP cipher suite or AKM requirement'
+ 30: 'requested service not authorized in this location'
+ 31: 'TS deleted because QoS AP lacks sufficient bandwidth for this QoS STA due to a change in BSS service characteristics or operational mode'
+ 32: 'disassociated for unspecified QoS-related reason'
+ 33: 'disassociated because QoS AP lacks sufficient bandwidth for this QoS station'
+ 34: 'disassociated because excessive number of frames need to be acknowledged, but are not acknowledged due to AP transmissions or poor channel conditions, or both'
+ 35: 'disassociated because station is transmitting outside limits of its TXOPs'
+ 36: 'requested from peer station as station is leaving or resetting the BSS'
+ 37: 'requested from peer station as it does not want to use the mechanism'
+ 38: 'requested from peer station as station received frames using the mechanism for which a setup is required'
+ 39: 'requested from peer station due to timeout'
+ 45: 'peer station does not support requested cipher suite'
+ 46: 'disassociated because authorized access limit reached'
+ 47: 'disassociated due to external service requirements'
+ 48: 'invalid FT Action frame count'
+ 49: 'invalid PMKI'
+ 50: 'invalid mode'
+ 51: 'invalid FTE'
+ 52: 'SME cancels the mesh peering instance with the reason other than reaching the maximum number of peer mesh STAs'
+ 53: 'mesh STA has reached the supported maximum number of peer mesh STAs'
+ 54: 'received information violates the Mesh Configuration policy configured in the mesh STA profile'
+ 55: 'mesh STA has received a Mesh Peering Close message requesting to close the mesh peering'
+ 56: 'mesh STA has resent dot11MeshMaxRetries Mesh Peering Open messages, without receiving a Mesh Peering Confirm message'
+ 57: 'confirmTimer for the mesh peering instance times out'
+ 58: 'mesh STA fails to unwrap the GTK or the values in the wrapped contents do not match'
+ 59: 'mesh STA receives inconsistent information about the mesh parameters between Mesh Peering Management frames'
+ 60: 'mesh STA fails the authenticated mesh peering exchange because due to failure in selecting either the pairwise ciphersuite or group ciphersuite'
+ 61: 'mesh STA does not have proxy information for this external destination'
+ 62: 'mesh STA does not have forwarding information for this destination'
+ 63: 'mesh STA determines that the link to the next hop of an active path in its forwarding information is no longer usable'
+ 64: 'deauthentication frame was sent because the MAC address of the STA already exists in the mesh BSS'
+ 65: 'mesh STA performs channel switch to meet regulatory requirements'
+ 66: 'mesh STA performs channel switch with unspecified reason'
+
+# dot11AuthenticateFailStatus
+.1.2.840.10036.1.1.1.19:
+ 0: 'reserved'
+ 1: 'unspecified reason'
+ 2: 'previous authentication no longer valid'
+ 3: 'deauthenticated because sending station is leaving (or has left) IBSS or ESS'
+ 4: 'disassociated due to inactivity'
+ 5: 'disassociated because AP unable to handle all currently associated stations'
+ 6: 'class 2 frame received from nonauthenticated station'
+ 7: 'class 3 frame received from nonassociated station'
+ 8: 'disassociated because sending station is leaving (or has left) BSS'
+ 9: 'station requesting association or reassociation not authenticated with responding station'
+ 10: 'disassociated because of unacceptable information in the power capability element'
+ 11: 'disassociated because of unacceptable information in the supported channels element'
+ 12: 'disassociated due to BSS transition management'
+ 13: 'invalid information (does not follow 802.11 standard)'
+ 14: 'MIC failure'
+ 15: '4-way handshake timeout'
+ 16: 'group-key handshake timeout'
+ 17: 'information element in 4-way handshake different from association request, reassociation request, probe response, or beacon frame'
+ 18: 'invalid group cipher'
+ 19: 'invalid pairwise cipher'
+ 20: 'invalid authentication and key management protocol (AKMP)'
+ 21: 'unsupported robust security network (RSN) information element version'
+ 22: 'invalid RSN information element capabilities'
+ 23: 'IEEE 802.1X authentication failed'
+ 24: 'cipher suite rejected because of security policy'
+ 25: 'TDLS direct-link teardown due to TDLS peer STA unreachable via the TDLS direct link'
+ 26: 'TDLS direct-link teardown for unspecified reason'
+ 27: 'disassociated because session terminated by SSP request'
+ 28: 'disassociated because of lack of SSP roaming agreement'
+ 29: 'requested service rejected because of SSP cipher suite or AKM requirement'
+ 30: 'requested service not authorized in this location'
+ 31: 'TS deleted because QoS AP lacks sufficient bandwidth for this QoS STA due to a change in BSS service characteristics or operational mode'
+ 32: 'disassociated for unspecified QoS-related reason'
+ 33: 'disassociated because QoS AP lacks sufficient bandwidth for this QoS station'
+ 34: 'disassociated because excessive number of frames need to be acknowledged, but are not acknowledged due to AP transmissions or poor channel conditions, or both'
+ 35: 'disassociated because station is transmitting outside limits of its TXOPs'
+ 36: 'requested from peer station as station is leaving or resetting the BSS'
+ 37: 'requested from peer station as it does not want to use the mechanism'
+ 38: 'requested from peer station as station received frames using the mechanism for which a setup is required'
+ 39: 'requested from peer station due to timeout'
+ 45: 'peer station does not support requested cipher suite'
+ 46: 'disassociated because authorized access limit reached'
+ 47: 'disassociated due to external service requirements'
+ 48: 'invalid FT Action frame count'
+ 49: 'invalid PMKI'
+ 50: 'invalid mode'
+ 51: 'invalid FTE'
+ 52: 'SME cancels the mesh peering instance with the reason other than reaching the maximum number of peer mesh STAs'
+ 53: 'mesh STA has reached the supported maximum number of peer mesh STAs'
+ 54: 'received information violates the Mesh Configuration policy configured in the mesh STA profile'
+ 55: 'mesh STA has received a Mesh Peering Close message requesting to close the mesh peering'
+ 56: 'mesh STA has resent dot11MeshMaxRetries Mesh Peering Open messages, without receiving a Mesh Peering Confirm message'
+ 57: 'confirmTimer for the mesh peering instance times out'
+ 58: 'mesh STA fails to unwrap the GTK or the values in the wrapped contents do not match'
+ 59: 'mesh STA receives inconsistent information about the mesh parameters between Mesh Peering Management frames'
+ 60: 'mesh STA fails the authenticated mesh peering exchange because due to failure in selecting either the pairwise ciphersuite or group ciphersuite'
+ 61: 'mesh STA does not have proxy information for this external destination'
+ 62: 'mesh STA does not have forwarding information for this destination'
+ 63: 'mesh STA determines that the link to the next hop of an active path in its forwarding information is no longer usable'
+ 64: 'deauthentication frame was sent because the MAC address of the STA already exists in the mesh BSS'
+ 65: 'mesh STA performs channel switch to meet regulatory requirements'
+ 66: 'mesh STA performs channel switch with unspecified reason'
+
+# dot11AssociateFailStatus
+.1.2.840.10036.1.1.1.46:
+ 0: 'successful'
+ 1: 'unspecified failure'
+ 2: 'TDLS wakeup schedule rejected but alternative schedule provided'
+ 3: 'TDLS wakeup schedule rejected'
+ 5: 'security disabled'
+ 6: 'unacceptable lifetime'
+ 7: 'not in same BSS'
+ 10: 'cannot support all requested capabilities in capability information field'
+ 11: 'reassociation denied due to inability to confirm that association exists'
+ 12: 'association denied due to reason outside scope of this standard'
+ 13: 'responding station does not support specified authentication algorithm'
+ 14: 'received authentication frame with authentication transaction sequence number out of expected sequence'
+ 15: 'authentication rejected because of challenge failure'
+ 16: 'authentication rejected due to timeout waiting for next frame in sequence'
+ 17: 'association denied because AP unable to handle additional associated stations'
+ 18: 'association denied due to requesting station not supporting all data rates in the BSSBasicRateSet parameter, where BSS refers to basic service set'
+ 19: 'association denied due to requesting station not supporting short preamble option'
+ 20: 'association denied due to requesting station not supporting PBCC modulation option'
+ 21: 'association denied due to requesting station not supporting channel agility option'
+ 22: 'association request rejected because spectrum management capability required'
+ 23: 'association request rejected because of unacceptable information in the power capability element'
+ 24: 'association request rejected because of unacceptable information in the supported channels element'
+ 25: 'association denied due to requesting station not supporting short slot time option'
+ 26: 'association denied due to requesting station not supporting DSSS-OFDM option'
+ 27: 'association denied because requesting station does not support HT features'
+ 28: 'PMK-R0 Key Holder unreachable'
+ 29: 'association denied because requesting station does not support phased coexistence operation (PCO) transition time required by the AP'
+ 30: 'association request rejected temporarily; try again later'
+ 31: 'robust management frame policy violation'
+ 32: 'Unspecified. QoS-related failure'
+ 33: 'association denied because QoS AP has insufficient bandwidth to handle another QoS station'
+ 34: 'association denied due to excessive frame loss rates or poor conditions on current operating channel, or both'
+ 35: 'association (with QoS BSS) denied because the requesting station does not support the QoS facility'
+ 37: 'request declined'
+ 38: 'request not successful as one or more parameters have invalid values'
+ 39: 'TS not created because request cannot be honored; however, suggested TSPEC provided so that the initiating station may attempt to set another TS with suggested changes to TSPEC'
+ 40: 'invalid information element (does not follow 802.11 standard)'
+ 41: 'invalid group cipher'
+ 42: 'invalid pairwise cipher'
+ 43: 'invalid AKMP'
+ 44: 'unsupported RSNE information element version'
+ 45: 'invalid RSNE information element capabilities'
+ 46: 'cipher suite rejected because of security policy'
+ 47: 'TS not created; however, HC may be capable of creating TS, in response to a request, after the time indicated in TS delay element'
+ 48: 'direct link not allowed in the BSS by policy'
+ 49: 'destination station not present within this BSS'
+ 50: 'destination station not a QoS station'
+ 51: 'association denied because ListenInterval too large'
+ 52: 'invalid FT action frame count'
+ 53: 'invalid shared key (PMKID)'
+ 54: 'invalid MDE'
+ 55: 'invalid FTE'
+ 56: 'TCLAS processing not supported by AP'
+ 57: 'AP has insufficient TCLAS processing resources to satisfy request'
+ 58: 'TS not created because request cannot be honored; however, HC suggests station transitions to other BSSs to set up TS'
+ 59: 'GAS advertisement protocol not supported'
+ 60: 'No outstanding GAS request'
+ 61: 'GAS response not received from advertisement server'
+ 62: 'station timed out waiting for GAS query response'
+ 63: 'GAS response larger than query response length limit'
+ 64: 'request refused because home network does not support request'
+ 65: 'advertisement server in network not currently reachable'
+ 68: 'request refused because AP does not support unauthenticated access'
+ 73: 'U-APSD coexistence not supported'
+ 74: 'requested U-APSD coexistence mode not supported'
+ 75: 'requested interval or duration value cannot be supported with U-APSD coexistence'
+ 76: 'authentication rejected because anti-clogging token is required'
+ 77: 'authentication rejected because the offered finite cyclic group not supported'
+ 78: 'TBTT adjustment request not successful because station could not find alternative TBTT'
+ 79: 'transmission failure'
+ 80: 'requested TCLAS not supported'
+ 81: 'TCLAS resources exhausted'
+ 82: 'rejected with suggested BSS transition'
+ 93: 'association or reassociation refused because of memory limits at AP'
+ 94: 'association or reassociation refused because emergency services not supported at AP'
+ 95: 'GAS query response not yet received'
+ 101: 'request failed due to exceeded MAF limit'
+ 102: 'request failed due to exceeded MCCA track limit, where MCF refers to mesh coordination function'
+
+# dot11ReassociateFailStatus
+.1.2.840.10036.1.1.1.50:
+ 0: 'successful'
+ 1: 'unspecified failure'
+ 2: 'TDLS wakeup schedule rejected but alternative schedule provided'
+ 3: 'TDLS wakeup schedule rejected'
+ 5: 'security disabled'
+ 6: 'unacceptable lifetime'
+ 7: 'not in same BSS'
+ 10: 'cannot support all requested capabilities in capability information field'
+ 11: 'reassociation denied due to inability to confirm that association exists'
+ 12: 'association denied due to reason outside scope of this standard'
+ 13: 'responding station does not support specified authentication algorithm'
+ 14: 'received authentication frame with authentication transaction sequence number out of expected sequence'
+ 15: 'authentication rejected because of challenge failure'
+ 16: 'authentication rejected due to timeout waiting for next frame in sequence'
+ 17: 'association denied because AP unable to handle additional associated stations'
+ 18: 'association denied due to requesting station not supporting all data rates in the BSSBasicRateSet parameter, where BSS refers to basic service set'
+ 19: 'association denied due to requesting station not supporting short preamble option'
+ 20: 'association denied due to requesting station not supporting PBCC modulation option'
+ 21: 'association denied due to requesting station not supporting channel agility option'
+ 22: 'association request rejected because spectrum management capability required'
+ 23: 'association request rejected because of unacceptable information in the power capability element'
+ 24: 'association request rejected because of unacceptable information in the supported channels element'
+ 25: 'association denied due to requesting station not supporting short slot time option'
+ 26: 'association denied due to requesting station not supporting DSSS-OFDM option'
+ 27: 'association denied because requesting station does not support HT features'
+ 28: 'PMK-R0 Key Holder unreachable'
+ 29: 'association denied because requesting station does not support phased coexistence operation (PCO) transition time required by the AP'
+ 30: 'association request rejected temporarily; try again later'
+ 31: 'robust management frame policy violation'
+ 32: 'Unspecified. QoS-related failure'
+ 33: 'association denied because QoS AP has insufficient bandwidth to handle another QoS station'
+ 34: 'association denied due to excessive frame loss rates or poor conditions on current operating channel, or both'
+ 35: 'association (with QoS BSS) denied because the requesting station does not support the QoS facility'
+ 37: 'request declined'
+ 38: 'request not successful as one or more parameters have invalid values'
+ 39: 'TS not created because request cannot be honored; however, suggested TSPEC provided so that the initiating station may attempt to set another TS with suggested changes to TSPEC'
+ 40: 'invalid information element (does not follow 802.11 standard)'
+ 41: 'invalid group cipher'
+ 42: 'invalid pairwise cipher'
+ 43: 'invalid AKMP'
+ 44: 'unsupported RSNE information element version'
+ 45: 'invalid RSNE information element capabilities'
+ 46: 'cipher suite rejected because of security policy'
+ 47: 'TS not created; however, HC may be capable of creating TS, in response to a request, after the time indicated in TS delay element'
+ 48: 'direct link not allowed in the BSS by policy'
+ 49: 'destination station not present within this BSS'
+ 50: 'destination station not a QoS station'
+ 51: 'association denied because ListenInterval too large'
+ 52: 'invalid FT action frame count'
+ 53: 'invalid shared key (PMKID)'
+ 54: 'invalid MDE'
+ 55: 'invalid FTE'
+ 56: 'TCLAS processing not supported by AP'
+ 57: 'AP has insufficient TCLAS processing resources to satisfy request'
+ 58: 'TS not created because request cannot be honored; however, HC suggests station transitions to other BSSs to set up TS'
+ 59: 'GAS advertisement protocol not supported'
+ 60: 'No outstanding GAS request'
+ 61: 'GAS response not received from advertisement server'
+ 62: 'station timed out waiting for GAS query response'
+ 63: 'GAS response larger than query response length limit'
+ 64: 'request refused because home network does not support request'
+ 65: 'advertisement server in network not currently reachable'
+ 68: 'request refused because AP does not support unauthenticated access'
+ 73: 'U-APSD coexistence not supported'
+ 74: 'requested U-APSD coexistence mode not supported'
+ 75: 'requested interval or duration value cannot be supported with U-APSD coexistence'
+ 76: 'authentication rejected because anti-clogging token is required'
+ 77: 'authentication rejected because the offered finite cyclic group not supported'
+ 78: 'TBTT adjustment request not successful because station could not find alternative TBTT'
+ 79: 'transmission failure'
+ 80: 'requested TCLAS not supported'
+ 81: 'TCLAS resources exhausted'
+ 82: 'rejected with suggested BSS transition'
+ 93: 'association or reassociation refused because of memory limits at AP'
+ 94: 'association or reassociation refused because emergency services not supported at AP'
+ 95: 'GAS query response not yet received'
+ 101: 'request failed due to exceeded MAF limit'
+ 102: 'request failed due to exceeded MCCA track limit, where MCF refers to mesh coordination function'
diff --git a/traps/enterprises.yml b/traps/enterprises.yml
index e4689527..16dde33c 100644
--- a/traps/enterprises.yml
+++ b/traps/enterprises.yml
@@ -1,6 +1,9 @@
 # Rules for handling an unsupported Enterprise
 unsupported: unsupported.yml
+# IEEE
+.1.2.840.10036.1.6: IEEE/IEEE802dot11-MIB-dot11SMTnotification.yml
+
 # IETF
 .1.3.6.1.2.1.14.16: IETF/OSPF-TRAP-MIB-ospfTraps.yml
 .1.3.6.1.2.1.14.16.2: IETF/OSPF-TRAP-MIB-ospfTraps.yml
@@ -46,7 +49,6 @@ unsupported: unsupported.yml
 .1.3.6.1.4.1.12356.105: fortinet/FORTINET-FORTIMAIL-MIB-fnFortiMailMib.yml
 # DRAFTS
-.1.2.840.10036.1.6: ieee/IEEE802dot11-MIB-dot11SMTnotification.yml
 .1.3.6.1.2.1.1.9.7.1: hp/TapeAlert-MIB-tapeAlert.yml
 .1.3.6.1.2.1.1.11.1.2: hitachi/Hitachi-DF-RAID-LAN-MIB-dfraidLan.yml
 .1.3.6.1.2.1.10.5: IETF/RFC1382-MIB-x25.yml
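Review bot: The table under `# dot11AuthenticateFailStatus` (`.1.2.840.10036.1.1.1.19`) is a copy of the reason-code list used for dot11DisassociateReason and dot11DeauthenticateReason, but that object, like dot11AssociateFailStatus and dot11ReassociateFailStatus, appears to carry an 802.11 status code rather than a reason code. If that is right, a failed authentication reporting status 15 would be enriched as '4-way handshake timeout' instead of 'authentication rejected because of challenge failure', which misleads anyone triaging authentication-failure traps. The status-code table already written for `.1.2.840.10036.1.1.1.46` looks like the correct content for `.19`. Separately, code 49 reads `'invalid PMKI'` (likely `'invalid PMKID'`), code 60 has a doubled `because due to`, and the text for 102 names MCCA but then expands MCF.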
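Review bot: The new mapping `.1.2.840.10036.1.6: IEEE/IEEE802dot11-MIB-dot11SMTnotification.yml` points at an upper-case `IEEE/` directory, while the rule file changed by this same patch is `traps/rules/ieee/IEEE802dot11-MIB-dot11SMTnotification.yml` and the DRAFTS entry it replaces used `ieee/`. On a case-sensitive filesystem the lookup would miss unless a later patch in the series renames the directory, and the 802.11 deauthentication and authentication-failure traps would then presumably be handled by the `unsupported` rules instead of the new ones. Either keep the existing case, `.1.2.840.10036.1.6: ieee/IEEE802dot11-MIB-dot11SMTnotification.yml`, or rename the directory in this commit so the two stay in step.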
@@ -60,7 +62,6 @@ unsupported: unsupported.yml
 .1.3.6.1.2.1.10.94.1.2.2: IETF/ADSL-LINE-MIB-adslAturTraps.yml
 .1.3.6.1.2.1.10.166.2: IETF/MPLS-LSR-STD-MIB-mplsLsrNotifications.yml
 .1.3.6.1.2.1.10.166.3: IETF/MPLS-TE-STD-MIB-mplsTeNotifications.yml
-.1.3.6.1.2.1.11: cisco/snmp.yml
 .1.3.6.1.2.1.16: IETF/RMON-MIB-rmonEventsV2.yml
 .1.3.6.1.2.1.16.29.2: IETF/HC-ALARM-MIB-hcAlarmNotifPrefix.yml
 .1.3.6.1.2.1.17: IETF/BRIDGE-MIB-dot1dNotifications.yml
diff --git a/traps/rules/cisco/snmp.yml b/traps/rules/cisco/snmp.yml
deleted file mode 100644
index e7262509..00000000
--- a/traps/rules/cisco/snmp.yml
+++ /dev/null
@@ -1,183 +0,0 @@ -- mapping: |- - #!blobl - root = this - root.out.origin.agent.name = "CISCOTRAP-MIB" -- switch: - - check: this.trap.SpecificTrap == 0 - processors: - - label: cold_start_variables - mapping: |- - #!blobl - root = this - - root.out.cisco.sysUpTime = this.trap.VarBinds.index(0).Value - root.out.cisco.whyReload = this.trap.VarBinds.index(1).Value.snmp_display_string() - - label: cold_start_template - mapping: | - #!blobl - root = this - root.out.event.category.name = "" - root.out.event.id = "" - root.out.event.message = "" - root.out.object.name = "" - root.out.event.class.name = "" - - root.out.event.severity.code = 7 - root.out.event.severity.level = "Debug" - - check: this.trap.SpecificTrap == 1 - processors: - - label: zone_service_req_rej_notify_variables - mapping: |- - #!blobl - root = this - - root.out.cisco.zoneMemberFormat = this.trap.VarBinds.index(0).Value.enum_enrich(".1.3.6.1.4.1.9.9.294.1.1.11.1.4") - root.out.cisco.zoneMemberID = this.trap.VarBinds.index(1).Value.snmp_octet_string() - root.out.cisco.zoneServiceRejReasonCode = this.trap.VarBinds.index(2).Value.enum_enrich(".1.3.6.1.4.1.9.9.294.1.3.1") - root.out.cisco.zoneServiceRejReasonCodeExp = this.trap.VarBinds.index(3).Value.enum_enrich(".1.3.6.1.4.1.9.9.294.1.3.2") - - label: zone_service_req_rej_notify_rules_1 - mapping: |- - #!blobl - root = this - - root.out.event.class.name = "SNMPTRAP-cisco-CISCO-ZS-MIB-zoneServiceReqRejNotify" - root.out.event.id = "SNMPTRAP-cisco-CISCO-ZS-MIB-zoneServiceReqRejNotify" - root.out.event.category.name = "Registration Request Status" - root.out.object.name = "zoneMemberEntry.9.294.1.4" - root.out.event.message = "Registration Request Rejected by Local Zone Server, " + this.trap.VarBinds.index(2).Value.enum_enrich(".1.3.6.1.4.1.9.9.294.1.3.1").string() + " ( " + this.trap.VarBinds.index(0).Value.enum_enrich(".1.3.6.1.4.1.9.9.294.1.1.11.1.4").string() + ": " + this.trap.VarBinds.index(1).Value.snmp_octet_string().string() + " )" - 
root.out.event.severity.code = 3 - root.out.event.severity.level = "Error" - - check: this.trap.SpecificTrap == 2 - processors: - - label: link_down_variables - mapping: |- - #!blobl - root = this - - root.out.cisco.ifIndex = this.trap.VarBinds.index(0).Value - root.out.cisco.ifDescr = this.trap.VarBinds.index(1).Value.snmp_display_string() - root.out.cisco.ifType = this.trap.VarBinds.index(2).Value.enum_enrich(".1.3.6.1.2.1.2.2.1.3") - root.out.cisco.locIfReason = this.trap.VarBinds.index(3).Value.snmp_display_string() - - label: link_down_template - mapping: | - #!blobl - root = this - root.out.event.category.name = "" - root.out.event.id = "" - root.out.event.message = "" - root.out.object.name = "" - root.out.event.class.name = "" - - root.out.event.severity.code = 7 - root.out.event.severity.level = "Debug" - - check: this.trap.SpecificTrap == 3 - processors: - - label: link_up_variables - mapping: |- - #!blobl - root = this - - root.out.cisco.ifIndex = this.trap.VarBinds.index(0).Value - root.out.cisco.ifDescr = this.trap.VarBinds.index(1).Value.snmp_display_string() - root.out.cisco.ifType = this.trap.VarBinds.index(2).Value.enum_enrich(".1.3.6.1.2.1.2.2.1.3") - root.out.cisco.locIfReason = this.trap.VarBinds.index(3).Value.snmp_display_string() - - label: link_up_template - mapping: | - #!blobl - root = this - root.out.event.category.name = "" - root.out.event.id = "" - root.out.event.message = "" - root.out.object.name = "" - root.out.event.class.name = "" - - root.out.event.severity.code = 7 - root.out.event.severity.level = "Debug" - - check: this.trap.SpecificTrap == 4 - processors: - - label: authentication_failure_variables - mapping: |- - #!blobl - root = this - - root.out.cisco.authAddr = this.trap.VarBinds.index(0).Value - - label: authentication_failure_template - mapping: | - #!blobl - root = this - root.out.event.category.name = "" - root.out.event.id = "" - root.out.event.message = "" - root.out.object.name = "" - root.out.event.class.name = "" 
- - root.out.event.severity.code = 7 - root.out.event.severity.level = "Debug" - - check: this.trap.SpecificTrap == 5 - processors: - - label: egp_neighbor_loss_variables - mapping: |- - #!blobl - root = this - - root.out.cisco.egpNeighAddr = this.trap.VarBinds.index(0).Value - - label: egp_neighbor_loss_template - mapping: | - #!blobl - root = this - root.out.event.category.name = "" - root.out.event.id = "" - root.out.event.message = "" - root.out.object.name = "" - root.out.event.class.name = "" - - root.out.event.severity.code = 7 - root.out.event.severity.level = "Debug" - - check: this.trap.SpecificTrap == 6 - processors: - - label: zone_activate_notify_variables - mapping: |- - #!blobl - root = this - - root.out.cisco.zoneSetActivateResult = this.trap.VarBinds.index(0).Value.enum_enrich(".1.3.6.1.4.1.9.9.294.1.1.5.1.2") - root.out.cisco.zoneSwitchWwn = this.trap.VarBinds.index(1).Value.snmp_octet_string() - - label: zone_activate_notify_template - mapping: | - #!blobl - root = this - root.out.event.category.name = "" - root.out.event.id = "" - root.out.event.message = "" - root.out.object.name = "" - root.out.event.class.name = "" - - root.out.event.severity.code = 7 - root.out.event.severity.level = "Debug" - - check: this.trap.SpecificTrap == 7 - processors: - - label: zone_compact_notify_variables - mapping: |- - #!blobl - root = this - - root.out.cisco.zoneCompactVsan = this.trap.VarBinds.index(0).Value - - label: zone_compact_notify_template - mapping: | - #!blobl - root = this - root.out.event.category.name = "" - root.out.event.id = "" - root.out.event.message = "" - root.out.object.name = "" - root.out.event.class.name = "" - - root.out.event.severity.code = 7 - root.out.event.severity.level = "Debug" - - processors: - - label: default - mapping: | - #!blobl - root = this - - root.out.event.category.name = "Unknown Trap" 
diff --git a/traps/rules/ieee/IEEE802dot11-MIB-dot11SMTnotification.yml b/traps/rules/ieee/IEEE802dot11-MIB-dot11SMTnotification.yml
index e9a87d6c..ac9f55c9 100644
--- a/traps/rules/ieee/IEEE802dot11-MIB-dot11SMTnotification.yml
+++ b/traps/rules/ieee/IEEE802dot11-MIB-dot11SMTnotification.yml
@@ -1,166 +1,1005 @@ - mapping: |- #!blobl root = this - root.out.origin.agent.name = "IEEE802dot11-MIB" + root.out.origin.agent.name = "IEEE IEEE802dot11-MIB" - switch: - - check: this.trap.SpecificTrap == 1 - processors: - - label: dot11disassociate_variables - mapping: |- - #!blobl - root = this - - root.out.ieee.ifIndex = this.trap.VarBinds.index(0).Value - root.out.ieee.dot11DisassociateReason = this.trap.VarBinds.index(1).Value - root.out.ieee.dot11DisassociateStation = this.trap.VarBinds.index(2).Value.snmp_mac_address() - - label: dot11disassociate_rules_1 - mapping: |- - #!blobl - root = this - - root.out.event.class.name = "SNMPTRAP-IEEE-IEEE802dot11-MIB-dot11Disassociate" - root.out.event.id = "SNMPTRAP-IEEE-IEEE802dot11-MIB-dot11Disassociate" - root.out.event.category.name = "802.11 Disassociation" - root.out.object.name = "ifEntry." + this.trap.VarBinds.index(0).Value.string() + ", Station MAC: " + this.trap.VarBinds.index(2).Value.snmp_mac_address().string() - root.out.event.message = "STA Sent Disassociation Frame ( to Station MAC: " + this.trap.VarBinds.index(2).Value.snmp_mac_address().string() + " )" - root.out.event.severity.code = 4 - root.out.event.severity.level = "Warning" - - check: this.trap.SpecificTrap == 2 - processors: - - label: dot11deauthenticate_variables - mapping: |- - #!blobl - root = this - - root.out.ieee.ifIndex = this.trap.VarBinds.index(0).Value - root.out.ieee.dot11DeauthenticateReason = this.trap.VarBinds.index(1).Value - root.out.ieee.dot11DeauthenticateStation = this.trap.VarBinds.index(2).Value.snmp_mac_address() - - label: dot11deauthenticate_rules_1 - mapping: |- - #!blobl - root = this - - root.out.event.class.name = "SNMPTRAP-IEEE-IEEE802dot11-MIB-dot11Deauthenticate" - root.out.event.id = "SNMPTRAP-IEEE-IEEE802dot11-MIB-dot11Deauthenticate" - root.out.event.category.name = "802.11 Deauthentication" - root.out.object.name = "ifEntry." 
+ this.trap.VarBinds.index(0).Value.string() + ", Station MAC: " + this.trap.VarBinds.index(2).Value.snmp_mac_address().string() - root.out.event.message = "STA Sent Deauthentication Frame ( to Station MAC: " + this.trap.VarBinds.index(2).Value.snmp_mac_address().string() + " )" - root.out.event.severity.code = 4 - root.out.event.severity.level = "Warning" - - check: this.trap.SpecificTrap == 3 - processors: - - label: dot11authenticate_fail_variables - mapping: |- - #!blobl - root = this - - root.out.ieee.ifIndex = this.trap.VarBinds.index(0).Value - root.out.ieee.dot11AuthenticateFailStatus = this.trap.VarBinds.index(1).Value - root.out.ieee.dot11AuthenticateFailStation = this.trap.VarBinds.index(2).Value.snmp_mac_address() - - label: dot11authenticate_fail_rules_1 - mapping: |- - #!blobl - root = this - - root.out.event.class.name = "SNMPTRAP-IEEE-IEEE802dot11-MIB-dot11AuthenticateFail" - root.out.event.id = "SNMPTRAP-IEEE-IEEE802dot11-MIB-dot11AuthenticateFail" - root.out.event.category.name = "802.11 Authentication Failure" - root.out.object.name = "ifEntry." 
+ this.trap.VarBinds.index(0).Value.string() + ", Station MAC: " + this.trap.VarBinds.index(2).Value.snmp_mac_address().string() - root.out.event.message = "STA Sent Authentication Failure Frame ( to Station MAC: " + this.trap.VarBinds.index(2).Value.snmp_mac_address().string() + " )" - root.out.event.severity.code = 3 - root.out.event.severity.level = "Error" - - check: this.trap.SpecificTrap == 4 - processors: - - label: dot11associate_variables - mapping: |- - #!blobl - root = this - - root.out.ieee.ifIndex = this.trap.VarBinds.index(0).Value - root.out.ieee.dot11AssociateStation = this.trap.VarBinds.index(1).Value.snmp_mac_address() - root.out.ieee.dot11AssociateID = this.trap.VarBinds.index(2).Value - - label: dot11associate_template - mapping: | - #!blobl - root = this - root.out.event.category.name = "" - root.out.event.id = "" - root.out.event.message = "" - root.out.object.name = "" - root.out.event.class.name = "" - - root.out.event.severity.code = 7 - root.out.event.severity.level = "Debug" - - check: this.trap.SpecificTrap == 5 - processors: - - label: dot11associate_failed_variables - mapping: |- - #!blobl - root = this - - root.out.ieee.ifIndex = this.trap.VarBinds.index(0).Value - root.out.ieee.dot11AssociateFailStatus = this.trap.VarBinds.index(1).Value - root.out.ieee.dot11AssociateFailStation = this.trap.VarBinds.index(2).Value.snmp_mac_address() - - label: dot11associate_failed_template - mapping: | - #!blobl - root = this - root.out.event.category.name = "" - root.out.event.id = "" - root.out.event.message = "" - root.out.object.name = "" - root.out.event.class.name = "" - - root.out.event.severity.code = 7 - root.out.event.severity.level = "Debug" - - check: this.trap.SpecificTrap == 6 - processors: - - label: dot11reassociate_variables - mapping: |- - #!blobl - root = this - - root.out.ieee.ifIndex = this.trap.VarBinds.index(0).Value - root.out.ieee.dot11ReassociateStation = this.trap.VarBinds.index(1).Value.snmp_mac_address() - 
root.out.ieee.dot11ReassociateID = this.trap.VarBinds.index(2).Value - - label: dot11reassociate_template - mapping: | - #!blobl - root = this - root.out.event.category.name = "" - root.out.event.id = "" - root.out.event.message = "" - root.out.object.name = "" - root.out.event.class.name = "" - - root.out.event.severity.code = 7 - root.out.event.severity.level = "Debug" - - check: this.trap.SpecificTrap == 7 - processors: - - label: dot11reassociate_failed_variables - mapping: |- - #!blobl - root = this - - root.out.ieee.ifIndex = this.trap.VarBinds.index(0).Value - root.out.ieee.dot11ReassociateFailStatus = this.trap.VarBinds.index(1).Value - root.out.ieee.dot11ReassociateStation = this.trap.VarBinds.index(2).Value.snmp_mac_address() - - label: dot11reassociate_failed_template - mapping: | - #!blobl - root = this - root.out.event.category.name = "" - root.out.event.id = "" - root.out.event.message = "" - root.out.object.name = "" - root.out.event.class.name = "" - - root.out.event.severity.code = 7 - root.out.event.severity.level = "Debug" - - processors: - - label: default - mapping: | - #!blobl - root = this - - root.out.event.category.name = "Unknown Trap" + - check: this.trap.SpecificTrap == 1 + # dot11Disassociate + # + # The disassociate notification is sent when the STA sends a Disassociation frame. The value of the notification + # includes the MAC address of the MAC to which the Disassociation frame was sent and the reason for the + # disassociation. + # + # ifIndex (Integer32) - A unique value, greater than zero, for each interface. + # dot11DisassociateReason (INTEGER) - This attribute holds the most recently transmitted Reason Code in a + # Disassociation frame. If no Disassociation frame has been transmitted, the value of this attribute is 0. + # dot11DisassociateStation (MacAddress) - This attribute holds the MAC address from the Address 1 field of the most + # recently transmitted Disassociation frame. 
If no Disassociation frame has been transmitted, the value of this + # attribute is 0. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds = "unexpected" + if this.trap.VarBinds.length() > 2 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.2.1.2.2.1.1") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.2.840.10036.1.1.1.15") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.2.840.10036.1.1.1.16") { + meta varbinds = "standard" + }}}} else { + if this.trap.VarBinds.length() > 1 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.2.840.10036.1.1.1.15") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.2.840.10036.1.1.1.16") { + meta varbinds = "no_ifIndex" + }}} + } + + - switch: + - check: metadata("varbinds") != "unexpected" + processors: + - mapping: |- + #!blobl + root = this + + if metadata("varbinds") == "standard" { + root.out.ieee.ifIndex = this.trap.VarBinds.index(0).Value.string() + root.out.ieee.dot11DisassociateReason = this.trap.VarBinds.index(1).Value.snmp_int_enum_enrich(".1.2.840.10036.1.1.1.15") + root.out.ieee.dot11DisassociateStation = this.trap.VarBinds.index(2).Value.snmp_mac_address() + } else if metadata("varbinds") == "no_ifIndex" { + root.out.ieee.ifIndex = this.trap.VarBinds.index(0).OID.snmp_oid_get_index(".1.2.840.10036.1.1.1.15") + root.out.ieee.dot11DisassociateReason = this.trap.VarBinds.index(0).Value.snmp_int_enum_enrich(".1.2.840.10036.1.1.1.15") + root.out.ieee.dot11DisassociateStation = this.trap.VarBinds.index(1).Value.snmp_mac_address() + } + + root.out.object.name = "IEEE802dot11-MIB::ifEntry" + root.out.object.index = this.trap.VarBinds.index(0).Value.string() + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.out.object.label = "interface: ifIndex " + root.out.ieee.ifIndex + ", station: " + root.out.ieee.dot11DisassociateStation + + root.out.event.class.name = "SNMPTRAP-IEEE802dot11-MIB-dot11SMTnotification-dot11Disassociate" + root.out.event.id = "SNMPTRAP-IEEE802dot11-MIB-dot11SMTnotification-dot11Disassociate" + root.out.event.category.name = "STA association state" + root.out.event.message = "STA disassociation, " + root.out.ieee.dot11DisassociateReason + root.out.event.severity.code = 6 + root.out.event.severity.level = "Notice" + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = 
this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + }}}}}} + + root.out.event.class.name = "SNMPTRAP-IEEE802dot11-MIB-dot11SMTnotification-dot11Disassociate" + root.out.event.id = 
"SNMPTRAP-IEEE802dot11-MIB-dot11SMTnotification-dot11Disassociate-unknown" + root.out.event.category.name = "STA association state" + root.out.event.message = "STA disassociation - UNEXPECTED VARBINDS for dot11Disassociate trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2 + # dot11Deauthenticate + # + # The deauthenticate notification is sent when the STA sends a Deauthentication frame. The value of the notification + # includes the MAC address of the MAC to which the Deauthentication frame was sent and the reason for the + # deauthentication. + # + # ifIndex (Integer32) - A unique value, greater than zero, for each interface. + # dot11DeauthenticateReason (INTEGER) - This attribute holds the most recently transmitted Reason Code in a + # Deauthentication frame. If no Deauthentication frame has been transmitted, the value of this attribute is 0. + # dot11DeauthenticateStation (MacAddress) - This attribute holds the MAC address from the Address 1 field of the + # most recently transmitted Deauthentication frame. If no Deauthentication frame has been transmitted, the value + # of this attribute is 0. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds = "unexpected" + if this.trap.VarBinds.length() > 2 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.2.1.2.2.1.1") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.2.840.10036.1.1.1.17") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.2.840.10036.1.1.1.18") { + meta varbinds = "standard" + }}}} else { + if this.trap.VarBinds.length() > 1 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.2.840.10036.1.1.1.17") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.2.840.10036.1.1.1.18") { + meta varbinds = "no_ifIndex" + }}} + } + + - switch: + - check: metadata("varbinds") != "unexpected" + processors: + - mapping: |- + #!blobl + root = this + + if metadata("varbinds") == "standard" { + root.out.ieee.ifIndex = this.trap.VarBinds.index(0).Value.string() + root.out.ieee.dot11DeauthenticateReason = this.trap.VarBinds.index(1).Value.snmp_int_enum_enrich(".1.2.840.10036.1.1.1.17") + root.out.ieee.dot11DeauthenticateStation = this.trap.VarBinds.index(2).Value.snmp_mac_address() + } else if metadata("varbinds") == "no_ifIndex" { + root.out.ieee.ifIndex = this.trap.VarBinds.index(0).OID.snmp_oid_get_index(".1.2.840.10036.1.1.1.17") + root.out.ieee.dot11DeauthenticateReason = this.trap.VarBinds.index(0).Value.snmp_int_enum_enrich(".1.2.840.10036.1.1.1.17") + root.out.ieee.dot11DeauthenticateStation = this.trap.VarBinds.index(1).Value.snmp_mac_address() + } + + root.out.object.name = "IEEE802dot11-MIB::ifEntry" + root.out.object.index = this.trap.VarBinds.index(0).Value.string() + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.out.object.label = "interface: ifIndex " + root.out.ieee.ifIndex + ", station: " + root.out.ieee.dot11DeauthenticateStation + + root.out.event.class.name = "SNMPTRAP-IEEE802dot11-MIB-dot11SMTnotification-dot11Deauthenticate" + root.out.event.id = "SNMPTRAP-IEEE802dot11-MIB-dot11SMTnotification-dot11Deauthenticate" + root.out.event.category.name = "STA authentication state" + root.out.event.message = "STA deauthentication, " + root.out.ieee.dot11DeauthenticateReason + root.out.event.severity.code = 5 + root.out.event.severity.level = "Notice" + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = 
this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + }}}}}} + + root.out.event.class.name = "SNMPTRAP-IEEE802dot11-MIB-dot11SMTnotification-dot11Deauthenticate" + root.out.event.id = 
"SNMPTRAP-IEEE802dot11-MIB-dot11SMTnotification-dot11Deauthenticate-unknown" + root.out.event.category.name = "STA authentication state" + root.out.event.message = "STA deauthentication - UNEXPECTED VARBINDS for dot11Deauthenticate trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3 + # dot11AuthenticateFail + # + # The authenticate failure notification is sent when the STA sends an Authentication frame with a status code other + # than SUCCESS. The value of the notification includes the MAC address of the MAC to which the Authentication frame + # was sent and the reason for the authentication failure. + # + # ifIndex (Integer32) - A unique value, greater than zero, for each interface. + # dot11AuthenticateFailStatus (INTEGER) - This attribute holds the most recently transmitted Status Code in a + # failed Authentication frame. If no failed Authentication frame has been transmitted, the value of this attribute + # is 0. + # dot11AuthenticateFailStation (MacAddress) - This attribute holds the MAC address from the Address 1 field of the + # most recently transmitted failed Authentication frame. If no failed Authentication frame has been transmitted, + # the value of this attribute is 0. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds = "unexpected" + if this.trap.VarBinds.length() > 2 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.2.1.2.2.1.1") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.2.840.10036.1.1.1.19") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.2.840.10036.1.1.1.20") { + meta varbinds = "standard" + }}}} else { + if this.trap.VarBinds.length() > 1 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.2.840.10036.1.1.1.19") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.2.840.10036.1.1.1.20") { + meta varbinds = "no_ifIndex" + }}} + } + + - switch: + - check: metadata("varbinds") != "unexpected" + processors: + - mapping: |- + #!blobl + root = this + + if metadata("varbinds") == "standard" { + root.out.ieee.ifIndex = this.trap.VarBinds.index(0).Value.string() + root.out.ieee.dot11AuthenticateFailStatus = this.trap.VarBinds.index(1).Value.snmp_int_enum_enrich(".1.2.840.10036.1.1.1.19") + root.out.ieee.dot11AuthenticateFailStation = this.trap.VarBinds.index(2).Value.snmp_mac_address() + } else if metadata("varbinds") == "no_ifIndex" { + root.out.ieee.ifIndex = this.trap.VarBinds.index(0).OID.snmp_oid_get_index(".1.2.840.10036.1.1.1.19") + root.out.ieee.dot11AuthenticateFailStatus = this.trap.VarBinds.index(0).Value.snmp_int_enum_enrich(".1.2.840.10036.1.1.1.19") + root.out.ieee.dot11AuthenticateFailStation = this.trap.VarBinds.index(1).Value.snmp_mac_address() + } + + root.out.object.name = "IEEE802dot11-MIB::ifEntry" + root.out.object.index = this.trap.VarBinds.index(0).Value.string() + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.out.object.label = "interface: ifIndex " + root.out.ieee.ifIndex + ", station: " + root.out.ieee.dot11AuthenticateFailStation + + root.out.event.class.name = "SNMPTRAP-IEEE802dot11-MIB-dot11SMTnotification-dot11AuthenticateFail" + root.out.event.id = "SNMPTRAP-IEEE802dot11-MIB-dot11SMTnotification-dot11AuthenticateFail" + root.out.event.category.name = "STA authentication state" + root.out.event.message = "STA authentication failed, " + root.out.ieee.dot11AuthenticateFailStatus + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = 
this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + }}}}}} + + root.out.event.class.name = "SNMPTRAP-IEEE802dot11-MIB-dot11SMTnotification-dot11AuthenticateFail" + root.out.event.id = 
"SNMPTRAP-IEEE802dot11-MIB-dot11SMTnotification-dot11AuthenticateFail-unknown" + root.out.event.category.name = "STA authentication state" + root.out.event.message = "STA authentication failed - UNEXPECTED VARBINDS for dot11AuthenticateFail trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 4 + # dot11Associate + # + # The associate notification is sent when the STA sends an Association Response frame with a status code equal to + # SUCCESS. The value of the notification includes the MAC address of the MAC to which the Association Response frame + # was sent and the Association ID. + # + # ifIndex (Integer32) - A unique value, greater than zero, for each interface. + # dot11AssociateStation (MacAddress) - This attribute indicates the MAC address from the Address 1 field of the most + # recently transmitted Association Response frame. If no Association Response frame has been transmitted, the + # value of this attribute is 0. + # dot11AssociateID (Unsigned32) - This attribute indicates the Association ID from the most recently transmitted + # Association Response frame. If no Association Response frame has been transmitted, the value of this attribute + # is 0. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds = "unexpected" + if this.trap.VarBinds.length() > 2 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.2.1.2.2.1.1") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.2.840.10036.1.1.1.43") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.2.840.10036.1.1.1.44") { + meta varbinds = "standard" + }}}} else { + if this.trap.VarBinds.length() > 1 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.2.840.10036.1.1.1.43") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.2.840.10036.1.1.1.44") { + meta varbinds = "no_ifIndex" + }}} + } + + - switch: + - check: metadata("varbinds") != "unexpected" + processors: + - mapping: |- + #!blobl + root = this + + if metadata("varbinds") == "standard" { + root.out.ieee.ifIndex = this.trap.VarBinds.index(0).Value.string() + root.out.ieee.dot11AssociateStation = this.trap.VarBinds.index(1).Value.snmp_mac_address() + root.out.ieee.dot11AssociateID = this.trap.VarBinds.index(2).Value.string() + } else if metadata("varbinds") == "no_ifIndex" { + root.out.ieee.ifIndex = this.trap.VarBinds.index(0).OID.snmp_oid_get_index(".1.2.840.10036.1.1.1.43") + root.out.ieee.dot11AssociateStation = this.trap.VarBinds.index(0).Value.snmp_mac_address() + root.out.ieee.dot11AssociateID = this.trap.VarBinds.index(1).Value.string() + } + + root.out.object.name = "IEEE802dot11-MIB::ifEntry" + root.out.object.index = this.trap.VarBinds.index(0).Value.string() + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.out.object.label = "interface: ifIndex " + root.out.ieee.ifIndex + ", station: " + root.out.ieee.dot11AssociateStation + + root.out.event.class.name = "SNMPTRAP-IEEE802dot11-MIB-dot11SMTnotification-dot11Associate" + root.out.event.id = "SNMPTRAP-IEEE802dot11-MIB-dot11SMTnotification-dot11Associate" + root.out.event.category.name = "STA association state" + root.out.event.message = "STA association successful" + root.out.event.severity.code = 6 + root.out.event.severity.level = "Informational" + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if 
this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + }}}}}} + + root.out.event.class.name = "SNMPTRAP-IEEE802dot11-MIB-dot11SMTnotification-dot11Associate" + root.out.event.id = "SNMPTRAP-IEEE802dot11-MIB-dot11SMTnotification-dot11Associate-unknown" + root.out.event.category.name = "STA association state" + 
root.out.event.message = "STA association successful - UNEXPECTED VARBINDS for dot11Associate trap!" + root.out.event.severity.code = 5 + root.out.event.severity.level = "Notice" + + - check: this.trap.SpecificTrap == 5 + # dot11AssociateFailed + # + # The associate failed notification is sent when the STA sends an Association Response frame with a status code + # other than SUCCESS. The value of the notification includes the MAC address of the MAC to which the Association + # Response frame was sent and the reason for the association failure. + # + # ifIndex (Integer32) - A unique value, greater than zero, for each interface. + # dot11AssociateFailStatus (INTEGER) - This attribute indicates the most recently transmitted Status Code in a + # failed Association Response frame. If no failed Association Response frame has been transmitted, the value of + # this attribute is 0. + # dot11AssociateFailStation (MacAddress) - This attribute indicates the MAC address from the Address 1 field of the + # most recently transmitted failed Association Response frame. If no failed Association Response frame has been + # transmitted, the value of this attribute is 0. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds = "unexpected" + if this.trap.VarBinds.length() > 2 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.2.1.2.2.1.1") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.2.840.10036.1.1.1.46") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.2.840.10036.1.1.1.45") { + meta varbinds = "standard" + }}}} else { + if this.trap.VarBinds.length() > 1 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.2.840.10036.1.1.1.46") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.2.840.10036.1.1.1.45") { + meta varbinds = "no_ifIndex" + }}} + } + + - switch: + - check: metadata("varbinds") != "unexpected" + processors: + - mapping: |- + #!blobl + root = this + + if metadata("varbinds") == "standard" { + root.out.ieee.ifIndex = this.trap.VarBinds.index(0).Value.string() + root.out.ieee.dot11AssociateFailStatus = this.trap.VarBinds.index(1).Value.snmp_int_enum_enrich(".1.2.840.10036.1.1.1.46") + root.out.ieee.dot11AssociateFailStation = this.trap.VarBinds.index(2).Value.snmp_mac_address() + } else if metadata("varbinds") == "no_ifIndex" { + root.out.ieee.ifIndex = this.trap.VarBinds.index(0).OID.snmp_oid_get_index(".1.2.840.10036.1.1.1.46") + root.out.ieee.dot11AssociateFailStatus = this.trap.VarBinds.index(0).Value.snmp_int_enum_enrich(".1.2.840.10036.1.1.1.46") + root.out.ieee.dot11AssociateFailStation = this.trap.VarBinds.index(1).Value.snmp_mac_address() + } + + root.out.object.name = "IEEE802dot11-MIB::ifEntry" + root.out.object.index = this.trap.VarBinds.index(0).Value.string() + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.out.object.label = "interface: ifIndex " + root.out.ieee.ifIndex + ", station: " + root.out.ieee.dot11AssociateFailStation + + root.out.event.class.name = "SNMPTRAP-IEEE802dot11-MIB-dot11SMTnotification-dot11AssociateFailed" + root.out.event.id = "SNMPTRAP-IEEE802dot11-MIB-dot11SMTnotification-dot11AssociateFailed" + root.out.event.category.name = "STA association state" + root.out.event.message = "STA association failed, " + root.out.ieee.dot11AssociateFailStatus + root.out.event.severity.code = 3 + root.out.event.severity.level = "Error" + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = 
this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + }}}}}} + + root.out.event.class.name = "SNMPTRAP-IEEE802dot11-MIB-dot11SMTnotification-dot11AssociateFailed" + root.out.event.id = 
"SNMPTRAP-IEEE802dot11-MIB-dot11SMTnotification-dot11AssociateFailed-unknown" + root.out.event.category.name = "STA association state" + root.out.event.message = "STA association failed - UNEXPECTED VARBINDS for dot11AssociateFailed trap!" + root.out.event.severity.code = 3 + root.out.event.severity.level = "Error" + + - check: this.trap.SpecificTrap == 6 + # dot11Reassociate + # + # The reassociate notification is sent when the STA sends a Reassociation Response frame with a status code equal to + # SUCCESS. The value of the notification includes the MAC address of the MAC to which the Reassociation Response + # frame was sent and the Reassociation ID. + # + # ifIndex (Integer32) - A unique value, greater than zero, for each interface. + # dot11ReassociateStation (MacAddress) - This attribute indicates the MAC address from the Address 1 field of the + # most recently transmitted Reassociation Response frame. If no Reassociation Response frame has been transmitted, + # the value of this attribute is 0. + # dot11ReassociateID (Unsigned32) - This attribute indicates the Association ID from the most recently transmitted + # Reassociation Response frame. If no Reassociation Response frame has been transmitted, the value of this + # attribute is 0. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds = "unexpected" + if this.trap.VarBinds.length() > 2 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.2.1.2.2.1.1") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.2.840.10036.1.1.1.47") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.2.840.10036.1.1.1.48") { + meta varbinds = "standard" + }}}} else { + if this.trap.VarBinds.length() > 1 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.2.840.10036.1.1.1.47") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.2.840.10036.1.1.1.48") { + meta varbinds = "no_ifIndex" + }}} + } + + - switch: + - check: metadata("varbinds") != "unexpected" + processors: + - mapping: |- + #!blobl + root = this + + if metadata("varbinds") == "standard" { + root.out.ieee.ifIndex = this.trap.VarBinds.index(0).Value.string() + root.out.ieee.dot11ReassociateStation = this.trap.VarBinds.index(1).Value.snmp_mac_address() + root.out.ieee.dot11ReassociateID = this.trap.VarBinds.index(2).Value.string() + } else if metadata("varbinds") == "no_ifIndex" { + root.out.ieee.ifIndex = this.trap.VarBinds.index(0).OID.snmp_oid_get_index(".1.2.840.10036.1.1.1.47") + root.out.ieee.dot11ReassociateStation = this.trap.VarBinds.index(0).Value.snmp_mac_address() + root.out.ieee.dot11ReassociateID = this.trap.VarBinds.index(1).Value.string() + } + + root.out.object.name = "IEEE802dot11-MIB::ifEntry" + root.out.object.index = this.trap.VarBinds.index(0).Value.string() + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.out.object.label = "interface: ifIndex " + root.out.ieee.ifIndex + ", station: " + root.out.ieee.dot11ReassociateStation + + root.out.event.class.name = "SNMPTRAP-IEEE802dot11-MIB-dot11SMTnotification-dot11Reassociate" + root.out.event.id = "SNMPTRAP-IEEE802dot11-MIB-dot11SMTnotification-dot11Reassociate" + root.out.event.category.name = "STA association state" + root.out.event.message = "STA reassociation successful" + root.out.event.severity.code = 6 + root.out.event.severity.level = "Informational" + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + 
if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + }}}}}} + + root.out.event.class.name = "SNMPTRAP-IEEE802dot11-MIB-dot11SMTnotification-dot11Reassociate" + root.out.event.id = "SNMPTRAP-IEEE802dot11-MIB-dot11SMTnotification-dot11Reassociate-unknown" + root.out.event.category.name = "STA association state" 
+ root.out.event.message = "STA reassociation successful - UNEXPECTED VARBINDS for dot11Reassociate trap!" + root.out.event.severity.code = 5 + root.out.event.severity.level = "Notice" + + - check: this.trap.SpecificTrap == 7 + # dot11ReassociateFailed + # + # The reassociate failed notification is sent when the STA sends a Reassociation Response frame with a status code + # other than SUCCESS. The value of the notification includes the MAC address of the MAC to which the Reassociation + # Response frame was sent and the reason for the reassociation failure. + # + # ifIndex (Integer32) - A unique value, greater than zero, for each interface. + # dot11ReassociateFailStatus (INTEGER) - This attribute indicates the most recently transmitted Status Code in a + # failed Association Response frame. If no failed Association Response frame has been transmitted, the value of + # this attribute is 0. + # dot11ReassociateStation (MacAddress) - This attribute indicates the MAC address from the Address 1 field of the + # most recently transmitted Reassociation Response frame. If no Reassociation Response frame has been transmitted, + # the value of this attribute is 0. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds = "unexpected" + if this.trap.VarBinds.length() > 2 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.2.1.2.2.1.1") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.2.840.10036.1.1.1.50") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.2.840.10036.1.1.1.47") { + meta varbinds = "standard" + }}}} else { + if this.trap.VarBinds.length() > 1 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.2.840.10036.1.1.1.50") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.2.840.10036.1.1.1.47") { + meta varbinds = "no_ifIndex" + }}} + } + + - switch: + - check: metadata("varbinds") != "unexpected" + processors: + - mapping: |- + #!blobl + root = this + + if metadata("varbinds") == "standard" { + root.out.ieee.ifIndex = this.trap.VarBinds.index(0).Value.string() + root.out.ieee.dot11ReassociateFailStatus = this.trap.VarBinds.index(1).Value.snmp_int_enum_enrich(".1.2.840.10036.1.1.1.50") + root.out.ieee.dot11ReassociateStation = this.trap.VarBinds.index(2).Value.snmp_mac_address() + } else if metadata("varbinds") == "no_ifIndex" { + root.out.ieee.ifIndex = this.trap.VarBinds.index(0).OID.snmp_oid_get_index(".1.2.840.10036.1.1.1.50") + root.out.ieee.dot11ReassociateFailStatus = this.trap.VarBinds.index(0).Value.snmp_int_enum_enrich(".1.2.840.10036.1.1.1.50") + root.out.ieee.dot11ReassociateStation = this.trap.VarBinds.index(1).Value.snmp_mac_address() + } + + root.out.object.name = "IEEE802dot11-MIB::ifEntry" + root.out.object.index = this.trap.VarBinds.index(0).Value.string() + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.out.object.label = "interface: ifIndex " + root.out.ieee.ifIndex + ", station: " + root.out.ieee.dot11ReassociateStation + + root.out.event.class.name = "SNMPTRAP-IEEE802dot11-MIB-dot11SMTnotification-dot11ReassociateFailed" + root.out.event.id = "SNMPTRAP-IEEE802dot11-MIB-dot11SMTnotification-dot11ReassociateFailed" + root.out.event.category.name = "STA association state" + root.out.event.message = "STA reassociation failed, " + root.out.ieee.dot11ReassociateFailStatus + root.out.event.severity.code = 3 + root.out.event.severity.level = "Error" + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = 
this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + }}}}}} + + root.out.event.class.name = "SNMPTRAP-IEEE802dot11-MIB-dot11SMTnotification-dot11ReassociateFailed" + root.out.event.id = 
"SNMPTRAP-IEEE802dot11-MIB-dot11SMTnotification-dot11ReassociateFailed-unknown" + root.out.event.category.name = "STA association state" + root.out.event.message = "STA reassociation failed - UNEXPECTED VARBINDS for dot11ReassociateFailed trap!" + root.out.event.severity.code = 3 + root.out.event.severity.level = "Error" + + - processors: + - label: default + mapping: | + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = 
this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + 
root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + }}}}}}}} + + root.out.event.class.name = "SNMPTRAP-IEEE802dot11-MIB-dot11SMTnotification-unknown" + root.out.event.id = "SNMPTRAP-IEEE802dot11-MIB-dot11SMTnotification-" + this.trap.SpecificTrap.string() + root.out.event.category.name = "unknown specific trap" + root.out.event.message = "unknown specific trap " + this.trap.SpecificTrap.string() + " from IEEE IEEE802dot11-MIB-dot11SMTnotification" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" From 85c12e589daa548abf2fb60afdee2cf10055f069 Mon Sep 17 00:00:00 2001 From: Rob Cowart Date: Wed, 22 Oct 2025 14:48:40 +0200 Subject: [PATCH 2/8] official Printer-MIB trap rules --- enums/integer/ietf/Printer-MIB.yml | 711 ++++++++++++- traps/enterprises.yml | 2 +- .../rules/IETF/Printer-MIB-printerV1Alert.yml | 310 ++++++ .../IETF/Printer-MIB-printerV2AlertPrefix.yml | 996 ------------------ 4 files changed, 1021 insertions(+), 998 deletions(-) create mode 100644 traps/rules/IETF/Printer-MIB-printerV1Alert.yml delete mode 100644 traps/rules/IETF/Printer-MIB-printerV2AlertPrefix.yml diff --git a/enums/integer/ietf/Printer-MIB.yml b/enums/integer/ietf/Printer-MIB.yml index 628a8106..e427f059 100644 --- a/enums/integer/ietf/Printer-MIB.yml +++ b/enums/integer/ietf/Printer-MIB.yml @@ -369,7 +369,7 @@ 33: 'finisher attribute' # finAttribute # prtAlertCode -.1.3.6.1.2.1.43.18.1.1.7: +.1.3.6.1.2.1.43.18.1.1.7_definition: 1: other 2: unknown 3: coverOpen 
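Review bot: The `# prtAlertCode` comment now sits on the renamed `.1.3.6.1.2.1.43.18.1.1.7_definition` table, while the unsuffixed OID is re-added by the `@@ -1077,3 +1077,712 @@` hunk with spaced display labels and no comment, so nothing in the file explains that there are two tables. Anything that still enriches against `.1.3.6.1.2.1.43.18.1.1.7` and then matches on the old identifiers (`coverOpen`, `unknown`, …) would presumably stop matching without raising an error, which in an alerting pipeline means silently dropped printer alerts. The consumers are not visible in this hunk, so this should be checked against the rules under traps/rules/IETF. I would make the split explicit with `# prtAlertCode - MIB identifiers (display labels: .1.3.6.1.2.1.43.18.1.1.7)` here and a matching `# prtAlertCode - display labels` above the new table.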
@@ -1077,3 +1077,712 @@ 31836: inserterOverTemperature 31837: inserterTimingFailure 31838: inserterThermistorFailure + +.1.3.6.1.2.1.43.18.1.1.7: + 1: 'other' + 2: 'unknown' + 3: 'cover open' + 4: 'cover closed' + 5: 'interlock open' + 6: 'interlock closed' + 7: 'configuration change' + 8: 'jam' + 9: 'sub-unit missing' + 10: 'sub-unit life almost over' + 11: 'sub-unit life over' + 12: 'sub-unit almost empty' + 13: 'sub-unit empty' + 14: 'sub-unit almost full' + 15: 'sub-unit full' + 16: 'sub-unit near limit' + 17: 'sub-unit at limit' + 18: 'sub-unit opened' + 19: 'sub-unit closed' + 20: 'sub-unit turned on' + 21: 'sub-unit turned off' + 22: 'sub-unit offline' + 23: 'sub-unit power saver' + 24: 'sub-unit warming up' + 25: 'sub-unit added' + 26: 'sub-unit removed' + 27: 'sub-unit resource added' + 28: 'sub-unit resource removed' + 29: 'sub-unit recoverable failure' + 30: 'sub-unit unrecoverable failure' + 31: 'sub-unit recoverable storage error' + 32: 'sub-unit unrecoverable storage error' + 33: 'sub-unit motor failure' + 34: 'sub-unit memory exhausted' + 35: 'sub-unit under temperature' + 36: 'sub-unit over temperature' + 37: 'sub-unit timing failure' + 38: 'sub-unit thermistor failure' + 501: 'door open' + 502: 'door closed' + 503: 'power up' + 504: 'power down' + 505: 'printer NMS reset' + 506: 'printer manual reset' + 507: 'printer ready to print' + 801: 'input media tray missing' + 802: 'input media size change' + 803: 'input media weight change' + 804: 'input media type change' + 805: 'input media color change' + 806: 'input media form parts change' + 807: 'input media supply low' + 808: 'input media supply empty' + 809: 'input media change request' + 810: 'input manual input request' + 811: 'input tray position failure' + 812: 'input tray elevation failure' + 813: 'input cannot feed size selected' + 901: 'output media tray missing' + 902: 'output media tray almost full' + 903: 'output media tray full' + 904: 'output mailbox select failure' + 1001: 'marker 
fuser under temperature' + 1002: 'marker fuser over temperature' + 1003: 'marker fuser timing failure' + 1004: 'marker fuser thermistor failure' + 1005: 'marker adjusting print quality' + 1101: 'marker toner empty' + 1102: 'marker ink empty' + 1103: 'marker print ribbon empty' + 1104: 'marker toner almost empty' + 1105: 'marker ink almost empty' + 1106: 'marker print ribbon almost empty' + 1107: 'marker waste toner receptacle almost full' + 1108: 'marker waste ink receptacle almost full' + 1109: 'marker waste toner receptacle full' + 1110: 'marker waste ink receptacle full' + 1111: 'marker OPC life almost over' + 1112: 'marker OPC life over' + 1113: 'marker developer almost empty' + 1114: 'marker developer empty' + 1115: 'marker toner cartridge missing' + 1301: 'media path media tray missing' + 1302: 'media path media tray almost full' + 1303: 'media path media tray full' + 1304: 'media path cannot duplex media selected' + 1501: 'interpreter memory increase' + 1502: 'interpreter memory decrease' + 1503: 'interpreter cartridge added' + 1504: 'interpreter cartridge deleted' + 1505: 'interpreter resource added' + 1506: 'interpreter resource deleted' + 1507: 'interpreter resource unavailable' + 1509: 'interpreter complex page encountered' + 1801: 'alert removal of binary change entry' + 30203: 'stapler cover open' + 30204: 'stapler cover closed' + 30205: 'stapler interlock open' + 30206: 'stapler interlock closed' + 30207: 'stapler configuration change' + 30208: 'stapler jam' + 30209: 'stapler missing' + 30210: 'stapler life almost over' + 30211: 'stapler life over' + 30212: 'stapler almost empty' + 30213: 'stapler empty' + 30214: 'stapler almost full' + 30215: 'stapler full' + 30216: 'stapler near limit' + 30217: 'stapler at limit' + 30218: 'stapler opened' + 30219: 'stapler closed' + 30220: 'stapler turned on' + 30221: 'stapler turned off' + 30222: 'stapler offline' + 30223: 'stapler power saver' + 30224: 'stapler warming up' + 30225: 'stapler added' + 30226: 
'stapler removed' + 30227: 'stapler resource added' + 30228: 'stapler resource removed' + 30229: 'stapler recoverable failure' + 30230: 'stapler unrecoverable failure' + 30231: 'stapler recoverable storage error' + 30232: 'stapler unrecoverable storage error' + 30233: 'stapler motor failure' + 30234: 'stapler memory exhausted' + 30235: 'stapler under temperature' + 30236: 'stapler over temperature' + 30237: 'stapler timing failure' + 30238: 'stapler thermistor failure' + 30303: 'stitcher cover open' + 30304: 'stitcher cover closed' + 30305: 'stitcher interlock open' + 30306: 'stitcher interlock closed' + 30307: 'stitcher configuration change' + 30308: 'stitcher jam' + 30309: 'stitcher missing' + 30310: 'stitcher life almost over' + 30311: 'stitcher life over' + 30312: 'stitcher almost empty' + 30313: 'stitcher empty' + 30314: 'stitcher almost full' + 30315: 'stitcher full' + 30316: 'stitcher near limit' + 30317: 'stitcher at limit' + 30318: 'stitcher opened' + 30319: 'stitcher closed' + 30320: 'stitcher turned on' + 30321: 'stitcher turned off' + 30322: 'stitcher offline' + 30323: 'stitcher power saver' + 30324: 'stitcher warming up' + 30325: 'stitcher added' + 30326: 'stitcher removed' + 30327: 'stitcher resource added' + 30328: 'stitcher resource removed' + 30329: 'stitcher recoverable failure' + 30330: 'stitcher unrecoverable failure' + 30331: 'stitcher recoverable storage error' + 30332: 'stitcher unrecoverable storage error' + 30333: 'stitcher motor failure' + 30334: 'stitcher memory exhausted' + 30335: 'stitcher under temperature' + 30336: 'stitcher over temperature' + 30337: 'stitcher timing failure' + 30338: 'stitcher thermistor failure' + 30403: 'folder cover open' + 30404: 'folder cover closed' + 30405: 'folder interlock open' + 30406: 'folder interlock closed' + 30407: 'folder configuration change' + 30408: 'folder jam' + 30409: 'folder missing' + 30410: 'folder life almost over' + 30411: 'folder life over' + 30412: 'folder almost empty' + 30413: 'folder 
empty' + 30414: 'folder almost full' + 30415: 'folder full' + 30416: 'folder near limit' + 30417: 'folder at limit' + 30418: 'folder opened' + 30419: 'folder closed' + 30420: 'folder turned on' + 30421: 'folder turned off' + 30422: 'folder offline' + 30423: 'folder power saver' + 30424: 'folder warming up' + 30425: 'folder added' + 30426: 'folder removed' + 30427: 'folder resource added' + 30428: 'folder resource removed' + 30429: 'folder recoverable failure' + 30430: 'folder unrecoverable failure' + 30431: 'folder recoverable storage error' + 30432: 'folder unrecoverable storage error' + 30433: 'folder motor failure' + 30434: 'folder memory exhausted' + 30435: 'folder under temperature' + 30436: 'folder over temperature' + 30437: 'folder timing failure' + 30438: 'folder thermistor failure' + 30503: 'binder cover open' + 30504: 'binder cover closed' + 30505: 'binder interlock open' + 30506: 'binder interlock closed' + 30507: 'binder configuration change' + 30508: 'binder jam' + 30509: 'binder missing' + 30510: 'binder life almost over' + 30511: 'binder life over' + 30512: 'binder almost empty' + 30513: 'binder empty' + 30514: 'binder almost full' + 30515: 'binder full' + 30516: 'binder near limit' + 30517: 'binder at limit' + 30518: 'binder opened' + 30519: 'binder closed' + 30520: 'binder turned on' + 30521: 'binder turned off' + 30522: 'binder offline' + 30523: 'binder power saver' + 30524: 'binder warming up' + 30525: 'binder added' + 30526: 'binder removed' + 30527: 'binder resource added' + 30528: 'binder resource removed' + 30529: 'binder recoverable failure' + 30530: 'binder unrecoverable failure' + 30531: 'binder recoverable storage error' + 30532: 'binder unrecoverable storage error' + 30533: 'binder motor failure' + 30534: 'binder memory exhausted' + 30535: 'binder under temperature' + 30536: 'binder over temperature' + 30537: 'binder timing failure' + 30538: 'binder thermistor failure' + 30603: 'trimmer cover open' + 30604: 'trimmer cover closed' + 
30605: 'trimmer interlock open' + 30606: 'trimmer interlock closed' + 30607: 'trimmer configuration change' + 30608: 'trimmer jam' + 30609: 'trimmer missing' + 30610: 'trimmer life almost over' + 30611: 'trimmer life over' + 30612: 'trimmer almost empty' + 30613: 'trimmer empty' + 30614: 'trimmer almost full' + 30615: 'trimmer full' + 30616: 'trimmer near limit' + 30617: 'trimmer at limit' + 30618: 'trimmer opened' + 30619: 'trimmer closed' + 30620: 'trimmer turned on' + 30621: 'trimmer turned off' + 30622: 'trimmer offline' + 30623: 'trimmer power saver' + 30624: 'trimmer warming up' + 30625: 'trimmer added' + 30626: 'trimmer removed' + 30627: 'trimmer resource added' + 30628: 'trimmer resource removed' + 30629: 'trimmer recoverable failure' + 30630: 'trimmer unrecoverable failure' + 30631: 'trimmer recoverable storage error' + 30632: 'trimmer unrecoverable storage error' + 30633: 'trimmer motor failure' + 30634: 'trimmer memory exhausted' + 30635: 'trimmer under temperature' + 30636: 'trimmer over temperature' + 30637: 'trimmer timing failure' + 30638: 'trimmer thermistor failure' + 30703: 'die cutter cover open' + 30704: 'die cutter cover closed' + 30705: 'die cutter interlock open' + 30706: 'die cutter interlock closed' + 30707: 'die cutter configuration change' + 30708: 'die cutter jam' + 30709: 'die cutter missing' + 30710: 'die cutter life almost over' + 30711: 'die cutter life over' + 30712: 'die cutter almost empty' + 30713: 'die cutter empty' + 30714: 'die cutter almost full' + 30715: 'die cutter full' + 30716: 'die cutter near limit' + 30717: 'die cutter at limit' + 30718: 'die cutter opened' + 30719: 'die cutter closed' + 30720: 'die cutter turned on' + 30721: 'die cutter turned off' + 30722: 'die cutter offline' + 30723: 'die cutter power saver' + 30724: 'die cutter warming up' + 30725: 'die cutter added' + 30726: 'die cutter removed' + 30727: 'die cutter resource added' + 30728: 'die cutter resource removed' + 30729: 'die cutter recoverable failure' + 
30730: 'die cutter unrecoverable failure' + 30731: 'die cutter recoverable storage error' + 30732: 'die cutter unrecoverable storage error' + 30733: 'die cutter motor failure' + 30734: 'die cutter memory exhausted' + 30735: 'die cutter under temperature' + 30736: 'die cutter over temperature' + 30737: 'die cutter timing failure' + 30738: 'die cutter thermistor failure' + 30803: 'puncher cover open' + 30804: 'puncher cover closed' + 30805: 'puncher interlock open' + 30806: 'puncher interlock closed' + 30807: 'puncher configuration change' + 30808: 'puncher jam' + 30809: 'puncher missing' + 30810: 'puncher life almost over' + 30811: 'puncher life over' + 30812: 'puncher almost empty' + 30813: 'puncher empty' + 30814: 'puncher almost full' + 30815: 'puncher full' + 30816: 'puncher near limit' + 30817: 'puncher at limit' + 30818: 'puncher opened' + 30819: 'puncher closed' + 30820: 'puncher turned on' + 30821: 'puncher turned off' + 30822: 'puncher offline' + 30823: 'puncher power saver' + 30824: 'puncher warming up' + 30825: 'puncher added' + 30826: 'puncher removed' + 30827: 'puncher resource added' + 30828: 'puncher resource removed' + 30829: 'puncher recoverable failure' + 30830: 'puncher unrecoverable failure' + 30831: 'puncher recoverable storage error' + 30832: 'puncher unrecoverable storage error' + 30833: 'puncher motor failure' + 30834: 'puncher memory exhausted' + 30835: 'puncher under temperature' + 30836: 'puncher over temperature' + 30837: 'puncher timing failure' + 30838: 'puncher thermistor failure' + 30903: 'perforater cover open' + 30904: 'perforater cover closed' + 30905: 'perforater interlock open' + 30906: 'perforater interlock closed' + 30907: 'perforater configuration change' + 30908: 'perforater jam' + 30909: 'perforater missing' + 30910: 'perforater life almost over' + 30911: 'perforater life over' + 30912: 'perforater almost empty' + 30913: 'perforater empty' + 30914: 'perforater almost full' + 30915: 'perforater full' + 30916: 'perforater near 
limit' + 30917: 'perforater at limit' + 30918: 'perforater opened' + 30919: 'perforater closed' + 30920: 'perforater turned on' + 30921: 'perforater turned off' + 30922: 'perforater offline' + 30923: 'perforater power saver' + 30924: 'perforater warming up' + 30925: 'perforater added' + 30926: 'perforater removed' + 30927: 'perforater resource added' + 30928: 'perforater resource removed' + 30929: 'perforater recoverable failure' + 30930: 'perforater unrecoverable failure' + 30931: 'perforater recoverable storage error' + 30932: 'perforater unrecoverable storage error' + 30933: 'perforater motor failure' + 30934: 'perforater memory exhausted' + 30935: 'perforater under temperature' + 30936: 'perforater over temperature' + 30937: 'perforater timing failure' + 30938: 'perforater thermistor failure' + 31003: 'slitter cover open' + 31004: 'slitter cover closed' + 31005: 'slitter interlock open' + 31006: 'slitter interlock closed' + 31007: 'slitter configuration change' + 31008: 'slitter jam' + 31009: 'slitter missing' + 31010: 'slitter life almost over' + 31011: 'slitter life over' + 31012: 'slitter almost empty' + 31013: 'slitter empty' + 31014: 'slitter almost full' + 31015: 'slitter full' + 31016: 'slitter near limit' + 31017: 'slitter at limit' + 31018: 'slitter opened' + 31019: 'slitter closed' + 31020: 'slitter turned on' + 31021: 'slitter turned off' + 31022: 'slitter offline' + 31023: 'slitter power saver' + 31024: 'slitter warming up' + 31025: 'slitter added' + 31026: 'slitter removed' + 31027: 'slitter resource added' + 31028: 'slitter resource removed' + 31029: 'slitter recoverable failure' + 31030: 'slitter unrecoverable failure' + 31031: 'slitter recoverable storage error' + 31032: 'slitter unrecoverable storage error' + 31033: 'slitter motor failure' + 31034: 'slitter memory exhausted' + 31035: 'slitter under temperature' + 31036: 'slitter over temperature' + 31037: 'slitter timing failure' + 31038: 'slitter thermistor failure' + 31103: 'separation cutter 
cover open' + 31104: 'separation cutter cover closed' + 31105: 'separation cutter interlock open' + 31106: 'separation cutter interlock closed' + 31107: 'separation cutter configuration change' + 31108: 'separation cutter jam' + 31109: 'separation cutter missing' + 31110: 'separation cutter life almost over' + 31111: 'separation cutter life over' + 31112: 'separation cutter almost empty' + 31113: 'separation cutter empty' + 31114: 'separation cutter almost full' + 31115: 'separation cutter full' + 31116: 'separation cutter near limit' + 31117: 'separation cutter at limit' + 31118: 'separation cutter opened' + 31119: 'separation cutter closed' + 31120: 'separation cutter turned on' + 31121: 'separation cutter turned off' + 31122: 'separation cutter offline' + 31123: 'separation cutter power saver' + 31124: 'separation cutter warming up' + 31125: 'separation cutter added' + 31126: 'separation cutter removed' + 31127: 'separation cutter resource added' + 31128: 'separation cutter resource removed' + 31129: 'separation cutter recoverable failure' + 31130: 'separation cutter unrecoverable failure' + 31131: 'separation cutter recoverable storage error' + 31132: 'separation cutter unrecoverable storage error' + 31133: 'separation cutter motor failure' + 31134: 'separation cutter memory exhausted' + 31135: 'separation cutter under temperature' + 31136: 'separation cutter over temperature' + 31137: 'separation cutter timing failure' + 31138: 'separation cutter thermistor failure' + 31203: 'imprinter cover open' + 31204: 'imprinter cover closed' + 31205: 'imprinter interlock open' + 31206: 'imprinter interlock closed' + 31207: 'imprinter configuration change' + 31208: 'imprinter jam' + 31209: 'imprinter missing' + 31210: 'imprinter life almost over' + 31211: 'imprinter life over' + 31212: 'imprinter almost empty' + 31213: 'imprinter empty' + 31214: 'imprinter almost full' + 31215: 'imprinter full' + 31216: 'imprinter near limit' + 31217: 'imprinter at limit' + 31218: 
'imprinter opened' + 31219: 'imprinter closed' + 31220: 'imprinter turned on' + 31221: 'imprinter turned off' + 31222: 'imprinter offline' + 31223: 'imprinter power saver' + 31224: 'imprinter warming up' + 31225: 'imprinter added' + 31226: 'imprinter removed' + 31227: 'imprinter resource added' + 31228: 'imprinter resource removed' + 31229: 'imprinter recoverable failure' + 31230: 'imprinter unrecoverable failure' + 31231: 'imprinter recoverable storage error' + 31232: 'imprinter unrecoverable storage error' + 31233: 'imprinter motor failure' + 31234: 'imprinter memory exhausted' + 31235: 'imprinter under temperature' + 31236: 'imprinter over temperature' + 31237: 'imprinter timing failure' + 31238: 'imprinter thermistor failure' + 31303: 'wrapper cover open' + 31304: 'wrapper cover closed' + 31305: 'wrapper interlock open' + 31306: 'wrapper interlock closed' + 31307: 'wrapper configuration change' + 31308: 'wrapper jam' + 31309: 'wrapper missing' + 31310: 'wrapper life almost over' + 31311: 'wrapper life over' + 31312: 'wrapper almost empty' + 31313: 'wrapper empty' + 31314: 'wrapper almost full' + 31315: 'wrapper full' + 31316: 'wrapper near limit' + 31317: 'wrapper at limit' + 31318: 'wrapper opened' + 31319: 'wrapper closed' + 31320: 'wrapper turned on' + 31321: 'wrapper turned off' + 31322: 'wrapper offline' + 31323: 'wrapper power saver' + 31324: 'wrapper warming up' + 31325: 'wrapper added' + 31326: 'wrapper removed' + 31327: 'wrapper resource added' + 31328: 'wrapper resource removed' + 31329: 'wrapper recoverable failure' + 31330: 'wrapper unrecoverable failure' + 31331: 'wrapper recoverable storage error' + 31332: 'wrapper unrecoverable storage error' + 31333: 'wrapper motor failure' + 31334: 'wrapper memory exhausted' + 31335: 'wrapper under temperature' + 31336: 'wrapper over temperature' + 31337: 'wrapper timing failure' + 31338: 'wrapper thermistor failure' + 31403: 'bander cover open' + 31404: 'bander cover closed' + 31405: 'bander interlock open' + 
31406: 'bander interlock closed' + 31407: 'bander configuration change' + 31408: 'bander jam' + 31409: 'bander missing' + 31410: 'bander life almost over' + 31411: 'bander life over' + 31412: 'bander almost empty' + 31413: 'bander empty' + 31414: 'bander almost full' + 31415: 'bander full' + 31416: 'bander near limit' + 31417: 'bander at limit' + 31418: 'bander opened' + 31419: 'bander closed' + 31420: 'bander turned on' + 31421: 'bander turned off' + 31422: 'bander offline' + 31423: 'bander power saver' + 31424: 'bander warming up' + 31425: 'bander added' + 31426: 'bander removed' + 31427: 'bander resource added' + 31428: 'bander resource removed' + 31429: 'bander recoverable failure' + 31430: 'bander unrecoverable failure' + 31431: 'bander recoverable storage error' + 31432: 'bander unrecoverable storage error' + 31433: 'bander motor failure' + 31434: 'bander memory exhausted' + 31435: 'bander under temperature' + 31436: 'bander over temperature' + 31437: 'bander timing failure' + 31438: 'bander thermistor failure' + 31503: 'make envelope cover open' + 31504: 'make envelope cover closed' + 31505: 'make envelope interlock open' + 31506: 'make envelope interlock closed' + 31507: 'make envelope configuration change' + 31508: 'make envelope jam' + 31509: 'make envelope missing' + 31510: 'make envelope life almost over' + 31511: 'make envelope life over' + 31512: 'make envelope almost empty' + 31513: 'make envelope empty' + 31514: 'make envelope almost full' + 31515: 'make envelope full' + 31516: 'make envelope near limit' + 31517: 'make envelope at limit' + 31518: 'make envelope opened' + 31519: 'make envelope closed' + 31520: 'make envelope turned on' + 31521: 'make envelope turned off' + 31522: 'make envelope offline' + 31523: 'make envelope power saver' + 31524: 'make envelope warming up' + 31525: 'make envelope added' + 31526: 'make envelope removed' + 31527: 'make envelope resource added' + 31528: 'make envelope resource removed' + 31529: 'make envelope 
recoverable failure' + 31530: 'make envelope unrecoverable failure' + 31531: 'make envelope recoverable storage error' + 31532: 'make envelope unrecoverable storage error' + 31533: 'make envelope motor failure' + 31534: 'make envelope memory exhausted' + 31535: 'make envelope under temperature' + 31536: 'make envelope over temperature' + 31537: 'make envelope timing failure' + 31538: 'make envelope thermistor failure' + 31603: 'stacker cover open' + 31604: 'stacker cover closed' + 31605: 'stacker interlock open' + 31606: 'stacker interlock closed' + 31607: 'stacker configuration change' + 31608: 'stacker jam' + 31609: 'stacker missing' + 31610: 'stacker life almost over' + 31611: 'stacker life over' + 31612: 'stacker almost empty' + 31613: 'stacker empty' + 31614: 'stacker almost full' + 31615: 'stacker full' + 31616: 'stacker near limit' + 31617: 'stacker at limit' + 31618: 'stacker opened' + 31619: 'stacker closed' + 31620: 'stacker turned on' + 31621: 'stacker turned off' + 31622: 'stacker offline' + 31623: 'stacker power saver' + 31624: 'stacker warming up' + 31625: 'stacker added' + 31626: 'stacker removed' + 31627: 'stacker resource added' + 31628: 'stacker resource removed' + 31629: 'stacker recoverable failure' + 31630: 'stacker unrecoverable failure' + 31631: 'stacker recoverable storage error' + 31632: 'stacker unrecoverable storage error' + 31633: 'stacker motor failure' + 31634: 'stacker memory exhausted' + 31635: 'stacker under temperature' + 31636: 'stacker over temperature' + 31637: 'stacker timing failure' + 31638: 'stacker thermistor failure' + 31703: 'sheet rotator cover open' + 31704: 'sheet rotator cover closed' + 31705: 'sheet rotator interlock open' + 31706: 'sheet rotator interlock closed' + 31707: 'sheet rotator configuration change' + 31708: 'sheet rotator jam' + 31709: 'sheet rotator missing' + 31710: 'sheet rotator life almost over' + 31711: 'sheet rotator life over' + 31712: 'sheet rotator almost empty' + 31713: 'sheet rotator empty' + 
31714: 'sheet rotator almost full' + 31715: 'sheet rotator full' + 31716: 'sheet rotator near limit' + 31717: 'sheet rotator at limit' + 31718: 'sheet rotator opened' + 31719: 'sheet rotator closed' + 31720: 'sheet rotator turned on' + 31721: 'sheet rotator turned off' + 31722: 'sheet rotator offline' + 31723: 'sheet rotator power saver' + 31724: 'sheet rotator warming up' + 31725: 'sheet rotator added' + 31726: 'sheet rotator removed' + 31727: 'sheet rotator resource added' + 31728: 'sheet rotator resource removed' + 31729: 'sheet rotator recoverable failure' + 31730: 'sheet rotator unrecoverable failure' + 31731: 'sheet rotator recoverable storage error' + 31732: 'sheet rotator unrecoverable storage error' + 31733: 'sheet rotator motor failure' + 31734: 'sheet rotator memory exhausted' + 31735: 'sheet rotator under temperature' + 31736: 'sheet rotator over temperature' + 31737: 'sheet rotator timing failure' + 31738: 'sheet rotator thermistor failure' + 31803: 'inserter cover open' + 31804: 'inserter cover closed' + 31805: 'inserter interlock open' + 31806: 'inserter interlock closed' + 31807: 'inserter configuration change' + 31808: 'inserter jam' + 31809: 'inserter missing' + 31810: 'inserter life almost over' + 31811: 'inserter life over' + 31812: 'inserter almost empty' + 31813: 'inserter empty' + 31814: 'inserter almost full' + 31815: 'inserter full' + 31816: 'inserter near limit' + 31817: 'inserter at limit' + 31818: 'inserter opened' + 31819: 'inserter closed' + 31820: 'inserter turned on' + 31821: 'inserter turned off' + 31822: 'inserter offline' + 31823: 'inserter power saver' + 31824: 'inserter warming up' + 31825: 'inserter added' + 31826: 'inserter removed' + 31827: 'inserter resource added' + 31828: 'inserter resource removed' + 31829: 'inserter recoverable failure' + 31830: 'inserter unrecoverable failure' + 31831: 'inserter recoverable storage error' + 31832: 'inserter unrecoverable storage error' + 31833: 'inserter motor failure' + 31834: 
'inserter memory exhausted' + 31835: 'inserter under temperature' + 31836: 'inserter over temperature' + 31837: 'inserter timing failure' + 31838: 'inserter thermistor failure' diff --git a/traps/enterprises.yml b/traps/enterprises.yml index 16dde33c..50b0a2f3 100644 --- a/traps/enterprises.yml +++ b/traps/enterprises.yml @@ -7,6 +7,7 @@ unsupported: unsupported.yml # IETF .1.3.6.1.2.1.14.16: IETF/OSPF-TRAP-MIB-ospfTraps.yml .1.3.6.1.2.1.14.16.2: IETF/OSPF-TRAP-MIB-ospfTraps.yml +.1.3.6.1.2.1.43.18.2: IETF/Printer-MIB-printerV1Alert.yml # Brocade .1.3.6.1.4.1.1588.2.1.1.1: brocade/SW-MIB-sw.yml @@ -69,7 +70,6 @@ unsupported: unsupported.yml .1.3.6.1.2.1.26: IETF/MAU-MIB-snmpDot3MauTraps.yml .1.3.6.1.2.1.33.2: IETF/UPS-MIB-upsTraps.yml .1.3.6.1.2.1.39.2: IETF/RDBMS-MIB-rdbmsTraps.yml -.1.3.6.1.2.1.43.18.2: IETF/Printer-MIB-printerV2AlertPrefix.yml .1.3.6.1.2.1.44.2: IETF/MIP-MIB-mipMIBNotifications.yml .1.3.6.1.2.1.46.1: IETF/DLSW-MIB-dlswTraps.yml .1.3.6.1.2.1.47.2: IETF/ENTITY-MIB-entityMIBTrapPrefix.yml diff --git a/traps/rules/IETF/Printer-MIB-printerV1Alert.yml b/traps/rules/IETF/Printer-MIB-printerV1Alert.yml new file mode 100644 index 00000000..b380082e --- /dev/null +++ b/traps/rules/IETF/Printer-MIB-printerV1Alert.yml 
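Review bot: The `.1.3.6.1.2.1.43.18.1.1.7:` map added at the end of `enums/integer/ietf/Printer-MIB.yml` has no header comment, while the identifier map it duplicates keeps `# prtAlertCode` and is renamed to `.1.3.6.1.2.1.43.18.1.1.7_definition` in the earlier hunk of this file. I would add a comment above the new key, for example `# prtAlertCode (display labels; MIB identifiers are kept in .1.3.6.1.2.1.43.18.1.1.7_definition)`. The new `Printer-MIB-printerV1Alert.yml` rule in this patch builds `event.id` from the `_definition` map and `prtAlertCode` and the message from this one. The two maps therefore need the same code set, and the comment should say so. How `snmp_int_enum_enrich` behaves on a code present in only one map is not visible here, so presumably a mismatch would give an id and a message that disagree for the same alert.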
@@ -0,0 +1,310 @@ +- mapping: |- + #!blobl + root = this + root.out.origin.agent.name = "IETF Printer-MIB" +- switch: + - check: this.trap.SpecificTrap == 1 + # printerV2Alert + # + # This trap is sent whenever a critical event is added to the prtAlertTable. + # + # prtAlertIndex (Integer32) - The index value used to determine which alerts have been added or removed from the alert table. + # prtAlertSeverityLevel (INTEGER) - The level of severity of this alert table entry. + # prtAlertGroup (INTEGER) - The type of sub-unit within the printer model that this alert is related. + # prtAlertGroupIndex (Integer32) - The low-order index of the row within the table identified by prtAlertGroup that represents the sub-unit of the printer that caused this alert, or -1 if not applicable. + # prtAlertLocation (Integer32) - The sub-unit location that is defined by the printer manufacturer to further refine the location of this alert within the designated sub-unit. + # prtAlertCode (INTEGER) - The code that describes the type of alert for this entry in the table. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 5 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.2.1.43.18.1.1.1") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.2.1.43.18.1.1.2") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.2.1.43.18.1.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.2.1.43.18.1.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.2.1.43.18.1.1.6") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.2.1.43.18.1.1.7") { + meta varbinds_ok = true + }}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + meta prtAlertSeverityLevel = this.trap.VarBinds.index(1).Value + + root.out.ietf.prtAlertIndex = this.trap.VarBinds.index(0).Value.string() + root.out.ietf.prtAlertSeverityLevel = this.trap.VarBinds.index(1).Value.snmp_int_enum_enrich(".1.3.6.1.2.1.43.18.1.1.2") + root.out.ietf.prtAlertGroup = this.trap.VarBinds.index(2).Value.snmp_int_enum_enrich(".1.3.6.1.2.1.43.18.1.1.4") + root.out.ietf.prtAlertGroupIndex = this.trap.VarBinds.index(3).Value.string() + root.out.ietf.prtAlertLocation = this.trap.VarBinds.index(4).Value.string() + root.out.ietf.prtAlertCode = this.trap.VarBinds.index(5).Value.snmp_int_enum_enrich(".1.3.6.1.2.1.43.18.1.1.7") + + root.out.object.name = "HOST-RESOURCES-MIB::hrDeviceEntry" + root.TEMP.prtAlert = this.trap.VarBinds.index(1).OID.snmp_oid_get_index(".1.3.6.1.2.1.43.18.1.1.2") + root.TEMP.prtAlertEntry = root.TEMP.prtAlert.snmp_oid_extract_index("Integer,Integer") + root.out.ietf.hrDeviceIndex = root.TEMP.prtAlertEntry.index(0).string() + root.out.object.index = root.out.ietf.hrDeviceIndex + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.out.object.label = "device: hrDeviceIndex " + root.out.ietf.hrDeviceIndex + ", group: " + root.out.ietf.prtAlertGroupIndex + ", location: " + root.out.ietf.prtAlertLocation + + root.out.event.class.name = "SNMPTRAP-Printer-MIB-printerV1Alert-printerV2Alert" + root.out.event.id = "SNMPTRAP-Printer-MIB-printerV1Alert-printerV2Alert-" + this.trap.VarBinds.index(5).Value.snmp_int_enum_enrich(".1.3.6.1.2.1.43.18.1.1.7_definition") + root.out.event.category.name = "printer " + root.out.ietf.prtAlertGroup + " state" + root.out.event.message = root.out.ietf.prtAlertGroup + ": " + root.out.ietf.prtAlertCode + + - switch: + - check: metadata("") == 1 + processors: + - mapping: |- + #!blobl + root = this + + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: metadata("") == 3 + processors: + - mapping: |- + #!blobl + root = this + + root.out.event.severity.code = 3 + root.out.event.severity.level = "Error" + + - check: metadata("") == 4 + processors: + - mapping: |- + #!blobl + root = this + + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: metadata("") == 5 + processors: + - mapping: |- + #!blobl + root = this + + root.out.event.severity.code = 0 + root.out.event.severity.level = "Warning" + + - processors: + - mapping: |- + #!blobl + root = this + + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || 
this.trap.VarBinds.index(0).Type == 68 {
+ root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string()
+ } else {
+ root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string()
+ }
+ if this.trap.VarBinds.length() > 1 {
+ root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID
+ root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes")
+ if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 {
+ root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string()
+ } else {
+ root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string()
+ }
+ if this.trap.VarBinds.length() > 2 {
+ root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID
+ root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes")
+ if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 {
+ root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string()
+ } else {
+ root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string()
+ }
+ if this.trap.VarBinds.length() > 3 {
+ root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID
+ root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes")
+ if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 {
+ root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string()
+ } else {
+ root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string()
+ }
+ if this.trap.VarBinds.length() > 4 {
+ root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID
+ root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes")
+ if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 {
+ root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string()
+ } else {
+ root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string()
+ }
+ if this.trap.VarBinds.length() > 5 {
+ root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID
+ root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes")
+ if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 {
+ root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string()
+ } else {
+ root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string()
+ }
+ if this.trap.VarBinds.length() > 6 {
+ root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID
+ root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes")
+ if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 {
+ root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string()
+ } else {
+ root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string()
+ }
+ if this.trap.VarBinds.length() > 7 {
+ root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID
+ root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes")
+ if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 {
+ root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string()
+ } else {
+ root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string()
+ }
+ if this.trap.VarBinds.length() > 8 {
+ root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID
+ root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes")
+ if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 {
+ root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string()
+ } else {
+ root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string()
+ }
+ }}}}}}}}}
+
+ root.out.event.class.name = "SNMPTRAP-Printer-MIB-printerV1Alert-printerV2Alert"
+ root.out.event.id = "SNMPTRAP-Printer-MIB-printerV1Alert-printerV2Alert-unknown"
+ root.out.event.category.name = "printer alert"
+ root.out.event.message = "printer alert - UNEXPECTED VARBINDS for printerV2Alert trap!"
+ root.out.event.severity.code = 3
+ root.out.event.severity.level = "Error"
+
+ - processors:
+ - label: default
+ mapping: |
+ #!blobl
+ root = this
+
+ if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 {
+ root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID
+ root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes")
+ if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 {
+ root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string()
+ } else {
+ root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string()
+ }
+ if this.trap.VarBinds.length() > 1 {
+ root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID
+ root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes")
+ if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 {
+ root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string()
+ } else {
+ root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string()
+ }
+ if this.trap.VarBinds.length() > 2 {
+ root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID
+ root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes")
+ if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 {
+ root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string()
+ } else {
+ root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string()
+ }
+ if this.trap.VarBinds.length() > 3 {
+ root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID
+ root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes")
+ if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 {
+ root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string()
+ } else {
+ root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string()
+ }
+ if this.trap.VarBinds.length() > 4 {
+ root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID
+ root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes")
+ if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 {
+ root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string()
+ } else {
+ root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string()
+ }
+ if this.trap.VarBinds.length() > 5 {
+ root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID
+ root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes")
+ if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 {
+ root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string()
+ } else {
+ root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string()
+ }
+ if this.trap.VarBinds.length() > 6 {
+ root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID
+ root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes")
+ if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 {
+ root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string()
+ } else {
+ root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string()
+ }
+ if this.trap.VarBinds.length() > 7 {
+ root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID
+ root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes")
+ if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 {
+ root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string()
+ } else {
+ root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string()
+ }
+ if this.trap.VarBinds.length() > 8 {
+ root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID
+ root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes")
+ if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 {
+ root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string()
+ } else {
+ root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string()
+ }
+ if this.trap.VarBinds.length() > 9 {
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID
+ root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes")
+ if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 {
+ root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string()
+ } else {
+ root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string()
+ }
+ if this.trap.VarBinds.length() > 10 {
+ root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID
+ root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes")
+ if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 {
+ root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string()
+ } else {
+ root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string()
+ }
+ if this.trap.VarBinds.length() > 11 {
+ root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID
+ root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes")
+ if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 {
+ root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string()
+ } else {
+ root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string()
+ }
+ }}}}}}}}}}}}
+
+ root.out.event.class.name = "SNMPTRAP-Printer-MIB-printerV1Alert-unknown"
+ root.out.event.id = "SNMPTRAP-Printer-MIB-printerV1Alert-" + this.trap.SpecificTrap.string()
+ root.out.event.category.name = "unknown specific trap"
+ root.out.event.message = "unknown specific trap " + this.trap.SpecificTrap.string() + " from IETF Printer-MIB-printerV1Alert"
+ root.out.event.severity.code = 4
+ root.out.event.severity.level = "Warning"
diff --git a/traps/rules/IETF/Printer-MIB-printerV2AlertPrefix.yml b/traps/rules/IETF/Printer-MIB-printerV2AlertPrefix.yml
deleted file mode 100644
index a0fd8923..00000000
--- a/traps/rules/IETF/Printer-MIB-printerV2AlertPrefix.yml
+++ /dev/null
@@ -1,996 +0,0 @@ -- mapping: |- - #!blobl - root = this - root.out.origin.agent.name = "Printer-MIB" -- switch: - - check: this.trap.SpecificTrap == 1 - processors: - - label: printer_v2alert_variables - mapping: |- - #!blobl - root = this - - root.out.IETF.prtAlertIndex = this.trap.VarBinds.index(0).Value - root.out.IETF.prtAlertSeverityLevel = this.trap.VarBinds.index(1).Value.enum_enrich(".1.3.6.1.2.1.43.18.1.1.2") - root.out.IETF.prtAlertGroup = this.trap.VarBinds.index(2).Value.enum_enrich(".1.3.6.1.2.1.43.18.1.1.4") - root.out.IETF.prtAlertGroupIndex = this.trap.VarBinds.index(3).Value - root.out.IETF.prtAlertLocation = this.trap.VarBinds.index(4).Value - root.out.IETF.prtAlertCode = this.trap.VarBinds.index(5).Value.enum_enrich(".1.3.6.1.2.1.43.18.1.1.7") - - label: printer_v2alert_rules_1 - mapping: |- - #!blobl - root = this - - root.out.event.class.name = "SNMPTRAP-IETF-Printer-MIB-printerV2Alert" - root.out.event.id = "SNMPTRAP-IETF-Printer-MIB-printerV2Alert" - root.out.object.name = this.trap.VarBinds.index(2).Value.enum_enrich(".1.3.6.1.2.1.43.18.1.1.4").string() - root.out.object.name = this.trap.VarBinds.index(2).Value.enum_enrich(".1.3.6.1.2.1.43.18.1.1.4").string() + " " + this.trap.VarBinds.index(3).Value.string() - root.out.object.name = this.trap.VarBinds.index(2).Value.enum_enrich(".1.3.6.1.2.1.43.18.1.1.4").string() + ", Location " + this.trap.VarBinds.index(4).Value.string() - - label: printer_v2alert_rules_2 - switch: - - check: this.trap.VarBinds.index(1).Value == 1 - processors: - - label: printer_v2alert_rules_2_1 - mapping: |- - #!blobl - root = this - - root.out.event.severity.code = 3 - root.out.event.severity.level = "Error" - - check: this.trap.VarBinds.index(1).Value == 3 - processors: - - label: printer_v2alert_rules_2_3 - mapping: |- - #!blobl - root = this - - root.out.event.severity.code = 2 - root.out.event.severity.level = "Critical" - - check: this.trap.VarBinds.index(1).Value == 4 - processors: - - label: 
printer_v2alert_rules_2_4 - mapping: |- - #!blobl - root = this - - root.out.event.severity.code = 4 - root.out.event.severity.level = "Warning" - - check: this.trap.VarBinds.index(1).Value == 5 - processors: - - label: printer_v2alert_rules_2_5 - mapping: |- - #!blobl - root = this - - root.out.event.severity.code = 4 - root.out.event.severity.level = "Warning" - - processors: - - label: printer_v2alert_rules_2_default - mapping: |- - #!blobl - root = this - - root.out.event.severity.code = 4 - root.out.event.severity.level = "Warning" - - label: printer_v2alert_rules_3 - switch: - - check: this.trap.VarBinds.index(5).Value == 1 - processors: - - label: printer_v2alert_rules_3_1 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Printer Status" - root.out.event.message = "Other Printer Status" - - check: this.trap.VarBinds.index(5).Value == 2 - processors: - - label: printer_v2alert_rules_3_2 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Printer Status" - root.out.event.message = "Printer Status Unknown" - - check: this.trap.VarBinds.index(5).Value == 3 - processors: - - label: printer_v2alert_rules_3_3 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Cover Status" - root.out.event.message = "Printer Cover Open" - - check: this.trap.VarBinds.index(5).Value == 4 - processors: - - label: printer_v2alert_rules_3_4 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Cover Status" - root.out.event.message = "Printer Cover Closed" - root.out.event.severity.code = 5 - root.out.event.severity.level = "Notice" - - check: this.trap.VarBinds.index(5).Value == 5 - processors: - - label: printer_v2alert_rules_3_5 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Interlock Status" - root.out.event.message = "Printer Interlock Open" - - check: this.trap.VarBinds.index(5).Value == 6 - processors: - - label: printer_v2alert_rules_3_6 - mapping: |- - #!blobl - 
root = this - - root.out.event.category.name = "Interlock Status" - root.out.event.message = "Printer Interlock Closed" - root.out.event.severity.code = 5 - root.out.event.severity.level = "Notice" - - check: this.trap.VarBinds.index(5).Value == 7 - processors: - - label: printer_v2alert_rules_3_7 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Printer Interlock" - root.out.event.message = "Printer Configuration Change" - root.out.event.severity.code = 4 - root.out.event.severity.level = "Warning" - - check: this.trap.VarBinds.index(5).Value == 8 - processors: - - label: printer_v2alert_rules_3_8 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Printer Status" - root.out.event.message = "Printer Jam" - - check: this.trap.VarBinds.index(5).Value == 9 - processors: - - label: printer_v2alert_rules_3_9 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Sub-Unit Status" - root.out.event.message = "Printer Sub-Unit Missing" - - check: this.trap.VarBinds.index(5).Value == 10 - processors: - - label: printer_v2alert_rules_3_10 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Sub-Unit Status" - root.out.event.message = "Printer Sub-Unit Life Almost Over" - - check: this.trap.VarBinds.index(5).Value == 11 - processors: - - label: printer_v2alert_rules_3_11 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Sub-Unit Status" - root.out.event.message = "Printer Sub-Unit Life Over" - - check: this.trap.VarBinds.index(5).Value == 12 - processors: - - label: printer_v2alert_rules_3_12 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Sub-Unit Full/Empty" - root.out.event.message = "Printer Sub-Unit Almost Empty" - - check: this.trap.VarBinds.index(5).Value == 13 - processors: - - label: printer_v2alert_rules_3_13 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Sub-Unit Full/Empty" - root.out.event.message = 
"Printer Sub-Unit Empty" - - check: this.trap.VarBinds.index(5).Value == 14 - processors: - - label: printer_v2alert_rules_3_14 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Sub-Unit Full/Empty" - root.out.event.message = "Printer Sub-Unit Almost Full" - - check: this.trap.VarBinds.index(5).Value == 15 - processors: - - label: printer_v2alert_rules_3_15 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Sub-Unit Full/Empty" - root.out.event.message = "Printer Sub-Unit Full" - - check: this.trap.VarBinds.index(5).Value == 16 - processors: - - label: printer_v2alert_rules_3_16 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Sub-Unit Limit" - root.out.event.message = "Printer Sub-Unit Near Limit" - - check: this.trap.VarBinds.index(5).Value == 17 - processors: - - label: printer_v2alert_rules_3_17 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Sub-Unit Limit" - root.out.event.message = "Printer Sub-Unit At Limit" - - check: this.trap.VarBinds.index(5).Value == 18 - processors: - - label: printer_v2alert_rules_3_18 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Sub-Unit Open/Close" - root.out.event.message = "Printer Sub-Unit Opened" - - check: this.trap.VarBinds.index(5).Value == 19 - processors: - - label: printer_v2alert_rules_3_19 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Sub-Unit Open/Close" - root.out.event.message = "Printer Sub-Unit Closed" - root.out.event.severity.code = 5 - root.out.event.severity.level = "Notice" - - check: this.trap.VarBinds.index(5).Value == 20 - processors: - - label: printer_v2alert_rules_3_20 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Sub-Unit On/Off" - root.out.event.message = "Printer Sub-Unit Turned On" - root.out.event.severity.code = 5 - root.out.event.severity.level = "Notice" - - check: this.trap.VarBinds.index(5).Value == 21 - 
processors: - - label: printer_v2alert_rules_3_21 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Sub-Unit On/Off" - root.out.event.message = "Printer Sub-Unit Turned Off" - - check: this.trap.VarBinds.index(5).Value == 22 - processors: - - label: printer_v2alert_rules_3_22 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Sub-Unit Status" - root.out.event.message = "Printer Sub-Unit Offline" - - check: this.trap.VarBinds.index(5).Value == 23 - processors: - - label: printer_v2alert_rules_3_23 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Sub-Unit Status" - root.out.event.message = "Printer Sub-Unit Power Saver" - - check: this.trap.VarBinds.index(5).Value == 24 - processors: - - label: printer_v2alert_rules_3_24 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Sub-Unit Status" - root.out.event.message = "Printer Sub-Unit Warming Up" - - check: this.trap.VarBinds.index(5).Value == 25 - processors: - - label: printer_v2alert_rules_3_25 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Sub-Unit Add/Remove" - root.out.event.message = "Printer Sub-Unit Added" - root.out.event.severity.code = 5 - root.out.event.severity.level = "Notice" - - check: this.trap.VarBinds.index(5).Value == 26 - processors: - - label: printer_v2alert_rules_3_26 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Sub-Unit Add/Remove" - root.out.event.message = "Printer Sub-Unit Removed" - - check: this.trap.VarBinds.index(5).Value == 27 - processors: - - label: printer_v2alert_rules_3_27 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Sub-Unit Resource Add/Remove" - root.out.event.message = "Printer Sub-Unit Resource Added" - root.out.event.severity.code = 5 - root.out.event.severity.level = "Notice" - - check: this.trap.VarBinds.index(5).Value == 28 - processors: - - label: printer_v2alert_rules_3_28 - mapping: |- - 
#!blobl - root = this - - root.out.event.category.name = "Sub-Unit Resource Add/Remove" - root.out.event.message = "Printer Sub-Unit Resource Removed" - - check: this.trap.VarBinds.index(5).Value == 29 - processors: - - label: printer_v2alert_rules_3_29 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Sub-Unit Status" - root.out.event.message = "Printer Sub-Unit Recoverable Failure" - - check: this.trap.VarBinds.index(5).Value == 30 - processors: - - label: printer_v2alert_rules_3_30 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Sub-Unit Status" - root.out.event.message = "Printer Sub-Unit Unrecoverable Failure" - - check: this.trap.VarBinds.index(5).Value == 31 - processors: - - label: printer_v2alert_rules_3_31 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Sub-Unit Storage Status" - root.out.event.message = "Printer Sub-Unit Recoverable Storage Error" - - check: this.trap.VarBinds.index(5).Value == 32 - processors: - - label: printer_v2alert_rules_3_32 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Sub-Unit Storage Status" - root.out.event.message = "Printer Sub-Unit Unrecoverable Storage Error" - - check: this.trap.VarBinds.index(5).Value == 33 - processors: - - label: printer_v2alert_rules_3_33 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Sub-Unit Status" - root.out.event.message = "Printer Sub-Unit Motor Failure" - - check: this.trap.VarBinds.index(5).Value == 34 - processors: - - label: printer_v2alert_rules_3_34 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Sub-Unit Status" - root.out.event.message = "Printer Sub-Unit Memory Exhausted" - - check: this.trap.VarBinds.index(5).Value == 35 - processors: - - label: printer_v2alert_rules_3_35 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Sub-Unit Temperature" - root.out.event.message = "Printer Sub-Unit Under Temperature" - 
- check: this.trap.VarBinds.index(5).Value == 36 - processors: - - label: printer_v2alert_rules_3_36 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Sub-Unit Temperature" - root.out.event.message = "Printer Sub-Unit Over Temperature" - - check: this.trap.VarBinds.index(5).Value == 37 - processors: - - label: printer_v2alert_rules_3_37 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Sub-Unit Status" - root.out.event.message = "Printer Sub-Unit Timing Failure" - - check: this.trap.VarBinds.index(5).Value == 38 - processors: - - label: printer_v2alert_rules_3_38 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Sub-Unit Status" - root.out.event.message = "Printer Sub-Unit Thermistor Failure" - - check: this.trap.VarBinds.index(5).Value == 501 - processors: - - label: printer_v2alert_rules_3_501 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Door Status" - root.out.event.message = "Printer Door Open" - - check: this.trap.VarBinds.index(5).Value == 502 - processors: - - label: printer_v2alert_rules_3_502 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Door Status" - root.out.event.message = "Printer Door Closed" - root.out.event.severity.code = 5 - root.out.event.severity.level = "Notice" - - check: this.trap.VarBinds.index(5).Value == 503 - processors: - - label: printer_v2alert_rules_3_503 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Power Status" - root.out.event.message = "Printer Power Up" - root.out.event.severity.code = 5 - root.out.event.severity.level = "Notice" - - check: this.trap.VarBinds.index(5).Value == 504 - processors: - - label: printer_v2alert_rules_3_504 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Power Status" - root.out.event.message = "Printer Power Down" - - check: this.trap.VarBinds.index(5).Value == 505 - processors: - - label: printer_v2alert_rules_3_505 - 
mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Printer Status" - root.out.event.message = "Printer Reset by NMS" - root.out.event.severity.code = 4 - root.out.event.severity.level = "Warning" - - check: this.trap.VarBinds.index(5).Value == 506 - processors: - - label: printer_v2alert_rules_3_506 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Printer Status" - root.out.event.message = "Printer Reset Manually" - root.out.event.severity.code = 4 - root.out.event.severity.level = "Warning" - - check: this.trap.VarBinds.index(5).Value == 507 - processors: - - label: printer_v2alert_rules_3_507 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Printer Status" - root.out.event.message = "Printer Ready To Print" - root.out.event.severity.code = 5 - root.out.event.severity.level = "Notice" - - check: this.trap.VarBinds.index(5).Value == 801 - processors: - - label: printer_v2alert_rules_3_801 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Input Media Status" - root.out.event.message = "Printer Input Media Tray Missing" - - check: this.trap.VarBinds.index(5).Value == 802 - processors: - - label: printer_v2alert_rules_3_802 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Input Media Change" - root.out.event.message = "Printer Input Media Size Change" - root.out.event.severity.code = 4 - root.out.event.severity.level = "Warning" - - check: this.trap.VarBinds.index(5).Value == 803 - processors: - - label: printer_v2alert_rules_3_803 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Input Media Change" - root.out.event.message = "Printer Input Media Weight Change" - root.out.event.severity.code = 4 - root.out.event.severity.level = "Warning" - - check: this.trap.VarBinds.index(5).Value == 804 - processors: - - label: printer_v2alert_rules_3_804 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Input Media 
Change" - root.out.event.message = "Printer Input Media Type Change" - root.out.event.severity.code = 4 - root.out.event.severity.level = "Warning" - - check: this.trap.VarBinds.index(5).Value == 805 - processors: - - label: printer_v2alert_rules_3_805 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Input Media Change" - root.out.event.message = "Printer Input Media Color Change" - root.out.event.severity.code = 4 - root.out.event.severity.level = "Warning" - - check: this.trap.VarBinds.index(5).Value == 806 - processors: - - label: printer_v2alert_rules_3_806 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Input Media Change" - root.out.event.message = "Printer Input Media Form Parts Change" - root.out.event.severity.code = 4 - root.out.event.severity.level = "Warning" - - check: this.trap.VarBinds.index(5).Value == 807 - processors: - - label: printer_v2alert_rules_3_807 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Input Media Status" - root.out.event.message = "Printer Input Media Supply Low" - - check: this.trap.VarBinds.index(5).Value == 808 - processors: - - label: printer_v2alert_rules_3_808 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Input Media Status" - root.out.event.message = "Printer Input Media Supply Empty" - - check: this.trap.VarBinds.index(5).Value == 809 - processors: - - label: printer_v2alert_rules_3_809 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Input Media Change" - root.out.event.message = "Printer Input Media Change Request" - root.out.event.severity.code = 4 - root.out.event.severity.level = "Warning" - - check: this.trap.VarBinds.index(5).Value == 810 - processors: - - label: printer_v2alert_rules_3_810 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Manual Input" - root.out.event.message = "Printer Manual Input Request" - - check: this.trap.VarBinds.index(5).Value == 811 - 
processors: - - label: printer_v2alert_rules_3_811 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Input Tray Status" - root.out.event.message = "Printer Input Tray Position Failure" - - check: this.trap.VarBinds.index(5).Value == 812 - processors: - - label: printer_v2alert_rules_3_812 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Input Tray Status" - root.out.event.message = "Printer Input Tray Elevation Failure" - - check: this.trap.VarBinds.index(5).Value == 813 - processors: - - label: printer_v2alert_rules_3_813 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Input Media Status" - root.out.event.message = "Printer Cannot Feed Size Selected" - - check: this.trap.VarBinds.index(5).Value == 901 - processors: - - label: printer_v2alert_rules_3_901 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Output Media Status" - root.out.event.message = "Printer Output Media Tray Missing" - - check: this.trap.VarBinds.index(5).Value == 902 - processors: - - label: printer_v2alert_rules_3_902 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Output Media Status" - root.out.event.message = "Printer Output Media Tray Almost Full" - - check: this.trap.VarBinds.index(5).Value == 903 - processors: - - label: printer_v2alert_rules_3_903 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Output Media Status" - root.out.event.message = "Printer Output Media Tray Full" - - check: this.trap.VarBinds.index(5).Value == 904 - processors: - - label: printer_v2alert_rules_3_904 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Output Mailbox Status" - root.out.event.message = "Printer Output Mailbox Select Failure" - - check: this.trap.VarBinds.index(5).Value == 1001 - processors: - - label: printer_v2alert_rules_3_1001 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Fuser Status" - 
root.out.event.message = "Printer Fuser Under Temperature" - - check: this.trap.VarBinds.index(5).Value == 1002 - processors: - - label: printer_v2alert_rules_3_1002 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Fuser Status" - root.out.event.message = "Printer Fuser Over Temperature" - - check: this.trap.VarBinds.index(5).Value == 1003 - processors: - - label: printer_v2alert_rules_3_1003 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Fuser Status" - root.out.event.message = "Printer Fuser Timing Failure" - - check: this.trap.VarBinds.index(5).Value == 1004 - processors: - - label: printer_v2alert_rules_3_1004 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Fuser Status" - root.out.event.message = "Printer Fuser Thermistor Failure" - - check: this.trap.VarBinds.index(5).Value == 1005 - processors: - - label: printer_v2alert_rules_3_1005 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Marker Status" - root.out.event.message = "Printer Marker Adjusting Print Quality" - root.out.event.severity.code = 4 - root.out.event.severity.level = "Warning" - - check: this.trap.VarBinds.index(5).Value == 1101 - processors: - - label: printer_v2alert_rules_3_1101 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Toner Status" - root.out.event.message = "Printer Toner Empty" - - check: this.trap.VarBinds.index(5).Value == 1102 - processors: - - label: printer_v2alert_rules_3_1102 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Ink Status" - root.out.event.message = "Printer Ink Empty" - - check: this.trap.VarBinds.index(5).Value == 1103 - processors: - - label: printer_v2alert_rules_3_1103 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Print Ribbon Status" - root.out.event.message = "Printer Ribbon Empty" - - check: this.trap.VarBinds.index(5).Value == 1104 - processors: - - label: 
printer_v2alert_rules_3_1104 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Toner Status" - root.out.event.message = "Printer Toner Almost Empty" - - check: this.trap.VarBinds.index(5).Value == 1105 - processors: - - label: printer_v2alert_rules_3_1105 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Ink Status" - root.out.event.message = "Printer Ink Almost Empty" - - check: this.trap.VarBinds.index(5).Value == 1106 - processors: - - label: printer_v2alert_rules_3_1106 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Print Ribbon Status" - root.out.event.message = "Printer Ribbon Almost Empty" - - check: this.trap.VarBinds.index(5).Value == 1107 - processors: - - label: printer_v2alert_rules_3_1107 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Waste Toner Status" - root.out.event.message = "Printer Waste Toner Receptacle Almost Full" - - check: this.trap.VarBinds.index(5).Value == 1108 - processors: - - label: printer_v2alert_rules_3_1108 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Waste Ink Status" - root.out.event.message = "Printer Waste Ink Receptacle Almost Full" - - check: this.trap.VarBinds.index(5).Value == 1109 - processors: - - label: printer_v2alert_rules_3_1109 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Waste Toner Status" - root.out.event.message = "Printer Waste Toner Receptacle Full" - - check: this.trap.VarBinds.index(5).Value == 1110 - processors: - - label: printer_v2alert_rules_3_1110 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Waste Ink Status" - root.out.event.message = "Printer Waste Ink Receptacle Full" - - check: this.trap.VarBinds.index(5).Value == 1111 - processors: - - label: printer_v2alert_rules_3_1111 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "OPC Status" - root.out.event.message = "Printer OPC Life Almost Over" 
- - check: this.trap.VarBinds.index(5).Value == 1112 - processors: - - label: printer_v2alert_rules_3_1112 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "OPC Status" - root.out.event.message = "Printer OPC Life Over" - - check: this.trap.VarBinds.index(5).Value == 1113 - processors: - - label: printer_v2alert_rules_3_1113 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Developer Status" - root.out.event.message = "Printer Developer Almost Empty" - - check: this.trap.VarBinds.index(5).Value == 1114 - processors: - - label: printer_v2alert_rules_3_1114 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Developer Status" - root.out.event.message = "Printer Developer Empty" - - check: this.trap.VarBinds.index(5).Value == 1115 - processors: - - label: printer_v2alert_rules_3_1115 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Toner Status" - root.out.event.message = "Printer Toner Cartridge Missing" - - check: this.trap.VarBinds.index(5).Value == 1301 - processors: - - label: printer_v2alert_rules_3_1301 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Media Path Media Status" - root.out.event.message = "Printer Media Path Media Tray Missing" - - check: this.trap.VarBinds.index(5).Value == 1302 - processors: - - label: printer_v2alert_rules_3_1302 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Media Path Media Status" - root.out.event.message = "Printer Media Path Media Tray Almost Full" - - check: this.trap.VarBinds.index(5).Value == 1303 - processors: - - label: printer_v2alert_rules_3_1303 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Media Path Media Status" - root.out.event.message = "Printer Media Path Media Tray Full" - - check: this.trap.VarBinds.index(5).Value == 1304 - processors: - - label: printer_v2alert_rules_3_1304 - mapping: |- - #!blobl - root = this - - 
root.out.event.category.name = "Media Path Media Status" - root.out.event.message = "Printer Media Path Cannot Select Duplex Media" - - check: this.trap.VarBinds.index(5).Value == 1501 - processors: - - label: printer_v2alert_rules_3_1501 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Interpreter Memory Status" - root.out.event.message = "Printer Interpreter Memory Increase" - root.out.event.severity.code = 5 - root.out.event.severity.level = "Notice" - - check: this.trap.VarBinds.index(5).Value == 1502 - processors: - - label: printer_v2alert_rules_3_1502 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Interpreter Memory Status" - root.out.event.message = "Printer Interpreter Memory Decrease" - - check: this.trap.VarBinds.index(5).Value == 1503 - processors: - - label: printer_v2alert_rules_3_1503 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Interpreter Cartridge Status" - root.out.event.message = "Printer Interpreter Cartridge Added" - root.out.event.severity.code = 5 - root.out.event.severity.level = "Notice" - - check: this.trap.VarBinds.index(5).Value == 1504 - processors: - - label: printer_v2alert_rules_3_1504 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Interpreter Cartridge Status" - root.out.event.message = "Printer Interpreter Cartridge Deleted" - - check: this.trap.VarBinds.index(5).Value == 1505 - processors: - - label: printer_v2alert_rules_3_1505 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Interpreter Resource Status" - root.out.event.message = "Printer Interpreter Resource Added" - root.out.event.severity.code = 5 - root.out.event.severity.level = "Notice" - - check: this.trap.VarBinds.index(5).Value == 1506 - processors: - - label: printer_v2alert_rules_3_1506 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Interpreter Resource Status" - root.out.event.message = "Printer Interpreter 
Resource Deleted" - - check: this.trap.VarBinds.index(5).Value == 1507 - processors: - - label: printer_v2alert_rules_3_1507 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Interpreter Resource Status" - root.out.event.message = "Printer Interpreter Resource Unavailable" - - check: this.trap.VarBinds.index(5).Value == 1509 - processors: - - label: printer_v2alert_rules_3_1509 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Interpreter Resource Status" - root.out.event.message = "Insufficient Printer Interpreter Resources, Complex Page" - - check: this.trap.VarBinds.index(5).Value == 1801 - processors: - - label: printer_v2alert_rules_3_1801 - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Alert Status" - root.out.event.message = "Printer Alert Removal Of Binary Change Entry" - - processors: - - label: printer_v2alert_rules_3_default - mapping: |- - #!blobl - root = this - - root.out.event.category.name = "Printer Status" - root.out.event.message = "Printer Status Unknown ( " + root.out.object.name + " )" - - label: printer_v2alert_rules_4 - mapping: |- - #!blobl - root = this - - root.out.event.message = root.out.event.message + " ( " + root.out.object.name + " )" - - processors: - - label: default - mapping: | - #!blobl - root = this - - root.out.event.category.name = "Unknown Trap" From 09934ddc32b3fa0b5ab833331af3dbdbf814507a Mon Sep 17 00:00:00 2001 From: Rob Cowart Date: Wed, 22 Oct 2025 16:03:51 +0200 Subject: [PATCH 3/8] official IETF MAU-MIB trap rules --- enums/integer/ietf/MAU-MIB.yml | 16 +- traps/enterprises.yml | 2 +- traps/rules/IETF/MAU-MIB-snmpDot3MauMgt.yml | 360 ++++++++++++++++++ traps/rules/IETF/MAU-MIB-snmpDot3MauTraps.yml | 142 ------- 4 files changed, 369 insertions(+), 151 deletions(-) create mode 100644 traps/rules/IETF/MAU-MIB-snmpDot3MauMgt.yml delete mode 100644 traps/rules/IETF/MAU-MIB-snmpDot3MauTraps.yml 
diff --git a/enums/integer/ietf/MAU-MIB.yml b/enums/integer/ietf/MAU-MIB.yml index 0bca470a..031dfe44 100644 --- a/enums/integer/ietf/MAU-MIB.yml +++ b/enums/integer/ietf/MAU-MIB.yml @@ -1,11 +1,11 @@ .1.3.6.1.2.1.26.1.1.1.8: - 1: other - 2: unknown - 3: noJabber - 4: jabbering + 1: 'other' # other + 2: 'unknown' # unknown + 3: 'no jabber' # noJabber + 4: 'jabbering' # jabbering .1.3.6.1.2.1.26.2.1.1.7: - 1: other - 2: unknown - 3: noJabber - 4: jabbering + 1: 'other' # other + 2: 'unknown' # unknown + 3: 'no jabber' # noJabber + 4: 'jabbering' # jabbering diff --git a/traps/enterprises.yml b/traps/enterprises.yml index 50b0a2f3..51f54026 100644 --- a/traps/enterprises.yml +++ b/traps/enterprises.yml @@ -7,6 +7,7 @@ unsupported: unsupported.yml # IETF .1.3.6.1.2.1.14.16: IETF/OSPF-TRAP-MIB-ospfTraps.yml .1.3.6.1.2.1.14.16.2: IETF/OSPF-TRAP-MIB-ospfTraps.yml +.1.3.6.1.2.1.26: IETF/MAU-MIB-snmpDot3MauMgt.yml .1.3.6.1.2.1.43.18.2: IETF/Printer-MIB-printerV1Alert.yml # Brocade @@ -67,7 +68,6 @@ unsupported: unsupported.yml .1.3.6.1.2.1.16.29.2: IETF/HC-ALARM-MIB-hcAlarmNotifPrefix.yml .1.3.6.1.2.1.17: IETF/BRIDGE-MIB-dot1dNotifications.yml .1.3.6.1.2.1.22: IETF/SNMP-REPEATER-MIB-snmpDot3RptrMgt.yml -.1.3.6.1.2.1.26: IETF/MAU-MIB-snmpDot3MauTraps.yml .1.3.6.1.2.1.33.2: IETF/UPS-MIB-upsTraps.yml .1.3.6.1.2.1.39.2: IETF/RDBMS-MIB-rdbmsTraps.yml .1.3.6.1.2.1.44.2: IETF/MIP-MIB-mipMIBNotifications.yml diff --git a/traps/rules/IETF/MAU-MIB-snmpDot3MauMgt.yml b/traps/rules/IETF/MAU-MIB-snmpDot3MauMgt.yml new file mode 100644 index 00000000..b6bd94bc --- /dev/null +++ b/traps/rules/IETF/MAU-MIB-snmpDot3MauMgt.yml 
@@ -0,0 +1,360 @@ +- mapping: |- + #!blobl + root = this + root.out.origin.agent.name = "IETF MAU-MIB" +- switch: + - check: this.trap.SpecificTrap == 1 + # rpMauJabberTrap + # + # This trap is sent whenever a managed repeater MAU enters the jabber state. + # + # rpMauJabberState (INTEGER) + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 0 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.2.1.26.1.1.1.8") { + meta varbinds_ok = true + }} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + meta rpMauJabberState = this.trap.VarBinds.index(0).Value + + root.out.ietf.rpMauJabberState = this.trap.VarBinds.index(0).Value.snmp_int_enum_enrich(".1.3.6.1.2.1.26.1.1.1.8") + + root.out.object.name = "MAU-MIB::rpMauEntry" + root.out.object.index = this.trap.VarBinds.index(0).OID.snmp_oid_get_index(".1.3.6.1.2.1.26.1.1.1.8") + root.TEMP.rpMauEntry = root.out.object.index.snmp_oid_extract_index("Integer,Integer,Integer") + root.out.ietf.rpMauGroupIndex = root.TEMP.rpMauEntry.index(0).string() + root.out.ietf.rpMauPortIndex = root.TEMP.rpMauEntry.index(1).string() + root.out.ietf.rpMauIndex = root.TEMP.rpMauEntry.index(2).string() + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.out.object.label = "group: " + root.out.ietf.rpMauGroupIndex + ", port: " + root.out.ietf.rpMauPortIndex + ", MAU: " + root.out.ietf.rpMauIndex + + root.out.event.class.name = "SNMPTRAP-MAU-MIB-snmpDot3MauMgt-rpMauJabberTrap" + root.out.event.id = "SNMPTRAP-MAU-MIB-snmpDot3MauMgt-rpMauJabberTrap" + root.out.event.category.name = "repeater MAU jabber state" + + - switch: + - check: metadata("rpMauJabberState") == 1 + processors: + - mapping: |- + #!blobl + root = this + + root.out.event.id = root.out.event.id + "-other" + root.out.event.message = "repeater MAU other jabber state" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: metadata("rpMauJabberState") == 3 + processors: + - mapping: |- + #!blobl + root = this + + root.out.event.id = root.out.event.id + "-noJabber" + root.out.event.message = "repeater MAU not jabbering" + root.out.event.severity.code = 6 + root.out.event.severity.level = "Informational" + + - check: metadata("rpMauJabberState") == 4 + processors: + - mapping: |- + #!blobl + root = this + + root.out.event.id = root.out.event.id + "-jabbering" + root.out.event.message = "repeater MAU jabbering" + root.out.event.severity.code = 3 + root.out.event.severity.level = "Error" + + - processors: + - mapping: |- + #!blobl + root = this + + root.out.event.id = root.out.event.id + "-unknown" + root.out.event.message = "repeater MAU jabber state unknown" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = 
this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + }}}} + + root.out.event.class.name = "SNMPTRAP-MAU-MIB-snmpDot3MauMgt-rpMauJabberTrap" + root.out.event.id = "SNMPTRAP-MAU-MIB-snmpDot3MauMgt-rpMauJabberTrap-unknown" + 
root.out.event.category.name = "repeater MAU jabber state" + root.out.event.message = "repeater MAU jabber state notification - UNEXPECTED VARBINDS for rpMauJabberTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2 + # ifMauJabberTrap + # + # This trap is sent whenever a managed interface MAU enters the jabber state. + # + # ifMauJabberState (INTEGER) + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 0 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.2.1.26.2.1.1.7") { + meta varbinds_ok = true + }} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + meta ifMauJabberState = this.trap.VarBinds.index(0).Value + + root.out.ietf.ifMauJabberState = this.trap.VarBinds.index(0).Value.snmp_int_enum_enrich(".1.3.6.1.2.1.26.2.1.1.7") + + root.out.object.name = "MAU-MIB::ifMauEntry" + root.out.object.index = this.trap.VarBinds.index(0).OID.snmp_oid_get_index(".1.3.6.1.2.1.26.2.1.1.7") + root.TEMP.ifMauEntry = root.out.object.index.snmp_oid_extract_index("Integer,Integer") + root.out.ietf.ifMauIfIndex = root.TEMP.ifMauEntry.index(0).string() + root.out.ietf.ifMauIndex = root.TEMP.ifMauEntry.index(1).string() + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.out.object.label = "interface: ifIndex " + root.out.ietf.ifMauIfIndex + ", MAU: " + root.out.ietf.ifMauIndex + + root.out.event.class.name = "SNMPTRAP-MAU-MIB-snmpDot3MauMgt-ifMauJabberTrap" + root.out.event.id = "SNMPTRAP-MAU-MIB-snmpDot3MauMgt-ifMauJabberTrap" + root.out.event.category.name = "interface MAU jabber state" + + - switch: + - check: metadata("ifMauJabberState") == 1 + processors: + - mapping: |- + #!blobl + root = this + + root.out.event.id = root.out.event.id + "-other" + root.out.event.message = "interface MAU other jabber state" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: metadata("ifMauJabberState") == 3 + processors: + - mapping: |- + #!blobl + root = this + + root.out.event.id = root.out.event.id + "-noJabber" + root.out.event.message = "interface MAU not jabbering" + root.out.event.severity.code = 6 + root.out.event.severity.level = "Informational" + + - check: metadata("ifMauJabberState") == 4 + processors: + - mapping: |- + #!blobl + root = this + + root.out.event.id = root.out.event.id + "-jabbering" + root.out.event.message = "interface MAU jabbering" + root.out.event.severity.code = 3 + root.out.event.severity.level = "Error" + + - processors: + - mapping: |- + #!blobl + root = this + + root.out.event.id = root.out.event.id + "-unknown" + root.out.event.message = "interface MAU jabber state unknown" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if 
this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + }}}} + + root.out.event.class.name = "SNMPTRAP-MAU-MIB-snmpDot3MauMgt-ifMauJabberTrap" + root.out.event.id = "SNMPTRAP-MAU-MIB-snmpDot3MauMgt-ifMauJabberTrap-unknown" + root.out.event.category.name = "interface MAU jabber state" + root.out.event.message = 
"interface MAU jabber state notification - UNEXPECTED VARBINDS for ifMauJabberTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - processors: + - label: default + mapping: | + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 
4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 
{ + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + }}}}}}}} + + root.out.event.class.name = "SNMPTRAP-MAU-MIB-snmpDot3MauMgt-unknown" + root.out.event.id = "SNMPTRAP-MAU-MIB-snmpDot3MauMgt-" + this.trap.SpecificTrap.string() + root.out.event.category.name = "unknown specific trap" + root.out.event.message = "unknown specific trap " + this.trap.SpecificTrap.string() + " from IETF MAU-MIB-snmpDot3MauMgt" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" diff --git a/traps/rules/IETF/MAU-MIB-snmpDot3MauTraps.yml b/traps/rules/IETF/MAU-MIB-snmpDot3MauTraps.yml deleted file mode 100644 index 2ac0dcc3..00000000 --- a/traps/rules/IETF/MAU-MIB-snmpDot3MauTraps.yml +++ /dev/null 
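Review bot: The varbind check in the `SpecificTrap == 1` branch accepts any OID that merely starts with the column OID, because `has_prefix(".1.3.6.1.2.1.26.1.1.1.8")` has no trailing dot; an OID beginning `.1.3.6.1.2.1.26.1.1.1.80`, or the bare column OID with no instance suffix, sets `varbinds_ok` and then reaches `snmp_oid_extract_index("Integer,Integer,Integer")` and `.index(2)`. Trap contents arrive from the network, so I would tighten the test to `has_prefix(".1.3.6.1.2.1.26.1.1.1.8.")` and confirm that three index components are present before reading them; how the two index helpers behave on a short index is not visible in this hunk. The same applies to the `.1.3.6.1.2.1.26.2.1.1.7` check in the `SpecificTrap == 2` branch, which reads two components. Both validation mappings also call `this.trap.VarBinds.length()` without the `this.trap.exists("VarBinds")` guard that the fallback mappings use, so a trap carrying no VarBinds field presumably fails the mapping rather than taking the "UNEXPECTED VARBINDS" path.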
@@ -1,142 +0,0 @@ -- mapping: |- - #!blobl - root = this - root.out.origin.agent.name = "MAU-MIB" -- switch: - - check: this.trap.SpecificTrap == 1 - processors: - - label: rp_mau_jabber_trap_variables - mapping: |- - #!blobl - root = this - - root.out.IETF.rpMauJabberState = this.trap.VarBinds.index(0).Value.enum_enrich(".1.3.6.1.2.1.26.1.1.1.8") - - label: rp_mau_jabber_trap_rules_1 - mapping: |- - #!blobl - root = this - - root.out.event.class.name = "SNMPTRAP-IETF-MAU-MIB-rpMauJabberTrap" - root.out.event.id = "SNMPTRAP-IETF-MAU-MIB-rpMauJabberTrap" - root.out.event.category.name = "Repeater MAU Jabber Status" - root.out.object.name = "rpMauEntry.2.1.26" - - label: rp_mau_jabber_trap_rules_2 - switch: - - check: this.trap.VarBinds.index(0).Value == 1 - processors: - - label: rp_mau_jabber_trap_rules_2_1 - mapping: |- - #!blobl - root = this - - root.out.event.message = "802.3 Repeater MAU Jabber Status Unknown" - root.out.event.severity.code = 4 - root.out.event.severity.level = "Warning" - - check: this.trap.VarBinds.index(0).Value == 2 - processors: - - label: rp_mau_jabber_trap_rules_2_2 - mapping: |- - #!blobl - root = this - - root.out.event.message = "802.3 Repeater MAU Jabber Status Unknown" - root.out.event.severity.code = 4 - root.out.event.severity.level = "Warning" - - check: this.trap.VarBinds.index(0).Value == 3 - processors: - - label: rp_mau_jabber_trap_rules_2_3 - mapping: |- - #!blobl - root = this - - root.out.event.message = "802.3 Repeater MAU Not Jabbering" - root.out.event.severity.code = 5 - root.out.event.severity.level = "Notice" - - check: this.trap.VarBinds.index(0).Value == 4 - processors: - - label: rp_mau_jabber_trap_rules_2_4 - mapping: |- - #!blobl - root = this - - root.out.event.message = "802.3 Repeater MAU Jabbering" - root.out.event.severity.code = 3 - root.out.event.severity.level = "Error" - - label: rp_mau_jabber_trap_rules_3 - mapping: |- - #!blobl - root = this - - root.out.event.message = root.out.event.message + " ( 
Group: 2, Port: 1, MAU: 26 )" - - check: this.trap.SpecificTrap == 2 - processors: - - label: if_mau_jabber_trap_variables - mapping: |- - #!blobl - root = this - - root.out.IETF.ifMauJabberState = this.trap.VarBinds.index(0).Value.enum_enrich(".1.3.6.1.2.1.26.2.1.1.7") - - label: if_mau_jabber_trap_rules_1 - mapping: |- - #!blobl - root = this - - root.out.event.class.name = "SNMPTRAP-IETF-MAU-MIB-ifMauJabberTrap" - root.out.event.id = "SNMPTRAP-IETF-MAU-MIB-ifMauJabberTrap" - root.out.event.category.name = "Interface MAU Jabber Status" - root.out.object.name = "ifMauEntry.1.26" - - label: if_mau_jabber_trap_rules_2 - switch: - - check: this.trap.VarBinds.index(0).Value == 1 - processors: - - label: if_mau_jabber_trap_rules_2_1 - mapping: |- - #!blobl - root = this - - root.out.event.message = "802.3 Interface MAU Jabber Status Unknown" - root.out.event.severity.code = 4 - root.out.event.severity.level = "Warning" - - check: this.trap.VarBinds.index(0).Value == 2 - processors: - - label: if_mau_jabber_trap_rules_2_2 - mapping: |- - #!blobl - root = this - - root.out.event.message = "802.3 Interface MAU Jabber Status Unknown" - root.out.event.severity.code = 4 - root.out.event.severity.level = "Warning" - - check: this.trap.VarBinds.index(0).Value == 3 - processors: - - label: if_mau_jabber_trap_rules_2_3 - mapping: |- - #!blobl - root = this - - root.out.event.message = "802.3 Interface MAU Not Jabbering" - root.out.event.severity.code = 5 - root.out.event.severity.level = "Notice" - - check: this.trap.VarBinds.index(0).Value == 4 - processors: - - label: if_mau_jabber_trap_rules_2_4 - mapping: |- - #!blobl - root = this - - root.out.event.message = "802.3 Interface MAU Jabbering" - root.out.event.severity.code = 3 - root.out.event.severity.level = "Error" - - label: if_mau_jabber_trap_rules_3 - mapping: |- - #!blobl - root = this - - root.out.event.message = root.out.event.message + " ( ifIndex: 1, MAU: 26 )" - - processors: - - label: default - mapping: | - 
#!blobl - root = this - - root.out.event.category.name = "Unknown Trap" From 1513c49c168da6583ea62c19b70fd40ed1c90835 Mon Sep 17 00:00:00 2001 From: Rob Cowart Date: Wed, 22 Oct 2025 23:06:19 +0200 Subject: [PATCH 4/8] official BRIDGE-MIB trap rules --- traps/enterprises.yml | 2 +- traps/rules/IETF/BRIDGE-MIB-dot1dBridge.yml | 312 ++++++++++++++++++++ 2 files changed, 313 insertions(+), 1 deletion(-) create mode 100644 traps/rules/IETF/BRIDGE-MIB-dot1dBridge.yml diff --git a/traps/enterprises.yml b/traps/enterprises.yml index 51f54026..1ed3a464 100644 --- a/traps/enterprises.yml +++ b/traps/enterprises.yml @@ -7,6 +7,7 @@ unsupported: unsupported.yml # IETF .1.3.6.1.2.1.14.16: IETF/OSPF-TRAP-MIB-ospfTraps.yml .1.3.6.1.2.1.14.16.2: IETF/OSPF-TRAP-MIB-ospfTraps.yml +.1.3.6.1.2.1.17: IETF/BRIDGE-MIB-dot1dBridge.yml .1.3.6.1.2.1.26: IETF/MAU-MIB-snmpDot3MauMgt.yml .1.3.6.1.2.1.43.18.2: IETF/Printer-MIB-printerV1Alert.yml @@ -66,7 +67,6 @@ unsupported: unsupported.yml .1.3.6.1.2.1.10.166.3: IETF/MPLS-TE-STD-MIB-mplsTeNotifications.yml .1.3.6.1.2.1.16: IETF/RMON-MIB-rmonEventsV2.yml .1.3.6.1.2.1.16.29.2: IETF/HC-ALARM-MIB-hcAlarmNotifPrefix.yml -.1.3.6.1.2.1.17: IETF/BRIDGE-MIB-dot1dNotifications.yml .1.3.6.1.2.1.22: IETF/SNMP-REPEATER-MIB-snmpDot3RptrMgt.yml .1.3.6.1.2.1.33.2: IETF/UPS-MIB-upsTraps.yml .1.3.6.1.2.1.39.2: IETF/RDBMS-MIB-rdbmsTraps.yml diff --git a/traps/rules/IETF/BRIDGE-MIB-dot1dBridge.yml b/traps/rules/IETF/BRIDGE-MIB-dot1dBridge.yml new file mode 100644 index 00000000..0bf60e81 --- /dev/null +++ b/traps/rules/IETF/BRIDGE-MIB-dot1dBridge.yml 
@@ -0,0 +1,312 @@ + +- mapping: |- + #!blobl + root = this + root.out.origin.agent.name = "IETF BRIDGE-MIB" +- switch: + - check: this.trap.SpecificTrap == 1 + # newRoot + # + # The newRoot trap indicates that the sending agent has become the new root of the Spanning Tree; the trap is sent + # by a bridge soon after its election as the new root, e.g., upon expiration of the Topology Change Timer, + # immediately subsequent to its election. Implementation of this trap is optional. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds = "unexpected" + if this.trap.VarBinds.length() == 0 { + meta varbinds = "standard" + } else if this.trap.VarBinds.length() > 0 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.9.9.46.1.3.1.1.1") { + meta varbinds = "cisco" + }} + + - switch: + - check: metadata("varbinds") == "standard" + processors: + - mapping: |- + #!blobl + root = this + + root.out.object.name = "BRIDGE-MIB::dot1dBridge" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + + root.out.event.class.name = "SNMPTRAP-BRIDGE-MIB-dot1dBridge-newRoot" + root.out.event.id = "SNMPTRAP-BRIDGE-MIB-dot1dBridge-newRoot" + root.out.event.category.name = "spanning tree root" + root.out.event.message = this.trap.AgentAddress.string() + " is new root of spanning tree" + root.out.event.severity.code = 5 + root.out.event.severity.level = "Notice" + + - check: metadata("varbinds") == "cisco" + processors: + - mapping: |- + #!blobl + root = this + + root.out.cisco.vtpVlanIndex = this.trap.VarBinds.index(0).Value.string() + + root.out.object.name = "CISCO-VTP-MIB::vtpVlanEntry" + root.out.object.index = this.trap.VarBinds.index(0).OID.snmp_oid_get_index(".1.3.6.1.4.1.9.9.46.1.3.1.1.1") + root.TEMP.vtpVlanEntry = root.out.object.index.snmp_oid_extract_index("Integer,Integer") + root.out.cisco.managementDomainIndex = root.TEMP.vtpVlanEntry.index(0).string() + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.out.object.label = "management domain: " + root.out.cisco.managementDomainIndex + ", VLAN: " + root.out.cisco.vtpVlanIndex + + root.out.event.class.name = "SNMPTRAP-BRIDGE-MIB-dot1dBridge-newRoot" + root.out.event.id = "SNMPTRAP-BRIDGE-MIB-dot1dBridge-newRoot" + root.out.event.category.name = "spanning tree root" + root.out.event.message = this.trap.AgentAddress.string() + " is new root of spanning tree" + root.out.event.severity.code = 5 + root.out.event.severity.level = "Notice" + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + 
if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + }}}} + + root.out.event.class.name = "SNMPTRAP-BRIDGE-MIB-dot1dBridge-newRoot" + root.out.event.id = "SNMPTRAP-BRIDGE-MIB-dot1dBridge-newRoot-unknown" + root.out.event.category.name = "spanning tree root" + root.out.event.message = 
this.trap.AgentAddress.string() + " is new root of spanning tree - UNEXPECTED VARBINDS for newRoot trap!" + root.out.event.severity.code = 5 + root.out.event.severity.level = "Notice" + + - check: this.trap.SpecificTrap == 2 + # topologyChange + # + # A topologyChange trap is sent by a bridge when any of its configured ports transitions from the Learning state to + # the Forwarding state, or from the Forwarding state to the Blocking state. The trap is not sent if a newRoot trap + # is sent for the same transition. Implementation of this trap is optional. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds = "unexpected" + if this.trap.VarBinds.length() == 0 { + meta varbinds = "standard" + } else if this.trap.VarBinds.length() > 1 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.9.9.46.1.3.1.1.1") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.2.1.31.1.1.1.1") { + meta varbinds = "cisco" + }}} + + - switch: + - check: metadata("varbinds") == "standard" + processors: + - mapping: |- + #!blobl + root = this + + root.out.object.name = "BRIDGE-MIB::dot1dBridge" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + + root.out.event.class.name = "SNMPTRAP-BRIDGE-MIB-dot1dBridge-topologyChange" + root.out.event.id = "SNMPTRAP-BRIDGE-MIB-dot1dBridge-topologyChange" + root.out.event.category.name = "bridge topology change" + root.out.event.message = "bridge port transitioned learn-to-forward or forward-to-block" + root.out.event.severity.code = 5 + root.out.event.severity.level = "Notice" + + - check: metadata("varbinds") == "cisco" + processors: + - mapping: |- + #!blobl + root = this + + root.out.cisco.vtpVlanIndex = this.trap.VarBinds.index(0).Value.string() + root.out.ietf.ifName = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "CISCO-VTP-MIB::vtpVlanEntry" + root.out.object.index = this.trap.VarBinds.index(0).OID.snmp_oid_get_index(".1.3.6.1.4.1.9.9.46.1.3.1.1.1") + root.TEMP.vtpVlanEntry = root.out.object.index.snmp_oid_extract_index("Integer,Integer") + root.out.cisco.managementDomainIndex = root.TEMP.vtpVlanEntry.index(0).string() + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.out.object.label = "management domain: " + root.out.cisco.managementDomainIndex + ", VLAN: " + root.out.cisco.vtpVlanIndex + ", interface: " + root.out.ietf.ifName + + root.out.event.class.name = "SNMPTRAP-BRIDGE-MIB-dot1dBridge-topologyChange" + root.out.event.id = "SNMPTRAP-BRIDGE-MIB-dot1dBridge-topologyChange" + root.out.event.category.name = "bridge topology change" + root.out.event.message = "bridge port transitioned learn-to-forward or forward-to-block" + root.out.event.severity.code = 5 + root.out.event.severity.level = "Notice" + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = 
this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + }}}} + + root.out.event.class.name = "SNMPTRAP-BRIDGE-MIB-dot1dBridge-topologyChange" + root.out.event.id = "SNMPTRAP-BRIDGE-MIB-dot1dBridge-topologyChange-unknown" + root.out.event.category.name = "bridge topology change" + root.out.event.message = "bridge port transitioned learn-to-forward or forward-to-block - UNEXPECTED VARBINDS for topologyChange trap!" 
+ root.out.event.severity.code = 5 + root.out.event.severity.level = "Notice" + + - processors: + - label: default + mapping: | + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = 
this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = 
this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + }}}}}}}} + + root.out.event.class.name = "SNMPTRAP-BRIDGE-MIB-dot1dBridge-unknown" + root.out.event.id = "SNMPTRAP-BRIDGE-MIB-dot1dBridge-" + this.trap.SpecificTrap.string() + root.out.event.category.name = "unknown specific trap" + root.out.event.message = "unknown specific trap " + this.trap.SpecificTrap.string() + " from IETF BRIDGE-MIB-dot1dBridge" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" From 546ca0346b00c04622348bbed09685bab072b5ba Mon Sep 17 00:00:00 2001 From: Rob Cowart Date: Thu, 23 Oct 2025 00:43:00 +0200 Subject: [PATCH 5/8] add BGP4-MIB trap rules --- traps/enterprises.yml | 2 + traps/rules/IETF/BGP4-MIB-bgp.yml | 660 +++++++++++++++++++++++++ traps/rules/IETF/BGP4-MIB-bgpTraps.yml | 640 ++++++++++++++++++++++++ 3 files changed, 1302 insertions(+) create mode 100644 traps/rules/IETF/BGP4-MIB-bgp.yml create mode 100644 traps/rules/IETF/BGP4-MIB-bgpTraps.yml diff --git a/traps/enterprises.yml b/traps/enterprises.yml index 1ed3a464..190a0b18 100644 --- a/traps/enterprises.yml +++ b/traps/enterprises.yml @@ -7,6 +7,8 @@ unsupported: unsupported.yml # IETF .1.3.6.1.2.1.14.16: IETF/OSPF-TRAP-MIB-ospfTraps.yml .1.3.6.1.2.1.14.16.2: IETF/OSPF-TRAP-MIB-ospfTraps.yml +.1.3.6.1.2.1.15: IETF/BGP4-MIB-bgp.yml +.1.3.6.1.2.1.15.7: IETF/BGP4-MIB-bgpTraps.yml .1.3.6.1.2.1.17: IETF/BRIDGE-MIB-dot1dBridge.yml .1.3.6.1.2.1.26: IETF/MAU-MIB-snmpDot3MauMgt.yml .1.3.6.1.2.1.43.18.2: IETF/Printer-MIB-printerV1Alert.yml diff --git a/traps/rules/IETF/BGP4-MIB-bgp.yml b/traps/rules/IETF/BGP4-MIB-bgp.yml new file mode 100644 index 00000000..6313f783 --- /dev/null +++ b/traps/rules/IETF/BGP4-MIB-bgp.yml 
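Review bot: In traps/rules/IETF/BRIDGE-MIB-dot1dBridge.yml the varbind-classification mapping that opens the newRoot case, and the same mapping in the topologyChange case, calls `this.trap.VarBinds.length()` without the `this.trap.exists("VarBinds")` guard that the fallback mappings in this file use. If the trap decoder omits VarBinds instead of emitting an empty list (not visible here, so worth confirming), that mapping would presumably error before `meta varbinds` is set, and a plain BRIDGE-MIB trap would fall through to the case that emits the `-unknown` event id and the "UNEXPECTED VARBINDS" message. Spanning-tree root and topology changes are events a detection rule is likely to match by event id, so the standard test is safer as `if !this.trap.exists("VarBinds") || this.trap.VarBinds.length() == 0 {`. Separately, `root.out.object.entity` and the newRoot message are built from `this.trap.AgentAddress`; if that value is the SNMPv1 agent-addr field it is supplied by the sender, so a comment such as `# AgentAddress is sender-supplied; correlate with the transport source address` above those assignments would help whoever consumes these events.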
@@ -0,0 +1,660 @@ +- mapping: |- + #!blobl + root = this + root.out.origin.agent.name = "IETF BGP4-MIB" +- switch: + - check: this.trap.SpecificTrap == 1 + # bgpEstablishedNotification + # + # The bgpEstablishedNotification event is generated when the BGP FSM enters the established state. + # + # bgpPeerRemoteAddr (IpAddress) - The remote IP address of this entry's BGP peer. + # bgpPeerLastError (OCTET STRING) - The last error code and subcode seen by this peer on this connection. If no + # error has occurred, this field is zero. Otherwise, the first byte of this two byte OCTET STRING contains the + # error code, and the second byte contains the subcode. + # bgpPeerState (INTEGER) - The BGP peer connection state. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 2 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.2.1.15.3.1.7") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.2.1.15.3.1.14") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.2.1.15.3.1.2") { + meta varbinds_ok = true + }}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.ietf.bgpPeerRemoteAddr = this.trap.VarBinds.index(0).Value + root.out.ietf.bgpPeerLastError = this.trap.VarBinds.index(1).Value.snmp_octet_string() + root.out.ietf.bgpPeerState = this.trap.VarBinds.index(2).Value.snmp_int_enum_enrich(".1.3.6.1.2.1.15.3.1.2") + + root.out.object.name = "BGP4-MIB::bgpPeerEntry" + root.out.object.index = root.out.ietf.bgpPeerRemoteAddr + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.out.object.label = "peer: " + root.out.ietf.bgpPeerRemoteAddr + + root.out.event.class.name = "SNMPTRAP-BGP4-MIB-bgp-bgpEstablishedNotification" + root.out.event.id = "SNMPTRAP-BGP4-MIB-bgp-bgpEstablishedNotification" + root.out.event.category.name = "BGP peer state" + root.out.event.message = "BGP peer established" + root.out.event.severity.code = 6 + root.out.event.severity.level = "Informational" + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + 
root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + }}}}}} + + root.out.event.class.name = "SNMPTRAP-BGP4-MIB-bgp-bgpEstablishedNotification" + root.out.event.id = "SNMPTRAP-BGP4-MIB-bgp-bgpEstablishedNotification-unknown" + root.out.event.category.name = "BGP peer state" + root.out.event.message = "BGP peer established - UNEXPECTED VARBINDS for bgpEstablishedNotification trap!" 
+ root.out.event.severity.code = 5 + root.out.event.severity.level = "Notice" + + - check: this.trap.SpecificTrap == 2 + # bgpBackwardTransNotification + # + # The bgpBackwardTransNotification event is generated when the BGP FSM moves from a higher numbered state to a lower + # numbered state. + # + # bgpPeerRemoteAddr (IpAddress) - The remote IP address of this entry's BGP peer. + # bgpPeerLastError (OCTET STRING) - The last error code and subcode seen by this peer on this connection. If no + # error has occurred, this field is zero. Otherwise, the first byte of this two byte OCTET STRING contains the + # error code, and the second byte contains the subcode. + # bgpPeerState (INTEGER) - The BGP peer connection state. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 2 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.2.1.15.3.1.7") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.2.1.15.3.1.14") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.2.1.15.3.1.2") { + meta varbinds_ok = true + }}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + meta bgpPeerState = this.trap.VarBinds.index(2).Value + + root.out.ietf.bgpPeerRemoteAddr = this.trap.VarBinds.index(0).Value + root.out.ietf.bgpPeerLastError = this.trap.VarBinds.index(1).Value.snmp_octet_string() + root.out.ietf.bgpPeerState = this.trap.VarBinds.index(2).Value.snmp_int_enum_enrich(".1.3.6.1.2.1.15.3.1.2") + + meta bgpPeerLastError = root.out.ietf.bgpPeerLastError + + root.out.object.name = "BGP4-MIB::bgpPeerEntry" + root.out.object.index = root.out.ietf.bgpPeerRemoteAddr + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.out.object.label = "peer: " + root.out.ietf.bgpPeerRemoteAddr + + root.out.event.class.name = "SNMPTRAP-BGP4-MIB-bgp-bgpBackwardTransNotification" + root.out.event.id = "SNMPTRAP-BGP4-MIB-bgp-bgpBackwardTransNotification" + root.out.event.category.name = "BGP peer state" + + - switch: + - check: metadata("bgpPeerState") == 1 + processors: + - mapping: |- + #!blobl + root = this + + root.out.event.id = root.out.event.id + "-idle" + root.out.event.message = "BGP peer idle" + root.out.event.severity.code = 3 + root.out.event.severity.level = "Error" + + - check: metadata("bgpPeerState") == 2 + processors: + - mapping: |- + #!blobl + root = this + + root.out.event.id = root.out.event.id + "-connect" + root.out.event.message = "BGP peer connect" + root.out.event.severity.code = 5 + root.out.event.severity.level = "Notice" + + - check: metadata("bgpPeerState") == 3 + processors: + - mapping: |- + #!blobl + root = this + + root.out.event.id = root.out.event.id + "-active" + root.out.event.message = "BGP peer active" + root.out.event.severity.code = 5 + root.out.event.severity.level = "Notice" + + - check: metadata("bgpPeerState") == 4 + processors: + - mapping: |- + #!blobl + root = this + + root.out.event.id = root.out.event.id + "-opensent" + root.out.event.message = "BGP peer open sent" + root.out.event.severity.code = 5 + root.out.event.severity.level = "Notice" + + - check: metadata("bgpPeerState") == 5 + processors: + - mapping: |- + #!blobl + root = this + + root.out.event.id = root.out.event.id + "-openconfirm" + root.out.event.message = "BGP peer open confirm" + root.out.event.severity.code = 5 + root.out.event.severity.level = "Notice" + + - check: metadata("bgpPeerState") == 6 + processors: + - mapping: |- + #!blobl + root = this + + root.out.event.id = root.out.event.id + "-established" + root.out.event.message = "BGP peer established" + root.out.event.severity.code = 6 + root.out.event.severity.level = "Informational" + + - 
processors: + - mapping: |- + #!blobl + root = this + + root.out.event.id = root.out.event.id + "-unknown" + root.out.event.message = "BGP peer state unknown" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - switch: + - check: metadata("bgpPeerLastError") == "0000" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", No Error" + - check: metadata("bgpPeerLastError") == "0100" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Message Header Error - Unspecific" + - check: metadata("bgpPeerLastError") == "0101" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Message Header Error - Connection Not Synchronized" + - check: metadata("bgpPeerLastError") == "0102" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Message Header Error - Bad Message Length" + - check: metadata("bgpPeerLastError") == "0103" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Message Header Error - Bad Message Type" + - check: metadata("bgpPeerLastError") == "0200" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", OPEN Message Error - Unspecific" + - check: metadata("bgpPeerLastError") == "0201" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", OPEN Message Error - Unsupported Version Number" + - check: metadata("bgpPeerLastError") == "0202" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", OPEN Message Error - Bad Peer AS" + - check: metadata("bgpPeerLastError") == "0203" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", OPEN Message Error 
- Bad BGP Identifier" + - check: metadata("bgpPeerLastError") == "0204" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", OPEN Message Error - Unsupported Optional Parameter" + - check: metadata("bgpPeerLastError") == "0206" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", OPEN Message Error - Unacceptable Hold Time" + - check: metadata("bgpPeerLastError") == "0207" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", OPEN Message Error - Unsupported Capability" + - check: metadata("bgpPeerLastError") == "020b" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", OPEN Message Error - Role Mismatch" + - check: metadata("bgpPeerLastError") == "0300" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", UPDATE Message Error - Unspecific" + - check: metadata("bgpPeerLastError") == "0301" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", UPDATE Message Error - Malformed Attribute List" + - check: metadata("bgpPeerLastError") == "0302" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", UPDATE Message Error - Unrecognized Well-known Attribute" + - check: metadata("bgpPeerLastError") == "0303" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", UPDATE Message Error - Missing Well-known Attribute" + - check: metadata("bgpPeerLastError") == "0304" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", UPDATE Message Error - Attribute Flags Error" + - check: metadata("bgpPeerLastError") == "0305" + processors: + - mapping: |- + #!blobl + root = this + 
root.out.event.message = root.out.event.message + ", UPDATE Message Error - Attribute Length Error" + - check: metadata("bgpPeerLastError") == "0306" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", UPDATE Message Error - Invalid ORIGIN Attribute" + - check: metadata("bgpPeerLastError") == "0308" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", UPDATE Message Error - Invalid NEXT_HOP Attribute" + - check: metadata("bgpPeerLastError") == "0309" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", UPDATE Message Error - Optional Attribute Error" + - check: metadata("bgpPeerLastError") == "030a" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", UPDATE Message Error - Invalid Network Field" + - check: metadata("bgpPeerLastError") == "030b" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", UPDATE Message Error - Malformed AS_PATH" + - check: metadata("bgpPeerLastError") == "0400" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Hold Timer Expired" + - check: metadata("bgpPeerLastError") == "0500" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Finite State Machine Error" + - check: metadata("bgpPeerLastError") == "0501" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Finite State Machine Error - Receive Unexpected Message in OpenSent State" + - check: metadata("bgpPeerLastError") == "0502" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Finite State Machine Error - Receive Unexpected Message in OpenConfirm State" + - check: 
metadata("bgpPeerLastError") == "0503" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Finite State Machine Error - Receive Unexpected Message in Established State" + - check: metadata("bgpPeerLastError") == "0600" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Cease" + - check: metadata("bgpPeerLastError") == "0601" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Cease - Maximum Number of Prefixes Reached" + - check: metadata("bgpPeerLastError") == "0602" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Cease - Administrative Shutdown" + - check: metadata("bgpPeerLastError") == "0603" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Cease - Peer De-configured" + - check: metadata("bgpPeerLastError") == "0604" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Cease - Administrative Reset" + - check: metadata("bgpPeerLastError") == "0605" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Cease - Connection Rejected" + - check: metadata("bgpPeerLastError") == "0606" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Cease - Other Configuration Change" + - check: metadata("bgpPeerLastError") == "0607" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Cease - Connection Collision Resolution" + - check: metadata("bgpPeerLastError") == "0608" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Cease - Out of Resources" + - check: metadata("bgpPeerLastError") == "0609" + processors: + - 
mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Cease - Hard Reset" + - check: metadata("bgpPeerLastError") == "060a" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Cease - BFD Down" + - check: metadata("bgpPeerLastError") == "0700" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", ROUTE-REFRESH Message Error" + - check: metadata("bgpPeerLastError") == "0701" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", ROUTE-REFRESH Message Error - Invalid Message Length" + - check: metadata("bgpPeerLastError") == "0800" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Send Hold Timer Expired" + - check: metadata("bgpPeerLastError") == "0900" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Loss of LSDB Synchronization" + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = 
this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = 
this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + }}}}}} + + root.out.event.class.name = "SNMPTRAP-BGP4-MIB-bgp-bgpBackwardTransNotification" + root.out.event.id = "SNMPTRAP-BGP4-MIB-bgp-bgpBackwardTransNotification-unknown" + root.out.event.category.name = "BGP peer state" + root.out.event.message = "BGP peer backward transition - UNEXPECTED VARBINDS for bgpBackwardTransNotification trap!" + root.out.event.severity.code = 3 + root.out.event.severity.level = "Error" + + - processors: + - label: default + mapping: | + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = 
this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = 
this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + }}}}}}}} + + root.out.event.class.name = "SNMPTRAP-BGP4-MIB-bgp-unknown" + root.out.event.id = "SNMPTRAP-BGP4-MIB-bgp-" + this.trap.SpecificTrap.string() + root.out.event.category.name = "unknown specific trap" + root.out.event.message = "unknown specific trap " + this.trap.SpecificTrap.string() + " from IETF BGP4-MIB-bgp" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" diff --git a/traps/rules/IETF/BGP4-MIB-bgpTraps.yml b/traps/rules/IETF/BGP4-MIB-bgpTraps.yml new file mode 100644 index 00000000..da64d2f9 --- /dev/null +++ b/traps/rules/IETF/BGP4-MIB-bgpTraps.yml 
@@ -0,0 +1,640 @@ +- mapping: |- + #!blobl + root = this + root.out.origin.agent.name = "IETF BGP4-MIB" +- switch: + - check: this.trap.SpecificTrap == 1 + # bgpEstablished + # + # The bgpEstablished event is generated when the BGP FSM enters the established state. + # + # bgpPeerLastError (OCTET STRING) - The last error code and subcode seen by this peer on this connection. If no + # error has occurred, this field is zero. Otherwise, the first byte of this two byte OCTET STRING contains the + # error code, and the second byte contains the subcode. + # bgpPeerState (INTEGER) - The BGP peer connection state. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 1 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.2.1.15.3.1.14") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.2.1.15.3.1.2") { + meta varbinds_ok = true + }}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.ietf.bgpPeerLastError = this.trap.VarBinds.index(0).Value.snmp_octet_string() + root.out.ietf.bgpPeerState = this.trap.VarBinds.index(1).Value.snmp_int_enum_enrich(".1.3.6.1.2.1.15.3.1.2") + + root.out.object.name = "BGP4-MIB::bgpPeerEntry" + root.out.object.index = this.trap.VarBinds.index(1).OID.snmp_oid_get_index(".1.3.6.1.2.1.15.3.1.2") + root.out.ietf.bgpPeerRemoteAddr = root.out.object.index + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.out.object.label = "peer: " + root.out.ietf.bgpPeerRemoteAddr + + root.out.event.class.name = "SNMPTRAP-BGP4-MIB-bgpTraps-bgpEstablished" + root.out.event.id = "SNMPTRAP-BGP4-MIB-bgpTraps-bgpEstablished" + root.out.event.category.name = "BGP peer state" + root.out.event.message = "BGP peer established" + root.out.event.severity.code = 6 + root.out.event.severity.level = "Informational" + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + 
root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + }}}}} + + root.out.event.class.name = "SNMPTRAP-BGP4-MIB-bgpTraps-bgpEstablished" + root.out.event.id = "SNMPTRAP-BGP4-MIB-bgpTraps-bgpEstablished-unknown" + root.out.event.category.name = "BGP peer state" + root.out.event.message = "BGP peer established - UNEXPECTED VARBINDS for bgpEstablished trap!" + root.out.event.severity.code = 5 + root.out.event.severity.level = "Notice" + + - check: this.trap.SpecificTrap == 2 + # bgpBackwardTransition + # + # The bgpBackwardTransition event is generated when the BGP FSM moves from a higher numbered state to a lower + # numbered state. + # + # bgpPeerLastError (OCTET STRING) - The last error code and subcode seen by this peer on this connection. If no + # error has occurred, this field is zero. 
Otherwise, the first byte of this two byte OCTET STRING contains the + # error code, and the second byte contains the subcode. + # bgpPeerState (INTEGER) - The BGP peer connection state. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 1 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.2.1.15.3.1.14") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.2.1.15.3.1.2") { + meta varbinds_ok = true + }}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + meta bgpPeerState = this.trap.VarBinds.index(1).Value + + root.out.ietf.bgpPeerLastError = this.trap.VarBinds.index(0).Value.snmp_octet_string() + root.out.ietf.bgpPeerState = this.trap.VarBinds.index(1).Value.snmp_int_enum_enrich(".1.3.6.1.2.1.15.3.1.2") + + meta bgpPeerLastError = root.out.ietf.bgpPeerLastError + + root.out.object.name = "BGP4-MIB::bgpPeerEntry" + root.out.object.index = this.trap.VarBinds.index(1).OID.snmp_oid_get_index(".1.3.6.1.2.1.15.3.1.2") + root.out.ietf.bgpPeerRemoteAddr = root.out.object.index + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.out.object.label = "peer: " + root.out.ietf.bgpPeerRemoteAddr + + root.out.event.class.name = "SNMPTRAP-BGP4-MIB-bgpTraps-bgpBackwardTransition" + root.out.event.id = "SNMPTRAP-BGP4-MIB-bgpTraps-bgpBackwardTransition" + root.out.event.category.name = "BGP peer state" + + - switch: + - check: metadata("bgpPeerState") == 1 + processors: + - mapping: |- + #!blobl + root = this + + root.out.event.id = root.out.event.id + "-idle" + root.out.event.message = "BGP peer idle" + root.out.event.severity.code = 3 + root.out.event.severity.level = "Error" + + - check: metadata("bgpPeerState") == 2 + processors: + - mapping: |- + #!blobl + root = this + + root.out.event.id = root.out.event.id + "-connect" + root.out.event.message = "BGP peer connect" + root.out.event.severity.code = 5 + root.out.event.severity.level = "Notice" + + - check: metadata("bgpPeerState") == 3 + processors: + - mapping: |- + #!blobl + root = this + + root.out.event.id = root.out.event.id + "-active" + root.out.event.message = "BGP peer active" + root.out.event.severity.code = 5 + root.out.event.severity.level = "Notice" + + - check: metadata("bgpPeerState") == 4 + processors: + - mapping: |- + #!blobl + root = this + + root.out.event.id = root.out.event.id + "-opensent" + root.out.event.message = "BGP peer open sent" + root.out.event.severity.code = 5 + root.out.event.severity.level = "Notice" + + - check: metadata("bgpPeerState") == 5 + processors: + - mapping: |- + #!blobl + root = this + + root.out.event.id = root.out.event.id + "-openconfirm" + root.out.event.message = "BGP peer open confirm" + root.out.event.severity.code = 5 + root.out.event.severity.level = "Notice" + + - check: metadata("bgpPeerState") == 6 + processors: + - mapping: |- + #!blobl + root = this + + root.out.event.id = root.out.event.id + "-established" + root.out.event.message = "BGP peer established" + root.out.event.severity.code = 6 + root.out.event.severity.level = "Informational" + + - 
processors: + - mapping: |- + #!blobl + root = this + + root.out.event.id = root.out.event.id + "-unknown" + root.out.event.message = "BGP peer state unknown" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - switch: + - check: metadata("bgpPeerLastError") == "0000" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", No Error" + - check: metadata("bgpPeerLastError") == "0100" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Message Header Error - Unspecific" + - check: metadata("bgpPeerLastError") == "0101" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Message Header Error - Connection Not Synchronized" + - check: metadata("bgpPeerLastError") == "0102" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Message Header Error - Bad Message Length" + - check: metadata("bgpPeerLastError") == "0103" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Message Header Error - Bad Message Type" + - check: metadata("bgpPeerLastError") == "0200" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", OPEN Message Error - Unspecific" + - check: metadata("bgpPeerLastError") == "0201" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", OPEN Message Error - Unsupported Version Number" + - check: metadata("bgpPeerLastError") == "0202" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", OPEN Message Error - Bad Peer AS" + - check: metadata("bgpPeerLastError") == "0203" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", OPEN Message Error 
- Bad BGP Identifier" + - check: metadata("bgpPeerLastError") == "0204" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", OPEN Message Error - Unsupported Optional Parameter" + - check: metadata("bgpPeerLastError") == "0206" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", OPEN Message Error - Unacceptable Hold Time" + - check: metadata("bgpPeerLastError") == "0207" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", OPEN Message Error - Unsupported Capability" + - check: metadata("bgpPeerLastError") == "020b" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", OPEN Message Error - Role Mismatch" + - check: metadata("bgpPeerLastError") == "0300" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", UPDATE Message Error - Unspecific" + - check: metadata("bgpPeerLastError") == "0301" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", UPDATE Message Error - Malformed Attribute List" + - check: metadata("bgpPeerLastError") == "0302" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", UPDATE Message Error - Unrecognized Well-known Attribute" + - check: metadata("bgpPeerLastError") == "0303" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", UPDATE Message Error - Missing Well-known Attribute" + - check: metadata("bgpPeerLastError") == "0304" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", UPDATE Message Error - Attribute Flags Error" + - check: metadata("bgpPeerLastError") == "0305" + processors: + - mapping: |- + #!blobl + root = this + 
root.out.event.message = root.out.event.message + ", UPDATE Message Error - Attribute Length Error" + - check: metadata("bgpPeerLastError") == "0306" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", UPDATE Message Error - Invalid ORIGIN Attribute" + - check: metadata("bgpPeerLastError") == "0308" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", UPDATE Message Error - Invalid NEXT_HOP Attribute" + - check: metadata("bgpPeerLastError") == "0309" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", UPDATE Message Error - Optional Attribute Error" + - check: metadata("bgpPeerLastError") == "030a" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", UPDATE Message Error - Invalid Network Field" + - check: metadata("bgpPeerLastError") == "030b" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", UPDATE Message Error - Malformed AS_PATH" + - check: metadata("bgpPeerLastError") == "0400" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Hold Timer Expired" + - check: metadata("bgpPeerLastError") == "0500" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Finite State Machine Error" + - check: metadata("bgpPeerLastError") == "0501" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Finite State Machine Error - Receive Unexpected Message in OpenSent State" + - check: metadata("bgpPeerLastError") == "0502" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Finite State Machine Error - Receive Unexpected Message in OpenConfirm State" + - check: 
metadata("bgpPeerLastError") == "0503" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Finite State Machine Error - Receive Unexpected Message in Established State" + - check: metadata("bgpPeerLastError") == "0600" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Cease" + - check: metadata("bgpPeerLastError") == "0601" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Cease - Maximum Number of Prefixes Reached" + - check: metadata("bgpPeerLastError") == "0602" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Cease - Administrative Shutdown" + - check: metadata("bgpPeerLastError") == "0603" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Cease - Peer De-configured" + - check: metadata("bgpPeerLastError") == "0604" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Cease - Administrative Reset" + - check: metadata("bgpPeerLastError") == "0605" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Cease - Connection Rejected" + - check: metadata("bgpPeerLastError") == "0606" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Cease - Other Configuration Change" + - check: metadata("bgpPeerLastError") == "0607" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Cease - Connection Collision Resolution" + - check: metadata("bgpPeerLastError") == "0608" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Cease - Out of Resources" + - check: metadata("bgpPeerLastError") == "0609" + processors: + - 
mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Cease - Hard Reset" + - check: metadata("bgpPeerLastError") == "060a" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Cease - BFD Down" + - check: metadata("bgpPeerLastError") == "0700" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", ROUTE-REFRESH Message Error" + - check: metadata("bgpPeerLastError") == "0701" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", ROUTE-REFRESH Message Error - Invalid Message Length" + - check: metadata("bgpPeerLastError") == "0800" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Send Hold Timer Expired" + - check: metadata("bgpPeerLastError") == "0900" + processors: + - mapping: |- + #!blobl + root = this + root.out.event.message = root.out.event.message + ", Loss of LSDB Synchronization" + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = 
this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + }}}}} + + root.out.event.class.name = "SNMPTRAP-BGP4-MIB-bgpTraps-bgpBackwardTransition" + root.out.event.id = "SNMPTRAP-BGP4-MIB-bgpTraps-bgpBackwardTransition-unknown" + 
root.out.event.category.name = "BGP peer state" + root.out.event.message = "BGP peer backward transition - UNEXPECTED VARBINDS for bgpBackwardTransition trap!" + root.out.event.severity.code = 3 + root.out.event.severity.level = "Error" + + - processors: + - label: default + mapping: | + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + }}}}}}}} + + root.out.event.class.name = "SNMPTRAP-BGP4-MIB-bgpTraps-unknown" + root.out.event.id = "SNMPTRAP-BGP4-MIB-bgpTraps-" + this.trap.SpecificTrap.string() + root.out.event.category.name = "unknown specific trap" + root.out.event.message = "unknown specific trap " + this.trap.SpecificTrap.string() + " from IETF BGP4-MIB-bgpTraps" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" From 335a51976442dc0c567da2cb51eebf689d6ba82a Mon Sep 17 00:00:00 2001 From: Rob Cowart Date: Thu, 23 Oct 2025 01:02:21 +0200 Subject: [PATCH 6/8] add NAT-MIB trap rules --- traps/enterprises.yml | 1 + traps/rules/IETF/NAT-MIB-natMIB.yml | 176 ++++++++++++++++++++++++++++ 2 files changed, 177 insertions(+) create mode 100644 traps/rules/IETF/NAT-MIB-natMIB.yml diff --git a/traps/enterprises.yml b/traps/enterprises.yml index 190a0b18..81b5ffca 100644 --- a/traps/enterprises.yml +++ b/traps/enterprises.yml @@ -12,6 +12,7 @@ unsupported: unsupported.yml .1.3.6.1.2.1.17: IETF/BRIDGE-MIB-dot1dBridge.yml .1.3.6.1.2.1.26: IETF/MAU-MIB-snmpDot3MauMgt.yml .1.3.6.1.2.1.43.18.2: IETF/Printer-MIB-printerV1Alert.yml +.1.3.6.1.2.1.123: IETF/NAT-MIB-natMIB.yml # Brocade .1.3.6.1.4.1.1588.2.1.1.1: brocade/SW-MIB-sw.yml diff --git a/traps/rules/IETF/NAT-MIB-natMIB.yml b/traps/rules/IETF/NAT-MIB-natMIB.yml new file mode 100644 index 00000000..41cbaff2 --- /dev/null +++ b/traps/rules/IETF/NAT-MIB-natMIB.yml 
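Review bot: The `varbinds_ok` checks under `SpecificTrap == 1` and `SpecificTrap == 2` test the second varbind with `has_prefix(".1.3.6.1.2.1.15.3.1.2")`, which has no trailing dot and so also accepts bgpPeerEntry columns 20 through 24 (for example `.1.3.6.1.2.1.15.3.1.20.<index>`). A trap carrying one of those columns would be reported as a normal peer-state event, probably with a wrong `object.index`, instead of reaching the UNEXPECTED VARBINDS branch; because trap contents arrive from the network, the match should be pinned to the column: `if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.2.1.15.3.1.2.") {`. The NAT-MIB-natMIB.yml hunk repeats the pattern with `has_prefix(".1.3.6.1.2.1.2.2.1.1")`, which also matches ifEntry columns 10 to 19. Separately, both checks call `this.trap.VarBinds.length()` without the `this.trap.exists("VarBinds")` guard that the fallback branches use, so a trap with no varbinds presumably fails the mapping rather than landing in the fallback.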
@@ -0,0 +1,176 @@ +- mapping: |- + #!blobl + root = this + root.out.origin.agent.name = "IETF NAT-MIB" +- switch: + - check: this.trap.SpecificTrap == 1 + # natPacketDiscard + # + # This notification is generated when IP packets are discarded by the NAT function; e.g., due to lack of mapping + # space when NAT is out of addresses or ports. + # + # ifIndex (Integer32) - A unique value, greater than zero, for each interface. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 0 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.2.1.2.2.1.1") { + meta varbinds_ok = true + }} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.ietf.ifIndex = this.trap.VarBinds.index(0).Value.string() + + root.out.object.name = "IF-MIB::ifEntry" + root.out.object.index = root.out.ietf.ifIndex + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.out.object.label = "interface: ifIndex " + root.out.ietf.ifIndex + + root.out.event.class.name = "SNMPTRAP-NAT-MIB-natMIB-natPacketDiscard" + root.out.event.id = "SNMPTRAP-NAT-MIB-natMIB-natPacketDiscard" + root.out.event.category.name = "NAT packet discard" + root.out.event.message = "packets discarded by NAT function" + root.out.event.severity.code = 5 + root.out.event.severity.level = "Notice" + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + 
root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + }}}} + + root.out.event.class.name = "SNMPTRAP-NAT-MIB-natMIB-natPacketDiscard" + root.out.event.id = "SNMPTRAP-NAT-MIB-natMIB-natPacketDiscard-unknown" + root.out.event.category.name = "NAT packet discard" + root.out.event.message = "packets discarded by NAT function - UNEXPECTED VARBINDS for natPacketDiscard trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - processors: + - label: default + mapping: | + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + 
root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = 
this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + }}}}}}}} + + root.out.event.class.name = "SNMPTRAP-NAT-MIB-natMIB-unknown" + root.out.event.id = "SNMPTRAP-NAT-MIB-natMIB-" + this.trap.SpecificTrap.string() + root.out.event.category.name = "unknown specific trap" + root.out.event.message = "unknown specific trap " + this.trap.SpecificTrap.string() + " from IETF NAT-MIB-natMIB" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" From c5a6a75de0b5c6d418ed250aa4bc8578eebce817 Mon Sep 17 00:00:00 2001 
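Review bot: The `varbinds_ok` gate for natPacketDiscard tests `has_prefix(".1.3.6.1.2.1.2.2.1.1")` with no trailing dot, so an OID under another ifEntry column such as `.1.3.6.1.2.1.2.2.1.10` in varbind 0 also passes, and its value is then emitted as `ifIndex` and built into `object.entity`. Trap contents are sender-controlled, so the gate should accept only the intended column: `if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.2.1.2.2.1.1.") {`. The same mapping also calls `this.trap.VarBinds.length()` without the `this.trap.exists("VarBinds")` guard that both fallback mappings in this hunk use. If a trap can arrive without VarBinds, this mapping would presumably error instead of falling through to the "UNEXPECTED VARBINDS" branch, so `if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 {` would keep the three mappings consistent.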
From: Rob Cowart Date: Thu, 23 Oct 2025 10:03:39 +0200 Subject: [PATCH 7/8] official CISCO-CONFIG-COPY-MIB trap rules --- enums/integer/cisco/CISCO-CONFIG-COPY-MIB.yml | 18 + traps/enterprises.yml | 4 +- .../CISCO-CONFIG-COPY-MIB-ccCopyMIBTraps.yml | 389 ++++++++++++++---- 3 files changed, 332 insertions(+), 79 deletions(-) create mode 100644 enums/integer/cisco/CISCO-CONFIG-COPY-MIB.yml diff --git a/enums/integer/cisco/CISCO-CONFIG-COPY-MIB.yml b/enums/integer/cisco/CISCO-CONFIG-COPY-MIB.yml new file mode 100644 index 00000000..aa0edfa7 --- /dev/null +++ b/enums/integer/cisco/CISCO-CONFIG-COPY-MIB.yml @@ -0,0 +1,18 @@ +# ccCopyState +.1.3.6.1.4.1.9.9.96.1.1.1.1.10: + 1: 'waiting' # waiting + 2: 'running' # running + 3: 'successful' # successful + 4: 'failed' # failed + +# ccCopyFailCause +.1.3.6.1.4.1.9.9.96.1.1.1.1.13: + 1: 'unknown' # unknown + 2: 'bad file name' # badFileName + 3: 'timeout' # timeout + 4: 'no memory' # noMem + 5: 'no configuration' # noConfig + 6: 'unsupported protocol' # unsupportedProtocol + 7: 'configuration apply failed' # someConfigApplyFailed + 8: 'system not ready' # systemNotReady + 9: 'request aborted' # requestAborted diff --git a/traps/enterprises.yml b/traps/enterprises.yml index 81b5ffca..f08aad0b 100644 --- a/traps/enterprises.yml +++ b/traps/enterprises.yml @@ -14,6 +14,9 @@ unsupported: unsupported.yml .1.3.6.1.2.1.43.18.2: IETF/Printer-MIB-printerV1Alert.yml .1.3.6.1.2.1.123: IETF/NAT-MIB-natMIB.yml +# Cisco +.1.3.6.1.4.1.9.9.96.2.1: cisco/CISCO-CONFIG-COPY-MIB-ccCopyMIBTraps.yml + # Brocade .1.3.6.1.4.1.1588.2.1.1.1: brocade/SW-MIB-sw.yml 
@@ -139,7 +142,6 @@ unsupported: unsupported.yml .1.3.6.1.4.1.9.9.87.2: cisco/CISCO-C2900-MIB-c2900MibNotificationsPrefix.yml .1.3.6.1.4.1.9.9.91.2: cisco/CISCO-ENTITY-SENSOR-MIB-entitySensorMIBNotifications.yml .1.3.6.1.4.1.9.9.95.2: cisco/CISCO-ALPS-MIB-ciscoAlpsMIBNotifications.yml -.1.3.6.1.4.1.9.9.96.2.1: cisco/CISCO-CONFIG-COPY-MIB-ccCopyMIBTraps.yml .1.3.6.1.4.1.9.9.99.2: cisco/CISCO-LOCAL-DIRECTOR-MIB-ciscoLocalDirectorMIBNotifications.yml .1.3.6.1.4.1.9.9.105.2: cisco/CISCO-C8500-REDUNDANCY-MIB-ccrMIBNotifications.yml .1.3.6.1.4.1.9.9.106.2: cisco/CISCO-HSRP-MIB-cHsrpMIBNotifications.yml diff --git a/traps/rules/cisco/CISCO-CONFIG-COPY-MIB-ccCopyMIBTraps.yml b/traps/rules/cisco/CISCO-CONFIG-COPY-MIB-ccCopyMIBTraps.yml index 5d905fd5..35048cc7 100644 --- a/traps/rules/cisco/CISCO-CONFIG-COPY-MIB-ccCopyMIBTraps.yml +++ b/traps/rules/cisco/CISCO-CONFIG-COPY-MIB-ccCopyMIBTraps.yml 
@@ -1,91 +1,324 @@ - mapping: |- #!blobl root = this - root.out.origin.agent.name = "CISCO-CONFIG-COPY-MIB" + root.out.origin.agent.name = "Cisco CISCO-CONFIG-COPY-MIB" - switch: - - check: this.trap.SpecificTrap == 1 - processors: - - label: cc_copy_completion_variables - mapping: |- - #!blobl - root = this - - root.out.cisco.ccCopyServerAddress = this.trap.VarBinds.index(0).Value - root.out.cisco.ccCopyFileName = this.trap.VarBinds.index(1).Value.snmp_display_string() - root.out.cisco.ccCopyState = this.trap.VarBinds.index(2).Value.enum_enrich(".1.3.6.1.4.1.9.9.96.1.1.1.1.10") - root.out.cisco.ccCopyTimeStarted = this.trap.VarBinds.index(3).Value - root.out.cisco.ccCopyTimeCompleted = this.trap.VarBinds.index(4).Value - root.out.cisco.ccCopyFailCause = this.trap.VarBinds.index(5).Value.enum_enrich(".1.3.6.1.4.1.9.9.96.1.1.1.1.13") - - label: cc_copy_completion_rules_1 - mapping: |- - #!blobl - root = this - - root.out.event.class.name = "SNMPTRAP-cisco-CISCO-CONFIG-COPY-MIB-ccCopyCompletion" - root.out.event.id = "SNMPTRAP-cisco-CISCO-CONFIG-COPY-MIB-ccCopyCompletion" - root.out.event.category.name = "Configuration Copy Status" - root.out.object.name = "ccCopyEntry.1" - - label: cc_copy_completion_rules_2 - switch: - - check: this.trap.VarBinds.index(2).Value == 1 - processors: - - label: cc_copy_completion_rules_2_1 - mapping: |- - #!blobl - root = this + - check: this.trap.SpecificTrap == 1 + # ccCopyCompletion + # + # A ccCopyCompletion trap is sent at the completion of a config-copy request. The ccCopyFailCause is not + # instantiated, and hence not included in a trap, when the ccCopyState is success. + # + # ccCopyServerAddress (IpAddress) - The IP address of the TFTP server from (or to) which to copy the configuration + # file. This object must be created when either the ccCopySourceFileType or ccCopyDestFileType has the value + # 'networkFile'. Values of 0.0.0.0 or FF.FF.FF.FF for ccCopyServerAddress are not allowed. 
+ # ccCopyFileName (DisplayString) - The file name (including the path, if applicable) of the file. This object must + # be created when either the ccCopySourceFileType or ccCopyDestFileType has the value 'networkFile' or 'iosFile'. + # ccCopyState (INTEGER) - Specifies the state of this config-copy request. + # ccCopyTimeStarted (TimeTicks) - Specifies the time the ccCopyState last transitioned to 'running', or 0 if the + # state has never transitioned to 'running'(e.g., stuck in 'waiting' state). + # ccCopyTimeCompleted (TimeTicks) - Specifies the time the ccCopyState last transitioned from 'running' to + # 'successful' or 'failed' states. This object is instantiated only after the row has been instantiated. Its value + # will remain 0 until the request has completed. + # ccCopyFailCause (INTEGER) - The reason why the config-copy operation failed. This object is instantiated only when + # the ccCopyState for this entry is in the 'failed' state. + processors: + - mapping: |- + #!blobl + root = this - root.out.event.message = "Configuration Copy Waiting" - root.out.event.severity.code = 4 - root.out.event.severity.level = "Warning" - - check: this.trap.VarBinds.index(2).Value == 2 - processors: - - label: cc_copy_completion_rules_2_2 - mapping: |- - #!blobl - root = this + meta varbinds_ok = false + if this.trap.VarBinds.length() > 5 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.9.9.96.1.1.1.1.5") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.9.9.96.1.1.1.1.6") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.9.9.96.1.1.1.1.10") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.9.9.96.1.1.1.1.11") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.9.9.96.1.1.1.1.12") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.9.9.96.1.1.1.1.13") { + meta varbinds_ok = true + }}}}}}} - root.out.event.message = "Configuration Copy Running" - root.out.event.severity.code = 4 - 
root.out.event.severity.level = "Warning" - - check: this.trap.VarBinds.index(2).Value == 3 - processors: - - label: cc_copy_completion_rules_2_3 - mapping: |- - #!blobl - root = this + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this - root.out.event.message = "Configuration Copy Successful" - root.out.event.severity.code = 5 - root.out.event.severity.level = "Notice" - - check: this.trap.VarBinds.index(2).Value == 4 - processors: - - label: cc_copy_completion_rules_2_4 - mapping: |- - #!blobl - root = this + meta ccCopyState = this.trap.VarBinds.index(2).Value + + root.out.cisco.ccCopyServerAddress = this.trap.VarBinds.index(0).Value + root.out.cisco.ccCopyFileName = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.cisco.ccCopyState = this.trap.VarBinds.index(2).Value.snmp_int_enum_enrich(".1.3.6.1.4.1.9.9.96.1.1.1.1.10") + root.out.cisco.ccCopyTimeStarted = this.trap.VarBinds.index(3).Value + root.out.cisco.ccCopyTimeCompleted = this.trap.VarBinds.index(4).Value + root.out.cisco.ccCopyFailCause = this.trap.VarBinds.index(5).Value.snmp_int_enum_enrich(".1.3.6.1.4.1.9.9.96.1.1.1.1.13") + + root.out.object.name = "CISCO-CONFIG-COPY-MIB::ccCopyEntry" + root.out.object.index = this.trap.VarBinds.index(0).OID.snmp_oid_get_index(".1.3.6.1.4.1.9.9.96.1.1.1.1.5") + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.out.object.label = "server: " + root.out.cisco.ccCopyServerAddress + ", file: " + root.out.cisco.ccCopyFileName + + root.out.event.class.name = "SNMPTRAP-CISCO-CONFIG-COPY-MIB-ccCopyMIBTraps-ccCopyCompletion" + root.out.event.id = "SNMPTRAP-CISCO-CONFIG-COPY-MIB-ccCopyMIBTraps-ccCopyCompletion" + root.out.event.category.name = "configuration copy state" + + - switch: + - check: metadata("ccCopyState") == 1 + processors: + - mapping: |- + #!blobl + root = this - root.out.event.message = "Configuration Copy Failed, " + this.trap.VarBinds.index(5).Value.enum_enrich(".1.3.6.1.4.1.9.9.96.1.1.1.1.13").string() - root.out.event.severity.code = 3 - root.out.event.severity.level = "Error" - - processors: - - label: cc_copy_completion_rules_2_default - mapping: |- + root.out.event.id = root.out.event.id + "-waiting" + root.out.event.message = "configuration copy to/from " + root.out.cisco.ccCopyServerAddress + " waiting" + root.out.event.severity.code = 5 + root.out.event.severity.level = "Notice" + + - check: metadata("ccCopyState") == 2 + processors: + - mapping: |- + #!blobl + root = this + + root.out.event.id = root.out.event.id + "-running" + root.out.event.message = "configuration copy to/from " + root.out.cisco.ccCopyServerAddress + " running" + root.out.event.severity.code = 5 + root.out.event.severity.level = "Notice" + + - check: metadata("ccCopyState") == 3 + processors: + - mapping: |- + #!blobl + root = this + + root.out.event.id = root.out.event.id + "-successful" + root.out.event.message = "configuration copy to/from " + root.out.cisco.ccCopyServerAddress + " successful" + root.out.event.severity.code = 6 + root.out.event.severity.level = "Informational" + + - check: metadata("ccCopyState") == 4 + processors: + - mapping: |- + #!blobl + root = this + + root.out.event.id = root.out.event.id + "-failed" + root.out.event.message = "configuration copy to/from " + root.out.cisco.ccCopyServerAddress + " failed, " + 
root.out.cisco.ccCopyFailCause + root.out.event.severity.code = 3 + root.out.event.severity.level = "Error" + + - processors: + - mapping: |- #!blobl root = this - root.out.event.message = "Configuration Copy Status Unknown" + root.out.event.id = root.out.event.id + "-unknown" + root.out.event.message = "configuration copy state to/from " + root.out.cisco.ccCopyServerAddress + " unknown" root.out.event.severity.code = 4 root.out.event.severity.level = "Warning" - - label: cc_copy_completion_rules_3 - mapping: |- - #!blobl - root = this - - root.out.event.message = root.out.event.message + " ( TFTP Server: " + this.trap.VarBinds.index(0).Value.string() + ", File: " + this.trap.VarBinds.index(1).Value.snmp_display_string().string() + " )" - - processors: - - label: default - mapping: | - #!blobl - root = this - - root.out.event.category.name = "Unknown Trap" + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = 
this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = 
this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + }}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-CISCO-CONFIG-COPY-MIB-ccCopyMIBTraps-ccCopyCompletion" + root.out.event.id = "SNMPTRAP-CISCO-CONFIG-COPY-MIB-ccCopyMIBTraps-ccCopyCompletion-unknown" + root.out.event.category.name = "configuration copy state" + root.out.event.message = "configuration copy request completed - UNEXPECTED VARBINDS for ccCopyCompletion trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - processors: + - label: default + mapping: | + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = 
this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = 
this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = 
this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + }}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-CISCO-CONFIG-COPY-MIB-ccCopyMIBTraps-unknown" + root.out.event.id = "SNMPTRAP-CISCO-CONFIG-COPY-MIB-ccCopyMIBTraps-" + this.trap.SpecificTrap.string() + root.out.event.category.name = "unknown specific trap" + root.out.event.message = "unknown specific trap " + this.trap.SpecificTrap.string() + " from Cisco CISCO-CONFIG-COPY-MIB-ccCopyMIBTraps" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" From af0ccf41b088d89f332758c902d3d8615f1b6d2e Mon Sep 17 00:00:00 2001 From: Rob Cowart Date: Thu, 23 Oct 2025 11:04:04 +0200 Subject: [PATCH 8/8] official CISCO-CONFIG-MAN-MIB trap rules --- enums/integer/cisco/CISCO-CONFIG-MAN-MIB.yml | 52 +- traps/enterprises.yml | 2 +- ...IB-ciscoConfigManMIBNotificationPrefix.yml | 445 ++++++++++++++++++ ...MAN-MIB-ciscoConfigManMIBNotifications.yml | 71 --- 4 files changed, 472 insertions(+), 98 deletions(-) create mode 100644 traps/rules/cisco/CISCO-CONFIG-MAN-MIB-ciscoConfigManMIBNotificationPrefix.yml delete mode 100644 traps/rules/cisco/CISCO-CONFIG-MAN-MIB-ciscoConfigManMIBNotifications.yml diff --git a/enums/integer/cisco/CISCO-CONFIG-MAN-MIB.yml b/enums/integer/cisco/CISCO-CONFIG-MAN-MIB.yml index d17bc400..bd272b9d 100644 --- a/enums/integer/cisco/CISCO-CONFIG-MAN-MIB.yml +++ b/enums/integer/cisco/CISCO-CONFIG-MAN-MIB.yml 
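Review bot: The `varbinds_ok` check for ccCopyCompletion requires six varbinds, with ccCopyFailCause at index 5 (`length() > 5` plus the `.1.3.6.1.4.1.9.9.96.1.1.1.1.13` prefix test), yet the comment added just above it states that ccCopyFailCause is not included in the trap when the copy succeeds. A conforming success trap would therefore fall into the "UNEXPECTED VARBINDS" branch as a Warning, with `ccCopyServerAddress` and `ccCopyFileName` never parsed, and the `metadata("ccCopyState") == 3` case looks unreachable for such agents. Configuration copies to a remote server are events an operator wants recorded with server and file name, so the gate should require only the first five varbinds and set `ccCopyFailCause` only when a sixth varbind with the matching OID is present. The state-4 message concatenates `root.out.cisco.ccCopyFailCause`, so that branch should tolerate the field being absent as well.

```yaml
meta varbinds_ok = false
if this.trap.VarBinds.length() > 4 {
  # … unchanged: has_prefix checks on varbinds 0-4 (ccCopyEntry columns .5, .6, .10, .11, .12) …
            meta varbinds_ok = true
}}}}}}

# … unchanged: ccCopyServerAddress through ccCopyTimeCompleted assignments …
if this.trap.VarBinds.length() > 5 {
  if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.9.9.96.1.1.1.1.13") {
    root.out.cisco.ccCopyFailCause = this.trap.VarBinds.index(5).Value.snmp_int_enum_enrich(".1.3.6.1.4.1.9.9.96.1.1.1.1.13")
}}
```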
@@ -1,33 +1,33 @@ .1.3.6.1.4.1.9.9.43.1.1.6.1.3: - 1: commandLine - 2: SNMP + 1: 'CLI' # commandLine + 2: 'SNMP' # SNMP .1.3.6.1.4.1.9.9.43.1.1.6.1.4: - 1: erase - 2: commandSource - 3: running - 4: startup - 5: local - 6: networkTftp - 7: networkRcp - 8: networkFtp - 9: networkScp + 1: 'erase' # erase + 2: 'command source' # commandSource + 3: 'running' # running + 4: 'startup' # startup + 5: 'local' # local + 6: 'network TFTP' # networkTftp + 7: 'network RCP' # networkRcp + 8: 'network FTP' # networkFtp + 9: 'network SCP' # networkScp .1.3.6.1.4.1.9.9.43.1.1.6.1.5: - 1: erase - 2: commandSource - 3: running - 4: startup - 5: local - 6: networkTftp - 7: networkRcp - 8: networkFtp - 9: networkScp + 1: 'erase' # erase + 2: 'command source' # commandSource + 3: 'running' # running + 4: 'startup' # startup + 5: 'local' # local + 6: 'network TFTP' # networkTftp + 7: 'network RCP' # networkRcp + 8: 'network FTP' # networkFtp + 9: 'network SCP' # networkScp .1.3.6.1.4.1.9.9.43.1.1.6.1.6: - 1: notApplicable - 2: unknown - 3: console - 4: terminal - 5: virtual - 6: auxiliary + 1: 'not-applicable' # notApplicable + 2: 'unknown' # unknown + 3: 'console' # console + 4: 'terminal' # terminal + 5: 'virtual' # virtual + 6: 'auxiliary' # auxiliary diff --git a/traps/enterprises.yml b/traps/enterprises.yml index f08aad0b..e21a70e6 100644 --- a/traps/enterprises.yml +++ b/traps/enterprises.yml @@ -15,6 +15,7 @@ unsupported: unsupported.yml .1.3.6.1.2.1.123: IETF/NAT-MIB-natMIB.yml # Cisco +.1.3.6.1.4.1.9.9.43.2: cisco/CISCO-CONFIG-MAN-MIB-ciscoConfigManMIBNotificationPrefix.yml .1.3.6.1.4.1.9.9.96.2.1: cisco/CISCO-CONFIG-COPY-MIB-ccCopyMIBTraps.yml # Brocade 
@@ -128,7 +129,6 @@ unsupported: unsupported.yml .1.3.6.1.4.1.9.9.35.2: cisco/CISCO-BSTUN-MIB-bstunNotifications.yml .1.3.6.1.4.1.9.9.41.2: cisco/CISCO-SYSLOG-MIB-ciscoSyslogMIBNotifications.yml .1.3.6.1.4.1.9.9.42.2: cisco/CISCO-RTTMON-MIB-rttMonNotifications.yml -.1.3.6.1.4.1.9.9.43.2: cisco/CISCO-CONFIG-MAN-MIB-ciscoConfigManMIBNotifications.yml .1.3.6.1.4.1.9.9.44.3: cisco/CISCO-ICSUDSU-MIB-ciscoICsuDsuMIBNotifications.yml .1.3.6.1.4.1.9.9.46.2: cisco/CISCO-VTP-MIB-vtpNotificationsPrefix.yml .1.3.6.1.4.1.9.9.52.2: cisco/CISCO-IP-ENCRYPTION-MIB-cieMIBTraps.yml diff --git a/traps/rules/cisco/CISCO-CONFIG-MAN-MIB-ciscoConfigManMIBNotificationPrefix.yml b/traps/rules/cisco/CISCO-CONFIG-MAN-MIB-ciscoConfigManMIBNotificationPrefix.yml new file mode 100644 index 00000000..db06eb67 --- /dev/null +++ b/traps/rules/cisco/CISCO-CONFIG-MAN-MIB-ciscoConfigManMIBNotificationPrefix.yml 
@@ -0,0 +1,445 @@ +- mapping: |- + #!blobl + root = this + root.out.origin.agent.name = "Cisco CISCO-CONFIG-MAN-MIB" +- switch: + - check: this.trap.SpecificTrap == 1 + # ciscoConfigManEvent + # + # Notification of a configuration management event as recorded in ccmHistoryEventTable. + # + # ccmHistoryEventCommandSource (INTEGER) - The source of the command that instigated the event. + # ccmHistoryEventConfigSource (INTEGER) - The configuration data source for the event. + # ccmHistoryEventConfigDestination (INTEGER) - The configuration data destination for the event. + # ccmHistoryEventTerminalUser (DisplayString) - If ccmHistoryEventCommandSource is 'commandLine', the name of the logged in user. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds = false + if this.trap.VarBinds.length() > 2 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.9.9.43.1.1.6.1.3") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.9.9.43.1.1.6.1.4") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.9.9.43.1.1.6.1.5") { + meta varbinds_ok = true + }}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.cisco.ccmHistoryEventCommandSource = this.trap.VarBinds.index(0).Value.snmp_int_enum_enrich(".1.3.6.1.4.1.9.9.43.1.1.6.1.3") + root.out.cisco.ccmHistoryEventConfigSource = this.trap.VarBinds.index(1).Value.snmp_int_enum_enrich(".1.3.6.1.4.1.9.9.43.1.1.6.1.4") + root.out.cisco.ccmHistoryEventConfigDestination = this.trap.VarBinds.index(2).Value.snmp_int_enum_enrich(".1.3.6.1.4.1.9.9.43.1.1.6.1.5") + + if this.trap.VarBinds.length() > 3 { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.9.9.43.1.1.6.1.8") { + root.out.cisco.ccmHistoryEventTerminalUser = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + }} + + root.out.object.name = "CISCO-CONFIG-MAN-MIB::ccmHistoryEventEntry" + root.out.object.index = 
this.trap.VarBinds.index(0).OID.snmp_oid_get_index(".1.3.6.1.4.1.9.9.43.1.1.6.1.3") + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.out.object.label = "source: " + root.out.cisco.ccmHistoryEventConfigSource + ", destination: " + root.out.cisco.ccmHistoryEventConfigDestination + if root.out.cisco.ccmHistoryEventCommandSource == "CLI" && root.out.exists("cisco.ccmHistoryEventTerminalUser") { + root.out.object.label = root.out.object.label + ", user: " + root.out.cisco.ccmHistoryEventTerminalUser + } + + root.out.event.class.name = "SNMPTRAP-CISCO-CONFIG-MAN-MIB-ciscoConfigManMIBNotificationPrefix-ciscoConfigManEvent" + root.out.event.id = "SNMPTRAP-CISCO-CONFIG-MAN-MIB-ciscoConfigManMIBNotificationPrefix-ciscoConfigManEvent" + root.out.event.category.name = "configuration management event " + root.out.event.message = "configuration management via " + root.out.cisco.ccmHistoryEventCommandSource + root.out.event.severity.code = 5 + root.out.event.severity.level = "Notice" + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = 
this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = 
this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + }}}}}}} + + root.out.event.class.name = "SNMPTRAP-CISCO-CONFIG-MAN-MIB-ciscoConfigManMIBNotificationPrefix-ciscoConfigManEvent" + root.out.event.id = "SNMPTRAP-CISCO-CONFIG-MAN-MIB-ciscoConfigManMIBNotificationPrefix-ciscoConfigManEvent-unknown" + root.out.event.category.name = "configuration management event" + root.out.event.message = "configuration management event - UNEXPECTED VARBINDS for ciscoConfigManEvent trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2 + # ccmCLIRunningConfigChanged + # + # This notification indicates that the running configuration of the managed system has changed from the CLI. If the + # managed system supports a separate configuration mode(where the configuration commands are entered under a + # configuration session which affects the running configuration of the system), then this notification is sent when + # the configuration mode is exited. During this configuration session there can be one or more running configuration + # changes. 
+ # + # ccmHistoryRunningLastChanged (TimeTicks) - The value of sysUpTime when the running configuration was last changed. + # ccmHistoryEventTerminalType (INTEGER) - If ccmHistoryEventCommandSource is 'commandLine', the terminal type, otherwise 'notApplicable'. + # ccmHistoryEventTerminalUser (DisplayString) - If ccmHistoryEventCommandSource is 'commandLine', the name of the logged in user. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 1 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.9.9.43.1.1.1") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.9.9.43.1.1.6.1.6") { + meta varbinds_ok = true + }}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.cisco.ccmHistoryRunningLastChanged = this.trap.VarBinds.index(0).Value + root.out.cisco.ccmHistoryEventTerminalType = this.trap.VarBinds.index(1).Value.snmp_int_enum_enrich(".1.3.6.1.4.1.9.9.43.1.1.6.1.6") + + root.out.object.name = "CISCO-CONFIG-MAN-MIB::ccmHistoryEventEntry" + root.out.object.index = this.trap.VarBinds.index(1).OID.snmp_oid_get_index(".1.3.6.1.4.1.9.9.43.1.1.6.1.6") + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + + if this.trap.VarBinds.length() > 2 { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.9.9.43.1.1.6.1.8") { + root.out.cisco.ccmHistoryEventTerminalUser = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.object.label = "user: " + root.out.cisco.ccmHistoryEventTerminalUser + }} + + root.out.event.class.name = "SNMPTRAP-CISCO-CONFIG-MAN-MIB-ciscoConfigManMIBNotificationPrefix-ccmCLIRunningConfigChanged" + root.out.event.id = "SNMPTRAP-CISCO-CONFIG-MAN-MIB-ciscoConfigManMIBNotificationPrefix-ccmCLIRunningConfigChanged" + root.out.event.category.name = "configuration change" + root.out.event.message = "configuration changed via " + root.out.cisco.ccmHistoryEventTerminalType + " CLI" + root.out.event.severity.code = 5 + root.out.event.severity.level = "Notice" + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + 
root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = 
this.trap.VarBinds.index(5).Value.string() + } + }}}}}} + + root.out.event.class.name = "SNMPTRAP-CISCO-CONFIG-MAN-MIB-ciscoConfigManMIBNotificationPrefix-ccmCLIRunningConfigChanged" + root.out.event.id = "SNMPTRAP-CISCO-CONFIG-MAN-MIB-ciscoConfigManMIBNotificationPrefix-ccmCLIRunningConfigChanged-unknown" + root.out.event.category.name = "configuration change" + root.out.event.message = "configuration changed via CLI - UNEXPECTED VARBINDS for ccmCLIRunningConfigChanged trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3 + # ccmCTIDRolledOver + # + # This notification indicates that the Config Change Tracking ID has rolled over and will be reset. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() == 0 { + meta varbinds_ok = true + } + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.object.name = "CISCO-CONFIG-MAN-MIB::ccmCTIDObjects" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + + root.out.event.class.name = "SNMPTRAP-CISCO-CONFIG-MAN-MIB-ciscoConfigManMIBNotificationPrefix-ccmCTIDRolledOver" + root.out.event.id = "SNMPTRAP-CISCO-CONFIG-MAN-MIB-ciscoConfigManMIBNotificationPrefix-ccmCTIDRolledOver" + root.out.event.category.name = "configuration change tracking state" + root.out.event.message = "configuration change tracking ID rolled over" + root.out.event.severity.code = 5 + root.out.event.severity.level = "Notice" + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = 
this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + }}}} + + root.out.event.class.name = "SNMPTRAP-CISCO-CONFIG-MAN-MIB-ciscoConfigManMIBNotificationPrefix-ccmCTIDRolledOver" + root.out.event.id = "SNMPTRAP-CISCO-CONFIG-MAN-MIB-ciscoConfigManMIBNotificationPrefix-ccmCTIDRolledOver-unknown" + root.out.event.category.name = "configuration change tracking state" + root.out.event.message = "configuration change tracking ID rolled over - UNEXPECTED VARBINDS for ccmCTIDRolledOver trap!" + root.out.event.severity.code = 5 + root.out.event.severity.level = "Notice" + + - processors: + - label: default + mapping: | + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = 
this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = 
this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = 
this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + }}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-CISCO-CONFIG-MAN-MIB-ciscoConfigManMIBNotificationPrefix-unknown" + root.out.event.id = "SNMPTRAP-CISCO-CONFIG-MAN-MIB-ciscoConfigManMIBNotificationPrefix-" + this.trap.SpecificTrap.string() + root.out.event.category.name = "unknown specific trap" + root.out.event.message = "unknown specific trap " + this.trap.SpecificTrap.string() + " from Cisco CISCO-CONFIG-MAN-MIB-ciscoConfigManMIBNotificationPrefix" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" diff --git a/traps/rules/cisco/CISCO-CONFIG-MAN-MIB-ciscoConfigManMIBNotifications.yml b/traps/rules/cisco/CISCO-CONFIG-MAN-MIB-ciscoConfigManMIBNotifications.yml deleted file mode 100644 index 04338204..00000000 --- a/traps/rules/cisco/CISCO-CONFIG-MAN-MIB-ciscoConfigManMIBNotifications.yml +++ /dev/null 
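Review bot: In the `SpecificTrap == 1` (ciscoConfigManEvent) validation mapping the flag is initialised as `meta varbinds = false`, but the success branch sets `varbinds_ok` and the following switch reads `metadata("varbinds_ok")`. The `SpecificTrap == 2` and `== 3` cases initialise `meta varbinds_ok = false`, so this looks like a typo. When the varbind list is short or the OIDs do not match, this mapping never assigns `varbinds_ok`. The check then sees a missing value, or one left by an earlier processor, rather than `false`, and whether the trap reaches the "UNEXPECTED VARBINDS" Warning fallback depends on how the switch handles a non-boolean check. Since these are configuration-change audit events, a malformed trap should reach that fallback deterministically; change the line to `meta varbinds_ok = false`.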
@@ -1,71 +0,0 @@ -- mapping: |- - #!blobl - root = this - root.out.origin.agent.name = "CISCO-CONFIG-MAN-MIB" -- switch: - - check: this.trap.SpecificTrap == 1 - processors: - - label: cisco_config_man_event_variables - mapping: |- - #!blobl - root = this - - root.out.cisco.ccmHistoryEventCommandSource = this.trap.VarBinds.index(0).Value.enum_enrich(".1.3.6.1.4.1.9.9.43.1.1.6.1.3") - root.out.cisco.ccmHistoryEventConfigSource = this.trap.VarBinds.index(1).Value.enum_enrich(".1.3.6.1.4.1.9.9.43.1.1.6.1.4") - root.out.cisco.ccmHistoryEventConfigDestination = this.trap.VarBinds.index(2).Value.enum_enrich(".1.3.6.1.4.1.9.9.43.1.1.6.1.5") - root.out.cisco.ccmHistoryEventTerminalUser = if this.trap.VarBinds.length() >= 4 { this.trap.VarBinds.index(3).Value.snmp_display_string() } - - label: cisco_config_man_event_rules_1 - mapping: |- - #!blobl - root = this - - root.out.event.class.name = "SNMPTRAP-cisco-CISCO-CONFIG-MAN-MIB-ciscoConfigManEvent" - root.out.event.id = "SNMPTRAP-cisco-CISCO-CONFIG-MAN-MIB-ciscoConfigManEvent" - root.out.event.category.name = "Configuration Change" - root.out.object.name = "ccmHistoryEventEntry.2" - root.out.event.message = "Configuration Changed via " + this.trap.VarBinds.index(0).Value.enum_enrich(".1.3.6.1.4.1.9.9.43.1.1.6.1.3").string() + " ( Source: " + this.trap.VarBinds.index(1).Value.enum_enrich(".1.3.6.1.4.1.9.9.43.1.1.6.1.4").string() + ", Destination: " + this.trap.VarBinds.index(2).Value.enum_enrich(".1.3.6.1.4.1.9.9.43.1.1.6.1.5").string() + " )" - root.out.event.severity.code = 4 - root.out.event.severity.level = "Warning" - - check: this.trap.SpecificTrap == 2 - processors: - - label: ccm_clirunning_config_changed_variables - mapping: |- - #!blobl - root = this - - root.out.cisco.ccmHistoryRunningLastChanged = this.trap.VarBinds.index(0).Value - root.out.cisco.ccmHistoryEventTerminalType = this.trap.VarBinds.index(1).Value.enum_enrich(".1.3.6.1.4.1.9.9.43.1.1.6.1.6") - root.out.cisco.ccmHistoryEventTerminalUser = 
this.trap.VarBinds.index(2).Value.snmp_display_string() - - label: ccm_clirunning_config_changed_template - mapping: | - #!blobl - root = this - root.out.event.category.name = "" - root.out.event.id = "" - root.out.event.message = "" - root.out.object.name = "" - root.out.event.class.name = "" - - root.out.event.severity.code = 7 - root.out.event.severity.level = "Debug" - - check: this.trap.SpecificTrap == 3 - processors: - - label: ccm_ctidrolled_over_template - mapping: | - #!blobl - root = this - root.out.event.category.name = "" - root.out.event.id = "" - root.out.event.message = "" - root.out.object.name = "" - root.out.event.class.name = "" - - root.out.event.severity.code = 7 - root.out.event.severity.level = "Debug" - - processors: - - label: default - mapping: | - #!blobl - root = this - - root.out.event.category.name = "Unknown Trap"