Diffstat (limited to 'MIBS/junos/JUNIPER-JS-SCREENING-MIB')
| -rw-r--r-- | MIBS/junos/JUNIPER-JS-SCREENING-MIB | 1556 |
1 files changed, 1556 insertions, 0 deletions
diff --git a/MIBS/junos/JUNIPER-JS-SCREENING-MIB b/MIBS/junos/JUNIPER-JS-SCREENING-MIB
new file mode 100644
index 0000000..4905c30
--- /dev/null
+++ b/MIBS/junos/JUNIPER-JS-SCREENING-MIB
@@ -0,0 +1,1556 @@
+-- *******************************************************************
+-- Juniper enterprise security screening objects MIB.
+--
+-- Copyright (c) 2001-2009, Juniper Networks, Inc.
+-- All rights reserved.
+--
+-- The contents of this document are subject to change without notice.
+-- *******************************************************************
+
+
+JUNIPER-JS-SCREENING-MIB DEFINITIONS ::= BEGIN
+
+IMPORTS
+ Integer32, Counter64,
+ NOTIFICATION-TYPE,
+ MODULE-IDENTITY, OBJECT-TYPE FROM SNMPv2-SMI
+ DisplayString FROM SNMPv2-TC
+ ifName FROM IF-MIB
+ jnxJsScreening FROM JUNIPER-JS-SMI;
+
+
+ jnxJsScreenMIB MODULE-IDENTITY
+ LAST-UPDATED "201404020000Z" -- Apr 02, 2014
+ ORGANIZATION "Juniper Networks, Inc."
+ CONTACT-INFO
+ "Juniper Technical Assistance Center
+ Juniper Networks, Inc.
+ 1133 Innovation Way
+ Sunnyvale, CA 94089
+
+ E-mail: support@juniper.net
+ HTTP://www.juniper.net"
+ DESCRIPTION
+ "This module defines the MIB for Juniper Enterprise Firewall
+ screen functionality. Juniper documentation is recommended
+ as the reference.
+
+ Juniper Security Firewall provides various detection methods
+ and defense mechanisms to combat exploits at all stages of
+ the path of execution. These includes:
+ Setting screen options
+ Firwall DOS attacks
+ Network DOS attack
+ OS specific DOS attack
+ Fragment reassembly
+ "
+ REVISION "201404020000Z" -- Apr 02, 2014
+ DESCRIPTION "Added IPv6 Tunneling Screen statistics MIBs
+ Add new trap var bindings for IPv6 Tunneling Screen"
+ REVISION "201311070000Z" -- Nov 07, 2013
+ DESCRIPTION "Added Udp Port Scan screen statistics MIBs
+ Add new trap var bindings for Udp Port Scan"
+ REVISION "201306060000Z" -- Jun. 06, 2013
+ DESCRIPTION "Added IPv6 screen statistics MIBs
+ Add new traps"
+ REVISION "201204061030Z" -- Apr 06, 2012
+ DESCRIPTION "Added TCP/UDP sweeping MIBs
+ Put trap to under routing category"
+ REVISION "200902040000Z" -- Feb 04, 2009
+ DESCRIPTION "Added following new trap tresholds:
+ jnxJsScreenSynFloodSrcThresh
+ jnxJsScreenSynFloodDstThresh
+ jnxJsScreenSessLimitSrcThresh
+ jnxJsScreenSessLimitDstThresh
+ Added following new counters:
+ jnxJsScreenMonSynFloodSrc
+ jnxJsScreenMonSynFloodDst
+ Deprecated following objects:
+ jnxJsScreenSynAttackQueSize
+ jnxJsScreenSynAttackAgeTime"
+ REVISION "200709240000Z" -- Sep 24, 2007
+ DESCRIPTION "Creation Date"
+ ::= { jnxJsScreening 1 }
+
+
+ jnxJsScreenNotifications OBJECT IDENTIFIER ::= { jnxJsScreenMIB 0 }
+ jnxJsScreenObjects OBJECT IDENTIFIER ::= { jnxJsScreenMIB 1 }
+ jnxJsScreenTrapVars OBJECT IDENTIFIER ::= { jnxJsScreenMIB 2 }
+
+ -- ***************************************************************
+ -- Screening table
+ -- ***************************************************************
+
+ jnxJsScreenMonTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF JnxJsScreenMonEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Juniper security Firewall can allow DI protection on each of
+ the device's physical interface. This table collects the
+ screen attributes that monitor the various attacks.
+
+ The screen options can be enabled at security zone bounded to
+ a interface or interfaces. When these options apply to traffic
+ reaching the device through interfaces (via a zone), they offers
+ protection against malicious information gathering probe or
+ an attack to compromise, disable, or harm a network or network
+ resources."
+ ::= { jnxJsScreenObjects 1 }
+
+ jnxJsScreenMonEntry OBJECT-TYPE
+ SYNTAX JnxJsScreenMonEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The screen option monitoring statistics entry. Each
+ entry is uniquely identified by the zone name.
+
+ The data is collected on a per zone basis. There
+ can be multiple interfaces bound to a particular
+ zones. Hence, the statistics are aggregated across
+ the interfaces on a per zone basis.
+ "
+ INDEX { IMPLIED jnxJsScreenZoneName }
+ ::= { jnxJsScreenMonTable 1 }
+
+
+ JnxJsScreenMonEntry ::= SEQUENCE
+ {
+ jnxJsScreenZoneName DisplayString,
+ jnxJsScreenNumOfIf Integer32,
+ jnxJsScreenMonSynAttk Counter64,
+ jnxJsScreenMonTearDrop Counter64,
+ jnxJsScreenMonSrcRoute Counter64,
+ jnxJsScreenMonPingDeath Counter64,
+ jnxJsScreenMonAddrSpoof Counter64,
+ jnxJsScreenMonLand Counter64,
+ jnxJsScreenMonIcmpFlood Counter64,
+ jnxJsScreenMonUdpFlood Counter64,
+ jnxJsScreenMonWinnuke Counter64,
+ jnxJsScreenMonPortScan Counter64,
+ jnxJsScreenMonIpSweep Counter64,
+ jnxJsScreenMonSynFrag Counter64,
+ jnxJsScreenMonTcpNoFlag Counter64,
+ jnxJsScreenMonIpUnknownProt Counter64,
+ jnxJsScreenMonIpOptBad Counter64,
+ jnxJsScreenMonIpOptRecRt Counter64, -- record route option
+ jnxJsScreenMonIpOptTimestamp Counter64, -- timestamp option
+ jnxJsScreenMonIpOptSecurity Counter64,
+ jnxJsScreenMonIpOptLSR Counter64, -- Loose source route
+ jnxJsScreenMonIpOptSSR Counter64, -- Strict source route
+ jnxJsScreenMonIpOptStream Counter64, -- stream options
+ jnxJsScreenMonIcmpFrag Counter64,
+ jnxJsScreenMonIcmpLarge Counter64,
+ jnxJsScreenMonTcpSynFin Counter64,
+ jnxJsScreenMonTcpFinNoAck Counter64,
+ jnxJsScreenMonLimitSessSrc Counter64, -- session-limit source ip based
+ jnxJsScreenMonLimitSessDest Counter64, -- session-limit dest ip based
+ jnxJsScreenMonSynAckAck Counter64,
+ jnxJsScreenMonIpFrag Counter64,
+
+ -- Threshold data --
+ jnxJsScreenSynAttackThresh Integer32,
+ jnxJsScreenSynAttackTimeout Integer32,
+ jnxJsScreenSynAttackAlmTh Integer32,
+ jnxJsScreenSynAttackQueSize Integer32,
+ jnxJsScreenSynAttackAgeTime Integer32,
+ jnxJsScreenIcmpFloodThresh Integer32,
+ jnxJsScreenUdpFloodThresh Integer32,
+ jnxJsScreenPortScanThresh Integer32,
+ jnxJsScreenIpSweepThresh Integer32,
+ jnxJsScreenSynAckAckThres Integer32,
+
+ -- IPv6 specific data --
+ jnxJsScreenMonIpv6ExtHdr Counter64,
+ jnxJsScreenMonIpv6HopOpt Counter64,
+ jnxJsScreenMonIpv6DstOpt Counter64,
+ jnxJsScreenMonIpv6ExtLimit Counter64,
+ jnxJsScreenMonIpMalIpv6 Counter64,
+ jnxJsScreenMonIcmpMalIcmpv6 Counter64,
+ jnxJsScreenIpv6ExtNumLim Integer32,
+
+ -- Other Screen data --
+ jnxJsScreenUdpPortScanThresh Integer32,
+ jnxJsScreenMonUdpPortScan Counter64,
+ jnxJsScreenMonIpTunnelGre6in4 Counter64,
+ jnxJsScreenMonIpTunnelGre4in6 Counter64,
+ jnxJsScreenMonIpTunnelGre6in6 Counter64,
+ jnxJsScreenMonIpTunnelGre4in4 Counter64,
+ jnxJsScreenMonIpTunnelIpInUdpTeredo Counter64,
+ jnxJsScreenMonIpTunnelBadInnerHeader Counter64,
+ jnxJsScreenMonIpTunnelIpIp6to4relay Counter64,
+ jnxJsScreenMonIpTunnelIpIp6in4 Counter64,
+ jnxJsScreenMonIpTunnelIpIp6over4 Counter64,
+ jnxJsScreenMonIpTunnelIpIp4in6 Counter64,
+ jnxJsScreenMonIpTunnelIpIp4in4 Counter64,
+ jnxJsScreenMonIpTunnelIpIp6in6 Counter64,
+ jnxJsScreenMonIpTunnelIpIpIsatap Counter64,
+ jnxJsScreenMonIpTunnelIpIpDsLite Counter64
+
+ }
+
+ jnxJsScreenZoneName OBJECT-TYPE
+ SYNTAX DisplayString (SIZE(1..255))
+ MAX-ACCESS accessible-for-notify
+ STATUS current
+ DESCRIPTION
+ "The name of the security zone under which the statistics
+ are collected. "
+ ::= { jnxJsScreenMonEntry 1 }
+
+ jnxJsScreenNumOfIf OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of interfaces bound to this zone. Each counter
+ contains the aggregated data of all the interfaces"
+ ::= { jnxJsScreenMonEntry 2 }
+
+ jnxJsScreenMonSynAttk OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The SYN (TCP connection request) attack is a common denial
+ of service (DoS) technique characterized by the following
+ pattern:
+ - Using a spoofed IP address not in use on the Internet,
+ an attacker sends multiple SYN packets to the target machine.
+
+ - For each SYN packet received, the target machine allocates
+ resources and sends an acknowledgement (SYN-ACK) to the source
+ IP address. This can cause the target machine to allocate
+ resources for more than 3 minutes to respond to just one i
+ SYN attack, hence wasting resources.
+
+ This attribute records the number of SYN attacks."
+ ::= { jnxJsScreenMonEntry 3 }
+
+ jnxJsScreenMonTearDrop OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Teardrop attacks exploit the reassembly of fragmented IP
+ packets. In the IP header, one of the fields is the fragment
+ offset field, which indicates one of the fields is the fragment
+ offset field. It indicates the starting position of the data
+ contained in a fragmented packet relative to the data of the
+ original unfragmented packet. When the sum of the offset and
+ size of one fragmented packet differ from that of the next
+ fragmented packet, the packets overlap. The server attempting
+ to reassemble the packet can crash, especially if it is running
+ an older operating system that has this vulnerability.
+
+ When this option is enabled, the security device detects this
+ discrepancy in a fragmented packet and drops it and this
+ attribute counts the number of packets dropped."
+ ::= { jnxJsScreenMonEntry 4 }
+
+ jnxJsScreenMonSrcRoute OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "IP source route options can be used to hide their true address
+ and access restricted areas of a network by specifying a
+ different path. The security device should be able to either
+ block any packets with loose or strict source route options
+ set or detect such packets and then record the event for the
+ ingress interface.
+
+ This attribute records either the loose source route option or
+ strict source route attack packets."
+ ::= { jnxJsScreenMonEntry 5 }
+
+ jnxJsScreenMonPingDeath OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The maximum allowable IP packet size is 65,535 bytes,
+ including the packet header (typically 20 bytes long).
+ An ICMP echo request is an IP packet with a pseudo header,
+ which is 8 bytes long. Therefore, the maximum allowable
+ size of the data area of an ICMP echo request is 65,507
+ bytes.
+
+ However, many ping implementations allow the user to specify
+ a packet size larger than 65,507 bytes. A grossly oversized
+ ICMP packet can trigger a range of adverse system reactions
+ such as denial of service (DoS), crashing, freezing, and
+ rebooting.
+
+ When the Ping Death option is enabled, the device detects and
+ rejects such oversized and irregular packet sizes even when
+ the attacker hides the total packet size by purposefully
+ fragmenting it.
+
+ This attributes counts the ping of death attack packets."
+ ::= { jnxJsScreenMonEntry 6 }
+
+ jnxJsScreenMonAddrSpoof OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "One method to gain access to a restricted network is to insert
+ a bogus source address in the packet header to make the packet
+ appear to come from a trusted source. This technique is called
+ IP spoofing. The mechanism to detect IP spoofing relies on
+ route table entries.
+
+ For example, if a packet with source IP address 10.1.1.6 arrives
+ at port eth3, but the device has a route to 10.1.1.0/24 through
+ port eth1. IP spoofing checking notes that this address arrived
+ at an invalid interface as defined in the route table. A valid
+ packet from 10.1.1.6 can only arrive via eth1, not eth3. The
+ device concludes that the packet has a spoofed source IP address
+ and discards it.
+
+ This attribute records the address spoofing attack packets."
+ ::= { jnxJsScreenMonEntry 7 }
+
+ jnxJsScreenMonLand OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A combined SYN attack with IP spoof is referred to as
+ Land attack. A Land attack occurs when an attacker sends
+ spoofed SYN packets containing the IP address of the victim as
+ both the destination and source IP address. The receiving
+ system responds by sending the SYN-ACK packet to itself,
+ creating an empty connection that lasts until the idle timeout
+ value is reached. Flooding a system with such empty connections
+ can overwhelm the system, causing a DoS.
+
+ This attribute records the land attack packets."
+ ::= { jnxJsScreenMonEntry 8 }
+
+ jnxJsScreenMonIcmpFlood OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "An ICMP flood typically occurs when ICMP echo requests overload
+ its victim with so many requests that it expends all its
+ resources responding until it can no longer process valid network
+ traffic. With the ICMP flood protection feature enabled, and a
+ threshold set. If the threshold exceeded, the system invokes the
+ flood attack protection feature.
+
+ The default threshold value is 1000 packets per second. If the
+ threshold is exceeded, the security device ignores further
+ ICMP echo requests for the remainder of that second plus the
+ next second as well.
+
+ This attribute records the ICMP flood attack packets."
+ ::= { jnxJsScreenMonEntry 9 }
+
+ jnxJsScreenMonUdpFlood OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "UDP flooding occurs when an attacker sends IP packets containing
+ UDP datagrams with the purpose of slowing down the victim to the
+ point that it can no longer handle valid connections. With the
+ UDP flood protection feature enabled, a threshold can be set which
+ once exceeded, the system invokes the UDP flood attack protection
+ feature.
+
+ The default threshold value is 1000 packets per second.
+ If the number of UDP datagrams from one or more sources to a
+ single destination exceeds this threshold, security device
+ ignores further UDP datagrams to that destination for the
+ remainder of that second plus the next second as well.
+
+ This attribute records the UDP flood attack packets."
+ ::= { jnxJsScreenMonEntry 10 }
+
+ jnxJsScreenMonWinnuke OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "WinNuke is a DoS attack targeting any computer on the internet
+ running Windows. The attacker sends a TCP segment, usually to
+ NetBIOS port 139 with the urgent (URG) flag set, to a host with
+ an established connection. This introduces a NetBIOS fragment
+ overlap, which causes many machines running Windows to crash.
+
+ This attributes counts the netbios attack."
+ ::= { jnxJsScreenMonEntry 11 }
+
+ jnxJsScreenMonPortScan OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A port scan occurs when one source IP address sends IP packets
+ containing TCP SYN segments to a defined number of different
+ ports at the same destination IP address within a defined interval.
+ The purpose of this attack is to scan the available services in
+ the hope that at least one port will respond, thus identifying
+ a service of the target. The device should internally log the
+ number of different ports scanned from one remote source.
+
+ This attribute records the port scan attempt attack packets."
+ ::= { jnxJsScreenMonEntry 12 }
+
+ jnxJsScreenMonIpSweep OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "An address sweep occurs when one source IP address sends a
+ defined number of ICMP packets to different hosts within a
+ defined interval. The purpose of this attack is to send ICMP
+ packets, typically echo requests, to various hosts in the
+ hope that at least one replies, thus uncovering an address of
+ the target. The device internally log the number of ICMP packets
+ to different addresses from one remote source.
+
+ This attributes records the address sweep attemp attack packets."
+ ::= { jnxJsScreenMonEntry 13 }
+
+ jnxJsScreenMonSynFrag OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "IP encapsulates a TCP SYN segment in the IP packet that initiates
+ a TCP connection. The purpose is to initiate a connection and to
+ invoke a SYN/ACK segment response. The SYN segment typically does
+ not contain any data since the IP packet is small and there is
+ no legitimate reason for it to be fragmented. A fragmented SYN
+ packet is anomalous and is suspectful. To be cautious, it might
+ be helpful to block such these fragments from entering the
+ protected network.
+
+ When the syn fragmentation check is enable, the security device
+ detects and drops the packets when the IP header indicates that
+ the packet has been fragmented while the SYN flag is set in the
+ TCP header.
+
+ This attributes records the detection of the SYN fragments."
+ ::= { jnxJsScreenMonEntry 14 }
+
+ jnxJsScreenMonTcpNoFlag OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A normal TCP segment header has at least one flag control set.
+ A TCP segment with no control flags set is an anomalous event.
+ Operating systems respond to such anomalies in different ways.
+ The response, or even lack of response, from the targeted device
+ can provide a clue as to the target's OS type.
+
+ When this option is enabled, if the device discovers such a
+ header with a missing or malformed flags field, it drops the
+ packet.
+
+ The attribure records the detection of TCP without flag set packets."
+ ::= { jnxJsScreenMonEntry 15 }
+
+ jnxJsScreenMonIpUnknownProt OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "According to RFC 1700, some protocol types in IP header are
+ reserved and unassigned at this time. Precisely because these
+ protocols are undefined, there is no way to know in advance
+ if a particular unknown protocol is benign or malicious. Unless
+ your network makes use of a non-standard protocol with reserved
+ or unassigned protocol number, a cautious stance is to block
+ such unknown elements from entering your protected network.
+
+ When the Unknown Protocol Protection SCREEN option is enabled,
+ the security device drops packets when the protocol field
+ contains a protocol ID number of 137 or greater by default.
+
+ This attribute records the detection of Unknown protocol
+ IP packets."
+ ::= { jnxJsScreenMonEntry 16 }
+
+ jnxJsScreenMonIpOptBad OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "IP protocol specifies a set of eight options that provide
+ special routing controls, diagnostic tools, and security.
+ These eight options can be used for malicious objectives.
+
+ Either intentionally or accidentally, attackers sometimes
+ misconfigure IP options, producing either incomplete or
+ malformed fields. The misformatting is anomalous and
+ potentially harmful to the intended recipient.
+
+ When the Bad IP Option Protection SCREEN option is enabled,
+ the security device detects and blocks packets when any IP
+ option in the IP packet header is incorrectly formatted.
+
+ This attributes records the detection of the IP bad option
+ packets."
+ ::= { jnxJsScreenMonEntry 17 }
+
+ jnxJsScreenMonIpOptRecRt OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The IP standard RFC 791 specifies a set of options to provide
+ special routing controls, diagnostic tools, and security.
+ These options appear after the destination address in an IP packet
+ header. When they do appear, they are frequently being put to
+ some nefarious use. Record option is one of these options that an
+ attacker can use for reconnaissance or for some unknown but
+ suspicious purpose
+
+ When record IP option is received, the security device
+ flags this as an network reconnaissance attack and records
+ the event for the ingress interface.
+
+ This attribute records the detection of IP record option
+ packets."
+ ::= { jnxJsScreenMonEntry 18 }
+
+ jnxJsScreenMonIpOptTimestamp OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The IP standard RFC 791 specifies a set of options to provide
+ special routing controls, diagnostic tools, and security.
+ These options appear after the destination address in an IP packet
+ header. When they do appear, they are frequently being put to
+ some nefarious use. Timestamp is one of these options that an
+ attacker can use for reconnaissance or for some unknown but
+ suspicious purpose
+
+ When timestamp IP option is received, the security device
+ flags this as an network reconnaissance attack and records
+ the event for the ingress interface.
+
+ This attribute records the detection of IP timestamp option
+ packets."
+ ::= { jnxJsScreenMonEntry 19 }
+
+ jnxJsScreenMonIpOptSecurity OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The IP standard RFC 791 specifies a set of options to provide
+ special routing controls, diagnostic tools, and security.
+ These options appear after the destination address in an IP packet
+ header. When they do appear, they are frequently being put to
+ some nefarious use. Security is one of these options that an
+ attacker can use for reconnaissance or for some unknown but
+ suspicious purpose
+
+ When the security IP option is received, the security device
+ flags this as an network reconnaissance attack and records
+ the event for the ingress interface.
+
+ This attribute records the detection of IP security option
+ packets."
+ ::= { jnxJsScreenMonEntry 20 }
+
+ jnxJsScreenMonIpOptLSR OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Attackers can use IP source route options to hide their true
+ address and access restricted areas of a network by specifying
+ a different path. The security device should be able to either
+ block any packets with loose or strict source route options
+ set or detect such packets and then record the event for the
+ ingress interface.
+
+ This attribute records the detection of loose source route
+ packets."
+ ::= { jnxJsScreenMonEntry 21 }
+
+ jnxJsScreenMonIpOptSSR OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Attackers can use IP source route options to hide their true
+ address and access restricted areas of a network by specifying
+ a different path. The security device should be able to either
+ block any packets with loose or strict source route options
+ set or detect such packets and then record the event for the
+ ingress interface.
+
+ This attribute records the detection of strict source route
+ packets."
+ ::= { jnxJsScreenMonEntry 22 }
+
+ jnxJsScreenMonIpOptStream OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The IP standard RFC 791 specifies a set of options to provide
+ special routing controls, diagnostic tools, and security.
+ These options appear after the destination address in an IP packet
+ header. When they do appear, they are frequently being put to
+ some nefarious use. Stream is one of these options that an
+ attacker can use for reconnaissance or for some unknown but
+ suspicious purpose
+
+ When the security IP option is received, the security device
+ flags this as an network reconnaissance attack and records
+ the event for the ingress interface.
+
+ This attribute records the detect of IP stream option
+ packets."
+ ::= { jnxJsScreenMonEntry 23 }
+
+ jnxJsScreenMonIcmpFrag OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "ICMP provides error reporting and network probe capabilities.
+ ICMP packets contain very short messages, there is no legitimate
+ reason for ICMP packets to be fragmented. If an ICMP packet is
+ so large that it must be fragmented, something has gone amiss.
+ With the ICMP Fragment Protection SCREEN option enabled, the device
+ should be able to block any ICMP packet with the More Fragments
+ flag set, or with an offset value indicated in the offset field.
+
+ This attribute counts the ICMP fragment packets."
+ ::= { jnxJsScreenMonEntry 24 }
+
+ jnxJsScreenMonIcmpLarge OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "ICMP packets contain very short messages, there is no legitimate
+ reason for ICMP packets to be fragmented.
+
+ If an ICMP packet is unusually large, something is wrong. For example,
+ the Loki program uses ICMP as a channel for transmitting covert
+ messages. The presence of large ICMP packets might expose a
+ compromised machine acting as a Loki agent. It might also indicate
+ some other kind of shifty activity.
+
+ When the the Large Size ICMP Packet Protection SCREEN option is enabled,
+ the device drops ICMP packets with a length greater than 1024 bytes.
+
+ This attribute records the detection of large ICMP packets."
+ ::= { jnxJsScreenMonEntry 25 }
+
+ jnxJsScreenMonTcpSynFin OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Both the SYN and FIN control flags are not normally set in the
+ same TCP segment header. The SYN flag synchronizes sequence
+ numbers to initiate a TCP connection. The FIN flag indicates
+ the end of data transmission to finish a TCP connection. Their
+ purposes are mutually exclusive. A TCP header with the SYN and
+ FIN flags set is anomalous TCP behavior, causing various
+ responses from the recipient, depending on the OS.
+
+ When block both syn and fin option is enable, the device
+ drops the packet when it discovers such a header
+
+ This attribute records the TCP syn fin both set packet
+ dropped."
+ ::= { jnxJsScreenMonEntry 26 }
+
+ jnxJsScreenMonTcpFinNoAck OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A FIN scan sends TCP segments with the FIN flag set in an
+ attempt to provoke a response and thereby discover an active
+ host or an active port on a host. The use of TCP segments
+ with the FIN flag set might evade detection and thereby help
+ the attacker succeed in his or her reconnaissance efforts.
+
+ This attributes records the detection of the TCP fin set
+ without ack bit set packets."
+ ::= { jnxJsScreenMonEntry 27 }
+
+ jnxJsScreenMonLimitSessSrc OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "All the virus-generated traffic originates from the same IP
+ address (generally from a infected server), a source-based
+ session limit ensures that the firewall can curb such
+ excessive amounts of traffic. Based on a threshold value,
+ if the number of concurrent sessions required to fill up
+ the session table of the particular firewall.
+
+ The default maximum for source-based session limit is 128
+ concurrent sessions, which can be adjusted to accordingly.
+
+ This attribute records the number of the session connection
+ based on the source IP that exceeds the specified limit."
+ ::= { jnxJsScreenMonEntry 28 }
+
+ jnxJsScreenMonLimitSessDest OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The user can limit the number of concurrent sessions
+ to the same destination IP address. A wily attacker can
+ launch a distributed denial-of-service (DDoS) attack using
+ 'zombie agents'. Setting a destination-based session limit
+ can ensure that device allows only an acceptable number of
+ concurrent connection requests, no matter what the source,
+ to reach any one host.
+
+ The default maximum for destination-based session limit is
+ 128 concurrent sessions.
+
+ This attribute records the number of session connection based
+ on the destination source IP address that exceeds the specified
+ limit."
+ ::= { jnxJsScreenMonEntry 29 }
+
+ jnxJsScreenMonSynAckAck OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "When an authentication user initiates a Telnet or FTP connection,
+ the user sends a SYN segment to the Telnet or FTP server. The
+ device intercepts the SYN segment, creates an entry in its
+ session table, and proxies a SYN-ACK segment to the user. The
+ user then replies with an ACK segment. At that point, the initial
+ 3-way handshake is complete. The device sends a login prompt to
+ the user. When a malicisou user does not log in, but instead
+ continue initiating SYN-ACK-ACK sessions, the firewall session
+ table can fill up to the point where the device begins rejecting
+ legitimate connection requests.
+
+ When the SYN-ACK-ACK proxy protection option is enabled, after
+ the number of connections from the same IP address reaches the
+ SYN-ACK-ACK proxy threshold, the device rejects further
+ connection requests from that IP address. By default, the
+ threshold is 512 connections from any single IP address.
+
+ The attribute records the detection of SYN ACK ACK attack."
+ ::= { jnxJsScreenMonEntry 30 }
+
+ jnxJsScreenMonIpFrag OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "As packets travels, it is sometimes necessary to break a packet
+ into smaller fragments based upon the maximum transmission unit
+ (MTU) of each network. IP fragments might contain an attacker's
+ attempt to exploit the vulnerabilities in the packet reassembly
+ code of specific IP stack implementations. When the victim
+ receives these packets, the results can range from processing
+ the packets incorrectly to crashing the entire system.
+
+ When the block IP framentation flag is enabled, the device blocks
+ all IP packet fragments that it receives at interfaces bound to
+ that zone.
+
+ This attribute counts the number of block IP fragment packets."
+ ::= { jnxJsScreenMonEntry 31 }
+
+
+ --
+ -- Threshold values
+ --
+ jnxJsScreenSynAttackThresh OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of SYN segments to the same destination address
+ and port number per second required to activate the SYN proxying
+ mechanism. In order to set the appropriate threshold value, it
+ requires a through knowledge of the normal traffic patterns at site
+
+ For example, if the security device normally gets 2000 SYN
+ segments per second, the threshold value should be set at
+ 3000/second.
+
+ This attribute displays the configured SYN attack threshold value."
+ ::= { jnxJsScreenMonEntry 32 }
+
+ jnxJsScreenSynAttackTimeout OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The maximum length of time before a half-completed connection is
+ dropped from the queue. The default is 20 seconds.
+
+ This attributes display the SYN attack timeout value."
+ ::= { jnxJsScreenMonEntry 33 }
+
+ jnxJsScreenSynAttackAlmTh OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The syn attack alarm threshold causes an alarm to be generated when
+ the number of proxied, half-complete TCP connection requests per
+ second requests to the same destination address and port number
+ exceeds its value.
+
+ This attribute display the SYN attack alarm threshold value."
+ ::= { jnxJsScreenMonEntry 34 }
+
+ jnxJsScreenSynAttackQueSize OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of proxied connection requests held in the proxied
+ connection queue before the device starts rejecting new connection
+ requests.
+
+ This attribute displays the SYN attack queue size.
+
+ This object has been deprecated."
+ ::= { jnxJsScreenMonEntry 35 }
+
+ jnxJsScreenSynAttackAgeTime OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "SYN flood age time.
+
+ This object has been deprecated."
+ ::= { jnxJsScreenMonEntry 36 }
+
+ jnxJsScreenIcmpFloodThresh OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "ICMP flooding occurs when an attacker sends IP packets containing
+ ICMP datagrams with the purpose of slowing down the victim to the
+ point that it can no longer handle valid connections.
+
+ This attributes display the ICMP attack alarm threshold value."
+ ::= { jnxJsScreenMonEntry 37 }
+
+ jnxJsScreenUdpFloodThresh OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "UDP flooding occurs when an attacker sends IP packets containing
+ UDP datagrams with the purpose of slowing down the victim to the
+ point that it can no longer handle valid connections.
+
+ The default threshold value is 1000 packets per second.
+
+ This attribute displays the UDP attack alarm threshold value."
+ ::= { jnxJsScreenMonEntry 38 }
+
+ jnxJsScreenPortScanThresh OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The port scan threshold interval is in microseconds. The default
+ threshold value is 5000. The valid threshold range is 1000-1000000.
+
+ By using the default settings, if a remote host scans 10 ports in
+ 0.005 seconds (5000 microseconds), the device flags this as a
+ port scan attack, and rejects all further packets from the remote
+ source for the remainder of the specified timeout period. The
+ device detects and drops the tenth packet that meets the port scan
+ attack criterion.
+
+ This attribute displays the port scan threshold value."
+ ::= { jnxJsScreenMonEntry 39 }
+
+ jnxJsScreenIpSweepThresh OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The IP sweep threshold interval is in microseconds. The default
+ threshold value is 5000. The valid threshold range is 1000-1000000.
+
+ By using the default settings, if a remote host sends ICMP traffic
+ to 10 addresses in 0.005 seconds (5000 microseconds), the
+ security device flags this as an address sweep attack, and
+ rejects all further ICMP echo requests from that host for
+ the remainder of the specified threshold time period. The
+ device detects and drops the tenth packet that meets the address
+ sweep attack criterion.
+
+ This attribute holds the UDP attack alarm threshold."
+ ::= { jnxJsScreenMonEntry 40 }
+
+ jnxJsScreenSynAckAckThres OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "SYN ack ack alarm threshold value."
+ ::= { jnxJsScreenMonEntry 41 }
+
+ jnxJsScreenMonIpv6ExtHdr OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "In one IPv6 packet, one or more extension headers may appear before
+ the encapsulated payload after the mandatory header. User can screen
+ any one or several extension headers.
+
+ When the extension header screen is enabled, the device screens all
+ IPv6 packets with specific header.
+
+ The attribute counts the number of block IPv6 extension packets."
+ ::= { jnxJsScreenMonEntry 42 }
+
+ jnxJsScreenMonIpv6HopOpt OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "In one IPv6 hop by hop option extension header, it carries a variable
+ number options. User can screen any one or several options.
+
+ When the hop by hop option screen is enabled, the device screens all
+ IPv6 packets with specific option type.
+
+ The attribute counts the number of block IPv6 option type packets."
+ ::= { jnxJsScreenMonEntry 43 }
+
+ jnxJsScreenMonIpv6DstOpt OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "In one IPv6 destination option extension header, it carries a variable
+ number options. User can screen any one or several options.
+
+ When the destination option screen is enabled, the device screens all
+ IPv6 packets with specific option type.
+
+ The attribute counts the number of block IPv6 option type packets."
+ ::= { jnxJsScreenMonEntry 44 }
+
+ jnxJsScreenMonIpv6ExtLimit OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "In one IPv6 packet, one or more extension headers may appear before
+ the encapsulated payload. User can screen IPv6 packets if their extension
+ header number is larger than one limit.
+
+ When the extension header limit screen is enabled, the device screens
+ IPv6 packets with more than one limit extension headers.
+
+ The attribute counts the number of block IPv6 packets."
+ ::= { jnxJsScreenMonEntry 45 }
+
+ jnxJsScreenMonIpMalIpv6 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "One IPv6 packets may contain malformed header, the device tries to block
+ these packets to protect downstream devices.
+
+ When the malformed IPv6 screen is enabled, the device screens IPv6 packets
+ with malformed header.
+
+ The attribute counts the number of block malformed header IPv6 packets."
+ ::= { jnxJsScreenMonEntry 46 }
+
+ jnxJsScreenMonIcmpMalIcmpv6 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "One ICMPv6 packets may contain malformed content, the device tries to block
+ these packets to protect downstream devices.
+
+ When the malformed ICMPv6 screen is enabled, the device screens ICMPv6
+ packets with malformed content.
+
+ The attribute counts the number of block malformed ICMPv6 packets."
+ ::= { jnxJsScreenMonEntry 47 }
+
+ jnxJsScreenIpv6ExtNumLim OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "IPv6 extension header number limit value."
+ ::= { jnxJsScreenMonEntry 48 }
+
+
+ --
+ -- Other Screen values
+ --
+ jnxJsScreenUdpPortScanThresh OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The UDP port scan threshold interval is in microseconds. The default
+ threshold value is 5000. The valid threshold range is 1000-1000000.
+
+ By using the default settings, if a remote host scans 10 ports in
+ 0.005 seconds (5000 microseconds), the device flags this as a
+ udp port scan attack, and rejects all further packets from the remote
+ source for the remainder of the specified timeout period. The
+ device detects and drops the tenth packet that meets the port scan
+ attack criterion.
+
+ This attribute displays the UDP port scan threshold value."
+ ::= { jnxJsScreenMonEntry 49 }
+
+ jnxJsScreenMonUdpPortScan OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A UDP port scan occurs when one source IP address sends UDP packets
+ to a defined number of different ports at the same destination
+ IP address within a defined interval. The purpose of this attack
+ is to scan the available services in the hope that at least one
+ port will respond, thus identifying a service of the target.
+ The device should internally log the number of different ports
+ scanned from one remote source.
+
+ This attribute records the UDP port scan attempt attack packets."
+ ::= { jnxJsScreenMonEntry 50 }
+
+
+ jnxJsScreenMonIpTunnelGre6in4 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "When an IP GRE 6in4 Tunnel packet meets the attack criteria
+ specified by current configuration, it will be counted in this
+ statisitic.
+
+ This attribute records the IP GRE 6in4 Tunnel attempt attack packets."
+ ::= { jnxJsScreenMonEntry 51 }
+
+
+ jnxJsScreenMonIpTunnelGre4in6 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "When an IP GRE 4in6 Tunnel packet meets the attack criteria
+ specified by current configuration, it will be counted in this
+ statisitic.
+
+ This attribute records the IP GRE 4in6 Tunnel attempt attack packets."
+ ::= { jnxJsScreenMonEntry 52 }
+
+
+ jnxJsScreenMonIpTunnelGre6in6 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "When an IP GRE 6in6 Tunnel packet meets the attack criteria
+ specified by current configuration, it will be counted in this
+ statisitic.
+
+ This attribute records the IP GRE 6in6 Tunnel attempt attack packets."
+ ::= { jnxJsScreenMonEntry 53 }
+
+
+ jnxJsScreenMonIpTunnelGre4in4 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "When an IP GRE 4in4 Tunnel packet meets the attack criteria
+ specified by current configuration, it will be counted in this
+ statisitic.
+
+ This attribute records the IP GRE 4in4 Tunnel attempt attack packets."
+ ::= { jnxJsScreenMonEntry 54 }
+
+
+ jnxJsScreenMonIpTunnelIpInUdpTeredo OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "When an IPinUDP Teredo Tunnel packet meets the attack criteria
+ specified by current configuration, it will be counted in this
+ statisitic.
+
+ This attribute records the IPinUDP Teredo Tunnel attempt attack packets."
+ ::= { jnxJsScreenMonEntry 55 }
+
+
+ jnxJsScreenMonIpTunnelBadInnerHeader OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "When an IP Tunnel Bad Inner Header packet meets the attack criteria
+ specified by current configuration, it will be counted in this
+ statisitic.
+
+ This attribute records the IP Tunnel Bad Inner Header attempt attack packets."
+ ::= { jnxJsScreenMonEntry 56 }
+
+
+ jnxJsScreenMonIpTunnelIpIp6to4relay OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "When an IP Tunnel IPinIP 6to4 relay packet meets the attack criteria
+ specified by current configuration, it will be counted in this
+ statisitic.
+
+ This attribute records the IP Tunnel IPinIP 6to4 relay attempt attack packets."
+ ::= { jnxJsScreenMonEntry 57 }
+
+
+ jnxJsScreenMonIpTunnelIpIp6in4 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "When an IP Tunnel IPinIP 6in4 packet meets the attack criteria
+ specified by current configuration, it will be counted in this
+ statisitic.
+
+ This attribute records the IP Tunnel IPinIP 6in4 attempt attack packets."
+ ::= { jnxJsScreenMonEntry 58 }
+
+
+ jnxJsScreenMonIpTunnelIpIp6over4 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "When an IP Tunnel IPinIP 6over4 packet meets the attack criteria
+ specified by current configuration, it will be counted in this
+ statisitic.
+
+ This attribute records the IP Tunnel IPinIP 6over4 attempt attack packets."
+ ::= { jnxJsScreenMonEntry 59 }
+
+
+ jnxJsScreenMonIpTunnelIpIp4in6 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "When an IP Tunnel IPinIP 4in6 packet meets the attack criteria
+ specified by current configuration, it will be counted in this
+ statisitic.
+
+ This attribute records the IP Tunnel IPinIP 4in6 attempt attack packets."
+ ::= { jnxJsScreenMonEntry 60 }
+
+ jnxJsScreenMonIpTunnelIpIp4in4 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "When an IP Tunnel IPinIP 4in4 packet meets the attack criteria
+ specified by current configuration, it will be counted in this
+ statisitic.
+
+ This attribute records the IP Tunnel IPinIP 4in4 attempt attack packets."
+ ::= { jnxJsScreenMonEntry 61 }
+
+ jnxJsScreenMonIpTunnelIpIp6in6 OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "When an IP Tunnel IPinIP 6in6 packet meets the attack criteria
+ specified by current configuration, it will be counted in this
+ statisitic.
+
+ This attribute records the IP Tunnel IPinIP 6in6 attempt attack packets."
+ ::= { jnxJsScreenMonEntry 62 }
+
+
+ jnxJsScreenMonIpTunnelIpIpIsatap OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "When an IP Tunnel IPinIP ISATAP packet meets the attack criteria
+ specified by current configuration, it will be counted in this
+ statisitic.
+
+ This attribute records the IP Tunnel IPinIP ISATAP attempt attack packets."
+ ::= { jnxJsScreenMonEntry 63 }
+
+
+ jnxJsScreenMonIpTunnelIpIpDsLite OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "When an IP Tunnel IPinIP DS-Lite packet meets the attack criteria
+ specified by current configuration, it will be counted in this
+ statisitic.
+
+ This attribute records the IP Tunnel IPinIP DS-Lite attempt attack packets."
+ ::= { jnxJsScreenMonEntry 64 }
+
+--
+-- Additional Syn Flood, Session Limit thresholds and counters
+--
+
+ jnxJsScreenMonThreshTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF JnxJsScreenMonThreshEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "This table is a read-only table that augments the
+ jnxJsScreenMonTable. The purpose of this table is
+ to keep threshold and counter information about
+ Syn Flood and Session Limit."
+ ::= { jnxJsScreenObjects 2 }
+
+ jnxJsScreenMonThreshEntry OBJECT-TYPE
+ SYNTAX JnxJsScreenMonThreshEntry
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Syn Flood and Session Limit thresholds and counts."
+ AUGMENTS { jnxJsScreenMonEntry }
+ ::= { jnxJsScreenMonThreshTable 1 }
+
+ JnxJsScreenMonThreshEntry ::= SEQUENCE
+ {
+ jnxJsScreenSynFloodSrcThresh Integer32,
+ jnxJsScreenSynFloodDstThresh Integer32,
+ jnxJsScreenSessLimitSrcThresh Integer32,
+ jnxJsScreenSessLimitDstThresh Integer32,
+ jnxJsScreenMonSynFloodSrc Counter64,
+ jnxJsScreenMonSynFloodDst Counter64
+ }
+
+ jnxJsScreenSynFloodSrcThresh OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of SYN segments received per second from a single
+ source IP - regardless of the destination IP address and
+ port number - before the security device begins dropping
+ connection requests from that source."
+ ::= { jnxJsScreenMonThreshEntry 1 }
+
+ jnxJsScreenSynFloodDstThresh OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of SYN segments received per second from a single
+ destination IP address before the security device begins dropping
+ connection requests to that destination. If a protected host runs
+ multiple services, you might want to set a threshold based on
+ destination IP address only - regardless of the destination
+ port number."
+ ::= { jnxJsScreenMonThreshEntry 2 }
+
+ jnxJsScreenSessLimitSrcThresh OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The security device can impose a limit on the number of SYN segments
+ permitted from a single source IP address."
+ ::= { jnxJsScreenMonThreshEntry 3 }
+
+ jnxJsScreenSessLimitDstThresh OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The security device can impose a limit on the number of SYN segments
+ permitted to a single destination IP address."
+ ::= { jnxJsScreenMonThreshEntry 4 }
+
+ jnxJsScreenMonSynFloodSrc OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of concurrent sessions from the same source IP address."
+ ::= { jnxJsScreenMonThreshEntry 5 }
+
+ jnxJsScreenMonSynFloodDst OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of concurrent sessions to the same destination IP address."
+ ::= { jnxJsScreenMonThreshEntry 6 }
+
+--
+-- This table is for TCP/UDP sweep thresholds and counters
+--
+
+ jnxJsScreenSweepTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF JnxJsScreenSweepEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "This table is a read-only table that augments the
+ jnxJsScreenMonTable. The purpose of this table is
+ to add counters and thresholds for TCP/UDP sweep
+ feature."
+ ::= { jnxJsScreenObjects 3 }
+
+ jnxJsScreenSweepEntry OBJECT-TYPE
+ SYNTAX JnxJsScreenSweepEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "TCP/UDP sweep thresholds and counters."
+ AUGMENTS { jnxJsScreenMonEntry }
+ ::= { jnxJsScreenSweepTable 1 }
+
+ JnxJsScreenSweepEntry ::= SEQUENCE
+ {
+ jnxJsScreenTcpSweepThresh Integer32,
+ jnxJsScreenUdpSweepThresh Integer32,
+ jnxJsScreenMonTcpSweep Counter64,
+ jnxJsScreenMonUdpSweep Counter64
+ }
+
+ jnxJsScreenTcpSweepThresh OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The TCP sweep threshold interval is in microseconds. The
+ default threshold value is 5000. The valid threshold range
+ is 1000-1000000.
+
+ By using the default settings, if a remote host initiates TCP
+ connection to 10 addresses in 0.005 seconds(5000 microseconds),
+ the security device flags this as an TCP sweep attack, and
+ rejects all further new TCP connections initiated from that
+ host for the remainder of the specified threshold time period.
+ This attribute holds the TCP sweep attack threshold."
+ ::= { jnxJsScreenSweepEntry 1 }
+
+ jnxJsScreenUdpSweepThresh OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The UDP sweep threshold interval is in microseconds. The
+ default threshold value is 5000. The valid threshold range is
+ 1000-1000000.
+
+ By using the default settings, if a remote host has UDP
+ connection to 10 addresses in 0.005 seconds(5000 microseconds),
+ the security device flags this as an UDP sweep attack, and
+ rejects all further new UDP connections from that host for
+ the remainder of the specified threshold time period.
+
+ This attribute holds the UDP sweep attack threshold."
+ ::= { jnxJsScreenSweepEntry 2 }
+
+ jnxJsScreenMonTcpSweep OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of TCP sessions dropped due to TCP sweeping attack."
+ ::= { jnxJsScreenSweepEntry 3 }
+
+ jnxJsScreenMonUdpSweep OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of UDP packets dropped due to UDP sweeping attack."
+ ::= { jnxJsScreenSweepEntry 4 }
+
+
+ -- ***************************************************************
+ -- definition of access authentication related traps.
+ -- ***************************************************************
+
+ --
+ -- When the device detects an attack, based on configured value,
+ -- an attack trap is generated.
+ --
+ jnxJsScreenAttack NOTIFICATION-TYPE
+ OBJECTS { jnxJsScreenZoneName,
+ ifName,
+ jnxJsScreenAttackType,
+ jnxJsScreenAttackCounter,
+ jnxJsScreenAttackDescr
+ }
+ STATUS current
+ DESCRIPTION
+ "A per min bytes exceed trap signifies that the number of
+ bytes per minutes has exceeds the specified threshold.
+
+ jnxJsScreenZoneName: the zone name under which the attack
+ is occuring.
+ ifName the interface at which the attack is occuring.
+ jnxJsScreenAttackType: type of attack.
+ jnxJsScreenAttackCounter: the number of attacks recorded
+ based on the particular screening options enabled. The
+ value of this counter is the aggregated statistic of all
+ the interfaces bound to the mentioned zone.
+ jnxJsScreenAttackDescr: a general text description of the
+ this attack or the trap."
+ ::= { jnxJsScreenNotifications 1 }
+
+ --
+ -- The trap indicates an screen option is changed.
+ --
+ jnxJsScreenCfgChange NOTIFICATION-TYPE
+ OBJECTS { jnxJsScreenZoneName,
+ jnxJsScreenAttackType,
+ jnxJsScreenCfgStatus }
+ STATUS current
+ DESCRIPTION
+ "The screening configuration change trap signifies that
+ an screening option has been changed(enabled or disabled).
+
+ A disable feature may implies a security hole.
+
+ jnxJsScreenZoneName is the zone at which the changed option
+ is applicable to.
+ jnxJsScreenAttackType the screen feature.
+ jnxJsScreenCfgStatus: either enabled or disabled"
+ ::= { jnxJsScreenNotifications 2 }
+
+
+ -- **************************************************************
+ -- Trap variables
+ -- **************************************************************
+ jnxJsScreenAttackType OBJECT-TYPE
+ SYNTAX INTEGER {
+ icmpFlood (1),
+ udpFlood (2),
+ portScanning (3),
+ ipSweeping (4),
+ synfloodSrcIP (5),
+ synfloodDstIP (6),
+ sessLimitSrcBased (7),
+ sessLimitDestBased (8),
+ synAckAck (9),
+ synAttack (10),
+ winNuke (11),
+ tearDrop (12),
+ ipAddressSpoof (13),
+ pingDeath (14),
+ sourceRoute (15),
+ landAttack (16),
+ synFragmentation (17),
+ tcpNoFlag (18),
+ ipUnknownProtocol (19),
+ ipOptionBad (20),
+ ipOptionRecRt (21),
+ ipOptionTimeStamp (22),
+ ipOptionSecurity (23),
+ ipOptionLSR (24),
+ ipOptionSRR (25),
+ ipOptionStream (26),
+ icmpFragmentation (27),
+ icmpLarge (28),
+ tcpSynFin (29),
+ tcpFinNoAck (30),
+ ipFragmentation (31),
+ tcpSweeping (32),
+ udpSweeping (33),
+ ipv6exthdr (34),
+ ipv6hbyhopt (35),
+ ipv6dstopt (36),
+ ipv6extlim (37),
+ ipv6malhdr (38),
+ icmpv6malpkt (39),
+ udpportScanning (40),
+ ipTunnelGre6in4 (41),
+ ipTunnelGre4in6 (42),
+ ipTunnelGre6in6 (43),
+ ipTunnelGre4in4 (44),
+ ipTunnelIpInUdpTeredo (45),
+ ipTunnelBadInnerHeader (46),
+ ipTunnelIpIp6to4relay (47),
+ ipTunnelIpIp6in4 (48),
+ ipTunnelIpIp6over4 (49),
+ ipTunnelIpIp4in6 (50),
+ ipTunnelIpIp4in4 (51),
+ ipTunnelIpIp6in6 (52),
+ ipTunnelIpIpIsatap (53),
+ ipTunnelIpIpDsLite (54)
+
+ }
+ MAX-ACCESS accessible-for-notify
+ STATUS current
+ DESCRIPTION
+ "The type of attacks that the device support."
+ ::= { jnxJsScreenTrapVars 1 }
+
+ jnxJsScreenAttackCounter OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS accessible-for-notify
+ STATUS current
+ DESCRIPTION
+ "The threshold value that triggers the trap to be generated."
+ ::= { jnxJsScreenTrapVars 2 }
+
+ jnxJsScreenAttackDescr OBJECT-TYPE
+ SYNTAX DisplayString (SIZE(1..255))
+ MAX-ACCESS accessible-for-notify
+ STATUS current
+ DESCRIPTION
+ "The description pertinent to the attack trap."
+ ::= { jnxJsScreenTrapVars 3 }
+
+ jnxJsScreenCfgStatus OBJECT-TYPE
+ SYNTAX INTEGER {
+ disabled (1),
+ enabled (2)
+ }
+ MAX-ACCESS accessible-for-notify
+ STATUS current
+ DESCRIPTION
+ "The screening option configuration status: enabled or disabled."
+ ::= { jnxJsScreenTrapVars 4 }
+
+--
+-- End of File
+--
+
+END
+
+ |