CISCO-CIDS-MIB.my

-- CISCO-CIDS-MIB.my : Cisco Intrusion Detection System MIB
-- 
-- December 2003, Shane J London
-- 
-- Copyright (c) 2003 by Cisco Systems, Inc. 
-- All rights reserved. 

CISCO-CIDS-MIB DEFINITIONS ::= BEGIN

IMPORTS
        MODULE-IDENTITY,
        OBJECT-TYPE,
        NOTIFICATION-TYPE,
        Integer32,
        Unsigned32,
        Counter32,
        TimeTicks,
        Gauge32
            FROM SNMPv2-SMI
        MODULE-COMPLIANCE, 
        NOTIFICATION-GROUP,
        OBJECT-GROUP
            FROM SNMPv2-CONF
        TEXTUAL-CONVENTION,
        TruthValue,
        DateAndTime
            FROM SNMPv2-TC
        SnmpAdminString
            FROM SNMP-FRAMEWORK-MIB
        Unsigned64
            FROM CISCO-TC
        ciscoMgmt
            FROM CISCO-SMI;

ciscoCidsMIB MODULE-IDENTITY
        LAST-UPDATED        "200312180000Z"
        ORGANIZATION        "Cisco Systems, Inc."
        CONTACT-INFO
                "       Cisco Systems
                        Customer Service

                Postal: 170 W Tasman Drive
                        San Jose, CA  95134
                        USA

                   Tel: +1 800 553-NETS

                E-mail: cs-netranger@cisco.com"
        DESCRIPTION
                "Cisco Intrusion Detection System MIB.  Provides
                 trap definitions for the evAlert and evError
                 elements of the IDIOM (Intrusion Detection and
                 Operations Messages) document and read support 
                 for the Intrusion Detection System (sensor) 
                 health information, such as if the sensor is
                 in a memory critical stage."
        REVISION        "200312180000Z"
        DESCRIPTION
                "Initial version of this MIB module."
        ::= { ciscoMgmt 383 }

ciscoCidsMIBNotifs  OBJECT IDENTIFIER ::=  { ciscoCidsMIB 0 }
ciscoCidsMIBObjects OBJECT IDENTIFIER ::=  { ciscoCidsMIB 1 }
ciscoCidsMIBConform OBJECT IDENTIFIER ::=  { ciscoCidsMIB 2 }

cidsGeneral         OBJECT IDENTIFIER ::= { ciscoCidsMIBObjects 1 }
cidsAlert           OBJECT IDENTIFIER ::= { ciscoCidsMIBObjects 2 }
cidsError           OBJECT IDENTIFIER ::= { ciscoCidsMIBObjects 3 }
cidsHealth          OBJECT IDENTIFIER ::= { ciscoCidsMIBObjects 4 }

-- Textual Conventions
CidsErrorCode ::= TEXTUAL-CONVENTION
        STATUS current
        DESCRIPTION
                "An enumerated value which identifies the general
                 category of error that occurred.

                 errAuthenticationTokenExpired
                      The requested action could not be carried out 
                      because the requestor has provided an 
                      authentication token (e.g. password) that has 
                      expired.
                 errConfigCollision
                      The value of the config-token request 
                      parameter in a setComponentConfig control 
                      transaction request does not match the 
                      current configuration document on the target 
                      host. Typically this indicates that the 
                      configuration on the target host has been 
                      modified by another user.
                 errInUse
                      The requested action could not be completed 
                      because it requires access to a resource
                      that is in use.
                 errInvalidDocument
                      The request contained a document that was 
                      not well-formed, contained an incorrect root 
                      element, or contained additional elements or 
                      attributes that are not permitted by the lax 
                      IDIOM schema.
                 errLimitExceeded
                      The requested action could not be completed 
                      because it would create a resource that  
                      would exceed a system resource limit.
                 errNotAvailable
                      The requested action is supported but cannot 
                      be performed due to the current 
                      configuration of the target host.
                 errNotFound
                      A resource specified in the request does 
                      not exist.
                 errNotSupported
                      The requested action is not supported on 
                      the target host.
                 errPermissionDenied
                      The requestor does not have a sufficiently 
                      high authorization level to perform the 
                      requested action.
                 errSyslog
                      Used to convey messages of interest from 
                      the host system's syslog.
                 errSystemError
                      A system error occurred, such as an 
                      out-of-memory condition, disk access error, 
                      etc.
                 errTransport
                      The requested action could not be carried 
                      out because of a communications failure 
                      with another host that is involved in the 
                      action.
                 errUnacceptableValue
                      The request document was valid but 
                      contained one or more values that could 
                      not be accepted because they either: 
                      (1) conflict with other values in the same 
                      document or (2) are not acceptable due to 
                      the current state of the system.
                 errUnclassified
                      Used to convey an unclassified error 
                      condition.
                 errWarning
                      Used to convey a software warning 
                      condition detected by an application 
                      running on the host system.
                "

        SYNTAX INTEGER  {
                errAuthenticationTokenExpired(1), 
                errConfigCollision(2),
                errInUse(3),
                errInvalidDocument(4), 
                errLimitExceeded(5),
                errNotAvailable(6), 
                errNotFound(7), 
                errNotSupported(8), 
                errPermissionDenied(9), 
                errSyslog(10), 
                errSystemError(11), 
                errTransport(12), 
                errUnacceptableValue(13), 
                errUnclassified(14), 
                errWarning(15)
        }

-- General

cidsGeneralEventId OBJECT-TYPE
        SYNTAX     Unsigned64
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
                "Identifies the sequence number of an event. 
                 This value needs to be unique within the scope 
                 of the originating host."
        ::= { cidsGeneral 1 }

cidsGeneralLocalTime OBJECT-TYPE
        SYNTAX     DateAndTime
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
                "The local time on the Cisco intrusion detection
                 system sensor when the alert was generated."
        ::= { cidsGeneral 2 }

cidsGeneralUTCTime OBJECT-TYPE
        SYNTAX     DateAndTime
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
                "The UTC time on the Cisco intrusion detection 
                 system sensor when the alert was generated."
        ::= { cidsGeneral 3 }

cidsGeneralOriginatorHostId OBJECT-TYPE
        SYNTAX     SnmpAdminString
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
                "A globally unique identifier for a Cids host.  Could 
                 be a host name or an ip address."
        ::= { cidsGeneral 4 }

cidsGeneralOriginatorAppName OBJECT-TYPE
        SYNTAX     SnmpAdminString
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
                "The optional generic name of a Cids application."
        ::= { cidsGeneral 5 }

cidsGeneralOriginatorAppId OBJECT-TYPE
        SYNTAX     SnmpAdminString
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
                "The optional id of this instance of the application. 
                 Typically the process id (pid)."
        ::= { cidsGeneral 6 }

cidsNotificationsEnabled OBJECT-TYPE
        SYNTAX     TruthValue
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
               "Indicates whether notifications will or will not 
                be sent when an event is generated by the device."
        DEFVAL { false }
        ::= { cidsGeneral 7 }

-- Alert

cidsAlertSeverity OBJECT-TYPE
        SYNTAX     SnmpAdminString
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
                "The severity associated with a Cids signature
                 (informational, low, medium or high for 
                 example)."
        ::= { cidsAlert 1 }

cidsAlertAlarmTraits OBJECT-TYPE
        SYNTAX     Unsigned32
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
                "The alarm traits is an unsigned 16-bit integer 
                 representing the value of the 16 user-defined 
                 alarm traits specified in the configuration for 
                 the signature that triggered the alert.  The 
                 alarmTraits bits are used to classify signatures 
                 into user-defined categories or groups."
        ::= { cidsAlert 2 }

cidsAlertSignature OBJECT-TYPE
        SYNTAX     SnmpAdminString ( SIZE ( 1..64 ) )
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
                "Content is a string containing details about the 
                 signature that fired, without any specifics tied 
                 to this instance of the alert.   The 
                 cidsAlertSignatureSigName, cidsAlertSignatureSigId
                 and cidsAlertSignatureSubSigId attributes define 
                 the signature that triggered this Alert."
        ::= { cidsAlert 3 }

cidsAlertSignatureSigName OBJECT-TYPE
        SYNTAX     SnmpAdminString ( SIZE ( 1..64 ) )
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
                "The name of the Intrusion detection signature
                 that triggered this event."
        ::= { cidsAlert 4 }

cidsAlertSignatureSigId OBJECT-TYPE
        SYNTAX     Unsigned32
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
                "The ID of the Intrusion detection signature
                 that triggered this event.  The ID combines
                 with the cidsAlertSignatureSubSigId to 
                 create a unique key that identifies the 
                 signature that generated this event."
        ::= { cidsAlert 5 }

cidsAlertSignatureSubSigId OBJECT-TYPE
        SYNTAX     Unsigned32
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
                "The optional Sub ID of the Intrusion detection 
                 signature that triggered this event.  The Sub
                 ID combines with the cidsAlertSignatureSigId
                 to create a unique key that identifies the
                 signature that generated this event."
        ::= { cidsAlert 6 }

cidsAlertSignatureVersion OBJECT-TYPE
        SYNTAX     SnmpAdminString ( SIZE ( 1..64 ) )
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
                "The optional version attribute defines the version 
                 number of the signature update in which the triggering 
                 signature was introduced or was last modified.  
                 Example: 4.1(1.1)S47(0.1)"
        ::= { cidsAlert 7 }

cidsAlertSummary OBJECT-TYPE
        SYNTAX     Unsigned32
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
                "Optional, if present, specifies that this is a 
                 summary alert, representing one or more alerts with 
                 common characteristics. The numeric value indicates
                 the number of times the signature fired since the 
                 last summary alert with a matching 'initialAlert'  
                 attribute value.  The first and all subsequent 
                 summary alerts in a sequence will use the eventId 
                 of a previous non-summary evAlert in the initialAlert
                 attribute value. All alerts represented by the
                 summary alert share the same signature and 
                 sub-signature id.  The summaryType attribute defines 
                 the common characteristic(s) of all alerts in the 
                 summary.  The 'final' attribute indicates whether 
                 this is the last evAlert containing the same value 
                 in the 'initialAlert' attribute.  The 'final' 
                 attribute may be omitted if and only if its value 
                 is false."
        ::= { cidsAlert 8 }

cidsAlertSummaryType OBJECT-TYPE
        SYNTAX     SnmpAdminString ( SIZE ( 0..16 ) )
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
                "Common characteristics shared by all non-summary 
                 alerts included in a summary alert."
        ::= { cidsAlert 9 }

cidsAlertSummaryFinal OBJECT-TYPE
        SYNTAX     TruthValue
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
                "The optional 'final' attribute indicates whether 
                 this is the last evAlert containing the same value 
                 in the 'initialAlert' attribute.  The 'final' 
                 attribute may be omitted if and only if its value 
                 is false."
        ::= { cidsAlert 10 }

cidsAlertSummaryInitialAlert OBJECT-TYPE
        SYNTAX     Unsigned64
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
                "Serial number for the initial alert, which is 
                 guaranteed unique within the scope of the 
                 originating host."
        ::= { cidsAlert 11 }

cidsAlertInterfaceGroup OBJECT-TYPE
        SYNTAX     Integer32 ( -2147483648..2147483647 )
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
                "Optional numeric identifier for a sniffing 
                 interface group on this host."
        ::= { cidsAlert 12 }

cidsAlertVlan OBJECT-TYPE
        SYNTAX     Unsigned32 ( 0..65535 )
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
                "An optional numeric identifier for a vlan.  Identifies 
                 the vlan that uses the number in ISL or 802.3.1q 
                 headers."
        ::= { cidsAlert 13 }

cidsAlertVictimContext OBJECT-TYPE
        SYNTAX     SnmpAdminString
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
                "Optional Base64-encoded representation of the stream 
                 data that was sourced by the victim."
        ::= { cidsAlert 14 }

cidsAlertAttackerContext OBJECT-TYPE
        SYNTAX     SnmpAdminString
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
                "Optional Base64-encoded representation of the stream 
                 data that was sourced by the Attacker."
        ::= { cidsAlert 15 }

cidsAlertAttackerAddress OBJECT-TYPE
        SYNTAX     SnmpAdminString
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
                "Optional ip address and ports on a monitored 
                 interface.  The 'locality' attribute is a string 
                 that indicates the relative location of the ip 
                 address within the network mapping, such as whether 
                 the address falls within the address range of a 
                 protected network.  The optional 'proxy' attribute 
                 is 'true' if the sensor has reason to suspect that 
                 the address given is not the address of the true 
                 attacker.  This could be a the result of address 
                 spoofing or because the host has been compromised 
                 and is acting as a 'zombie'.  The 'proxy' attribute
                 may be omitted if and only if its value is false."
        ::= { cidsAlert 16 }

cidsAlertVictimAddress OBJECT-TYPE
        SYNTAX     SnmpAdminString
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
                "Optional ip address and ports on a monitored 
                 interface.  The 'locality' attribute is a string 
                 that indicates the relative location of the ip 
                 address within the network mapping, such as 
                 whether the address falls within the address range 
                 of a protected network."
        ::= { cidsAlert 17 }

cidsAlertIpLoggingActivated OBJECT-TYPE
        SYNTAX     TruthValue
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
                "Optional.  Indicates whether ip logging has been 
                 activated as the result of the alert.  A separate 
                 evIpLogStatus event will be generated when logging 
                 has been completed.  The evIpLogStatus event contains 
                 the URL where the log results may be obtained.  This 
                 element may be omitted if and only if its value 
                 is false."
        ::= { cidsAlert 18 }

cidsAlertTcpResetSent OBJECT-TYPE
        SYNTAX     TruthValue
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
                "Optional.  Indicates whether a attempt was made to 
                 reset a tcp connection as the result of the alert.  
                 The addresses and ports affected must be implied from 
                 the information contained in the participant elements 
                 of the evAlert.  This element may be omitted if and
                 only if its value is false."
        ::= { cidsAlert 19 }

cidsAlertShunRequested OBJECT-TYPE
        SYNTAX     TruthValue
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
                "Optional.  Indicates whether an ip address or tcp 
                 connection has been requested to be shunned as a 
                 result of the alert.  Details about the addresses 
                 and ports involved in the shun can be obtained from 
                 evNacStatus events sent by the Network Access 
                 Controller application.  This element may be omitted 
                 if and only if its value is false."
        ::= { cidsAlert 20 }

cidsAlertDetails OBJECT-TYPE
        SYNTAX     SnmpAdminString
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
                "Optional.  Textual details about the specific alert 
                 instance, not just the signature."
        ::= { cidsAlert 21 }

cidsAlertIpLogId OBJECT-TYPE
        SYNTAX     SnmpAdminString
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
                "IP log identifiers for IP logs that were added as 
                 the result of this alert."
        ::= { cidsAlert 22 }

cidsThreatResponseStatus OBJECT-TYPE
        SYNTAX     SnmpAdminString
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
                "A brief textual description of the status of 
                 the alarm given by the Cisco Systems Threat
                 Response engine."
        ::= { cidsAlert 23 }

cidsThreatResponseSeverity OBJECT-TYPE
        SYNTAX     Integer32 ( -2147483648..2147483647 )
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
                "The alarm severity as assigned by the Cisco Systems
                 Threat Response engine."
        ::= { cidsAlert 24 }

cidsAlertEventRiskRating OBJECT-TYPE
        SYNTAX     Unsigned32
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
                "A risk factor that incorporates several additional 
                 pieces of information beyond the detection of a 
                 potentially malicious action.  The factors that 
                 characterize this risk are the severity of the 
                 attack if it were to succeed, the fidelity of the 
                 signature, the relevance of the potential attack 
                 with respect to the target host, and the overall 
                 value of the target host to the customer."
        ::= { cidsAlert 25 }

--Error

cidsErrorSeverity OBJECT-TYPE
        SYNTAX     SnmpAdminString
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
                "Severity of an error (warning, error or fatal
                 for example).  An example of a type of error 
                 that could occur would be when a requested 
                 action could not be completed because it
                 would create a resource that would exceed a 
                 system resource limit."
        ::= { cidsError 1 }

cidsErrorName OBJECT-TYPE
        SYNTAX     CidsErrorCode
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
                "An enumerated error code, which identifies a general 
                 class of errors."
        ::= { cidsError 2 }

cidsErrorMessage OBJECT-TYPE
        SYNTAX     SnmpAdminString
        MAX-ACCESS accessible-for-notify
        STATUS     current
        DESCRIPTION
                "A textual description of the error that occurred."
        ::= { cidsError 3 }

--Health

cidsHealthPacketLoss OBJECT-TYPE
        SYNTAX     Integer32 ( 0..100 )
        UNITS      "percent"
        MAX-ACCESS read-only
        STATUS     current
        DESCRIPTION
               "The percentage of packets lost at the device
                interface level."
        ::= { cidsHealth 1 }

cidsHealthPacketDenialRate OBJECT-TYPE
        SYNTAX     Integer32 ( 0..100 )
        UNITS      "percent"
        MAX-ACCESS read-only
        STATUS     current
        DESCRIPTION
               "The percentage of packets denied due to
                protocol and security violations." 
        ::= { cidsHealth 2 }

cidsHealthAlarmsGenerated OBJECT-TYPE
        SYNTAX     Counter32 
        MAX-ACCESS read-only
        STATUS     current
        DESCRIPTION
               "The number of alarms generated, includes
                all currently defined alarm severities."
        ::= { cidsHealth 3 }

cidsHealthFragmentsInFRU OBJECT-TYPE
        SYNTAX     Gauge32 
        MAX-ACCESS read-only
        STATUS     current
        DESCRIPTION
               "The number of fragments currently queued in the 
                fragment reassembly unit."
        ::= { cidsHealth 4 }

cidsHealthDatagramsInFRU OBJECT-TYPE
        SYNTAX     Gauge32 
        MAX-ACCESS read-only
        STATUS     current
        DESCRIPTION
               "The number of datagrams currently queued in the
                fragment reassembly unit."
        ::= { cidsHealth 5 }

cidsHealthTcpEmbryonicStreams OBJECT-TYPE
        SYNTAX     Gauge32 
        MAX-ACCESS read-only
        STATUS     current
        DESCRIPTION
               "The number of embryonic TCP streams currently
                queued in the device.  TCP streams are
                considered embryonic if they have not 
                completed the TCP three-way handshake."
        ::= { cidsHealth 6 }

cidsHealthTCPEstablishedStreams OBJECT-TYPE
        SYNTAX     Gauge32 
        MAX-ACCESS read-only
        STATUS     current
        DESCRIPTION
               "The number of established TCP streams currently
                queued in the device.  Once a stream has
                completed a TCP three-way handshake it will 
                move to the established state."
        ::= { cidsHealth 7 }

cidsHealthTcpClosingStreams OBJECT-TYPE
        SYNTAX     Gauge32 
        MAX-ACCESS read-only
        STATUS     current
        DESCRIPTION
               "The number of closing TCP streams currently 
                queued in the device.  A stream will move 
                from the established state to closing when
                a valid FIN or RST flag is received."
        ::= { cidsHealth 8 }

cidsHealthTcpStreams OBJECT-TYPE
        SYNTAX     Gauge32 
        MAX-ACCESS read-only
        STATUS     current
        DESCRIPTION
               "The number of TCP streams (embryonic, 
                established and closing) currently queued 
                in the device."
        ::= { cidsHealth 9 }

cidsHealthActiveNodes OBJECT-TYPE
        SYNTAX     Gauge32 
        MAX-ACCESS read-only
        STATUS     current
        DESCRIPTION
               "The number of active nodes currently queued in
                the device."
        ::= { cidsHealth 10 }

cidsHealthTcpDualIpAndPorts OBJECT-TYPE
        SYNTAX     Gauge32 
        MAX-ACCESS read-only
        STATUS     current
        DESCRIPTION
               "The number TCP nodes keyed on both IP addresses 
                and both ports currently queued in the device."
        ::= { cidsHealth 11 }

cidsHealthUdpDualIpAndPorts OBJECT-TYPE
        SYNTAX     Gauge32 
        MAX-ACCESS read-only
        STATUS     current
        DESCRIPTION
               "The number UDP nodes keyed on both IP addresses 
                and both ports currently queued in the device."
        ::= { cidsHealth 12 }

cidsHealthIpDualIp OBJECT-TYPE
        SYNTAX     Gauge32 
        MAX-ACCESS read-only
        STATUS     current
        DESCRIPTION
               "The number IP nodes keyed on both IP addresses 
                currently queued in the device."
        ::= { cidsHealth 13 }

cidsHealthIsSensorMemoryCritical OBJECT-TYPE
        SYNTAX     Unsigned32 ( 0..10 ) 
        MAX-ACCESS read-only
        STATUS     current
        DESCRIPTION
               "A value between 0 and 10 that should rarely
                get above 3.  If this is non-zero the sensor 
                has stopped enforcing policy on some traffic in 
                order to keep up with the current traffic load; 
                the sensor is oversubscribed. The higher the 
                number the more oversubscribed the sensor. It 
                could be oversubscribed from a memory prospective
                and not traffic speed. For example on a 200 Mbit 
                sensor this number might be 3 if the sensor was 
                only seeing 100Mbit of traffic but 6000 
                connections per second which is over the rated 
                capacity of the sensor.  When the sensor is
                in Memory Critical state then a ciscoCidsError
                trap will be sent accordingly."
        ::= { cidsHealth 14 }

cidsHealthIsSensorActive OBJECT-TYPE
        SYNTAX     TruthValue 
        MAX-ACCESS read-only
        STATUS     current
        DESCRIPTION
               "Indicates the failover status of the device.
                True indicates the device is currently active.
                False indicates it is in a standby mode."
        ::= { cidsHealth 15 }

cidsHealthCommandAndControlPort OBJECT-TYPE
        SYNTAX     SnmpAdminString
        MAX-ACCESS read-only
        STATUS     current
        DESCRIPTION
               "The status and network statistics of the 
                currently configured Command and Control 
                interface on the device.  The Command
                and Control interface is where all of the 
                communications for command and control 
                of the sensor occurs.  This is important
                to identify what interface a user will 
                communicate with to control the sensor 
                remotely and general health statistics
                for that interface."
        ::= { cidsHealth 16 }

cidsHealthSensorStatsResetTime OBJECT-TYPE
        SYNTAX     TimeTicks
        MAX-ACCESS read-only
        STATUS     current
        DESCRIPTION
               "The value of SNMPv2-MIB::sysUpTime
                when the Sensor specific statistics
                was reset.  The reset time is 
                collectively for the following objects: 
                   cidsHealthPacketLoss,
                   cidsHealthPacketDenies,
                   cidsHealthAlarmsGenerated,
                   cidsHealthFragmentsInFRU,
                   cidsHealthDatagramsInFRU,
                   cidsHealthTcpEmbryonicStreams,
                   cidsHealthTcpEstablishedStreams,
                   cidsHealthTcpClosingStreams,
                   cidsHealthTcpStreams"
        ::= { cidsHealth 17 }

-- Notifications

-- Since notifications with a large number of bound objects
-- can be rather large, the agent can provide two different
-- notification generation modes.  One without optional objects
-- to try and keep the notification size below 484 bytes and
-- one with no size limits that will send all available optional
-- objects as well as those explicitly listed in the OBJECTS
-- clause of the notification definition.
--
-- The following objects, defined elsewhere in this MIB module
-- as accessible-for-notify, are optional in that they are not
-- explicitly listed in a notification's OBJECTS clause.
-- When the notification generation mode is set to allow optional
-- objects to be bound, the association of the optional objects
-- to particular notifications is as follows:
--
-- ciscoCidsAlert:
--    cidsGeneralOriginatorAppName
--    cidsGeneralOriginatorAppId
--    cidsAlertSignature
--    cidsAlertSignatureVersion
--    cidsAlertSummary
--    cidsAlertSummaryType
--    cidsAlertSummaryFinal
--    cidsAlertSummaryInitialAlert
--    cidsAlertInterfaceGroup
--    cidsAlertVlan
--    cidsAlertVictimContext
--    cidsAlertAttackerContext
--    cidsAlertIpLoggingActivated
--    cidsAlertTcpResetSent
--    cidsAlertShunRequested
--    cidsAlertDetails
--    cidsAlertIpLogId
--    cidsThreatResponseStatus
--    cidsThreatResponseSeverity
--    cidsAlertEventRiskRating
--
-- ciscoCidsError:
--    cidsGeneralOriginatorAppName
--    cidsGeneralOriginatorAppId

ciscoCidsAlert NOTIFICATION-TYPE
        OBJECTS {
                cidsGeneralEventId,
                cidsGeneralLocalTime,
                cidsGeneralUTCTime,
                cidsGeneralOriginatorHostId, 
                cidsAlertSeverity, 
                cidsAlertSignatureSigName, 
                cidsAlertSignatureSigId,
                cidsAlertSignatureSubSigId,
                cidsAlertAlarmTraits,
                cidsAlertAttackerAddress,
                cidsAlertVictimAddress
        }
        STATUS  current
        DESCRIPTION
                "Event indicating that some suspicious or malicious 
                 activity has been detected on a monitored network."  
        ::= { ciscoCidsMIBNotifs 1 }

ciscoCidsError NOTIFICATION-TYPE
        OBJECTS {
                cidsGeneralEventId,
                cidsGeneralLocalTime,
                cidsGeneralUTCTime,
                cidsGeneralOriginatorHostId,
                cidsErrorSeverity,
                cidsErrorName,
                cidsErrorMessage
        }
        STATUS  current
        DESCRIPTION
                "Event indicating that an error has occurred."
        ::= { ciscoCidsMIBNotifs 2 }

-- Conformance

ciscoCidsMIBCompliances OBJECT IDENTIFIER ::= { ciscoCidsMIBConform 1 }
ciscoCidsMIBGroups      OBJECT IDENTIFIER ::= { ciscoCidsMIBConform 2 }

-- Compliance

ciscoCidsMIBCompliance MODULE-COMPLIANCE
        STATUS current
        DESCRIPTION
                "The compliance statement for entities which implement
                the Cids MIB"
        MODULE        -- this module
                MANDATORY-GROUPS { 
                        ciscoCidsGeneralObjectGroup,
                        ciscoCidsAlertObjectGroup,
                        ciscoCidsErrorObjectGroup,
                        ciscoCidsHealthObjectGroup
                }
        ::= { ciscoCidsMIBCompliances 1 }


-- Units of Conformance

ciscoCidsGeneralObjectGroup OBJECT-GROUP
        OBJECTS {
                cidsGeneralEventId,
                cidsGeneralLocalTime,
                cidsGeneralUTCTime,
                cidsGeneralOriginatorHostId, 
                cidsGeneralOriginatorAppName,
                cidsGeneralOriginatorAppId,
                cidsNotificationsEnabled
        }
        STATUS current
        DESCRIPTION
                "General Objects." 
        ::= { ciscoCidsMIBGroups 1 }

ciscoCidsAlertObjectGroup OBJECT-GROUP
        OBJECTS {
                cidsAlertSeverity, 
                cidsAlertAlarmTraits, 
                cidsAlertSignature, 
                cidsAlertSignatureSigName, 
                cidsAlertSignatureSigId,
                cidsAlertSignatureSubSigId,
                cidsAlertSignatureVersion,
                cidsAlertSummary,
                cidsAlertSummaryType,
                cidsAlertSummaryFinal,
                cidsAlertSummaryInitialAlert,
                cidsAlertInterfaceGroup,
                cidsAlertVlan,
                cidsAlertVictimContext,
                cidsAlertAttackerContext,
                cidsAlertVictimAddress,
                cidsAlertAttackerAddress,
                cidsAlertIpLoggingActivated,
                cidsAlertTcpResetSent,
                cidsAlertShunRequested,
                cidsAlertDetails,
                cidsAlertIpLogId,
                cidsThreatResponseStatus,
                cidsThreatResponseSeverity,
                cidsAlertEventRiskRating
        }
        STATUS current
        DESCRIPTION
                "Alert Objects." 
        ::= { ciscoCidsMIBGroups 2 }

ciscoCidsErrorObjectGroup OBJECT-GROUP
        OBJECTS {
                cidsErrorSeverity,
                cidsErrorName,
                cidsErrorMessage
        }
        STATUS current
        DESCRIPTION
                "Error Objects." 
        ::= { ciscoCidsMIBGroups 3 }


ciscoCidsNotificationsGroup NOTIFICATION-GROUP
        NOTIFICATIONS { 
                      ciscoCidsAlert,
                      ciscoCidsError 
        }
        STATUS current
        DESCRIPTION
                "The notifications which are required."
        ::= { ciscoCidsMIBGroups 4 }

ciscoCidsHealthObjectGroup OBJECT-GROUP
        OBJECTS {
                cidsHealthPacketLoss,
                cidsHealthPacketDenialRate,
                cidsHealthAlarmsGenerated,
                cidsHealthFragmentsInFRU,
                cidsHealthDatagramsInFRU,
                cidsHealthTcpEmbryonicStreams,
                cidsHealthTCPEstablishedStreams,
                cidsHealthTcpClosingStreams,
                cidsHealthTcpStreams,
                cidsHealthActiveNodes,
                cidsHealthTcpDualIpAndPorts,
                cidsHealthUdpDualIpAndPorts,
                cidsHealthIpDualIp,
                cidsHealthIsSensorMemoryCritical,
                cidsHealthIsSensorActive,
                cidsHealthCommandAndControlPort,
                cidsHealthSensorStatsResetTime
        }
        STATUS current
        DESCRIPTION
                "Health Objects." 
        ::= { ciscoCidsMIBGroups 5 }

END
OID .1.3.6.1.4.1.9.9.383OID .1.3.6.1.4.1.9.9.383.0TRAP .1.3.6.1.4.1.9.9.383.0.1TRAP .1.3.6.1.4.1.9.9.383.0.2OID .1.3.6.1.4.1.9.9.383.1OID .1.3.6.1.4.1.9.9.383.1.1OID .1.3.6.1.4.1.9.9.383.1.1.1OID .1.3.6.1.4.1.9.9.383.1.1.2OID .1.3.6.1.4.1.9.9.383.1.1.3OID .1.3.6.1.4.1.9.9.383.1.1.4OID .1.3.6.1.4.1.9.9.383.1.1.5OID .1.3.6.1.4.1.9.9.383.1.1.6OID .1.3.6.1.4.1.9.9.383.1.1.7OID .1.3.6.1.4.1.9.9.383.1.2OID .1.3.6.1.4.1.9.9.383.1.2.1OID .1.3.6.1.4.1.9.9.383.1.2.2OID .1.3.6.1.4.1.9.9.383.1.2.3OID .1.3.6.1.4.1.9.9.383.1.2.4OID .1.3.6.1.4.1.9.9.383.1.2.5OID .1.3.6.1.4.1.9.9.383.1.2.6OID .1.3.6.1.4.1.9.9.383.1.2.7OID .1.3.6.1.4.1.9.9.383.1.2.8OID .1.3.6.1.4.1.9.9.383.1.2.9OID .1.3.6.1.4.1.9.9.383.1.2.10OID .1.3.6.1.4.1.9.9.383.1.2.11OID .1.3.6.1.4.1.9.9.383.1.2.12OID .1.3.6.1.4.1.9.9.383.1.2.13OID .1.3.6.1.4.1.9.9.383.1.2.14
OID .1.3.6.1.4.1.9.9.383.1.2.15OID .1.3.6.1.4.1.9.9.383.1.2.16OID .1.3.6.1.4.1.9.9.383.1.2.17OID .1.3.6.1.4.1.9.9.383.1.2.18OID .1.3.6.1.4.1.9.9.383.1.2.19OID .1.3.6.1.4.1.9.9.383.1.2.20OID .1.3.6.1.4.1.9.9.383.1.2.21OID .1.3.6.1.4.1.9.9.383.1.2.22OID .1.3.6.1.4.1.9.9.383.1.2.23OID .1.3.6.1.4.1.9.9.383.1.2.24OID .1.3.6.1.4.1.9.9.383.1.2.25OID .1.3.6.1.4.1.9.9.383.1.3OID .1.3.6.1.4.1.9.9.383.1.3.1OID .1.3.6.1.4.1.9.9.383.1.3.2OID .1.3.6.1.4.1.9.9.383.1.3.3OID .1.3.6.1.4.1.9.9.383.1.4OID .1.3.6.1.4.1.9.9.383.1.4.1OID .1.3.6.1.4.1.9.9.383.1.4.2OID .1.3.6.1.4.1.9.9.383.1.4.3OID .1.3.6.1.4.1.9.9.383.1.4.4OID .1.3.6.1.4.1.9.9.383.1.4.5OID .1.3.6.1.4.1.9.9.383.1.4.6OID .1.3.6.1.4.1.9.9.383.1.4.7OID .1.3.6.1.4.1.9.9.383.1.4.8OID .1.3.6.1.4.1.9.9.383.1.4.9OID .1.3.6.1.4.1.9.9.383.1.4.10OID .1.3.6.1.4.1.9.9.383.1.4.11OID .1.3.6.1.4.1.9.9.383.1.4.12OID .1.3.6.1.4.1.9.9.383.1.4.13OID .1.3.6.1.4.1.9.9.383.1.4.14OID .1.3.6.1.4.1.9.9.383.1.4.15OID .1.3.6.1.4.1.9.9.383.1.4.16OID .1.3.6.1.4.1.9.9.383.1.4.17OID .1.3.6.1.4.1.9.9.383.2OID .1.3.6.1.4.1.9.9.383.2.1OID .1.3.6.1.4.1.9.9.383.2.1.1OID .1.3.6.1.4.1.9.9.383.2.2OID .1.3.6.1.4.1.9.9.383.2.2.1OID .1.3.6.1.4.1.9.9.383.2.2.2OID .1.3.6.1.4.1.9.9.383.2.2.3OID .1.3.6.1.4.1.9.9.383.2.2.4OID .1.3.6.1.4.1.9.9.383.2.2.5