DX NetOps

  • 1.  Events and custom events

    Posted Jul 22, 2015 06:45 AM

    This is all based around the following event/trap.

     

    A "rhProtectionTrap" event has occurred, from {t} device, named {m}.

     

    The SNMP trap that is generated when a protection is activated, deactivated, terminated or failed on a guard for the specified Zone, either by an operator or by a detector or termination detection.

     

    rhTrapModifier = {T rhTrapModifier 1}

    rhTrapSeverity = {T rhTrapSeverity 2}

    rhZoneId = {I 3}

    rhZoneName = {S 4}

    rhTrapEventTime = {S 5}

    rhTrapSeqNumber = {I 6}

    rhTrapDescription = {S 7}

     

    This is to notify us of elements of DDOS attacks from one of our devices.

     

    What I'm aiming to do is get the above trap creating alarms for each attack and then clearing them when they stop. However, there are a few elements that are causing me a problem.

     

    Basically the same trap is used for when attacks start and stop; this is variable 1, which is either start or stop.

     

    And I need a new alarm instance for each attack on a different zone which is set out in variable 3.

     

    So to start off with what I have done is created a copy of the original event (original event code 0xfff000a2) the copy is called 0xfff000b0.

     

    I have then set an event rule in the original to say:

    If event 0xfff000a2 occurs, if ({v 1}=={S start}), evaluates to TRUE, then generate event 0xfff000b0.

     

    So as I want each alarm to be set via alarm in event 0xfff000b0 I have set to create the alarm and use Event Variable Discriminators set to 3 (which I believe should create a new alarm for each different value in variable 3 which is rhZoneId)

     

    Next I create another copy of the original event, this time (0xfff000b2), and I set up a new criteria in the original event as such:

    If event 0xfff000a2 occurs, if ({v 1}=={S stop}), evaluates to TRUE, then generate event 0xfff000b2

     

    So in theory if the trap comes in with start then it will generate event 0xfff000b0, and if a trap comes in with stop it will generate event 0xfff000b2.

     

    In the Cleared Alarms Area for event 0xFFF000b2 I select the cause code 0xfffb0 with event variable discriminators set to 3.

     

    So in theory I should now have set up the below:

     

    Event 0xfff000a2 which is triggered by the initial trap coming in.

     

    If the string in variable 1 = start it generates event 0xfff000b0 which creates a unique alarm based on each unique zone id as set in variable 3.

     

    However if the String in variable 1 = stop then it generates event 0xfff000b2 which has event 0xfff000b0 in its cleared Alarm(s) with the discriminator of 3, so should clear any start alarms with the same zone ID.

     

    I'm running testing now, but thought I would sanity check this via the community.

     

    Any obvious snagging points I have missed, or am I doing this the long way round somehow?

     

    Cheers

     

    Dan
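
An added example, not part of the original thread and not Spectrum's own logic: a small Python model of the rule chain described in the post above (variable 1 selects the start or stop event, variable 3 is the discriminator), replayed over constructed traps to check the intended behaviour, including a repeated start and a stop with no open alarm. The class, function names and sample traps are assumptions.

```python
from dataclasses import dataclass, field

# Event codes as named in the post; the Python model itself is hypothetical.
TRAP_EVENT, START_EVENT, STOP_EVENT = 0xFFF000A2, 0xFFF000B0, 0xFFF000B2

@dataclass
class AlarmTable:
    """Active alarms keyed by (raising event, discriminator value)."""
    active: dict = field(default_factory=dict)
    unmatched_clears: list = field(default_factory=list)

    def handle_trap(self, varbinds):
        """Apply both rules on variable 1, then raise or clear by variable 3."""
        modifier, zone_id = varbinds[1], varbinds[3]
        generated = []
        if modifier == "start":   # rule 1: generate the start event
            generated.append(START_EVENT)
            # In this model a repeated start for a zone keeps one alarm.
            self.active.setdefault((START_EVENT, zone_id), varbinds)
        if modifier == "stop":    # rule 2: generate the stop event
            generated.append(STOP_EVENT)
            if self.active.pop((START_EVENT, zone_id), None) is None:
                # Stop arrived with no open alarm for this zone.
                self.unmatched_clears.append(zone_id)
        return generated

    def open_zones(self):
        return sorted(zone for _, zone in self.active)

def replay(traps):
    """Feed traps in order; return the final table and per-trap generated events."""
    table = AlarmTable()
    log = [table.handle_trap(t) for t in traps]
    return table, log

# Constructed sample traps: {varbind position: value}, positions as in the post.
SAMPLE_TRAPS = [
    {1: "start", 3: 10, 4: "zone-a"},
    {1: "start", 3: 20, 4: "zone-b"},
    {1: "start", 3: 10, 4: "zone-a"},  # duplicate start for zone 10
    {1: "stop", 3: 10, 4: "zone-a"},
    {1: "stop", 3: 30, 4: "zone-c"},   # stop for a zone that never started
]

if __name__ == "__main__":
    table, log = replay(SAMPLE_TRAPS)
    print("generated events:", [[hex(e) for e in g] for g in log])
    print("zones still alarmed:", table.open_zones())
    print("stops with nothing to clear:", table.unmatched_clears)
```

Each trap should produce exactly one generated event in this model; a trap that yields both would indicate the two conditions are not mutually exclusive.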



  • 2.  Re: Events and custom events

    Broadcom Employee
    Posted Jul 22, 2015 10:34 AM

    Hi Dan,

    That looks correct and you’ve covered your bases so I would expect you’ll be good to go with what you’ve done.

    Cheers

    Jay



  • 3.  Re: Events and custom events

    Posted Jul 28, 2015 11:32 AM

    Hi all,

     

    Quick update: we are actually using the rhAttackTrap instead, but all other bits stay the same with the exception of the stop string now = end, and I have it set on the end event to not just clear the start event but to generate an alarm that notifies the operators of the fact the attack has ended.

     

    So what is happening now I have applied this is that on the attack = start event it is actually generating the attack start and the attack end events at the same time.

     

    i.e. rhTrapModifier = start; this is somehow matching the condition that = end. Checked the event and it definitely = start.

     

    So when we have an attack start it is now generating 2 alarms, one saying it has started and one saying it has ended, at the same time, and I think what's worse is that as they are at the same time there is no event for the end event to clear, so our console shows both.

     

    Any ideas?