Velocity Reviews


joeblow 06-07-2004 11:21 PM

SNMP dest ip:port monitoring and alarm w/4000 router?
 
Is it possible (using snmp maybe?) to monitor traffic coming into a
4000 router and to ensure that traffic for a certain ip address(es) and
dest port(s) is present and to send an event, or
make a syslog entry or something when that dest-ip:dest-port traffic
ceases?

thanks

Walter Roberson 06-08-2004 03:37 AM

Re: SNMP dest ip:port monitoring and alarm w/4000 router?
 
In article <pan.2004.06.07.23.21.10.606552@casselout.dk>,
joeblow <dadude@casselout.dk> wrote:
:Is it possible (using snmp maybe?) to monitor traffic coming into a
:4000 router and to ensure that traffic for a certain ip address(es) and
:dest port(s) is present and to send an event, or
:make a syslog entry or something when that dest-ip:dest-port traffic
:ceases?

I don't believe you can do that using SNMP.

You might be able to work something out around analyzing netflow
logs.

You could put a 'permit...log' ACL entry in for the desired traffic,
and have your syslog server generate an alarm if one of the
regular traffic summaries for that entry did not show up. That could
take 5 minutes (by default), but the timing is adjustable.

What you -probably- should be doing is SPAN'ing the traffic
to an IDS-type tool (even if only home grown). I do not know at
the moment whether the 4000 supports SPAN.

--
The image data is transmitted back to Earth at the speed of light
and usually at 12 bits per pixel.
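
The syslog-side check suggested in the post above, as an added example that is not part of the thread: it scans stored 'permit...log' ACL entries (IOS %SEC-6-IPACCESSLOGP messages) and reports any window in which none arrived for the watched dest-ip:dest-port. The log file layout, ACL number, host name, addresses and the 6-minute threshold (the 5-minute default plus slack) are assumptions.

```python
import re
from datetime import datetime, timedelta

# IOS ACL log entry as written by the syslog server. The leading ISO 8601
# timestamp and hostname are assumptions about the server's file format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ .*%SEC-6-IPACCESSLOGP: list \S+ permitted \S+ "
    r"[\d.]+\(\d+\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<n>\d+) packets?"
)

def silent_periods(lines, dst_ip, dst_port, start, end, max_silence):
    """Return (from, to) windows inside [start, end] that are longer than
    max_silence and contain no permit-log entry for dst_ip:dst_port."""
    seen = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["dst"] != dst_ip or int(m["dport"]) != dst_port:
            continue
        ts = datetime.fromisoformat(m["ts"])
        if int(m["n"]) > 0 and start <= ts <= end:
            seen.append(ts)
    gaps, prev = [], start
    for ts in sorted(seen) + [end]:  # 'end' closes the final window
        if ts - prev > max_silence:
            gaps.append((prev, ts))
        prev = ts
    return gaps

# Constructed sample lines: ACL 110, router name and addresses are made up.
HDR = " rtr4000 41: %SEC-6-IPACCESSLOGP: list 110 permitted tcp "
SAMPLE = [
    "2004-06-08T03:00:10" + HDR + "10.0.0.5(3456) -> 192.0.2.10(443), 1 packet",
    "2004-06-08T03:05:10" + HDR + "10.0.0.5(3456) -> 192.0.2.10(443), 57 packets",
    "2004-06-08T03:06:00" + HDR + "10.0.0.9(4000) -> 192.0.2.11(25), 3 packets",
    "2004-06-08T03:10:10" + HDR + "10.0.0.5(3456) -> 192.0.2.10(443), 40 packets",
    # no entries for 192.0.2.10:443 until traffic resumes here
    "2004-06-08T03:31:02" + HDR + "10.0.0.5(3460) -> 192.0.2.10(443), 1 packet",
]

if __name__ == "__main__":
    day = datetime(2004, 6, 8)
    gaps = silent_periods(SAMPLE, "192.0.2.10", 443, day.replace(hour=3),
                          day.replace(hour=3, minute=35), timedelta(minutes=6))
    for a, b in gaps:
        print(f"ALARM: no traffic to 192.0.2.10:443 from {a} to {b}")
```
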

AnyBody43 06-10-2004 02:37 PM

Re: SNMP dest ip:port monitoring and alarm w/4000 router?
 
roberson@ibd.nrc-cnrc.gc.ca (Walter Roberson) wrote
> In article <pan.2004.06.07.23.21.10.606552@casselout.dk>,
> joeblow <dadude@casselout.dk> wrote:
> :Is it possible (using snmp maybe?) to monitor traffic coming into a
> :4000 router and to ensure that traffic for a certain ip address(es) and
> :dest port(s) is present and to send an event, or
> :make a syslog entry or something when that dest-ip:dest-port traffic
> :ceases?
>
> I don't believe you can do that using SNMP.
>
> You might be able to work something out around analyzing netflow
> logs.
>
> You could put a 'permit...log' ACL entry in for the desired traffic,
> and have your syslog server generate an alarm if one of the
> regular traffic summaries for that entry did not show up. That could
> take 5 minutes (by default), but the timing is adjustable.
>
> What you -probably- should be doing is SPAN'ing the traffic
> to an IDS-type tool (even if only home grown). I do not know at
> the moment whether the 4000 supports SPAN.


A home grown monitor would most likely be easy in Perl using
WinDump (and WinPcap).

VBScript or any development system that allows external commands to
be run and the output read by the program would be suitable.

