Trap variables

The NetProfiler traps include a set of variables describing the conditions that caused the trap. Most variables are common to all NetProfiler traps. However, traps generated by the following types of policies include additional variables:

Denial of Service/Bandwidth Surge

Suspicious Connection

New Server Port

Performance and Availability

User-defined

Service

Variables that are common to all NetProfiler trap messages

The NetProfiler attaches variables to traps to provide information to the trap receiver. All traps include a set of variables describing the conditions that caused the trap. Traps for some types of policies include additional variables, which are listed separately by trap. Where applicable, the variables that are common to all NetProfiler traps include:

  • Trap Number – an INTEGER, indicated by a component of the trap Object ID .1.3.6.1.4.1.7054.70.0.n, where n is the unique, enterprise-specific trap number as listed in the table above.  

  • System Up Time – an INTEGER, identified as .1.3.6.1.2.1.1.3.0, that is the length of time that the NetProfiler operating system has been running, expressed in Time Ticks (hundredths of a second).

  • Severity – an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.1.0, that indicates the severity, on a scale of 1 to 100, of the event that triggered the alert.

  • Event Description – a human-readable OCTET STRING, identified as .1.3.6.1.4.1.7054.71.2.3.0, that provides the name of the type of policy that caused the alert.

  • Event ID – an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.4.0, that is the NetProfiler Event ID number for the event that triggered the alert. This is the ID number displayed on the Dashboard page and the Event Reports page.

  • Event URL – an OCTET STRING, identified as .1.3.6.1.4.1.7054.71.2.5.0, that is the URL of the Event Details report for the event that triggered the alert.  This is given in the format https://<profiler_name>/event_viewer.php?id=<event_ID>. A NetProfiler login (Event Viewer role or higher) and password are required to view the report.

  • Alert Level – an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.7.0, that indicates the level of the alert, where 1 is Low, 2 is Medium, and 3 is High.

  • Start Time – an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.8.0, that is the epoch time that the event started.

  • Source Count – an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.16.0, that is the number of sources associated with the event.

  • Source List – a sequence, identified as .1.3.6.1.4.1.7054.71.2.17.0, that lists the IP address and host name of sources associated with the event. The elements in this list are:

Index – an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.17.1.1.n, where n is the number of the row.

Name – an OCTET STRING, which is the DNS name (if available) of the source host, and is identified as .1.3.6.1.4.1.7054.71.2.17.1.2.n, where n is the number of the row.

Address – an IpAddress, which is the IP address of the source host, and is identified as .1.3.6.1.4.1.7054.71.2.17.1.3.n, where n is the number of the row.

For example, the OIDs for the first three rows are:

Index:  .1.3.6.1.4.1.7054.71.2.17.1.1.1

Name:  .1.3.6.1.4.1.7054.71.2.17.1.2.1

Address:  .1.3.6.1.4.1.7054.71.2.17.1.3.1

Index:  .1.3.6.1.4.1.7054.71.2.17.1.1.2

Name:  .1.3.6.1.4.1.7054.71.2.17.1.2.2

Address:  .1.3.6.1.4.1.7054.71.2.17.1.3.2

Index:  .1.3.6.1.4.1.7054.71.2.17.1.1.3

Name:  .1.3.6.1.4.1.7054.71.2.17.1.2.3

Address:  .1.3.6.1.4.1.7054.71.2.17.1.3.3

  • Destination Count – an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.18.0, that is the number of destinations associated with the event.

  • Destination List – a sequence, identified as .1.3.6.1.4.1.7054.71.2.19.0, that lists the IP address and host name of destinations associated with the event. The elements in this list are:

Index – an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.19.1.1.n, where n is the number of the row.

Name – an OCTET STRING, which is the DNS name (if available) of the destination host, and is identified as .1.3.6.1.4.1.7054.71.2.19.1.2.n, where n is the number of the row.

Address – an IpAddress, which is the IP address of the destination host, and is identified as .1.3.6.1.4.1.7054.71.2.19.1.3.n, where n is the number of the row.

  • Protocol Count – an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.20.0, that is the number of protocols associated with the event.

  • Protocol List – a sequence, identified as .1.3.6.1.4.1.7054.71.2.21.0, that lists the protocols associated with the event. The elements in this list are:

Index – an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.21.1.1.n, where n is the number of the row.

Name – an OCTET STRING, which is the name of the protocol, and is identified as .1.3.6.1.4.1.7054.71.2.21.1.2.n, where n is the number of the row.

Number – an INTEGER, which is the number of the protocol, and is identified as .1.3.6.1.4.1.7054.71.2.21.1.3.n, where n is the number of the row.

  • Port Count – an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.22.0, that is the number of ports associated with the event.

  • Port List – a sequence, identified as .1.3.6.1.4.1.7054.71.2.23.0, that lists the ports associated with the event. The elements in this list are:

Index – an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.23.1.1.n, where n is the number of the row.

Name – an OCTET STRING, which is the name of the port, and is identified as .1.3.6.1.4.1.7054.71.2.23.1.2.n, where n is the number of the row.

Protocol Number – an INTEGER, which is the numeric ID of the protocol associated with the port, and is identified as .1.3.6.1.4.1.7054.71.2.23.1.3.n, where n is the number of the row.

Port Number – an INTEGER, which is the numeric ID of the port, and is identified as .1.3.6.1.4.1.7054.71.2.23.1.4.n, where n is the number of the row.

The length of the source, destination, protocol, and port lists is limited by the "Maximum length of lists attached to traps" setting in the SNMP MIB Configuration section of the Administration > General Settings page. For compatibility reasons, the protocol/port-related variables are named in terms of "services" in the MIB.
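
The OID layout above maps directly onto a trap-receiver decoder. The following is an added example, not NetProfiler or vendor code: it rebuilds the source, destination, protocol and port lists from their row OIDs and flags any list whose count variable exceeds the rows actually attached. It assumes the receiver hands over varbinds as (OID string, decoded value) pairs; the function and field names are hypothetical and the sample varbinds are constructed.

```python
# Added example, not vendor code. OIDs are the ones listed on this page.
BASE = "1.3.6.1.4.1.7054.71.2."
SCALARS = {"1.0": "severity", "3.0": "event_description", "4.0": "event_id",
           "5.0": "event_url", "7.0": "alert_level", "8.0": "start_time",
           "16.0": "source_count", "18.0": "destination_count",
           "20.0": "protocol_count", "22.0": "port_count"}
HOST = {"1": "index", "2": "name", "3": "address"}
# list OID component -> (list name, matching count field, {column: field})
TABLES = {"17": ("sources", "source_count", HOST),
          "19": ("destinations", "destination_count", HOST),
          "21": ("protocols", "protocol_count",
                 {"1": "index", "2": "name", "3": "number"}),
          "23": ("ports", "port_count", {"1": "index", "2": "name",
                 "3": "protocol_number", "4": "port_number"})}
ALERT_LEVELS = {1: "Low", 2: "Medium", 3: "High"}

def decode_trap(varbinds):
    """varbinds: iterable of (dotted OID string, already-decoded value)."""
    event, cells = {name: [] for name, _, _ in TABLES.values()}, {}
    for oid, value in varbinds:
        oid = oid.lstrip(".")
        if not oid.startswith(BASE):
            continue  # sysUpTime and anything else outside this subtree
        suffix = oid[len(BASE):]
        parts = suffix.split(".")
        if suffix in SCALARS:
            event[SCALARS[suffix]] = value
        elif len(parts) == 4 and parts[0] in TABLES and parts[1] == "1":
            name, _, cols = TABLES[parts[0]]  # cell is <list>.1.<column>.<row>
            if parts[2] in cols and parts[3].isdigit():
                cells.setdefault((name, int(parts[3])), {})[cols[parts[2]]] = value
    for (name, _row), fields in sorted(cells.items(), key=lambda kv: kv[0]):
        event[name].append(fields)
    event["alert_level_name"] = ALERT_LEVELS.get(event.get("alert_level"), "invalid")
    event["severity_valid"] = 1 <= event.get("severity", 0) <= 100
    # A count above the attached row total means the list was cut at the
    # "Maximum length of lists attached to traps" setting.
    event["truncated"] = [name for name, count, _ in TABLES.values()
                          if event.get(count, 0) > len(event[name])]
    return event

# Constructed sample: a trap reporting 3 sources with only 2 rows attached.
P = "." + BASE
SAMPLE = [(".1.3.6.1.2.1.1.3.0", 123456), (P + "1.0", 80), (P + "4.0", 4711),
          (P + "7.0", 3), (P + "16.0", 3), (P + "18.0", 1),
          (P + "17.1.1.2", 2), (P + "17.1.3.2", "192.0.2.11"),
          (P + "17.1.1.1", 1), (P + "17.1.2.1", "host-a.example"),
          (P + "17.1.3.1", "192.0.2.10"),
          (P + "19.1.1.1", 1), (P + "19.1.3.1", "198.51.100.5")]
```

A non-empty "truncated" list tells the consumer that the Event Details report at the Event URL holds hosts or ports the trap itself did not carry.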


Additional trap variables

Denial of Service/Bandwidth Surge trap variables

In addition to the variables that are common to all NetProfiler traps, Denial of Service/Bandwidth Surge traps include:

  • normal bytes per second – an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.31.0, that is the normal number of bytes per second for the current profile.

  • current bytes per second – an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.32.0, that is the current number of bytes per second.

  • normal packets per second – an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.33.0, that is the normal number of packets per second for the current profile.

  • current packets per second – an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.34.0, that is the current number of packets per second.

Suspicious Connection trap variables

In addition to the variables that are common to all NetProfiler traps, Suspicious Connection traps include:

  • current number of connections – an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.36.0, that is the current number of connections per second.

New Server Port trap variables

In addition to the variables that are common to all NetProfiler traps, New Server Port traps include:

  • host or group switch – an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.41.1.0, that indicates whether the policy alerted on a host or on a group, where 1 indicates Host, and 2 indicates Group.

  • host name – an OCTET STRING, identified as .1.3.6.1.4.1.7054.71.2.41.2.0.  If the policy alerts for only a specified host, then this is the host name.

  • host address – an IpAddress, identified as .1.3.6.1.4.1.7054.71.2.41.3.0.  If the policy alerts for only a specified host, then this is the host’s IP address.

  • policy description – an OCTET STRING, identified as .1.3.6.1.4.1.7054.71.2.43.0, that describes the policy that was violated.

  • group type ID – an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.41.4.0.  If the policy alerts for only a given group, then this is the numeric ID of the group type.

  • group ID – an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.41.5.0.  If the policy alerts for only a given group, then this is the numeric ID of the group.

Performance, Availability, and User-defined trap variables

In addition to the variables that are common to all NetProfiler traps, Performance and Availability traps and User-defined traps both include:

  • policy name – an OCTET STRING, identified as .1.3.6.1.4.1.7054.71.2.42.0, that is the name of the policy that was violated.

  • policy description – an OCTET STRING, identified as .1.3.6.1.4.1.7054.71.2.43.0, that describes the policy that was violated.

  • upper or lower bound – an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.45.0, that identifies whether the threshold is an upper bound or lower bound, where 1 indicates upper bound and 2 indicates lower bound.

  • threshold value – an INTEGER, identified as .1.3.6.1.4.1.7054.71.2.46.0, that identifies the traffic rate for the exceeded threshold.

  • threshold units – a STRING, identified as .1.3.6.1.4.1.7054.71.2.47.0, that identifies the units of measure that the rule is using.

Service Policy trap variables

In addition to the variables that are common to all NetProfiler traps, Service traps include:

  • policy name – an OCTET STRING, identified as .1.3.6.1.4.1.7054.71.2.42.0, that is the name of the policy that was violated.

  • policy description – an OCTET STRING, identified as .1.3.6.1.4.1.7054.71.2.43.0, that describes the policy that was violated.
