We have a IPS from Mcafee, a Network Security Plataform.
We need to get via SNMP, the number of blocked access.
I was checking documentations and I found this 2 articles:
We tried to use the same command as is showed at link above:
snmpwalk –v3 –t10 –a MD5 –A <authentication-key> –x DES –X <private-key> –u <username> –l authPriv <sensor-IP> .184.108.40.206.4.1.89220.127.116.11.1.1.1
And it didn’t worked, it returned a weird string.
Another article that i´ve found was:
It shows traps MIBs.
I think that the value of ivAlertCount can give us the number that we need. But this Get is not working, I checked and maybe this is only a “TRAP” type of SNMP.
We did some tests with this OIDs:
And we got some results.
The question is if there is a SNMP OID to get the number of blocked access due a signature was detected (the same value that is showed on NSP GUI).
Can you clarify "blocked access"? Do you mean that you would like to know when someone attempts to login to the sensor? If so, there are other ways to do that like looking at the audit logs. Or you could use TACACS and then configure TACACS to send a syslog event if you need to see this behavior real-time.
As for SNMP, you may want to have a look at the MIBS. Most of the MIBS are entirely hardware-based, so there doesn't appear to be a way to look at the audit logs on the sensor via SNMP.
Here is the link for the NSP MIBS: https://kc.mcafee.com/corporate/index?page=content&id=KB55030
Hope this helps you.