1 Reply Latest reply on Jun 13, 2012 2:14 PM by robrod

    SNMP GET Question - IPS



      We have a IPS from Mcafee, a Network Security Plataform.


      We need to get via SNMP, the number of blocked access.

      I was checking documentations and I found this 2 articles:

      https://kc.mcafee.com/corporate/index?page=content&id=KB71562&actp=search&viewlo cale=en_US&searchid=1334255115227


      We tried to use the same command as is showed at link above:


      snmpwalk –v3 –t10 –a MD5 –A <authentication-key> –x DES –X <private-key> –u <username> –l authPriv <sensor-IP> .


      And it didn’t worked, it returned a weird string.

      Another article that i´ve found was:


      https://kc.mcafee.com/corporate/index?page=content&id=KB66374&actp=search&viewlo cale=en_US&searchid=1334242160401


      It shows traps MIBs.


      I think that the value of ivAlertCount can give us the number that we need. But this Get is not working, I checked and maybe this is only a “TRAP” type of SNMP.


      We did some tests with this OIDs:





      And we got some results.


      The question is if there is a SNMP OID to get the number of blocked access due a signature was detected (the same value that is showed on NSP GUI).



        • 1. Re: SNMP GET Question - IPS

          Can you clarify "blocked access"? Do you mean that  you would like to know when someone attempts to login to the sensor? If so, there are other ways to do that like looking at the audit logs. Or you could use TACACS and then configure TACACS to send a syslog event if you need to see this behavior real-time.


          As for SNMP, you may want to have a look at the MIBS. Most of the MIBS are entirely hardware-based, so there doesn't appear to be a way to look at the audit logs on the sensor via SNMP.


          Here is the link for the NSP MIBS: https://kc.mcafee.com/corporate/index?page=content&id=KB55030


          Hope this helps you.