Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2186
Views
10
Helpful
6
Replies

EEM policy: Netflow Detector

Go to solution
SKC-Korotkov-999
Level 1
Level 1

‎04-17-2012 05:41 AM

Hi all!

Can anyone give full example of the use of event_register_nf detector in TCL script.

At cisco.com only the syntax commands and there is no example.

Interested in the meaning of keywords: event_type, exit_event_type, event1- event4

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Joe Clarke
Cisco Employee
Cisco Employee
In response to SKC-Korotkov-999

‎04-19-2012 12:18 AM

You will need to specify an exit-event.  For example:

event nf monitor-name "pingmon" event-type create  exit-event-type delete event1 entry-value "5" field ipv4 ttl entry-op lt exit-value "5" exit-op lt

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Joe Clarke
Cisco Employee
Cisco Employee

‎04-17-2012 07:57 AM

Here's a low TTL detection example:

flow record pingwatcher
 match ipv4 ttl
 match ipv4 source address
 match ipv4 destination address
!
flow monitor pingmon
 record pingwatcher

event manager applet watchLowTTL
 event nf monitor-name "pingmon" event-type create event1 entry-value "5" field ipv4 ttl entry-op lt
 action 1.0 syslog msg "TTL=$_nf_event1_value detected between $_nf_source_address and $_nf_dest_address"

Go to solution
SKC-Korotkov-999
Level 1
Level 1
In response to Joe Clarke

‎04-18-2012 12:17 AM

Thanks Joseph!

As I understand it, applet will be triggered when will create a new flow with the parameters: ttl < 5.

You can still answer questions:

1. What's the difference between the values ​​of event1, event2, event3, event4 ?

2. Which means that the parameter exit_event-type ?

0 Helpful

Go to solution
Joe Clarke
Cisco Employee
Cisco Employee
In response to SKC-Korotkov-999

‎04-18-2012 06:33 AM

You can choose to create multiple NF events (up to four) on which to react.  This particular policy only needs one to match the low TTL.  The exit-event signals when the policy should re-arm.  Without an exit-event, the policy will fire every time there is a low TTL match.  If the exit-event is specified, the policy will not fire again until the exit-event criteria are met then the entry-event criteria are met again.

Go to solution
SKC-Korotkov-999
Level 1
Level 1
In response to Joe Clarke

‎04-19-2012 12:12 AM

Hi Joseph!

Thanks for the answer.

I'm trying to use the exit-event-type as:  

   event nf monitor-name "pingmon" event-type create  exit-event-type delete event1 entry-value "5" field ipv4 ttl entry-op lt

But the policy is not rearmed again.

New ping (after netflow Inactive timeout - 15 sec default) does not cause reactions policy.

She had rearm for the delete of flow? It does not happen, or I misunderstood your.

0 Helpful

Go to solution
Joe Clarke
Cisco Employee
Cisco Employee
In response to SKC-Korotkov-999

‎04-19-2012 12:18 AM

You will need to specify an exit-event.  For example:

event nf monitor-name "pingmon" event-type create  exit-event-type delete event1 entry-value "5" field ipv4 ttl entry-op lt exit-value "5" exit-op lt

0 Helpful

Go to solution
SKC-Korotkov-999
Level 1
Level 1
In response to Joe Clarke

‎04-19-2012 01:00 AM

Hi Joseph! Thanks, is now  working!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents