04-17-2012 05:41 AM
Hi all!
Can anyone give a full example of the use of the event_register_nf detector in a TCL script?
At cisco.com there are only the syntax commands and no example.
I'm interested in the meaning of the keywords: event_type, exit_event_type, event1-event4.
04-17-2012 07:57 AM
Here's a low TTL detection example:
flow record pingwatcher
match ipv4 ttl
match ipv4 source address
match ipv4 destination address
!
flow monitor pingmon
record pingwatcher
event manager applet watchLowTTL
event nf monitor-name "pingmon" event-type create event1 entry-value "5" field ipv4 ttl entry-op lt
action 1.0 syslog msg "TTL=$_nf_event1_value detected between $_nf_source_address and $_nf_dest_address"
04-18-2012 12:17 AM
Thanks Joseph!
As I understand it, the applet will be triggered when a new flow is created with the parameter ttl < 5.
Could you still answer some questions:
1. What's the difference between the values event1, event2, event3, event4?
2. What does the parameter exit-event-type mean?
04-18-2012 06:33 AM
You can choose to create multiple NF events (up to four) on which to react. This particular policy only needs one to match the low TTL. The exit-event signals when the policy should re-arm. Without an exit-event, the policy will fire every time there is a low TTL match. If the exit-event is specified, the policy will not fire again until the exit-event criteria are met then the entry-event criteria are met again.
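As an added illustration (not code from the thread or from Cisco), a small Python model of the arm/re-arm behaviour described above: the policy fires on an entry event (flow create, ttl lt 5) and, when an exit event is configured, stays disarmed until the exit criteria (flow delete, ttl lt 5) are met. The flow events and field names are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class FlowEvent:
    kind: str   # "create" or "delete", mirroring event-type / exit-event-type
    ttl: int    # value of the matched field, here "ipv4 ttl"

class NfPolicy:
    """Models an EEM NetFlow event: entry criteria with optional exit criteria.
    Only the 'lt' operator is modelled, as in the thread's configuration."""
    def __init__(self, entry_type: str, entry_value: int,
                 exit_type: Optional[str] = None, exit_value: Optional[int] = None):
        self.entry_type, self.entry_value = entry_type, entry_value
        self.exit_type, self.exit_value = exit_type, exit_value
        self.armed = True

    def process(self, ev: FlowEvent) -> bool:
        """Return True when the policy fires for this event."""
        if self.armed:
            if ev.kind == self.entry_type and ev.ttl < self.entry_value:  # entry-op lt
                if self.exit_type is not None:
                    self.armed = False          # stay quiet until exit-event matches
                return True
            return False
        # Disarmed: only an exit event matching the exit criteria re-arms the policy.
        if ev.kind == self.exit_type and self.exit_value is not None and ev.ttl < self.exit_value:  # exit-op lt
            self.armed = True
        return False

def run(policy: NfPolicy, events: List[FlowEvent]) -> List[bool]:
    return [policy.process(e) for e in events]

# Constructed sample: two low-TTL flow creates, a flow delete, another low-TTL create, a normal one.
EVENTS = [FlowEvent("create", 3), FlowEvent("create", 2), FlowEvent("delete", 3),
          FlowEvent("create", 1), FlowEvent("create", 64)]

def without_exit() -> List[bool]:
    # No exit-event: fires on every low-TTL create.
    return run(NfPolicy("create", 5), EVENTS)

def with_exit() -> List[bool]:
    # exit-event-type delete, exit-value 5, exit-op lt: second create is suppressed
    # until the delete re-arms the policy.
    return run(NfPolicy("create", 5, "delete", 5), EVENTS)
```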
04-19-2012 12:12 AM
Hi Joseph!
Thanks for the answer.
I'm trying to use the exit-event-type as:
event nf monitor-name "pingmon" event-type create exit-event-type delete event1 entry-value "5" field ipv4 ttl entry-op lt
But the policy is not re-armed.
A new ping (after the NetFlow inactive timeout, 15 sec by default) does not trigger the policy.
Should it have re-armed on the deletion of the flow? That does not happen, or I misunderstood you.
04-19-2012 12:18 AM
You will need to specify an exit-event. For example:
event nf monitor-name "pingmon" event-type create exit-event-type delete event1 entry-value "5" field ipv4 ttl entry-op lt exit-value "5" exit-op lt
04-19-2012 01:00 AM
Hi Joseph! Thanks, it is now working!