
OSPF LSA vulnerability monitoring - EEM script

This EEM script (Tcl policy) monitors the routing table of an IOS router to determine whether the router has seen an invalid LSA, which would indicate an attempt to exploit CVE-2013-0149. If an exploit attempt is seen, the script generates a syslog message. The script runs every EEM_OSPF_PERIOD seconds, and its maximum runtime is EEM_OSPF_MAX_RUNTIME seconds.

This policy requires the following EEM environment variables to be set:

  • EEM_OSPF_PERIOD <1-100> (seconds)
  • EEM_OSPF_MAX_RUNTIME <1-100> (seconds)

An example of the EEM policy commands that are needed on the router after copying the Tcl file eem_ospf_vuln.tcl to the router's flash:

event manager environment EEM_OSPF_PERIOD 20

event manager environment EEM_OSPF_MAX_RUNTIME 5

event manager directory user policy "flash:/"

event manager policy eem_ospf_vuln.tcl

The script is attached below.
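
The attached policy's logic is not shown on this page. The following is an added example, not the attached script or Cisco's code, of one way to check for an invalid Router LSA offline. It assumes the indicator is a Router LSA in `show ip ospf database` output whose Link ID differs from its ADV Router (RFC 2328 sets a Router LSA's Link State ID to the originator's Router ID). The sample output and function names are constructed for illustration.

```python
import re

# Constructed sample of `show ip ospf database` output (not from a real router).
SAMPLE = """\
            OSPF Router with ID (10.0.0.1) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
10.0.0.1        10.0.0.1        512         0x80000004 0x00A1B2 3
10.0.0.2        10.0.0.2        498         0x80000003 0x0041C7 2
10.0.0.2        10.0.0.9        12          0x80000005 0x00D3E1 2

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
10.0.12.2       10.0.0.2        498         0x80000001 0x00B2C3

                Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
192.0.2.0       10.0.0.2        300         0x80000001 0x00C4D5 0
"""

# Section banner, e.g. "Router Link States (Area 0)"; the area is absent for Type-5.
SECTION = re.compile(r"^\s*(.+?) Link States(?: \(Area ([^)]+)\))?\s*$")
# Data row: Link ID, ADV Router, then the numeric Age column.
ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+\d+")

def find_mismatched_router_lsas(output):
    """Return (area, link_id, adv_router) for Router LSAs whose IDs differ."""
    findings, section, area = [], None, None
    for line in output.splitlines():
        banner = SECTION.match(line)
        if banner:
            section, area = banner.group(1), banner.group(2)
            continue
        # Only Router LSAs must have Link ID == ADV Router; Net, Summary and
        # External LSAs legitimately differ, so those sections are skipped.
        if section != "Router":
            continue
        row = ROW.match(line)
        if row and row.group(1) != row.group(2):
            findings.append((area, row.group(1), row.group(2)))
    return findings

def syslog_messages(findings):
    """Format one alert line per finding (message wording is hypothetical)."""
    return [f"OSPF area {a}: Router LSA {lid} advertised by {adv}, "
            "possible CVE-2013-0149 attempt" for a, lid, adv in findings]
```
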