Core issue
When you use signature auto-update on NM-CIDS modules running 5.1(1), you do not receive any Simple Network Management Protocol (SNMP) traps when an update completes. However, SNMP trap messages can be received when a signature update fails.
Resolution
SNMP trap: The SNMP protocol has five basic message types, and the SNMP trap is one of them.
Why is an SNMP trap different from all other message types?
- It is the only case in which the SNMP agent in the field initiates communication with the SNMP manager. The remaining four message types are initiated by the SNMP manager or issued in response to an SNMP manager's message. A trap is a way of notifying the SNMP manager that "something is wrong".
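To make the distinction concrete on a trap receiver, the following added example (not part of the original note) reads the BER header of an SNMPv1/v2c datagram and reports which of the message types it carries and which side initiates it. The two sample datagrams are constructed for illustration, and the function names are hypothetical.

```python
# PDU tags for the five SNMPv1 message types (RFC 1157), plus the SNMPv2c trap.
PDU_TYPES = {
    0xA0: ("GetRequest", "manager"),
    0xA1: ("GetNextRequest", "manager"),
    0xA2: ("GetResponse", "agent, in reply"),
    0xA3: ("SetRequest", "manager"),
    0xA4: ("Trap", "agent, unsolicited"),
    0xA7: ("SNMPv2-Trap", "agent, unsolicited"),
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the BER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("BER element runs past end of data")
    return tag, pos, pos + length

def classify(datagram):
    """Return (pdu_name, initiator, community) for an SNMPv1/v2c datagram."""
    tag, start, end = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("message is not a SEQUENCE")
    body = datagram[start:end]         # bound all further parsing to the message
    tag, _, ver_end = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version is not an INTEGER")
    tag, c_start, c_end = read_tlv(body, ver_end)
    if tag != 0x04:
        raise ValueError("community is not an OCTET STRING")
    pdu_tag, _, _ = read_tlv(body, c_end)
    name, initiator = PDU_TYPES.get(pdu_tag, ("unknown", "unknown"))
    return name, initiator, body[c_start:c_end].decode("ascii", "replace")

# Constructed samples: a v1 GetRequest and a v1 Trap from 192.0.2.1, community "public".
SAMPLE_GET = bytes.fromhex("301802010004067075626c6963a00b0201010201000201003000")
SAMPLE_TRAP = bytes.fromhex("302602010004067075626c6963a41906062b0601040109"
                            "4004c00002010201060201014301003000")

if __name__ == "__main__":
    for sample in (SAMPLE_GET, SAMPLE_TRAP):
        print(classify(sample))
```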
CISCO-CIDS-MIB defines the ciscoCidsError notification, which is sent when there is an error on the sensor, as shown in this example:
    ciscoCidsError NOTIFICATION-TYPE
        cidsGeneralEventId,
        cidsGeneralLocalTime,
        cidsGeneralUTCTime,
        cidsGeneralOriginatorHostId,
        cidsErrorSeverity,
        cidsErrorName,
        cidsErrorMessage
Because a failed signature update is an evError, it is sent as a trap. A successful update is not considered an error, and therefore no error warning is generated when an update completes.
Protocol / Ports
Simple Network Management Protocol (SNMP)