cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4006
Views
0
Helpful
0
Comments
Panos Kampanakis
Cisco Employee
Cisco Employee

This EEM script (TCL policy) monitors the routing table of an IOS router in order to find if the router has seen an invalid LSA, which would mean there was an attempt to exploit CVE-2013-0149. If an exploit was seen the script generates a syslog. The script runs every EEM_OSPF_PERIOD seconds and its maximum runtime can be EEM_OSPF_MAX_RUNTIME seconds.

This policy requires the followin EEM environment variables to be set:

  • EEM_OSPF_PERIOD <1-100> (seconds)
  • EEM_OSPF_MAX_RUNTIME <1-100> (seconds)

An example of the EEM policy commands that are needed on the router after copying the tcl eem_ospf_vln.tcl in the router's flash: are

event manager environment EEM_OSPF_PERIOD 20

event manager environment EEM_OSPF_MAX_RUNTIME 5

event manager directory user policy "flash:/"

event manager policy eem_ospf_vuln.tcl

The script is attached below.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: