0 Replies Latest reply on Jan 26, 2010 6:14 AM by GaryP

    Dropping Traps Based on 'Trap Details'?

    GaryP

      Hi all, I'd like to create a rule in the Trap Viewer app that drops incoming traps based on a combination of the Trap Type and the presence of a string in the Trap details.

      All our Cisco devices on campus get telnet'd into on a regular basis by a process running on three servers that collects the startup-config. This creates around 15,000 traps a day that I don't want to know about and is taking up database space.

      I could simply drop all 'CISCO-CRC-MIB:ciscoTelnetTrap' traps but I'd still like to see traps for connections that aren't coming from my monitoring hosts. In the Trap Viewer app I can see that the Trap Details field actually contains the IP address for the monitoring servers as part of the loctcpConnInBytes, loctcpConnOutBytes, loctcpConnElapsed and tcpConnState OIDs. Unfortunately these OIDs are transitory as they use the source and destination IP address and TCP/UDP ports as part of their full path.

      i.e. lotcpConnOutBytes for 158.125.5.13 connecting to 131.231.3.164 via telnet (port 23) would be found on:

      1.3.6.1.4.1.9.2.6.1.1.2.131.231.3.164.23.158.125.5.13.48837

      ...but that OID would disappear once the connection was torn down and would be different (due to randomness of the originating high port) each time a connection was initiated.

      Now, the basic trap data is being stored in dbo.Traps and the extended data ('Trap Details') is being stored in dbo.TrapVarBinds (each entry in dbo.Traps creating about 10 entries in dbo.TrapVarBinds, tied together by 'TrapID'). I can write a SQL query that pulls back (or deletes, for that matter) all the entries I want but I'd much rather block them as soon as they come in with a 'drop' action in the Trap Viewer.

      Complicated...I know....any bright ideas? I know this was kind-of-covered in Re: Alarm based on Trap Details but I'm really testing for the existence of an OID, rather than looking at the value it holds.