--******************************************************************************
-- HM2-DOS-MITIGATION-MIB: Managed objects for 
--
-- March 2012
-- 
-- Copyright (c) Hirschmann Automation & Control GmbH 2012
--******************************************************************************

HM2-DOS-MITIGATION-MIB DEFINITIONS ::= BEGIN
IMPORTS 
	OBJECT-TYPE, MODULE-IDENTITY,
	Unsigned32
		FROM SNMPv2-SMI
	RowStatus, TEXTUAL-CONVENTION
		FROM SNMPv2-TC	
	MODULE-COMPLIANCE, OBJECT-GROUP
                FROM SNMPv2-CONF
        InterfaceIndex 
        	FROM IF-MIB
        hm2ConfigurationMibs, HmEnabledStatus		   
        	FROM HM2-TC-MIB        
	;

hm2DosMitigationMib MODULE-IDENTITY
	LAST-UPDATED "201209180000Z" -- September 18, 2012
	ORGANIZATION "Hirschmann Automation and Control GmbH"
    CONTACT-INFO
        "Postal:     Stuttgarter Str. 45-51
                     72654 Neckartenzlingen
                     Germany
         Phone:      +49 7127 140
         E-mail:     hac.support@belden.com"
    DESCRIPTION
          "Hirschmann Denial of Service MIB
           Copyright (C) 2012. All Rights Reserved."
    REVISION     "201209180000Z" -- September 18, 2012
    DESCRIPTION
          "Change the range of valid values for
           hm2DosMitigationTcpMinimalHeaderSize
           MIB object from (0..255) to (20..255)."
    REVISION     "201208200000Z" -- August 20, 2012
    DESCRIPTION
          "hm2DosMitigationTcpFrag MIB object removed."
    REVISION     "201206060000Z" -- June 06, 2012
    DESCRIPTION
          "Add MIB objects for all features supported by XGS4 switch."
    REVISION     "201203190000Z" -- Mar 19, 2012
    DESCRIPTION
          "Initial version."
	::= { hm2ConfigurationMibs 82 }

DosFeatureValue ::= TEXTUAL-CONVENTION
    STATUS   current
    DESCRIPTION 
       "Type of feature support: 
       		- hw(1): Supported in Hardware
       		- sw(2): Supported in Software
       		- noSup(3): Not implemented (no support)"
	SYNTAX   INTEGER {
			hw(1),
			sw(2),
			noSup(3)
	}
    


hm2DosMitigationNotifications 	OBJECT IDENTIFIER ::= { hm2DosMitigationMib 0 }
hm2DosMitigationObjects 		OBJECT IDENTIFIER ::= { hm2DosMitigationMib 1 }
hm2DosMitigationConformance 	OBJECT IDENTIFIER ::= { hm2DosMitigationMib 2}

--******************************************************************************
--                         General Settings
--******************************************************************************

hm2DosMitigationGeneralSettings OBJECT IDENTIFIER ::= { hm2DosMitigationObjects 1 }

hm2DosMitigationTcpHdrChecks OBJECT IDENTIFIER ::= { hm2DosMitigationGeneralSettings 1 }

hm2DosMitigationTcpNullScan OBJECT-TYPE
	SYNTAX HmEnabledStatus
	MAX-ACCESS read-write
	STATUS current
	DESCRIPTION
		"When enabled, TCP Null scans (TCP flags and sequence number
		set to 0) are filtered by the device."
	DEFVAL { disable }
	::= { hm2DosMitigationTcpHdrChecks 1 }


hm2DosMitigationTcpXmasScan OBJECT-TYPE
	SYNTAX HmEnabledStatus
	MAX-ACCESS read-write
	STATUS current
	DESCRIPTION
        "When enabled TCP Xmas scans (TCP flags FIN, 
        URG and PSH all set to 1 and a TCP sequence 
        number = 0) are filtered by the device."
	DEFVAL { disable }
	::= { hm2DosMitigationTcpHdrChecks 4 }

hm2DosMitigationTcpSynFinScan OBJECT-TYPE
	SYNTAX HmEnabledStatus
	MAX-ACCESS read-write
	STATUS current
	DESCRIPTION
		"When enabled TCP packets with SYN and FIN flags set are
		filtered by the device."
	DEFVAL { disable }
	::= { hm2DosMitigationTcpHdrChecks 7 }

hm2DosMitigationTcpMinimalHeader OBJECT-TYPE
	SYNTAX HmEnabledStatus
	MAX-ACCESS read-write
	STATUS current
	DESCRIPTION
		"When enabled all TCP frames are checked for a minimal valid 
		header size. Packets that contain an invalid header size are
		discarded."
	DEFVAL { disable }
	::= { hm2DosMitigationTcpHdrChecks 10 }

hm2DosMitigationTcpMinimalHeaderSize OBJECT-TYPE
	SYNTAX Unsigned32 (20..255)
	MAX-ACCESS read-write
	STATUS current
	DESCRIPTION
		" Specifies the minimum size of a valid TCP frame header size."
	DEFVAL { 20 }
	::= { hm2DosMitigationTcpHdrChecks 11 }

hm2DosMitigationLandAttack OBJECT-TYPE
	SYNTAX HmEnabledStatus
	MAX-ACCESS read-write
	STATUS current
	DESCRIPTION
		"When enabled all IP frames are checked for equality of
		src and dst IP address (known as land attack). Packets that 
		contain such a combination are silently discarded when
		enabled."
	DEFVAL { disable }
	::= { hm2DosMitigationTcpHdrChecks 13 }

hm2DosMitigationTcpOffsetEqu1 OBJECT-TYPE
	SYNTAX HmEnabledStatus
	MAX-ACCESS read-write
	STATUS current
	DESCRIPTION
		"Enable/Disable TCP offset DoS protection. All packets
        ingress having a TCP header offset equal to 1 are dropped."
	DEFVAL { disable }
	::= { hm2DosMitigationTcpHdrChecks 14 }

hm2DosMitigationTcpPrivilegedSrcPort OBJECT-TYPE
	SYNTAX HmEnabledStatus
	MAX-ACCESS read-write
	STATUS current
	DESCRIPTION
		"Enable/Disable TCP SYN and L4 source port smaller than 1024 
        DoS protection. All packets ingress having the TCP SYN flag set 
        and a L4 source port from 0 to 1023 are dropped."
	DEFVAL { disable }
	::= { hm2DosMitigationTcpHdrChecks 	15 }

hm2DosMitigationTcpSrcDstPortEqu OBJECT-TYPE
	SYNTAX HmEnabledStatus
	MAX-ACCESS read-write
	STATUS current
	DESCRIPTION
		"Enable/Disable L4 source port equals L4 destination port 
        DoS protection. All TCP or UDP packets ingress having the
        L4 source port equal to L4 destination port are dropped."
	DEFVAL { disable }
	::= { hm2DosMitigationTcpHdrChecks 16 }


hm2DosMitigationIcmpChecks OBJECT IDENTIFIER ::= { hm2DosMitigationGeneralSettings 2 }

hm2DosMitigationIcmpFrags OBJECT-TYPE
	SYNTAX HmEnabledStatus
	MAX-ACCESS read-write
	STATUS current
	DESCRIPTION
		"When enabled, all fragmented ICMP packets are filtered by the
		device."
	DEFVAL { disable }
	::= { hm2DosMitigationIcmpChecks 1 }


hm2DosMitigationIcmpPacketSize OBJECT-TYPE
	SYNTAX Unsigned32 (0..1472)
	MAX-ACCESS read-write
	STATUS current
	DESCRIPTION
		"Specifies the max. allowed payload size of ICMP packets. 
		Packets having bigger payload are filtered by the device
		if the hm2DosMitigationIcmpPacketSizeMode is enabled."
	DEFVAL { 512 }
	::= { hm2DosMitigationIcmpChecks 4 }

hm2DosMitigationIcmpPacketSizeMode OBJECT-TYPE
	SYNTAX HmEnabledStatus
	MAX-ACCESS read-write
	STATUS current
	DESCRIPTION
		"When enabled all ICMP ingress packets having the
		payload bigger than hm2DosMitigationIcmpPacketSize
		are filtered by device. "
	DEFVAL { disable }
	::= { hm2DosMitigationIcmpChecks 5 }
	
hm2DosMitigationIcmpSmurfAttack OBJECT-TYPE
    SYNTAX HmEnabledStatus
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "When enabled, all ingress ICMP packets having
         the type set to ECHO_REQ (ping) and a broadcast
         destination IP are dropped. "
    DEFVAL { disable }
    ::= { hm2DosMitigationIcmpChecks 6 }

hm2DosMitigationL2Checks OBJECT IDENTIFIER ::= { hm2DosMitigationGeneralSettings 3}

hm2DosMitigationSMacDMac OBJECT-TYPE
    SYNTAX HmEnabledStatus
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "Enable/Disable source MAC address equals destination
         MAC address DoS protection. All packets ingress having
         SMAC equals DMAC are dropped."
    DEFVAL { enable }
    ::= { hm2DosMitigationL2Checks 7 }


hm2DosMitigationCapabilities OBJECT IDENTIFIER ::= { hm2DosMitigationGeneralSettings 0 }

hm2DosMitigationTcpHdrChecksSup OBJECT-TYPE
	SYNTAX DosFeatureValue
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION
	    "The type of support for TCP header checks."
        ::= { hm2DosMitigationCapabilities 1 }
	
hm2DosMitigationIcmpChecksSup OBJECT-TYPE
	SYNTAX DosFeatureValue
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION
		"The type of support for ICMP checks."
		::= { hm2DosMitigationCapabilities 2 }

hm2DosMitigationTcpSynLimitSup OBJECT-TYPE
	SYNTAX DosFeatureValue
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION
		"The type of support for TCP SYN limiter."
		::= { hm2DosMitigationCapabilities 3 }

hm2DosMitigationArpLimitSup OBJECT-TYPE
	SYNTAX DosFeatureValue
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION
		"The type of support for ARP limiter."
		::= { hm2DosMitigationCapabilities 4 }
	
hm2DosMitigationTcpNullScanSup OBJECT-TYPE
	SYNTAX DosFeatureValue
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION
		"The type of support for TCP Null Scan."
		::= { hm2DosMitigationCapabilities 5 }

hm2DosMitigationTcpXmasSup OBJECT-TYPE
	SYNTAX DosFeatureValue
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION
		"The type of support for TCP Xmas Scan."
		::= { hm2DosMitigationCapabilities 6 }
	

hm2DosMitigationTcpLandSup OBJECT-TYPE
	SYNTAX DosFeatureValue
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION
		"The type of support for land attack detection."
		::= { hm2DosMitigationCapabilities 7 }
	
	
--******************************************************************************
--                         TCP Syn/Arp Limiter
--******************************************************************************

hm2DosMitigationLimiter OBJECT IDENTIFIER ::= { hm2DosMitigationObjects 2 }

hm2DosMitigationLimiterObjects OBJECT IDENTIFIER ::= { hm2DosMitigationLimiter 1 }

hm2DosMitigationLimiterRules OBJECT IDENTIFIER ::= { hm2DosMitigationLimiter 2 }

hm2DosMitigationLimiterRuleTable OBJECT-TYPE 
	SYNTAX SEQUENCE OF Hm2DosMitigationLimiterRuleEntry
	MAX-ACCESS not-accessible
	STATUS current
	DESCRIPTION
		"TCP Syn Limiter Interface Table"
	::= { hm2DosMitigationLimiterRules 1 }	

hm2DosMitigationLimiterRuleEntry OBJECT-TYPE
	SYNTAX Hm2DosMitigationLimiterRuleEntry
	MAX-ACCESS not-accessible
	STATUS current
	DESCRIPTION
		"TCP Syn Interface entry."
	INDEX { hm2DosMitigationLimiterInterface }
	::= { hm2DosMitigationLimiterRuleTable 1 }
	
Hm2DosMitigationLimiterRuleEntry ::=
	SEQUENCE {
		hm2DosMitigationLimiterInterface InterfaceIndex,
		hm2DosMitigationLimiterTcpSynLimit Unsigned32,
		hm2DosMitigationLimiterArpLimit Unsigned32,		
		hm2DosMitigationLimiterRowStatus RowStatus
	}

hm2DosMitigationLimiterInterface OBJECT-TYPE
	SYNTAX InterfaceIndex
	MAX-ACCESS accessible-for-notify
	STATUS current
	DESCRIPTION
		"The interface the limiter is assigned to."
		::={ hm2DosMitigationLimiterRuleEntry 1 }

hm2DosMitigationLimiterTcpSynLimit OBJECT-TYPE
	SYNTAX Unsigned32
	MAX-ACCESS read-create
	STATUS current
	DESCRIPTION
		"The number of allowed outgoing TCP syn packets per second
		per interface. 
		A value of 0 disables the limiter for this interface."
		::={ hm2DosMitigationLimiterRuleEntry 2 }

hm2DosMitigationLimiterArpLimit OBJECT-TYPE
	SYNTAX Unsigned32
	MAX-ACCESS read-create
	STATUS current
	DESCRIPTION
		"The number of allowed outgoing ARP packets per second per
		interface. 
		A value of 0 disables the limiter for this interface."
		::={ hm2DosMitigationLimiterRuleEntry 3 }


hm2DosMitigationLimiterRowStatus OBJECT-TYPE
	SYNTAX RowStatus
	MAX-ACCESS read-create
	STATUS current
	DESCRIPTION
		"Row status."
		::={ hm2DosMitigationLimiterRuleEntry 4 }
	

--******************************************************************************
--			Compliance statements
--******************************************************************************

hm2DosMitigationCompliances OBJECT IDENTIFIER ::= { hm2DosMitigationConformance 1 }
hm2DosMitigationGroups OBJECT IDENTIFIER ::= { hm2DosMitigationConformance 2 }

hm2DosMitigationCompliance MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION
        "The compliance statement for an SNMP entity which
         implements the Hirschmann DOS Mitigation MIB."
    MODULE     -- this module
    MANDATORY-GROUPS { hm2DosMitigationGeneralGroup }
    ::= { hm2DosMitigationCompliances 1 }

hm2DosMitigationGeneralGroup OBJECT-GROUP
    OBJECTS {
        hm2DosMitigationTcpSynFinScan,
        hm2DosMitigationTcpNullScan,
    	hm2DosMitigationTcpXmasScan,
    	hm2DosMitigationTcpMinimalHeader,
        hm2DosMitigationTcpMinimalHeaderSize,
    	hm2DosMitigationLandAttack,
        hm2DosMitigationTcpOffsetEqu1,
        hm2DosMitigationTcpPrivilegedSrcPort,
        hm2DosMitigationTcpSrcDstPortEqu,
    	hm2DosMitigationIcmpFrags,
    	hm2DosMitigationIcmpPacketSize,
        hm2DosMitigationIcmpPacketSizeMode,
        hm2DosMitigationSMacDMac,
        hm2DosMitigationTcpHdrChecksSup,
        hm2DosMitigationIcmpChecksSup,
        hm2DosMitigationTcpSynLimitSup,
        hm2DosMitigationArpLimitSup,
        hm2DosMitigationLimiterInterface,
        hm2DosMitigationLimiterTcpSynLimit,
        hm2DosMitigationLimiterArpLimit,		
        hm2DosMitigationLimiterRowStatus,
        hm2DosMitigationTcpXmasSup,
        hm2DosMitigationTcpNullScanSup,
        hm2DosMitigationTcpLandSup
    }
    STATUS      current
    DESCRIPTION
        "A collection of all Hirschmann objects provided by the DoS Mitigation
        module."
    ::= { hm2DosMitigationGroups 1 }
END
