   SNORT-INTRUSION-DETECTION-ALERT-MIB DEFINITIONS ::= BEGIN
    IMPORTS
      MODULE-IDENTITY,  Counter32, Gauge32, OBJECT-TYPE,
      OBJECT-IDENTITY,  NOTIFICATION-TYPE, mib-2
                 FROM SNMPv2-SMI
      MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP
                 FROM SNMPv2-CONF
      SnmpEngineID, SnmpAdminString
                 FROM SNMP-FRAMEWORK-MIB
      InetAddressType, InetAddress
                 FROM INET-ADDRESS-MIB
      URLString
                 FROM NETWORK-SERVICES-MIB
      snortExp
                 FROM SNORT-COMMON-MIB;

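   -- Module identity for the Snort alert MIB.
   --
   -- Deployment note: every object in this module is MAX-ACCESS
   -- read-only, so it cannot be used to reconfigure a sensor, but the
   -- sensor table discloses inventory (version, location, address) and
   -- the alert table discloses what the IDS has detected.  Grant read
   -- access to this subtree only to management stations that are meant
   -- to see IDS output (restrict the view with VACM; prefer SNMPv3
   -- authentication/privacy over community-string access).
   snortIDSAlertMIB MODULE-IDENTITY
       LAST-UPDATED "200107250000Z"        --  25th July 2001
       ORGANIZATION "Snort.org"
       CONTACT-INFO
      "                      Glenn Mansfield Keeni
                     Postal: Cyber Solutions Inc.
                             6-6-3, Minami Yoshinari
                             Aoba-ku, Sendai, Japan 989-3204.
                        Tel: +81-22-303-4012
                        Fax: +81-22-303-4015
                     E-mail: glenn@cysols.com

                             Martin Roesch
                             6550 Bonnie Brae Dr.
                             Eldersburg, MD 21784
                             US

                        Tel: +1-410-549-7810
                     E-mail: roesch@sourcefire.com

       Support Group E-mail: mibsupport@cysols.com"

       DESCRIPTION
               " The MIB for snort Alert Messages."
       -- SMIv2 records module history in REVISION clauses; the most
       -- recent one must carry the same date as LAST-UPDATED.  Only this
       -- one date is on record here, so a single REVISION is listed.
       REVISION "200107250000Z"
       DESCRIPTION
               " Revision dated 25th July 2001 (matches LAST-UPDATED)."
            ::= { snortExp 1 }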
                                      
   --  sidaSensors: The Table of Sensors. Each row represents a Snort Sensor.
   --  sidaSensorID is the key to the table. 

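    -- Table of sensors: one conceptual row per Snort sensor, indexed by
    -- sidaSensorID.  The alert table (sidaAlerts) reuses sidaSensorID as
    -- the first component of its own index, so a row here is the anchor
    -- for that sensor's alerts.  The DESCRIPTION previously said each row
    -- described "an alert", which is what sidaAlerts holds, not this table.
    sidaSensors OBJECT-TYPE
        SYNTAX  SEQUENCE OF SidaSensorEntry
        MAX-ACCESS  not-accessible
        STATUS  current
        DESCRIPTION
          " Each row of this table contains information
            about a Snort sensor, indexed by sidaSensorID."
        ::= { snortIDSAlertMIB 1 }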

--
--  The sensor static objects
--
    -- Conceptual row of sidaSensors, one per Snort sensor.  Its index
    -- object sidaSensorID is itself a column of the row (an "auxiliary
    -- object" in SMIv2 terms) and is reused as the first index component
    -- of sidaAlertEntry.
    sidaSensorEntry OBJECT-TYPE
        SYNTAX  SidaSensorEntry
        MAX-ACCESS  not-accessible
        STATUS  current
        DESCRIPTION
          " Entry containing information pertaining to
            a snort sensor."
        INDEX { sidaSensorID }
        ::= { sidaSensors 1 }

    -- Row layout for sidaSensorEntry.  In SMIv2 each member must carry
    -- the same base type as the SYNTAX of the matching OBJECT-TYPE (range
    -- sub-typing is given on the OBJECT-TYPE, not here).  All ten members
    -- below agree with their OBJECT-TYPE definitions.
    SidaSensorEntry ::= SEQUENCE {
        sidaSensorID 
                   INTEGER,
        sidaSensorDescription 
                   SnmpAdminString,
        sidaSensorVersion   
                   SnmpAdminString,
        sidaSensorLocation 
                   SnmpAdminString,
        sidaSensorAddressType 
                   InetAddressType,
        sidaSensorAddress 
                   InetAddress,
        sidaSensorInterfaceIndex
                 INTEGER,
        sidaSensorManufacturer   
                   SnmpAdminString,
        sidaSensorProductName   
                   SnmpAdminString,
        sidaSensorProductID 
                   OBJECT IDENTIFIER
   }

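    -- Index of the sensor table.  An INTEGER index is encoded as a single
    -- OID sub-identifier, which cannot be negative, so the SYNTAX is
    -- constrained to the non-negative Integer32 range; no instance that
    -- could exist on the wire is excluded by this.  MAX-ACCESS is left
    -- read-only: SMIv2 would normally make an auxiliary index object
    -- not-accessible, but that would also require dropping it from
    -- sidaAlertGroup and would break managers that already read it.
    sidaSensorID OBJECT-TYPE
        SYNTAX  INTEGER (0..2147483647)
        MAX-ACCESS  read-only
        STATUS  current
        DESCRIPTION
          " An identifier to uniquely identify the Analyzer
            in the domain."
        ::= { sidaSensorEntry 1 }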

    -- Free-text label for the sensor.  SnmpAdminString is UTF-8 and at
    -- most 255 octets (see the note above sidaAlertMsg).
    sidaSensorDescription OBJECT-TYPE
        SYNTAX  SnmpAdminString
        MAX-ACCESS  read-only
        STATUS  current
        DESCRIPTION
          " A short description of the Sensor."
        ::= { sidaSensorEntry 2 }

    -- Software version string of the sensor.  With sidaSensorManufacturer
    -- and sidaSensorProductName this identifies the software that raised
    -- an alert; it is also one of the varbinds of sidaAlertGeneric.
    sidaSensorVersion   OBJECT-TYPE
        SYNTAX SnmpAdminString
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
          " the version number of the sensor that detected the event."
        ::= { sidaSensorEntry 3}

    -- Human-readable placement of the sensor.  This is deployment
    -- metadata rather than alert data; together with sidaSensorAddress it
    -- lets a reader map the sensor inventory, which is one reason read
    -- access to this module should be limited to IDS operators.
    sidaSensorLocation OBJECT-TYPE
        SYNTAX SnmpAdminString
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
          " the location of the sensor that detected the event."
        ::= { sidaSensorEntry 4}

    -- Discriminator for sidaSensorAddress, following the INET-ADDRESS-MIB
    -- convention: the type object says how to decode the octets of the
    -- address object in the same row.
    sidaSensorAddressType OBJECT-TYPE
        SYNTAX InetAddressType
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
          "The type of the address which follows."
        ::= { sidaSensorEntry 5}

    -- Network address of the sensor, encoded as indicated by
    -- sidaSensorAddressType.  It is not repeated in the alert rows; the
    -- sidaAlertGeneric notification carries it explicitly instead.
    sidaSensorAddress OBJECT-TYPE
        SYNTAX InetAddress
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
          "The network address of the sensor. "
        ::= { sidaSensorEntry 6}

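    -- ifIndex of the capture interface.  IF-MIB's ifIndex ranges over
    -- 1..2147483647, so the upper bound is widened to match: the previous
    -- 65535 ceiling would have made higher interface numbers unreportable.
    -- Widening the range cannot invalidate any existing value.  Note the
    -- DESCRIPTION speaks of "the event" although this is a per-sensor
    -- column; presumably it is the interface the sensor listens on.
    sidaSensorInterfaceIndex OBJECT-TYPE
        SYNTAX INTEGER (1..2147483647)
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
          " The ifIndex of the interface on which the event was
            detected  by the sensor."
        ::= {sidaSensorEntry 7}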

    -- Vendor name of the sensor software, free text.
    sidaSensorManufacturer   OBJECT-TYPE
        SYNTAX SnmpAdminString
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
          " the Manufacturer of the sensor that detected the event."
        ::= { sidaSensorEntry 8}

    -- Product name of the sensor software, free text; pairs with
    -- sidaSensorManufacturer and sidaSensorVersion.
    sidaSensorProductName   OBJECT-TYPE
        SYNTAX SnmpAdminString
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
          " the name of the product that detected the event."
        ::= { sidaSensorEntry 9}

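    -- Pointer into vendor-specific MIB definitions for this sensor.  The
    -- placeholder { 0 0 } is the zeroDotZero value SMIv2 uses when no
    -- object identifier is available.  (Typo "syntatically" fixed.)
    sidaSensorProductID OBJECT-TYPE
        SYNTAX  OBJECT IDENTIFIER
        MAX-ACCESS  read-only
        STATUS  current
        DESCRIPTION
          "A reference to MIB definitions specific to the
           analyzer generating the message.  If this information
           is not present, its value should be set to the OBJECT
           IDENTIFIER { 0 0 }, which is a syntactically valid
           object identifier."
        ::= { sidaSensorEntry 10 }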

   --  sidaAlerts: The Table of Alerts. Each row represents an Alert.
   --  sidaAlertID is the key to the table. The size of this table will be
   --  implementation dependent - some implementors may choose to keep
   --  a maximum of one message in this table.

    -- Table of alerts.  Rows are keyed by (sidaSensorID, sidaAlertID).
    -- How many alerts an agent retains is implementation dependent (see
    -- the comment above), so a manager must not assume a history is kept.
    sidaAlerts OBJECT-TYPE
        SYNTAX  SEQUENCE OF SidaAlertEntry
        MAX-ACCESS  not-accessible
        STATUS  current
        DESCRIPTION
          " Each row of this table contains information
            about an alert indexed by sidaSensorID and sidaAlertID."
        ::= { snortIDSAlertMIB 2 }

    -- Conceptual row of sidaAlerts.  The first index component ties the
    -- alert to a row of sidaSensors; the second is the per-sensor alert
    -- identifier.
    sidaAlertEntry OBJECT-TYPE
        SYNTAX  SidaAlertEntry
        MAX-ACCESS  not-accessible
        STATUS  current
        DESCRIPTION
          " Entry containing information pertaining to
            an alert."
        INDEX { sidaSensorID, sidaAlertID}
        ::= { sidaAlerts 1 }

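    -- Row layout for sidaAlertEntry.  Each member must carry the same
    -- base type as the SYNTAX of its OBJECT-TYPE.  Three members were
    -- out of step with their definitions: sidaAlertActionsTaken is
    -- SnmpAdminString (not INTEGER), sidaAlertMoreInfo is URLString (not
    -- SnmpAdminString), and sidaAlertOccurrences is a gauge whose SMIv2
    -- type name is Gauge32 (imported above); "Gauge" is the SMIv1 name
    -- and is undefined in an SMIv2 module.
    SidaAlertEntry ::= SEQUENCE {
       sidaAlertID
                 INTEGER,
       sidaAlertTimeStamp
                 SnmpAdminString,
       sidaAlertActionsTaken
                 SnmpAdminString,
       sidaAlertMsg
                 SnmpAdminString,
       sidaAlertMoreInfo
                 URLString,
       sidaAlertSrcAddressType
                 InetAddressType,
       sidaAlertSrcAddress
                 InetAddress,
       sidaAlertDstAddressType
                 InetAddressType,
       sidaAlertDstAddress
                 InetAddress,
       sidaAlertSrcPort
                 INTEGER,
       sidaAlertDstPort
                 INTEGER,
       sidaAlertStartTime
                 SnmpAdminString,
       sidaAlertOccurrences
                 Gauge32
    }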

    -- Per-sensor alert identifier and second index component.  The range
    -- (1..65535) is positive, as an INTEGER index must be, and means an
    -- agent can distinguish at most 65535 alerts per sensor before
    -- identifiers are reused; how reuse is handled is not specified here.
    sidaAlertID OBJECT-TYPE
        SYNTAX INTEGER (1..65535)
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
          " The AlertID uniquely identifies each alert generated
            by the sensor."
        ::= {sidaAlertEntry 1}

    -- Time the alert was generated, carried as a string rather than as
    -- an SNMP time type.  The DESCRIPTION fixes the textual form, so a
    -- manager must parse it as text; the local-time basis means values
    -- from different sensors are comparable only if their clocks and
    -- time zones are known.
    sidaAlertTimeStamp OBJECT-TYPE
        SYNTAX SnmpAdminString
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
          " An NTP style timestamp of the local time when this alert 
            was generated. It will be of the format 991372237.668158 ."
        ::= { sidaAlertEntry 2}

    -- the actions will probably be a comma separated list of action
    -- codes or a pointer to another MIB table from which the actions
    -- may be fetched.
    --

    -- Free-text list of automatic actions (see the comment above for the
    -- intended encoding).  Because the SYNTAX is SnmpAdminString, the
    -- matching member of SidaAlertEntry must also be SnmpAdminString.
    sidaAlertActionsTaken OBJECT-TYPE
        SYNTAX SnmpAdminString
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
          " The list of automatic actions taken by the sensor"
        ::= { sidaAlertEntry 3}

    -- SnmpAdminString length is 255 characters max. It contains
    -- information represented using the ISO/IEC IS 10646-1 character
    -- set, encoded using the UTF-8 transformation format to facilitate
    -- internationalization.

    -- Rule message text.  Its content comes from the rule that fired,
    -- i.e. from the ruleset author; managers should still render it as
    -- plain UTF-8 text rather than interpret it as markup.
    sidaAlertMsg OBJECT-TYPE
        SYNTAX SnmpAdminString
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
          " the message associated with the rule that triggered
            the alert. Conventionally, the name of the attack.
            If there is no message this field will be blank."
        ::= { sidaAlertEntry 4}

    -- Optional reference, typed URLString (NETWORK-SERVICES-MIB), so the
    -- matching SidaAlertEntry member must be URLString as well.  It is a
    -- pointer for an operator to follow; a management application should
    -- display it rather than fetch it automatically, since nothing in
    -- this module vouches for where the URL points.
    sidaAlertMoreInfo OBJECT-TYPE
        SYNTAX  URLString   
        MAX-ACCESS  read-only
        STATUS  current
        DESCRIPTION
          "A reference to more information specific to this
           alert message. This is likely to be a URL. If there is no
           reference available this field will be blank"

        ::= { sidaAlertEntry 5}

    -- Discriminator for sidaAlertSrcAddress (INET-ADDRESS-MIB pairing).
    sidaAlertSrcAddressType OBJECT-TYPE
        SYNTAX InetAddressType
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
          "The type of the Internet address that was the attack source."
        ::= { sidaAlertEntry 6}

    -- Source address as the sensor observed it, "if known", decoded per
    -- sidaAlertSrcAddressType.  Treat it as an observation to investigate,
    -- not as attribution: it is whatever address the traffic carried.
    sidaAlertSrcAddress OBJECT-TYPE
        SYNTAX InetAddress
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
          " The Internet addresses of the entity from which the attack
            originated, if known. "
        ::= { sidaAlertEntry 7}

    -- Discriminator for sidaAlertDstAddress (INET-ADDRESS-MIB pairing).
    sidaAlertDstAddressType OBJECT-TYPE
        SYNTAX InetAddressType
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
          "The type of the Internet address that was the attack target."
        ::= { sidaAlertEntry 8}

    -- Target address of the detected traffic, "if known", decoded per
    -- sidaAlertDstAddressType.  Exposing this over SNMP reveals which
    -- internal hosts are being probed, another reason to limit readers.
    sidaAlertDstAddress OBJECT-TYPE
        SYNTAX InetAddress
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
          " The Internet address of the entity to which the attack
            was destined, if known."
        ::= { sidaAlertEntry 9}

    -- Source transport port, as an unconstrained INTEGER.
    -- NOTE(review): a port fits in (0..65535), but the DESCRIPTION does
    -- not say what is reported for protocols without ports (e.g. ICMP),
    -- so confirm the agent's behaviour before narrowing the SYNTAX.
    sidaAlertSrcPort OBJECT-TYPE
        SYNTAX INTEGER
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
          " The port number from where the attack has originated "
        ::= { sidaAlertEntry 10}

    -- Destination transport port, as an unconstrained INTEGER; the same
    -- range caveat as for sidaAlertSrcPort applies.
    sidaAlertDstPort OBJECT-TYPE
        SYNTAX INTEGER
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
          " The port number to which the attack is destined "
        ::= { sidaAlertEntry 11}

    -- First-detection time of the underlying event, distinct from
    -- sidaAlertTimeStamp (when this alert was generated).  Together with
    -- sidaAlertOccurrences this appears to let one row summarise repeated
    -- events.  Like the timestamp it is a string, not an SNMP time type,
    -- and no textual format is specified for it.
    sidaAlertStartTime OBJECT-TYPE
        SYNTAX SnmpAdminString
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
          " The local date and time when the event causing this alert
            was first detected."
        ::= { sidaAlertEntry 12}

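    -- Number of events summarised by this alert row.  The author chose a
    -- gauge; its SMIv2 type name is Gauge32 (imported above).  "Gauge" is
    -- the SMIv1 spelling and is not defined in an SMIv2 module, so the
    -- original SYNTAX did not compile.  The SidaAlertEntry member for
    -- this object must use Gauge32 as well.
    sidaAlertOccurrences OBJECT-TYPE
        SYNTAX Gauge32
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
          " The number of occurrences of the event that is being
            reported in the alert."
        ::= { sidaAlertEntry 13}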

   sidaAlertTypes   OBJECT IDENTIFIER ::= { snortIDSAlertMIB 3 }
   -- Catch-all notification (NOTIFICATION-TYPE must be imported from
   -- SNMPv2-SMI for this to compile).  The OBJECTS are columnar, so each
   -- varbind's instance identifier carries the index of the row it came
   -- from; the sensor's version and address are included so a receiver
   -- can attribute the alert without walking sidaSensors.  Note that
   -- sidaAlertActionsTaken, sidaAlertStartTime and sidaAlertOccurrences
   -- are not in the notification and must be polled from the row.
   -- Receivers should prefer SNMPv3 authenticated senders: a v1/v2c trap
   -- source address is not authenticated, so unauthenticated traps can
   -- only be filtered by origin, not verified.
   sidaAlertGeneric NOTIFICATION-TYPE
       OBJECTS { sidaSensorVersion, 
                 sidaSensorAddressType,     sidaSensorAddress,  
                 sidaAlertTimeStamp,        sidaAlertMsg,
                 sidaAlertMoreInfo,         sidaAlertSrcAddressType, 
                 sidaAlertSrcAddress,       sidaAlertDstAddressType,
                 sidaAlertDstAddress,       sidaAlertSrcPort,
                 sidaAlertDstPort }
       STATUS  current
       DESCRIPTION
               "The Sida Alert Generic Trap is sent whenever an 
                event is detected by snort (rules) and no specific 
                Alert is found applicable."
       ::= { sidaAlertTypes 1 }

    -- Conformance information
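    sidaConformance OBJECT IDENTIFIER ::= { snortIDSAlertMIB 4 }

    sidaGroups      OBJECT IDENTIFIER ::= { sidaConformance 1 }
    sidaCompliances OBJECT IDENTIFIER ::= { sidaConformance 2 }
    -- Compliance statements
    sidaAlertCompliance MODULE-COMPLIANCE
        STATUS  current
        DESCRIPTION
                "The compliance statement for SNMP entities
                 which implement the
                            SNORT-INTRUSION-DETECTION-ALERT-MIB."
        MODULE  -- this module
            -- Both groups are mandatory: an implementation that populates
            -- the tables but never emits sidaAlertGeneric is not
            -- compliant, which matches the original intent of listing the
            -- notification in the single mandatory group.
            MANDATORY-GROUPS { sidaAlertGroup, sidaAlertNotificationGroup }
        ::= { sidaCompliances 1 }
    -- Units of conformance
    -- An OBJECT-GROUP may list only accessible objects.  The notification
    -- sidaAlertGeneric was previously listed here, which is invalid in
    -- SMIv2; it now lives in sidaAlertNotificationGroup below.
    sidaAlertGroup    OBJECT-GROUP
        OBJECTS {
                    sidaSensorID,
                    sidaSensorDescription,
                    sidaSensorVersion,
                    sidaSensorLocation,
                    sidaSensorAddressType,
                    sidaSensorAddress,
                    sidaSensorInterfaceIndex,
                    sidaSensorManufacturer,
                    sidaSensorProductName,
                    sidaSensorProductID,
                    sidaAlertID,
                    sidaAlertTimeStamp,
                    sidaAlertActionsTaken,
                    sidaAlertMsg,
                    sidaAlertMoreInfo,
                    sidaAlertSrcAddressType,
                    sidaAlertSrcAddress,
                    sidaAlertDstAddressType,
                    sidaAlertDstAddress,
                    sidaAlertSrcPort,
                    sidaAlertDstPort,
                    sidaAlertStartTime,
                    sidaAlertOccurrences
       }
        STATUS  current
        DESCRIPTION
                " A collection of objects for generation and despatch of
                  alerts pertaining to intrusions detected."
        ::= { sidaGroups 1 }

    -- Notification group: the notifications this module defines.
    -- NOTIFICATION-GROUP is imported from SNMPv2-CONF.
    sidaAlertNotificationGroup NOTIFICATION-GROUP
        NOTIFICATIONS { sidaAlertGeneric }
        STATUS  current
        DESCRIPTION
                " The notifications sent when an intrusion is detected."
        ::= { sidaGroups 2 }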
   END
