This EEM script (TCL policy) monitors the routing table of an IOS router in order to find if the router has seen an invalid LSA, which would mean there was an attempt to exploit CVE-2013-0149. If an exploit was seen the script generates a syslog. The script runs every EEM_OSPF_PERIOD seconds and its maximum runtime can be EEM_OSPF_MAX_RUNTIME seconds.
This policy requires the followin EEM environment variables to be set:
- EEM_OSPF_PERIOD <1-100> (seconds)
- EEM_OSPF_MAX_RUNTIME <1-100> (seconds)
An example of the EEM policy commands that are needed on the router after copying the tcl eem_ospf_vln.tcl in the router's flash: are
event manager environment EEM_OSPF_PERIOD 20
event manager environment EEM_OSPF_MAX_RUNTIME 5
event manager directory user policy "flash:/"
event manager policy eem_ospf_vuln.tcl
The script is attached below.