Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
3984
Views
0
Helpful
0
Comments

OSPF LSA vulnerability monitoring - EEM script

Panos Kampanakis
Cisco Employee
Cisco Employee

on ‎07-17-2013 07:38 AM

This EEM script (TCL policy) monitors the routing table of an IOS router in order to find if the router has seen an invalid LSA, which would mean there was an attempt to exploit CVE-2013-0149. If an exploit was seen the script generates a syslog. The script runs every EEM_OSPF_PERIOD seconds and its maximum runtime can be EEM_OSPF_MAX_RUNTIME seconds.

This policy requires the followin EEM environment variables to be set:

  • EEM_OSPF_PERIOD <1-100> (seconds)
  • EEM_OSPF_MAX_RUNTIME <1-100> (seconds)

An example of the EEM policy commands that are needed on the router after copying the tcl eem_ospf_vln.tcl in the router's flash: are 

event manager environment EEM_OSPF_PERIOD 20
event manager environment EEM_OSPF_MAX_RUNTIME 5
event manager directory user policy "flash:/"
event manager policy eem_ospf_vuln.tcl

The script is attached below.

Labels:
15364649-eem_ospf_vuln.tcl.zip
15364235-eem_ospf_vuln.tcl.zip
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents