This EEM script (TCL policy) monitors the routing table of an IOS router in order to find if the router has seen an invalid LSA, which would mean there was an attempt to exploit CVE-2013-0149. If an exploit was seen the script generates a syslog. The script runs every EEM_OSPF_PERIOD seconds and its maximum runtime can beEEM_OSPF_MAX_RUNTIME seconds.
This policy requires the followin EEM environment variables to be set:
EEM_OSPF_PERIOD <1-100> (seconds)
EEM_OSPF_MAX_RUNTIME <1-100> (seconds)
An example of the EEM policy commands that are needed on the router after copying the tcl eem_ospf_vln.tclin the router's flash: are