
How to Create a Trap Mask

In this next scenario, you want to know if any of the nodes in the CriticalDevices group are communicating without proper authorization. You will create a trap mask to "mask out" or filter out any SNMP trap that warns of an authentication failure. Since the mask will be useless without an associated alarm, you will create an alarm as well.

The scenario includes four activities:

  1. Creating a New Trap Mask
  2. Creating an Alarm to be Triggered by a Mask
  3. Using Trapgen to Generate a Trap
  4. Defining a Trigger Function

Creating a New Trap Mask

This first activity will step you through the process of creating a new trap mask that will listen for an SNMP trap signaling an authentication failure.

 
  To create a new trap mask:

  1. Open a NerveCenter Client and connect to an appropriate NerveCenter Server.
  2. From the Admin menu, choose Mask List.


    NerveCenter displays the Mask List window.


    The Mask List window contains a list of the trap masks in the NerveCenter database for the active server.

  3. From the Mask List window, select New.

    The Mask Definition window appears.


    The Mask Definition window allows you to examine, create, or change a trap mask definition.

  4. In the Name field, type 1CheckAuth.
  5. From the Generic list, select the generic trap number AuthFail = 4.

    You are telling the mask only to respond to an agent sending a generic SNMP trap 4. An agent sends a trap 4 when it receives an SNMP message with a bad community string.

  6. Skip the From and From Only buttons. Also skip the Enterprise and Specific fields.

    These fields will be explained later.

  7. In the Trigger Type field, select Simple Trigger.

    The Simple Trigger field is enabled.

    You would use the Trigger Function option only if you need to conditionally fire a trigger based on the contents of the trap's variable bindings. For this activity, a simple trigger will do.

  8. In the Simple Trigger field, type authFailTrig.
  9. In the Enabled frame, select On.
  10. Select Save, then Cancel to close.

The mask will now be listening for AuthFail traps. However, as we saw with the 1CheckTraffic poll, the trap mask is useless until an alarm is associated with it. In the next activity you will create an alarm for the mask.

Creating an Alarm to be Triggered by a Mask

In the last activity, you created a mask called 1CheckAuth to detect SNMP AuthFail traps. You now need an alarm that will be triggered when the trap is detected.

This next activity steps you through the process of creating an alarm that will alert you when an authentication failure is detected.

 
  To create an alarm to be triggered by a mask:

  1. From the Admin menu, choose Alarm Definition List.


    NerveCenter displays the Alarm Definition List window.

  2. From the Alarm Definition List window, select New.

    The Alarm Definition window appears.

  3. In the Name field, type 1FailedAuth.
  4. Set the Property field to myNodes and the Scope field to Node.
  5. In the alarm's state diagram, add a state with a severity of Major and the name Trap4Received.

  6. Size and position the state icon so that it is easy to read.
  7. Create a transition from the Ground state to the Trap4Received state that is triggered by authFailTrig.

  8. In the Transition Definition window, select New Action.

    A list of alarm actions appears.

  9. From the alarm action list, select Log to File.

    NerveCenter displays the Log to File Action window.


  10. In the File Name field, type myLog.
  11. Leave Default Data checked.
  12. Select On in the Enable and Verbose Output fields.
  13. Select OK.

    The Log to File Action window closes. The Log to File action is included in the Actions list.

    The Log to File alarm action writes information about an alarm transition to an ASCII text file. Since you entered a file name, the log file will be written to the directory installation_directory/Log (Windows) or installation_directory/userfiles/logs (UNIX). If you enter a full pathname, the log file is written to the directory you specified.

  14. In the Transition Definition window, select OK.

    The authFailTrig transition now appears in the state diagram. Size and position the icons as needed.


  15. In the Enabled frame, select On.
  16. Select Save.

You have just completed creating an alarm that will respond to the 1CheckAuth mask. The only step left is to have a trap for the mask to detect. The next activity will step you through one way you can use NerveCenter to generate a trap.

Using Trapgen to Generate a Trap

In the last activity, you created the 1FailedAuth alarm to respond to the 1CheckAuth mask. Previously, you created the 1CheckAuth mask to listen for a generic 4 trap. Since SNMP traps are unsolicited and sent in response to specific conditions on your network, it may be some time until one of your managed nodes sends this particular trap.

This next activity will step you through the process of artificially creating a generic 4 trap using the NerveCenter utility trapgen.

 
  To use trapgen to generate a trap:

  1. Check to make sure the 1CheckAuth mask and the 1FailedAuth alarm are On.
  2. From the command line (MS-DOS command prompt or UNIX shell) type:

    trapgen server_name "" a_node_name 4 0 ""

    You are commanding NerveCenter to generate a trap with generic trap number 4 (AuthFail) and enterprise-specific trap number 0, as if it had been sent by a_node_name.

  3. Press Enter.
  4. Return to the NerveCenter client window. From the Admin menu, choose Alarm Summary.

    NerveCenter displays the Alarm Summary window. The instance for the alarm 1FailedAuth should appear in the Alarm Summary list.


  5. Locate in the directory installation_directory/Log (Windows) or installation_directory/userfiles/logs (UNIX) the file myLog. Open this file with an ASCII text editor such as Notepad (Windows) or vi (UNIX).

    myLog as it Appears in Notepad


    In the last activity, you specified that when the alarm 1FailedAuth transitioned from the Ground state to the Trap4Received state that it would perform the Log to File action. The myLog file represents the results of that action.

    What is NerveCenter doing?

    NerveCenter uses trapgen to simulate a node sending a generic 4 (AuthFail) trap.

    1. The 1CheckAuth mask detects the trap 4 and fires the authFailTrig trigger.
    2. The trigger authFailTrig causes the 1FailedAuth alarm to transition from the Ground state to the Trap4Received state.
    3. NerveCenter performs the action associated with the transition. In this case, it logs the alarm instance to the file myLog.



You have just created a behavior model that will log to a file any instance of an authentication failure on any of the nodes in the CriticalDevices property group. To do this you created a mask that would detect SNMP generic 4 traps.

In the next activity you will modify this mask to enhance its filtering process, using the trigger function of the mask.

What are generic and enterprise-specific trap numbers?

In the last activity you generated a trap with the generic trap number 4 and the enterprise-specific trap number 0.

Generic trap numbers distinguish between seven major types of traps. The first six are SNMP-defined traps. Trap number 6 is reserved for enterprise-specific traps.

Enterprise-specific trap numbers are vendor-defined positive integers that identify particular traps. The meaning of specific trap numbers should be included in the documentation provided by the vendor of the device.

Defining a Trigger Function

In the previous activities you created a mask that would alert you when the agent of a node in your CriticalDevices property group sent an SNMP generic 4 trap. But suppose one of the devices in this group generates frequent authentication failures; the constant stream of AuthFail traps from that one node may become annoying.

In this next activity you will use the trigger function of a mask to filter out all failed authentication traps for a particular node.

 
  To define a trigger function:

  1. From the Admin menu, choose Mask List.


    NerveCenter displays the Mask List window.

  2. Highlight the 1CheckAuth mask, and select Open.

    The Mask Definition window for 1CheckAuth appears. If 1CheckAuth is still enabled, all the fields will be grayed out.

  3. If the mask is on, in the Enable frame, select Off.
  4. In the Trigger Type area, select Trigger Function.
  5. In the Mask Definition window, select the Trigger Function tab.

    The Trigger Function page appears.


  6. In the text box, type the following Perl script:

    if ($NodeName ne "your_node_name") {   # $NodeName is the node that sent the trap
        FireTrigger("authFailTrig");       # fire the trigger for every other node
    }

    Be sure to substitute the full name of one of your own managed nodes for your_node_name in the first line of the function.

    This trigger function tests the name of the node that caused the trap and fires the trigger only if the node does not match the one you specified.

  7. Select the Mask tab.
  8. In the Enable frame, select On.
  9. Select Save.
  10. Open the Alarm Summary window.
  11. Follow the steps in the last activity, Using Trapgen to Generate a Trap, to test the modified mask:
    1. First, generate a trap specifying for a_node_name the name of a device in the CriticalDevices group that is different from the node excluded by the trigger function. If everything is working properly, that alarm instance should appear in the Alarm Summary window.
    2. Next, generate a trap specifying for a_node_name the name of the device that you excluded by the trigger function. If everything is working properly, nothing should appear in the Alarm Summary window.

      What is NerveCenter doing?

      NerveCenter uses trapgen to simulate a node sending a generic 4 (AuthFail) trap.

      1. The 1CheckAuth mask detects the trap 4 and determines if the node is the problem node.
      2. If the node is not the problem node, it fires the authFailTrig trigger.
      3. The authFailTrig trigger causes the 1FailedAuth alarm to transition from the Ground state to the Trap4Received state.
      4. NerveCenter performs the action associated with the transition. In this case, it logs the alarm instance to the myLog file.

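To make the sequence above concrete, here is an added example that is not NerveCenter code: a small Python model of the behavior model built in this chapter. It covers both the trigger-function activity (a mask that matches on the generic trap number and excludes one node, as the Perl function does with $NodeName) and the generic/enterprise-specific trap numbers described earlier. The class names, the in-memory log standing in for myLog, and the node names and traps are all assumptions constructed for the example.

```python
"""Added example (not NerveCenter code): trap mask -> trigger -> alarm transition.

A TrapMask mirrors the Mask Definition window (generic number plus a simple
trigger or a trigger function).  An Alarm holds per-node instances that move
from Ground to Trap4Received and runs a Log to File action, modelled here as
an in-memory list.  All names and sample traps are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Optional

# SNMPv1 generic trap numbers (RFC 1157); 6 means enterprise-specific.
GENERIC_TRAP_NAMES = {
    0: "coldStart", 1: "warmStart", 2: "linkDown", 3: "linkUp",
    4: "authenticationFailure", 5: "egpNeighborLoss", 6: "enterpriseSpecific",
}


@dataclass(frozen=True)
class Trap:
    node_name: str       # the agent that sent the trap (NerveCenter's $NodeName)
    generic: int         # generic trap number 0..6
    specific: int = 0    # enterprise-specific number; meaningful only when generic == 6


@dataclass
class TrapMask:
    """Generic number plus either a simple trigger or a trigger function."""
    name: str
    generic: int
    simple_trigger: Optional[str] = None
    trigger_function: Optional[Callable[[Trap], Optional[str]]] = None
    enabled: bool = True

    def evaluate(self, trap: Trap) -> Optional[str]:
        """Return the trigger name to fire, or None if the trap is ignored."""
        if not self.enabled or trap.generic != self.generic:
            return None
        if self.trigger_function is not None:
            return self.trigger_function(trap)
        return self.simple_trigger


def exclude_node(excluded: str, trigger: str) -> Callable[[Trap], Optional[str]]:
    """Python equivalent of the Perl trigger function in this section:
    fire the trigger only when the sending node is not the excluded one."""
    def fn(trap: Trap) -> Optional[str]:
        return trigger if trap.node_name != excluded else None
    return fn


@dataclass
class Alarm:
    """One alarm with a Ground -> Trap4Received transition and a Log to File action."""
    name: str
    trigger: str
    to_state: str = "Trap4Received"
    severity: str = "Major"
    enabled: bool = True
    instances: dict = field(default_factory=dict)   # node name -> current state
    log: list = field(default_factory=list)         # stands in for the myLog file

    def on_trigger(self, trigger: str, trap: Trap) -> Optional[str]:
        """Transition this node's instance and log it; None if nothing happened."""
        if not self.enabled or trigger != self.trigger:
            return None
        if self.instances.get(trap.node_name, "Ground") != "Ground":
            return None   # already in Trap4Received: no Ground transition to take
        self.instances[trap.node_name] = self.to_state
        self.log.append(
            f"{self.name} {trap.node_name} Ground->{self.to_state} {self.severity} "
            f"{GENERIC_TRAP_NAMES[trap.generic]} specific={trap.specific} trigger={trigger}")
        return self.to_state


def deliver(mask: TrapMask, alarm: Alarm, trap: Trap) -> Optional[str]:
    """Full path of one trap: mask evaluation, trigger, alarm transition."""
    trigger = mask.evaluate(trap)
    return None if trigger is None else alarm.on_trigger(trigger, trap)


def run_scenario():
    """Replay the chapter's test: a normal node, the excluded node, a non-AuthFail trap."""
    mask = TrapMask("1CheckAuth", generic=4,
                    trigger_function=exclude_node("noisy.example.com", "authFailTrig"))
    alarm = Alarm("1FailedAuth", trigger="authFailTrig")
    traps = [                                              # constructed sample traps
        Trap("router1.example.com", generic=4),            # should reach Trap4Received
        Trap("noisy.example.com", generic=4),              # filtered by the trigger function
        Trap("router1.example.com", generic=2),            # linkDown: mask does not match
    ]
    results = [deliver(mask, alarm, t) for t in traps]
    return results, alarm.log


if __name__ == "__main__":
    for line in run_scenario()[1]:
        print(line)
```

Running the file prints one log line, for router1.example.com only, which is exactly what the Alarm Summary test in step 11 expects: the excluded node produces no alarm instance, and a trap with a different generic number never reaches the trigger at all.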


You now know how to use alarms, polls, and masks, the main elements in NerveCenter behavior models. In Chapter 6, How to Use Behavior Models, you will begin learning how to use behavior models to achieve monitoring of your network that is smart and relevant.


29 July 2003