update project

8cc6808a · thl-cmk · fc3ab6ce · 8cc6808a · 8cc6808a · 8cc6808a
Commit 8cc6808a authored 2 years ago by thl-cmk
--- a/agent_based/cisco_vpn_tunnel.py
+++ b/agent_based/cisco_vpn_tunnel.py
@@ -19,6 +19,7 @@
 # 2022-01-19: added workaround for not matching IKE_OID_end and cipSecTunIkeTunnelIndexfor not matching
 #             IKE_OID_end and cipSecTunIkeTunnelIndex, try to match IPSec nad IKE sa by remote address
 # 2022-04-01: changed IPSec SA count output to check levels
+# 2022-12-17: checked input values for isdigit()

 # snmpwalk sample
 #
@@ -68,14 +69,8 @@ class IpsecSa:

 @dataclass
 class IkeSa:
-    # local_type: int
-    # local_value: str
    local_addr: str
-    # local_name: str
-    # remote_type: int
-    # remote_value: str
    remote_addr: str
-    # remote_name: str
    active_time: int
    in_octets: int
    in_pkts: int
@@ -156,7 +151,7 @@ def parse_cisco_vpn_tunnel(string_table: List[StringTable]) -> Dict[str, IkeSa]:

    # summarize IPSec SAs, ASSUMPTION: except for counters all SA attributes are identical per IKE index
    for ike_tunnel_index, ike_tunnel_alive, tun_remote_addr, active_time, hc_in_octets, in_pkts, in_drop_pkts, \
-        hc_out_octets, out_pkts, out_drop_pkts in ipsec_tunnel_entry:
+            hc_out_octets, out_pkts, out_drop_pkts in ipsec_tunnel_entry:

        if ike_tunnel_index.isdigit():
            ipsec_sa = ipsec_sa_summary.setdefault(
@@ -164,13 +159,13 @@ def parse_cisco_vpn_tunnel(string_table: List[StringTable]) -> Dict[str, IkeSa]:
                IpsecSa(0, 0, 0, 0, 0, 0, 0, 0, 0, tun_remote_addr)
            )
            ipsec_sa.sa_count += 1
-            ipsec_sa.hc_in_octets += int(hc_in_octets)
-            ipsec_sa.in_pkts += int(in_pkts)
-            ipsec_sa.in_drop_pkts += int(in_drop_pkts)
-            ipsec_sa.hc_out_octets += int(hc_out_octets)
-            ipsec_sa.out_pkts += int(out_pkts)
-            ipsec_sa.out_drop_pkts += int(out_drop_pkts)
-            if int(active_time) // 100 > ipsec_sa.active_time:
+            ipsec_sa.hc_in_octets += int(hc_in_octets) if hc_in_octets.isdigit() else 0
+            ipsec_sa.in_pkts += int(in_pkts) if in_pkts.isdigit() else 0
+            ipsec_sa.in_drop_pkts += int(in_drop_pkts) if in_drop_pkts.isdigit() else 0
+            ipsec_sa.hc_out_octets += int(hc_out_octets) if hc_out_octets.isdigit() else 0
+            ipsec_sa.out_pkts += int(out_pkts) if out_pkts.isdigit() else 0
+            ipsec_sa.out_drop_pkts += int(out_drop_pkts) if out_drop_pkts.isdigit() else 0
+            if active_time.isdigit and (int(active_time) // 100 > ipsec_sa.active_time):
                ipsec_sa.active_time = int(active_time) // 100

    # IKE SA
@@ -185,26 +180,21 @@ def parse_cisco_vpn_tunnel(string_table: List[StringTable]) -> Dict[str, IkeSa]:
                remote_addr = remote_value
            if len(remote_addr.split('.')) == 4:
                ike_sa = IkeSa(
-                    # local_type=int(local_type),
-                    # local_value=local_value,
                    local_addr=_cisco_vpn_tunnel_render_ipv4_address(local_addr),
-                    # local_name=local_name,
-                    # remote_type=int(remote_type),
-                    # remote_value=remote_value,
                    remote_addr=remote_addr,
-                    # remote_name=remote_name,
-                    active_time=int(active_time) // 100,
-                    in_octets=int(in_octets),
-                    in_pkts=int(in_pkts),
-                    in_drop_pkts=int(in_droppkts),
-                    out_octets=int(out_octets),
-                    out_pkts=int(out_pkts),
-                    out_drop_pkts=int(out_droppkts),
-                    status=int(status),
-                    nego_mode=int(nego_mode),
+                    active_time=int(active_time) // 100 if active_time.isdigit() else 0,
+                    in_octets=int(in_octets) if in_octets.isdigit() else 0,
+                    in_pkts=int(in_pkts) if in_pkts.isdigit() else 0,
+                    in_drop_pkts=int(in_droppkts) if in_droppkts.isdigit() else 0,
+                    out_octets=int(out_octets) if out_octets.isdigit() else 0,
+                    out_pkts=int(out_pkts) if out_pkts.isdigit() else 0,
+                    out_drop_pkts=int(out_droppkts) if out_droppkts.isdigit() else 0,
+                    status=int(status) if status.isdigit() else 0,
+                    nego_mode=int(nego_mode) if nego_mode.isdigit() else 0,
                    # if/else is workaround for not matching IKE_OID_end and cipSecTunIkeTunnelIndex
                    # try to match IPSec sa by remote address
-                    ipsec_summary=ipsec_sa_summary.get(index) if ipsec_sa_summary.get(index) is not None else _get_ipsec_sa_by_remote_address(save_remote_addr, ipsec_sa_summary)
+                    ipsec_summary=ipsec_sa_summary.get(index) if ipsec_sa_summary.get(
+                        index) is not None else _get_ipsec_sa_by_remote_address(save_remote_addr, ipsec_sa_summary)
                )
                vpntunnel.update({remote_addr: ike_sa})

@@ -416,7 +406,8 @@ register.check_plugin(
    check_default_parameters={
        'state': 3,  # default state for tunnel not found
        'missing_ipsec_sa_state': 1,
-        'tunnels': [],  # list of tunnel specific not found states ('<ip-address>', '<alias>', <not_found_state>, <no_ipsec_sa>)
+        'tunnels': [],  # list of tunnel specific not found states
+                        # ('<ip-address>', '<alias>', <not_found_state>, <no_ipsec_sa>)
    },
    check_ruleset_name='cisco_vpn_tunnel',
 )
--- a/cisco_vpn_tunnel.mkp
+++ b/cisco_vpn_tunnel.mkp
--- a/packages/cisco_vpn_tunnel
+++ b/packages/cisco_vpn_tunnel
@@ -11,7 +11,7 @@
 'name': 'cisco_vpn_tunnel',
 'num_files': 3,
 'title': 'Monitor Cisco VPN Tunnel',
- 'version': '20220401.v0.3a',
+ 'version': '20221217.v0.3b',
 'version.min_required': '2.0.0',
 'version.packaged': '2021.09.20',
 'version.usable_until': None}
\ No newline at end of file