diff --git a/agent_based/cisco_vpn_tunnel.py b/agent_based/cisco_vpn_tunnel.py
index 856187ca12be7facfbdda5c279a34ae68a9eb96e..1f8bc1ce68b005dea349f11bf69ff31cbab47255 100644
--- a/agent_based/cisco_vpn_tunnel.py
+++ b/agent_based/cisco_vpn_tunnel.py
@@ -19,6 +19,7 @@
 # 2022-01-19: added workaround for not matching IKE_OID_end and cipSecTunIkeTunnelIndexfor not matching
 # IKE_OID_end and cipSecTunIkeTunnelIndex, try to match IPSec nad IKE sa by remote address
 # 2022-04-01: changed IPSec SA count output to check levels
+# 2022-12-17: checked input values for isdigit()
 # snmpwalk sample
 #
@@ -68,14 +69,8 @@ class IpsecSa:
 @dataclass
 class IkeSa:
- # local_type: int
- # local_value: str
 local_addr: str
- # local_name: str
- # remote_type: int
- # remote_value: str
 remote_addr: str
- # remote_name: str
 active_time: int
 in_octets: int
 in_pkts: int
@@ -156,7 +151,7 @@ def parse_cisco_vpn_tunnel(string_table: List[StringTable]) -> Dict[str, IkeSa]:
 # summarize IPSec SAs, ASSUMPTION: except for counters all SA attributes are identical per IKE index
 for ike_tunnel_index, ike_tunnel_alive, tun_remote_addr, active_time, hc_in_octets, in_pkts, in_drop_pkts, \
- hc_out_octets, out_pkts, out_drop_pkts in ipsec_tunnel_entry:
+ hc_out_octets, out_pkts, out_drop_pkts in ipsec_tunnel_entry:
 if ike_tunnel_index.isdigit():
 ipsec_sa = ipsec_sa_summary.setdefault(
@@ -164,13 +159,13 @@ def parse_cisco_vpn_tunnel(string_table: List[StringTable]) -> Dict[str, IkeSa]:
 IpsecSa(0, 0, 0, 0, 0, 0, 0, 0, 0, tun_remote_addr)
 )
 ipsec_sa.sa_count += 1
- ipsec_sa.hc_in_octets += int(hc_in_octets)
- ipsec_sa.in_pkts += int(in_pkts)
- ipsec_sa.in_drop_pkts += int(in_drop_pkts)
- ipsec_sa.hc_out_octets += int(hc_out_octets)
- ipsec_sa.out_pkts += int(out_pkts)
- ipsec_sa.out_drop_pkts += int(out_drop_pkts)
- if int(active_time) // 100 > ipsec_sa.active_time:
+ ipsec_sa.hc_in_octets += int(hc_in_octets) if hc_in_octets.isdigit() else 0
+ ipsec_sa.in_pkts += int(in_pkts) if in_pkts.isdigit() else 0
+ ipsec_sa.in_drop_pkts += int(in_drop_pkts) if in_drop_pkts.isdigit() else 0
+ ipsec_sa.hc_out_octets += int(hc_out_octets) if hc_out_octets.isdigit() else 0
+ ipsec_sa.out_pkts += int(out_pkts) if out_pkts.isdigit() else 0
+ ipsec_sa.out_drop_pkts += int(out_drop_pkts) if out_drop_pkts.isdigit() else 0
+ if active_time.isdigit and (int(active_time) // 100 > ipsec_sa.active_time):
 ipsec_sa.active_time = int(active_time) // 100
 # IKE SA
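Review bot: The guard on the `active_time` branch never fires, because `active_time.isdigit` without parentheses is a bound-method object and is always truthy, so a non-numeric `active_time` still reaches `int(active_time)` and raises ValueError — the very failure this commit sets out to avoid; the line should read `if active_time.isdigit() and (int(active_time) // 100 > ipsec_sa.active_time):`. Note also that `str.isdigit()` is true for some non-ASCII digit characters that `int()` rejects, so the other guards in this hunk (and the same pattern in the `IkeSa(...)` construction hunk below) can still raise on such input; `str.isdecimal()` is the predicate that matches what `int()` accepts, or a small `_to_int(value, default=0)` helper wrapping `int()` in `try/except ValueError` would close the gap and remove the nine repeated conditionals. The enclosing `parse_cisco_vpn_tunnel` starts and ends outside this hunk.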
@@ -185,26 +180,21 @@ def parse_cisco_vpn_tunnel(string_table: List[StringTable]) -> Dict[str, IkeSa]:
 remote_addr = remote_value
 if len(remote_addr.split('.')) == 4:
 ike_sa = IkeSa(
- # local_type=int(local_type),
- # local_value=local_value,
 local_addr=_cisco_vpn_tunnel_render_ipv4_address(local_addr),
- # local_name=local_name,
- # remote_type=int(remote_type),
- # remote_value=remote_value,
 remote_addr=remote_addr,
- # remote_name=remote_name,
- active_time=int(active_time) // 100,
- in_octets=int(in_octets),
- in_pkts=int(in_pkts),
- in_drop_pkts=int(in_droppkts),
- out_octets=int(out_octets),
- out_pkts=int(out_pkts),
- out_drop_pkts=int(out_droppkts),
- status=int(status),
- nego_mode=int(nego_mode),
+ active_time=int(active_time) // 100 if active_time.isdigit() else 0,
+ in_octets=int(in_octets) if in_octets.isdigit() else 0,
+ in_pkts=int(in_pkts) if in_pkts.isdigit() else 0,
+ in_drop_pkts=int(in_droppkts) if in_droppkts.isdigit() else 0,
+ out_octets=int(out_octets) if out_octets.isdigit() else 0,
+ out_pkts=int(out_pkts) if out_pkts.isdigit() else 0,
+ out_drop_pkts=int(out_droppkts) if out_droppkts.isdigit() else 0,
+ status=int(status) if status.isdigit() else 0,
+ nego_mode=int(nego_mode) if nego_mode.isdigit() else 0,
 # if/else is workaround for not matching IKE_OID_end and cipSecTunIkeTunnelIndex
 # try to match IPSec sa by remote address
- ipsec_summary=ipsec_sa_summary.get(index) if ipsec_sa_summary.get(index) is not None else _get_ipsec_sa_by_remote_address(save_remote_addr, ipsec_sa_summary)
+ ipsec_summary=ipsec_sa_summary.get(index) if ipsec_sa_summary.get(
+ index) is not None else _get_ipsec_sa_by_remote_address(save_remote_addr, ipsec_sa_summary)
 )
 vpntunnel.update({remote_addr: ike_sa})
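Review bot: The new `ipsec_summary=` argument looks up `ipsec_sa_summary.get(index)` twice and is now wrapped in the middle of the `get(` call, which reads poorly and is easy to mis-edit. Resolving the lookup once before the `IkeSa(...)` call keeps the constructor flat: `ipsec_summary = ipsec_sa_summary.get(index)`, `if ipsec_summary is None:`, `    ipsec_summary = _get_ipsec_sa_by_remote_address(save_remote_addr, ipsec_sa_summary)`, and then pass `ipsec_summary=ipsec_summary,` in the call. The `else 0` fallbacks also turn an unparsable SNMP value into a zero that is indistinguishable from a genuine zero, and `status=0` / `nego_mode=0` in particular will be interpreted by whatever consumes those fields; a comment on the first fallback such as `# non-numeric SNMP values are stored as 0 rather than aborting the parse` would make that deliberate choice visible to the next reader. The enclosing `parse_cisco_vpn_tunnel` starts outside this hunk and appears to continue past it.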
@@ -416,7 +406,8 @@ register.check_plugin(
 check_default_parameters={
 'state': 3, # default state for tunnel not found
 'missing_ipsec_sa_state': 1,
- 'tunnels': [], # list of tunnel specific not found states ('<ip-address>', '<alias>', <not_found_state>, <no_ipsec_sa>)
+ 'tunnels': [], # list of tunnel specific not found states
+ # ('<ip-address>', '<alias>', <not_found_state>, <no_ipsec_sa>)
 },
 check_ruleset_name='cisco_vpn_tunnel',
 )
diff --git a/cisco_vpn_tunnel.mkp b/cisco_vpn_tunnel.mkp
index c2791813b414eee4ce3a879373facdb3fb64b616..48af5d5949ccf1ac6f93fd815336c313d73be923 100644
Binary files a/cisco_vpn_tunnel.mkp and b/cisco_vpn_tunnel.mkp differ
diff --git a/packages/cisco_vpn_tunnel b/packages/cisco_vpn_tunnel
index 7c6ea78435abf2567e040183cba6af9cbd05ec86..87606471cde29577bd829fd4470c4a5c05ced18b 100644
--- a/packages/cisco_vpn_tunnel
+++ b/packages/cisco_vpn_tunnel
@@ -11,7 +11,7 @@
 'name': 'cisco_vpn_tunnel',
 'num_files': 3,
 'title': 'Monitor Cisco VPN Tunnel',
- 'version': '20220401.v0.3a',
+ 'version': '20221217.v0.3b',
 'version.min_required': '2.0.0',
 'version.packaged': '2021.09.20',
 'version.usable_until': None}
\ No newline at end of file