SSM
The following scenario shows how to configure different SSM (System Service Monitoring) operations. SSM operations can be used to monitor several system states (e.g., CPU, memory, storage and temperature), activating or deactivating previously defined alarms when the monitored states reach certain threshold values.
Monitoring Storage
Description
In this scenario an SSM operation is configured in DUT0 to monitor the storage state of the system and activate or deactivate an alarm when said state reaches a defined threshold value. First, the alarm is activated when a new file is downloaded. Then the alarm is deactivated when the downloaded file is deleted.
Scenario
Step 1: Run command show system storage at DUT0 and expect this output:
Total Storage: 7.767 GB
Free Storage: 7.416 GB
Used Storage: 359.59 MB
Step 2: Set the following configuration in DUT0:
set service ssm log-level notice
set service ssm operation OPER_STO alarm ALARM_STO activate value 373217.25
set service ssm operation OPER_STO alarm ALARM_STO deactivate value 369885.75
set service ssm operation OPER_STO description 'OPER_STO operation description'
set service ssm operation OPER_STO interval 0.05
set service ssm operation OPER_STO type storage
set system alarm ALARM_STO
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Note
To emulate an increase in storage usage, a file of known size can be downloaded. For the alarm to activate on that increase, the activation threshold must be set to the current used storage plus the size of the file to be downloaded. In this example the activation threshold is 373217.25K, since the current used storage is 368220K and the new file is 6663K. Likewise, to emulate a decrease in storage usage, the downloaded file can be deleted. For the alarm to deactivate on that decrease, the deactivation threshold must be set to the storage used before the file was downloaded; in this example the deactivation threshold is 369885.75K.
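The threshold arithmetic in the note above, and the activate/deactivate behaviour it relies on, as an added example that is not OSDx or SSM code. Two things in it are assumptions rather than documented facts: the comparison direction (activate at value >= Activate, deactivate at value <= Deactivate, hold otherwise) and the 0.75/0.25 fractions of the file size, which are simply what reproduces the documented thresholds exactly (368220 + 0.75 x 6663 = 373217.25 and 368220 + 0.25 x 6663 = 369885.75, i.e. the thresholds sit inside the expected swing rather than at its ends). The sample values are the ones shown on this page; `kib_from_mib` only reconciles the MB figures from `show system storage` with the K figures in the Last-Value column.

```python
# Added example, not OSDx or SSM code. Models the threshold arithmetic from the
# note above and the activate/deactivate hysteresis of an SSM alarm. The 0.75/0.25
# fractions and the >= / <= comparisons are assumptions (see lead-in).
from dataclasses import dataclass, field

KIB_PER_MIB = 1024.0


def kib_from_mib(mib):
    """Convert a 'show system storage' value (MiB) to the K unit used in Last-Value."""
    return round(mib * KIB_PER_MIB)


def thresholds(used_k, file_k, act_frac=0.75, deact_frac=0.25):
    """Return (activate, deactivate) in K.

    Assumption: activate = current used + act_frac * file size and
    deactivate = current used + deact_frac * file size, which places the
    activate point below the expected post-download value and the deactivate
    point above the pre-download value, leaving a margin on both sides.
    """
    return (used_k + act_frac * file_k, used_k + deact_frac * file_k)


@dataclass
class SsmAlarm:
    """Minimal model of an SSM alarm driven by one monitored value."""
    name: str
    activate: float
    deactivate: float
    status: bool = False
    toggle_count: int = 0
    toggled: list = field(default_factory=list)  # (sample index, new status) per toggle

    def observe(self, value, sample):
        """Feed one sampled value and return the resulting status.

        Assumption: activate when value >= activate, deactivate when value <=
        deactivate; a value between the two leaves the status unchanged, so a
        value hovering near one threshold does not make the alarm flap.
        """
        previous = self.status
        if not self.status and value >= self.activate:
            self.status = True
        elif self.status and value <= self.deactivate:
            self.status = False
        if self.status != previous:
            self.toggle_count += 1
            self.toggled.append((sample, self.status))
        return self.status


# Constructed from the values shown on this page, in K: before the download,
# after downloading the 6663K file, and after deleting it again.
SCENARIO = [368220.00, 374884.00, 368220.00]


def run_scenario(used_k=368220.0, file_k=6663.0, samples=SCENARIO):
    """Replay the page's scenario; returns (status after each sample, toggle count)."""
    activate, deactivate = thresholds(used_k, file_k)
    alarm = SsmAlarm("ALARM_STO", activate, deactivate)
    statuses = [alarm.observe(v, i) for i, v in enumerate(samples)]
    return statuses, alarm.toggle_count


def hysteresis_demo(used_k=368220.0, file_k=6663.0):
    """Values between the two thresholds keep whatever status the alarm already has."""
    between = used_k + 0.5 * file_k  # 371551.5: above Deactivate, below Activate
    return run_scenario(used_k, file_k, [between, 374884.0, between, 368220.0])


if __name__ == "__main__":
    print("thresholds (activate, deactivate):", thresholds(368220.0, 6663.0))
    print("used before/after in K:", kib_from_mib(359.59), kib_from_mib(366.098))
    print("scenario statuses, toggles:", run_scenario())
    print("hysteresis statuses, toggles:", hysteresis_demo())
```

The practical point of the gap between Activate and Deactivate is the same as in any threshold alarm: a single threshold would toggle on every sample while usage sits near it, whereas the two-value form only toggles twice in this scenario, once on the download and once on the deletion.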
Step 3: Run command service ssm operation show at DUT0 and check if output contains the following tokens:
OPER_STO
-----------------------------------------------------------------------------------------------
Operation   Type      Last-Value   Alarm       Activate    Deactivate   Status   Toggled   Prev-toggled
-----------------------------------------------------------------------------------------------
OPER_STO    storage   368220.00    ALARM_STO   373217.25   369885.75    false
Step 4: Run command system alarm ALARM_STO show at DUT0 and check if output matches the following regular expressions:
(ALARM_STO)\s+(false)
-------------------------------------------------------------------
Alarm       Status   Toggled   Prev-toggled   Toggle-count   Time up (%)
-------------------------------------------------------------------
ALARM_STO   false                             0              0.00
Step 5: Run command service ssm operation OPER_STO show at DUT0 and check if output matches the following regular expressions:
(OPER_STO)\s+(storage)[\s\d.]+(ALARM_STO)[\s\d.]+(false)
-----------------------------------------------------------------------------------------------
Operation   Type      Last-Value   Alarm       Activate    Deactivate   Status   Toggled   Prev-toggled
-----------------------------------------------------------------------------------------------
OPER_STO    storage   368220.00    ALARM_STO   373217.25   369885.75    false
Step 6: Run command service ssm operation show at DUT0 and check if output matches the following regular expressions:
(OPER_STO)\s+(storage)[\s\d.]+(ALARM_STO)[\s\d.]+(false)
-----------------------------------------------------------------------------------------------
Operation   Type      Last-Value   Alarm       Activate    Deactivate   Status   Toggled   Prev-toggled
-----------------------------------------------------------------------------------------------
OPER_STO    storage   368220.00    ALARM_STO   373217.25   369885.75    false
Note
The previous command output should show that the operation has been created successfully and that the alarm is deactivated, since the storage used has not yet increased.
Step 7: Modify the following configuration lines in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
Step 8: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.188 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.188/0.188/0.188/0.000 ms
Step 9: Run command file copy http://10.215.168.1/~robot/ssm_test_file running:// force at DUT0 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 6663k  100 6663k    0     0   316M      0 --:--:-- --:--:-- --:--:--  309M
Step 10: Run command file show running:// at DUT0 and check if output contains the following tokens:
ssm_test_file
----------------------------------------------------------------------------------------
Name                          Type                               Size     Last modified
----------------------------------------------------------------------------------------
OSDx\ version(1).gz           application/gzip                   36B      2024 Oct 7 09:22
auth/                         directory                          8.7KB    2024 Oct 7 09:21
base-enc.diff1                application/octet-stream           256B     2024 Oct 7 11:49
base-enc.rules                application/octet-stream           272B     2024 Oct 7 11:49
base.diff1                    text/plain                         238B     2024 Oct 7 11:50
base.diff2                    text/plain                         510B     2024 Oct 7 11:43
base.diff2-aes256             application/octet-stream           528B     2024 Oct 7 11:50
base.rules                    text/plain                         245B     2024 Oct 7 11:43
config.boot                   regular file, no read permission   349B     2024 Oct 7 09:24
coredump/                     directory                          4.0KB    2024 Oct 7 12:15
dos.rules                     text/plain                         62KB     2024 Oct 7 11:57
drop-performance.rules        text/plain                         200B     2024 Oct 7 11:56
filehash-md5-drop.rules       text/plain                         113B     2024 Oct 7 11:51
filehash-sha1-drop.rules      text/plain                         116B     2024 Oct 7 11:52
filehash-sha256-drop.rules    text/plain                         122B     2024 Oct 7 11:52
firewall/                     directory                          4.0KB    2024 Oct 7 12:15
hashset-md5.list              text/plain                         33B      2024 Oct 7 11:51
hashset-sha1.list             text/plain                         40B      2024 Oct 7 11:52
hashset-sha256.list           text/plain                         65B      2024 Oct 7 11:52
http-alert.rules              text/plain                         85B      2024 Oct 7 11:43
kerneldump/                   directory                          4.4KB    2024 Oct 7 09:21
local.rules                   text/plain                         357B     2024 Oct 7 11:43
log/                          directory                          298KB    2024 Oct 7 11:27
nids.html                     text/html                          220B     2024 Oct 7 11:51
ruleset.tar.gz                application/octet-stream           352B     2024 Oct 7 11:50
save-hist/                    directory                          4.0KB    2024 Oct 7 09:21
scripts/                      directory                          4.0KB    2024 Oct 4 11:24
ssm_test_file                 text/plain                         6.6MB    2024 Oct 7 12:17
support/                      directory                          4.2KB    2024 Oct 7 10:28
suricata.minimal.rules        text/plain                         3.7MB    2024 Oct 7 11:43
test-performance-udp.rules    text/plain                         133B     2024 Oct 7 11:55
test-performance.rules        text/plain                         129B     2024 Oct 7 11:55
tls-alert.rules               text/plain                         201B     2024 Oct 7 11:52
tor.rules                     text/plain                         714KB    2024 Oct 7 11:57
traffic-proxy.rules           text/plain                         129B     2024 Oct 7 12:14
uid                           text/html                          220B     2024 Oct 7 11:43
user-data/                    directory                          4.0KB    2024 Oct 7 11:19
Note
With the previous command, a file with a known size is downloaded, thus causing an increase in the storage used.
Step 11: Run command show system storage at DUT0 and expect this output:
Total Storage: 7.767 GB
Free Storage: 7.41 GB
Used Storage: 366.098 MB
Step 12: Run command system alarm ALARM_STO show at DUT0 and check if output matches the following regular expressions:
(ALARM_STO)\s+(true)
------------------------------------------------------------------------------------------------
Alarm       Status   Toggled                                Prev-toggled   Toggle-count   Time up (%)
------------------------------------------------------------------------------------------------
ALARM_STO   true     2024-10-07 12:17:44.455002827 +00:00                  1              31.23
Step 13: Run command service ssm operation OPER_STO show at DUT0 and check if output matches the following regular expressions:
(OPER_STO)\s+(storage)[\s\d.]+(ALARM_STO)[\s\d.]+(true)
----------------------------------------------------------------------------------------------------------------------------
Operation   Type      Last-Value   Alarm       Activate    Deactivate   Status   Toggled                                Prev-toggled
----------------------------------------------------------------------------------------------------------------------------
OPER_STO    storage   368220.00    ALARM_STO   373217.25   369885.75    true     2024-10-07 12:17:44.455002827 +00:00
Step 14: Run command service ssm operation show at DUT0 and check if output matches the following regular expressions:
(OPER_STO)\s+(storage)[\s\d.]+(ALARM_STO)[\s\d.]+(true)
----------------------------------------------------------------------------------------------------------------------------
Operation   Type      Last-Value   Alarm       Activate    Deactivate   Status   Toggled                                Prev-toggled
----------------------------------------------------------------------------------------------------------------------------
OPER_STO    storage   374884.00    ALARM_STO   373217.25   369885.75    true     2024-10-07 12:17:44.455002827 +00:00
Note
The previous command output should show that the alarm is activated, since the storage used has increased after downloading the new file.
Step 15: Delete the downloaded file by running file delete running://ssm_test_file.
Note
With the previous command, the downloaded file is deleted, thus causing a decrease in the storage used.
Step 16: Run command show system storage at DUT0 and expect this output:
Total Storage: 7.767 GB
Free Storage: 7.416 GB
Used Storage: 359.59 MB
Step 17: Run command system alarm ALARM_STO show at DUT0 and check if output matches the following regular expressions:
(ALARM_STO)\s+(false)
------------------------------------------------------------------------------------------------------------------------
Alarm       Status   Toggled                                Prev-toggled                           Toggle-count   Time up (%)
------------------------------------------------------------------------------------------------------------------------
ALARM_STO   false    2024-10-07 12:17:45.443438230 +00:00   2024-10-07 12:17:44.455002827 +00:00   2              38.95
Step 18: Run command service ssm operation OPER_STO show at DUT0 and check if output matches the following regular expressions:
(OPER_STO)\s+(storage)[\s\d.]+(ALARM_STO)[\s\d.]+(false)
----------------------------------------------------------------------------------------------------------------------------------------------------
Operation   Type      Last-Value   Alarm       Activate    Deactivate   Status   Toggled                                Prev-toggled
----------------------------------------------------------------------------------------------------------------------------------------------------
OPER_STO    storage   374884.00    ALARM_STO   373217.25   369885.75    false    2024-10-07 12:17:45.443438230 +00:00   2024-10-07 12:17:44.455002827 +00:00
Step 19: Run command service ssm operation show at DUT0 and check if output matches the following regular expressions:
(OPER_STO)\s+(storage)[\s\d.]+(ALARM_STO)[\s\d.]+(false)
----------------------------------------------------------------------------------------------------------------------------------------------------
Operation   Type      Last-Value   Alarm       Activate    Deactivate   Status   Toggled                                Prev-toggled
----------------------------------------------------------------------------------------------------------------------------------------------------
OPER_STO    storage   374884.00    ALARM_STO   373217.25   369885.75    false    2024-10-07 12:17:45.443438230 +00:00   2024-10-07 12:17:44.455002827 +00:00
Note
The previous command output should show that the alarm is deactivated, since the storage used has decreased after the deletion of the downloaded file.
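The checks in Steps 3 to 19 are regular-expression matches against the CLI tables. When the same verification is scripted, it helps to parse the `service ssm operation show` row into fields as well, because the Toggled and Prev-toggled columns are optional and contain spaces, so a naive whitespace split misaligns the columns once the alarm has toggled. The following parser is an added example, not OSDx code; the two sample outputs are constructed from the rows shown on this page (column spacing is mine), and `status_matches` applies the same pattern the steps above use.

```python
# Added example, not OSDx code: parse 'service ssm operation show' output into
# fields and apply the page's own regular-expression status check.
import re

# Constructed sample outputs, built from the rows shown on this page.
SAMPLE_BEFORE = """\
-----------------------------------------------------------------------------------------------
Operation   Type      Last-Value   Alarm       Activate    Deactivate   Status   Toggled   Prev-toggled
-----------------------------------------------------------------------------------------------
OPER_STO    storage   368220.00    ALARM_STO   373217.25   369885.75    false
"""

SAMPLE_AFTER_DELETE = """\
-----------------------------------------------------------------------------------------------
Operation   Type      Last-Value   Alarm       Activate    Deactivate   Status   Toggled                                Prev-toggled
-----------------------------------------------------------------------------------------------
OPER_STO    storage   374884.00    ALARM_STO   373217.25   369885.75    false    2024-10-07 12:17:45.443438230 +00:00   2024-10-07 12:17:44.455002827 +00:00
"""

# One data row. The trailing Toggled / Prev-toggled timestamps are optional and
# contain spaces, so they are captured as a remainder and split out afterwards.
ROW_RE = re.compile(
    r"^(?P<operation>\S+)\s+(?P<type>\S+)\s+(?P<last_value>[\d.]+)\s+(?P<alarm>\S+)\s+"
    r"(?P<activate>[\d.]+)\s+(?P<deactivate>[\d.]+)\s+(?P<status>true|false)(?P<rest>.*)$"
)
TS_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ [+-]\d{2}:\d{2}")


def parse_operations(text):
    """Return one dict per operation row; separator and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("-") or line.startswith("Operation"):
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        stamps = TS_RE.findall(m.group("rest"))
        rows.append({
            "operation": m.group("operation"),
            "type": m.group("type"),
            "last_value": float(m.group("last_value")),
            "alarm": m.group("alarm"),
            "activate": float(m.group("activate")),
            "deactivate": float(m.group("deactivate")),
            "status": m.group("status") == "true",
            "toggled": stamps[0] if len(stamps) > 0 else None,
            "prev_toggled": stamps[1] if len(stamps) > 1 else None,
        })
    return rows


def status_matches(text, operation, alarm, expected):
    """Apply the same check the steps above use, e.g.
    (OPER_STO)\\s+(storage)[\\s\\d.]+(ALARM_STO)[\\s\\d.]+(true), with the names
    escaped so they are matched literally."""
    pattern = (rf"({re.escape(operation)})\s+(storage)[\s\d.]+"
               rf"({re.escape(alarm)})[\s\d.]+({expected})")
    return re.search(pattern, text) is not None


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after delete", SAMPLE_AFTER_DELETE)):
        row = parse_operations(sample)[0]
        print(label, row["status"], row["last_value"], row["toggled"], row["prev_toggled"])
        print("  regex check for 'false':", status_matches(sample, "OPER_STO", "ALARM_STO", "false"))
```

The regex form used by the page is enough to assert the status, but the parsed row also exposes Last-Value, which lags the real usage by one sampling interval in Step 13, so a script that compares Last-Value against Activate should allow for that lag rather than treat it as a failure.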