SSM

The following scenario shows how to configure different SSM (System Service Monitoring) operations. SSM operations can be used to monitor several system states (e.g., CPU, memory, storage and temperature), activating or deactivating previously defined alarms when the monitored states reach certain threshold values.

Monitoring Storage

Description

In this scenario an SSM operation is configured in DUT0 to monitor the storage state of the system and activate or deactivate an alarm when said state reaches a defined threshold value. First, the alarm is activated when a new file is downloaded. Then the alarm is deactivated when the downloaded file is deleted.

Scenario

Step 1: Run command show system storage at DUT0 and expect this output:

Show output
Total Storage: 7.767 GB
Free Storage: 7.384 GB
Used Storage: 392.477 MB

Step 2: Set the following configuration in DUT0:

set service ssm log-level notice
set service ssm operation OPER_STO alarm ALARM_STO activate value 406893.25
set service ssm operation OPER_STO alarm ALARM_STO deactivate value 403561.75
set service ssm operation OPER_STO description 'OPER_STO operation description'
set service ssm operation OPER_STO interval 0.05
set service ssm operation OPER_STO type storage
set system alarm ALARM_STO
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Note

To emulate an increase in storage usage, a file with a known size could be downloaded. To activate the alarm with this increase in storage used, the alarm activation threshold must be adjusted with the value resulting from adding the current used storage and the size of the new file to be downloaded. In this example, the value set as the activation threshold is 406893.25K, since the value of the current used storage is 401896K and the size of the new file to be downloaded is 6663K. Also, to emulate a decrease in storage used, the previously downloaded file could be deleted. To deactivate the alarm with this decrease in storage used, the alarm deactivation threshold must be adjusted with the value of the storage used before downloading the new file. In this example, the value set as the deactivation threshold is 403561.75K.

Step 3: Run command service ssm operation show at DUT0 and check if output contains the following tokens:

OPER_STO
Show output
-----------------------------------------------------------------------------------------------
Operation   Type    Last-Value    Alarm    Activate   Deactivate  Status  Toggled  Prev-toggled
-----------------------------------------------------------------------------------------------
OPER_STO   storage   401896.00  ALARM_STO  406893.25   403561.75  false

Step 4: Run command system alarm ALARM_STO show at DUT0 and check if output matches the following regular expressions:

(ALARM_STO)\s+(false)
Show output
-------------------------------------------------------------------
  Alarm    Status  Toggled  Prev-toggled  Toggle-count  Time up (%)
-------------------------------------------------------------------
ALARM_STO  false                                     0         0.00

Step 5: Run command service ssm operation OPER_STO show at DUT0 and check if output matches the following regular expressions:

(OPER_STO)\s+(storage)[\s\d.]+(ALARM_STO)[\s\d.]+(false)
Show output
-----------------------------------------------------------------------------------------------
Operation   Type    Last-Value    Alarm    Activate   Deactivate  Status  Toggled  Prev-toggled
-----------------------------------------------------------------------------------------------
OPER_STO   storage   401896.00  ALARM_STO  406893.25   403561.75  false

Step 6: Run command service ssm operation show at DUT0 and check if output matches the following regular expressions:

(OPER_STO)\s+(storage)[\s\d.]+(ALARM_STO)[\s\d.]+(false)
Show output
-----------------------------------------------------------------------------------------------
Operation   Type    Last-Value    Alarm    Activate   Deactivate  Status  Toggled  Prev-toggled
-----------------------------------------------------------------------------------------------
OPER_STO   storage   401896.00  ALARM_STO  406893.25   403561.75  false

Note

The previous command output should show that the operation has been created successfully and that the alarm is deactivated, since the storage used has not yet increased.

Step 7: Modify the following configuration lines in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24

Step 8: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.255 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.255/0.255/0.255/0.000 ms

Step 9: Run command file copy http://10.215.168.1/~robot/ssm_test_file running:// force at DUT0 and expect this output:

Show output
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 6663k  100 6663k    0     0  77.2M      0 --:--:-- --:--:-- --:--:-- 77.4M

Step 10: Run command file show running:// at DUT0 and check if output contains the following tokens:

ssm_test_file
Show output
----------------------------------------------------------------------------------------
             Name                           Type                Size     Last modified
----------------------------------------------------------------------------------------
  OSDx\ version(1).gz         application/gzip                  36B    2026 Feb 19 07:15
  auth/                       directory                         13KB   2026 Feb 19 09:36
  base-enc.diff1              application/octet-stream          256B   2026 Feb 19 10:51
  base-enc.rules              application/octet-stream          272B   2026 Feb 19 10:51
  base.diff1                  text/plain                        238B   2026 Feb 19 10:51
  base.diff2                  text/plain                        510B   2026 Feb 19 10:38
  base.diff2-aes256           application/octet-stream          528B   2026 Feb 19 10:52
  base.rules                  text/plain                        245B   2026 Feb 19 10:38
  config.boot                 regular file, no read permission  349B   2026 Feb 19 07:17
  coredump/                   directory                         4.0KB  2026 Feb 19 10:48
  dos.rules                   text/plain                        62KB   2026 Feb 19 10:42
  drop-performance.rules      text/plain                        200B   2026 Feb 19 10:41
  filehash-md5-drop.rules     text/plain                        113B   2026 Feb 19 10:53
  filehash-sha1-drop.rules    text/plain                        116B   2026 Feb 19 10:53
  filehash-sha256-drop.rules  text/plain                        122B   2026 Feb 19 10:54
  firewall/                   directory                         4.0KB  2026 Feb 19 10:59
  hashset-md5.list            text/plain                        33B    2026 Feb 19 10:53
  hashset-sha1.list           text/plain                        40B    2026 Feb 19 10:53
  hashset-sha256.list         text/plain                        65B    2026 Feb 19 10:54
  hs.rules                    text/plain                        109KB  2026 Feb 19 10:38
  http-alert.rules            text/plain                        85B    2026 Feb 19 10:38
  kerneldump/                 directory                         4.3KB  2026 Feb 19 07:14
  local.rules                 text/plain                        357B   2026 Feb 19 10:47
  log/                        directory                         1.6MB  2026 Feb 19 11:53
  nids.html                   text/html                         220B   2026 Feb 19 10:53
  ruleset.tar.gz              application/octet-stream          352B   2026 Feb 19 10:52
  save-hist/                  directory                         4.0KB  2026 Feb 19 07:14
  scripts/                    directory                         4.0KB  2026 Feb 19 06:53
  ssm_test_file               text/plain                        6.6MB  2026 Feb 19 12:26
  support/                    directory                         4.3KB  2026 Feb 19 07:16
  suricata.minimal.rules      text/plain                        3.7MB  2026 Feb 19 10:38
  test-performance-udp.rules  text/plain                        133B   2026 Feb 19 10:41
  test-performance.rules      text/plain                        129B   2026 Feb 19 10:41
  test_file_diff/             directory                         8.1KB  2026 Feb 19 07:16
  tls-alert.rules             text/plain                        201B   2026 Feb 19 10:54
  tor.rules                   text/plain                        714KB  2026 Feb 19 10:42
  udp-alert.rules             text/plain                        78B    2026 Feb 19 10:38
  uid                         text/html                         220B   2026 Feb 19 10:46
  user-data/                  directory                         4.0KB  2026 Feb 19 06:53
  volatile/                   directory                         4.0KB  2026 Feb 19 08:53

Note

With the previous command, a file with a known size is downloaded, thus causing an increase in the storage used.

Step 11: Run command show system storage at DUT0 and expect this output:

Show output
Total Storage: 7.767 GB
Free Storage: 7.377 GB
Used Storage: 398.984 MB

Step 12: Run command system alarm ALARM_STO show at DUT0 and check if output matches the following regular expressions:

(ALARM_STO)\s+(true)
Show output
--------------------------------------------------------------------------------------------
  Alarm    Status              Toggled               Prev-toggled  Toggle-count  Time up (%)
--------------------------------------------------------------------------------------------
ALARM_STO  true    2026-02-19 12:26:13.557830+00:00                           1        20.16

Step 13: Run command service ssm operation OPER_STO show at DUT0 and check if output matches the following regular expressions:

(OPER_STO)\s+(storage)[\s\d.]+(ALARM_STO)[\s\d.]+(true)
Show output
---------------------------------------------------------------------------------------------------------
Operation   Type    Last-Value    Alarm    Activate   Deactivate  Status       Toggled       Prev-toggled
---------------------------------------------------------------------------------------------------------
OPER_STO   storage   401896.00  ALARM_STO  406893.25   403561.75  true    1771503973.557830

Step 14: Run command service ssm operation show at DUT0 and check if output matches the following regular expressions:

(OPER_STO)\s+(storage)[\s\d.]+(ALARM_STO)[\s\d.]+(true)
Show output
---------------------------------------------------------------------------------------------------------
Operation   Type    Last-Value    Alarm    Activate   Deactivate  Status       Toggled       Prev-toggled
---------------------------------------------------------------------------------------------------------
OPER_STO   storage   408560.00  ALARM_STO  406893.25   403561.75  true    1771503973.557830

Note

The previous command output should show that the alarm is activated, since the storage used has increased after downloading the new file.

Step 15: Delete a file by running file delete $running://ssm_test_file.

Note

With the previous command, the downloaded file is deleted, thus causing a decrease in the storage used.

Step 16: Run command show system storage at DUT0 and expect this output:

Show output
Total Storage: 7.767 GB
Free Storage: 7.384 GB
Used Storage: 392.477 MB

Step 17: Run command system alarm ALARM_STO show at DUT0 and check if output matches the following regular expressions:

(ALARM_STO)\s+(false)
Show output
----------------------------------------------------------------------------------------------------------------
  Alarm    Status              Toggled                         Prev-toggled            Toggle-count  Time up (%)
----------------------------------------------------------------------------------------------------------------
ALARM_STO  false   2026-02-19 12:26:14.511089+00:00  2026-02-19 12:26:13.557830+00:00             2        31.89

Step 18: Run command service ssm operation OPER_STO show at DUT0 and check if output matches the following regular expressions:

(OPER_STO)\s+(storage)[\s\d.]+(ALARM_STO)[\s\d.]+(false)
Show output
--------------------------------------------------------------------------------------------------------------
Operation   Type    Last-Value    Alarm    Activate   Deactivate  Status       Toggled         Prev-toggled
--------------------------------------------------------------------------------------------------------------
OPER_STO   storage   408560.00  ALARM_STO  406893.25   403561.75  false   1771503974.511089  1771503973.557830

Step 19: Run command service ssm operation show at DUT0 and check if output matches the following regular expressions:

(OPER_STO)\s+(storage)[\s\d.]+(ALARM_STO)[\s\d.]+(false)
Show output
--------------------------------------------------------------------------------------------------------------
Operation   Type    Last-Value    Alarm    Activate   Deactivate  Status       Toggled         Prev-toggled
--------------------------------------------------------------------------------------------------------------
OPER_STO   storage   408560.00  ALARM_STO  406893.25   403561.75  false   1771503974.511089  1771503973.557830

Note

The previous command output should show that the alarm is deactivated, since the storage used has decreased after the deletion of the downloaded file.
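
The following Python model is an added example, not OSDx code. It replays the scenario's storage values against the two configured thresholds and shows why separate activate and deactivate values keep an alarm from flapping when a reading hovers near a single cut-off. The class and function names are hypothetical, and the comparison semantics (">=" to activate, "<=" to deactivate) are an assumption, since the page only says the alarm toggles when the value reaches the threshold.

```python
from dataclasses import dataclass


@dataclass
class HysteresisAlarm:
    activate: float      # alarm turns on when the value reaches this
    deactivate: float    # alarm turns off when the value falls back to this
    active: bool = False
    toggle_count: int = 0

    def update(self, value: float) -> bool:
        # Assumed semantics: ">=" activates, "<=" deactivates; values in
        # between leave the current state untouched.
        if not self.active and value >= self.activate:
            self.active, self.toggle_count = True, self.toggle_count + 1
        elif self.active and value <= self.deactivate:
            self.active, self.toggle_count = False, self.toggle_count + 1
        return self.active


def run(alarm, samples):
    """Feed samples in order and return the alarm status after each one."""
    return [alarm.update(v) for v in samples]


def thresholds_fit(before, after, activate, deactivate):
    """True if the alarm stays off at `before`, fires at `after`,
    and clears again once usage returns to `before`."""
    return before <= deactivate < activate <= after


# Values taken from the scenario output (in K): Last-Value before and after
# the download, and the configured thresholds.
BEFORE, AFTER = 401896.00, 408560.00
ACTIVATE, DEACTIVATE = 406893.25, 403561.75

# Constructed sample series: idle, idle, file downloaded (x2), file deleted.
SCENARIO = [BEFORE, BEFORE, AFTER, AFTER, BEFORE]
# Constructed noisy readings hovering around a single 405000 K cut-off.
NOISY = [404900, 405100, 404950, 405200, 404800]

if __name__ == "__main__":
    alarm = HysteresisAlarm(ACTIVATE, DEACTIVATE)
    print("scenario:", run(alarm, SCENARIO), "toggles:", alarm.toggle_count)
    single = HysteresisAlarm(405000, 405000)   # one threshold for both edges
    banded = HysteresisAlarm(ACTIVATE, DEACTIVATE)
    run(single, NOISY)
    run(banded, NOISY)
    print("noisy toggles, single threshold:", single.toggle_count)
    print("noisy toggles, two thresholds:  ", banded.toggle_count)
```

The scenario series ends with a toggle count of 2, matching the Toggle-count column shown in Step 17.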