Cisco Firepower Management Center 4000 Developer Guide
FireSIGHT System Remediation API Guide
Chapter 3 Communicating with the Remediation Subsystem
    <pe_item>dest_protocol</pe_item>
  </policy_event_data>
</remediation_type>
<remediation_type name="acl_insert">
  <display_name>ACL Insertion</display_name>
  <policy_event_data>
    <pe_item>src_ip_addr</pe_item>
    <pe_item>src_port</pe_item>
    <pe_item>src_protocol</pe_item>
    <pe_item>dest_ip_addr</pe_item>
    <pe_item>dest_port</pe_item>
    <pe_item>dest_protocol</pe_item>
  </policy_event_data>
  <config_template>
    <integer>
      <name>acl_num</name>
      <display_name>ACL Number</display_name>
    </integer>
  </config_template>
</remediation_type>
The example above contains 3 remediation types: block_src, block_dest, and acl_insert. Each of these requires specific correlation event (pe_item) data. The acl_insert remediation type also requires configuration data, which is specified in its config_template child element; users must provide an ACL number when they configure instances of that type.
Defining Exit Statuses
The remediation subsystem expects to receive an exit status, or return code, in the form of an integer
from your remediation module.
Cisco provides a set of predefined exit status messages your remediation module can return. You can
return predefined exit statuses, which correspond to integer values between 1 and 128, inclusive. The
following lists and describes these predefined exit status codes.
Table 3-14 Predefined Exit Statuses

Exit Status  Description
0            Successful completion of remediation.
1            Error in the input provided to the remediation module.
2            Error in the remediation module configuration.
3            Error logging into the remote device or server.
4            Unable to gain required privileges on remote device or server.
5            Timeout logging into remote device or server.
6            Timeout executing remote commands or servers.
7            The remote device or server was unreachable.
8            The remediation was attempted but failed.
10           A white-list match was found.
11           Failed to execute remediation program.
20           Unknown/unexpected error.
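The following is an added example, not code from the Cisco guide: a sketch of how an acl_insert module could validate its untrusted event data and map each failure to a status from Table 3-14. The choice of Python, the function name acl_insert, the whitelist and push_acl parameters, and the mapping of Python exceptions to statuses are all assumptions made for illustration.

```python
import enum
import ipaddress
import sys

class ExitStatus(enum.IntEnum):
    """Predefined exit statuses, as listed in Table 3-14."""
    SUCCESS = 0
    INPUT_ERROR = 1
    CONFIG_ERROR = 2
    LOGIN_ERROR = 3
    PRIVILEGE_ERROR = 4
    LOGIN_TIMEOUT = 5
    COMMAND_TIMEOUT = 6
    UNREACHABLE = 7
    REMEDIATION_FAILED = 8
    WHITELIST_MATCH = 10
    EXEC_FAILED = 11
    UNKNOWN_ERROR = 20

def acl_insert(src_ip_addr, acl_num, whitelist, push_acl):
    """Return the exit status for one acl_insert run (hypothetical helper)."""
    try:
        ip = ipaddress.ip_address(src_ip_addr)  # event data is untrusted
    except ValueError:
        return ExitStatus.INPUT_ERROR
    try:
        acl = int(acl_num)  # instance configuration (config_template)
        nets = [ipaddress.ip_network(n) for n in whitelist]
    except (TypeError, ValueError):
        return ExitStatus.CONFIG_ERROR
    if any(ip in net for net in nets):
        return ExitStatus.WHITELIST_MATCH  # do not act on protected hosts
    try:
        push_acl(str(ip), acl)  # hypothetical callable that configures the device
    except PermissionError:
        return ExitStatus.PRIVILEGE_ERROR
    except TimeoutError:
        return ExitStatus.COMMAND_TIMEOUT
    except ConnectionError:
        return ExitStatus.UNREACHABLE
    except Exception:
        return ExitStatus.UNKNOWN_ERROR  # never exit with an arbitrary code
    return ExitStatus.SUCCESS

if __name__ == "__main__":
    # Constructed sample values; a no-op stands in for the device call.
    sys.exit(int(acl_insert("203.0.113.9", "101", ["10.0.0.0/8"], lambda ip, acl: None)))
```

Only the normalized address string produced by ipaddress reaches push_acl, so a src_ip_addr value carrying extra characters is rejected with status 1 before any device command is built.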