topic Sysloging ACL violations in Network Security

Sysloging ACL violations

k.lapczuk — Sun, 10 Mar 2019 09:14:28 GMT

I have problem with configuring the alarms on IDS 4.1 when ACL violation syslog message is received. I have simple config on the router:

access-list 120 deny ip any host 10.10.17.254 log

access-list 120 permit ip any any

interface Ethernet0/0

ip address 10.10.17.254 255.255.254.0

ip access-group 120 in

logging trap debugging

logging 10.10.17.245

logging 10.10.17.17

The syslogs are sent - I can see it on my second Syslog server. The 10.10.17.245 is a IDS4250XL.

The configuration of the custom signature is as follows:

SERVICE.SYSLOG

-----------------------------------------------

version: 4.0 <protected>

signatures (min: 0, max: 1000, current: 1)

-----------------------------------------------

SIGID: 21000

SubSig: 0 <defaulted>

AclDataSource:

AclFilterName:

AlarmDelayTimer:

AlarmInterval:

AlarmSeverity: medium <defaulted>

AlarmThrottle: FireAll <defaulted>

AlarmTraits:

CapturePacket: False <defaulted>

ChokeThreshold:

Enabled: True <defaulted>

EventAction:

Facility:

FlipAddr:

MaxInspectLength:

MaxTTL:

MinHits:

Priority:

Protocol: IP default: UDP

ResetAfterIdle: 15 <defaulted>

SigComment:

SigName: SERVICE.SYSLOG <defaulted>

SigStringInfo:

SigVersion:

StorageKey: xxxx <defaulted>

SummaryKey: xxBx

ThrottleInterval: 15 <defaulted>

WantFrag:

As I checked with nmap, UDP port 514 on IDS4250 is closed. How can I open it to get the syslogs? Or is there any other way to get the ACL violation logs?

Re: Sysloging ACL violations

marcabal — Fri, 21 Jan 2005 17:56:04 GMT

Your signature definition is incomplete.

You need to specify:

AclDataSource:

AclFilterName:

AclDataSource is the IP Address of the router from which the syslog messages are being generated. Look at your tcpdump output to confirm which of the router's ips is being used as the source address of the syslog packets.

AclFilterName is the ACL Name/Number (in your case "120")

It has been awhile since I have dealt with the syslog stuff, but if my memmory serves me the sensor does not actually open port 514. Instead it sniffs the command and control port looking for specific packets (from the AclDataSource to the Sensor's Command and Control, UDP packet with destination port 514). This prevents the sensor from being intentionally or accidentally flooded with syslog packets from other machines. The syslogs sent to the sensor never get logged as syslog entries (the internal syslog is connected to any externally acessible port), instead they are sniffed by sensorApp, analyzed, and when needed turned into an IDS alarm.

Re: Sysloging ACL violations

k.lapczuk — Sat, 22 Jan 2005 21:22:29 GMT

I tried it as well, with no success. Syslogs are sent with correct ip address (logging source-interface). I tried also the log-acl-violation=true in the Network Access section of the config but, it didn't help. Any other ideas?