Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4400
Views
0
Helpful
2
Replies

Cisco IDS log format

anusuya_k
Level 1
Level 1

‎11-24-2008 03:02 AM - edited ‎03-10-2019 04:23 AM

Hi,

Where can I find the description of Cisco IDS log format? I can find information about total signatures and the meaning of the signatures. But I cannot find the following:

1) what are the different log formats supported by Cisco IDS (XML, plain text etc)

2) what parameters to expect in the log messages and the order, meaning of the same.

For eg: if I saw following sample message in a website. How do I understand what each parameter is supposed to mean.

4,1001256,2002/04/11,01:17:49,2002/04/10,20:17:49,10008,100,101,OUT,IN,5,5126,

0,TCP/IP,64.194.107.85,W.X.Y.124,32768,80,0.0.0.0,

Thanks

KAD

1 person had this problem
Labels:
0 Helpful
2 Replies 2

smalkeric
Level 6
Level 6

‎12-01-2008 12:49 PM

Follwoing is one of the example of IDS log format message:

%PIX|ASA-4-4000nn: IPS:number string from IP_address to IP_address on

interface interface_name

Explanation Messages 400000 through 400051 are Cisco Intrusion Detection System signature messages. For more information, see the Cisco Intrusion Detection System User Guide.

Recommended Action For more information, see the Cisco Intrusion Detection System User Guide. All signature messages are not supported by the security appliance in this release. IPS system log messages all start with 4-4000nn and have the following format:

number - The signature number.

string - The signature message-approximately the same as the NetRanger signature message.

IP_address - The local to remote address to which the signature applies.

interface_name - The name of the interface on which the signature originated.

For example:

%PIX|ASA-4-400013 IPS:2003 ICMP redirect from 10.4.1.2 to 10.2.1.1 on interface dmz

%PIX|ASA-4-400032 IPS:4051 UDP Snork attack from 10.1.1.1 to 192.168.1.1 on interface

outside

0 Helpful

anusuya_k
Level 1
Level 1
In response to smalkeric

‎12-01-2008 09:03 PM

Thanks for the response. But the format %PIX|ASA-4-4000nn is specific to IDS/IPS module messages on Cisco ASA/PIX. I am looking for the message format of Cisco IDS appliance itself. I understand cisco IDS supports SDEE, so when it is exported as text, it may generate the text format logs as I put in the initial message. I am looking for description of this log format.

Thanks

KAD

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card