01-21-2005 05:57 AM - edited 03-10-2019 01:14 AM
I have a problem with configuring the alarms on IDS 4.1 when an ACL violation syslog message is received. I have a simple config on the router:
access-list 120 deny ip any host 10.10.17.254 log
access-list 120 permit ip any any
interface Ethernet0/0
ip address 10.10.17.254 255.255.254.0
ip access-group 120 in
logging trap debugging
logging 10.10.17.245
logging 10.10.17.17
The syslogs are sent - I can see them on my second syslog server. 10.10.17.245 is an IDS4250XL.
The configuration of the custom signature is as follows:
SERVICE.SYSLOG
-----------------------------------------------
version: 4.0 <protected>
signatures (min: 0, max: 1000, current: 1)
-----------------------------------------------
SIGID: 21000
SubSig: 0 <defaulted>
AclDataSource:
AclFilterName:
AlarmDelayTimer:
AlarmInterval:
AlarmSeverity: medium <defaulted>
AlarmThrottle: FireAll <defaulted>
AlarmTraits:
CapturePacket: False <defaulted>
ChokeThreshold:
Enabled: True <defaulted>
EventAction:
Facility:
FlipAddr:
MaxInspectLength:
MaxTTL:
MinHits:
Priority:
Protocol: IP default: UDP
ResetAfterIdle: 15 <defaulted>
SigComment:
SigName: SERVICE.SYSLOG <defaulted>
SigStringInfo:
SigVersion:
StorageKey: xxxx <defaulted>
SummaryKey: xxBx
ThrottleInterval: 15 <defaulted>
WantFrag:
As I checked with nmap, UDP port 514 on IDS4250 is closed. How can I open it to get the syslogs? Or is there any other way to get the ACL violation logs?
01-21-2005 09:56 AM
Your signature definition is incomplete.
You need to specify:
AclDataSource:
AclFilterName:
AclDataSource is the IP Address of the router from which the syslog messages are being generated. Look at your tcpdump output to confirm which of the router's ips is being used as the source address of the syslog packets.
AclFilterName is the ACL Name/Number (in your case "120")
It has been a while since I have dealt with the syslog stuff, but if my memory serves me the sensor does not actually open port 514. Instead it sniffs the command and control port looking for specific packets (from the AclDataSource to the Sensor's Command and Control, UDP packet with destination port 514). This prevents the sensor from being intentionally or accidentally flooded with syslog packets from other machines. The syslogs sent to the sensor never get logged as syslog entries (the internal syslog is connected to any externally accessible port), instead they are sniffed by sensorApp, analyzed, and when needed turned into an IDS alarm.
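As an added example (not code from the thread, the sensor or the poster), the filter the reply describes, modelled in Python over constructed IOS ACL log messages: only UDP/514 datagrams from the AclDataSource address whose message names the AclFilterName ACL turn into an alarm. ACL_DATA_SOURCE, ACL_FILTER_NAME, the "denied"-only rule and the sample messages are assumptions built from the values in the thread.

```python
import re
from dataclasses import dataclass

# Assumed values taken from the thread: the router address the syslog packets come
# from (AclDataSource) and the ACL number the signature watches (AclFilterName).
ACL_DATA_SOURCE = "10.10.17.254"
ACL_FILTER_NAME = "120"

# Cisco IOS ACL logging messages look like
#   %SEC-6-IPACCESSLOGP: list 120 denied tcp 192.0.2.10(4123) -> 10.10.17.254(23), 1 packet
# (IPACCESSLOGDP for ICMP carries "(type/code)" instead of ports).
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?(?: \(\d+/\d+\))?, (?P<count>\d+) packets?"
)

@dataclass
class Alarm:
    sig_id: int
    acl: str
    proto: str
    src: str
    dst: str
    packets: int

def match_acl_violation(syslog_src_ip, dst_port, message, sig_id=21000):
    """Return an Alarm if this syslog datagram would fire the custom signature, else None."""
    # Same filter the sensor applies: only UDP/514 from the configured AclDataSource.
    if dst_port != 514 or syslog_src_ip != ACL_DATA_SOURCE:
        return None
    m = ACL_LOG_RE.search(message)
    # Assumption: only "denied" entries for the watched ACL count as violations.
    if not m or m.group("acl") != ACL_FILTER_NAME or m.group("action") != "denied":
        return None
    return Alarm(sig_id, m.group("acl"), m.group("proto"),
                 m.group("src"), m.group("dst"), int(m.group("count")))

# Constructed sample datagrams: (source IP, UDP destination port, syslog payload).
SAMPLE_DATAGRAMS = [
    ("10.10.17.254", 514, "<190>123: *Jan 21 05:50:01: %SEC-6-IPACCESSLOGP: list 120 denied tcp 192.0.2.10(4123) -> 10.10.17.254(23), 1 packet"),
    ("10.10.17.254", 514, "<190>124: *Jan 21 05:50:07: %SEC-6-IPACCESSLOGDP: list 120 denied icmp 192.0.2.10 -> 10.10.17.254 (8/0), 3 packets"),
    ("10.10.17.254", 514, "<190>125: *Jan 21 05:50:09: %SEC-6-IPACCESSLOGP: list 120 permitted udp 192.0.2.11(53) -> 10.10.17.254(53), 1 packet"),
    ("10.10.17.1", 514, "<190>126: *Jan 21 05:50:12: %SEC-6-IPACCESSLOGP: list 120 denied tcp 192.0.2.12(1025) -> 10.10.17.254(22), 1 packet"),
    ("10.10.17.254", 514, "<189>127: *Jan 21 05:50:15: %SYS-5-CONFIG_I: Configured from console by console"),
]

def alarms_for(datagrams):
    """Run every datagram through the signature and keep the ones that fire."""
    return [a for a in (match_acl_violation(*d) for d in datagrams) if a]
```

Of the five constructed datagrams only the first two fire: the permitted entry, the message from a different router and the non-ACL message are all dropped before an alarm is produced.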
01-22-2005 01:22 PM
I tried it as well, with no success. Syslogs are sent with the correct IP address (logging source-interface). I also tried log-acl-violation=true in the Network Access section of the config, but it didn't help. Any other ideas?