769 Views | 0 Helpful | 2 Replies

Sysloging ACL violations

k.lapczuk
Level 1

I have a problem with configuring alarms on IDS 4.1 when an ACL violation syslog message is received. I have a simple config on the router:

access-list 120 deny ip any host 10.10.17.254 log
access-list 120 permit ip any any

interface Ethernet0/0
 ip address 10.10.17.254 255.255.254.0
 ip access-group 120 in

logging trap debugging
logging 10.10.17.245
logging 10.10.17.17

The syslogs are sent; I can see them on my second syslog server. 10.10.17.245 is an IDS4250XL.

The configuration of the custom signature is as follows:

SERVICE.SYSLOG
-----------------------------------------------
version: 4.0 <protected>
signatures (min: 0, max: 1000, current: 1)
-----------------------------------------------
SIGID: 21000
SubSig: 0 <defaulted>
AclDataSource:
AclFilterName:
AlarmDelayTimer:
AlarmInterval:
AlarmSeverity: medium <defaulted>
AlarmThrottle: FireAll <defaulted>
AlarmTraits:
CapturePacket: False <defaulted>
ChokeThreshold:
Enabled: True <defaulted>
EventAction:
Facility:
FlipAddr:
MaxInspectLength:
MaxTTL:
MinHits:
Priority:
Protocol: IP default: UDP
ResetAfterIdle: 15 <defaulted>
SigComment:
SigName: SERVICE.SYSLOG <defaulted>
SigStringInfo:
SigVersion:
StorageKey: xxxx <defaulted>
SummaryKey: xxBx
ThrottleInterval: 15 <defaulted>
WantFrag:

When I checked with nmap, UDP port 514 on the IDS4250 is closed. How can I open it to get the syslogs? Or is there any other way to get the ACL violation logs?

2 Replies

marcabal
Cisco Employee

Your signature definition is incomplete.

You need to specify:

AclDataSource:

AclFilterName:

AclDataSource is the IP Address of the router from which the syslog messages are being generated. Look at your tcpdump output to confirm which of the router's ips is being used as the source address of the syslog packets.

AclFilterName is the ACL Name/Number (in your case "120")

It has been a while since I have dealt with the syslog stuff, but if my memory serves me the sensor does not actually open port 514. Instead it sniffs the command and control port looking for specific packets (from the AclDataSource to the Sensor's Command and Control, UDP packet with destination port 514). This prevents the sensor from being intentionally or accidentally flooded with syslog packets from other machines. The syslogs sent to the sensor never get logged as syslog entries (the internal syslog is connected to any externally accessible port), instead they are sniffed by sensorApp, analyzed, and when needed turned into an IDS alarm.
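The filtering that marcabal describes (only UDP/514 datagrams from the AclDataSource address to the sensor's command-and-control address are parsed, and only messages naming the AclFilterName ACL become alarms) can be sketched as a small inspector. The Python below is an added example written for this thread; it is not Cisco code and not how sensorApp is implemented. It parses the standard IOS ACL log formats (%SEC-6-IPACCESSLOGP, IPACCESSLOGNP and IPACCESSLOGDP), reuses the router and sensor addresses from the poster's config, and feeds in constructed sample datagrams rather than captured ones. It also shows why a closed port 514 in an nmap scan is expected: nothing here listens on a socket, the datagrams are inspected off the wire.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS ACL "log" messages: IPACCESSLOGP (tcp/udp, with ports), IPACCESSLOGNP (other
# protocols, shown by protocol number), IPACCESSLOGDP (icmp, with type/code).
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>\w+): list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\S+) (?P<src>\d+(?:\.\d+){3})(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\((?P<dport>\d+)\))?(?: \((?P<icmp>\d+/\d+)\))?"
    r", (?P<count>\d+) packets?"
)

# One sniffed UDP datagram: (source ip, destination ip, destination port, payload).
Datagram = Tuple[str, str, int, str]


@dataclass(frozen=True)
class Alarm:
    sig_id: int
    acl: str
    action: str
    proto: str
    src: str
    dst: str
    count: int


@dataclass(frozen=True)
class SyslogSignature:
    """The fields marcabal says must be filled in on SIGID 21000 (example values)."""
    sig_id: int = 21000
    acl_data_source: str = "10.10.17.254"  # router address used as syslog source (assumed; confirm with tcpdump)
    acl_filter_name: str = "120"           # ACL number from the poster's router config
    sensor_addr: str = "10.10.17.245"      # sensor command-and-control address from the poster's config

    def match(self, dgram: Datagram) -> Optional[Alarm]:
        src_ip, dst_ip, dst_port, payload = dgram
        # Only datagrams from AclDataSource to the sensor's C&C address on UDP/514
        # are parsed at all; anything else is dropped before inspection, which is
        # what keeps unrelated syslog floods from reaching the analysis stage.
        if dst_port != 514 or src_ip != self.acl_data_source or dst_ip != self.sensor_addr:
            return None
        m = ACL_LOG_RE.search(payload)
        if m is None or m.group("acl") != self.acl_filter_name:
            return None
        return Alarm(self.sig_id, m.group("acl"), m.group("action"), m.group("proto"),
                     m.group("src"), m.group("dst"), int(m.group("count")))


def inspect(sig: SyslogSignature, dgrams: List[Datagram]) -> List[Alarm]:
    """Return one alarm per datagram that passes the signature's filters."""
    alarms = []
    for d in dgrams:
        a = sig.match(d)
        if a is not None:
            alarms.append(a)
    return alarms


# Constructed sample datagrams (not captures). Router and sensor addresses come from
# the poster's configuration; the client hosts 10.10.16.x are made up.
SAMPLE_DATAGRAMS: List[Datagram] = [
    ("10.10.17.254", "10.10.17.245", 514,
     "<190>123: *Mar  1 00:12:45.123: %SEC-6-IPACCESSLOGP: list 120 denied tcp "
     "10.10.16.7(3456) -> 10.10.17.254(23), 1 packet"),
    ("10.10.17.254", "10.10.17.245", 514,
     "<190>124: *Mar  1 00:12:47.003: %SEC-6-IPACCESSLOGNP: list 120 denied 47 "
     "10.10.16.9 -> 10.10.17.254, 1 packet"),
    ("10.10.17.254", "10.10.17.245", 514,
     "<190>125: *Mar  1 00:12:50.500: %SEC-6-IPACCESSLOGDP: list 120 denied icmp "
     "10.10.16.9 -> 10.10.17.254 (8/0), 3 packets"),
    # Same router, different ACL: AclFilterName does not match, no alarm.
    ("10.10.17.254", "10.10.17.245", 514,
     "<190>126: *Mar  1 00:12:52.000: %SEC-6-IPACCESSLOGP: list 150 denied udp "
     "10.10.16.7(1900) -> 10.10.17.254(1900), 1 packet"),
    # Well-formed message from another host: AclDataSource does not match, no alarm.
    ("10.10.17.99", "10.10.17.245", 514,
     "<190>77: *Mar  1 00:12:53.000: %SEC-6-IPACCESSLOGP: list 120 denied tcp "
     "10.10.16.7(3457) -> 10.10.17.254(23), 1 packet"),
    # Not syslog at all (SNMP trap port): never inspected.
    ("10.10.17.254", "10.10.17.245", 162, "not a syslog message"),
]

if __name__ == "__main__":
    for alarm in inspect(SyslogSignature(), SAMPLE_DATAGRAMS):
        print(alarm)
```

The first three datagrams become alarms and the last three are dropped by one filter each, which is the behaviour to expect from the real signature once AclDataSource and AclFilterName are set: if the source address the router actually stamps on the syslog packets (check it with tcpdump on the sensor, as suggested above) differs from AclDataSource, every message is silently dropped before parsing.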

I tried it as well, with no success. The syslogs are sent with the correct IP address (logging source-interface). I also tried log-acl-violation=true in the Network Access section of the config, but it didn't help. Any other ideas?
