cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
675
Views
0
Helpful
2
Replies

acl violation question

c-fay
Level 1
Level 1

I use a acl in my router to get violation information,IDS can work well,I can

get any information I want in event view.(the acl number is 110)

But,I set new acl in the same router on my vty line:

access-list 10 permit 172.10.10.1

access-list 10 deny any log

line vty 0 4

access-class 10 in

now,I add a acl violation signature 10 in my signature template and update it,

but I can't look any alarm about vty access deny log .

Is the vty diff interface normal acl ? how can I do it to get vty access violation in my CSPM?

thankx~~

2 Replies 2

marcabal
Cisco Employee
Cisco Employee

This is the first time I've seen somebody try this with the router/sensor.

Things to consider/try:

1) Since it is the same router as you already have alarms being generated for acl 110 denials then compare the sensor configuration for the 10 acl to the sensor configuration to the 110 acl and make sure they are the same.

2) The sensor relies on a very specific format for the acl denial syslog message. It could be that syslog message is different when the acl is applied to a vty than when applied to a router interface. I also don't whether or not the log feature works when applied to the vty.

What you could do is generate the syslog messages for both the 110 acl denial and the 10 acl denial on the vty line and compare the syntax of the 2 acl messages.

(You could snoop for the syslog messages or configure the router to send to a syslog server for this test, and analyze the messages on the syslog server)

If the syntax differs or if no syslog is generated for the 10 acl then the sensor won't be able to generate an alarm.

3) Another possibility is that the 10 acl is a standard acl, while the 110 acl is an extended acl. The syslog messages generated by standard acls could be different than those generated by extended acls. If so then you might try creating an extended acl 120 to use instead of acl 10 and see if it works.

After I change to extended acl,it can work!

the sensor only received have source and dest ip log format.

thankx !