ACL Hit counting

Unanswered Question
Mar 29th, 2007

Hi. I intend to find some way to count the total ACL hits on my border routers/switches as a baselining method and to detect DoS attacks facing my network. After 2 months of searching Cisco and Googling I found no explicit way to do that (for example with an SNMP MIB), so I tried to write a shell script that can process the ACL log messages stored on my central syslog server and visualize the result via RRD-Tool. That works, but it seems the syslog messages stored on the syslog server sometimes differ from each other in string format. That causes the shell script (it uses the awk programming language and other Unix shell utilities) to fail to process the log files and crash. The result is no update on the RRD and its graph. I want to know: is there another way to count the ACL hits (total ACE hits for a given ACL) without my messy and cumbersome code? Is there any MIB for ACL hit counts? I also use "Fwlogwatch", a very powerful log analyzer, and "Rsyslog" (central syslog server with MySQL support and log separation by host).

David Stanford Thu, 03/29/2007 - 08:34

It doesn't look like there is a MIB object currently available to record ACL hits. There have been a couple of enhancement requests filed to add this support, but none yet.

Previously you could use an object from the OLD-CISCO-IP-MIB as a workaround -- "actViolation" -- but as it has been deprecated it may not be supported or return the expected results.

abolfathi_0248 Thu, 03/29/2007 - 09:26

It seems there is no MIB support for either security ACLs or QoS ACLs. I used "snmpwalk" to browse the full MIB tree on Cisco gear but there wasn't any useful information (not even about the ACE list, ACL name, ...). I am wondering, given the broad range of capability in Cisco MIBs, why Cisco gear still suffers from the absence of such a very important feature.

David Stanford Thu, 03/29/2007 - 09:32

I know that part of the reason we don't have a specific MIB for ACLs is due to security. If someone can query all of the ACL info on a device then it may create security issues.

I know that if you have SNMP RW you can pull the config, but I wouldn't think RO access to read ACL info is a good idea. It may be useful, but could be more trouble than it's worth.

abolfathi_0248 Thu, 03/29/2007 - 09:58

You are right, Davistan. But think about how useful it can be if you are able to count the ACL hits on your policy enforcement devices. NetFlow is perfect, but what it gives you is just traffic accounting. I believe a baseline methodology with NetFlow doesn't let you know about access violations, but counting the ACL hits (especially on the edge) gives you a quick view of reconnaissance attacks and DoS attacks. Something else: even with SNMP RW access to Cisco gear you can't add, delete or modify an ACL on the fly. The only way is to copy the "config" file via SNMP to the NMS, change the config file by hand, then upload the config file to it. You can see this limitation is not from a security-concern point of view.

avmabe Tue, 04/03/2007 - 13:17

As above posters indicated... this is not possible via SNMP. I researched this back when the blaster virus hit my network at a previous company. I had TAC cases opened and ended up submitting a feature request but nothing ever came from it.

In years since, if I need this functionality the only way to extract it was via scripts that logged in and parsed out what I wanted.

abolfathi_0248 Sat, 04/07/2007 - 10:09

To solve this problem, I completed my last effort and finished my shell script so it works bug free. It works fine, and now I have a baseline for dropped packets and can detect spikes in ACL hits on edge devices. What I did was:

1- send syslog from my policy enforcement devices to a central syslog server. I use "Rsyslog" because it can separate syslog messages by SENDER address and log them to separate files (and also log them in a MySQL DB).

2- run my shell script every 10 minutes and calculate the ACL hits on edge devices.

3- visualize the result with RRD-Tool.

So I can detect attacks, DoS and traffic anomalies without spending my time checking for policy violations. If someone is interested in the shell script, I can post it.
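The three steps above (per-sender syslog files, a periodic counting pass, an RRD update) can be demonstrated with the message parser below. It is an added example, not the poster's shell script, and it uses Python instead of awk for the parsing step. The point it shows is the one that crashed the awk version: the syslog prefix (rsyslog timestamp and sender, IOS sequence number, IOS timestamp) and the ACL message body (IPACCESSLOGP, IPACCESSLOGDP, IPACCESSLOGNP, the "log-input" interface annotation, the IPACCESSLOGRL rate-limit notice) vary from line to line, so the code keys on the IOS mnemonic with a regular expression instead of on whitespace-separated field positions. The sample syslog lines are constructed; the RRD file naming (acl-HOST-ACL.rrd) and the single GAUGE data source it feeds are assumptions, not anything the thread specifies.

```python
"""Count Cisco IOS ACL hits per (sender, ACL) from rsyslog-collected lines.

Added example for the thread above; not the original poster's script.
Sample lines below are constructed in the standard IOS %SEC-6-IPACCESSLOG*
formats; the RRD naming is an assumption.
"""
import re
from collections import defaultdict

# rsyslog's default "Mon DD HH:MM:SS sender" header; the sender may be a
# hostname or, when rsyslog files by sender address, an IP address.
SYSLOG_HDR = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+(?P<host>\S+)")

# One regex for the P (tcp/udp), DP (icmp), NP (other protocol) variants.
# The optional "( ... )" groups absorb the log-input interface/MAC annotation
# after the source and the "(type/code)" after an ICMP destination, which
# is exactly what shifts fields for a position-based awk script.
ACL_HIT = re.compile(
    r"%SEC-6-IPACCESSLOG[A-Z]*:\s+list\s+(?P<acl>\S+)\s+"
    r"(?P<action>permitted|denied)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)(?:\s+\([^)]*\))?\s+->\s+(?P<dst>\S+)"
    r"(?:\s+\([^)]*\))?,\s+(?P<packets>\d+)\s+packets?"
)

# Rate-limit notice: packets the router matched but did not log per-ACL.
# Counted separately so an undercount is visible on the graph.
RATE_LIMITED = re.compile(r"%SEC-6-IPACCESSLOGRL:.*?missed\s+(?P<packets>\d+)\s+packets?")


def parse_line(line, default_host="unknown"):
    """Return a dict for an ACL hit or rate-limit notice, else None.

    default_host is used when the rsyslog header is absent, e.g. when the
    per-sender file name already identifies the device.
    """
    line = line.strip()
    m = SYSLOG_HDR.match(line)
    host = m.group("host") if m else default_host
    rl = RATE_LIMITED.search(line)
    if rl:
        return {"host": host, "acl": None, "action": "missed",
                "packets": int(rl.group("packets"))}
    hit = ACL_HIT.search(line)
    if not hit:
        return None  # unrelated syslog message: skip, never crash
    rec = hit.groupdict()
    rec["packets"] = int(rec["packets"])
    rec["host"] = host
    return rec


def count_hits(lines, default_host="unknown", actions=("denied",)):
    """Sum packets per (host, acl) for the given actions.

    Returns (hits, missed): hits maps (host, acl) -> packets, missed maps
    host -> packets the router reported as rate-limited/unlogged.
    """
    hits, missed = defaultdict(int), defaultdict(int)
    for line in lines:
        rec = parse_line(line, default_host)
        if rec is None:
            continue
        if rec["acl"] is None:
            missed[rec["host"]] += rec["packets"]
        elif rec["action"] in actions:
            hits[(rec["host"], rec["acl"])] += rec["packets"]
    return dict(hits), dict(missed)


def rrd_update_commands(hits, timestamp="N"):
    """Build one 'rrdtool update' argv per (host, acl) counter.

    Assumes an RRD per host/ACL named acl-HOST-ACL.rrd with a single GAUGE
    data source holding the packets seen in the last polling interval.
    """
    return [["rrdtool", "update", f"acl-{host}-{acl}.rrd", f"{timestamp}:{pkts}"]
            for (host, acl), pkts in sorted(hits.items())]


# Constructed sample of one 10-minute window as rsyslog would store it.
SAMPLE_SYSLOG = """\
Mar 29 08:34:01 edge-rtr1 1201: *Mar 29 08:34:00.311: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(4123) -> 192.0.2.10(445), 1 packet
Mar 29 08:34:07 edge-rtr1 1202: *Mar 29 08:34:06.902: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(4124) (FastEthernet0/0 0011.2233.4455) -> 192.0.2.10(445), 7 packets
Mar 29 08:35:12 edge-rtr1 1203: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 198.51.100.9 -> 192.0.2.10 (8/0), 3 packets
Mar 29 08:35:40 edge-rtr1 1204: %SEC-6-IPACCESSLOGNP: list EDGE-IN denied 47 198.51.100.9 -> 192.0.2.11, 1 packet
Mar 29 08:36:02 edge-rtr1 1205: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 23 packets
Mar 29 08:36:30 edge-rtr1 1206: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
Mar 29 08:37:00 edge-rtr2 88: %SEC-6-IPACCESSLOGP: list 101 permitted udp 192.0.2.20(53) -> 192.0.2.10(53), 12 packets
"""

if __name__ == "__main__":
    hits, missed = count_hits(SAMPLE_SYSLOG.splitlines())
    for cmd in rrd_update_commands(hits):
        print(" ".join(cmd))
    print("rate-limited (unlogged) packets per host:", missed)
```

Run once per polling interval over the lines appended since the previous run; counting only "denied" matches the poster's dropped-packet baseline, and passing actions=("permitted", "denied") gives total ACE hits instead. The missed counter matters for the baseline: IOS rate-limits ACL logging, so a spike that saturates the logger shows up there even when the per-ACL line counts flatten out.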

