Doubt in IPS log

linker.team
Level 1

Hi,

I am trying to develop a script which will list events based on certain conditions. For this I need to know about all the attributes in the logs.

Below is a sample log:

05-12-2007 23:57:28 192.x.x.x local7.warn 2069294: 2080360: May 12 2007 23:56:48.813 CDT: %IPS-4-SIGNATURE: Sig:3109 Subsig:0 Sev:75 [<SRC IP>:<SRC_PORT> -> <Destination IP>:<DST_PORT>] RiskRating:56

Following are the attributes which I am unable to determine:

192.x.x.x - IP of the device?

SEV:75 - severity? Then what is "4" in %IPS-4? What is the range for this?

What is RiskRating:56?

Thanks in advance.

-S-


rhermes
Level 7

The 192.x.x.x is the IP address of the device sending this syslog, most likely the IOS IPS router.

SEV:75 must be a new numerical way of describing severity; what version of IOS are you running, >12.4.6T?

The 4 in %IPS-4 is the syslog level; 4 is the Warning level: http://www.routergod.com/agentsmith/

RiskRating is a Cisco thing (you really didn't search CCO much before posting your questions, did you?)

http://cisco.com/en/US/products/hw/vpndevc/ps4077/products_white_paper0900aecd80191021.shtml
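A parser for the line format quoted in the question, written here as an added example (it is not code from either poster). It splits out the fields the thread discusses: the address of the reporting device, the digit in %IPS-4-SIGNATURE mapped to the standard syslog level names 0-7 (4 = warning, as the reply says), and the Sig/Subsig/Sev/RiskRating values, which are carried through as integers so a script can filter on them without assuming anything about their scale. The sample lines, IP addresses and port numbers below are constructed placeholders, and the field and function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample lines in the layout quoted in the question. Addresses,
# ports and counters are placeholders, not real events.
SAMPLE_LOGS = [
    "05-12-2007 23:57:28 192.0.2.1 local7.warn 2069294: 2080360: "
    "May 12 2007 23:56:48.813 CDT: %IPS-4-SIGNATURE: Sig:3109 Subsig:0 Sev:75 "
    "[198.51.100.7:4432 -> 192.0.2.10:80] RiskRating:56",
    "05-12-2007 23:58:01 192.0.2.1 local7.warn 2069295: 2080361: "
    "May 12 2007 23:57:21.002 CDT: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 "
    "[198.51.100.9:2112 -> 192.0.2.11:443] RiskRating:18",
]

# Standard syslog severity levels; this is the digit in %IPS-<n>-SIGNATURE.
SYSLOG_SEVERITY = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
                   4: "warning", 5: "notice", 6: "informational", 7: "debug"}

IPS_RE = re.compile(
    r"^(?P<recv_date>\S+ \S+) "                      # timestamp added by the syslog collector
    r"(?P<reporter>\S+) "                            # device that sent the syslog message
    r"(?P<sysfacility>\S+) "                         # syslog facility.level, e.g. local7.warn
    r"(?:\d+: )*"                                    # IOS sequence number(s)
    r"(?P<dev_time>[A-Z][a-z]{2} \d+ \d{4} [\d:.]+ [A-Z]+): "   # device's own timestamp
    r"%(?P<facility>[A-Z0-9_]+)-(?P<level>\d)-(?P<mnemonic>[A-Z0-9_]+): "  # %FACILITY-LEVEL-MNEMONIC
    r"Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"\[(?P<src_ip>[^:\]]+):(?P<src_port>\d+) -> (?P<dst_ip>[^:\]]+):(?P<dst_port>\d+)\] "
    r"RiskRating:(?P<risk>\d+)\s*$"
)


@dataclass
class IpsEvent:
    reporter: str
    device_time: str
    syslog_level: int
    syslog_level_name: str
    sig: int
    subsig: int
    sev: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    risk_rating: int


def parse_ips_line(line: str) -> Optional[IpsEvent]:
    """Parse one %IPS-n-SIGNATURE syslog line; return None for anything else."""
    m = IPS_RE.match(line.strip())
    if not m or m.group("mnemonic") != "SIGNATURE":
        return None
    level = int(m.group("level"))
    return IpsEvent(
        reporter=m.group("reporter"),
        device_time=m.group("dev_time"),
        syslog_level=level,
        syslog_level_name=SYSLOG_SEVERITY.get(level, "unknown"),
        sig=int(m.group("sig")),
        subsig=int(m.group("subsig")),
        sev=int(m.group("sev")),
        src_ip=m.group("src_ip"),
        src_port=int(m.group("src_port")),
        dst_ip=m.group("dst_ip"),
        dst_port=int(m.group("dst_port")),
        risk_rating=int(m.group("risk")),
    )


def select_events(lines: Iterable[str], min_risk: int = 0, min_sev: int = 0,
                  dst_ip: Optional[str] = None) -> List[IpsEvent]:
    """Return parsed events that meet the given thresholds (the 'certain conditions'
    the question mentions). Lines that do not parse are skipped, not raised."""
    selected = []
    for line in lines:
        ev = parse_ips_line(line)
        if ev is None:
            continue
        if ev.risk_rating < min_risk or ev.sev < min_sev:
            continue
        if dst_ip is not None and ev.dst_ip != dst_ip:
            continue
        selected.append(ev)
    return selected


if __name__ == "__main__":
    for ev in select_events(SAMPLE_LOGS, min_risk=50):
        print(f"{ev.device_time} from {ev.reporter}: sig={ev.sig}/{ev.subsig} "
              f"sev={ev.sev} risk={ev.risk_rating} syslog={ev.syslog_level_name} "
              f"{ev.src_ip}:{ev.src_port} -> {ev.dst_ip}:{ev.dst_port}")
```

Non-matching lines are dropped rather than raising, so the same loop can be pointed at a mixed syslog file; if you want to know what was skipped, return the rejected lines alongside the events.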

Thanks for the reply.
