Cisco IDS log format

Unanswered Question
Nov 24th, 2008

Hi,

Where can I find the description of Cisco IDS log format? I can find information about total signatures and the meaning of the signatures. But I cannot find the following:

1) what are the different log formats supported by Cisco IDS (XML, plain text etc)

2) what parameters to expect in the log messages and the order, meaning of the same.

For example: if I saw the following sample message on a website, how do I understand what each parameter is supposed to mean?

4,1001256,2002/04/11,01:17:49,2002/04/10,20:17:49,10008,100,101,OUT,IN,5,5126,0,TCP/IP,64.194.107.85,W.X.Y.124,32768,80,0.0.0.0,

Thanks

KAD

smalkeric Mon, 12/01/2008 - 12:49

Following is one example of the IDS log format message:

%PIX|ASA-4-4000nn: IPS:number string from IP_address to IP_address on interface interface_name

Explanation Messages 400000 through 400051 are Cisco Intrusion Detection System signature messages. For more information, see the Cisco Intrusion Detection System User Guide.

Recommended Action For more information, see the Cisco Intrusion Detection System User Guide. All signature messages are not supported by the security appliance in this release. IPS system log messages all start with 4-4000nn and have the following format:

number - The signature number.

string - The signature message-approximately the same as the NetRanger signature message.

IP_address - The local to remote address to which the signature applies.

interface_name - The name of the interface on which the signature originated.

For example:

%PIX|ASA-4-400013 IPS:2003 ICMP redirect from 10.4.1.2 to 10.2.1.1 on interface dmz

%PIX|ASA-4-400032 IPS:4051 UDP Snork attack from 10.1.1.1 to 192.168.1.1 on interface outside
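
As an added illustration (not code from this thread or from Cisco), here is a parser for the %PIX|ASA-4-4000nn IPS message format described in the reply above, run over the two quoted example lines plus constructed extra lines. The field names are taken from the template in the reply; treating the colon after the message id as optional (the template has it, the examples do not) is an assumption.

```python
import ipaddress
import re
from typing import Optional

# Regex for the ASA/PIX IPS signature syslog messages described above. "%PIX|ASA"
# means the literal prefix is "%PIX" or "%ASA"; the page's examples omit the colon
# after the message id, so it is optional here (assumption).
IPS_MSG_RE = re.compile(
    r"^%(?P<device>PIX|ASA)-4-(?P<msg_id>4000\d\d):?\s+"
    r"IPS:(?P<sig_id>\d+)\s+(?P<sig_name>.+?)\s+"
    r"from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)\s+"
    r"on\s+interface\s+(?P<interface>\S+)\s*$"
)

def parse_ips_message(line: str) -> Optional[dict]:
    """Parse one IPS signature line into its documented fields, or None."""
    m = IPS_MSG_RE.match(line.strip())
    if not m:
        return None  # not an IPS signature message
    fields = m.groupdict()
    # Only message ids 400000-400051 are IPS signature messages (per the reply).
    if not 400000 <= int(fields["msg_id"]) <= 400051:
        return None
    try:  # reject lines whose address fields are not real IP addresses
        ipaddress.ip_address(fields["src"])
        ipaddress.ip_address(fields["dst"])
    except ValueError:
        return None
    fields["msg_id"] = int(fields["msg_id"])
    fields["sig_id"] = int(fields["sig_id"])
    return fields

def parse_log(text: str) -> list:
    """Return the parsed IPS messages from a block of syslog text."""
    return [p for p in map(parse_ips_message, text.splitlines()) if p]

# Constructed sample input: the two lines quoted in the reply above, plus a
# non-IPS connection message and a malformed line to exercise the rejection paths.
SAMPLE_LOG = """\
%PIX-4-400013 IPS:2003 ICMP redirect from 10.4.1.2 to 10.2.1.1 on interface dmz
%ASA-4-400032: IPS:4051 UDP Snork attack from 10.1.1.1 to 192.168.1.1 on interface outside
%ASA-6-302013: Built inbound TCP connection 1234 for outside:10.0.0.1/4242 (10.0.0.1/4242)
%ASA-4-400099 IPS:9999 bogus from not-an-ip to 10.0.0.1 on interface inside
"""

if __name__ == "__main__":
    for event in parse_log(SAMPLE_LOG):
        print(event)
```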

anusuya_k Mon, 12/01/2008 - 21:03

Thanks for the response. But the format %PIX|ASA-4-4000nn is specific to IDS/IPS module messages on Cisco ASA/PIX. I am looking for the message format of the Cisco IDS appliance itself. I understand Cisco IDS supports SDEE, so when it is exported as text, it may generate the text format logs as I put in the initial message. I am looking for a description of this log format.

Thanks

KAD
