Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
405
Views
9
Helpful
2
Replies

Doubt in IPS log

linker.team
Level 1
Level 1

‎06-22-2007 04:34 AM - edited ‎03-10-2019 03:40 AM

Hi,

I am trying to develop a script which will list events based on certain conditions. For this i need to know about all the attributes in the logs.

Below is a sample log,

05-12-2007 23:57:28 192.x.x.x local7.warn 2069294: 2080360: May 12 2007 23:56:48.813 CDT: %IPS-4-SIGNATURE: Sig:3109 Subsig:0 Sev:75 [<SRC IP>:<SRC_PORT> -> <Destination IP>:<DST_PORT>] RiskRating:56

Following are the attributes which i am unable to determine,

192.x.x.x - ip of the device ?

SEV:75 - severity ? then what is "4" in %IPS-4 ? what is the range for this ?

what is RiskRating:56 ?

thanx in advance.

-S-

Labels:
0 Helpful
2 Replies 2

rhermes
Level 7
Level 7

‎06-22-2007 09:36 AM

The 192.x.x.x is the IP address of the device sending this syslog, most likely the IOS IPS router.

SEV: 75 Must be a new numerical way of desrcibing severity, what version of IOS are you running, >12.4.6T?

The 4 in %IPS-4 is the syslog level, 4 is the Warning level http://www.routergod.com/agentsmith/

RiskRating is a Cisco thing (you really didn't search CCO much before porting your questions, did you?)

http://cisco.com/en/US/products/hw/vpndevc/ps4077/products_white_paper0900aecd80191021.shtml

linker.team
Level 1
Level 1
In response to rhermes

‎06-26-2007 06:49 AM

Thx for the reply.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card