Alarm(s) for attempted access to the sensor(s)?

Cisco IDS sensors have inherent 'access control lists' (if you will) that can control who can and cannot attempt to remotely manage them. My question is, with configured access parameters, is there any IDS alarm that will trigger an event (to which, notification in the form of logging to the event console, sending an email, etc.) that notifies the sensor administrator that someone is attempting to access the sensor?

I would find it beneficial to know if any internal employees are "knocking on the door" of the sensor's command and control interface. If there is going to be access control, there should also be some sort of accounting. I'd like to be able to view both a LOG of attempted (failed) accesses to my sensors and/or have an event triggered.

Does the feature exist?

1 REPLY

Re: Alarm(s) for attempted access to the sensor(s)?

There is no exact feature like that, mostly because the packetd daemon is usually associated with the sniffing interface. In this situation there is no IP address to access it on. Usually the command and control interface is out of band and in its own protected VLAN. You can restrict as you say with TCP wrappers on the box itself; however, unless you designate the sniffing interface for the cmd and control interface you will not get alarms.

If you want to know which IP is accessing your sensor, then I suggest you create an access-list on the VLAN interface, restrict it to known IP addresses, and log the denies.
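
The reply's suggestion, written out as an added example that is not part of the thread: an IOS extended access list applied to the SVI of the out-of-band management VLAN that admits only the known management stations to the sensor's command and control address and logs every other attempt. The VLAN number, the ACL name, all addresses, and the management ports (SSH and HTTPS) are assumed placeholder values, not taken from the post.

```cisco
! Added example (not from the thread). All addresses, the VLAN number, the ACL
! name, the syslog collector and the management ports are assumptions.
!
ip access-list extended SENSOR-MGMT
 remark Known management stations -> sensor C&C address (assumed values)
 permit tcp host 10.10.1.20 host 10.10.50.5 eq 22
 permit tcp host 10.10.1.20 host 10.10.50.5 eq 443
 permit tcp host 10.10.1.21 host 10.10.50.5 eq 22
 permit tcp host 10.10.1.21 host 10.10.50.5 eq 443
 remark Anything else aimed at the sensor is dropped and logged with source IP/port
 deny   ip any host 10.10.50.5 log
 remark Other traffic into the management VLAN is not affected by this list
 permit ip any any
!
interface Vlan50
 description Out-of-band sensor management VLAN (assumed)
 ip address 10.10.50.1 255.255.255.0
 ! "out" on the SVI filters packets routed INTO the VLAN, i.e. toward the sensor
 ip access-group SENSOR-MGMT out
!
! ACL log entries are severity 6 (informational); send them to a syslog collector
! so the denies survive as an audit trail rather than only in the local buffer
logging host 10.10.1.30
logging trap informational
```

The resulting `%SEC-6-IPACCESSLOGP` messages carry the denied source address and port, which answers the "who is knocking on the door" question without touching the sensor itself. Note that IOS rate-limits ACL logging: it logs the first matching packet and then a periodic summary with a hit count (every five minutes by default, adjustable with `ip access-list log-update threshold`), so the collector sees attempts and counts, not one line per packet.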
