Alarm(s) for attempted access to the sensor(s)?

s309973
Level 1

Cisco IDS sensors have inherent 'access control lists' (if you will) that can control who can and cannot attempt to remotely manage them. My question is, with configured access parameters, is there any IDS alarm that will trigger an event (to which, notification in the form of logging to the event console, sending an email, etc.) that notifies the sensor administrator that someone is attempting to access the sensor?

I would find it beneficial to know if any internal employees are "knocking on the door" of the sensor's command and control interface. If there is going to be access control, there should also be some sort of accounting. I'd like to be able to view both a LOG of attempted (failed) accesses to my sensors and/or have an event triggered.

Does the feature exist?

1 Reply

jlimbo
Level 1

There is no exact feature like that, mostly because the packetd daemon is usually associated with the sniffing interface. In this situation there is no IP address to access it on. Usually the command and control interface is out of band and in its own protected VLAN. You can restrict as you say with TCP wrappers on the box itself; however, unless you designate the sniffing interface for the cmd and control interface, you will not get alarms.

If you want to know which IP is accessing your sensor, then I suggest you create an access-list on the VLAN interface, restrict it to known IP addresses, and log the denies.
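
The logged denies suggested in the reply above can be tallied per source to give the accounting the question asks for. This is an added example, not part of the original thread or any Cisco tooling; it assumes the device in front of the sensor emits the standard IOS `%SEC-6-IPACCESSLOGP` syslog message. The ACL name `SENSOR-MGMT`, the sensor address, the ports and every log line are constructed for illustration.

```python
import re
from collections import Counter

# Standard IOS syslog format for a logged TCP/UDP ACL hit.
ACL_HIT = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

SENSOR_IP = "192.0.2.10"  # assumed command-and-control address of the sensor

# Constructed sample syslog lines (documentation address ranges).
SAMPLE_LOG = """\
Mar  3 09:14:02 core-sw 412: %SEC-6-IPACCESSLOGP: list SENSOR-MGMT denied tcp 198.51.100.23(51514) -> 192.0.2.10(22), 1 packet
Mar  3 09:19:02 core-sw 413: %SEC-6-IPACCESSLOGP: list SENSOR-MGMT denied tcp 198.51.100.23(51515) -> 192.0.2.10(443), 4 packets
Mar  3 09:20:10 core-sw 414: %SEC-6-IPACCESSLOGP: list SENSOR-MGMT permitted tcp 198.51.100.5(40112) -> 192.0.2.10(443), 1 packet
Mar  3 09:31:45 core-sw 415: %SEC-6-IPACCESSLOGP: list SENSOR-MGMT denied tcp 198.51.100.77(33990) -> 192.0.2.10(22), 1 packet
Mar  3 09:40:00 core-sw 416: %SEC-6-IPACCESSLOGP: list SENSOR-MGMT denied udp 198.51.100.23(5353) -> 192.0.2.99(161), 2 packets
"""

def denied_attempts(log_text, sensor_ip=SENSOR_IP):
    """Return Counter {(src_ip, dst_port): packets} for denies aimed at the sensor."""
    hits = Counter()
    for line in log_text.splitlines():
        m = ACL_HIT.search(line)
        if not m or m["action"] != "denied" or m["dst"] != sensor_ip:
            continue  # skip permits, other destinations and unrelated lines
        hits[(m["src"], int(m["dport"]))] += int(m["count"])
    return hits

def sources_over_threshold(hits, min_packets=3):
    """Return sorted source IPs whose denied packets total at least min_packets."""
    totals = Counter()
    for (src, _port), n in hits.items():
        totals[src] += n
    return sorted(src for src, n in totals.items() if n >= min_packets)

if __name__ == "__main__":
    hits = denied_attempts(SAMPLE_LOG)
    for (src, port), n in sorted(hits.items()):
        print(f"{src} -> {SENSOR_IP}:{port}  {n} denied packet(s)")
    print("repeat sources:", sources_over_threshold(hits))
```

The packet count in each message matters because IOS rate-limits ACL logging and reports later hits on the same flow as a single summary line.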
