I have a client that has a 2621 running the IOS firewall. We have configured the access-list to log violations to a syslog server when they occur. Does Cisco make, or is there 3rd-party software that will monitor the syslog entries for a repeated violation from the same source IP (or any protocol violations)? They want to set up 24/7 in-house firewall monitoring that will page a tech if such a violation should occur.
Or is there a better way to accomplish this?
I'd suggest using Cisco SNMP MIBs and intrusion detection devices (http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t5/iosfw2/ios_ids.htm#xtocid205650) for added security to your network. Open Systems makes a software product named Private I that should work for you too. Check out their evaluation version at www.opensystems.com
CS Intrusion Detection has a feature that may help. The sensor can be the recipient of router ACL violation syslog messages. When it receives one, it then processes the message and builds an IDS alarm from the information contained and sends that on to the management station.
Update: looks like PrivateI by Open Systems will work (opensystems.com). It has the reporting and notification features I am looking for. However, in order for the paging feature to work you must have email paging; in other words, it just sends an email to you (or your pager).
You can manage, monitor, maintain and perform event correlation of all IDS, PIX, IOS firewall, VPN Concentrator, NT, UNIX and Checkpoint alerts through the use of Netforensics. Netforensics will solve the cumbersome task of managing security data. If you want further clarification and product capabilities contact me directly at firstname.lastname@example.org.
I use CiscoWorks to grep my syslog and Telalert to page on configured events (things like inbound PIX denies, interface up/downs, stuff I want to know about). I also have the NetRanger Director paging me (also using Telalert) on IDS hits (I have both IOS IDS in my edge routers and NR sensors behind same). If there is a problem with this, it's that I don't have any smart filtering to, for example, only page me after N violations from the same IP (but anybody sophisticated enough to throw a DoS attack my way is going to spoof addresses, so maybe I want to see 'em all anyway). Suffice it to say I get paged a lot :) ... but it's all good.
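The "page me only after N violations from the same IP" filtering that the original question asks for, and that the last reply notes is missing from its setup, as an added example that is not from any poster or any product named in this thread: a small Python monitor over constructed IOS ACL deny syslog lines. The syslog line prefix, the ACL number, the hostname and the addresses are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed sample of IOS ACL deny messages as a syslog server might store them; the
# "Mon DD HH:MM:SS host seq:" prefix is an assumption (depends on router logging config).
SAMPLE_SYSLOG = """\
Jan 12 10:15:01 edge-2621 45: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(3321) -> 192.0.2.10(23), 1 packet
Jan 12 10:15:03 edge-2621 46: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(3322) -> 192.0.2.10(21), 1 packet
Jan 12 10:15:04 edge-2621 47: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 198.51.100.9 -> 192.0.2.10 (8/0), 1 packet
Jan 12 10:15:09 edge-2621 48: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(3323) -> 192.0.2.10(22), 3 packets
Jan 12 10:20:30 edge-2621 49: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(3400) -> 192.0.2.10(80), 1 packet
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d).*?%SEC-6-IPACCESSLOG\w+: "
    r"list (?P<acl>\S+) denied (?P<proto>\w+) (?P<src>\d+\.\d+\.\d+\.\d+)(?:\(\d+\))?"
    r" -> (?P<dst>\d+\.\d+\.\d+\.\d+).*?, (?P<count>\d+) packets?$"
)

def parse_denies(text):
    """Yield (timestamp, acl, proto, src, dst, packets) per ACL deny line. IOS folds
    repeats into one line with an 'N packets' count, so the count is carried along."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["acl"],
                   m["proto"], m["src"], m["dst"], int(m["count"]))

def repeat_offenders(text, threshold=3, window_seconds=300):
    """Return [(src, timestamp, acl)] for each source whose denied packets reach
    `threshold` within a sliding `window_seconds` window. A source re-arms only
    after a full window, so a noisy scan pages the tech once, not per line."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, packets) in window
    last_alert, alerts = {}, []
    for ts, acl, _proto, src, _dst, pkts in parse_denies(text):
        q = recent[src]
        q.append((ts, pkts))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if sum(p for _, p in q) < threshold:
            continue
        last = last_alert.get(src)
        if last is None or (ts - last).total_seconds() > window_seconds:
            last_alert[src] = ts
            alerts.append((src, ts, acl))
    return alerts

def page_text(src, ts, acl):
    """One-line body for an email-to-pager gateway (the notification path PrivateI uses)."""
    return f"{ts:%b %d %H:%M:%S} ACL {acl}: repeated denies from {src}"
```

As the last reply points out, a source that spoofs addresses never crosses a per-IP threshold, so this filter should reduce pages for the 24/7 rota without replacing the raw syslog archive.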