IDS Sensor blocking based on received syslog ACL denied messages.

g.schaarup
Level 1

Hi / Help

How do I configure the 4230 Sensor (from the CSPM) to receive and generate alarms (and block) from syslog messages sent from a Cisco router when an ACL deny is detected. For example how to make the sensor generate an alarm (and block) based on a syslog message like this:

%SEC-6-IPACCESSLOGP: list 120 denied tcp 1.1.1.1(80) -> 2.2.2.2(1031)

I would appreciate if you could explain/describe the solution in details.

Especially how the sensor interprets the syslog text and how it "reads" what to block.

I.e. what is the correct syslog "text syntax" to send before the Sensor "understands" it and makes the blocking.

Thanks.

Gert Schaarup

Accepted Solution

marcabal
Cisco Employee

The following link shows how to configure it through IDM on the sensor itself.

You will need to do the same steps using CSPM:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids8/13876_01.htm#xtocid35

When an ACL is created the user can put a keyword "log" at the end of a deny line in order to have a syslog message created when that line denies a packet. The syslogs get sent from the router to the sensor (router has to be configured to do this). The syslog messages for ACLs have a specific format that the sensor has been coded to identify. Within that format the IP address is in a specific spot. So if the sensor is configured properly then the sensor will create an alarm for that ACL deny syslog message.

NOTE: The alarm is for the fact that the sensor received an ACL deny syslog message from the router. The ACL that denied the packet may have been user created or sensor created.

NOTE2: The alarm would be for an ACL that was already created; blocking on the alarm would generate a new ACL to block the address that is already blocked. So blocking on these alarms is not standard practice.

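As an added example (not code from this thread, from CSPM or from the sensor), a small Python parser for the ACL-log syslog format quoted in the question: it pulls out the fields the sensor keys on (list number, action, protocol, source and destination with ports) and tallies denied packets per source, which is the alerting use the answer recommends rather than re-blocking an address the router already drops. The syslog header prefix, the icmp IPACCESSLOGDP variant and the trailing packet count are assumptions about router output that go beyond the single line shown above.

```python
import re
from collections import Counter

# Body of an IOS ACL-log message. The header before "%SEC-6-" differs by syslog
# receiver, so the tag is searched for anywhere in the line. The "(80)" port suffix
# is the tcp/udp form (IPACCESSLOGP) from the thread; the icmp "(type/code)" form
# (IPACCESSLOGDP) and the ", N packets" trailer are assumed, not shown in the thread.
ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>P|DP|NP): list (?P<list>\S+) "
    r"(?P<action>denied|permitted) (?P<proto>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<icmp>\d+/\d+)\))?(?:, (?P<packets>\d+) packets?)?"
)


def parse_acl_log(line):
    """Return the fields of one ACL-log syslog line, or None if it is not one."""
    m = ACL_LOG.search(line)
    if not m:
        return None
    f = m.groupdict()
    return {
        "kind": f["kind"], "list": f["list"], "action": f["action"], "proto": f["proto"],
        "src": f["src"], "sport": int(f["sport"]) if f["sport"] else None,
        "dst": f["dst"], "dport": int(f["dport"]) if f["dport"] else None,
        "packets": int(f["packets"]) if f["packets"] else 1,
    }


def denied_sources(lines):
    """Count denied packets per source address over a batch of syslog lines.
    Every source listed is already being dropped by the router's ACL (NOTE2 above),
    so this feeds an alert or a report, not another block."""
    counts = Counter()
    for line in lines:
        rec = parse_acl_log(line)
        if rec and rec["action"] == "denied":
            counts[rec["src"]] += rec["packets"]
    return counts


# Constructed sample lines (not from a real router), with a made-up receiver header.
SAMPLE = [
    "Mar  1 12:00:01 rtr1 45: %SEC-6-IPACCESSLOGP: list 120 denied tcp 1.1.1.1(80) -> 2.2.2.2(1031), 1 packet",
    "Mar  1 12:00:05 rtr1 46: %SEC-6-IPACCESSLOGP: list 120 denied udp 1.1.1.1(53) -> 2.2.2.2(1032), 3 packets",
    "Mar  1 12:00:09 rtr1 47: %SEC-6-IPACCESSLOGDP: list 120 denied icmp 3.3.3.3 -> 2.2.2.2 (8/0), 1 packet",
    "Mar  1 12:00:10 rtr1 48: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 4.4.4.4(1040) -> 2.2.2.2(22), 1 packet",
    "Mar  1 12:00:11 rtr1 49: %SYS-5-CONFIG_I: Configured from console by vty0",
]

if __name__ == "__main__":
    for src, n in denied_sources(SAMPLE).items():
        print(f"{src}: {n} denied packet(s)")
```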