01-24-2003 12:58 AM - edited 02-20-2020 09:20 PM
Hi / Help
How do I configure the 4230 Sensor (from the CSPM) to receive and generate alarms (and block) from syslog messages sent from a Cisco router when an ACL deny is detected? For example, how do I make the sensor generate an alarm (and block) based on a syslog message like this:
%SEC-6-IPACCESSLOGP: list 120 denied tcp 1.1.1.1(80) -> 2.2.2.2(1031)
I would appreciate it if you could explain/describe the solution in detail.
Especially how the sensor interprets the syslog text and how it "reads" what to block.
I.e. what is the correct syslog "text syntax" to send before the Sensor "understands" it and does the blocking?
Thanks.
Gert Schaarup
01-24-2003 11:30 AM
The following link shows how to configure it through IDM on the sensor itself.
You will need to do the same steps using CSPM:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids8/13876_01.htm#xtocid35
When an ACL is created the user can put a keyword "log" at the end of a deny line in order to have a syslog message created when that line denies a packet. The syslogs get sent from the router to the sensor (the router has to be configured to do this). The syslog messages for ACLs have a specific format that the sensor has been coded to identify. Within that format the IP address is in a specific spot. So if the sensor is configured properly then the sensor will create an alarm for that acl deny syslog message.
NOTE: The alarm is for the fact that the sensor received an acl deny syslog message from the router. The acl that denied the packet may have been user created or sensor created.
NOTE2: The alarm would be for an acl that was already created; blocking on the alarm would generate a new acl to block the address that is already blocked. So blocking on these alarms is not standard practice.
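To make the "specific format, IP address in a specific spot" point concrete, here is an added example (not code from the thread, Cisco, or the sensor product) that parses the ACL deny message quoted in the question, raises an alarm for each deny, and applies the logic from NOTE2 by not issuing a second block for a source that is already blocked. It assumes the source address is the one a block would target, that the "(port)" fields may be absent for other protocols, and that lines may arrive with a syslog priority/timestamp prefix and a trailing packet count; the sample lines other than the one from the question are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Pattern for the IOS ACL-logging syslog message quoted in the question
# (%SEC-6-IPACCESSLOGP). The "(port)" groups are optional so the same
# pattern also accepts messages without ports (an assumption here, not
# something the thread states). search() is used so a leading syslog
# priority/timestamp or a trailing ", N packet(s)" does not matter.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+:\s+list\s+(?P<acl>\S+)\s+"
    r"(?P<action>denied|permitted)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<sport>\d+)\))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<dport>\d+)\))?"
)


@dataclass
class AclDenyEvent:
    acl: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_acl_deny(line: str) -> Optional[AclDenyEvent]:
    """Return an event for an ACL *deny* log line, or None for anything else."""
    m = ACL_LOG_RE.search(line)
    if m is None or m.group("action") != "denied":
        return None
    return AclDenyEvent(
        acl=m.group("acl"),
        proto=m.group("proto"),
        src=m.group("src"),  # assumed: the address a block would target
        sport=int(m.group("sport")) if m.group("sport") else None,
        dst=m.group("dst"),
        dport=int(m.group("dport")) if m.group("dport") else None,
    )


def process_syslog(
    lines: List[str], already_blocked: Set[str]
) -> Tuple[List[AclDenyEvent], List[str]]:
    """Turn deny log lines into alarms and decide which sources still need a block.

    Per NOTE2 the packet was already denied by an existing ACL, so a source
    already in `already_blocked` raises an alarm but is not blocked again.
    """
    alarms: List[AclDenyEvent] = []
    new_blocks: List[str] = []
    for line in lines:
        event = parse_acl_deny(line)
        if event is None:
            continue
        alarms.append(event)
        if event.src not in already_blocked:
            already_blocked.add(event.src)
            new_blocks.append(event.src)
    return alarms, new_blocks


# Constructed sample input: the first line is the one from the question,
# the rest are made up for this example.
SAMPLE_LINES = [
    "%SEC-6-IPACCESSLOGP: list 120 denied tcp 1.1.1.1(80) -> 2.2.2.2(1031)",
    "<190>45: *Jan 24 00:58:01: %SEC-6-IPACCESSLOGP: list 120 denied tcp "
    "1.1.1.1(80) -> 2.2.2.2(1032), 1 packet",
    "%SEC-6-IPACCESSLOGP: list 120 permitted udp 3.3.3.3(53) -> 2.2.2.2(1033)",
    "%SYS-5-CONFIG_I: Configured from console by vty0",
]


def demo() -> Tuple[int, List[str]]:
    """Run the sample through the parser; returns (alarm count, new blocks)."""
    alarms, new_blocks = process_syslog(SAMPLE_LINES, set())
    for a in alarms:
        print(f"ALARM acl={a.acl} {a.proto} {a.src}:{a.sport} -> {a.dst}:{a.dport}")
    print("block:", new_blocks)
    return len(alarms), new_blocks


if __name__ == "__main__":
    demo()
```

Running it alarms on both deny lines (the permit and the unrelated message are ignored) but proposes only one block, since the second deny comes from a source that was blocked on the first.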