273 Views | 0 Helpful | 3 Replies

IDS Syslog message won't go away.....

zehren
Level 1

Hi,

I am trying to filter out an IP that keeps sending a UDP BOMB. I have created an ACL that should filter out the IP. In my syslog I still keep getting the message below. I am wondering if this will keep happening or have I not configured the ACL correctly?

I do understand that IDS and Firewall should work together and I am in the process of doing this. Could this possibly be the problem?

5044: May 28 13:13:28.805 MST: %IDS-4-UDP_BOMB_SIG: Sig:4050:UDP Bomb - from 12.158.33.18 to 65.*.*.*

access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny ip 192.168.1.0 0.0.0.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 12.158.33.18 0.0.0.1 any
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 120 permit ip host 192.168.1.2 192.168.2.0 0.0.0.255

Thanks for the help

Tony D

3 Replies

gfullage
Cisco Employee

This all depends on where you have these ACLs applied and in which direction. For this to work you'd have to have ACL 101 applied inbound on whatever interface is receiving this alert.

Thank you for the reply....

Here is that information. I believe it to be correct.

interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0
 description connected to Internet
 ip address 65.*.*.* 255.255.255.252
 ip access-group 101 in
 ip nat outside
 ip audit zehren-audit in
 no ip route-cache
 no ip mroute-cache
 half-duplex
 crypto map clientmap
!
interface FastEthernet0
 description connected to Our Office
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip policy route-map nonat2
 speed auto

Thanks again

OK, that looks OK. Keep in mind though, that IDS processing is done BEFORE ACL processing (see http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt3/scdids.htm#1000896 under the Functional Description section).

This is done so that admins can see attacks even though the ACL will then prevent them. If the ACL denied them straight away then you'd never know if you were under attack. This is why you're seeing the IDS alert, but if you then do a "sho access-list 101" you should see hits on the deny line for that host.
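The processing order described in the reply above, modelled as an added Python illustration (this is not Cisco IOS code and not part of the thread). ACL 101 is copied verbatim from the original post; the inbound packets, the concrete outside address 65.0.0.1 standing in for the post's masked 65.*.*.*, and the length-mismatch rule used to trigger the UDP Bomb alert are constructed assumptions, and the audit rule is assumed to be alarm-only. It also implements Cisco wildcard-mask matching, which shows why the entry `12.158.33.18 0.0.0.1` matches both .18 and .19.

```python
"""Model of the inbound packet path on Ethernet0 from the thread: the
'ip audit ... in' IDS check runs BEFORE 'ip access-group 101 in', so the
UDP Bomb alert is logged even though ACL 101 then drops the packet and the
deny line records a hit.  Added illustration, not Cisco code.  ACL 101 is
copied from the post; packets, the 65.0.0.1 address and the UDP Bomb
trigger condition are constructed assumptions."""
import ipaddress
from dataclasses import dataclass

ACL_101_TEXT = """\
access-list 101 deny ip 12.158.33.18 0.0.0.1 any
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
"""


@dataclass
class AclEntry:
    action: str    # "permit" or "deny"
    src: str       # "any", "host a.b.c.d" or "a.b.c.d wildcard"
    dst: str
    hits: int = 0  # what 'show access-list' reports as "(N matches)"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    ip_payload_len: int = 0  # bytes following the IP header
    udp_len: int = 0         # value carried in the UDP length field


def _take_addr(tokens):
    """Consume one address specification from an access-list line."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_acl(text):
    """Parse 'access-list <n> <action> ip <src> <dst>' lines in order."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        src, rest = _take_addr(tok[4:])
        dst, _ = _take_addr(rest)
        entries.append(AclEntry(tok[2], src, dst))
    return entries


def wildcard_match(addr, spec):
    """Cisco wildcard semantics: 0 bits must match, 1 bits are don't-care,
    so '12.158.33.18 0.0.0.1' covers both .18 and .19."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    base, wildcard = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (
        int(ipaddress.IPv4Address(base)) & care)


def acl_lookup(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for entry in acl:
        if wildcard_match(src, entry.src) and wildcard_match(dst, entry.dst):
            entry.hits += 1
            return entry.action
    return "deny"


def inbound(packet, acl, syslog):
    """Order of operations on the 'in' path, as the reply explains."""
    # 1. ip audit zehren-audit in (alarm-only rule assumed).  Simplified
    #    trigger, an assumption: UDP length field smaller than the IP payload.
    if packet.proto == "udp" and packet.udp_len < packet.ip_payload_len:
        syslog.append("%IDS-4-UDP_BOMB_SIG: Sig:4050:UDP Bomb - "
                      f"from {packet.src} to {packet.dst}")
    # 2. ip access-group 101 in: the ACL now drops the packet and counts it.
    return acl_lookup(acl, packet.src, packet.dst)


def run_demo():
    acl = parse_acl(ACL_101_TEXT)
    syslog = []
    outside = "65.0.0.1"  # constructed stand-in for the post's 65.*.*.*
    samples = [  # constructed sample traffic
        Packet("12.158.33.18", outside, "udp", 512, 8),   # the reported source
        Packet("12.158.33.19", outside, "udp", 512, 8),   # neighbour caught by 0.0.0.1
        Packet("192.168.1.5", outside, "udp", 64, 64),    # spoofed inside address
        Packet("198.51.100.7", outside, "udp", 64, 64),   # well-formed, unrelated host
    ]
    decisions = [inbound(p, acl, syslog) for p in samples]
    return syslog, decisions, [e.hits for e in acl]


if __name__ == "__main__":
    log, decisions, hits = run_demo()
    for line in log:
        print(line)
    print(decisions)                                  # ['deny', 'deny', 'deny', 'permit']
    print("show access-list 101 hit counts:", hits)   # [2, 1, 0, 1]
```

Running it logs two UDP Bomb alerts (for .18 and .19) and still returns deny for both, with the first deny line showing two matches, which is exactly the "alert plus hits on the deny line" state the reply says to expect from "sho access-list 101".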
