New Member

IDS Syslog message won't go away.....

Hi,

I am trying to filter out an IP that keeps sending a UDP BOMB. I have created an ACL that should filter out the IP. In my syslog I still keep getting the message below. I am wondering if this will keep happening, or have I not configured the ACL correctly?

I do understand that IDS and Firewall should work together and I am in the process of doing this. Could this possibly be the problem?

5044: May 28 13:13:28.805 MST: %IDS-4-UDP_BOMB_SIG: Sig:4050:UDP Bomb - from 12.158.33.18 to 65.*.*.*

access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny ip 192.168.1.0 0.0.0.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 12.158.33.18 0.0.0.1 any
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 120 permit ip host 192.168.1.2 192.168.2.0 0.0.0.255

Thanks for the help

Tony D

3 REPLIES
Cisco Employee

Re: IDS Syslog message won't go away.....

This all depends on where you have these ACLs applied and in which direction. For this to work you'd have to have ACL 101 applied inbound on whatever interface is receiving this alert.

New Member

Re: IDS Syslog message won't go away.....

Thank you for the reply....

Here is that information. I believe it to be correct.

interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0
 description connected to Internet
 ip address 65.*.*.* 255.255.255.252
 ip access-group 101 in
 ip nat outside
 ip audit zehren-audit in
 no ip route-cache
 no ip mroute-cache
 half-duplex
 crypto map clientmap
!
interface FastEthernet0
 description connected to Our Office
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip policy route-map nonat2
 speed auto

Thanks again

Cisco Employee

Re: IDS Syslog message won't go away.....

OK, that looks OK. Keep in mind though, that IDS processing is done BEFORE ACL processing (see http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt3/scdids.htm#1000896 under the Functional Description section).

This is done so that admins can see attacks even though the ACL will then prevent them. If the ACL denied them straight away you'd never know you were under attack. This is why you're seeing the IDS alert, but if you then do a "sho access-list 101" you should see hits on the deny line for that host.

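To make the last reply's point concrete, here is an added Python model (not Cisco code and not from the thread) of how the inbound path treats ACL 101 from the original post: the IDS audit logs first, then the ACL is evaluated first-match with wildcard masks, hit counters and the implicit deny. The IDS verdict is passed in as a constructed flag since the signature logic itself is not modeled, and the destination 65.0.0.1 is a placeholder for the masked 65.*.*.* address.

```python
import ipaddress

# ACL 101 exactly as posted, applied "ip access-group 101 in" on Ethernet0
IOS_ACL_101 = [
    "access-list 101 deny ip 12.158.33.18 0.0.0.1 any",
    "access-list 101 deny ip 192.168.1.0 0.0.0.255 any",
    "access-list 101 deny ip 127.0.0.0 0.255.255.255 any",
    "access-list 101 permit ip any any",
]

def _addr(tok, i):
    """Parse one IOS address spec (any | host A | A WILDCARD) -> (base, wildcard, next index)."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return int(ipaddress.IPv4Address(tok[i + 1])), 0, i + 2
    return int(ipaddress.IPv4Address(tok[i])), int(ipaddress.IPv4Address(tok[i + 1])), i + 2

def parse_acl(lines):
    """Turn 'access-list N <action> ip <src> <dst>' lines into ACEs with a hit counter each."""
    aces = []
    for line in lines:
        tok = line.split()
        src, src_w, i = _addr(tok, 4)
        dst, dst_w, _ = _addr(tok, i)
        aces.append({"action": tok[2], "src": src, "src_w": src_w,
                     "dst": dst, "dst_w": dst_w, "hits": 0})
    return aces

def _match(addr, base, wild):
    # IOS wildcard semantics: a 1 bit means "don't care", so only the 0 bits are compared
    return ((addr & ~wild) & 0xFFFFFFFF) == ((base & ~wild) & 0xFFFFFFFF)

def acl_decision(aces, src, dst):
    """First-match evaluation; bumps the matched ACE's counter (what 'show access-list' displays)."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for ace in aces:
        if _match(s, ace["src"], ace["src_w"]) and _match(d, ace["dst"], ace["dst_w"]):
            ace["hits"] += 1
            return ace["action"]
    return "deny"  # implicit 'deny ip any any' at the end of every IOS ACL

def inbound(aces, src, dst, ids_signature=None):
    """Inbound order from the reply: the audit logs the alert first, then the ACL decides."""
    alerts = []
    if ids_signature:  # constructed flag standing in for the real signature engine
        alerts.append(f"%IDS-4-{ids_signature}: from {src} to {dst}")
    return alerts, acl_decision(aces, src, dst)
```

Run against the thread's source, the alert is still logged while the packet is dropped on the first deny line, and the 0.0.0.1 wildcard is also shown to cover 12.158.33.19.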