I would appreciate it if someone could tell me how to configure the custom signature engine SERVICE.SYSLOG to make the sensor accept access-list violations from a router, i.e. how the parameters in SERVICE.SYSLOG should be set to make it work. And are there other configuration issues concerning this (like whether it is necessary to configure the ACL violation router both in the AclDataSource parameter and in the Data source under the Group TOC)?
If so then all you have to do is create a new signature in the SERVICE.SYSLOG engine.
Give it a unique Signature ID and SubSignature ID.
Give it any name you want for SigName and a description in SigStringInfo.
Place the IP address of the router in the AclDataSource field within the signature definition (you put the address in this field where the signature is defined and do not need to go to another field in another window; in the older 3.x the ACL Data Sources were configured separately, but in 4.x the ACL Data Source is configured directly in the signature itself).
NOTE: This IP needs to be for the interface of the router where the syslog messages will come from. You may need to sniff the network to see which interface ip the router is sending the syslog messages from because it may not be what you consider the primary ip address of your router.
Place the name of the ACL (spelled exactly as created) in the AclFilterName.
If you want to get fancy you can even configure the facility and priority levels of the syslog message to look for. BUT I don't recommend doing this on your first try.
On the router itself you will need to execute:
logging trap info
And then at the end of each deny line in the ACL you will need to add the keyword "log" which will cause the deny line to create the syslog message:
access-list 199 deny tcp host 10.1.1.1 any log
NOTE: The alarm will only fire for ACL deny lines generating syslog messages that match the ACL you designated in the alarm. Other syslog messages from the router will be ignored including syslogs from other ACLs.
For more information on configuring the router you can look at steps 1-7 of the "Configuring User-Defined ACLs" section from the older 3.1 documentation:
1. FYI, it's not possible to configure/change the Signature ID and SubSignature ID; the IDS MC does this.
2. My sensor SERVICE.SYSLOG configuration looks like this:
sensor233# sh conf | be SERVICE.SYSLOG
signatures SIGID 20000 SubSig 0
ACL Violation 120
3. As the SummaryKey is a "required" parameter I configured it as AaBb, one of the values suggested by the IDS MC. But I'm not sure if this is correct and if this is the cause of my "not working" problem. The same issue was the case for StorageKey (this I left with the default value).
4. When the sensor gets a syslog like:
%SEC-6-IPACCESSLOGP: list 120 denied tcp 220.127.116.11(0) -> 18.104.22.168(0), 1 packet
from an AclDataSource (with the correct IP source address) I see that the sensor (on a sniffer) replies with ICMP Destination Unreachable.
5. A show tech-support shows the following stat for the syslogd:
Linux sensor233 2.4.18-5smpbigphys #4 SMP Wed Nov 20 16:28:44 CST 2002 i686 unknown
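As an added example that is not part of this thread or of the sensor's own code, here is the matching behaviour the reply describes (AclDataSource compared against the syslog datagram's source IP, AclFilterName compared against the ACL named in the message, deny lines only) modelled in Python and run over constructed IOS-style log lines. The regular expression, the SyslogSignature class and the 192.0.2.x/198.51.100.x addresses are my assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# IOS ACL log line shape (constructed example, not a real router's output):
#   %SEC-6-IPACCESSLOGP: list 120 denied tcp 192.0.2.10(0) -> 198.51.100.5(0), 1 packet
ACL_LOG_RE = re.compile(
    r"%SEC-\d-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\(\d+\))? -> (?P<dst>[\d.]+)(?:\(\d+\))?, \d+ packets?"
)

@dataclass
class SyslogSignature:  # the SERVICE.SYSLOG fields the reply says matter (assumed model)
    sig_id: int
    acl_data_source: str  # IP of the router interface the syslog datagrams come FROM
    acl_filter_name: str  # ACL number or name, spelled exactly as on the router

def parse_acl_log(message: str) -> Optional[dict]:
    # Extract ACL, action, protocol and endpoints; None if not an ACL log line.
    m = ACL_LOG_RE.search(message)
    return m.groupdict() if m else None

def evaluate(sig: SyslogSignature, sender_ip: str, message: str) -> Tuple[bool, str]:
    """Fire or ignore one datagram; sender_ip is the UDP source seen on the wire."""
    if sender_ip != sig.acl_data_source:
        return False, "ignored: datagram not from the configured AclDataSource"
    fields = parse_acl_log(message)
    if fields is None:
        return False, "ignored: not an ACL log message"
    if fields["acl"] != sig.acl_filter_name:
        return False, f"ignored: list {fields['acl']} is not AclFilterName {sig.acl_filter_name}"
    if fields["action"] != "denied":
        return False, "ignored: only deny entries raise the alarm"
    return True, (f"sig {sig.sig_id} fired: {fields['proto']} {fields['src']} -> "
                  f"{fields['dst']} denied by list {fields['acl']}")

# Constructed sample datagrams as (UDP source IP, syslog text); 192.0.2.1 plays the router.
SAMPLES = [
    ("192.0.2.1", "%SEC-6-IPACCESSLOGP: list 120 denied tcp 192.0.2.10(0) -> 198.51.100.5(0), 1 packet"),
    ("192.0.2.2", "%SEC-6-IPACCESSLOGP: list 120 denied tcp 192.0.2.10(0) -> 198.51.100.5(0), 1 packet"),
    ("192.0.2.1", "%SEC-6-IPACCESSLOGP: list 199 denied udp 192.0.2.11(53) -> 198.51.100.5(53), 3 packets"),
    ("192.0.2.1", "%SYS-5-CONFIG_I: Configured from console by vty0"),
]

def run_samples(sig: SyslogSignature):
    """Evaluate every sample; returns the list of (fired, reason) pairs."""
    return [evaluate(sig, sender, text) for sender, text in SAMPLES]

if __name__ == "__main__":
    for fired, why in run_samples(SyslogSignature(20000, "192.0.2.1", "120")):
        print("ALARM" if fired else "-----", why)
```

Only the first sample fires; the second is dropped because it arrives from an address other than the AclDataSource, which is the mistake the NOTE about sniffing for the sending interface is warning about.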