Syslog Messages


The firewall reports single-packet (atomic) signature matches through syslog messages. For Cisco products, the list of messages can be found at:

www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/syslog

IDS syslog messages all start with %PIX-4-4000nn and have the following format:

%PIX-4-4000nn IDS:sig_num sig_msg from ip_addr to ip_addr on interface int_name

For example:

%PIX-4-400013 IDS:2003 ICMP redirect from 10.4.1.2 to 10.2.1.1 on interface dmz

%PIX-4-400032 IDS:4051 UDP Snork attack from 10.1.1.1 to 192.168.1.1 on interface outside


Options:

sig_num Signature number
sig_msg Signature message. Similar to the NetRanger signature message.
ip_addr Local to remote address to which the signature applies.
int_name Interface on which the signature originated.
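
The message format above is regular enough to parse on a syslog collector. The following is an added example (not from the original page or from Cisco) that extracts the documented fields from IDS messages and counts repeated hits per signature, source address and interface; the sample log lines are constructed and include the two messages quoted above, one with a collector-style timestamp/host prefix, and one non-IDS line that must be skipped.

```python
import re
from collections import Counter
from typing import Optional, NamedTuple

# Matches the documented format:
#   %PIX-4-4000nn IDS:sig_num sig_msg from ip_addr to ip_addr on interface int_name
IDS_RE = re.compile(
    r"%PIX-4-(?P<msg_id>4000\d\d)\s+IDS:(?P<sig_num>\d+)\s+(?P<sig_msg>.+?)"
    r"\s+from\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})"
    r"\s+to\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})"
    r"\s+on\s+interface\s+(?P<iface>\S+)\s*$"
)

class IdsEvent(NamedTuple):
    msg_id: str    # the 4000nn message number
    sig_num: int   # signature number
    sig_msg: str   # signature message text
    src: str       # from ip_addr
    dst: str       # to ip_addr
    iface: str     # interface the signature fired on

def parse_ids_message(line: str) -> Optional[IdsEvent]:
    """Fields of one %PIX-4-4000nn IDS message, or None for any other line."""
    # search() rather than match() so a syslog timestamp/host prefix is tolerated
    m = IDS_RE.search(line)
    if not m:
        return None
    return IdsEvent(m["msg_id"], int(m["sig_num"]), m["sig_msg"],
                    m["src"], m["dst"], m["iface"])

def summarize(lines):
    """Count IDS hits per (signature, source, interface); non-IDS lines are skipped."""
    counts = Counter()
    for line in lines:
        ev = parse_ids_message(line)
        if ev is not None:
            counts[(ev.sig_num, ev.src, ev.iface)] += 1
    return counts

# Constructed sample log (not captured from a real device).
SAMPLE_LOG = [
    "%PIX-4-400013 IDS:2003 ICMP redirect from 10.4.1.2 to 10.2.1.1 on interface dmz",
    "%PIX-4-400032 IDS:4051 UDP Snork attack from 10.1.1.1 to 192.168.1.1 on interface outside",
    "Mar 10 12:00:01 pix1 %PIX-4-400032 IDS:4051 UDP Snork attack from 10.1.1.1 to 192.168.1.1 on interface outside",
    "%PIX-6-111111 CONSTRUCTED: some other syslog message, not an IDS event",
]
```

Calling `summarize(SAMPLE_LOG)` returns the two Snork hits from 10.1.1.1 on `outside` as one key with count 2, which is the kind of repeat-offender view a SOC would alert on.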

The following commands control which signatures are audited, and therefore which of these messages appear:

  1. Attach a global policy to a signature. Used to disable or exclude a signature from auditing.

    ip audit signature signature_number disable

  2. Remove the policy from a signature. Used to re-enable a signature.

    no ip audit signature signature_number

  3. Display disabled signatures.

    show ip audit signature [signature_number]

  4. Specify the default action to be taken for signatures classified as informational signatures.

    ip audit info [action [alarm] [drop] [reset]]

    The alarm option indicates that when a signature match is detected in a packet, the firewall reports the event to all configured syslog servers. The drop option drops the offending packet. The reset option drops the offending packet and closes the connection if it is part of an active connection. The default is alarm. To cancel event reactions, specify the ip audit info command without an action option.

  5. Set the action to be taken for signatures classified as informational and reconnaissance to the default action.

    no ip audit info

  6. Display the default informational actions.

    show ip audit info

  7. Specify the default actions to be taken for attack signatures. The action options are as previously described.

    ip audit attack [action [alarm] [drop] [reset]]

  8. Set the action to be taken for attack signatures to the default action.

    no ip audit attack

  9. Display the default attack actions.

    show ip audit attack

An audit policy (audit rule) defines the attributes for all signatures that can be applied to an interface along with a set of actions. Using an audit policy, the user may limit the traffic that is audited or specify actions to be taken when the signature matches. Each audit policy is identified by a name and can be defined for informational or attack signatures. Each interface can have two policies: one for informational signatures and one for attack signatures. If a policy is defined without actions, the configured default actions take effect. Each policy requires a different name.

  10. All informational signatures except those disabled or excluded by the ip audit signature command are considered part of the policy. The actions are the same as described previously.

    ip audit name audit_name info [action [alarm] [drop] [reset]]

  11. Remove the audit policy audit_name.

    no ip audit name audit_name [info]

  12. All attack signatures except those disabled or excluded by the ip audit signature command are considered part of the policy. The actions are the same as described previously.

    ip audit name audit_name attack [action [alarm] [drop] [reset]]

  13. Remove the audit specification audit_name.

    no ip audit name audit_name [attack]

  14. Display all audit policies or specific policies referenced by name and possibly type.

    show ip audit name [name [info | attack]]

  15. Apply an audit specification or policy (created via the ip audit name command) to an interface.

    ip audit interface if_name audit_name

  16. Remove a policy from an interface.

    no ip audit interface [if_name]

  17. Display the interface configuration.

    show ip audit interface