ip audit


To configure IDS signature use. (Configuration mode.)

  [no] ip audit attack [action [alarm] [drop] [reset]]
  show ip audit attack

  [no] ip audit info [action [alarm] [drop] [reset]]
  show ip audit info

  [no] ip audit interface if_name audit_name
  show ip audit interface

  [no] ip audit name audit_name attack [action [alarm] [drop] [reset]]
  show ip audit name [name [info | attack]]

  [no] ip audit name audit_name info [action [alarm] [drop] [reset]]
  show ip audit name

  [no] ip audit signature signature_number disable
  show ip audit signature [signature_number]

  clear ip audit [name | signature | interface | attack | info]


Syntax

audit attack Specify the default actions to be taken for attack signatures.
audit info Specify the default actions to be taken for informational signatures.
audit interface Apply an audit specification or policy (via the ip audit name command) to an interface.
audit name Specify informational signatures, except those disabled or excluded by the ip audit signature command, as part of the policy.
audit signature Specify which messages to display, attach a global policy to a signature, and disable or exclude a signature from auditing.
action actions The alarm option indicates that when a signature match is detected in a packet, the firewall reports the event to all configured syslog servers. The drop option drops the offending packet. The reset option drops the offending packet and closes the connection if it is part of an active connection. The default is alarm.
clear Resets the name, signature, interface, attack, and info settings to their default values.
audit_name Audit policy name viewed with the show ip audit name command.
signature_number IDS signature number.


Usage

Cisco Intrusion Detection System (Cisco IDS) is an IP-only feature that provides some level of flexibility for the user to customize the amount of traffic that needs to be audited and logged.

The Cisco IDS features provide the following:

  1. Traffic auditing. Application level signatures will only be audited as part of an active session.
  2. Apply the audit to an interface.
  3. Support different audit policies. Traffic matching a signature triggers a range of configurable actions.
  4. Disable the signature audit.
  5. Enable IDS and still disable actions of a signature class (informational, attack).

Auditing is performed by looking at IP packets as they arrive at an input interface. If a packet triggers a signature and the configured action does not drop the packet, the same packet can trigger other signatures.

The firewall supports both inbound and outbound auditing.

For a complete list of supported Cisco IDS signatures, their wording, and whether they are attack or informational messages, refer to Cisco firewall System Log Messages.

Refer to the Cisco Secure Intrusion Detection System Version 2.2.1 User Guide for detailed information on each signature. You can view the "NSDB and Signatures" chapter of this guide at the following website:

www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids1/csidsug/sigs.htm


Commands

ip audit attack

Specifies the default actions to be taken for attack signatures. An audit policy (audit rule) defines the attributes for all signatures that can be applied to an interface, along with a set of actions. Using an audit policy may limit the traffic that is audited or specify the actions to be taken when a signature matches. Each audit policy is identified by a name and can be defined for informational or attack signatures. Each interface can have two policies: one for informational signatures and one for attack signatures. If a policy is defined without actions, the configured default actions take effect. Each policy requires a different name.

The no ip audit attack command resets the action to be taken for attack signatures to the default action. The show ip audit attack command displays the default attack actions.
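The following is an added example, not Cisco code: a small Python model of how the configuration described above (and the evaluation order noted under Usage) resolves the actions for a matched signature on an interface. It reproduces the page's Examples section as a constructed configuration; the signature-to-class table, the treatment of an interface with no policy of a given class (assumed: not audited), and the helper names are assumptions made for the example.

```python
"""Added example (not Cisco's code): a model of how an 'ip audit' configuration
resolves the actions for a signature on a given interface. The signature-class
table and the sample configuration below are constructed."""
from dataclasses import dataclass, field

VALID_ACTIONS = frozenset({"alarm", "drop", "reset"})

# Assumption for the example: which signature numbers count as attack or
# informational. The authoritative classification is in the syslog message list.
SIG_CLASS = {1000: "info", 2003: "info", 4051: "attack", 6102: "attack"}


@dataclass
class AuditPolicy:
    name: str
    sig_class: str                       # "info" or "attack"
    actions: frozenset = frozenset()     # empty means "use the configured defaults"


@dataclass
class AuditConfig:
    # 'ip audit info' / 'ip audit attack' defaults; alarm is the documented default
    defaults: dict = field(default_factory=lambda: {
        "info": frozenset({"alarm"}), "attack": frozenset({"alarm"})})
    policies: dict = field(default_factory=dict)    # name -> AuditPolicy
    disabled: set = field(default_factory=set)      # ip audit signature N disable
    interfaces: dict = field(default_factory=dict)  # if_name -> {class: policy name}

    def set_default(self, sig_class, *actions):
        """ip audit {info|attack} action ..."""
        bad = set(actions) - VALID_ACTIONS
        if bad:
            raise ValueError(f"unknown action(s): {sorted(bad)}")
        self.defaults[sig_class] = frozenset(actions)

    def add_policy(self, name, sig_class, *actions):
        """ip audit name NAME {info|attack} [action ...]; names must be distinct."""
        if name in self.policies:
            raise ValueError(f"policy {name!r} already defined")
        bad = set(actions) - VALID_ACTIONS
        if bad:
            raise ValueError(f"unknown action(s): {sorted(bad)}")
        self.policies[name] = AuditPolicy(name, sig_class, frozenset(actions))

    def disable_signature(self, sig_num):
        """ip audit signature N disable"""
        self.disabled.add(sig_num)

    def apply(self, if_name, policy_name):
        """ip audit interface IF NAME: one info and one attack policy per interface."""
        pol = self.policies[policy_name]
        self.interfaces.setdefault(if_name, {})[pol.sig_class] = policy_name

    def actions_for(self, if_name, sig_num):
        """Resolve the action set for one matched signature on one interface."""
        if sig_num in self.disabled:
            return frozenset()          # globally disabled: nothing happens
        sig_class = SIG_CLASS[sig_num]
        policy_name = self.interfaces.get(if_name, {}).get(sig_class)
        if policy_name is None:
            return frozenset()          # assumption: no policy of that class here -> not audited
        policy = self.policies[policy_name]
        return policy.actions or self.defaults[sig_class]   # empty policy -> defaults


def audit_packet(cfg, if_name, matched_sigs):
    """Walk the signatures a packet matched, in order; once an action drops the
    packet (drop or reset) later signatures cannot fire on it."""
    events = []
    for sig in matched_sigs:
        acts = cfg.actions_for(if_name, sig)
        if acts:
            events.append((sig, acts))
        if "drop" in acts or "reset" in acts:
            return events, True
    return events, False


def sample_config():
    """The page's Examples section as a constructed configuration."""
    cfg = AuditConfig()
    cfg.disable_signature(6102)                                   # ip audit signature 6102 disable
    cfg.add_policy("attack1", "info")                             # ip audit name attack1 info
    cfg.add_policy("attack2", "attack", "alarm", "drop", "reset") # ip audit name attack2 attack action ...
    cfg.apply("outside", "attack1")                               # ip audit interface outside attack1
    cfg.apply("inside", "attack2")                                # ip audit interface inside attack2
    return cfg


if __name__ == "__main__":
    cfg = sample_config()
    print(audit_packet(cfg, "inside", [4051, 6102]))
    print(audit_packet(cfg, "outside", [2003, 1000]))
```

Changing the defaults with set_default("info", "alarm", "drop") shows the point of an action-less policy: attack1 has no actions of its own, so informational signatures on outside immediately pick up the new default set.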

ip audit info

Specifies the default action to be taken for signatures classified as informational signatures.

The no ip audit info command sets the action to be taken for signatures classified as informational and reconnaissance to the default action. The show ip audit info command displays the default informational actions.

To cancel event reactions, specify the ip audit info command without an action option.

ip audit interface

Applies an audit specification or policy (via the ip audit name command) to an interface. The no ip audit interface command removes a policy from an interface. The show ip audit interface command displays the interface configuration.

ip audit name

Specifies the informational signatures, except those disabled or excluded by the ip audit signature command, that are considered part of the policy. The no ip audit name audit_name command removes the audit policy audit_name. The show ip audit name command displays all audit policies, or specific policies referenced by name and optionally by type.

ip audit signature

Specifies which messages to display, attaches a global policy to a signature, and disables or excludes a signature from auditing. The no ip audit signature signature_number command removes the policy from a signature and is used to re-enable it. The show ip audit signature command displays disabled signatures.


Supported IDS Signatures

The firewall lists the following single-packet IDS signature messages: 1000-1006, 1100, 1102, 1103, 2000-2012, 2150, 2151, 2154, 3040-3042, 4050-4052, 6050-6053, 6100-6103, 6150-6155, 6175, 6180, and 6190. Not all signature messages are supported by the firewall in this release. IDS syslog messages all start with %PIX-4-4000nn and have the following format:

%PIX-4-4000nn IDS:sig_num sig_msg from faddr to laddr on interface int_name

For example:

%PIX-4-400013 IDS:2003 ICMP redirect from 10.4.1.2 to 10.2.1.1 on interface dmz
%PIX-4-400032 IDS:4051 UDP Snork attack from 10.1.1.1 to 192.168.1.1 on interface outside

Options:
sig_num The signature number.
sig_msg The signature message—approximately the same as the Cisco IDS signature message.
faddr The IP address of the foreign host initiating the attack. ("Foreign" is relative; attacks can be perpetrated either from outside to an inside host, or from the inside to an outside host.)
laddr The IP address of the local host to which the attack is directed. ("Local" is relative; attacks can be perpetrated either from outside to an inside host, or from the inside to an outside host.)
int_name The name of the interface on which the signature originated.
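The following is an added example, not Cisco code: a Python parser for the IDS syslog format documented above, with a small aggregation by signature and foreign address of the kind a syslog collector would do. The sample log is constructed; its first two lines are the page's own example messages, the rest (a duplicate signature from the same foreign host, a malformed address, and a non-IDS message) are made up to exercise the skip paths.

```python
"""Added example (not Cisco's code): parse PIX IDS syslog lines of the form
'%PIX-4-4000nn IDS:sig_num sig_msg from faddr to laddr on interface int_name'
and summarise them. The sample log mixes the page's two example lines with
constructed ones."""
import re
from collections import Counter
from ipaddress import ip_address

IDS_RE = re.compile(
    r"^%PIX-4-(?P<msg_id>4000\d\d) IDS:(?P<sig_num>\d+) (?P<sig_msg>.+?) "
    r"from (?P<faddr>\S+) to (?P<laddr>\S+) on interface (?P<int_name>\S+)$"
)


def parse_ids_message(line):
    """Return a dict of the message fields, or None for non-IDS or malformed lines."""
    m = IDS_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    try:
        faddr, laddr = ip_address(f["faddr"]), ip_address(f["laddr"])
    except ValueError:
        return None                               # both addresses must parse
    return {
        "msg_id": f["msg_id"],
        "sig_num": int(f["sig_num"]),
        "sig_msg": f["sig_msg"],
        "faddr": str(faddr),                      # foreign host (relative to the firewall)
        "laddr": str(laddr),                      # local host the signature targets
        "int_name": f["int_name"],
    }


def summarize(lines):
    """Count IDS events by signature number and by foreign address; count skipped lines."""
    by_sig, by_faddr, skipped = Counter(), Counter(), 0
    for line in lines:
        ev = parse_ids_message(line)
        if ev is None:
            skipped += 1
            continue
        by_sig[ev["sig_num"]] += 1
        by_faddr[ev["faddr"]] += 1
    return {"by_sig": by_sig, "by_faddr": by_faddr, "skipped": skipped}


# Constructed sample: the first two lines are the page's own examples.
SAMPLE_LOG = [
    "%PIX-4-400013 IDS:2003 ICMP redirect from 10.4.1.2 to 10.2.1.1 on interface dmz",
    "%PIX-4-400032 IDS:4051 UDP Snork attack from 10.1.1.1 to 192.168.1.1 on interface outside",
    "%PIX-4-400032 IDS:4051 UDP Snork attack from 10.1.1.1 to 192.168.1.2 on interface outside",  # constructed
    "%PIX-4-400032 IDS:4051 UDP Snork attack from not-an-ip to 192.168.1.3 on interface outside",  # constructed, malformed
    "%PIX-6-999999 constructed non-IDS message, ignored by the parser",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_ids_message(line))
    print(summarize(SAMPLE_LOG))
```

Malformed lines are dropped rather than raising, so one bad record cannot stall a collector; in practice the skipped count is worth alerting on, since a rising value usually means the message format changed upstream.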


Examples

Disable signature 6102 globally:

ip audit signature 6102 disable

Specify default informational actions:

ip audit name attack1 info

Specify an attack policy:

ip audit name attack2 attack action alarm drop reset

Apply a policy to an interface:

ip audit interface outside attack1
ip audit interface inside attack2