Detecting Intrusions - Polycom HDX 4000 Series Administrator's Manual


Polycom, Inc.
PIP (not available on the Polycom HDX 4000 series or Polycom Touch Control)
Keypad Audio Confirmation (not available on the Polycom Touch Control)
Far Site Name Display Time (not available on the Polycom Touch Control)
Dual Monitor Emulation (not available on the Polycom Touch Control)
Allow Video Display on Web (this setting is unavailable when the Security Profile is set to Maximum)

Detecting Intrusions

The Polycom HDX system logs an entry to the security log when it detects a
possible network intrusion. This logging is controlled in the web interface by
the Admin Settings > General Settings > Security > Security Settings >
Security Mode setting. When this setting is enabled, logging of possible
intrusion attempts is enabled. When a possible intrusion attempt is logged, the
security log prefix identifies the type of packet detected, as shown in the
following table.

| Prefix | Packet Type |
|---|---|
| SECURITY: NIDS/unknown_tcp | Packet that attempts to connect or probe a closed TCP port |
| SECURITY: NIDS/unknown_udp | Packet that probes a closed UDP port |
| SECURITY: NIDS/invalid_tcp | TCP packet in an invalid state |
| SECURITY: NIDS/invalid_icmp | ICMP or ICMPv6 packet in an invalid state |
| SECURITY: NIDS/unknown | Packet with an unknown protocol number in the IP header |
| SECURITY: NIDS/flood | Stream of ICMP or ICMPv6 ping requests or TCP connections to an opened TCP port |

Following the message prefix, the security log entry includes the timestamp
and the IP, TCP, UDP, ICMP, or ICMPv6 headers. For example, the following
security log entry shows an "unknown_udp" intrusion:

2009-05-08 21:32:52 WARNING kernel: SECURITY: NIDS/unknown_udp
IN=eth0 OUT= MAC=00:e0:db:08:9a:ff:00:19:aa:da:11:c3:08:00
SRC=172.18.1.80 DST=172.18.1.170 LEN=28 TOS=0x00 PREC=0x00 TTL=63
ID=22458 PROTO=UDP SPT=1450 DPT=7788 LEN=8
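
The following is an added example, not part of the Polycom manual: a small Python parser that reads security log entries in the format shown above and summarizes, per source address, how many entries of each NIDS type were logged and which ports were touched. It assumes each entry occupies a single line in the exported log; the function names and every sample line after the first are constructed for illustration.

```python
import re
from collections import defaultdict

# Prefix suffixes from the table in this section of the manual.
NIDS_TYPES = {"unknown_tcp", "unknown_udp", "invalid_tcp",
              "invalid_icmp", "unknown", "flood"}

ENTRY_RE = re.compile(
    r"^(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
    r"SECURITY: NIDS/(?P<kind>\w+)\s+(?P<headers>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # value may be empty, as in "OUT="

def parse_entry(line):
    """Parse one security log line; return None if it is not a NIDS entry."""
    m = ENTRY_RE.match(line.strip())
    if m is None or m["kind"] not in NIDS_TYPES:
        return None
    entry = {"time": m["time"], "kind": m["kind"]}
    for key, value in FIELD_RE.findall(m["headers"]):
        # LEN appears twice (IP header, then UDP header); keep the first.
        entry.setdefault(key, value)
    return entry

def summarize(lines):
    """Per source address: entry count by NIDS type and (proto, port) pairs hit."""
    report = defaultdict(lambda: {"counts": defaultdict(int), "ports": set()})
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        src = report[entry.get("SRC", "unknown")]
        src["counts"][entry["kind"]] += 1
        if "DPT" in entry:
            src["ports"].add((entry.get("PROTO", "?"), int(entry["DPT"])))
    return report

# First line: the manual's example joined onto one line. The rest are constructed.
SAMPLE_LOG = [
    "2009-05-08 21:32:52 WARNING kernel: SECURITY: NIDS/unknown_udp IN=eth0 OUT= "
    "MAC=00:e0:db:08:9a:ff:00:19:aa:da:11:c3:08:00 SRC=172.18.1.80 DST=172.18.1.170 "
    "LEN=28 TOS=0x00 PREC=0x00 TTL=63 ID=22458 PROTO=UDP SPT=1450 DPT=7788 LEN=8",
    "2009-05-08 21:33:01 WARNING kernel: SECURITY: NIDS/unknown_tcp IN=eth0 OUT= "
    "SRC=172.18.1.80 DST=172.18.1.170 LEN=60 PROTO=TCP SPT=40112 DPT=23",
    "2009-05-08 21:33:02 WARNING kernel: SECURITY: NIDS/unknown_tcp IN=eth0 OUT= "
    "SRC=172.18.1.80 DST=172.18.1.170 LEN=60 PROTO=TCP SPT=40113 DPT=8080",
    "2009-05-08 21:33:05 INFO kernel: constructed non-NIDS line",
]

if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, dict(info["counts"]), sorted(info["ports"]))
```

A single source that accumulates unknown_tcp or unknown_udp entries across several destination ports in a short window is the pattern to review first, since each such entry records a probe of a closed port.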