Viewing Ids Alarms - AudioCodes Mediant 800B User Manual

12.3.4 Viewing IDS Alarms

The device uses SNMP (and Syslog) to notify you when it detects malicious attacks. The trap
displays the IDS Policy and Rule, and the Policy-Match index.
The device sends the SNMP alarm acIDSPolicyAlarm whenever a threshold of a specific
IDS Policy rule is crossed. For each scope that crosses this threshold, the device sends an
additional SNMP event (trap), acIDSThresholdCrossNotification, indicating the specific
details (IP address or IP address:port). If the trap severity level is raised, the alarm of the
former severity is cleared and the device then sends a new alarm with the new severity.
The SNMP alarm is cleared after a user-defined period (configured by the ini file
parameter IDSAlarmClearPeriod) during which no thresholds have been crossed.
However, this "quiet" period must be at least twice the Threshold Window value (configured
in 'Configuring IDS Policies' on page 137). For example, if IDSAlarmClearPeriod is set to
20 sec and the Threshold Window is set to 15 sec, the IDSAlarmClearPeriod parameter is
ignored and the alarm is cleared only after 30 seconds (2 x 15 sec).
The figure below shows an example of IDS alarms in the Active Alarms table (see 'Viewing
Active Alarms'), where a minor threshold alarm is cleared and replaced by a major
threshold alarm:
[Figure 12-8: IDS Alarms in Active Alarms Table]
You can also view the IDS alarms in the CLI:
To view active IDS alarms:
    show voip security ids active-alarm all
To view all IP addresses that crossed the threshold for an active IDS alarm:
    show voip security ids active-alarm match * rule *
The device also sends IDS notifications in Syslog messages to a Syslog server (if enabled;
see 'Configuring Syslog'). The table below shows the Syslog text message per malicious
event:
Table 12-6: Types of Malicious Events and Syslog Text String
Type                   | Description                                                                        | Syslog String
Connection Abuse       | TLS authentication failure                                                         | abuse-tls-auth-fail
Malformed Messages     | Message exceeds a user-defined maximum message length (50K)                        | malformed-invalid-msg-len
Malformed Messages     | Any SIP parser error                                                               | malformed-parse-error
Malformed Messages     | Message policy match                                                               | malformed-message-policy
Malformed Messages     | Basic headers not present                                                          | malformed-miss-header
Malformed Messages     | Content length header not present (for TCP)                                        | malformed-miss-content-len
Malformed Messages     | Header overflow                                                                    | malformed-header-overflow
Authentication Failure | Local authentication ("Bad digest" errors)                                         | auth-establish-fail
Authentication Failure | Remote authentication (SIP 401/407 is sent if original message includes authentication) | auth-reject-response
Mediant 800B GW & E-SBC User's Manual, Document #: LTRT-10274
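As an added example (not from the AudioCodes manual), the following Python script classifies Syslog lines by the IDS strings in Table 12-6 and computes the effective alarm clear period described above; the Syslog line format and the `IDS:` prefix in the sample lines are assumptions, only the event strings come from the table.

```python
import re
from collections import Counter

# Syslog strings from Table 12-6, mapped to their malicious-event type.
IDS_SYSLOG_STRINGS = {
    "abuse-tls-auth-fail": "Connection Abuse",
    "malformed-invalid-msg-len": "Malformed Messages",
    "malformed-parse-error": "Malformed Messages",
    "malformed-message-policy": "Malformed Messages",
    "malformed-miss-header": "Malformed Messages",
    "malformed-miss-content-len": "Malformed Messages",
    "malformed-header-overflow": "Malformed Messages",
    "auth-establish-fail": "Authentication Failure",
    "auth-reject-response": "Authentication Failure",
}

_STRING_RE = re.compile(r"\b(" + "|".join(map(re.escape, IDS_SYSLOG_STRINGS)) + r")\b")


def effective_clear_period(ids_alarm_clear_period, threshold_window):
    """Seconds of quiet before acIDSPolicyAlarm clears: the configured
    IDSAlarmClearPeriod, but never less than twice the Threshold Window."""
    return max(ids_alarm_clear_period, 2 * threshold_window)


def classify_syslog_lines(lines):
    """Return (Counter of event type -> hits, list of lines with no IDS string)."""
    counts = Counter()
    unmatched = []
    for line in lines:
        match = _STRING_RE.search(line)
        if match:
            counts[IDS_SYSLOG_STRINGS[match.group(1)]] += 1
        else:
            unmatched.append(line)
    return counts, unmatched


# Constructed sample lines; the surrounding format is an assumption.
SAMPLE_LINES = [
    "Jan 10 12:00:01 sbc1 IDS: malformed-parse-error from 192.0.2.10:5060",
    "Jan 10 12:00:02 sbc1 IDS: auth-establish-fail from 192.0.2.10:5060",
    "Jan 10 12:00:03 sbc1 IDS: abuse-tls-auth-fail from 198.51.100.7:5061",
    "Jan 10 12:00:04 sbc1 IDS: malformed-miss-content-len from 192.0.2.10:5060",
    "Jan 10 12:00:05 sbc1 call established to 203.0.113.5",
]

if __name__ == "__main__":
    by_type, rest = classify_syslog_lines(SAMPLE_LINES)
    print(dict(by_type), len(rest), effective_clear_period(20, 15))
```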
