Viewing Ids Alarms - AudioCodes Mediant 3000 User Manual

IDS Match table (continued from the previous page)

Parameter: (parameter name on the previous page)
Description:
  A comma-separated list of Proxy Set IDs (e.g., 1,3,4).
  A hyphen "-" indicates a range of Proxy Sets (e.g., 3,4-7 means IDs 3, and 4 through 7).
  A prefix of an exclamation mark "!" means negation of the set (e.g., !3,4-7 means all indexes excluding 3, and excluding 4 through 7).
  Notes:
  Only the IP address of the Proxy Set is considered (not the port).
  If a Proxy Set has multiple IP addresses, the device considers the Proxy Set as one entity and includes all its IP addresses in the same IDS count.

Parameter: Subnet [IDSMatch_Subnet]
Description:
  Defines the subnet to which the IDS Policy is assigned, i.e., the source subnets from which the attacks arrive. The following syntax can be used:
  The basic form is a subnet in CIDR notation (e.g., 10.1.0.0/16 means all sources with an IP address in the range 10.1.0.0–10.1.255.255).
  An IP address can be specified without the prefix length to refer to that specific IP address only.
  Each subnet can be negated by prefixing it with "!", which means all IP addresses outside that subnet.
  Multiple subnets can be specified by separating them with "&" (and) or "|" (or) operators. For example:
  10.1.0.0/16 | 10.2.2.2: includes subnet 10.1.0.0/16 and IP address 10.2.2.2.
  !10.1.0.0/16 & !10.2.2.2: includes all addresses except those of subnet 10.1.0.0/16 and IP address 10.2.2.2. Note that the exclamation mark "!" appears before each subnet.
  10.1.0.0/16 & !10.1.1.1: includes subnet 10.1.0.0/16, except IP address 10.1.1.1.

Parameter: Policy [IDSMatch_Policy]
Description:
  Assigns an IDS Policy (configured in ''Configuring IDS Policies'' on page 163).

14.3.4 Viewing IDS Alarms

For the IDS feature, the device sends the following SNMP traps:
Traps that notify of detected malicious attacks:
acIDSPolicyAlarm: The device sends this alarm whenever a threshold of a specific IDS Policy rule is crossed. The trap displays the crossed severity threshold (Minor or Major), the IDS Policy and IDS Rule, and the IDS Policy-Match index.
acIDSThresholdCrossNotification: The device sends this event for each scope (IP address) that crosses the threshold. In addition to the crossed severity threshold (Minor or Major) of the IDS Policy-Match index, this event shows the IP address (or IP address:port) of the malicious attacker.
If the severity level is raised, the alarm of the former severity is cleared and the device sends a new alarm with the new severity. The alarm is cleared after a user-defined period (configured by the ini file parameter IDSAlarmClearPeriod) during which no thresholds have been crossed. However, this "quiet" period must be at least twice the 'Threshold Window' value (configured in ''Configuring IDS Policies'' on page 163). For example, if you set IDSAlarmClearPeriod to 20 sec and 'Threshold Window' to 15 sec, the IDSAlarmClearPeriod parameter is ignored and the alarm is cleared only after 30 seconds (2 x 15 sec).
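Added example (not from the AudioCodes manual): a small Python evaluator for the IDSMatch_Subnet expression syntax and the Proxy Set ID list syntax described in the table above, plus the alarm-clear rule from section 14.3.4, so a policy match expression can be sanity-checked against sample source addresses before it is loaded. The function names, the AND-before-OR precedence and the sample inputs are assumptions; the manual does not state operator precedence.

```python
import ipaddress

def _match_term(term, addr):
    """One subnet term: a CIDR subnet, a bare IP (single host), or either
    prefixed with '!' to mean every address outside it."""
    term = term.strip()
    negate = term.startswith("!")
    if negate:
        term = term[1:].strip()
    # A bare address without a prefix length becomes a /32 (or /128) network.
    inside = addr in ipaddress.ip_network(term, strict=False)
    return not inside if negate else inside

def subnet_matches(expr, source_ip):
    """Evaluate an IDSMatch_Subnet expression for one source address.
    Assumption (precedence is not stated in the manual): '&' binds tighter
    than '|', so 'a | b & c' reads as 'a OR (b AND c)'."""
    addr = ipaddress.ip_address(source_ip)
    return any(all(_match_term(t, addr) for t in clause.split("&"))
               for clause in expr.split("|"))

def proxy_set_matches(expr, proxy_set_id):
    """Evaluate a Proxy Set ID list such as '1,3,4', '3,4-7' or '!3,4-7'."""
    expr = expr.strip()
    negate = expr.startswith("!")
    if negate:
        expr = expr[1:]
    ids = set()
    for part in expr.split(","):
        part = part.strip()
        if "-" in part:                      # inclusive range, e.g. 4-7
            lo, hi = (int(x) for x in part.split("-", 1))
            ids.update(range(lo, hi + 1))
        else:
            ids.add(int(part))
    return proxy_set_id not in ids if negate else proxy_set_id in ids

def effective_clear_period(ids_alarm_clear_period, threshold_window):
    """Quiet time (seconds) before an IDS alarm clears: IDSAlarmClearPeriod,
    but never less than twice the 'Threshold Window'."""
    return max(ids_alarm_clear_period, 2 * threshold_window)

if __name__ == "__main__":
    # Constructed inputs that mirror the manual's own examples.
    print(subnet_matches("10.1.0.0/16 & !10.1.1.1", "10.1.1.1"))  # False
    print(proxy_set_matches("!3,4-7", 8))                          # True
    print(effective_clear_period(20, 15))                          # 30
```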
Mediant 3000 User's Manual, Document #: LTRT-89738, page 168