Viewing Ids Alarms - AudioCodes Mediant 800 User Manual

CHAPTER 14    Security

Viewing IDS Alarms

For the IDS feature, the device sends the following SNMP traps:
Traps that notify the detection of malicious attacks:
acIDSPolicyAlarm: The device sends this alarm whenever a threshold of a specific IDS Policy rule is crossed. The trap displays the crossed severity threshold (Minor or Major), IDS Policy and IDS Rule, and the IDS Policy-Match index.
acIDSThresholdCrossNotification: The device sends this event for each scope (IP address) that crosses the threshold. In addition to the crossed severity threshold (Minor or Major) of the IDS Policy-Match index, this event shows the IP address (or IP address:port) of the malicious attacker.
If the severity level is raised, the alarm of the former severity is cleared and the device sends a new alarm with the new severity. The alarm is cleared after a user-defined timeout during which no thresholds have been crossed.
To configure IDS alarm cleared timeout:
1. Open the IDS General Settings page (Setup menu > Signaling & Media tab > Intrusion Detection folder > IDS General Settings).
2. In the 'IDS Alarm Clear Period' field (IDSAlarmClearPeriod), enter the timeout (in seconds) after which the alarm is cleared if no IDS thresholds have been crossed during the timeout.
3. Click Apply.
However, this "quiet" timeout period must be at least twice the 'Threshold Window' value (configured in Configuring IDS Policies). For example, if you set IDSAlarmClearPeriod to 20 sec and 'Threshold Window' to 15 sec, the IDSAlarmClearPeriod parameter is ignored and the alarm is cleared only after 30 seconds (2 x 15 sec).
The figure below displays an example of IDS alarms in the Active Alarms table (Viewing Active Alarms). In this example, a Minor threshold alarm is cleared and replaced by a Major threshold alarm:
acIDSBlacklistNotification event: The device sends this event whenever an attacker (remote host at IP address and/or port) is added to or removed from the blacklist.
You can also view IDS alarms through CLI:
To view all active IDS alarms:
# show voip ids active-alarm all
To view all IP addresses that have crossed the threshold for an active IDS alarm:
# show voip ids active-alarm match <IDS Match Policy ID> rule <IDS Rule ID>
The IP address is displayed only if the 'Threshold Scope' parameter is set to IP or IP+Port; otherwise, only the alarm is displayed.
To view the blacklist, see Viewing IDS Active Blacklist on page 1026.
Mediant 800 Gateway & E-SBC | User's Manual
- 154 -
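Added example (not code from the AudioCodes manual or the device): a small Python model of the acIDSPolicyAlarm lifecycle described above, covering the escalation from Minor to Major and the quiet timeout, with the effective clear period computed as the larger of IDSAlarmClearPeriod and twice the 'Threshold Window'. Class and function names are my own, and the behaviour when a threshold at or below the active severity is crossed again (only the timer restarts) is an assumption.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SEVERITY_RANK = {"Minor": 1, "Major": 2}


@dataclass
class IdsPolicyMatchAlarm:
    """Models the acIDSPolicyAlarm lifecycle for one IDS Policy-Match index."""
    clear_period: int       # IDSAlarmClearPeriod, in seconds
    threshold_window: int   # 'Threshold Window' of the IDS Policy rule, in seconds
    severity: Optional[str] = None          # currently raised severity, if any
    last_cross: Optional[int] = None        # time of the most recent threshold crossing
    events: List[Tuple[int, str, str]] = field(default_factory=list)

    def effective_clear_period(self) -> int:
        # The quiet period can never be shorter than twice the Threshold Window;
        # a smaller IDSAlarmClearPeriod is ignored (20 s with a 15 s window -> 30 s).
        return max(self.clear_period, 2 * self.threshold_window)

    def threshold_crossed(self, now: int, severity: str) -> None:
        """A Minor or Major threshold of the rule was crossed at time `now`."""
        self.last_cross = now  # any crossing restarts the quiet timeout
        if self.severity is None:
            self.events.append((now, "raise", severity))
            self.severity = severity
        elif SEVERITY_RANK[severity] > SEVERITY_RANK[self.severity]:
            # Escalation: the former severity is cleared, then the new one raised.
            self.events.append((now, "clear", self.severity))
            self.events.append((now, "raise", severity))
            self.severity = severity
        # A crossing at or below the current severity only refreshes the timer
        # (assumption; the manual does not spell this case out).

    def tick(self, now: int) -> None:
        """Clear the alarm once the quiet period has elapsed with no crossings."""
        if self.severity is not None and now - self.last_cross >= self.effective_clear_period():
            self.events.append((now, "clear", self.severity))
            self.severity = None


def manual_example() -> List[Tuple[int, str, str]]:
    """Replays the manual's scenario: 20 s clear period, 15 s window, Minor then Major."""
    alarm = IdsPolicyMatchAlarm(clear_period=20, threshold_window=15)
    alarm.threshold_crossed(0, "Minor")
    alarm.threshold_crossed(5, "Major")
    alarm.tick(25)   # only 20 s quiet: the 20 s setting is ignored, 30 s applies
    alarm.tick(35)   # 30 s quiet: alarm cleared
    return alarm.events
```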
