Viewing Ids Alarms - AudioCodes Mediant 1000B User Manual
Analog & digital voip media gateway enterprise session border controller gateway & e-sbc
Hide thumbs
Also See for Mediant 1000B:
- User manual (1281 pages) ,
- Hardware installation manual (92 pages) ,
- Configuration note (52 pages)
Table of Contents
Advertisement
User's Manual
13.3.4 Viewing IDS Alarms
For the IDS feature, the device sends the following SNMP traps:
Traps that notify the detection of malicious attacks:
•
acIDSPolicyAlarm: The device sends this alarm whenever a threshold of a
specific IDS Policy rule is crossed. The trap displays the crossed severity
threshold (Minor or Major), IDS Policy and IDS Rule, and the IDS Policy-Match
index.
•
acIDSThresholdCrossNotification: The device sends this event for each scope
(IP address) that crosses the threshold. In addition to the crossed severity
threshold (Minor or Major) of the IDS Policy-Match index, this event shows the IP
address (or IP address:port) of the malicious attacker.
If the severity level is raised, the alarm of the former severity is cleared and the
device sends a new alarm with the new severity. The alarm is cleared after a
user-defined period (configured by the ini file parameter, IDSAlarmClearPeriod)
during which no thresholds have been crossed. However, this "quiet" period must
be at least twice the 'Threshold Window' value (configured in ''Configuring IDS
Policies'' on page 149). For example, if you set IDSAlarmClearPeriod to 20 sec
and 'Threshold Window' to 15 sec, the IDSAlarmClearPeriod parameter is
ignored and the alarm is cleared only after 30 seconds (2 x 15 sec).
The figure below displays an example of IDS alarms in the Active Alarms table
(''Viewing Active Alarms'' on page 631). In this example, a Minor threshold alarm
is cleared and replaced by a Major threshold alarm:
acIDSBlacklistNotification event: The device sends this event whenever an attacker
(remote host at IP address and/or port) is added to or removed from the blacklist.
You can also view IDS alarms in the CLI, using the following commands:
To view all active IDS alarms:
# show voip security ids active-alarm all
To view all IP addresses that crossed the threshold for an active IDS alarm:
# show voip security ids active-alarm match <IDS Match Policy ID> rule
<IDS Rule ID>
The IP address is displayed only if the 'Threshold Scope' parameter is set to IP or
IP+Port; otherwise, only the alarm is displayed.
To view the blacklist:
# show voip security ids blacklist active
For example:
Active blacklist entries:
10.33.5.110(NI:0) remaining 00h:00m:10s in blacklist
Where SI is the SIP Interface and NI is the network interface.
The device also sends IDS notifications and alarms in Syslog messages to a Syslog
server. This only occurs if you have configured Syslog (see ''Enabling Syslog'' on page
681). An example of a Syslog message with IDS alarms and notifications is shown below:
Version 6.8
Figure 13-8: IDS Alarms in Active Alarms Table
155
Mediant 1000B Gateway & SBC
13. Security
Advertisement
Chapters
Table of Contents
