
AudioCodes Media 800 MSBR User Manual

AudioCodes Media 800 MSBR
1002 pages
User's Manual 148 Document #: LTRT-12809
Mediant 800 MSBR
15.3.4 Viewing IDS Alarms
The device uses SNMP (and Syslog) to report detected malicious attacks. The trap displays the IDS Policy and Rule, and the Policy-Match index.

The device sends the SNMP alarm acIDSPolicyAlarm whenever a threshold of a specific IDS Policy rule is crossed. For each scope that crosses this threshold, the device sends an additional SNMP event (trap), acIDSThresholdCrossNotification, indicating the specific details (IP address or IP address:port). If the trap severity level is raised, the alarm of the former severity is cleared and the device then sends a new alarm with the new severity.

The SNMP alarm is cleared after a user-defined period (configured by the ini file parameter IDSAlarmClearPeriod) during which no thresholds have been crossed. However, this "quiet" period must be at least twice the Threshold Window value (configured in 'Configuring IDS Policies' on page 143). For example, if IDSAlarmClearPeriod is set to 20 sec and the Threshold Window is set to 15 sec, the IDSAlarmClearPeriod parameter is ignored and the alarm is cleared only after 30 seconds (2 x 15 sec).

The figure below shows an example of IDS alarms in the Active Alarms table (Viewing
Active Alarms), where a minor threshold alarm is cleared and replaced by a major
threshold alarm:
Figure 9: IDS Alarms in Active Alarms Table
You can also view the IDS alarms in the CLI:
  To view active IDS alarms:
    show voip security ids active-alarm all
  To view all IP addresses that crossed the threshold for an active IDS alarm:
    show voip security ids active-alarm match * rule *
The device also sends IDS notifications in Syslog messages to a Syslog server (if enabled
- see Configuring Syslog). The table below shows the Syslog text message per malicious
event:
Types of Malicious Events and Syslog Text String

| Type | Description | Syslog String |
|---|---|---|
| Connection Abuse | TLS authentication failure | abuse-tls-auth-fail |
| Malformed Messages | Message exceeds a user-defined maximum message length (50K) | malformed-invalid-msg-len |
| | Any SIP parser error | malformed-parse-error |
| | Message policy match | malformed-message-policy |
| | Basic headers not present | malformed-miss-header |
| | Content length header not present (for TCP) | malformed-miss-content-len |
| | Header overflow | malformed-header-overflow |
| Authentication Failure | Local authentication ("Bad digest" errors) | auth-establish-fail |
| | Remote authentication (SIP 401/407 is sent if original message includes authentication) | auth-reject-response |
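
As an added example (not from the AudioCodes manual), the Python code below tallies the Syslog strings from the table by event type and source address on a Syslog collector, and applies the alarm-clear rule described earlier in this section. The sample lines, their layout, and treating the first IPv4 address in a line as the source are assumptions; only the Syslog strings and the clear-period rule come from this page.

```python
import re
from collections import Counter

# Syslog strings from the table above, mapped to their event type.
IDS_STRINGS = {
    "abuse-tls-auth-fail": "Connection Abuse",
    "malformed-invalid-msg-len": "Malformed Messages",
    "malformed-parse-error": "Malformed Messages",
    "malformed-message-policy": "Malformed Messages",
    "malformed-miss-header": "Malformed Messages",
    "malformed-miss-content-len": "Malformed Messages",
    "malformed-header-overflow": "Malformed Messages",
    "auth-establish-fail": "Authentication Failure",
    "auth-reject-response": "Authentication Failure",
}
# Match a string only as a whole token, so "malformed-miss-header-x" is ignored.
_NAMES = "|".join(sorted(map(re.escape, IDS_STRINGS), key=len, reverse=True))
_REASON_RE = re.compile(r"(?<![\w-])(" + _NAMES + r")(?![\w-])")
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def classify(line):
    """Return (type, syslog string, source IPv4 or None), or None if no IDS string."""
    m = _REASON_RE.search(line)
    if not m:
        return None
    ip = _IPV4_RE.search(line)  # assumption: first IPv4 in the line is the source
    return IDS_STRINGS[m.group(1)], m.group(1), ip.group(0) if ip else None

def tally(lines):
    """Count IDS events per (type, source address) across Syslog lines."""
    hits = (classify(line) for line in lines)
    return Counter((h[0], h[2]) for h in hits if h)

def effective_clear_period(ids_alarm_clear_period, threshold_window):
    """Quiet period in seconds before the alarm clears: at least 2 x Threshold Window."""
    return max(ids_alarm_clear_period, 2 * threshold_window)

# Constructed sample lines; the layout around the IDS string is an assumption.
SAMPLE = [
    "<132> IDS event from 198.51.100.7:5060 reason=malformed-parse-error",
    "<132> IDS event from 198.51.100.7:5060 reason=auth-establish-fail",
    "<132> IDS event from 198.51.100.7:5062 reason=auth-reject-response",
    "<134> call connected 203.0.113.9",
    "<132> IDS event from 192.0.2.44 reason=abuse-tls-auth-fail",
]

if __name__ == "__main__":
    for key, count in tally(SAMPLE).most_common():
        print(key, count)
    print(effective_clear_period(20, 15))
```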
