This chapter explains the function and syntax of the integrated Intrusion Detection System (IDS) commands. For more information about defaults and usage guidelines, see the corresponding chapter of the Cisco IOS Security Command Reference, Release 12.1.
To disable Cisco Secure IS IDS, remove all intrusion detection configuration entries, and release dynamic resources, use the clear ip audit configuration EXEC command.

clear ip audit configuration

Syntax Description

This command has no arguments or keywords.
To reset statistics on packets analyzed and alarms sent, use the clear ip audit statistics EXEC command.

clear ip audit statistics

Syntax Description

This command has no arguments or keywords.
To apply an audit specification created with the ip audit name command to a specific interface and for a specific direction, use the ip audit interface configuration command. Use the no form of this command to disable auditing of the interface for the specified direction.

ip audit audit-name {in | out}

Syntax Description

audit-name   Name of an audit specification.
in           Inbound traffic.
out          Outbound traffic.
To specify the default actions for attack signatures, use the ip audit attack global configuration command. Use the no form of this command to restore the default action for attack signatures.

ip audit attack {action [alarm] [drop] [reset]}

Syntax Description

action   Specifies an action for the attack signature to take in response to a match.
alarm    Sends an alarm to the console, to the NetRanger Director, or to a syslog server. Used with the action keyword.
drop     Drops the packet. Used with the action keyword.
reset    Resets the TCP session. Used with the action keyword.
To specify the default actions for info signatures, use the ip audit info global configuration command. Use the no form of this command to restore the default action for info signatures.

ip audit info {action [alarm] [drop] [reset]}

Syntax Description

action   Sets an action for the info signature to take in response to a match.
alarm    Sends an alarm to the console, to the NetRanger Director, or to a syslog server. Used with the action keyword.
drop     Drops the packet. Used with the action keyword.
reset    Resets the TCP session. Used with the action keyword.
To create audit rules for info and attack signature types, use the ip audit name global configuration command. Use the no form of this command to delete an audit rule.

ip audit name audit-name {info | attack} [list standard-acl] [action [alarm] [drop] [reset]]

Syntax Description

audit-name     Name for an audit specification.
info           Specifies that the audit rule is for info signatures.
attack         Specifies that the audit rule is for attack signatures.
list           Specifies an ACL to attach to the audit rule.
standard-acl   Integer representing an access control list. Use with the list keyword.
action         Specifies an action or actions to take in response to a match.
alarm          Sends an alarm to the console, to the NetRanger Director, or to a syslog server. Use with the action keyword.
drop           Drops the packet. Use with the action keyword.
reset          Resets the TCP session. Use with the action keyword.
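The commands above (ip audit info, ip audit attack, ip audit name and ip audit interface) are normally used together. The following configuration is an added example, not from the command reference: the specification name AUDIT.1, access list 90, the addresses and the interface name are assumed values, and the comment on how the attached ACL scopes auditing reflects my understanding of the feature and should be confirmed against the configuration guide for your release.

```cisco
! Added example (not from the command reference). AUDIT.1, ACL 90,
! Ethernet0 and all addresses are assumed values for illustration.
!
! Site-wide defaults: info signatures only alarm; attack signatures
! alarm, drop the packet and reset the TCP session.
ip audit info action alarm
ip audit attack action alarm drop reset
!
! Standard ACL 90 scopes the audit rule. As I understand the feature,
! hosts denied by the ACL are excluded from auditing and everything
! permitted is audited; the ACL selects what to inspect, it does not
! filter traffic. Confirm this on your release before relying on it.
access-list 90 deny 10.1.1.0 0.0.0.255
access-list 90 permit any
!
! One audit specification, AUDIT.1, carrying one info rule and one
! attack rule. The info rule omits "action", so it inherits the
! ip audit info default; the attack rule states its actions explicitly.
ip audit name AUDIT.1 info list 90
ip audit name AUDIT.1 attack list 90 action alarm drop reset
!
! Bind the specification to inbound traffic on the outside interface.
interface Ethernet0
 ip audit AUDIT.1 in
!
! Removal is the mirror image, unbinding before deleting the rules:
!   interface Ethernet0
!    no ip audit AUDIT.1 in
!   no ip audit name AUDIT.1 attack
!   no ip audit name AUDIT.1 info
```

Verify the result with show ip audit interface (which specification is bound where) and show ip audit configuration (effective default actions, including values that show run omits).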
To specify the methods of event notification, use the ip audit notify global configuration command. Use the no form of this command to disable event notifications.

ip audit notify {nr-director | log}

Syntax Description

nr-director   Send messages in NetRanger format to the NetRanger Director or Sensor.
log           Send messages in syslog format.
To specify the local Post Office parameters used when sending event notifications to the NetRanger Director, use the ip audit po local global configuration command. Use the no form of this command to set the local Post Office parameters to their default settings.

ip audit po local hostid host-id orgid org-id

Syntax Description

hostid    Specifies a NetRanger host ID.
host-id   Unique integer in the range 1 to 65535 used in NetRanger communications to identify the local host. Use with the hostid keyword.
orgid     Specifies a NetRanger organization ID.
org-id    Unique integer in the range 1 to 65535 used in NetRanger communications to identify the group to which the local host belongs. Use with the orgid keyword.
To specify the maximum number of event notifications that are placed in the router's event queue, use the ip audit po max-events global configuration command. Use the no form of this command to restore the default setting.

ip audit po max-events number-of-events

Syntax Description

number-of-events   Integer in the range of 1 to 65535 that designates the maximum number of events allowable in the event queue.
To specify whether an address is on a protected network, use the ip audit po protected global configuration command. Use the no form of this command to remove network addresses from the protected network list. If you specify an IP address for removal, that address is removed from the list. If you do not specify an address, all IP addresses are removed from the list.

ip audit po protected ip-addr [to ip-addr]

Syntax Description

to        Specifies a range of IP addresses.
ip-addr   IP address of a network host.
To specify one or more sets of Post Office parameters for the NetRanger Director(s) receiving event notifications from the router, use the ip audit po remote global configuration command. Use the no form of this command to remove a NetRanger Director's Post Office parameters as defined by host ID, organization ID, and IP address.

ip audit po remote hostid host-id orgid org-id rmtaddress ip-address localaddress ip-address [port port-number] [preference preference-number] [timeout seconds] [application {director | logger}]

Syntax Description

hostid              Specifies a NetRanger host ID.
host-id             Unique integer in the range 1 to 65535 used in NetRanger communications to identify the local host. Use with the hostid keyword.
orgid               Specifies a NetRanger organization ID.
org-id              Unique integer in the range 1 to 65535 used in NetRanger communications to identify the group to which the local host belongs. Use with the orgid keyword.
rmtaddress          Specifies the IP address of the NetRanger Director.
localaddress        Specifies the IP address of the Cisco Secure IS IDS router.
ip-address          IP address of the NetRanger Director or of the Cisco Secure IS IDS router's interface. Use with the rmtaddress and localaddress keywords.
port                (Optional) Specifies a UDP port through which to send messages.
port-number         (Optional) Integer representing the UDP port on which the Director is listening for event notifications. Use with the port keyword.
preference          (Optional) Specifies a route preference for communication.
preference-number   Integer representing the relative priority of a route to a NetRanger Director, if more than one route exists. Use with the preference keyword.
timeout             (Optional) Specifies a timeout value for Post Office communications.
seconds             (Optional) Integer representing the heartbeat timeout value for Post Office communications. Use with the timeout keyword.
application         (Optional) Specifies the type of application that is receiving the Cisco Secure IS IDS messages.
director            Specifies that the receiving application is the NetRanger Director interface.
logger              Specifies that the receiving application is a NetRanger Sensor.
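The ip audit notify, ip audit po local, ip audit po remote, ip audit po protected and ip audit po max-events commands form one delivery path from the router to a Director. The following is an added example, not from the command reference: the host and organization IDs, addresses, port, preference and timeout values are assumed, and the note about reloading reflects my experience with this feature rather than anything stated on this page.

```cisco
! Added example (not from the command reference). All IDs, addresses,
! port numbers and timers below are assumed values.
!
! Send notifications to the Director and to syslog, so a local record
! survives a Director or Post Office outage.
ip audit notify nr-director
ip audit notify log
!
! This router's Post Office identity: host 10 in organization 100.
ip audit po local hostid 10 orgid 100
!
! Primary path to the Director (host 1, same organization), reached at
! 192.168.1.2 from the router's 192.168.1.1 on UDP 45000. preference 1
! marks it as the preferred route; timeout 5 is the heartbeat timeout in
! seconds.
ip audit po remote hostid 1 orgid 100 rmtaddress 192.168.1.2 localaddress 192.168.1.1 port 45000 preference 1 timeout 5 application director
!
! Backup path to the same Director over a second link, lower preference.
! The host/org IDs stay the same: this is a route, not a new Director.
ip audit po remote hostid 1 orgid 100 rmtaddress 192.168.2.2 localaddress 192.168.2.1 port 45000 preference 2 timeout 5 application director
!
! Declare the inside network as protected, so alarms can distinguish
! protected from unprotected addresses.
ip audit po protected 10.1.2.1 to 10.1.2.254
!
! Bound the event queue so a flood of alarms cannot exhaust memory.
ip audit po max-events 100
!
! Removing the backup route requires the identifying triple:
!   no ip audit po remote hostid 1 orgid 100 rmtaddress 192.168.2.2
!
! In my experience local/remote Post Office changes take effect only
! after a reload; check your release notes. Confirm the effective
! settings with:
!   show ip audit configuration
```

The preference values are what make the second ip audit po remote line a fallback rather than a duplicate: both entries name the same Director (hostid 1, orgid 100) and differ only in the address pair and priority.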
To attach a policy to a signature, use the ip audit signature global configuration command. You can set two policies: disable a signature, or qualify the audit of a signature with an access list. Use the no form of this command to remove the policy. If the policy disabled a signature, the no form of this command re-enables the signature. If the policy attached an access list to the signature, the no form of this command removes the access list.

ip audit signature signature-id {disable | list acl-list}

Syntax Description

signature-id   Unique integer specifying a signature as defined in the NetRanger Network Security Database.
disable        Disables the ACL associated with the signature.
list           Specifies an ACL to associate with the signature.
acl-list       Unique integer specifying a configured ACL on the router. Use with the list keyword.
To specify the number of recipients in a mail message over which a spam attack is suspected, use the ip audit smtp global configuration command. Use the no form of this command to set the number of recipients to the default setting.

ip audit smtp spam number-of-recipients

Syntax Description

spam                   Specifies a threshold beyond which the Cisco Secure IS IDS alarms on spam e-mail.
number-of-recipients   Integer in the range of 1 to 65535 that designates the maximum number of recipients in a mail message before a spam attack is suspected. Use with the spam keyword.
To display additional configuration information, including default values that may not be displayed using the show run command, use the show ip audit configuration EXEC command.

show ip audit configuration

Syntax Description

This command has no arguments or keywords.
To display the interface configuration, use the show ip audit interface EXEC command.

show ip audit interface

Syntax Description

This command has no arguments or keywords.
To display the number of packets audited and the number of alarms sent, among other information, use the show ip audit statistics EXEC command.

show ip audit statistics

Syntax Description

This command has no arguments or keywords.
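Per-signature tuning (ip audit signature, ip audit smtp) and the show and clear commands belong to the same workflow: suppress known noise, then measure what the IDS is actually doing. The following is an added example, not from the command reference. The signature IDs are values from the NetRanger Network Security Database as I know them (1004 for the IP options loose-source-route check, 2004 for ICMP echo request) and should be confirmed against the database shipped with your release; access list 91 and the host address are assumed, and the ACL semantics described in the comments are my understanding of the feature.

```cisco
! Added example (not from the command reference). Signature IDs are
! NSDB values as I know them; verify them against your release. ACL 91
! and 10.1.1.5 are assumed values.
!
! Disable a signature that only produces noise on this network.
ip audit signature 1004 disable
!
! Keep the ICMP echo request signature but exempt the monitoring
! station. As I understand the feature, hosts denied by the attached
! ACL are not checked against this signature; everything permitted is.
access-list 91 deny host 10.1.1.5
access-list 91 permit any
ip audit signature 2004 list 91
!
! Alarm when a single mail message names more than 250 recipients.
ip audit smtp spam 250
!
! Verification, from EXEC mode:
!   show ip audit configuration   effective settings, including defaults
!                                 that show run does not display
!   show ip audit interface       which specification is bound to which
!                                 interface and direction
!   show ip audit statistics      packets audited and alarms sent
!
! Zero the counters at the start of a measurement window, then compare
! the alarm count against the packet count at the end of it:
!   clear ip audit statistics
!
! Undoing the per-signature policy: the first re-enables 1004, the
! second detaches ACL 91 from 2004 without touching the ACL itself.
!   no ip audit signature 1004 disable
!   no ip audit signature 2004 list 91
```

Note that clear ip audit configuration is a much larger hammer than clear ip audit statistics: it removes every ip audit entry and disables the IDS, whereas the statistics command only resets counters.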
Posted: Wed Jul 26 16:19:21 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.