Initializing the Post Office

Only three commands initialize the Post Office system on a router. This section introduces the purpose, syntax, and examples of each. If the Cisco Secure IDS Director isn’t being used, the only command that should be used is the ip audit notify command to specify that alarms be sent to a Syslog server to preserve a record of the event.

Note

Each time a change is made to the Post Office configuration, the router must be reloaded.

The ip audit notify Command

Use the global configuration mode command ip audit notify to specify the method(s) of event notification. If alarms are to be sent to a Cisco Secure IDS Director, use the nr-director keyword in the command syntax. If alarms are to be sent to a Syslog server, use the log keyword in the command syntax. The two commands can be used together to log to both devices. Use the no version of this command to return the notification method to its default setting. The syntax is

Rtr1(config)#ip audit notify {nr-director | log}
Rtr1(config)#no ip audit notify {nr-director | log}

nr-director    Sends messages in Director format to the Cisco Secure Director or Sensor
log            Sends messages in syslog format

This command was introduced in IOS 12.0(5)T. The default is to send messages in syslog format.

The following example directs logging to both the Cisco Secure IDS Director and a Syslog server.

Rtr1(config)#ip audit notify nr-director
Rtr1(config)#ip audit notify log

While they’re not part of IDS, the following commands must also be issued to identify the Syslog server by IP address or host name and to direct logging output to that server.

Rtr1(config)#logging 192.168.1.10
Rtr1(config)#logging on

Without these commands, the output is displayed on the router console and looks like the following. Notice that each message includes the IDS signature detected, plus the source and destination IP addresses.

01:04:33: %IDS-4-ICMP_ECHO_SIG: Sig:2004:ICMP Echo Request - from 192.168.1.10 to 192.168.2.1
01:04:34: %IDS-4-ICMP_ECHO_REPLY_SIG: Sig:2000:ICMP Echo Reply - from 192.168.2.1 to 192.168.1.10

The signatures triggered in the output above are

2000 ICMP Echo Reply (Info, Atomic)

Triggers when an IP datagram is received with the IP header protocol field set to 1 (ICMP) and the type field in the ICMP header set to 0 (Echo Reply)

2004 ICMP Echo Request (Info, Atomic)

Triggers when an IP datagram is received with the IP header protocol field set to 1 (ICMP) and the type field in the ICMP header set to 8 (Echo Request)
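The console messages above are the only record of an event when no Director is in use, so a defender usually ends up parsing them from the Syslog server. The following Python parser is an added example, not code from the chapter or from Cisco: it extracts the timestamp, severity, mnemonic, signature ID and name, and the source and destination addresses from messages in the %IDS format shown above, attaches the level and class the chapter gives for signatures 2000 and 2004, and ignores non-IDS syslog lines. The sample lines and the third, non-IDS line are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample console output in the %IDS message format the chapter shows.
# The third line is a non-IDS syslog message and must be ignored by the parser.
SAMPLE_LINES = [
    "01:04:33: %IDS-4-ICMP_ECHO_SIG: Sig:2004:ICMP Echo Request - from 192.168.1.10 to 192.168.2.1",
    "01:04:34: %IDS-4-ICMP_ECHO_REPLY_SIG: Sig:2000:ICMP Echo Reply - from 192.168.2.1 to 192.168.1.10",
    "01:05:01: %SYS-5-CONFIG_I: Configured from console by console",
]

# Signature name, level and class as the chapter describes them (only these two are on the page).
SIGNATURES = {
    2000: ("ICMP Echo Reply", "Info", "Atomic"),
    2004: ("ICMP Echo Request", "Info", "Atomic"),
}

# Timestamp, facility-severity-mnemonic, then "Sig:<id>:<name> - from <src> to <dst>".
IDS_RE = re.compile(
    r"^(?P<ts>\S+): %IDS-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): "
    r"Sig:(?P<sig>\d+):(?P<name>.+?) - from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<dst>\d{1,3}(?:\.\d{1,3}){3})$"
)


@dataclass
class IdsAlarm:
    timestamp: str
    severity: int
    mnemonic: str
    sig_id: int
    sig_name: str
    src: str
    dst: str
    sig_level: Optional[str]  # "Info" or "Attack" when the signature is known, else None
    sig_class: Optional[str]  # "Atomic" or "Compound" when the signature is known, else None


def parse_ids_line(line: str) -> Optional[IdsAlarm]:
    """Return an IdsAlarm for an %IDS message, or None for any other line."""
    m = IDS_RE.match(line.strip())
    if m is None:
        return None
    sig_id = int(m["sig"])
    known = SIGNATURES.get(sig_id)
    return IdsAlarm(
        timestamp=m["ts"],
        severity=int(m["sev"]),
        mnemonic=m["mnemonic"],
        sig_id=sig_id,
        sig_name=m["name"].strip(),
        src=m["src"],
        dst=m["dst"],
        sig_level=known[1] if known else None,
        sig_class=known[2] if known else None,
    )


def parse_ids_log(lines):
    """Parse a sequence of console or syslog lines, keeping only the IDS alarms."""
    alarms = []
    for line in lines:
        alarm = parse_ids_line(line)
        if alarm is not None:
            alarms.append(alarm)
    return alarms


def count_by_source(alarms):
    """Alarm count per source address, a quick way to see which host generates the most events."""
    counts = {}
    for alarm in alarms:
        counts[alarm.src] = counts.get(alarm.src, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_ids_log(SAMPLE_LINES)
    for alarm in parsed:
        print(f"{alarm.timestamp} sig {alarm.sig_id} ({alarm.sig_level}, {alarm.sig_class}) "
              f"{alarm.sig_name}: {alarm.src} -> {alarm.dst}")
    print(count_by_source(parsed))
```

Both signatures on this page are Info level, so the parser records the level rather than deciding what is an attack; that decision belongs to whatever consumes the parsed alarms. Signatures not in the table still parse, with level and class left as None.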

Figure 7-2 shows what the entries might look like in a Syslog server. The sample uses a free Syslog daemon from Kiwi Enterprises.

Figure 7-2: Sample Syslog output showing IDS activity

If messages are sent to the Cisco Secure IDS Director, it’s also necessary to configure the Post Office transport parameters for both the router (using the ip audit po local command) and the Cisco Secure IDS Director (using the ip audit po remote command).

The ip audit po local Command

Use the global configuration mode command ip audit po local to specify the local Post Office parameters used when sending event notifications to the Cisco Secure IDS Director. Use the no form of this command to set the local Post Office parameters to their default settings. The syntax is as follows:

Rtr1(config)#ip audit po local hostid host-id orgid org-id
Rtr1(config)#no ip audit po local [hostid host-id orgid org-id]

host-id    Unique integer (1–65535) that identifies the router
org-id     Unique integer (1–65535) that identifies the organization to which both the router and the Director belong

This command was introduced in IOS 12.0(5)T. The default organization ID is 1. The default host ID is 1.

In the following example, the local host is assigned a host ID of 777 and an organization ID of 25:

Rtr1(config)#ip audit po local hostid 777 orgid 25

The ip audit po remote Command

Use the global configuration mode command ip audit po remote to specify one or more sets of Post Office parameters for Cisco Secure IDS Director(s) receiving event notifications from the router. A router can report to more than one Director by adding an ip audit po remote command for each Director. Use the no form of this command to remove a Director’s Post Office parameters as defined by host ID, organization ID, and IP address. The syntax is

Rtr1(config)# ip audit po remote hostid host-id orgid org-id rmtaddress ip-add localaddress ip-add [port port-num] [preference pref-num] [timeout seconds] [application {director | logger}]

host-id               Unique integer (1–65535) that identifies the router.
org-id                Unique integer (1–65535) that identifies the organization to which both the router and the Director belong.
rmtaddress ip-add     The Director’s IP address.
localaddress ip-add   The router’s interface IP address.
port-num              The UDP port on which the Director listens for alarms (the default is 45000).
pref-num              The relative priority of the route to the Director (1 is the default). If more than one route is used to reach the same Director, one must be the primary route (preference 1) and the other the secondary route (preference 2).
seconds               The heartbeat timeout, in seconds, that the Post Office waits before it determines a connection has timed out (the default is 5).
app-type              Either director (Cisco Secure IDS Director) or logger (the default is director).

This command was introduced in IOS 12.0(5)T. The default organization ID is 1, the default host ID is 1, the default UDP port number is 45000, and the default preference is 1. The default heartbeat timeout is five seconds.

Director vs. Logger Application

Use the logger application instead of the default director when sending Post Office notifications to a sensor. Sending to a logging application means no alarms are sent to a GUI. Instead, the Cisco Secure IDS alarm data is written to a flat file, which can then be processed with scripts or filters, such as perl and awk, or staged to a database. Use logger only in advanced applications where you want the alarms logged but not displayed.

Multiple Routes to the Same Director

More than one route can be established to the same Director by giving each route a preference number that establishes the relative priority of routes. The router always attempts to use the lowest numbered route, switching automatically to the next higher number when a route fails and then switching back when the route begins functioning again.

In this example, two routes for the same dual-homed (residing on two networks) IDS Director are defined.

Rtr1(config)#ip audit po remote hostid 777 orgid 25 rmtaddress 192.168.1.3 localaddress 192.168.1.1 preference 1

Rtr1(config)#ip audit po remote hostid 777 orgid 25 rmtaddress 192.168.6.3 localaddress 192.168.6.1 preference 2

The router will use the first entry to establish communication with the Director, host ID 777, and organization ID 25. The router will switch to the secondary route if the preferred route fails. When the preferred route returns to service, the router switches back and closes the secondary route.

In this example, the Director is assigned a heartbeat timeout longer than the default of five seconds because of predictable network congestion. It is also designated as a logger application.

Rtr1(config)#ip audit po remote hostid 727 orgid 25 rmtaddress 192.168.4.3 localaddress 192.168.4.1 timeout 10 application logger
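Because Post Office changes require a reload, it pays to check the ip audit notify, ip audit po local and ip audit po remote lines of a running-config before committing them. The following Python checker is an added example, not code from the chapter or from Cisco: it parses those three commands out of a configuration fragment, fills in the defaults the chapter states (host ID 1, organization ID 1, UDP port 45000, preference 1, timeout 5, application director), and reports the inconsistencies the chapter describes, namely host or organization IDs outside 1–65535, a Director whose organization ID differs from the router’s local one, nr-director notification with no Director defined, and multiple routes to the same Director whose preferences are not 1, 2, and so on. The two configuration fragments are constructed for the example; the first reuses the chapter’s own commands and the second deliberately contains two mistakes.

```python
from collections import defaultdict

# Defaults as stated in the chapter for ip audit po local / remote.
PO_DEFAULTS = {
    "hostid": 1, "orgid": 1, "port": 45000,
    "preference": 1, "timeout": 5, "application": "director",
}
INT_KEYS = ("hostid", "orgid", "port", "preference", "timeout")

# Constructed running-config fragment built from the chapter's own commands.
SAMPLE_CONFIG = """\
ip audit notify nr-director
ip audit notify log
ip audit po local hostid 777 orgid 25
ip audit po remote hostid 777 orgid 25 rmtaddress 192.168.1.3 localaddress 192.168.1.1 preference 1
ip audit po remote hostid 777 orgid 25 rmtaddress 192.168.6.3 localaddress 192.168.6.1 preference 2
ip audit po remote hostid 727 orgid 25 rmtaddress 192.168.4.3 localaddress 192.168.4.1 timeout 10 application logger
"""

# Constructed fragment with two mistakes: the Director lines carry a different orgid
# than the router's local orgid, and both routes to the same Director default to preference 1.
BAD_CONFIG = """\
ip audit notify nr-director
ip audit po local hostid 777 orgid 25
ip audit po remote hostid 777 orgid 26 rmtaddress 192.168.1.3 localaddress 192.168.1.1
ip audit po remote hostid 777 orgid 26 rmtaddress 192.168.6.3 localaddress 192.168.6.1
"""


def parse_po_remote(line):
    """Turn one 'ip audit po remote ...' line into a dict with the defaults filled in."""
    tokens = line.split()[4:]  # drop the 'ip audit po remote' prefix
    if len(tokens) % 2:
        raise ValueError(f"keyword without a value: {line}")
    entry = {"rmtaddress": None, "localaddress": None, **PO_DEFAULTS}
    for key, value in zip(tokens[0::2], tokens[1::2]):
        entry[key] = int(value) if key in INT_KEYS else value
    return entry


def parse_ids_po_config(config_text):
    """Collect the Post Office related lines from a running-config fragment."""
    cfg = {"notify": set(), "local": None, "remote": []}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("ip audit notify "):
            cfg["notify"].add(line.split()[3])
        elif line.startswith("ip audit po local "):
            t = line.split()  # ip audit po local hostid <id> orgid <id>
            cfg["local"] = {"hostid": int(t[5]), "orgid": int(t[7])}
        elif line.startswith("ip audit po remote "):
            cfg["remote"].append(parse_po_remote(line))
    if not cfg["notify"]:
        cfg["notify"].add("log")  # chapter: syslog format is the default
    if cfg["local"] is None:
        cfg["local"] = {"hostid": PO_DEFAULTS["hostid"], "orgid": PO_DEFAULTS["orgid"]}
    return cfg


def audit_po_config(cfg):
    """Return a list of findings; an empty list means the fragment is consistent."""
    findings = []
    local = cfg["local"]
    for name in ("hostid", "orgid"):
        if not 1 <= local[name] <= 65535:
            findings.append(f"local {name} {local[name]} outside 1-65535")
    if "nr-director" in cfg["notify"] and not cfg["remote"]:
        findings.append("nr-director notification enabled but no ip audit po remote Director defined")
    routes = defaultdict(list)  # (hostid, orgid) -> preferences of each route to that Director
    for r in cfg["remote"]:
        for name in ("hostid", "orgid"):
            if not 1 <= r[name] <= 65535:
                findings.append(f"Director {r['rmtaddress']}: {name} {r[name]} outside 1-65535")
        if r["orgid"] != local["orgid"]:
            findings.append(f"Director {r['rmtaddress']}: orgid {r['orgid']} differs from local orgid {local['orgid']}")
        routes[(r["hostid"], r["orgid"])].append(r["preference"])
    for (hid, oid), prefs in routes.items():
        if sorted(prefs) != list(range(1, len(prefs) + 1)):
            findings.append(f"Director hostid {hid} orgid {oid}: route preferences {sorted(prefs)} "
                            f"should be 1..{len(prefs)} with no duplicates")
    return findings


if __name__ == "__main__":
    for text in (SAMPLE_CONFIG, BAD_CONFIG):
        for finding in audit_po_config(parse_ids_po_config(text)) or ["no findings"]:
            print(finding)
        print("---")
```

Run against the chapter’s commands the checker returns no findings; the second fragment produces one organization ID mismatch per Director line and one finding for the duplicate preference 1 on the two routes to host ID 777.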

After you configure the router, it’s necessary to add the Cisco IOS Firewall IDS router’s Post Office information to Cisco Secure IDS Sensors and Directors communicating with the router. This process is covered in the last four chapters of the book.

Note

Remember, if the Post Office features are added or changed, then it’s necessary to save the configuration and reload the router.
