Verifying the IDS Configuration

Four show commands are used to verify and monitor the IDS configuration and its performance. These commands are:

  • show ip audit statistics

  • show ip audit configuration

  • show ip audit interface

  • show ip audit all

The show ip audit statistics Command

Use the show ip audit statistics EXEC command to display the number of packets audited and the number of alarms sent, among other information. This command shows any signatures used, how many interfaces are configured for audit, and a summary of session information.

Rtr1#show ip audit statistics
Signature audit statistics [process switch:fast switch]
  signature 2000 packets audited: [1:569]
  signature 2004 packets audited: [2:569]
Interfaces configured for audit 2
Session creations since subsystem startup or last reset 3
Current session counts (estab/half-open/terminating) [1:0:0]
Maxever session counts (estab/half-open/terminating) [1:1:0]
Last session created 00:00:10
Last statistic reset never
Rtr1#

The clear ip audit statistics Command

To reset the audit statistics for packets analyzed and alarms sent, use the clear ip audit statistics EXEC command. This command is handy for discarding historical counts when you want to see only current activity. If the events are being logged, clearing these counters loses nothing: the log retains the history. The syntax is

Rtr1#clear ip audit statistics

The show ip audit configuration Command

Use the show ip audit configuration EXEC command to display additional configuration information, including default values that do not appear in the show run output. From this output you can tell that the router is sending event notifications to a Syslog server only (Net Director notification is disabled) and that the default action for info signatures is alarm only. The audit rule Audit-1 applies all three actions (alarm, drop, and reset) to attack signatures:

Rtr1#show ip audit configuration
Event notification through syslog is enabled
Event notification through Net Director is disabled
Default action(s) for info signatures is alarm
Default action(s) for attack signatures is alarm
Default threshold of recipients for spam signature is 25
PostOffice:HostID:0 OrgID:0 Msg dropped:0
          :Curr Event Buf Size:0  Configured:100
Post Office is not enabled - No connections are active
Audit Rule Configuration
 Audit name Audit-1
    info actions alarm
    attack actions alarm drop reset
Rtr1#

The show ip audit interface Command

Use the show ip audit interface EXEC command to display the interface configuration. This command shows, for each interface, which audit rule is applied inbound and outbound and the actions that rule takes.

Rtr1#show ip audit interface
Interface Configuration
 Interface FastEthernet0
  Inbound IDS audit rule is Audit-1
    info actions alarm
    attack actions alarm drop reset
  Outgoing IDS audit rule is not set
 Interface Serial1
  Inbound IDS audit rule is Audit-1
    info actions alarm
    attack actions alarm drop reset
  Outgoing IDS audit rule is not set
Rtr1#

The show ip audit all Command

Use the catch-all command, show ip audit all, to display the combined output of the show ip audit configuration and show ip audit interface commands:

Rtr1#show ip audit all
Event notification through syslog is enabled
Event notification through Net Director is disabled
Default action(s) for info signatures is alarm
Default action(s) for attack signatures is alarm
Default threshold of recipients for spam signature is 25
PostOffice:HostID:0 OrgID:0 Msg dropped:0
          :Curr Event Buf Size:0  Configured:100
Post Office is not enabled - No connections are active
Audit Rule Configuration
 Audit name Audit-1
    info actions alarm
    attack actions alarm drop reset
Interface Configuration
 Interface FastEthernet0
  Inbound IDS audit rule is Audit-1
    info actions alarm
    attack actions alarm drop reset
  Outgoing IDS audit rule is not set
 Interface Serial1
  Inbound IDS audit rule is Audit-1
    info actions alarm
    attack actions alarm drop reset
  Outgoing IDS audit rule is not set
Rtr1#
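On a router with many interfaces, reading show ip audit all by eye is error-prone, so a verification script that parses the output and flags gaps is a useful companion to these commands. The following Python is an added example, not code from the book or from Cisco; it parses the format shown above from a constructed sample (one interface deliberately left without a rule) and reports interfaces with no audit rule, attack rules that only alarm, and disabled syslog notification.

```python
# Constructed sample, trimmed from the "show ip audit all" output shown above.
SAMPLE = """\
Event notification through syslog is enabled
Audit Rule Configuration
 Audit name Audit-1
    info actions alarm
    attack actions alarm drop reset
Interface Configuration
 Interface FastEthernet0
  Inbound IDS audit rule is Audit-1
    attack actions alarm drop reset
  Outgoing IDS audit rule is not set
 Interface Serial1
  Inbound IDS audit rule is not set
  Outgoing IDS audit rule is not set
"""

def parse_ip_audit_all(text):
    """Return syslog flag, {rule: {info/attack: [actions]}}, {iface: {in/out: rule}}."""
    cfg = {"syslog": False, "rules": {}, "interfaces": {}}
    rule = iface = None
    for line in text.splitlines():
        s = line.strip()
        last = s.split()[-1] if s else ""
        if s.startswith("Event notification through syslog is"):
            cfg["syslog"] = last == "enabled"
        elif s.startswith("Audit name "):             # start of a global audit rule
            rule, iface = last, None
            cfg["rules"][rule] = {}
        elif s.startswith("Interface ") and last != "Configuration":
            iface, rule = last, None                   # per-interface section; the action
            cfg["interfaces"][iface] = {}              # lines here are copies, so skip them
        elif rule and " actions " in s:
            kind, _, acts = s.partition(" actions ")
            cfg["rules"][rule][kind] = acts.split()
        elif iface and "IDS audit rule is" in s:
            direction = "in" if s.startswith("Inbound") else "out"
            cfg["interfaces"][iface][direction] = None if last == "set" else last
    return cfg

def audit_findings(cfg):
    out = []
    if not cfg["syslog"]:
        out.append("syslog notification disabled: alarms are not being logged")
    for name, dirs in cfg["interfaces"].items():
        if dirs.get("in") is None and dirs.get("out") is None:
            out.append(f"{name}: no IDS audit rule applied in either direction")
    for name, acts in cfg["rules"].items():
        if "drop" not in acts.get("attack", []):
            out.append(f"rule {name}: attack signatures only alarm, not dropped")
    return out
```

Paste the real output of show ip audit all in place of SAMPLE; an empty findings list means every interface is audited, attack signatures are dropped, and alarms reach syslog.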
