Four show commands are used to verify and monitor IDS configuration and performance. These commands include
show ip audit statistics
show ip audit configuration
show ip audit interface
show ip audit all
Use the show ip audit statistics EXEC command to display the number of packets audited and the number of alarms sent, among other information. This command shows any signatures used, how many interfaces are configured for audit, and a summary of session information.
Rtr1#show ip audit statistics
Signature audit statistics [process switch:fast switch]
  signature 2000 packets audited: [1:569]
  signature 2004 packets audited: [2:569]
Interfaces configured for audit 2
Session creations since subsystem startup or last reset 3
Current session counts (estab/half-open/terminating) [1:0:0]
Maxever session counts (estab/half-open/terminating) [1:1:0]
Last session created 00:00:10
Last statistic reset never
Rtr1#
To reset the audit statistics for packets analyzed and alarms sent, use the clear ip audit statistics EXEC command. This command could be handy to eliminate historical data when trying to see current activity. If the data is being logged, clearing these counters shouldn’t present any downside. The syntax is
Rtr1#clear ip audit statistics
Use the show ip audit configuration EXEC command to display additional configuration information, including default values that might not be displayed using the show run command. From this output you can tell that the configuration notifies a Syslog server only (Director notification and the Post Office are disabled), that info signatures trigger nothing more than an alarm, and that attack signatures trigger all three actions (alarm, drop, and reset):
Rtr1#show ip audit configuration
Event notification through syslog is enabled
Event notification through Net Director is disabled
Default action(s) for info signatures is alarm
Default action(s) for attack signatures is alarm
Default threshold of recipients for spam signature is 25
PostOffice:HostID:0 OrgID:0 Msg dropped:0
          :Curr Event Buf Size:0  Configured:100
Post Office is not enabled - No connections are active
Audit Rule Configuration
 Audit name Audit-1
    info actions alarm
    attack actions alarm drop reset
Rtr1#
Use the show ip audit interface EXEC command to display the interface configuration. This command shows the auditing being done on each interface.
Rtr1#show ip audit interface
Interface Configuration
 Interface FastEthernet0
  Inbound IDS audit rule is Audit-1
    info actions alarm
    attack actions alarm drop reset
  Outgoing IDS audit rule is not set
 Interface Serial1
  Inbound IDS audit rule is Audit-1
    info actions alarm
    attack actions alarm drop reset
  Outgoing IDS audit rule is not set
Rtr1#
Use the catch-all command, show ip audit all, to display the output of all the previous commands together:
Rtr1#show ip audit all
Event notification through syslog is enabled
Event notification through Net Director is disabled
Default action(s) for info signatures is alarm
Default action(s) for attack signatures is alarm
Default threshold of recipients for spam signature is 25
PostOffice:HostID:0 OrgID:0 Msg dropped:0
          :Curr Event Buf Size:0  Configured:100
Post Office is not enabled - No connections are active
Audit Rule Configuration
 Audit name Audit-1
    info actions alarm
    attack actions alarm drop reset
Interface Configuration
 Interface FastEthernet0
  Inbound IDS audit rule is Audit-1
    info actions alarm
    attack actions alarm drop reset
  Outgoing IDS audit rule is not set
 Interface Serial1
  Inbound IDS audit rule is Audit-1
    info actions alarm
    attack actions alarm drop reset
  Outgoing IDS audit rule is not set
Rtr1#
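As an added example that is not part of the original text, the following Python script parses show ip audit all output in the layout shown above and flags the conditions a reviewer would want to catch: alarms that cannot reach syslog, audit rules whose attack signatures only alarm, and interfaces with no inbound audit rule. The sample output is constructed, with Serial1 deliberately left without an inbound rule so the check has something to report.

```python
# Constructed sample in the layout of "show ip audit all"; Serial1 has no inbound rule on purpose.
SAMPLE = """\
Rtr1#show ip audit all
Event notification through syslog is enabled
Audit Rule Configuration
 Audit name Audit-1
    info actions alarm
    attack actions alarm drop reset
Interface Configuration
 Interface FastEthernet0
  Inbound IDS audit rule is Audit-1
    info actions alarm
    attack actions alarm drop reset
  Outgoing IDS audit rule is not set
 Interface Serial1
  Inbound IDS audit rule is not set
  Outgoing IDS audit rule is not set
"""

def parse_audit(output):
    """Pull syslog state, per-rule actions and per-interface rule bindings out of the text."""
    state, rule, iface = {"syslog": False, "rules": {}, "interfaces": {}}, None, None
    for s in (ln.strip() for ln in output.splitlines()):
        if s.startswith("Event notification through syslog is"):
            state["syslog"] = s.endswith("enabled")
        elif s.startswith("Audit name "):             # start of a rule definition block
            rule, iface = s.split()[-1], None
            state["rules"][rule] = {}
        elif s.startswith("Interface ") and s != "Interface Configuration":
            iface, rule = s.split()[-1], None         # start of a per-interface block
            state["interfaces"][iface] = {}
        elif iface and " IDS audit rule is " in s:   # "Inbound ... is Audit-1" / "... is not set"
            state["interfaces"][iface][s.split()[0]] = None if s.endswith("not set") else s.split()[-1]
        elif rule and s.split()[1:2] == ["actions"]:  # "info actions alarm", "attack actions ..."
            state["rules"][rule][s.split()[0]] = set(s.split()[2:])
    return state

def audit_findings(state):
    """Defender's checks: alarms reach syslog, attack rules do more than alarm, every interface audits inbound."""
    out = []
    if not state["syslog"]:
        out.append("syslog notification disabled: alarms are not delivered")
    for name, acts in state["rules"].items():
        if not {"drop", "reset"} & acts.get("attack", set()):
            out.append(f"rule {name}: attack signatures alarm only")
    for iface, bound in state["interfaces"].items():
        if bound.get("Inbound") is None:
            out.append(f"{iface}: no inbound IDS audit rule")
    return out
```

Feed it the text captured from the router (for example, via a scripted show command) to get a list of findings; an empty list means all three checks passed.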