Verifying the IDS Configuration

Verifying the IDS Configuration

Four show commands are used to verify and monitor IDS configuration and performance. These commands include

  • show ip audit statistics

  • show ip audit configuration

  • show ip audit interface

  • show ip audit all

The show ip audit statistics Command

Use the show ip audit statistics EXEC command to display the number of packets audited and the number of alarms sent, among other information. This command shows any signatures used, how many interfaces are configured for audit, and a summary of session information.

Rtr1#show ip audit statistics
Signature audit statistics [process switch:fast switch]
 ?signature 2000 packets audited: [1:569]
 ?signature 2004 packets audited: [2:569]
Interfaces configured for audit 2
Session creations since subsystem startup or last reset 3
Current session counts (estab/half-open/terminating) [1:0:0]
Maxever session counts (estab/half-open/terminating) [1:1:0]
Last session created 00:00:10
Last statistic reset never
Rtr1#

The clear ip audit statistics Command.

To reset the audit statistics for packets analyzed and alarms sent, use the clear ip audit statistics EXEC command. This command could be handy to eliminate historical data when trying to see current activity. If the data is being logged, clearing these counters shouldn’t present any downside. The syntax is

Rtr1#clear ip audit statistics

The show ip audit configuration Command

Use the show ip audit configuration EXEC command to display additional configuration information, including default values that might not be displayed using the show run command. You can tell this configuration is logging to a Syslog server only and not doing anything more than logging events for info signatures (alarm only). It’s performing all three actions on attack signatures:

Rtr1#show ip audit configuration
Event notification through syslog is enabled
Event notification through Net Director is disabled
Default action(s) for info signatures is alarm
Default action(s) for attack signatures is alarm
Default threshold of recipients for spam signature is 25
PostOffice:HostID:0 OrgID:0 Msg dropped:0
 ?????????:Curr Event Buf Size:0 ?Configured:100
Post Office is not enabled - No connections are active
Audit Rule Configuration
 Audit name Audit-1
 ???info actions alarm
 ???attack actions alarm drop reset
Rtr1#

The show ip audit interface Command

Use the show ip audit interface EXEC command to display the interface configuration. This command shows the auditing being done on each interface.

Rtr1#show ip audit interface
Interface Configuration
 Interface FastEthernet0
 ?Inbound IDS audit rule is Audit-1
 ???info actions alarm
 ???attack actions alarm drop reset
 ?Outgoing IDS audit rule is not set
 Interface Serial1
 ?Inbound IDS audit rule is Audit-1
 ???info actions alarm
 ???attack actions alarm drop reset
 ?Outgoing IDS audit rule is not set
Rtr1#

The show ip audit all Command

Use the catch-all command—show ip audit all—to include the output from the previous commands:

Rtr1#show ip audit all
Event notification through syslog is enabled
Event notification through Net Director is disabled
Default action(s) for info signatures is alarm
Default action(s) for attack signatures is alarm
Default threshold of recipients for spam signature is 25
PostOffice:HostID:0 OrgID:0 Msg dropped:0
 ?????????:Curr Event Buf Size:0 ?Configured:100
Post Office is not enabled - No connections are active
Audit Rule Configuration
 Audit name Audit-1
 ???info actions alarm
 ???attack actions alarm drop reset
Interface Configuration
 Interface FastEthernet0
 ?Inbound IDS audit rule is Audit-1
 ???info actions alarm
 ???attack actions alarm drop reset
 ?Outgoing IDS audit rule is not set
 Interface Serial1
 ?Inbound IDS audit rule is Audit-1
 ???info actions alarm
 ???attack actions alarm drop reset
 ?Outgoing IDS audit rule is not set
Rtr1#



Part III: Virtual Private Networks (VPNs)
 
ASPTreeView.com
 
Evaluation has ј»Т№ЛОИЙРКexpired.
Info...