User's Manual 184 Document #: LTRT-27055
Mediant 1000B Gateway & E-SBC
The figure below displays an example of IDS alarms in the Active Alarms table
(''Viewing Active Alarms'' on page 877). In this example, a Minor threshold alarm
is cleared and replaced by a Major threshold alarm:
Figure 13-8: IDS Alarms in Active Alarms Table
acIDSBlacklistNotification event: The device sends this event whenever an attacker
(remote host at IP address and/or port) is added to or removed from the blacklist.
You can also view IDS alarms through CLI:
To view all active IDS alarms:
# show voip ids active-alarm all
To view all IP addresses that have crossed the threshold for an active IDS alarm:
# show voip ids active-alarm match <IDS Match Policy ID> rule <IDS Rule ID>
The IP address is displayed only if the 'Threshold Scope' parameter is set to IP or
IP+Port; otherwise, only the alarm is displayed.
To view the blacklist:
# show voip ids blacklist active
For example:
Active blacklist entries:
10.33.5.110(NI:0) remaining 00h:00m:10s in blacklist
Where SI is the SIP Interface and NI is the network interface.
The device also sends IDS notifications and alarms in Syslog messages to a Syslog
server. This occurs only if you have configured Syslog (see ''Enabling Syslog'' on page
966). An example of a Syslog message with IDS alarms and notifications is shown below:
Figure 13-9: Syslog Message Example with IDS Alarms and Notifications
The table below lists the Syslog text messages per malicious event:
Table 13-6: Types of Malicious Events and Syslog Text String
Reason              Description                                                  Syslog String
------------------  -----------------------------------------------------------  --------------------------
Connection Abuse    TLS authentication failure                                   abuse-tls-auth-fail
Malformed Messages  Message exceeds a user-defined maximum message length (50K)  malformed-invalid-msg-len
                    Any SIP parser error                                         malformed-parse-error
                    Message policy match                                         malformed-message-policy
                    Basic headers not present                                    malformed-miss-header
                    Content length header not present (for TCP)                  malformed-miss-content-len
                    Header overflow
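The following is an added example, not taken from the manual: it tallies the Syslog strings listed in Table 13-6 by reason and parses the blacklist entry format shown in the CLI example above. The function names and the layout of the sample Syslog lines are assumptions (the manual's Syslog figure is not reproduced here); "Header overflow" is left out because its string does not appear on this page.

```python
import re
from collections import Counter

# Syslog strings visible in Table 13-6 on this page, mapped to their Reason.
IDS_STRINGS = {
    "abuse-tls-auth-fail": "Connection Abuse",
    "malformed-invalid-msg-len": "Malformed Messages",
    "malformed-parse-error": "Malformed Messages",
    "malformed-message-policy": "Malformed Messages",
    "malformed-miss-header": "Malformed Messages",
    "malformed-miss-content-len": "Malformed Messages",
}
# Match a string only as a whole token, so a longer token that merely
# starts with a known string is not counted.
EVENT_RE = re.compile(
    r"(?<![\w-])(" + "|".join(map(re.escape, IDS_STRINGS)) + r")(?![\w-])")
# Entry format from the 'show voip ids blacklist active' example.
BLACKLIST_RE = re.compile(
    r"^\s*(\S+?)\((SI|NI):(\d+)\)\s+remaining\s+"
    r"(\d+)h:(\d+)m:(\d+)s\s+in blacklist")

def count_events(lines):
    """Tally (reason, syslog string) pairs seen in Syslog lines."""
    hits = Counter()
    for line in lines:
        for m in EVENT_RE.finditer(line):
            hits[(IDS_STRINGS[m.group(1)], m.group(1))] += 1
    return hits

def parse_blacklist(output):
    """Return (host, scope, index, seconds remaining) per entry."""
    entries = []
    for line in output.splitlines():
        m = BLACKLIST_RE.match(line)
        if m:
            host, scope, idx = m.group(1), m.group(2), int(m.group(3))
            h, mi, s = (int(x) for x in m.group(4, 5, 6))
            entries.append((host, scope, idx, h * 3600 + mi * 60 + s))
    return entries

# Constructed Syslog lines: the layout is an assumption, only the IDS
# strings come from the table. The last line must not be counted.
SAMPLE_SYSLOG = [
    "constructed: IDS event abuse-tls-auth-fail src 192.0.2.10",
    "constructed: IDS event malformed-parse-error src 192.0.2.11",
    "constructed: IDS event malformed-parse-error src 192.0.2.11",
    "constructed: counter malformed-parse-errors-total=3",
]
SAMPLE_BLACKLIST = ("Active blacklist entries:\n"
                    "10.33.5.110(NI:0) remaining 00h:00m:10s in blacklist\n")
```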