Version 6.8 151 Mediant 2600 E-SBC
User's Manual 13. Security
and 'Threshold Window' to 15 sec, the IDSAlarmClearPeriod parameter is
ignored and the alarm is cleared only after 30 seconds (2 x 15 sec).
The figure below displays an example of IDS alarms in the Active Alarms table
("Viewing Active Alarms" on page 479). In this example, a Minor threshold alarm
is cleared and replaced by a Major threshold alarm:
Figure 13-8: IDS Alarms in Active Alarms Table
acIDSBlacklistNotification event: The device sends this event whenever an attacker
(remote host at IP address and/or port) is added to or removed from the blacklist.
You can also view IDS alarms in the CLI, using the following commands:
To view all active IDS alarms:
# show voip security ids active-alarm all
To view all IP addresses that crossed the threshold for an active IDS alarm:
# show voip security ids active-alarm match <IDS Match Policy ID> rule <IDS Rule ID>
The IP address is displayed only if the 'Threshold Scope' parameter is set to IP or
IP+Port; otherwise, only the alarm is displayed.
To view the blacklist:
# show voip security ids blacklist active
For example:
Active blacklist entries:
10.33.5.110(NI:0) remaining 00h:00m:10s in blacklist
Where SI is the SIP Interface and NI is the network interface.
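Parsing this blacklist output for monitoring, as an added example that is not part of the manual or of AudioCodes' own tooling. It assumes every entry follows the single sample line shown above and that SI entries have the same shape as NI entries; `parse_blacklist`, `BlacklistEntry` and the sample text are illustrative names and constructed data.

```python
import ipaddress
import re
from typing import NamedTuple

# Shape taken from the manual's sample line:
#   10.33.5.110(NI:0) remaining 00h:00m:10s in blacklist
# Assumption: SI (SIP Interface) entries look the same as NI entries.
ENTRY_RE = re.compile(
    r"^\s*(?P<ip>[0-9A-Fa-f:.]+)\((?P<kind>SI|NI):(?P<index>\d+)\)\s+"
    r"remaining\s+(?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s\s+in\s+blacklist\s*$"
)

class BlacklistEntry(NamedTuple):
    ip: str
    interface_kind: str    # "SI" = SIP Interface, "NI" = network interface
    interface_index: int
    remaining_seconds: int

def parse_blacklist(output):
    """Return (entries, rejected_lines) for captured CLI blacklist output."""
    entries, rejected = [], []
    for line in output.splitlines():
        stripped = line.strip()
        if not stripped or stripped.lower().startswith("active blacklist"):
            continue  # skip blank lines and the header line
        m = ENTRY_RE.match(line)
        if not m:
            rejected.append(stripped)
            continue
        try:
            ip = str(ipaddress.ip_address(m["ip"]))  # reject impossible addresses
        except ValueError:
            rejected.append(stripped)
            continue
        secs = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        entries.append(BlacklistEntry(ip, m["kind"], int(m["index"]), secs))
    return entries, rejected

# Constructed sample: the first entry is the manual's example, the rest are made up.
SAMPLE = """Active blacklist entries:
10.33.5.110(NI:0) remaining 00h:00m:10s in blacklist
192.0.2.44(SI:1) remaining 01h:02m:03s in blacklist
999.1.1.1(NI:0) remaining 00h:00m:05s in blacklist
"""

if __name__ == "__main__":
    parsed, bad = parse_blacklist(SAMPLE)
    for entry in parsed:
        print(entry)
    print("rejected:", bad)
```

Lines that do not match are returned separately rather than dropped, so a change in the CLI output format shows up as rejected lines instead of as an apparently empty blacklist.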
The device also sends IDS notifications and alarms in Syslog messages to a Syslog
server. This only occurs if you have configured Syslog (see "Enabling Syslog" on page
505). An example of a Syslog message with IDS alarms and notifications is shown below:
Figure 13-9: Syslog Message Example with IDS Alarms and Notifications
The table below lists the Syslog text messages per malicious event:
Table 13-6: Types of Malicious Events and Syslog Text String
| Type | Description | Syslog String |
|---|---|---|
| Connection Abuse | TLS authentication failure | abuse-tls-auth-fail |
| Malformed Messages | Message exceeds a user-defined maximum message length (50K) | malformed-invalid-msg-len |
| | Any SIP parser error | malformed-parse-error |
| | Message policy match | malformed-message-policy |
| | Basic headers not present | |