AudioCodes Mediant 8000 - Intrusion Detection Events

Installation & Operation Manual 398 Document # LTRT-92224
Mediant 8000
33.19 Intrusion Detection Events
When a malicious user tries to gain access to the CLI Interface on SC boards, several
security-related events occur (e.g. the user may attempt to enter an incorrect
username and/or password). These events are recorded by the operating system in
the /var/adm/messages log file and are reported by the Mediant 8000 software to the
EMS and additional SNMP managers as Intrusion Detection Events. Each Intrusion
Detection Event contains the following data:
• detailed event description (e.g. “REPEATED LOGIN FAILURES ON /dev/pts/2 FROM 10.7.13.104”)
• event severity
• intrusion time
• description of the SC board where intrusion was detected
In certain environments, an Intrusion Detection Event may be issued for normal
activity; for example, an automated network scanner may periodically try to
access the Media Gateway with incorrect credentials and thus trigger an Intrusion
Detection Event. In such environments, reporting of specific events can be
prevented by modifying the Intrusion Detection Filter parameter. This parameter is a
plain text filter applied to every line entry in the /var/adm/messages log file to
determine whether the entry must be reported as an Intrusion Detection Event.
The Intrusion Detection Filter has the following format:
keywordA;keywordB1&&keywordB2;keywordC
The following rules apply:
• A keyword starting with ! implies that the string must not contain this keyword.
• && implies logical AND; for example, apple&&!green matches strings that contain the word apple and not the word green.
• Spaces are supported.
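
The filter rules above, evaluated against sample log lines in an added Python example that is not taken from the AudioCodes manual or software. It assumes that ';' separates alternative clauses (any one may match), that keywords are case-sensitive substrings, and that a matching line is the one reported; the function names are hypothetical and all log lines except the event text quoted from the manual are constructed.

```python
# Added example: evaluate an Intrusion Detection Filter string against log lines.
# Assumptions (not stated in the manual): ';' separates alternative clauses,
# keywords are case-sensitive substrings, spaces inside a keyword are literal.

def parse_filter(filter_text):
    """Split a filter into clauses; each clause is a list of (negated, keyword)."""
    clauses = []
    for raw_clause in filter_text.split(";"):
        if not raw_clause.strip():
            continue  # ignore empty clauses such as a trailing ';'
        terms = []
        for raw_term in raw_clause.split("&&"):
            negated = raw_term.startswith("!")
            keyword = raw_term[1:] if negated else raw_term
            if not keyword:
                raise ValueError(f"empty keyword in clause {raw_clause!r}")
            terms.append((negated, keyword))
        clauses.append(terms)
    return clauses

def line_matches(clauses, line):
    """True if at least one clause has all of its terms satisfied by the line."""
    return any(
        all((keyword in line) != negated for negated, keyword in terms)
        for terms in clauses
    )

def reported_lines(filter_text, lines):
    """Return the lines the filter selects (assumed: a match means 'report')."""
    clauses = parse_filter(filter_text)
    return [line for line in lines if line_matches(clauses, line)]

# Constructed sample entries; only the first event text comes from the manual.
SAMPLE_LOG = [
    "REPEATED LOGIN FAILURES ON /dev/pts/2 FROM 10.7.13.104",
    "REPEATED LOGIN FAILURES ON /dev/pts/3 FROM 192.0.2.50",
    "su: 'su root' failed for operator on /dev/pts/1",
    "sshd: session opened for user operator",
]

# Keep login failures except those from a known scanner at 192.0.2.50
# (constructed address), plus any failed 'su root' attempt.
EXAMPLE_FILTER = "LOGIN FAILURES&&!FROM 192.0.2.50;su root&&failed"

if __name__ == "__main__":
    for line in reported_lines(EXAMPLE_FILTER, SAMPLE_LOG):
        print(line)
```

Because a negated keyword is matched as plain text, a narrow string such as the full "FROM <address>" fragment excludes only the scanner, whereas a broad one would also hide genuine login failures from other sources.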