Configuring Auditing

Auditing is configured using the ip audit command. Auditing can be turned on or off, different auditing policies can be created, a policy can be applied to specific interfaces, and specific signatures can be turned on or off. The simplest configuration requires you to assign a name to the auditing policy, specify the actions to be taken (one for informational signatures and one for attack signatures), and apply the policy to an interface. The actions that can be taken are:

- Alarm: When PIX detects a signature in the packet, it reports it with the message described earlier to all configured syslog servers.
- Drop: When this action is configured, PIX drops the offending packet.
- Reset: This action means that PIX should drop the packet and close the connection if this packet was part of an open connection.

The default action is alarm. Policy configuration usually takes no more than two commands:

ip audit name audit_name info action [drop | alarm | reset]
ip audit name audit_name attack action [drop | alarm | reset]

For example, the following commands create a policy with the name myaudit and specify that when an informational signature is matched, the PIX should send an alarm to syslog, and when an attack signature is matched, the PIX should drop the packet:

PIX1(config)# ip audit name myaudit info action alarm
PIX1(config)# ip audit name myaudit attack action drop

It is possible to omit the action in the configuration. In this case, the default action is applied. Default actions are configured via these commands:

ip audit info action [drop | alarm | reset]
ip audit attack action [drop | alarm | reset]

www.syngress.com

180 Chapter 4 • Advanced PIX Configurations

If not changed, the default action is alarm. Note that if you issue only the following command but not the corresponding attack command, no attack signatures will be matched:

PIX1(config)# ip audit name myaudit info action alarm

On the other hand, if you configure the policy in the following manner, omitting the action for informational signatures, both informational and attack signatures will be matched, and the default action (alarm) will be applied when a packet is matched with an informational signature:

PIX1(config)# ip audit name myaudit info
PIX1(config)# ip audit name myaudit attack action drop

After creating a policy, you need to apply it to an interface in order to activate IDS on that interface. For example:

PIX1(config)# ip audit interface outside myaudit

This means that all signatures and actions configured in the policy are matched on the outside interface. The general form of this command is:

ip audit interface if_name audit_name

- if_name is the name of the interface where the IDS has to check packets.
- audit_name is the name of the policy that describes which actions to take.

As an example, let's configure a simple IDS on the outside interface, which will send an alarm when an informational signature is matched and drop the connection when an attack is noticed:

PIX1(config)# ip audit name myaudit info action alarm
PIX1(config)# ip audit name myaudit attack action drop
PIX1(config)# ip audit interface outside myaudit
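As an added example (not from the book), here is a small Python checker that reads ip audit lines such as those above and reports the two pitfalls this section describes: a policy that lacks an info or attack clause, so that class of signature is never matched, and a policy that is defined but never applied to an interface. The sample configuration is constructed for the example, and the regular expressions assume the command syntax shown in this section.

```python
import re
from collections import defaultdict

# Constructed sample PIX configuration (not from the book): myaudit has only an
# info clause with no action, so attack signatures are never matched on "outside";
# the "unused" policy is defined but never applied to an interface.
SAMPLE_CONFIG = """\
ip audit info action alarm
ip audit attack action drop
ip audit name myaudit info
ip audit name unused attack action reset
ip audit interface outside myaudit
"""

NAME_RE = re.compile(r"^ip audit name (\S+) (info|attack)(?: action (alarm|drop|reset))?$")
DEFAULT_RE = re.compile(r"^ip audit (info|attack) action (alarm|drop|reset)$")
IFACE_RE = re.compile(r"^ip audit interface (\S+) (\S+)$")

def audit_policies(config):
    """Return (effective, warnings). effective maps interface -> {class: action}
    for the signature classes its policy actually enables; warnings lists the
    misconfigurations this section describes."""
    defaults = {"info": "alarm", "attack": "alarm"}  # PIX default action is alarm
    policies = defaultdict(dict)  # policy name -> {class: action or None}
    applied = {}  # interface -> policy name
    for line in config.splitlines():
        line = line.strip()
        if m := NAME_RE.match(line):
            policies[m[1]][m[2]] = m[3]  # None: fall back to the default action
        elif m := DEFAULT_RE.match(line):
            defaults[m[1]] = m[2]
        elif m := IFACE_RE.match(line):
            applied[m[1]] = m[2]
    warnings = []
    for name, classes in policies.items():
        for cls in ("info", "attack"):
            if cls not in classes:
                warnings.append(f"policy {name}: no '{cls}' clause, so {cls} signatures are not matched")
        if name not in applied.values():
            warnings.append(f"policy {name}: never applied with 'ip audit interface'")
    effective = {}
    for iface, name in applied.items():
        if name not in policies:
            warnings.append(f"interface {iface}: references undefined policy {name}")
            continue
        effective[iface] = {cls: act or defaults[cls] for cls, act in policies[name].items()}
    return effective, warnings
```

Running audit_policies(SAMPLE_CONFIG) reports that myaudit matches only informational signatures (with the default alarm action) on outside and that unused is never applied.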

Each command has its no equivalent, which removes the command from the configuration. For example:

PIX1(config)# no ip audit interface outside myaudit
PIX1(config)# no ip audit name myaudit info

Another command allows easy clearing of all IDS configuration related to an interface, policy, or default action:

clear ip audit [name | signature | interface | audit | info | attack]


The following set of commands displays the corresponding IDS configuration related to the interface, audit policy, or default action. The output simply shows the commands you entered when configuring these parameters:

show ip audit interface
show ip audit info
show ip audit attack
show ip audit name