Configuring Ip Logging - Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual

Configuring Signatures

Configuring IP Logging

You can configure a sensor to generate an IP session log when the sensor detects an attack. When IP
logging is configured as a response action for a signature and the signature is triggered, all packets to
and from the source address of the alert are logged for a specified period of time.
Use the ip-log command in the signature definition submode to configure IP logging.

The following options apply:

ip-log-bytes—Identifies the maximum number of bytes you want logged.
The valid value is 0 to 2147483647. The default is 0.
ip-log-packets—Identifies the number of packets you want logged.
The valid value is 0 to 65535. The default is 0.
ip-log-time—Identifies the duration you want the sensor to log.
The valid value is 30 to 300 seconds. The default is 30 seconds.

Note
When the sensor meets any one of the IP logging conditions, it stops IP logging.

To configure the IP logging parameters, follow these steps:

Step 1
Log in to the CLI using an account with administrator or operator privileges.

Step 2
Enter IP log submode:
sensor# configure terminal
sensor(config)# service signature-definition sig0
sensor(config-sig)# ip-log

Step 3
Specify the IP logging parameters:
a. Specify the maximum number of bytes you want logged:
sensor(config-sig-ip)# ip-log-bytes 200000
b. Specify the number of packets you want logged:
sensor(config-sig-ip)# ip-log-packets 150
c. Specify the length of time you want the sensor to log:
sensor(config-sig-ip)# ip-log-time 60

Step 4
Verify the settings:
sensor(config-sig-ip)# show settings
   ip-log
   -----------------------------------------------
      ip-log-packets: 150 default: 0
      ip-log-time: 60 default: 30
      ip-log-bytes: 200000 default: 0
   -----------------------------------------------
sensor(config-sig-ip)#

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0
Chapter 7: Defining Signatures (78-16527-01)
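
The verification in Step 4 can be scripted when many sensors have to be checked. The following Python sketch is an added example, not part of the Cisco guide: it parses the ip-log lines of captured show settings output, checks each value against the valid ranges and defaults listed for the three options, and reports drift from a site baseline. The function names and the BASELINE values are assumptions made for illustration.

```python
import re

# Valid range and default per option, as stated in the guide: (min, max, default).
IP_LOG_LIMITS = {
    "ip-log-bytes": (0, 2147483647, 0),
    "ip-log-packets": (0, 65535, 0),
    "ip-log-time": (30, 300, 30),
}
SETTING_RE = re.compile(r"^\s*(ip-log-[a-z]+):\s*(\d+)\s+default:\s*(\d+)\s*$")


def parse_ip_log_settings(show_output):
    """Parse lines like 'ip-log-time: 60 default: 30' into {option: (value, default)}."""
    settings = {}
    for line in show_output.splitlines():
        match = SETTING_RE.match(line)
        if match:
            settings[match.group(1)] = (int(match.group(2)), int(match.group(3)))
    return settings


def audit_ip_log(show_output, baseline):
    """List findings: missing options, out-of-range values, baseline drift."""
    findings = []
    parsed = parse_ip_log_settings(show_output)
    for name, (low, high, default) in IP_LOG_LIMITS.items():
        if name not in parsed:
            findings.append(f"{name}: missing from output")
            continue
        value, shown_default = parsed[name]
        if not low <= value <= high:
            findings.append(f"{name}: {value} outside {low}-{high}")
        if shown_default != default:
            findings.append(f"{name}: shown default {shown_default}, guide says {default}")
        if name in baseline and value != baseline[name]:
            findings.append(f"{name}: {value} differs from baseline {baseline[name]}")
    return findings


# Constructed sample: the Step 4 output from the procedure above.
SAMPLE = """sensor(config-sig-ip)# show settings
   ip-log
   -----------------------------------------------
      ip-log-packets: 150 default: 0
      ip-log-time: 60 default: 30
      ip-log-bytes: 200000 default: 0
   -----------------------------------------------"""
# Hypothetical site baseline (assumed values, not from the guide).
BASELINE = {"ip-log-bytes": 200000, "ip-log-packets": 150, "ip-log-time": 120}
```

Calling audit_ip_log(SAMPLE, BASELINE) returns one finding, because the sample sets ip-log-time to 60 while the assumed baseline expects 120.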
