Hi,
ASA1/2 (7.7.3.10) ------IPS----------- SYSLOG SERVER (150.1.7.20)

I configured a custom signature for syslog messaging between host A and B. ASA1/ASA2 are in active/standby mode producing syslogs, and the IPS is supposed to pick this up. I can see the IPS sig trigger when it sees traffic from IP A to IP B on port 514 with "alert high 85":

evIdsAlert: eventId=1376465320547002492 vendor=Cisco severity=high alarmTraits=32768 originator: hostId: IPS appName: sensorApp appInstanceId: 1203 time: Nov 11, 2013 22:12:19 UTC offset=0 timeZone=UTC signature: description=syslog id=61000 version=custom type=other created=20000101 subsigId: 0 sigDetails: My Sig Info interfaceGroup: vs0 vlan: 3 participants: attacker: addr: 7.7.3.10 locality=OUT port: 514 target: addr: 150.1.7.20 locality=OUT port: 514 os: idSource=unknown type=unknown relevance=relevant riskRatingValue: 85 targetValueRating=medium attackRelevanceRating=relevant threatRatingValue: 85 interface: ge0_0 protocol: udp

-------------------------------------------------------------------------------------------------------------------------
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
-------------------------------------------------------------------------------------------------------------------------

*PROBLEM:* I can see the same sig triggered with the following (alert 75 and destination 0.0.0.0). *What is 0.0.0.0 doing here? I never configured it on my custom sig. And why is the alert level 75, when on the one above it is 85? My original config is 75.*

evIdsAlert: eventId=1376465320547002493 vendor=Cisco severity=high alarmTraits=32768 originator: hostId: IPS appName: sensorApp appInstanceId: 1203 time: Nov 11, 2013 22:12:34 UTC offset=0 timeZone=UTC signature: description=syslog id=61000 version=custom type=other created=20000101 subsigId: 0 sigDetails: My Sig Info interfaceGroup: vs0 vlan: 3 participants: attacker: addr: 7.7.3.10 locality=OUT port: 0 target: addr: 0.0.0.0 locality=OUT port: 0 os: idSource=unknown type=unknown relevance=unknown summary: 8 final=true initialAlert=1376465320547002492 summaryType=Regular alertDetails: Regular Summary: 8 events this interval ; riskRatingValue: 75 targetValueRating=medium threatRatingValue: 75 interface: ge0_0 protocol: udp
_______________________________________________ Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos :: iPexpert on YouTube: www.youtube.com/ipexpertinc
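The two records in the post differ in a way that is easy to miss when the output is flattened: the second one carries `summary: 8 final=true initialAlert=1376465320547002492 summaryType=Regular`, i.e. it is a summary alert rolled up from the first one, with zeroed participants (0.0.0.0, port 0) and no `attackRelevanceRating` field, which is the only scoring field present in the 85 record and absent from the 75 record. The following is an added example, not code from the post or from Cisco: a small Python parser for the flattened evIdsAlert text that separates initial alerts from summary alerts and ties each summary back to its initial eventId. The two sample records are copied from the post; the field names used in the regexes are the ones visible in those records, and the dataclass and function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample input: the two evIdsAlert records quoted in the post, one per string.
ALERT_INITIAL = (
    "evIdsAlert: eventId=1376465320547002492 vendor=Cisco severity=high alarmTraits=32768 "
    "originator: hostId: IPS appName: sensorApp appInstanceId: 1203 time: Nov 11, 2013 22:12:19 UTC "
    "offset=0 timeZone=UTC signature: description=syslog id=61000 version=custom type=other "
    "created=20000101 subsigId: 0 sigDetails: My Sig Info interfaceGroup: vs0 vlan: 3 participants: "
    "attacker: addr: 7.7.3.10 locality=OUT port: 514 target: addr: 150.1.7.20 locality=OUT port: 514 "
    "os: idSource=unknown type=unknown relevance=relevant riskRatingValue: 85 targetValueRating=medium "
    "attackRelevanceRating=relevant threatRatingValue: 85 interface: ge0_0 protocol: udp"
)
ALERT_SUMMARY = (
    "evIdsAlert: eventId=1376465320547002493 vendor=Cisco severity=high alarmTraits=32768 "
    "originator: hostId: IPS appName: sensorApp appInstanceId: 1203 time: Nov 11, 2013 22:12:34 UTC "
    "offset=0 timeZone=UTC signature: description=syslog id=61000 version=custom type=other "
    "created=20000101 subsigId: 0 sigDetails: My Sig Info interfaceGroup: vs0 vlan: 3 participants: "
    "attacker: addr: 7.7.3.10 locality=OUT port: 0 target: addr: 0.0.0.0 locality=OUT port: 0 "
    "os: idSource=unknown type=unknown relevance=unknown summary: 8 final=true "
    "initialAlert=1376465320547002492 summaryType=Regular alertDetails: Regular Summary: 8 events "
    "this interval ; riskRatingValue: 75 targetValueRating=medium threatRatingValue: 75 "
    "interface: ge0_0 protocol: udp"
)


def _grab(pattern, text, cast=str):
    """Return the first capture group of `pattern` in `text`, or None when the field is absent."""
    m = re.search(pattern, text)
    return cast(m.group(1)) if m else None


@dataclass
class IdsAlert:
    event_id: str
    sig_id: int
    severity: str
    attacker: str
    attacker_port: int
    target: str
    target_port: int
    risk_rating: int
    attack_relevance: Optional[str]   # only present on the non-summary record in the post
    summary_type: Optional[str]       # "Regular" on the summary record, None otherwise
    summary_count: Optional[int]      # number of events rolled up into the summary
    initial_alert: Optional[str]      # eventId of the alert this summary refers back to

    @property
    def is_summary(self) -> bool:
        return self.summary_type is not None


def parse_alert(text: str) -> IdsAlert:
    """Pull the fields of interest out of a flattened evIdsAlert record."""
    t = " ".join(text.split())  # collapse line breaks and repeated spaces
    return IdsAlert(
        event_id=_grab(r"eventId=(\d+)", t),
        sig_id=_grab(r"\bid=(\d+)", t, int),          # signature id, not eventId (case-sensitive)
        severity=_grab(r"severity=(\w+)", t),
        attacker=_grab(r"attacker: addr: (\S+)", t),
        attacker_port=_grab(r"attacker: addr: \S+ locality=\w+ port: (\d+)", t, int),
        target=_grab(r"target: addr: (\S+)", t),
        target_port=_grab(r"target: addr: \S+ locality=\w+ port: (\d+)", t, int),
        risk_rating=_grab(r"riskRatingValue: (\d+)", t, int),
        attack_relevance=_grab(r"attackRelevanceRating=(\w+)", t),
        summary_type=_grab(r"summaryType=(\w+)", t),
        summary_count=_grab(r"summary: (\d+)", t, int),
        initial_alert=_grab(r"initialAlert=(\d+)", t),
    )


def correlate(alerts):
    """Map each initial eventId to the summary alerts that roll it up."""
    groups = {}
    for a in alerts:
        if a.is_summary and a.initial_alert:
            groups.setdefault(a.initial_alert, []).append(a)
    return groups


def risk_rating_gap(initial: IdsAlert, summary: IdsAlert) -> int:
    """Difference between the initial alert's riskRatingValue and its summary's."""
    return initial.risk_rating - summary.risk_rating


def explain(alert: IdsAlert) -> str:
    """One-line human-readable description of what kind of record this is."""
    flow = f"{alert.attacker}:{alert.attacker_port} -> {alert.target}:{alert.target_port}"
    if alert.is_summary:
        return (f"{alert.event_id}: {alert.summary_type} summary of {alert.summary_count} events "
                f"for initial alert {alert.initial_alert}; participants zeroed ({flow}); "
                f"riskRating {alert.risk_rating}, attackRelevanceRating absent")
    return (f"{alert.event_id}: sig {alert.sig_id} fired on {flow}; riskRating {alert.risk_rating}, "
            f"attackRelevanceRating={alert.attack_relevance}")


def parse_post_alerts():
    """Parse both records from the post and return (initial, summary)."""
    return parse_alert(ALERT_INITIAL), parse_alert(ALERT_SUMMARY)


if __name__ == "__main__":
    initial, summary = parse_post_alerts()
    for a in (initial, summary):
        print(explain(a))
    print("summaries by initial eventId:", {k: [s.event_id for s in v] for k, v in correlate([initial, summary]).items()})
    print("riskRating gap initial - summary:", risk_rating_gap(initial, summary))
```

Run on the two records, the parser reports the first as a regular firing of signature 61000 from 7.7.3.10:514 to 150.1.7.20:514 with riskRating 85, and the second as a Regular summary of 8 events pointing back at eventId 1376465320547002492 with zeroed participants and riskRating 75, a gap of 10. Feeding the same parser a SIEM export lets you filter summaries out of per-host counts, or correlate them back to their initial alert, instead of treating 0.0.0.0 as a real destination.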