Re: Named Access-List option "log-update"

From: George Robbins (grr@shandakor.tharsis.com)
Date: Mon Oct 16 2000 - 15:56:02 EDT


Well, I suspect the description of access logging in the feature description
of "standard access-list logging" provides some illumination:

' The first packet that triggers the access list causes a logging
' message right away, and subsequent packets are collected over
' 5-minute intervals before they are displayed or logged. The logging
' message includes the access list number, whether the packet was
' permitted or denied, the source IP address of the packet, and the
' number of packets from that source permitted or denied in the prior
' 5-minute interval.

This makes the logging interval pretty obvious, and the knob to tweak
it has been around for a while, shows up in 11.1(26)-CC.

The threshold option is probably just coming from the opposite direction,
to disclose the hits to syslog based on either time or quantity.

IOS had lots of undocumented or hidden options; the undocumented ones
still interact with the command parser "help", the hidden ones are
blanked, but "work" if you know the syntax.

                                                George

> Date: Mon, 16 Oct 2000 23:06:44 +0400 (MSD)
> From: Basil Dolmatov <dol@east.ru>
> To: Kevin Gannon <kevin@gannons.net>
> Cc: Cisco NSP List <cisco-nsp@puck.nether.net>
> Subject: Re: Named Access-List option "log-update"
>
> I can guess... ;)
>
> logged ACL hits are buffered and flushed after a default time
> interval (I guess 30 secs) or buffer overflow.
> You can tune the behaviour in the necessary direction, either to add
> reactivity, or to make it more sleepy and lazy in logging...
>
> another version - ACLs can be logged after a specific number of hits in a given rule,
> i.e. effectively block random ACL hits and leave only massive attacks
> being logged.
>
> Both things would be attempts to combine the possibility of avoiding
> the router being knelt down by an attacker with leaving the means to log
> the source and method of attack.
>
> Just my 0.02
>
> --------------------------------------------------------
> Basil (Vasily) Dolmatov CCIE #5347, CCNP-Security, CCDA
>
>
> On Mon, 16 Oct 2000, Kevin Gannon wrote:
>
> > I was configuring some named access-lists and found the following:
> >
> > ip access-list log-update threshold
> >
> > I have checked the web site and the command references and
> > can't find any reference. Has anyone used it, or got a clue what it
> > can be used for? It seems useful.
> >
> > Regards,
> > Kevin
> >
> >
> >
>
>
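As an added illustration, not part of the original thread or of IOS itself, the following Python model plays out the logging behaviour George quotes above with the two knobs under discussion: an interval after which per-source hit counts are flushed (the real command is `ip access-list logging interval`, which takes milliseconds; the model uses seconds) and a `log-update threshold` after which an update message is emitted early. The semantics are assumed from the documented description (first packet logged at once, subsequent packets from the same source counted and reported at the end of the interval, or sooner once the threshold is reached) and the traffic is constructed: one source floods the denied rule, another sends a single probe.

```python
from dataclasses import dataclass


@dataclass
class LogMessage:
    time: float      # simulated clock, seconds
    src: str         # source address the message summarises
    packets: int     # packet count carried in this message


class AclHitLogger:
    """Model of per-source ACL hit logging (assumed semantics, see lead-in):
    the first hit is logged immediately; later hits are counted and reported
    when the interval expires, or sooner once `threshold` hits accumulate."""

    def __init__(self, interval=300.0, threshold=None):
        self.interval = interval      # seconds between summary flushes (default 5 min)
        self.threshold = threshold    # hits per update message; None = time-based only
        self._pending = {}            # src -> [uncounted hits, window start time]
        self.messages = []

    def _flush_expired(self, now):
        for src, (count, start) in list(self._pending.items()):
            if now - start >= self.interval:
                if count:
                    self.messages.append(LogMessage(start + self.interval, src, count))
                # window closed: the next hit from src is a "first packet" again
                del self._pending[src]

    def hit(self, now, src):
        self._flush_expired(now)
        entry = self._pending.get(src)
        if entry is None:
            # first packet from this source: log right away, open a window
            self.messages.append(LogMessage(now, src, 1))
            self._pending[src] = [0, now]
            return
        entry[0] += 1
        if self.threshold is not None and entry[0] >= self.threshold:
            # threshold reached: emit an update without waiting for the interval
            self.messages.append(LogMessage(now, src, entry[0]))
            entry[0] = 0

    def finish(self, now):
        """Advance the clock far enough to flush every open window."""
        self._flush_expired(now + self.interval)
        return self.messages


def simulate(interval, threshold, hits):
    """Feed (time, src) hits through the model and return all log messages."""
    logger = AclHitLogger(interval, threshold)
    for t, src in hits:
        logger.hit(t, src)
    return logger.finish(hits[-1][0] if hits else 0.0)


# Constructed traffic: 10.0.0.5 fires 1000 packets in ten seconds (a flood),
# 192.0.2.9 sends a single probe; all hit the same logged deny line.
FLOOD = [(i * 0.01, "10.0.0.5") for i in range(1000)]
PROBE = [(3.0, "192.0.2.9")]
HITS = sorted(FLOOD + PROBE)

if __name__ == "__main__":
    for thr in (None, 100):
        msgs = simulate(300.0, thr, HITS)
        print(f"threshold={thr}: {len(msgs)} messages, "
              f"packets reported={sum(m.packets for m in msgs)}")
```

With the interval alone, the flood produces exactly two messages (the first packet, then a single 999-packet summary five minutes later), which is what keeps a flooded router from drowning in syslog; setting the threshold to 100 trades some of that protection for faster visibility, producing an update every hundred hits while the totals reported stay the same.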



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:19 EDT