Rule ID
SV-80877r1_rule
Version
V1R2
CCIs
Without the capability to generate audit records with a severity code, it is difficult to track and handle detection events.

While auditing and logging are closely related, they are not the same. Logging is recording data about events that take place in a system, while auditing is the use of log records to identify security-relevant information such as system or user accesses. In short, log records are audited to establish an accurate history. Without logging, it would be impossible to establish an audit trail.

The IDPS must have the capability to collect and log the severity associated with the policy, rule, or signature. IDPS products often have either a pre-configured and/or a configurable method for associating an impact indicator or severity code with signatures and rules, at a minimum.
From configuration mode, display the configured IDP policies and their rules:

[edit]
show security idp

Confirm that every rule in the active rulebase-ips carries a "then severity" statement. The operational-mode command "show security idp status" shows which IDP policy is currently loaded, so the rules reviewed are the ones actually in force.

The IDP traffic log can also be inspected to verify that IDP detection events contain a severity level in the log record.

If active IDP rules exist that do not include a severity level, this is a finding.
Example configuration to set the severity level on the IDP rules:

Define an attack as match criteria.
[edit security idp idp-policy base-policy rulebase-ips rule R1]
set match attacks predefined-attack-groups "TELNET-Critical"

Specify an action for the rule.
[edit security idp idp-policy base-policy rulebase-ips rule R1]
set then action drop-connection

Specify notification and logging options for the rule.
[edit security idp idp-policy base-policy rulebase-ips rule R1]
set then notification log-attacks alert

Set the severity level for the rule.
[edit security idp idp-policy base-policy rulebase-ips rule R1]
set then severity critical
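The check above is easy to miss on a device with many rules, so the following is an added example (not part of the STIG text) that automates it: it reads Junos set-format configuration, either copied in the "[edit ...]" plus relative "set" form used in the fix text or exported with "show configuration | display set", resolves each rule under security idp idp-policy ... rulebase-ips, and reports every rule that has no "then severity" statement. The sample configuration embedded in the script is constructed for the example; rules R2 and R3 and the HTTP/FTP attack-group names are illustrative and not taken from the page.

```python
"""Audit Junos IDP configuration for IPS rules that lack a severity level.

Added example for the check "active IDP rules that do not include a
severity level are a finding". Accepts set-format text in two shapes:
  - "[edit <hierarchy>]" context lines followed by relative "set" lines
    (the form used in the fix text), and
  - fully qualified "set security idp ..." lines as produced by
    "show configuration | display set".
"""
import re

# Constructed sample (not from the page): R1 is compliant, R2 has no
# severity, R3 is given in fully qualified form and is compliant.
SAMPLE_CONFIG = """\
[edit security idp idp-policy base-policy rulebase-ips rule R1]
set match attacks predefined-attack-groups "TELNET-Critical"
set then action drop-connection
set then notification log-attacks alert
set then severity critical
[edit security idp idp-policy base-policy rulebase-ips rule R2]
set match attacks predefined-attack-groups "HTTP-Critical"
set then action drop-connection
set then notification log-attacks alert
[edit]
set security idp idp-policy base-policy rulebase-ips rule R3 match attacks predefined-attack-groups "FTP-Critical"
set security idp idp-policy base-policy rulebase-ips rule R3 then action drop-connection
set security idp idp-policy base-policy rulebase-ips rule R3 then severity major
"""

# Severity keywords Junos accepts under "then severity".
VALID_SEVERITIES = {"critical", "major", "minor", "warning", "info"}

CONTEXT_RE = re.compile(r"\[edit(?: (.*))?\]$")
RULE_RE = re.compile(
    r"security idp idp-policy (\S+) rulebase-ips rule (\S+)(?: (.*))?$"
)


def expand_set_statements(text):
    """Yield fully qualified paths, resolving "[edit ...]" context lines.

    A bare "[edit]" resets the context so later "set" lines are taken as-is.
    """
    context = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        ctx = CONTEXT_RE.match(line)
        if ctx:
            context = ctx.group(1) or ""
            continue
        if line.startswith("set "):
            body = line[4:]
            yield f"{context} {body}" if context else body


def audit_idp_rules(text):
    """Map (policy, rule) -> severity keyword, or None if the rule has none."""
    rules = {}
    for path in expand_set_statements(text):
        m = RULE_RE.match(path)
        if not m:
            continue  # not an IPS rule statement
        policy, rule, rest = m.group(1), m.group(2), m.group(3) or ""
        rules.setdefault((policy, rule), None)
        sev = re.match(r"then severity (\S+)$", rest)
        if sev:
            rules[(policy, rule)] = sev.group(1)
    return rules


def findings(text):
    """Rules with no severity, or an unrecognised one; non-empty is a finding."""
    return sorted(
        key for key, sev in audit_idp_rules(text).items()
        if sev not in VALID_SEVERITIES
    )


if __name__ == "__main__":
    for policy, rule in findings(SAMPLE_CONFIG):
        print(f"FINDING: policy {policy} rule {rule} has no severity level")
```

Run it against the output of "show configuration | display set" saved from the device; any line printed corresponds directly to a finding under this rule. The script only reads the rulebase-ips hierarchy, so which policy is active still has to be confirmed on the device with "show security idp status".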