Detecting Intrusions

When the RealPresence Group Series system detects a possible network intrusion, it logs an entry to the security log. This logging is controlled by the Enable Network Intrusion Detection System (NIDS) setting. The security log prefix identifies the type of packet detected, as shown in the following table.

Prefix                        Packet Type
SECURITY: NIDS/unknown_tcp    Packet that attempts to connect to or probe a closed TCP port
SECURITY: NIDS/unknown_udp    Packet that probes a closed UDP port
SECURITY: NIDS/invalid_tcp    TCP packet in an invalid state
SECURITY: NIDS/invalid_icmp   ICMP or ICMPv6 packet in an invalid state
SECURITY: NIDS/unknown        Packet with an unknown protocol number in the IP header
SECURITY: NIDS/flood          Stream of ICMP or ICMPv6 ping requests or TCP connections to an open TCP port

Following the message prefix, the security log entry includes the timestamp and the IP, TCP, UDP, ICMP, or ICMPv6 headers. For example, the following security log entry shows an “unknown_udp” intrusion:

2009-05-08 21:32:52 WARNING kernel: SECURITY: NIDS/unknown_udp IN=eth0 OUT= MAC=00:e0:db:08:9a:ff:00:19:aa:da:11:c3:08:00 SRC=172.18.1.80 DST=172.18.1.170 LEN=28 TOS=0x00 PREC=0x00 TTL=63 ID=22458 PROTO=UDP SPT=1450 DPT=7788 LEN=8
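
The following Python, added here as an example and not part of the Polycom documentation, parses security log entries in the format shown above and tallies them per source host and event type. Only the unknown_udp line is taken from the page; the unknown_tcp line, the unrelated kernel line and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample log. The first line is the page's example; the other two
# are made up to exercise the parser (a TCP probe and a non-NIDS kernel message).
SAMPLE_LOG = """\
2009-05-08 21:32:52 WARNING kernel: SECURITY: NIDS/unknown_udp IN=eth0 OUT= MAC=00:e0:db:08:9a:ff:00:19:aa:da:11:c3:08:00 SRC=172.18.1.80 DST=172.18.1.170 LEN=28 TOS=0x00 PREC=0x00 TTL=63 ID=22458 PROTO=UDP SPT=1450 DPT=7788 LEN=8
2009-05-08 21:33:10 WARNING kernel: SECURITY: NIDS/unknown_tcp IN=eth0 OUT= MAC=00:e0:db:08:9a:ff:00:19:aa:da:11:c3:08:00 SRC=172.18.1.80 DST=172.18.1.170 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=22459 DF PROTO=TCP SPT=40022 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
2009-05-08 21:33:11 INFO kernel: some unrelated kernel message
"""

# timestamp, log level, the fixed "kernel: SECURITY: NIDS/" prefix, the event kind,
# and the remaining header fields
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>\S+) kernel: "
    r"SECURITY: NIDS/(?P<kind>\w+) (?P<rest>.*)$"
)


def parse_entry(line):
    """Parse one NIDS entry into a dict; return None for lines that are not NIDS entries.

    KEY=VALUE fields up to and including PROTO= describe the IP header and go under
    'ip'; fields after PROTO= describe the transport header and go under 'l4', so the
    second LEN= (UDP/TCP length) does not overwrite the IP-level LEN=. Bare tokens such
    as DF or SYN are collected as flags.
    """
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = {"timestamp": m["ts"], "level": m["level"], "kind": m["kind"],
             "ip": {}, "l4": {}, "flags": []}
    section = "ip"
    for tok in m["rest"].split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            entry[section][key] = value
            if key == "PROTO":
                section = "l4"
        else:
            entry["flags"].append(tok)
    return entry


def parse_log(text):
    """Return the parsed NIDS entries from a block of security log text."""
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def count_by_source(entries):
    """Count entries per (source IP, event kind); a noisy host stands out quickly."""
    return Counter((e["ip"]["SRC"], e["kind"]) for e in entries)
```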

For information on the Enable Network Intrusion Detection System (NIDS) setting, see the following topic.