Configuring Advanced Threat Protection

Using the Instrumentation Monitor

Operating Notes

To generate alerts for monitored events, you must enable the instrumentation monitoring log and/or SNMP trap. The threshold for each monitored parameter can be adjusted to minimize false alarms (see “Configuring Instrumentation Monitor” on page 8-35).

When a parameter exceeds its threshold, an alert (event log message and/or SNMP trap) is generated to inform network administrators of this condition. The following example shows an event log message that occurs when the number of MAC addresses learned in the forwarding table exceeds the configured threshold:

[Figure 8-8 callouts on the log line below: “Standard Date/Time Prefix for Event Log Messages”; “‘inst-mon’ label indicates an Instrumentation Monitor event”; “Monitored Parameter”; “Threshold Value”; “Current Value”]

W 05/27/06 12:10:16 inst-mon: Limit for MAC addr count (300) is exceeded (321)

Figure 8-8. Example of Event Log Message generated by Instrumentation Monitor

Alerts are automatically rate limited to prevent filling the log file with redundant information. The following is an example of alerts that occur when the device is continually subject to the same attack (too many MAC addresses in this instance):

W 01/01/90 00:05:00 inst-mon: Limit for MAC addr count (300) is exceeded (321)

W 01/01/90 00:10:00 inst-mon: Limit for MAC addr count (300) is exceeded (323)

W 01/01/90 00:15:00 inst-mon: Limit for MAC addr count (300) is exceeded (322)

W 01/01/90 00:20:00 inst-mon: Limit for MAC addr count (300) is exceeded (324)

W 01/01/90 00:20:00 inst-mon: Ceasing logs for MAC addr count for 15 minutes

Figure 8-9. Example of rate limiting when multiple messages are generated

In the preceding example, if a condition is reported 4 times (persists for more than 15 minutes) then alerts cease for 15 minutes. If after 15 minutes the condition still exists, the alerts cease for 30 minutes, then for 1 hour, 2 hours, 4 hours, 8 hours, and after that the persisting condition is reported once a day. As with other event log entries, these alerts can be sent to a syslog server.

Known Limitations: The instrumentation monitor runs once every five minutes. The current implementation does not track information such as the port, MAC, and IP address from which an attack is received.
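The event log lines in Figures 8-8 and 8-9 have a fixed shape, and the rate-limiting schedule described above can be written down as a function. The following Python is an added example, not part of this manual or of the switch software: it parses inst-mon lines as they would arrive at a syslog collector, extracts the monitored parameter, threshold and current value, counts reports per parameter, and models the suppression windows (four reports, then 15 minutes, 30 minutes, 1, 2, 4 and 8 hours, then once a day). The sample lines are constructed from the figures; reading the one-letter prefix as a severity (with “W” meaning warning) and the two-digit year through strptime are assumptions, not statements from the page.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample log, modelled on the lines shown in Figures 8-8 and 8-9
# (not captured from a real switch). The final line is a non-inst-mon entry
# included to show that unrelated events are skipped.
SAMPLE_LOG = """\
W 01/01/90 00:05:00 inst-mon: Limit for MAC addr count (300) is exceeded (321)
W 01/01/90 00:10:00 inst-mon: Limit for MAC addr count (300) is exceeded (323)
W 01/01/90 00:15:00 inst-mon: Limit for MAC addr count (300) is exceeded (322)
W 01/01/90 00:20:00 inst-mon: Limit for MAC addr count (300) is exceeded (324)
W 01/01/90 00:20:00 inst-mon: Ceasing logs for MAC addr count for 15 minutes
I 01/01/90 00:21:00 ports: port 3 is now on-line
"""

# Common prefix: one-letter severity (assumption: W = warning), date, time.
_PREFIX = r"^(?P<sev>[A-Z]) (?P<date>\d\d/\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) inst-mon: "
EXCEEDED_RE = re.compile(
    _PREFIX + r"Limit for (?P<param>.+?) \((?P<threshold>\d+)\) is exceeded \((?P<current>\d+)\)$"
)
CEASING_RE = re.compile(
    _PREFIX + r"Ceasing logs for (?P<param>.+?) for (?P<minutes>\d+) minutes$"
)

# Suppression schedule from the text: after the 4th report, 15 min, then
# 30 min, 1 h, 2 h, 4 h, 8 h, and once a day thereafter (all in minutes).
REPORTS_BEFORE_SUPPRESSION = 4
_SCHEDULE = [15, 30, 60, 120, 240, 480]
_DAILY = 24 * 60


@dataclass
class InstMonEvent:
    when: datetime
    severity: str
    parameter: str
    threshold: Optional[int] = None   # set on "is exceeded" lines
    current: Optional[int] = None     # set on "is exceeded" lines
    ceased_for: Optional[int] = None  # minutes, set on "Ceasing logs" lines

    @property
    def exceeded(self) -> bool:
        return self.threshold is not None

    def overshoot_pct(self) -> float:
        """How far above the threshold the current value is, in percent."""
        if not self.exceeded:
            return 0.0
        return 100.0 * (self.current - self.threshold) / self.threshold


def parse_line(line: str) -> Optional[InstMonEvent]:
    """Parse one event log line; return None for lines that are not inst-mon."""
    for regex in (EXCEEDED_RE, CEASING_RE):
        m = regex.match(line.strip())
        if m:
            break
    else:
        return None
    # Two-digit year: strptime's %y maps 69-99 to 19xx and 00-68 to 20xx (assumption).
    when = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%y %H:%M:%S")
    ev = InstMonEvent(when=when, severity=m["sev"], parameter=m["param"])
    if regex is EXCEEDED_RE:
        ev.threshold = int(m["threshold"])
        ev.current = int(m["current"])
    else:
        ev.ceased_for = int(m["minutes"])
    return ev


def parse_log(text: str) -> List[InstMonEvent]:
    """Parse a whole log, keeping only Instrumentation Monitor events."""
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    return [e for e in events if e is not None]


def exceeded_counts(events: List[InstMonEvent]) -> Dict[str, int]:
    """Number of 'is exceeded' reports per monitored parameter."""
    counts: Dict[str, int] = {}
    for e in events:
        if e.exceeded:
            counts[e.parameter] = counts.get(e.parameter, 0) + 1
    return counts


def suppression_minutes(n: int) -> int:
    """Length of the n-th (1-based) suppression window for a persisting condition."""
    if n < 1:
        raise ValueError("n must be >= 1")
    return _SCHEDULE[n - 1] if n <= len(_SCHEDULE) else _DAILY


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in evs:
        if e.exceeded:
            print(f"{e.when} {e.parameter}: {e.current}/{e.threshold} (+{e.overshoot_pct():.1f}%)")
        else:
            print(f"{e.when} {e.parameter}: suppressed for {e.ceased_for} min")
    print("reports per parameter:", exceeded_counts(evs))
    print("suppression windows:", [suppression_minutes(i) for i in range(1, 9)])
```

Because the monitor runs only every five minutes and, as the Known Limitations note, the alert carries no port, MAC or IP address, a collector can learn from these lines only that a limit was exceeded and by how much; the "Ceasing logs" line is the signal that a condition is persisting and that the absence of further reports is suppression, not recovery.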

8-34