Intrusion Detection Email Notification

Summary

This function sends a mail notification to the designated mail address when the intrusion detection (IDS) detects unauthorized access.

Notes

Compatible Models & Firmware Revisions

Model     Revision                 GUI available
RTX5000   Rev.14.00.15 or later    ×
FWX120    Rev.11.03.16 or later
RTX810    Rev.11.01.15 or later

Details

Mail notification target

To use the mail notification function for unauthorized access, configure the router with both the "ip I/F intrusion detection" and "mail notify trigger intrusion" commands (I/F is the interface name, for example lan1). A mail notification is triggered when the intrusion detection (IDS) enabled by the "ip I/F intrusion detection" command detects unauthorized access and the detected information matches the condition specified by the "mail notify trigger intrusion" command.
The "mail notify trigger intrusion" command cannot restrict the notification to particular types of unauthorized access, i.e. by the option of the "ip I/F intrusion detection" command ("ip", "ip-option", "fragment", "icmp", "udp", "tcp", "ftp", or "winny"). All types of detected unauthorized access are subject to notification.
Also, the "reject" option of the "ip I/F intrusion detection" command does not affect the behavior of the mail notification.

Interfaces that can be specified using a command

The following tables show the interfaces you can specify with the "mail notify trigger intrusion" command:
When you specify "*" for the interface number of the PP/TUNNEL interface, mail notification is enabled on all LAN/PP/TUNNEL interfaces.
You cannot specify the same interface + direction combination twice in a single command.

RTX5000
  Interface name   Range
  LAN              lan1 to lan4, lan1.1 to lan1.4, lan2.1 to lan2.4, lanN/1 to lanN/32, or "*"
  PP               1 to 150, or "*"
  TUNNEL           1 to 3000, or "*"
  *                All interfaces including LAN, PP, and TUNNEL

RTX810
  Interface name   Range
  LAN              lan1 to lan2, lan1.1 to lan1.4, lanN/1 to lanN/8, or "*"
  PP               1 to 30, or "*"
  TUNNEL           1 to 50, or "*"
  *                All interfaces including LAN, PP, and TUNNEL

FWX120
  Interface name   Range
  LAN              lan1 to lan2, lan1.1 to lan1.4, lanN/1 to lanN/8, or "*"
  PP               1 to 30, or "*"
  TUNNEL           1 to 50, or "*"
  *                All interfaces including LAN, PP, and TUNNEL

Trigger detection

Unauthorized access detected after the first trigger, up to the expiry of the wait time specified by the "notify-wait-time" option of the "mail template" command, is reported collectively in a single mail.
Likewise, if other triggers bound to the same template ID by the "mail notify trigger intrusion" command are detected before that wait time ("notify-wait-time" option of the "mail template" command) expires, all triggers detected during the period are notified in a single mail.

If unauthorized access is detected frequently, you can reduce the number of mail notifications in the following ways:

  • Use the "mail template" command to configure a longer wait time ("notify-wait-time" option; up to 86400 seconds = 24 hours).
  • Use the "ip I/F intrusion detection repeat-control" command to shorten the period during which notifications are sent for the same attack against the same host.
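
The batching and suppression behaviour described above, as an added Python example (not code from this page or from Yamaha): batch_notifications models how detections sharing a template ID are collected into one mail until the notify-wait-time window closes, and suppress_repeats is a simplified, assumed model of what repeat-control does for the same attack against the same host. The detections, timings and addresses are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Detection:
    t: int            # seconds since the first event (constructed sample timestamps)
    template_id: int  # template ID bound to the trigger by "mail notify ... trigger intrusion"
    interface: str    # e.g. "lan1"
    direction: str    # "in" or "out"
    kind: str         # detected intrusion, e.g. "ICMP too large"
    src: str
    dst: str


# Constructed sample: a burst of detections over about four minutes on two triggers.
SAMPLE = [
    Detection(0,   1, "lan1", "in", "ICMP too large", "192.168.100.2", "192.168.100.1"),
    Detection(5,   2, "lan2", "in", "fragment",       "198.51.100.7",  "192.168.100.1"),
    Detection(10,  1, "lan1", "in", "ICMP too large", "192.168.100.2", "192.168.100.1"),
    Detection(70,  1, "lan1", "in", "ICMP too large", "192.168.100.2", "192.168.100.1"),
    Detection(75,  1, "lan1", "in", "fragment",       "198.51.100.7",  "192.168.100.1"),
    Detection(200, 1, "lan1", "in", "fragment",       "198.51.100.7",  "192.168.100.1"),
    Detection(230, 1, "lan1", "in", "ICMP too large", "192.168.100.2", "192.168.100.1"),
]


def batch_notifications(detections, wait_time):
    """Group detections into mails as the page describes: the first detection
    for a template ID opens a window of wait_time seconds, and every later
    detection with the same template ID inside that window is reported in the
    same mail. Returns a list of (template_id, [detections]) in send order."""
    windows = []            # (template_id, deadline, [detections]), closed and open
    open_by_template = {}   # template_id -> index of its currently open window
    for d in sorted(detections, key=lambda x: x.t):
        idx = open_by_template.get(d.template_id)
        if idx is not None and d.t <= windows[idx][1]:
            windows[idx][2].append(d)   # still inside the wait window: same mail
            continue
        # no open window for this template (or it has expired): open a new one
        windows.append((d.template_id, d.t + wait_time, [d]))
        open_by_template[d.template_id] = len(windows) - 1
    windows.sort(key=lambda w: w[1])    # a mail leaves when its window closes
    return [(tid, items) for tid, _, items in windows]


def suppress_repeats(detections, period):
    """Simplified model (an assumption, not the router's exact algorithm) of
    "ip I/F intrusion detection repeat-control": once an attack of a given kind
    against a given destination host has been reported, further detections of
    the same kind against the same host within `period` seconds are dropped."""
    last_reported = {}
    kept = []
    for d in sorted(detections, key=lambda x: x.t):
        key = (d.kind, d.dst)
        if key in last_reported and d.t - last_reported[key] < period:
            continue
        last_reported[key] = d.t
        kept.append(d)
    return kept


if __name__ == "__main__":
    for wait in (60, 600):
        mails = batch_notifications(SAMPLE, wait)
        print(f"notify-wait-time={wait}: {len(mails)} mail(s), sizes {[len(m) for _, m in mails]}")
    mails = batch_notifications(suppress_repeats(SAMPLE, 100), 60)
    print(f"repeat suppression 100 s + wait 60 s: {len(mails)} mail(s)")
```

With a 60-second wait the sample produces four mails (the template-2 trigger is always batched separately); raising the wait to 600 seconds collapses it to two, and suppressing repeats first removes the duplicate rows before batching even starts.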

Manual execution

There is no available command for manually sending out mail notifications for the intrusion detection.

GUI

This section describes the GUI for the FWX120.

1. Mail Notification: Main screen

Main screen

A selection menu is added to the "Configure content of notifications" section on the main screen. Selecting "Intrusion Detection System" from the menu opens its settings screen.

2. Intrusion Detection Email Notification: Settings screen

Settings Screen

The configuration made on the settings screen shown above is equivalent to the following commands:

  • mail notify ID TEMPLATE_ID trigger intrusion IF_I [IF_I_NUM] DIR_I [IF_I [IF_I_NUM] DIR_I [...]]
  • mail template TEMPLATE_ID SERVER_ID "From: ADDRESS" "To:ADDRESS" ["Subject: SUBJECT"] ["Date: DATE"] ["MIME-Version:VERSION"] ["Content-Type:CONTENT_TYPE"] [notify-log=SW] [notify-wait-time=SEC]

The "content of notifications" section is displayed according to the following rules:

  • Only the currently enabled interfaces are displayed. (However, VLAN/LAN division is not available in the GUI)
  • Interfaces not specified by the "ip I/F intrusion detection" command are not displayed.

Command

Refer to the Command Reference for "Triggered Mail Notification Function".

Settings Examples

This example configures the intrusion detection, the mail server, the mail template, and the trigger.
Once the configuration is complete, a mail notification is sent whenever the intrusion detection detects unauthorized access.

ip lan1 intrusion detection in on
mail server name 1 (Server name)
mail server smtp 1 (SMTP server address)
mail template 1 1 From:(Sender's mail address) To:(Destination mail address) Subject:(Mail subject)
mail notify 1 1 trigger intrusion lan1 in

Example notification mail
Model:  FWX120
Revision:  Rev.11.03.16

Name:  yamaha-srt100-00a0de111111
Time:  2016/11/25 14:01:34
Template ID:  1

ID   Time                Interface      Detected Intrusion
------------------------------------------------------------------------------
0001 2016/11/25 14:01:26       LAN1 [ in] ICMP too large
                                          (192.168.100.2   -> 192.168.100.1  ) 
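
Mails in this format are usually collected by a mail-reading script rather than read by hand, so a small parser for the body shown above is useful when feeding these notifications into a log store. Added Python example (not code from this page or from Yamaha): SAMPLE_MAIL repeats the page's example body with a second, constructed row ("0002"); the Event class, the field names and summarize are the example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# The page's sample mail body, plus a second constructed row ("0002") so the
# parser is exercised on more than one entry.
SAMPLE_MAIL = """\
Name:  yamaha-srt100-00a0de111111
Time:  2016/11/25 14:01:34
Template ID:  1

ID   Time                Interface      Detected Intrusion
------------------------------------------------------------------------------
0001 2016/11/25 14:01:26       LAN1 [ in] ICMP too large
                                          (192.168.100.2   -> 192.168.100.1  ) 
0002 2016/11/25 14:01:30       LAN1 [out] ICMP too large
                                          (192.168.100.1   -> 192.168.100.2  ) 
"""

# "Key:  value" header lines at the top of the body
HEADER_RE = re.compile(r"^(Name|Time|Template ID):\s*(.*\S)\s*$")
# one table row: ID, timestamp, interface, [direction], detected intrusion
ROW_RE = re.compile(
    r"^(\d{4})\s+(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+\[\s*(\w+)\]\s+(.*\S)\s*$"
)
# continuation line under a row: (source -> destination)
ADDR_RE = re.compile(r"^\s*\(\s*(\S+)\s*->\s*(\S+)\s*\)\s*$")


@dataclass
class Event:
    id: str
    time: str
    interface: str
    direction: str
    intrusion: str
    src: str = ""
    dst: str = ""


def parse_notification(body):
    """Parse the header lines and the detection table of one notification mail.
    The (src -> dst) line is attached to the row immediately above it."""
    headers = {}
    events = []
    for line in body.splitlines():
        m = HEADER_RE.match(line)
        if m:
            headers[m.group(1)] = m.group(2)
            continue
        m = ROW_RE.match(line)
        if m:
            events.append(Event(*m.groups()))
            continue
        m = ADDR_RE.match(line)
        if m and events:
            events[-1].src, events[-1].dst = m.groups()
    return {
        "name": headers.get("Name", ""),
        "time": headers.get("Time", ""),
        "template_id": int(headers["Template ID"]) if "Template ID" in headers else None,
        "events": events,
    }


def summarize(events):
    """Count detections per (intrusion type, source host); a convenient pivot
    once mails from several routers are collected in one place."""
    return Counter((e.intrusion, e.src) for e in events)


if __name__ == "__main__":
    parsed = parse_notification(SAMPLE_MAIL)
    print(parsed["name"], parsed["time"], "template", parsed["template_id"])
    for e in parsed["events"]:
        print(e)
    print(summarize(parsed["events"]))
```

The column header and the dashed rule are simply skipped because they match none of the three patterns; an address line that appears before any row is ignored rather than attached to the wrong event.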
