Reading intrusion alerts and resetting alert flags

Notice of security violations

When the switch detects an intrusion on a port, it sets an "alert flag" for that port and makes the intrusion information available as described below. While the switch can detect additional intrusions for the same port, it does not list the next chronological intrusion for that port in the Intrusion Log until the alert flag for that port has been reset.

When a security violation occurs on a port configured for Port Security, the switch responds in the following ways to notify you:

  • The switch sets an alert flag for that port. This flag remains set until:

    • You use either the CLI, menu interface, or WebAgent to reset the flag.

    • The switch is reset to its factory default configuration.

  • The switch enables notification of the intrusion through the following means:

    • In the CLI:

      • The show port-security intrusion-log command displays the Intrusion Log

      • The log command displays the Event Log

    • In the menu interface:

      • The Port Status screen includes a per-port intrusion alert

      • The Event Log includes per-port entries for security violations

    • In the WebAgent:

      • The Alert Log includes entries for per-port security violations

      • The Intrusion Log lists per-port security violation entries

    • In network management applications such as HP PCM+ via an SNMP trap sent to a network management station

How the intrusion log operates

When the switch detects an intrusion attempt on a port, it enters a record of this event in the Intrusion Log. No further intrusion attempts on that port will appear in the Log until you acknowledge the earlier intrusion event by resetting the alert flag.

The Intrusion Log lists the 20 most recently detected security violation attempts, regardless of whether the alert flags for these attempts have been reset. This gives you a history of past intrusion attempts. Thus, for example, if there is an intrusion alert for port A1 and the Intrusion Log shows two or more entries for port A1, only the most recent entry has not been acknowledged (by resetting the alert flag). The other entries give you a history of past intrusions detected on port A1.

Multiple intrusion log entries for the same port

HP Switch(config)# show port-security intrusion-log
 Status and Counters - Intrusion Log

 Port  MAC Address     Date / Time
 ----- ------------- --------------------------
 1     080009-e93d4f   03/07/11 21:09:34
 1     080009-e93d4f   03/07/11 10:18:43

The log shows the most recent intrusion at the top of the listing. You cannot delete Intrusion Log entries (unless you reset the switch to its factory-default configuration). Instead, if the log is filled when the switch detects a new intrusion, the oldest entry is dropped off the listing and the newest entry appears at the top of the listing.
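The rules just described (newest entry first, one uncleared alert per port, the rest is history) can be applied mechanically to captured output. The following is an added example, not part of the original guide, that parses a constructed `show port-security intrusion-log` listing and, given which ports still show an Intrusion Alert, marks the single unacknowledged entry per port; the `prior to` date prefix is assumed from the note later on this page.

```python
import re
from dataclasses import dataclass

# Constructed sample of `show port-security intrusion-log` output, following the
# layout shown above: most recent entry first, up to 20 entries. The 'prior to'
# prefix (an intrusion detected before a switch reset) is an assumed format.
INTRUSION_LOG = """\
 Status and Counters - Intrusion Log

 Port  MAC Address     Date / Time
 ----- ------------- --------------------------
 3     080009-e93d4f   03/07/11 21:09:34
 1     0060b0-889e00   03/07/11 14:02:11
 3     080009-e93d4f   prior to 03/07/11 10:18:43
"""

# Ports whose Intrusion Alert column reads "Yes" in `show interfaces brief`
# (constructed: only port 3 still has an unreset flag).
ALERT_FLAGS = {"3": True, "1": False}

ENTRY_RE = re.compile(
    r"^\s*(?P<port>[A-Za-z]?\d+)\s+(?P<mac>[0-9a-fA-F]{6}-[0-9a-fA-F]{6})\s+"
    r"(?P<prior>prior to\s+)?(?P<when>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s*$"
)

@dataclass
class Entry:
    port: str
    mac: str
    when: str
    before_reset: bool   # record carries the 'prior to' marker
    unacknowledged: bool # alert flag for this port is still set

def parse_intrusion_log(text, alert_flags):
    """Return entries newest-first. Because the switch keeps only one uncleared
    alert per port, only the newest entry of a flagged port can be unacknowledged."""
    entries, seen_ports = [], set()
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # banner, column header and rule lines
        port = m["port"]
        unack = alert_flags.get(port, False) and port not in seen_ports
        seen_ports.add(port)
        entries.append(Entry(port, m["mac"], m["when"], bool(m["prior"]), unack))
    return entries

def ports_needing_reset(entries):
    """Ports with an uncleared alert flag, i.e. candidates for clear-intrusion-flag."""
    return sorted({e.port for e in entries if e.unacknowledged})
```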

Keeping the intrusion log current by resetting alert flags

When a violation occurs on a port, an alert flag is set for that port and the violation is entered in the Intrusion Log. The switch can detect and handle subsequent intrusions on that port, but will not log another intrusion on the port until you reset the alert flag for either all ports or for the individual port.


NOTE: On a given port, if the intrusion action is to send an SNMP trap and then disable the port (send-disable), and an intruder is detected on the port, then the switch sends an SNMP trap, sets the port's alert flag, and disables the port. If you re-enable the port without resetting the port's alert flag, then the port operates as follows:

  • The port comes up and will block traffic from unauthorized devices it detects.

  • If the port detects another intruder, it will send another SNMP trap, but will not become disabled again unless you first reset the port's intrusion flag.



This operation enables the port to continue passing traffic for authorized devices while you take the time to locate and eliminate the intruder. Otherwise, the presence of an intruder could cause the switch to repeatedly disable the port.


Checking for intrusions, listing intrusion alerts, and resetting alert flags (Menu)

The menu interface indicates per-port intrusions in the Port Status screen, and provides details and the reset function in the Intrusion Log screen.

  1. From the Main Menu select:

    1. Status and Counters

    4. Port Status

    Port status screen with intrusion alert on port 3

  2. Type [I] (Intrusion log) to display the Intrusion Log.

    The Intrusion Log display

    This example shows two intrusions for port 3 and one intrusion for port 1. In this case, only the most recent intrusion at port 3 has not been acknowledged (reset). This is indicated by the following:

    • Because the Port Status screen (Port status screen with intrusion alert on port 3) does not indicate an intrusion for port 1, the alert flag for the intrusion on port 1 has already been reset.

    • Since the switch can show only one uncleared intrusion per port, the alert flag for the older intrusion for port 3 in this example has also been previously reset.

    The intrusion log holds up to 20 intrusion records and deletes an intrusion record only when the log becomes full and a new intrusion is subsequently detected.


    NOTE: The "prior to" text in the record for the earliest intrusion means that a switch reset occurred at the indicated time and that the intrusion occurred prior to the reset.


  3. To acknowledge the most recent intrusion entry on port 3 and enable the switch to enter a subsequently detected intrusion on this port, type [R] (Reset alert flags).

    Note that if there are unacknowledged intrusions on two or more ports, this step resets the alert flags for all such ports.

If you then re-display the port status screen, you will see that the Intrusion Alert entry for port 3 has changed to "No". That is, your evidence that the Intrusion Alert flag has been acknowledged (reset) is that the Intrusion Alert column in the port status display no longer shows "Yes" for the port on which the intrusion occurred (port 3 in this example). (Because the Intrusion Log provides a history of the last 20 intrusions detected by the switch, resetting the alert flags does not change its content. Thus, displaying the Intrusion Log again will result in the same display as in The Intrusion Log display, above.)

Checking for intrusions, listing intrusion alerts, and resetting alert flags (CLI)

The following commands display port status, including whether there are intrusion alerts for any ports, list the last 20 intrusions, and either reset the alert flag on all ports or for a specific port for which an intrusion was detected. The record of the intrusion remains in the log. For more information, see Operating notes for port security.

Syntax:

show interfaces brief

List intrusion alert status (and other port status information).

show port-security intrusion-log

List intrusion log content.

clear intrusion-flags

Clear intrusion flags on all ports.

port-security [e] <port-number> clear-intrusion-flag

Clear the intrusion flag on one or more specific ports.

Example:

In the following example, executing show interfaces brief lists the switch port status, indicating an intrusion alert on port 1.

An unacknowledged intrusion alert in a port status display

To see the details of the intrusion, enter the show port-security intrusion-log command. For example:

The intrusion log with multiple entries for the same port

The above example shows three intrusions for port 1. Since the switch can show only one uncleared intrusion per port, the older two intrusions in this example have already been cleared by earlier use of the clear intrusion-flags or the port-security <port-list> clear-intrusion-flag command. The intrusion log holds up to 20 intrusion records, and deletes intrusion records only when the log becomes full and new intrusions are subsequently added. The "prior to" text in the record for the third intrusion means that a switch reset occurred at the indicated time and that the intrusion occurred prior to the reset.

To clear the intrusion from port 1 and enable the switch to enter any subsequent intrusion for port 1 in the Intrusion Log, execute the port-security clear-intrusion-flag command. If you then re-display the port status screen, you will see that the Intrusion Alert entry for port 1 has changed to "No". (Executing show port-security intrusion-log again will result in the same display as above, and does not include the Intrusion Alert status.)

HP Switch(config)# port-security 1 clear-intrusion-flag
HP Switch(config)# show interfaces brief

Port status screen after alert flags reset

For more on clearing intrusions, see Keeping the intrusion log current by resetting alert flags.

Using the Event Log to find intrusion alerts (CLI)

The Event Log lists port security intrusions as:

W MM/DD/YY HH:MM:SS FFI: port A3 — Security Violation

where "W" is the severity level of the log entry and FFI is the system module that generated the entry. For further information, display the Intrusion Log with show port-security intrusion-log, as described above.

From the manager or Configuration level:

Syntax:

log <search-text>

For <search-text>, use ffi, security, or violation.
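The Event Log entry format and the log <search-text> filter described above can be reproduced offline on captured log text. This is an added example, not part of the original guide: it runs the same case-insensitive substring filter over a constructed Event Log excerpt, then extracts the port from each FFI "Security Violation" entry and counts violations per port.

```python
import re
from collections import Counter

# Constructed Event Log excerpt in the format shown above. The non-FFI entries
# are included to show what the search filter leaves out.
EVENT_LOG = """\
I 03/07/11 10:15:02 ports: port 1 is now on-line
W 03/07/11 10:18:43 FFI: port A3 — Security Violation
I 03/07/11 14:01:50 ports: port 1 is now off-line
W 03/07/11 14:02:11 FFI: port 1 — Security Violation
W 03/07/11 21:09:34 FFI: port A3 — Security Violation
"""

# <severity> <MM/DD/YY HH:MM:SS> <module>: <message>
ENTRY_RE = re.compile(
    r"^(?P<sev>[A-Z])\s+(?P<when>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<module>\w+):\s+(?P<msg>.*)$"
)
# Accept either an em dash or a plain hyphen between the port and the message.
PORT_RE = re.compile(r"port\s+(?P<port>[A-Za-z]?\d+)\s+[—-]\s+Security Violation")

def log_search(text, search_text):
    """Mimic `log <search-text>`: keep entries containing the text, case-insensitively."""
    needle = search_text.lower()
    return [ln for ln in text.splitlines() if needle in ln.lower()]

def security_violations(text):
    """Structured FFI 'Security Violation' entries as (severity, timestamp, port)."""
    out = []
    for ln in log_search(text, "violation"):
        m = ENTRY_RE.match(ln)
        if not m or m["module"] != "FFI":
            continue  # not a port-security entry
        p = PORT_RE.search(m["msg"])
        if p:
            out.append((m["sev"], m["when"], p["port"]))
    return out

def violations_per_port(text):
    """Number of security violations the Event Log records for each port."""
    return Counter(port for _, _, port in security_violations(text))
```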

Log listing with and without detected security violations

For more Event Log information, see "Using the Event Log to identify problem sources" in the Management and Configuration Guide for your switch.