Cisco IDS Alarms


Alarms are a core component of IDS signatures. Here are the fundamental facts about alarms and signatures:

  • An alarm is generated by the Sensor when an enabled signature is triggered.

  • Alarms are stored locally on the Sensor and can be pulled by one or more hosts, which subscribe to the event "feed." The hosts can subscribe to the event feed on an as-needed basis.

  • Alarms have a severity level that is assigned through the AlarmSeverity signature engine master parameter.
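To make the subscription model concrete, here is an added example (not from the book or from Cisco's software) of a host that pulls alarms from a Sensor's stored event feed on an as-needed basis, tracking the last event it has already seen and filtering by a minimum severity. The feed line format, the signature IDs and the addresses are all constructed for the example; the real Sensor's event format is not shown on this page and is not assumed here.

```python
from dataclasses import dataclass
from enum import IntEnum


class AlarmSeverity(IntEnum):
    """The four alarm severity levels, ordered so that comparisons work."""
    INFORMATIONAL = 1
    LOW = 2
    MEDIUM = 3
    HIGH = 4


@dataclass(frozen=True)
class Alarm:
    event_id: int        # monotonically increasing id assigned by the Sensor
    signature_id: int    # id of the enabled signature that triggered
    severity: AlarmSeverity
    source: str
    destination: str


# Constructed sample feed (hypothetical format: "<event_id> key=value ...").
SAMPLE_FEED = [
    "1001 sig=2000 sev=informational src=192.0.2.10 dst=192.0.2.20",
    "1002 sig=2001 sev=low src=192.0.2.11 dst=192.0.2.20",
    "1003 sig=2002 sev=medium src=192.0.2.12 dst=192.0.2.20",
    "1004 sig=2003 sev=high src=192.0.2.13 dst=192.0.2.20",
    "1005 sig=2001 sev=low src=192.0.2.14 dst=192.0.2.20",
]


def parse_alarm(line: str) -> Alarm:
    """Parse one constructed feed line; reject unknown severities loudly
    rather than silently dropping an alarm."""
    event_id, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    try:
        severity = AlarmSeverity[kv["sev"].upper()]
    except KeyError as exc:
        raise ValueError(f"unknown severity in event {event_id}: {kv.get('sev')}") from exc
    return Alarm(
        event_id=int(event_id),
        signature_id=int(kv["sig"]),
        severity=severity,
        source=kv["src"],
        destination=kv["dst"],
    )


def pull_alarms(feed, last_seen_id: int, min_severity: AlarmSeverity):
    """Simulate a subscribing host pulling only the alarms it has not seen yet
    (event_id > last_seen_id) that meet its severity threshold. The caller
    keeps the highest event_id returned as its cursor for the next pull."""
    alarms = [parse_alarm(line) for line in feed]
    return sorted(
        (a for a in alarms if a.event_id > last_seen_id and a.severity >= min_severity),
        key=lambda a: a.event_id,
    )


def count_by_severity(feed):
    """Histogram of the whole stored feed, useful for a quick triage summary."""
    counts = {level: 0 for level in AlarmSeverity}
    for line in feed:
        counts[parse_alarm(line).severity] += 1
    return counts


if __name__ == "__main__":
    # First pull: a console that only wants medium and above.
    batch = pull_alarms(SAMPLE_FEED, last_seen_id=0, min_severity=AlarmSeverity.MEDIUM)
    for alarm in batch:
        print(f"{alarm.event_id} {alarm.severity.name:<13} sig {alarm.signature_id} "
              f"{alarm.source} -> {alarm.destination}")
    cursor = max(a.event_id for a in batch)
    # A later pull from the same cursor returns nothing new at this threshold.
    print("new since cursor:", pull_alarms(SAMPLE_FEED, cursor, AlarmSeverity.MEDIUM))
```

Two hosts with different thresholds can subscribe to the same stored feed independently because each keeps its own cursor; the Sensor does not need to know which alarms a given host has consumed.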

Alarm Severity Levels

It's very important to not only recognize the four alarm severity levels, but to be able to articulate them as well. The four alarm severity levels are

  • Informational

  • Low

  • Medium

  • High

The following subsections discuss these levels in detail.

Informational

An informational alarm is generated when the activity that triggered a signature is not considered an immediate threat but might provide some useful information.

Low

An alarm with a severity level of low is generated when abnormal activity is detected but is unlikely to originate from malicious intentions or to cause an immediate threat.

Medium

A medium-level alarm is generated when abnormal activity that could be perceived as malicious is detected and is likely to cause an immediate threat.

High

An alarm with a high severity level is generated when attacks used to gain access or cause a DoS are detected, and an immediate threat is very likely.


Remember that the four alarm severity levels are informational, low, medium, and high.




CSIDS Exam Cram 2 (Exam 642-531)
Year: 2004
Pages: 213