Using ACLs with Named Audit Rules
Sep 15, 2009 00:00 by alperen

A standard ACL can be used to define which traffic an audit rule examines. In the following example, an audit rule named Attack.7 is created that references ACL 25, which is defined later in the configuration. The ACL does not behave the way you might assume if you think of it as filtering interface traffic. When used in this context, the deny statement indicates that the private networks (192.168.0.0 to 192.168.255.0) are not passed through the audit process because they are trusted hosts. All other hosts match the permit any statement and are processed by the audit rule.

Rtr1(config)#ip audit name Attack.7 list 25
Rtr1(config)#access-list 25 deny 192.168.0.0 0.0.255.255
Rtr1(config)#access-list 25 permit any

If some individual hosts or subnets inside the trusted range should still be included in the audit, the following example shows how this can be addressed. The more specific permit entries must come before the deny statement, because the ACL is evaluated top down and the first matching entry decides whether the host is audited.

Rtr1(config)#ip audit name Attack.7 list 25
Rtr1(config)#access-list 25 permit host 192.168.1.117
Rtr1(config)#access-list 25 permit 192.168.100.16 0.0.0.15
Rtr1(config)#access-list 25 permit 192.168.8.0 0.0.1.255
Rtr1(config)#access-list 25 deny 192.168.0.0 0.0.255.255
Rtr1(config)#access-list 25 permit any
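As an added illustration (not part of the original article and not Cisco IOS code), the following Python model evaluates a standard ACL with Cisco wildcard masks in first-match order and reports whether a given source host would be handed to the audit rule: permit means audited, deny (including the implicit deny at the end of every ACL) means skipped. It embeds both ACL 25 variants above as constructed sample input, and the wildcard handling is general rather than limited to the masks on the page.

```python
import ipaddress


def parse_acl(lines):
    """Parse 'access-list <n> permit|deny <spec>' lines into (action, network, wildcard) tuples."""
    entries = []
    for line in lines:
        parts = line.split()
        action, spec = parts[2], parts[3:]
        if spec[0] == "any":                      # matches every address
            net, wild = 0, 0xFFFFFFFF
        elif spec[0] == "host":                   # exact host, wildcard 0.0.0.0
            net, wild = int(ipaddress.IPv4Address(spec[1])), 0
        elif len(spec) == 1:                      # bare address is also a host entry
            net, wild = int(ipaddress.IPv4Address(spec[0])), 0
        else:                                     # network plus wildcard mask
            net = int(ipaddress.IPv4Address(spec[0]))
            wild = int(ipaddress.IPv4Address(spec[1]))
        entries.append((action, net, wild))
    return entries


def matches(src, net, wild):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(src)) & care) == (net & care)


def is_audited(acl, src):
    """First match wins: permit -> audited, deny -> skipped; implicit deny if nothing matches."""
    for action, net, wild in acl:
        if matches(src, net, wild):
            return action == "permit"
    return False


# Constructed sample input: the two ACL 25 definitions from the article.
ACL_25_TRUSTED_ONLY = parse_acl([
    "access-list 25 deny 192.168.0.0 0.0.255.255",
    "access-list 25 permit any",
])
ACL_25_WITH_EXCEPTIONS = parse_acl([
    "access-list 25 permit host 192.168.1.117",
    "access-list 25 permit 192.168.100.16 0.0.0.15",
    "access-list 25 permit 192.168.8.0 0.0.1.255",
    "access-list 25 deny 192.168.0.0 0.0.255.255",
    "access-list 25 permit any",
])
```

Swapping the deny line above the permit entries in ACL_25_WITH_EXCEPTIONS makes every 192.168.x.x host skip the audit again, which is the ordering mistake the model lets you check before pushing a config.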