No Port Scan/Sweep Signature included. The PIX uses 59 (I think) signatures from the Cisco NetRanger Intrusion Detection product. They chose them from the supposedly worst/most common exploits. I would like to see a feature where an offender could be auto-shunned, such as the real NetRanger product supports with a managed edge router configuration, but I am not holding my breath. It would also be nice if they detected SYN sweeps and blocked/shunned them after 4 successive access attempts in under 2 seconds (similar to the Snort Portscan module). Are you listening Cisco?

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/syslog/pixemsgs.htm#18407
List of Signatures and classifications

If you are interested in IDS look into Snort; it provides far better logging, configuration, and rule writing than the built-in PIX IDS. Not to mention you can run Snort on Windows or Linux. A single sensor could monitor all the firewall interfaces if it had enough network cards. I have run three instances of Snort on the same box without a performance problem (PIII-500/256MB RAM/ATA66 10GB). Each instance can have its own configuration and rule set, or they can share.

For more info check:
www.snort.org - Official site
www.silicondefense.com - Compiled Windows binaries and instructions
Ken Claussen MCSE CCNA CCA
"In Theory it should work as you describe, but the difference between theory and reality is the truth! For this we all strive"

-----Original Message-----
From: David Ishmael [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 16, 2002 12:17 PM
To: [EMAIL PROTECTED]
Subject: PIX IDS Configuration

Hey all, got a quick PIX question for the list. I've got a PIX running version 6.1 and configured the internal IDS according to the documentation as follows:

    ip audit name IDSattack attack action alarm drop reset
    ip audit name IDSinfo info action alarm
    ip audit interface outside IDSinfo
    ip audit interface outside IDSattack

Where 'outside' is the outside interface. I just ran a port scan against an internal server from outside the network and the PIX didn't respond. Does the PIX not have an IDS signature for port scans? Is the configuration wrong? Anybody ever used the PIX IDS?

Any help is always appreciated...

--
David Ishmael, CCNA/IVCP
Sr. Engineer, Windward Consulting Group
2300 Corporate Park Drive Suite 400
Herndon, VA 20171
[EMAIL PROTECTED]
(571) 332-6234
"Engineers don't think outside the box, they redesign it"

EMAIL DISCLAIMER
The information contained in this message, and any attachment, is confidential and proprietary information, and may be legally privileged. It is intended for the above named recipient(s) only and is transmitted in confidence. It should be safeguarded to prevent unauthorized, negligent, or inadvertent use or disclosure. This message is proprietary to Windward Consulting Group, Inc. and may not be disclosed, forwarded, distributed, or reproduced, without the express permission of Windward. If this message is received in error, the sender should be notified and the message and any attachments deleted. Email transmission cannot be guaranteed to be secure or error free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of email transmission. ©2002 Windward Consulting Group, Inc

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
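The reply above wishes the PIX would shun a source after 4 successive access attempts in under 2 seconds, the way the Snort portscan module flags sweeps. As an added illustration (not Cisco, Snort or list-member code), the following Python applies exactly that sliding-window rule to constructed connection records. The record format, the addresses, and the timestamps are all made up for the example; the threshold and window come from the thread. Counting distinct destination/port targets rather than raw SYNs is a design choice here, so that a legitimate client retransmitting a SYN to one port does not get shunned.

```python
"""Sliding-window SYN sweep detector (added example, not Cisco/Snort code).

Rule from the thread: shun a source after 4 successive access attempts in
under 2 seconds. "Attempt" here means a TCP SYN to a distinct (dst, port)
target, which keeps ordinary SYN retransmits to one port from triggering.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

SWEEP_THRESHOLD = 4      # distinct targets within the window that trigger a shun
SWEEP_WINDOW_SECS = 2.0  # length of the sliding window in seconds

# Constructed sample records (format invented for this example):
#   "<epoch seconds> <src ip> <dst ip> <dst port> <tcp flags>"
# 192.0.2.10 sweeps five ports in ~1.3 s; 192.0.2.77 is slow, normal traffic.
SAMPLE_RECORDS = """\
1018973820.10 192.0.2.10 198.51.100.5 22 S
1018973820.40 192.0.2.10 198.51.100.5 23 S
1018973820.90 192.0.2.10 198.51.100.5 25 S
1018973821.30 192.0.2.10 198.51.100.5 80 S
1018973821.35 192.0.2.10 198.51.100.5 443 S
1018973822.00 192.0.2.77 198.51.100.5 80 S
1018973823.10 192.0.2.77 198.51.100.5 80 A
1018973825.00 192.0.2.77 198.51.100.5 443 S
1018973829.00 192.0.2.77 198.51.100.5 25 S
1018973835.00 192.0.2.77 198.51.100.5 22 S
"""


@dataclass(frozen=True)
class Syn:
    ts: float
    src: str
    dst: str
    dport: int


def parse_records(text):
    """Parse the constructed records, keeping only pure SYNs (S set, A clear)."""
    syns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, flags = line.split()
        if "S" in flags and "A" not in flags:
            syns.append(Syn(float(ts), src, dst, int(dport)))
    return syns


def detect_sweeps(syns, threshold=SWEEP_THRESHOLD, window=SWEEP_WINDOW_SECS):
    """Return {src: timestamp_of_shun} for every source that hit `threshold`
    distinct (dst, port) targets inside any `window`-second span."""
    recent = defaultdict(deque)  # src -> deque of (ts, (dst, dport)) still in window
    shunned = {}
    for syn in sorted(syns, key=lambda s: s.ts):
        if syn.src in shunned:
            continue  # already shunned; an enforcement point would drop this packet
        q = recent[syn.src]
        q.append((syn.ts, (syn.dst, syn.dport)))
        # Slide the window: drop entries older than `window` seconds.
        while q and syn.ts - q[0][0] > window:
            q.popleft()
        distinct_targets = {target for _, target in q}
        if len(distinct_targets) >= threshold:
            shunned[syn.src] = syn.ts
    return shunned


if __name__ == "__main__":
    for src, when in detect_sweeps(parse_records(SAMPLE_RECORDS)).items():
        print(f"shun {src} at t={when:.2f}")
```

Run stand-alone it reports only 192.0.2.10, shunned on its fourth distinct target at t=1018973821.30; the slower source never has four targets inside one two-second window, and its ACK record is ignored by the parser.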
