Hi.. Groups,

FYI, I have syslog turned on. In fact, I found some IDS alarm messages in my syslog (as shown below) when I ping from 100.198.165.199 (inside) to 192.168.3.21 (outside). I feel this is an unnecessary IDS alarm. But when I do a portscan on my PIX inside IP (100.198.167.201), it doesn't give me any alarm.

Dec 12 11:22:31 100.198.167.201 Dec 12 2002 04:05:49: %PIX-4-400014: IDS:2004 ICMP echo request from 100.198.165.199 to 192.168.3.21 on interface inside
Dec 12 11:22:31 100.198.167.201 Dec 12 2002 04:05:49: %PIX-4-400010: IDS:2000 ICMP echo reply from 192.168.3.21 to 192.168.3.101 on interface outside

I think PIX IDS is really not that good

Thanks and Regards
Kenny

>From: "Juli Hato"
>Reply-To: "Juli Hato"
>To: [EMAIL PROTECTED]
>Subject: Re: Why PIX's IDS can't detect a port scan? [7:59052]
>Date: Thu, 12 Dec 2002 09:23:48 GMT
>
>Halo Kenny,
>
>Make sure the logging system is on:
>---- Logging to sys-log server-------
>Logging on
>Logging host Inside xxx.xxx.xxx.xxx
>
>You cannot upgrade the PIX Firewall Signature. PIX only monitors for 59
>signatures. Need more signatures? Then go to IDS. An IDS can monitor up to
>300 or more signatures.
>
>The Cisco PIX Device Manager is no more than a GUI configuration tool.
>
>Best Regards,
>HATO
>
> >From: "Kenny Smith"
> >Reply-To: "Kenny Smith"
> >To: [EMAIL PROTECTED]
> >Subject: Why PIX's IDS can't detect a port scan? [7:59052]
> >Date: Thu, 12 Dec 2002 08:44:10 GMT
> >
> >Hi.. I implemented IDS in both PIX firewall outside and inside interface,
> >but when I do a portscan on my PIX firewall's inside interface IP, I can't
> >see any IDS alarm on my PIX log. Why? Below is my IDS config on my PIX
> >inside interface.
> >
> >ip audit name inside-attack attack action alarm
> >ip audit name inside-info info action alarm
> >
> >ip audit interface inside inside-info
> >ip audit interface inside inside-attack
> >
> >nameif ethernet0 outside security0
> >nameif ethernet1 inside security100
> >
> >************************************************************************
> >
> >Q2) By the way, how to add a new IDS signature to our PIX config? upgrade
> >the PIX Device Manager?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=59150&t=59052
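
A parser for the %PIX-4-4000nn IDS syslog lines quoted in this thread, added here as an example and not code from either poster: it pulls out the signature ID, signature name, addresses and interface so alarms can be tallied per signature when triaging noisy informational hits such as the ICMP echo ones above. The function names are hypothetical, and the sample input is the two log lines from the post.

```python
import re
from collections import Counter

IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# Matches the PIX IDS alarm body shown in the post, e.g.
# %PIX-4-400014: IDS:2004 ICMP echo request from A to B on interface inside
IDS_RE = re.compile(
    r"%PIX-(?P<sev>\d)-(?P<msgid>4000\d\d): IDS:(?P<sig>\d+) (?P<name>.+?) "
    rf"from (?P<src>{IP}) to (?P<dst>{IP}) on interface (?P<ifc>\S+)"
)

# The two log lines quoted in the post (no other data is assumed).
SAMPLE = (
    "Dec 12 11:22:31 100.198.167.201 Dec 12 2002 04:05:49: %PIX-4-400014: "
    "IDS:2004 ICMP echo request from 100.198.165.199 to 192.168.3.21 "
    "on interface inside\n"
    "Dec 12 11:22:31 100.198.167.201 Dec 12 2002 04:05:49: %PIX-4-400010: "
    "IDS:2000 ICMP echo reply from 192.168.3.21 to 192.168.3.101 "
    "on interface outside\n"
)


def parse_ids_alarms(text):
    """Return one dict per PIX IDS alarm found in text.

    finditer is used instead of line-by-line matching so that entries
    which a log viewer has run together on one line are still found.
    Non-IDS syslog lines are ignored.
    """
    alarms = []
    for m in IDS_RE.finditer(text):
        alarm = m.groupdict()
        alarm["sig"] = int(alarm["sig"])
        alarm["sev"] = int(alarm["sev"])
        alarms.append(alarm)
    return alarms


def summarize(alarms):
    """Count alarms per (signature id, signature name, interface)."""
    return Counter((a["sig"], a["name"], a["ifc"]) for a in alarms)


if __name__ == "__main__":
    counts = summarize(parse_ids_alarms(SAMPLE))
    for (sig, name, ifc), n in sorted(counts.items()):
        print(f"IDS:{sig} {name!r} on interface {ifc}: {n}")
```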