Why PIX's IDS can't detect a port scan? [7:59052]
Hi..

I implemented IDS on both the PIX firewall's outside and inside interfaces, but when I do a port scan on my PIX firewall's inside interface IP, I can't see any IDS alarm in my PIX log. Why? Below is my IDS config on my PIX inside interface.

ip audit name inside-attack attack action alarm
ip audit name inside-info info action alarm
ip audit interface inside inside-info
ip audit interface inside inside-attack
nameif ethernet0 outside security0
nameif ethernet1 inside security100

Q2) By the way, how do I add a new IDS signature to our PIX config? Upgrade the PIX Device Manager?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=59052t=59052
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Why PIX's IDS can't detect a port scan? [7:59052]
Do you have a syslog server set up?

From: Kenny Smith
Date: 2002/12/12 Thu AM 03:44:10 EST
To: [EMAIL PROTECTED]
Subject: Why PIX's IDS can't detect a port scan? [7:59052]

Greg Owens
202-398-2552
Re: Why PIX's IDS can't detect a port scan? [7:59052]
Hi Hato,

Could you recommend an IDS?
RE: Why PIX's IDS can't detect a port scan? [7:59052]
PIX IDS is very simple. You have only 20 predefined attacks that are checked. To allow PIX to detect a port scan, Cisco should rewrite a large part of the code of the IDS. PIX IDS is only a support to the Cisco IDS solution (IDS Sensors/Directors and so on), which has the same problem too: Cisco IDS is very limited in functionality, because Cisco tries to push more on scalability. What IDS do you need? There are better and free IDSs on the internet (no matter what Cisco says).

-Original Message-
From: alaerte Vidali [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 12, 2002 6:31 PM
To: [EMAIL PROTECTED]
Subject: Re: Why PIX's IDS can't detect a port scan? [7:59052]
RE: Why PIX's IDS can't detect a port scan? [7:59052]
Hi,

Could you indicate some free ones for Unix Solaris?

Alaerte

Delian Delchev @groupstudy.com on 12/12/2002 13:46:02
Please reply to Delian Delchev
Sent by: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc:
Subject: RE: Why PIX's IDS can't detect a port scan? [7:59052]
RE: Why PIX's IDS can't detect a port scan? [7:59052]
Here is an email that was sent to the list a while back, and because you have Unix experience you should have zero problems getting this going in a few hours.

Spend no money and do this; read my how-to here: http://www.homenethelp.com/openbsd/bsd-firewall.asp

This box can then also be used as an IDS so you can track the hacking. I have had plenty of people email me saying it works great; it is simple and written so boneheads like me can understand it. So if I can do it, I know you can too. This makes your ISP happy and also you happy because it keeps money in your pocket.

Elijah
Come ride the rage
http://www.digitalrage.org

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 12, 2002 12:45 PM
To: [EMAIL PROTECTED]
Subject: RE: Why PIX's IDS can't detect a port scan? [7:59052]
Re: Why PIX's IDS can't detect a port scan? [7:59052]
Hi.. Groups,

FYI, I have syslog turned on. In fact, I found some IDS alarm messages in my syslog (as shown below) when I ping from 100.198.165.199 (inside) to 192.168.3.21 (outside). I feel this is an unnecessary IDS alarm. But when I do a port scan on my PIX inside IP (100.198.167.201), it doesn't give me any alarm.

Dec 12 11:22:31 100.198.167.201 Dec 12 2002 04:05:49: %PIX-4-400014: IDS:2004 ICMP echo request from 100.198.165.199 to 192.168.3.21 on interface inside
Dec 12 11:22:31 100.198.167.201 Dec 12 2002 04:05:49: %PIX-4-400010: IDS:2000 ICMP echo reply from 192.168.3.21 to 192.168.3.101 on interface outside

I think PIX IDS is really not that good.

Thanks and Regards
Kenny

From: Juli Hato
Reply-To: Juli Hato
To: [EMAIL PROTECTED]
Subject: Re: Why PIX's IDS can't detect a port scan? [7:59052]
Date: Thu, 12 Dec 2002 09:23:48 GMT

Hello Kenny,

Make sure the logging system is on. Logging to a syslog server:

logging on
logging host inside xxx.xxx.xxx.xxx

You cannot upgrade the PIX Firewall signatures. PIX only monitors for 59 signatures. Need more signatures? Then go to IDS. An IDS can monitor up to 300 or more signatures. The Cisco PIX Device Manager is no more than a GUI configuration tool.

Best Regards,
HATO

From: Kenny Smith
Reply-To: Kenny Smith
To: [EMAIL PROTECTED]
Subject: Why PIX's IDS can't detect a port scan? [7:59052]
Date: Thu, 12 Dec 2002 08:44:10 GMT
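The thread's conclusion is that the PIX signature set will not raise a port-scan alarm on its own, while the syslog server does receive what the firewall logs. The following is an added example (not from the thread, and not Cisco's code) of doing that correlation on the syslog side: it parses the IDS:xxxx lines Kenny posted and applies a distinct-destination-ports threshold to denied-connection messages. The %PIX-2-106001 "Inbound TCP connection denied" format is assumed from Cisco's PIX syslog documentation, and the deny lines in the sample log are constructed, not captured.

```python
import re
from collections import defaultdict
from datetime import datetime

# IDS:xxxx lines are in the format Kenny posted; the %PIX-2-106001 "Inbound TCP
# connection denied" format is assumed from Cisco's PIX syslog docs, not this thread.
IDS_RE = re.compile(r"%PIX-\d-4000\d\d: IDS:(\d+) (.+?) from (\S+) to (\S+) on interface (\S+)")
DENY_RE = re.compile(r"%PIX-\d-106001: Inbound TCP connection denied from (\S+)/\d+ to (\S+)/(\d+) ")
TS_RE = re.compile(r"(\w{3} \d{1,2} \d{4} \d\d:\d\d:\d\d):")  # PIX-side timestamp (has a year)

def parse_ids_alarms(lines):
    """Return the PIX IDS signature hits (%PIX-4-4000xx) found in the log."""
    hits = []
    for line in lines:
        m = IDS_RE.search(line)
        if m:
            hits.append({"sig": int(m.group(1)), "desc": m.group(2), "src": m.group(3), "dst": m.group(4), "iface": m.group(5)})
    return hits

def detect_port_scans(lines, window_s=60, min_ports=5):
    """Flag a source denied on >= min_ports distinct ports of one destination within
    window_s seconds. PIX IDS signatures do not do this, so the syslog server must."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, dport), ...]
    for line in lines:
        m, t = DENY_RE.search(line), TS_RE.search(line)
        if m and t:
            ts = datetime.strptime(t.group(1), "%b %d %Y %H:%M:%S")
            events[(m.group(1), m.group(2))].append((ts, int(m.group(3))))
    alerts = []
    for (src, dst), evs in sorted(events.items()):
        evs.sort()
        for i, (t0, _) in enumerate(evs):  # window anchored at each event in turn
            ports = {p for t, p in evs[i:] if (t - t0).total_seconds() <= window_s}
            if len(ports) >= min_ports:
                alerts.append({"src": src, "dst": dst, "ports": sorted(ports)})
                break
    return alerts

def _constructed_deny(sec, src, dport):
    # Constructed sample line in the assumed 106001 format (not a real capture).
    return (f"Dec 12 11:23:{sec:02d} 100.198.167.201 Dec 12 2002 04:06:{sec:02d}: "
            f"%PIX-2-106001: Inbound TCP connection denied from {src}/40000 "
            f"to 100.198.167.201/{dport} flags SYN on interface inside")

# Constructed sample log: Kenny's two IDS lines, one host probing seven ports within seconds, one benign host denied once.
SAMPLE_LINES = [
    "Dec 12 11:22:31 100.198.167.201 Dec 12 2002 04:05:49: %PIX-4-400014: IDS:2004 ICMP echo request from 100.198.165.199 to 192.168.3.21 on interface inside",
    "Dec 12 11:22:31 100.198.167.201 Dec 12 2002 04:05:49: %PIX-4-400010: IDS:2000 ICMP echo reply from 192.168.3.21 to 192.168.3.101 on interface outside",
] + [_constructed_deny(s, "100.198.165.50", p) for s, p in enumerate([21, 22, 23, 25, 80, 443, 3389])]
SAMPLE_LINES.append(_constructed_deny(30, "100.198.165.77", 80))
```

Feed it the lines from the syslog server (one string per line); only the IDS parser depends on the format shown in the thread, the scan heuristic depends on whatever deny message your configuration actually emits.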