
New Member

how to determine PortScan attempts ?

Hi,

From the Cisco Pix Firewall logs, is it possible to determine if a "PortScan" attack has occurred?

Appreciate an early reply.

-S-

4 REPLIES
Silver

Re: how to determine PortScan attempts ?

No, I think it is not possible. If you want to track port scan attacks, go for an Intrusion Prevention System (IPS) solution.

Gold

Re: how to determine PortScan attempts ?

Yes, but not without some external tools to parse the PIX logs. Do a Google search on "pix syslog port scan detection" and "pix log analysis".

New Member

Re: how to determine PortScan attempts ?

Thanks for your reply folks.

In Cisco Pix Firewalls, the PIX-ID for "Built {inbound|outbound} TCP connection" is %PIX-6-302013.

Similarly, is there a PIX-ID that corresponds to a Port Scan attempt?

-S-

Re: how to determine PortScan attempts ?

Hi,

There is no syslog message which reports any kind of reconnaissance - and the built-in ip audit signatures don't detect this either.

You can do this with netflow if you have the right software (but not on pix), but by far the best method is signature based because there are so many variations on the theme (i.e. tcp port sweeps, udp port sweeps, distributed port scans, ping sweeps, etc.)

Although you could catch some of these scans with log file analysis you wouldn't catch them all and the amount of logging you'd have to turn on might impact the pix performance.

HTH

Andrew.
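The log-file analysis discussed in this thread, sketched as an added example that is not from any poster or from Cisco: it reads ACL deny messages (`%PIX-4-106023`) and flags a source that is denied on many ports of one host, or on one port across many hosts, within a short window. The 60-second window, the threshold of 5, the hostname `pix-fw`, the ACL name and every log line are constructed assumptions; the slow source in the sample goes unflagged, which is the coverage gap described in the last reply.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# %PIX-4-106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>"
DENY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*%PIX-4-106023: Deny (?P<proto>tcp|udp) "
    r"src \S+?:(?P<src>[\d.]+)/\d+ dst \S+?:(?P<dst>[\d.]+)/(?P<dport>\d+)")

def find_scanners(lines, window=timedelta(seconds=60), threshold=5):
    """Map source IP -> 'port scan' (many ports on one host) or 'port sweep'
    (one port across many hosts), judged over any `window`-long run of denies."""
    events = defaultdict(list)
    for line in lines:
        m = DENY_RE.match(line)
        if m:
            # Syslog timestamps carry no year; 2000 is an arbitrary leap year.
            ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
            events[m["src"]].append((ts, m["dst"], (m["proto"], int(m["dport"]))))
    findings = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            ports_by_host, hosts_by_port = defaultdict(set), defaultdict(set)
            for _, dst, port in evs[start:end + 1]:
                ports_by_host[dst].add(port)
                hosts_by_port[port].add(dst)
            if max(map(len, ports_by_host.values())) >= threshold:
                findings[src] = "port scan"
                break
            if max(map(len, hosts_by_port.values())) >= threshold:
                findings[src] = "port sweep"
                break
    return findings

def sample(ts, src, dst, dport):  # builds one constructed log line
    return (f'Mar 12 {ts} pix-fw %PIX-4-106023: Deny tcp src outside:{src}/40000 '
            f'dst inside:{dst}/{dport} by access-group "outside_in"')

SAMPLE_LOG = (  # constructed input: fast scan, sweep, slow scan, unrelated message
    [sample(f"10:00:0{i}", "203.0.113.7", "192.0.2.10", p) for i, p in enumerate((21, 22, 23, 25, 80, 443))]
    + [sample(f"10:05:0{i}", "203.0.113.50", f"192.0.2.{20 + i}", 445) for i in range(5)]
    + [sample(f"1{i}:00:00", "198.51.100.9", "192.0.2.10", p) for i, p in enumerate((21, 22, 23, 25, 80))]
    + ["Mar 12 10:06:00 pix-fw %PIX-6-302013: Built inbound TCP connection (constructed, ignored)"]
)

if __name__ == "__main__":
    for ip, kind in find_scanners(SAMPLE_LOG).items():
        print(ip, kind)
```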
