We are using a PIX 515 within our company. The only problem not solved yet is the alerting and reporting by the PIX. SNMP traps and syslogd are configured and sent to a Linux server and stored in files. For logging, this is ok, but what possibilities do I have if I want an alert (e.g. email) to be sent if a portscan or other attack happens? Do I have to write my own parser? I hope there is a Linux tool which helps me out to filter for certain messages and take the appropriate action, or any other alerting mechanism. I couldn't find any useful information on Cisco's website.
There are two Windows products that might help you. The first is PIX Firewall Manager, which has some basic reporting and alerting. This is available on Cisco's site. The other is by Cisco's partner at www.opensystems.com, called Private I. I know of nothing for a Unix platform. You might also consider IDS for intrusion detection and scanning capabilities.
PIX 6.x comes with some basic IDS capabilities. If you were to configure the PIX IDS to send alerts to the Linux syslog server, you could use something like the program swatch to watch the syslog file and send an alert based on a string match.
Swatch is a small Perl program that is set up to watch a log file for a string and, when it sees the string, can be set up to send an email. Basic, but it works.
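An added example, not posted by anyone in this thread: the string-match-and-mail approach described above, written as a small Python script instead of a swatch configuration so the throttling logic is visible. It assumes the PIX writes its IDS signature messages with syslog message IDs starting "4000" (the `%PIX-4-4000xx` family) and that the mail address, SMTP host and the sample log lines are constructed placeholders.

```python
import re
import smtplib
from email.message import EmailMessage
from collections import defaultdict
from datetime import datetime, timedelta

# PIX syslog lines look like "%PIX-<severity>-<message_id>: <text>".
# Assumption for this example: IDS signature messages use IDs in the 4000xx range.
PIX_MSG_RE = re.compile(r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)")

# Constructed sample lines for this example, not real PIX output.
SAMPLE_LOG = """\
Jan 10 12:00:01 pix %PIX-6-302013: Built outbound TCP connection 1 for outside:10.0.0.5/80
Jan 10 12:00:02 pix %PIX-4-400013: IDS:2003 ICMP redirect from 192.0.2.9 to 10.0.0.1 on interface outside
Jan 10 12:00:02 pix %PIX-4-400013: IDS:2003 ICMP redirect from 192.0.2.9 to 10.0.0.1 on interface outside
Jan 10 12:00:05 pix %PIX-6-106015: Deny TCP (no connection) from 192.0.2.9/4444 to 10.0.0.1/22 flags SYN
Jan 10 13:30:00 pix %PIX-4-400013: IDS:2003 ICMP redirect from 192.0.2.9 to 10.0.0.1 on interface outside
"""


def parse_pix_line(line):
    """Return (severity, message_id, text) for a PIX syslog line, else None."""
    m = PIX_MSG_RE.search(line)
    if not m:
        return None
    return int(m.group("sev")), m.group("msgid"), m.group("text")


def syslog_time(line):
    """Classic syslog stamps carry no year; year 1900 is fine for time deltas."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


class Alerter:
    """Decide which lines deserve an alert, throttling repeats per message ID
    so a noisy signature does not flood the mailbox (swatch's 'throttle')."""

    def __init__(self, watch_prefixes=("4000",), throttle=timedelta(hours=1)):
        self.watch_prefixes = watch_prefixes
        self.throttle = throttle
        self.last_sent = {}               # msgid -> time of the last alert
        self.suppressed = defaultdict(int)  # msgid -> repeats dropped

    def should_alert(self, msgid, now):
        last = self.last_sent.get(msgid)
        if last is not None and now - last < self.throttle:
            self.suppressed[msgid] += 1
            return False
        self.last_sent[msgid] = now
        return True

    def process(self, line, now):
        parsed = parse_pix_line(line)
        if parsed is None:
            return None
        sev, msgid, text = parsed
        if not msgid.startswith(self.watch_prefixes):
            return None
        if not self.should_alert(msgid, now):
            return None
        return {"msgid": msgid, "severity": sev, "text": text}


def scan(lines, alerter=None):
    """Run every line through the alerter and return the alerts raised."""
    alerter = alerter or Alerter()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        hit = alerter.process(line, syslog_time(line))
        if hit:
            alerts.append(hit)
    return alerts


def send_alert(alert, to_addr, smtp_host="localhost"):
    """Mail one alert; this is the equivalent of swatch's 'mail' action."""
    msg = EmailMessage()
    msg["Subject"] = f"PIX IDS alert {alert['msgid']}"
    msg["From"] = "pix-alerts@example.invalid"   # placeholder sender
    msg["To"] = to_addr
    msg.set_content(alert["text"])
    with smtplib.SMTP(smtp_host) as s:
        s.send_message(msg)


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(a)  # in production: send_alert(a, "admin@example.invalid")
```

Run against the sample, the first and third IDS lines produce alerts and the duplicate in between is suppressed by the one-hour throttle; for a live syslog file the same `Alerter` can be fed from a tail loop over the file instead of `SAMPLE_LOG`.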