
alerting / reporting pix 515

hborn
Level 1

hi there

We are using a PIX 515 within our company. The only problem not solved yet is the alerting and reporting by the PIX. SNMP traps and syslogd are configured and sent to a Linux server and stored in files. For logging, this is OK, but what possibilities do I have if I want an alert (e.g. email) to be sent if a portscan or other attack happens? Do I have to write my own parser? I hope there is a Linux tool which helps me out to filter for certain messages and take the appropriate action, or any other way of alerting mechanism. I couldn't find any useful information on Cisco's website.

thanks so much for your effort.

hans

2 Replies

a-vazquez
Level 6

There are two Windows products that might help you. The first is PIX Firewall manager which has some basic reporting and alerting. This is available on Cisco’s site. The other is by Cisco’s partner at www.opensystems.com called Private I. I know of nothing for a unix platform. You might also consider IDS for intrusion detection and scanning capabilities.

bhose
Level 1

Hi Hans,

PIX 6.X comes with some basic IDS capabilities. If you were to configure the PIX IDS to send alerts to the Linux syslog server, you could use something like the program swatch to watch the syslog file and send an alert based on a string match.

Swatch is a small Perl program that is set up to watch a log file for a string, and when it sees the string it can be set up to send an email. Basic, but it works.

Regards Brett
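
The string-match-and-mail approach described in the reply above, sketched in Python as an added example (it is not code from this thread and it is not swatch itself). It assumes PIX IDS syslog lines of the form `%PIX-4-4000nn: IDS:<sig> <text> from <src> to <dst> on interface <name>`; the sample lines, addresses, threshold and mail addresses are constructed.

```python
import re
from collections import defaultdict
from email.message import EmailMessage

# Assumed PIX IDS syslog shape:
#   %PIX-4-4000nn: IDS:<sig> <text> from <src> to <dst> on interface <name>
IDS_RE = re.compile(
    r"%PIX-\d-(?P<msgid>4000\d\d): IDS:(?P<sig>\d+) (?P<text>.+?) "
    r"from (?P<src>\S+) to (?P<dst>\S+) on interface (?P<ifname>\S+)"
)

# Constructed sample lines (documentation address ranges), not real logs.
SAMPLE = [
    "Mar  3 10:15:01 pix515 %PIX-4-400026: IDS:3040 TCP NULL flags from 198.51.100.7 to 192.0.2.10 on interface outside",
    "Mar  3 10:15:01 pix515 %PIX-4-400027: IDS:3041 TCP SYN+FIN flags from 198.51.100.7 to 192.0.2.10 on interface outside",
    "Mar  3 10:15:02 pix515 %PIX-6-302001: Built outbound TCP connection 1234 for faddr 203.0.113.9/80 gaddr 192.0.2.20/1025 laddr 10.0.0.5/1025",
    "Mar  3 10:15:02 pix515 %PIX-4-400028: IDS:3042 TCP FIN only flags from 198.51.100.7 to 192.0.2.10 on interface outside",
    "Mar  3 10:15:09 pix515 %PIX-4-400014: IDS:2004 ICMP echo request from 203.0.113.5 to 192.0.2.10 on interface outside",
]

def parse_ids_line(line):
    """Return the fields of a PIX IDS message, or None for any other line."""
    m = IDS_RE.search(line)
    return m.groupdict() if m else None

def summarize(lines, threshold=3):
    """One alert string per source address with at least `threshold` IDS hits."""
    hits = defaultdict(list)
    for line in lines:
        event = parse_ids_line(line)
        if event:
            hits[event["src"]].append(event)
    alerts = []
    for src, events in sorted(hits.items()):
        if len(events) >= threshold:
            sigs = ", ".join(sorted({e["sig"] for e in events}))
            alerts.append(f"{len(events)} IDS events from {src} (signatures {sigs})")
    return alerts

def build_mail(alerts, sender="pix-watch@example.com", rcpt="admin@example.com"):
    """Batch all alerts into one message so a scan does not flood the mailbox."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, rcpt
    msg["Subject"] = f"{len(alerts)} PIX IDS alert(s)"
    msg.set_content("\n".join(alerts))
    return msg

if __name__ == "__main__":
    # To deliver, hand the message to smtplib.SMTP("localhost").send_message().
    print(build_mail(summarize(SAMPLE)))
```

Grouping by source and mailing once per batch keeps a single scan from generating one email per packet, which a plain per-line string match would do.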
