The PIX (or any other firewall log) will not show all possible connections. Assume that a host in a DMZ is hacked; the attacker will try to connect to other hosts in the DMZ. If these connections are not normal, an IDS system will detect them, but the firewall log does not include any entry, because the network borders are not crossed.
The Sensor can be configured to alarm on TCP connections (3000 signatures) and UDP traffic (4000 signatures). You can use the filter mechanism (RecordofExclude) to filter out all alarms except the ones you are interested in detecting. The mechanics of the configuration differ depending on whether you are using CSPM or the Unix Director. So yes, the IDS can be tailored for this scenario.
Now to use your example, I would have a couple of questions.
1) Where is your Sensor placed? If it is behind a firewall and a connection request is made for TCP port 666, the Sensor would not see this if it is also behind the firewall and this port is being blocked.
2) Are you also going to monitor any outgoing connections from this web server? As mentioned, if a hacker does gain access and attempts to initiate outbound connections, is this allowed or blocked?
The sensor will be placed behind a firewall. Otherwise it would not make any sense for this scenario for me. Please correct me if I'm wrong, but the signatures 3000 and 4000 react on some selected ports and not on all ports. It is better than nothing, but not exactly what I want.
The basic idea is to report any behaviour that is not allowed by the policy. This answers question 2. It has to monitor every connection, incoming and outgoing, and report any policy breaks. If a web server, for example, is hacked, the attacker will try to use it as a hop to the next hosts in the DMZ, except for web defacements. A sensor placed inside of a DMZ would recognize the unusual connection attempts and give us the ability to check the machine for intruders.
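As an added illustration of the point made in this thread (not code from the original posts), a small policy check over constructed connection records: it flags every flow the DMZ policy does not allow and tags whether a border firewall could have logged it or only an inside-DMZ sensor could have seen it. The DMZ range, the policy entries and the sample flows are all constructed assumptions.

```python
import ipaddress
from typing import NamedTuple

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int

# Constructed example DMZ range (assumption, not from the thread).
DMZ = ipaddress.ip_network("192.0.2.0/24")

# The policy: flows the DMZ design permits. "*" matches any address.
ALLOWED = [
    Flow("*", "192.0.2.10", "tcp", 80),             # anyone may reach the web server
    Flow("192.0.2.10", "192.0.2.20", "tcp", 3306),  # web server may query the DB server
]

def matches(rule: Flow, flow: Flow) -> bool:
    """A rule field of "*" is a wildcard; every other field must be equal."""
    return all(r == "*" or r == f for r, f in zip(rule, flow))

def permitted(flow: Flow) -> bool:
    return any(matches(rule, flow) for rule in ALLOWED)

def visibility(flow: Flow) -> str:
    """'firewall' if the flow crosses the DMZ border (so it lands in the firewall log);
    'sensor-only' if both ends are inside the DMZ and only an internal sensor sees it."""
    src_in = ipaddress.ip_address(flow.src) in DMZ
    dst_in = ipaddress.ip_address(flow.dst) in DMZ
    return "firewall" if src_in != dst_in else "sensor-only"

def policy_breaks(flows):
    """Every flow the policy does not allow, tagged with who could have observed it."""
    return [(f, visibility(f)) for f in flows if not permitted(f)]

def missed_by_firewall_log(flows):
    """Policy breaks that never appear in a border firewall log."""
    return [f for f, vis in policy_breaks(flows) if vis == "sensor-only"]

# Constructed sample of observed connections.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "192.0.2.10", "tcp", 80),   # client -> web server: allowed
    Flow("192.0.2.10", "192.0.2.20", "tcp", 3306),  # web -> DB: allowed, sensor-only
    Flow("192.0.2.10", "192.0.2.20", "tcp", 22),    # web -> DB on SSH: break, sensor-only
    Flow("192.0.2.10", "203.0.113.9", "tcp", 666),  # web -> outside: break, firewall sees it
]
```

Run over SAMPLE_FLOWS, policy_breaks reports two breaks, and missed_by_firewall_log shows that the web-to-DB SSH attempt is the one only the sensor inside the DMZ can catch.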