Pix 501 Logs - Where I can see attacks (from hackers)?

admin_2
Level 3

Hi,

How can I see in the Pix 501 logs all the

attacks I had (like port scanning etc.)?

It seems there aren't any.

This information is important for me.

Before using the Pix 501 I was using firewall software (ZoneAlarm),

and it added all the hackers' activities to the logs.

Thanks.

Mark.

4 Replies

yusuff
Cisco Employee

You need to enable 'ip audit', i.e. the IDS feature on the PIX, which scans for common signatures/attacks.

Cisco Intrusion Detection System (Cisco IDS) provides the following for IP-based systems:

Traffic auditing. Application-level signatures will only be audited as part of an active session.

Applies the audit to an interface.

Supports different audit policies. Traffic matching a signature triggers a range of configurable actions.

Disables the signature audit.

Enables IDS and still disables actions of a signature class (informational, attack).

Auditing is performed by looking at the IP packets as they arrive at an input interface; if a packet triggers a signature and the configured action does not drop the packet, then the same packet can trigger other signatures.

PIX Firewall supports both inbound and outbound auditing.

For a complete list of supported Cisco IDS signatures, their wording, and whether they are attack or informational messages, refer to Cisco PIX Firewall System Log Messages.

Supported IDS Signatures

------------------------------------

PIX Firewall lists the following single-packet IDS signature messages: 1000-1006, 1100, 1102, 1103, 2000-2012, 2150, 2151, 2154, 3040-3042, 4050-4052, 6050-6053, 6100-6103, 6150-6155, 6175, 6180, and 6190.

IDS syslog messages all start with %PIX-4-4000nn and have the following format:

%PIX-4-400013 IDS:2003 ICMP redirect from 10.4.1.2 to 10.2.1.1 on interface dmz

%PIX-4-400032 IDS:4051 UDP Snork attack from 10.1.1.1 to 192.168.1.1 on interface outside

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/gl.htm#xtocid9

HTH

R/Yusuf
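The reply above gives the format of the single-packet IDS messages. As an added example (not code from the thread or from Cisco), here is a small Python parser that pulls the signature number, source, destination and interface out of %PIX-4-4000nn lines and tallies them per source, which is the first step in telling a port-scan burst from a one-off informational hit. The two sample lines from the reply are reused; the other log lines, the timestamps, hostname and addresses are constructed for the demo.

```python
import re
from collections import Counter

# Message format quoted in the reply:
#   %PIX-4-4000nn IDS:<sig> <description> from <src> to <dst> on interface <if>
# A syslog collector usually prefixes a timestamp and hostname, so we search
# rather than anchor at the start of the line.
IDS_RE = re.compile(
    r"%PIX-(?P<sev>\d)-(?P<msgid>4000\d\d)\s+IDS:(?P<sig>\d+)\s+"
    r"(?P<desc>.+?)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"\s+on\s+interface\s+(?P<iface>\S+)"
)

# Constructed sample log: the two lines from the reply, two constructed
# IDS hits from one scanner, and one non-IDS connection message.
SAMPLE_LOG = [
    "%PIX-4-400013 IDS:2003 ICMP redirect from 10.4.1.2 to 10.2.1.1 on interface dmz",
    "%PIX-4-400032 IDS:4051 UDP Snork attack from 10.1.1.1 to 192.168.1.1 on interface outside",
    "Mar 10 2003 12:00:01 pix501 %PIX-4-400026 IDS:3040 TCP NULL flags "
    "from 203.0.113.5 to 192.0.2.10 on interface outside",
    "Mar 10 2003 12:00:02 pix501 %PIX-4-400027 IDS:3041 TCP SYN+FIN flags "
    "from 203.0.113.5 to 192.0.2.10 on interface outside",
    "Mar 10 2003 12:00:02 pix501 %PIX-6-302013 Built inbound TCP connection 12 "
    "for outside:203.0.113.5/4321 (203.0.113.5/4321) to inside:192.0.2.10/80 (192.0.2.10/80)",
]


def parse_ids_message(line):
    """Return the fields of one IDS syslog line as a dict, or None if the
    line is not a %PIX-4-4000nn message."""
    m = IDS_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])   # syslog severity (4 = warnings for IDS messages)
    rec["sig"] = int(rec["sig"])   # Cisco IDS signature number
    return rec


def summarize(lines):
    """Parse every line, skipping non-IDS messages, and count hits
    per source address and per signature."""
    parsed = []
    by_src = Counter()
    by_sig = Counter()
    for line in lines:
        rec = parse_ids_message(line)
        if rec is None:
            continue
        parsed.append(rec)
        by_src[rec["src"]] += 1
        by_sig[rec["sig"]] += 1
    return parsed, by_src, by_sig


def noisy_sources(lines, threshold=2):
    """Sources with at least `threshold` IDS hits: candidates for a closer look."""
    _, by_src, _ = summarize(lines)
    return [src for src, n in by_src.most_common() if n >= threshold]


if __name__ == "__main__":
    parsed, by_src, by_sig = summarize(SAMPLE_LOG)
    for rec in parsed:
        print(f"sig {rec['sig']:>5} {rec['desc']:<22} {rec['src']:>15} -> {rec['dst']:<15} ({rec['iface']})")
    print("hits per source:", dict(by_src))
    print("hits per signature:", dict(by_sig))
    print("noisy sources:", noisy_sources(SAMPLE_LOG))
```

Point it at the buffered log or at the syslog server's file once 'ip audit' is actually generating messages; the parser ignores everything that is not an IDS message, so it can be run over the whole log.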

Not applicable

Thanks, I have read the documentation about "ip audit" but I haven't exactly understood what to do.

I have a default Pix 501 configuration.

In the PDM / Monitoring tab / PDMLog / View

I see all the logs but not the %PIX-4-4000nn

attack logs.

How can I enable them?

Is there a specific CLI or PDM command?

Thanks.

Mark.

Hi Mark,

You will need to configure IP Audit, as per the command reference (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/gl.htm#xtocid9) before you will see the %PIX-4-4000nn in the syslog.

The link will take you to commands that you can enter at the command line of PDM or at the console of the firewall.

Not applicable

Thank you,

I use the PIX 501 in a small office installation

and I have seen that the CLI commands are quite difficult.

To test the PIX I have run from the web

some "hacker" tests like port scanning etc.,

and the Pix correctly stops them.

The only problem is that I can't see these attacks in the Pix logs.

The configuration is:

===

ip audit info action alarm

ip audit attack action alarm

===

1) Do I have to change something in the "IP AUDIT" commands or related?

2) Do I have to create a "syslog server", or

can I see the "PIX-4-4000nn" logs in the PDM / Monitoring tab / PDMLogs / View?

Thanks again.

Mark.
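The two lines in the post above only set the default actions for the info and attack signature classes; the reply from Cisco lists two more pieces the feature needs ("Applies the audit to an interface", i.e. a named audit policy bound to an interface) and the %PIX-4-4000nn messages are syslog, so logging must be switched on and sent somewhere at a level that includes severity 4. As an added example (not code from the thread, from Cisco or from the PIX itself), here is a small Python checker that reads a PIX 6.x config fragment and reports which of those pieces is missing. The completed fragment uses the ip audit name / ip audit interface / logging command syntax as I understand it from the PIX 6.2 command reference the replies link to; the interface name, policy names and syslog host address are constructed.

```python
import re

# PIX syslog severity names and numbers; IDS messages are logged at 4 (warnings).
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}
IDS_SEVERITY = 4

# Exactly what the post shows: default actions only.
CONFIG_AS_POSTED = """
ip audit info action alarm
ip audit attack action alarm
"""

# Constructed completion (assumed PIX 6.2 syntax): named policies, bound to
# the outside interface, plus logging to the buffer and to a syslog host.
CONFIG_COMPLETE = """
ip audit info action alarm
ip audit attack action alarm
ip audit name outside_info info action alarm
ip audit name outside_attack attack action alarm drop reset
ip audit interface outside outside_info
ip audit interface outside outside_attack
logging on
logging timestamp
logging buffered warnings
logging trap warnings
logging host inside 192.168.1.10
"""


def _level(token):
    """Logging commands accept either a level name or its number."""
    return int(token) if token.isdigit() else LEVELS.get(token)


def check_ids_logging(config_text):
    """Return a list of reasons why %PIX-4-4000nn messages would not show up
    for this config; an empty list means every required piece is present."""
    names = set()          # policies defined with 'ip audit name'
    bound = []             # (interface, policy) pairs from 'ip audit interface'
    dests = {}             # logging destination -> level (None if no level)
    logging_on = False
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"ip audit name (\S+) (info|attack)\b", line)
        if m:
            names.add(m.group(1))
            continue
        m = re.match(r"ip audit interface (\S+) (\S+)$", line)
        if m:
            bound.append((m.group(1), m.group(2)))
            continue
        if line == "logging on":
            logging_on = True
            continue
        m = re.match(r"logging (buffered|trap|console|monitor) (\S+)$", line)
        if m:
            dests[m.group(1)] = _level(m.group(2))
            continue
        if line.startswith("logging host "):
            dests.setdefault("host", None)

    problems = []
    if not names:
        problems.append("no 'ip audit name' policy: the 'ip audit info/attack action' "
                        "lines only set default actions, they audit nothing by themselves")
    for iface, policy in bound:
        if policy not in names:
            problems.append(f"'ip audit interface {iface} {policy}' references an undefined policy")
    if not bound:
        problems.append("no 'ip audit interface' binding, so auditing never runs on any interface")
    if not logging_on:
        problems.append("'logging on' missing, so no syslog messages are generated")
    for dest, level in dests.items():
        if level is not None and level < IDS_SEVERITY:
            problems.append(f"'logging {dest}' level {level} is below severity "
                            f"{IDS_SEVERITY}, so IDS messages are filtered out")
    if not dests:
        problems.append("no logging destination (buffered, trap + host, ...) configured")
    return problems


if __name__ == "__main__":
    for label, cfg in (("as posted", CONFIG_AS_POSTED), ("completed", CONFIG_COMPLETE)):
        print(f"{label}: {check_ids_logging(cfg) or 'ok'}")
```

Feed it the output of 'show running-config' from the firewall; the check on the logging level matters because a buffer or trap level of errors or below silently discards the severity-4 IDS messages even when 'ip audit' is fully configured.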
