08-04-2003 10:59 AM - edited 02-20-2020 10:54 PM
Hi,
Just a quick question. I'm running a PIX 506 with software version 6.3. I was asked to look into configuring the IDS part of the firewall. Are there any white papers explaining how to configure it properly? I have experience with Cisco's firewalls but I'm fairly new to IDS. Any help would be greatly appreciated.
08-04-2003 03:47 PM
Keep in mind that PIX IDS is very limited, it only looks for 59 signatures, a very small subset of the over 300 that a proper IDS system will detect. In addition to that the signatures are not updated in a very timely fashion.
Here's the command reference:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#1101884
The subset of signatures that the PIX IDS will look for and report on is listed here:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63syslog/pixemsgs.htm#1138590
The two commands you see initially in a lot of configurations:
ip audit info action alarm
ip audit attack action alarm
set up the default action for both info and attack alarms (see the link above for which ones are which).
In its simplest form, all you need to do is define an audit process and
apply it to an interface. The PIX is different to IOS however, in that you
can't specify an info policy AND an attack policy with the same name. You have
to do the following:
ip audit name test1 info action alarm
ip audit name test2 attack action alarm drop reset
then add both to the interface (note each interface can have two policies
assigned, one info and one attack):
ip audit interface outside test1
ip audit interface outside test2
If you want to change the actions, you have to remove the name and then re-add
it with the new actions.
Now when you ping the interface you'll get the following on the console:
400014: IDS:2004 ICMP echo request from 172.18.124.142 to 172.18.124.148 on
interface outside
You can disable particular signatures with the same command as IOS:
ip audit signature 2004 disable
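Since the post above shows the console message the PIX emits when a signature fires (message 400014, signature 2004), the following is an added example (not from the original post, and not Cisco code) of how a defender could parse those alerts out of a log feed and count them per source. It assumes the message body format shown in the post, optionally preceded by the usual "%PIX-<level>-<msgid>:" syslog prefix; the log lines it runs on are constructed for the example, and the threshold helper is an assumption about how one might flag a noisy source, not a PIX feature.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Body format as shown in the post:
#   400014: IDS:2004 ICMP echo request from <src> to <dst> on interface <name>
# When sent to a syslog server the same message carries a "%PIX-4-400014:" prefix,
# so the prefix is accepted but optional. The 4000xx message-ID range is the PIX
# IDS alert range (assumption based on the 400014 example in the post).
IDS_RE = re.compile(
    r"(?:%PIX-\d-)?(?P<msgid>4000\d\d):\s*IDS:(?P<sig>\d+)\s+"
    r"(?P<desc>.+?)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"\s+on\s+interface\s+(?P<iface>\S+)"
)


@dataclass
class IdsAlert:
    msgid: str
    signature: int
    description: str
    src: str
    dst: str
    interface: str


def parse_ids_alert(line: str) -> Optional[IdsAlert]:
    """Return an IdsAlert for a PIX IDS message, or None for any other line."""
    m = IDS_RE.search(line)
    if not m:
        return None
    return IdsAlert(
        msgid=m["msgid"],
        signature=int(m["sig"]),
        description=m["desc"],
        src=m["src"],
        dst=m["dst"],
        interface=m["iface"],
    )


def parse_log(lines: Iterable[str]) -> List[IdsAlert]:
    """Keep only the lines that are IDS alerts; non-IDS PIX messages are dropped."""
    return [a for a in (parse_ids_alert(ln) for ln in lines) if a is not None]


def alerts_by_source(alerts: Iterable[IdsAlert], signature: Optional[int] = None) -> Counter:
    """Count alerts per source address, optionally restricted to one signature ID."""
    return Counter(a.src for a in alerts if signature is None or a.signature == signature)


def sources_exceeding(alerts: Iterable[IdsAlert], signature: int, threshold: int) -> List[str]:
    """Sources that triggered `signature` at least `threshold` times (hypothetical triage rule)."""
    counts = alerts_by_source(alerts, signature)
    return sorted(src for src, n in counts.items() if n >= threshold)


# Constructed sample log: the console line from the post, the same alert in syslog
# form, a second source, and one non-IDS connection message that must be ignored.
SAMPLE_LOG = [
    "400014: IDS:2004 ICMP echo request from 172.18.124.142 to 172.18.124.148 on interface outside",
    "%PIX-4-400014: IDS:2004 ICMP echo request from 172.18.124.142 to 172.18.124.148 on interface outside",
    "%PIX-4-400014: IDS:2004 ICMP echo request from 10.0.0.5 to 172.18.124.148 on interface outside",
    "%PIX-6-302013: Built outbound TCP connection 12 for outside:10.0.0.5/80 (10.0.0.5/80) to inside:192.168.1.10/4321 (192.168.1.10/4321)",
]

if __name__ == "__main__":
    alerts = parse_log(SAMPLE_LOG)
    for a in alerts:
        print(f"sig {a.signature} ({a.description}) {a.src} -> {a.dst} on {a.interface}")
    print("per-source counts for 2004:", dict(alerts_by_source(alerts, 2004)))
    print("sources at or above 2 hits:", sources_exceeding(alerts, 2004, 2))
```

Feed it the output of `logging` sent to a syslog host (or a saved console capture) and the counter shows at a glance which sources are tripping which of the 59 signatures, which is the information you would use to decide whether an attack policy should move from `alarm` to `drop reset` on a given interface.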
08-14-2003 12:24 PM
Sorry for the late reply, I'm aware that it is limited, but management doesn't want to spend that much on IDS. Thanks for your help, I'll definitely take a look into this.