PIX 506 enabling IDS

sysadmin
Level 1

Hi,

Just a quick question. I'm running a PIX 506 with software version 6.3. I was asked to look into configuring the IDS part of the firewall. Are there any white papers explaining how to configure it properly? I have experience with Cisco's firewalls but I'm fairly new to IDS. Any help would be greatly appreciated.

2 Replies

gfullage
Cisco Employee

Keep in mind that PIX IDS is very limited: it only looks for 59 signatures, a very small subset of the over 300 that a proper IDS system will detect. In addition to that, the signatures are not updated in a very timely fashion.

Here's the command reference:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#1101884

The subset of signatures that the PIX IDS will look for and report on is listed here:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63syslog/pixemsgs.htm#1138590

The two commands you see initially in a lot of configurations:

ip audit info action alarm

ip audit attack action alarm

set up the default action for both info and attack alarms (see the link above for which ones are which).

In its simplest form, all you need to do is define an audit process and apply it to an interface. The PIX is different to IOS however, in that you can't specify an info policy AND an attack policy with the same name. You have to do the following:

ip audit name test1 info action alarm

ip audit name test2 attack action alarm drop reset

then add both to the interface (note each interface can have two policies assigned, one info and one attack):

ip audit interface outside test1

ip audit interface outside test2

If you want to change the actions, you have to remove the name and then re-add it with the new actions.

Now when you ping the interface you'll get the following on the console:

400014: IDS:2004 ICMP echo request from 172.18.124.142 to 172.18.124.148 on interface outside

You can disable particular signatures with the same command as IOS:

ip audit signature 2004 disable
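
As an added example (not part of the reply above, and not Cisco code), the following script takes the `ip audit` configuration the reply walks through, checks it against the one-info-plus-one-attack-per-interface rule, and then evaluates PIX IDS syslog lines against it to show which action set (alarm only, or alarm drop reset) each event would receive and which events the `ip audit signature ... disable` command silences. The log lines are constructed: only the 400014/2004 line is the one quoted in the reply; the 400xxx message numbers on the other lines are placeholders, and the small info/attack classification table is an assumption that should be confirmed against the PIX 6.3 syslog message guide linked above.

```python
"""Evaluate PIX 6.3 'ip audit' policies against IDS syslog events.

Added example, not from the original post or from Cisco. The configuration is
the one given in the reply above; the log lines are constructed; the
signature-class table is an assumption to verify against the linked syslog guide.
"""
import re
from collections import Counter

# Configuration from the reply: one info and one attack policy bound to
# 'outside', plus the signature-disable command it mentions.
PIX_CONFIG = """\
ip audit name test1 info action alarm
ip audit name test2 attack action alarm drop reset
ip audit interface outside test1
ip audit interface outside test2
ip audit signature 2004 disable
"""

# Constructed sample log. The first line is the console message quoted in the
# reply; the others reuse its layout with a syslog prefix. Message numbers other
# than 400014 are placeholders, not looked-up PIX message IDs.
SAMPLE_LOG = """\
400014: IDS:2004 ICMP echo request from 172.18.124.142 to 172.18.124.148 on interface outside
%PIX-4-400014: IDS:2004 ICMP echo request from 172.18.124.142 to 172.18.124.148 on interface outside
%PIX-4-400000: IDS:3041 TCP SYN+FIN flags from 10.0.0.5 to 172.18.124.148 on interface outside
%PIX-4-400000: IDS:2154 ICMP ping of death from 10.0.0.5 to 172.18.124.148 on interface outside
%PIX-6-302013: Built inbound TCP connection 1234 for outside:10.0.0.9/4321 to inside:192.168.1.10/80
"""

# Info vs attack class for the signature IDs used above. Assumption: recalled
# from the PIX 6.3 signature list; confirm against the syslog guide before use.
SIGNATURE_CLASS = {2004: "info", 3041: "attack", 2154: "attack"}

AUDIT_NAME_RE = re.compile(r"^ip audit name (\S+) (info|attack) action (.+)$")
AUDIT_IFACE_RE = re.compile(r"^ip audit interface (\S+) (\S+)$")
AUDIT_SIG_RE = re.compile(r"^ip audit signature (\d+) disable$")
IDS_EVENT_RE = re.compile(
    r"(?:%PIX-\d-)?(\d+): IDS:(\d+) (.+?) from (\S+) to (\S+) on interface (\S+)$")


def parse_config(text):
    """Return (policies, bindings, disabled) from 'ip audit' config lines."""
    policies, bindings, disabled = {}, {}, set()
    for line in text.splitlines():
        line = line.strip()
        if m := AUDIT_NAME_RE.match(line):
            policies[m.group(1)] = (m.group(2), m.group(3).split())
        elif m := AUDIT_IFACE_RE.match(line):
            bindings.setdefault(m.group(1), []).append(m.group(2))
        elif m := AUDIT_SIG_RE.match(line):
            disabled.add(int(m.group(1)))
    return policies, bindings, disabled


def check_bindings(policies, bindings):
    """Flag undefined policy names and more than one info or attack policy per interface."""
    problems = []
    for iface, names in bindings.items():
        seen = Counter()
        for name in names:
            if name not in policies:
                problems.append(f"{iface}: policy {name} is not defined")
            else:
                seen[policies[name][0]] += 1
        for cls, count in seen.items():
            if count > 1:
                problems.append(f"{iface}: {count} {cls} policies bound, only one allowed")
    return problems


def parse_ids_event(line):
    """Parse a PIX IDS message (console or syslog form) into a dict, or None."""
    m = IDS_EVENT_RE.search(line.strip())
    if not m:
        return None
    return {"msg": int(m.group(1)), "sig": int(m.group(2)), "desc": m.group(3),
            "src": m.group(4), "dst": m.group(5), "iface": m.group(6)}


def actions_for(event, policies, bindings, disabled):
    """Actions the parsed config applies to this event; [] if disabled or unbound,
    None if the signature is missing from SIGNATURE_CLASS."""
    if event["sig"] in disabled:
        return []
    cls = SIGNATURE_CLASS.get(event["sig"])
    if cls is None:
        return None
    for name in bindings.get(event["iface"], []):
        pol_cls, acts = policies.get(name, (None, []))
        if pol_cls == cls:
            return list(acts)
    return []


def evaluate(log_text, config_text):
    """Return [(src, sig, actions)] for every IDS event in the log."""
    policies, bindings, disabled = parse_config(config_text)
    results = []
    for line in log_text.splitlines():
        ev = parse_ids_event(line)
        if ev is not None:
            results.append((ev["src"], ev["sig"], actions_for(ev, policies, bindings, disabled)))
    return results


if __name__ == "__main__":
    pols, binds, dis = parse_config(PIX_CONFIG)
    print("config problems:", check_bindings(pols, binds) or "none")
    for src, sig, acts in evaluate(SAMPLE_LOG, PIX_CONFIG):
        print(f"{src:>16}  sig {sig}  -> {acts}")
```

With the disable line present, both 2004 pings evaluate to no action, while the 3041 and 2154 events on `outside` pick up test2's `alarm drop reset`; remove the disable line and the pings fall back to test1's `alarm`. Binding a second info policy to the same interface is reported by `check_bindings` before it is pushed to the firewall.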

Sorry for the late reply. I'm aware that it is limited, but management doesn't want to spend that much on IDS. Thanks for your help, I'll definitely take a look into this.
