From: Menga, Justin (Justin.Menga@xxxxxxxxxx)
Date: Tue Dec 11 2001 - 17:35:02 GMT-3
The PIX has basic IDS capabilities with 59 signatures and will detect
common reconnaissance, etc. attacks/scans. You need to set up a SYSLOG
server to collect the events. This will give you an idea of the various
port scans and ping sweeps that are nowadays continuously occurring...
There are some show ip audit commands that summarize how many signatures
have been matched on the PIX itself, useful for a quick summary...
Regards,
Justin
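Added example, not part of this thread: a small Python script of the kind Jeffrey describes further down (a script poring over syslog for scans of addresses and ports), run over the sort of PIX events Justin mentions above. The sample log lines are constructed for this example and only approximate PIX 6.x wording for ACL denies (message 106023) and the built-in IDS signature messages (400xxx, e.g. IDS:2004 ICMP echo request); the regexes are an assumption and should be checked against your own syslog output before use. It flags a port scan (one source hitting many destination ports) and a ping sweep (one source echo-requesting many hosts), and tallies signature hits much as `show ip audit count` does on the box.

```python
"""Port scan / ping sweep detection over PIX syslog lines.

Added example; not code from the original thread. Message formats below are
an approximation of PIX 6.x syslog output (ACL deny 106023, IDS 4000xx);
verify them against real logs before trusting the regexes.
"""
import re
from collections import defaultdict

# Constructed sample of what a syslog server receives once logging and
# "ip audit" are enabled on the PIX (everything logged, not just denies).
SAMPLE_LOG = """\
%PIX-4-106023: Deny tcp src outside:192.0.2.7/40231 dst inside:10.0.0.5/21 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:192.0.2.7/40232 dst inside:10.0.0.5/22 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:192.0.2.7/40233 dst inside:10.0.0.5/23 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:192.0.2.7/40234 dst inside:10.0.0.5/25 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:192.0.2.7/40235 dst inside:10.0.0.5/110 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:192.0.2.7/40236 dst inside:10.0.0.5/443 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:198.51.100.4/51000 dst inside:10.0.0.5/80 by access-group "outside_in"
%PIX-4-400013: IDS:2004 ICMP echo request from 192.0.2.9 to 10.0.0.1 on interface outside
%PIX-4-400013: IDS:2004 ICMP echo request from 192.0.2.9 to 10.0.0.2 on interface outside
%PIX-4-400013: IDS:2004 ICMP echo request from 192.0.2.9 to 10.0.0.3 on interface outside
%PIX-4-400013: IDS:2004 ICMP echo request from 192.0.2.9 to 10.0.0.4 on interface outside
%PIX-4-400013: IDS:2004 ICMP echo request from 192.0.2.9 to 10.0.0.5 on interface outside
%PIX-4-400013: IDS:2004 ICMP echo request from 198.51.100.4 to 10.0.0.5 on interface outside
"""

# ACL deny: "%PIX-4-106023: Deny tcp src outside:A.B.C.D/sport dst inside:E.F.G.H/dport ..."
DENY_RE = re.compile(
    r'%PIX-\d-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)(?:/\d+)? '
    r'dst \w+:(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?'
)
# Built-in IDS event: "%PIX-4-4000nn: IDS:<sig> <text> from A.B.C.D to E.F.G.H on interface X"
IDS_RE = re.compile(
    r'%PIX-\d-4000\d\d: IDS:(?P<sig>\d+) (?P<msg>.+?) from (?P<src>[\d.]+) '
    r'to (?P<dst>[\d.]+) on interface (?P<iface>\w+)'
)


def parse_line(line):
    """Return a dict for a deny or IDS event, or None for lines we do not model.
    search() rather than match() so a syslog timestamp/host prefix is tolerated."""
    m = DENY_RE.search(line)
    if m:
        return {"kind": "deny", "proto": m["proto"].lower(), "src": m["src"],
                "dst": m["dst"], "dport": int(m["dport"]) if m["dport"] else None}
    m = IDS_RE.search(line)
    if m:
        return {"kind": "ids", "sig": int(m["sig"]), "msg": m["msg"],
                "src": m["src"], "dst": m["dst"], "iface": m["iface"]}
    return None


def find_scans(lines, port_threshold=5, host_threshold=5):
    """Summarise who is probing what.

    A port scan shows up as one source touching many distinct (dst, port)
    pairs in the deny log; a ping sweep as one source sending ICMP echo
    requests (IDS signature 2004) to many distinct hosts. Thresholds are
    low to suit the sample; tune them for real traffic.
    """
    ports_by_src = defaultdict(set)       # src -> {(dst, dport), ...}
    echo_hosts_by_src = defaultdict(set)  # src -> {dst, ...} for echo requests
    sig_counts = defaultdict(int)         # (sig, text) -> hits, like "show ip audit count"
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "deny" and ev["dport"] is not None:
            ports_by_src[ev["src"]].add((ev["dst"], ev["dport"]))
        elif ev["kind"] == "ids":
            sig_counts[(ev["sig"], ev["msg"])] += 1
            if ev["sig"] == 2004:
                echo_hosts_by_src[ev["src"]].add(ev["dst"])
    port_scans = {src: sorted(p for _, p in hits)
                  for src, hits in ports_by_src.items() if len(hits) >= port_threshold}
    ping_sweeps = {src: sorted(hosts)
                   for src, hosts in echo_hosts_by_src.items() if len(hosts) >= host_threshold}
    return {"port_scans": port_scans, "ping_sweeps": ping_sweeps, "signatures": dict(sig_counts)}


if __name__ == "__main__":
    report = find_scans(SAMPLE_LOG.splitlines())
    for src, ports in report["port_scans"].items():
        print(f"port scan from {src}: ports {ports}")
    for src, hosts in report["ping_sweeps"].items():
        print(f"ping sweep from {src}: hosts {hosts}")
    for (sig, text), n in sorted(report["signatures"].items()):
        print(f"IDS:{sig} {text}: {n} hits")
```

The single deny from 198.51.100.4 stays below threshold and is not reported, which is the point of the counting: one blocked packet is noise, a fan-out across ports or hosts from one source is the "hard data" the original question asks for. Feed the script a real syslog file by replacing SAMPLE_LOG.splitlines() with the file's lines.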
-----Original Message-----
From: Jeremy [mailto:jeremy19@home.com]
Sent: Tuesday, 11 December 2001 5:39 p.m.
To: Jeffrey Sewell; ccielab@groupstudy.com
Subject: RE: OT: Quick way to check if Pix is being attacked
Amen, Brother. Gotta Love Snort! They even port it for script kiddies
(I mean, Windows users).
-Jeremy
"Paranoia is a Scary Thing..."
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Jeffrey Sewell
Sent: Monday, December 10, 2001 8:13 AM
To: 'ccielab@groupstudy.com'
Subject: Re: OT: Quick way to check if Pix is being attacked
Download snort (www.snort.org). It's an IDS, and it's
free. And if, after using it, you still want to pay
for one (it, in my opinion, beats the hell out of any
that you can buy), tell management that it was an eval
copy...
Otherwise, as another respondent suggested, start
sending the logs to a syslog server (you'll need to
log everything, not just deny events) and turn on
tcpdump on some unix/linux machine inside your
firewall and manually or--if you value your time and sanity--with a
script, start poring over the logs from both, looking for scans of ip
addresses and/or ports and... well, the art of intrusion detection is
determining for *what*, exactly, to look. Start with the incidents page
(www.incidents.org).
From a security standpoint it is harder to justify
*not* having an IDS. We are all constantly under
attack--but without an IDS how do we know that a
connection to port 80 is legitimate and not the latest
worm burrowing its way in? Or out? Some form of an
IDS is the only way to determine if traffic which is,
by policy, allowed through the firewall is legitimate
or not. What good is a wall if there is no keeper at
the gate?
Sorry to meander--I've often found myself having to
justify IDS to management. Just trying to help prime
the pump for you--I know what a fight it can be.
Jeffrey
--- "Dean, Justin" <Justin.Dean@nrtinc.com> wrote:
> Does anyone know how to see if your network is being
> attacked (or attempted
> to be attacked) from the internet, by looking at the
> PIX? Basically, I want
> to find some hard data that would justify looking
> into an IDS product.
> Thanks for any input. JD
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:32:42 GMT-3