PIX 520 Firewall logserver/monitor + IDS

[haknwak]

Need help finding a reasonably priced product that meets these requirements. (trying to avoid the major $$$ for Cisco Works)

I need to log and monitor firewall activity as well as need a full blown IDS system. The software must be compatible with M$ NT or Win2k. Have SQL servers for database storage and manipulation.

Have found plenty of firewall logservers but no IDS systems that will meet above requirements and use the text based logfiles created by those servers.

PIX 520 (two in failover mode)
6509 Switch

tia

 

[JGWohlford]

Did you ever find a suitable solution? Just curious as I am searching for products to perform similarly for my PIX 506...

Thanks!

 

[anenigma4u2]

Try Kiwi from

http://www.kiwisyslog.com

 

[pabica]

Kiwi is great for small firewall logs... it is a good Win syslog server daemon... but the display program reads the whole log into memory at one time...

the Pix log is very usefull and contains LOTS of information if you set the logging level to the maximum... you get URL's and all sorts of things logged... cool...

If you have a reasonable sized group (>500 users) try writing some perl code to split the log into smaller pieces and then you can write custom scripts to look for activity of interest... porn, p2p, ids alerts, etc..

As for an IDS.. the SNORT group has a version that runs on Win and works great...

for either the PIX or IDS, you need to teach yourself all about attacks and the defenses against them... to make reasonable sense of the results...

Good Luck,
Bill..

 

[JGWohlford]

Thanks for the info! I am using Kiwi syslogd already and agree that it is essential to have a tool to parse and report on data coming off the PIX. Do you recommend any particular texts for getting a better handle on identifying and defending against different attacks?

Thanks again!