
PIX IDS Alerts via SNMP or SysLog


DavidHalko (Technical User), Dec 8, 2002
How would one receive IDS alerts from a PIX via SNMP Traps or Syslog Events?

What is the message encoding for the IDS events in the traps or syslog events?

I have a PIX and if someone tries a "ping of death" or some other known intrusion, I would like to be able to log it and various other information about the event.

Thanks, EMS Architect
 
Hi there David, I'm not too familiar with PIX's notification features, but you must configure the delivery of SNMP traps or syslog messages to your management server.

For the traps you don't really need to know the message encoding, just look in the Alarm Categories Browser of NNM and make the appropriate changes (add them as events according to the particular or global OID) and configure the events for them.

If PIX can send an alarm through syslog or SNMP when it detects a wrong icmp packet, etc...you can receive it under NNM and give it any format, no problem.

If you are going to use syslog for notifications, make sure to configure a "syslog facility" in your NNM server (something related to PIX, different "syslog category files" where the syslog messages are going to end up).

Hope this helps,
vlan52
The end of wisdom is freedom. The end of culture is perfection. The end of
education is character. The end of knowledge is love.
 
I am familiar with sending traps and syslog messages from a PIX to an snmp manager or a syslog daemon.

The intrusion detection messages (which are detected via signatures) are at question. I have not been able to find these things, anywhere in the Cisco Documentation or how to even determine what one of these messages looks like.

- Thanks EMS Architect
 
Ohh..ok, I'm sorry then, but I'll get some details about the signatures and the events generated by PIX, perhaps a friend who has been playing with PIX for a while now can give me some feedback on this.

Sorry about the confusion, regards,
vlan52
 
Thanks a lot...

It has been like "pulling teeth" trying to figure out how to configure the PIX to send the IDS messages through a standards based mechanism, as well as determine what message is an ID message!

EMS Architect
 
Hi David, I've been looking around and found out that PIX comes with a set of very basic ID signatures, just five of them, very basic stuff.
Could you tell me which model do you currently have?

Also, since PIX comes with such a reduced number of "conditions" (or ID conditions), have you thought about setting up an IDS instead? And having the IDS, which is particularly efficient, sending the messages to a management server?

Have you tried Snort? At you may find an awesome piece of IDS, open source, always updated, always accurate and pretty easy to update.
One of the most important features, it comes already with a few scripts that let you send any messages by using snmptrap, syslog, etc...

Well, if you could tell me your PIX's model, we can find out something else perhaps, ok?

Best regards,
vlan52

 
I have some 515's and 525's. The IOS's are varied.

The PIX is supposed to detect/repel dozens of intrusions according to dozens of signatures.

I remember reading a list of IDS codes, at one time, when my previous security expert showed me a printout.

Every so often, during an IOS release, this count increases.

I am fairly certain that the PIX detects more than 5 IDS signatures.

Could there be 5 generic IDS events which can be used by multiple signatures?

Thanks, EMS Architect
 
Hi David, what I've found out so far is 515/525s come with 50 IDS signatures as default.

And also that the commands to enable syslog or snmp notification are the following:

logging on
logging trap (debugging comes as default - logs every single transaction, really useful)
logging facility (from 17 or 23 or 22 or 21 or 20)
logging server w.x.y.z

Regarding the command to access the IDS signatures config or view, my friend could not tell me but it is supposed to be in the PIX manual or around the web.

hope this helps,
vlan52
 
Hey -
>I've found out so far is 515/525s come with 50 IDS signatures as default.
...
>logging on
>logging trap (debugging comes as default...)
>logging facility (from 17 or 23 or 22 or 21 or 20)
>logging server w.x.y.z

OK - well, this I have had set up.

> but is supposed to be in the PIX manual or around the web.

ha ha... yea, I've been looking for a long time, now.

- Dave EMS Architect
 
Well, actually PIX comes with 53 IDS signatures (got an update from Cisco on this)...but who cares at this point, uh? ; )

I believe the commands you are looking for are the ones under the following:

Enjoy!

Best regards,
vlan52
 
OK - so the current number is 53 signatures...

The URL you provided was pretty close...
This is a great little article on the Cisco IOS!

The problem is, these commands only work with the Cisco IOS 12.1 of the router IOS... not the PIX embedded operating system.

While this is somewhat discouraging, at least I know I am not going crazy and can see that someone else is having difficulty finding the information I am trying to dig up!

- Thanks, EMS Architect
 
David, not sure if your problem was resolved yet.
The PIX commands you need to use are:

ip audit

The syntax is a little different from the IOS syntax. Here is the link to the PIX command page.


If you've already resolved this issue maybe you could help me out. I'm trying to figure out if you need to use both the ip audit "attack" and "name" commands to get the IDS to log correctly. The "name" command is used to specify which signatures should be used while the "attack" command is used to set the action to be performed once a signature is detected.

Unfortunately the reference guide doesn't say whether you need both.

thanks

coffey
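As an added example, not written by any poster in this thread, here is a small Python parser that answers the original question from the receiving side: once the PIX has "logging on" and a "logging server" pointing at a syslog host, the IDS events arrive as ordinary syslog lines and can be picked out and counted on the management server. The line shape assumed here, %PIX-<severity>-<message id>: IDS:<signature> <description> from <src> to <dst> on interface <name>, is the PIX syslog convention for its IDS messages (message IDs in the 4000xx range) as documented in the Cisco syslog message reference, not something stated in this thread; the sample log lines, host name, addresses and the signature numbers in them are constructed for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Assumed PIX IDS syslog message shape (from the Cisco syslog reference, not this thread):
#   %PIX-<severity>-<msgid>: IDS:<signature> <description> from <src> to <dst> on interface <if>
# IDS messages use message IDs in the 4000xx range, which is what lets us separate them
# from the connection build/teardown noise that "logging trap debugging" also produces.
IDS_RE = re.compile(
    r"%PIX-(?P<sev>[0-7])-(?P<msgid>4000\d\d): IDS:(?P<sig>\d+) "
    r"(?P<desc>.+?) from (?P<src>\S+) to (?P<dst>\S+) on interface (?P<iface>\S+)$"
)


@dataclass
class IdsEvent:
    severity: int      # syslog severity digit from the %PIX-<sev>- prefix
    msgid: str         # PIX message id, e.g. "400025"
    signature: int     # IDS signature number after "IDS:"
    description: str   # human-readable signature text
    src: str
    dst: str
    interface: str


def parse_ids_event(line: str) -> Optional[IdsEvent]:
    """Return an IdsEvent for a PIX IDS syslog line, or None for any other syslog line."""
    m = IDS_RE.search(line)
    if not m:
        return None
    return IdsEvent(
        severity=int(m["sev"]),
        msgid=m["msgid"],
        signature=int(m["sig"]),
        description=m["desc"],
        src=m["src"],
        dst=m["dst"],
        interface=m["iface"],
    )


# Constructed sample: one ordinary connection message plus three IDS messages.
SAMPLE_LOG = """\
Dec  8 10:01:02 pix1 %PIX-6-302013: Built outbound TCP connection 12 for outside:192.0.2.10/80 (192.0.2.10/80) to inside:10.0.0.5/1034 (10.0.0.5/1034)
Dec  8 10:01:03 pix1 %PIX-4-400025: IDS:2154 ICMP ping of death attack from 192.0.2.77 to 10.0.0.5 on interface outside
Dec  8 10:01:04 pix1 %PIX-4-400013: IDS:2003 ICMP redirect from 192.0.2.77 to 10.0.0.5 on interface outside
Dec  8 10:01:05 pix1 %PIX-4-400025: IDS:2154 ICMP ping of death attack from 192.0.2.77 to 10.0.0.9 on interface outside
"""


def summarize(log_text: str) -> dict:
    """Count IDS events per signature and per source address across a syslog capture."""
    events = [e for e in map(parse_ids_event, log_text.splitlines()) if e is not None]
    return {
        "count": len(events),
        "by_signature": dict(Counter(e.signature for e in events)),
        "by_source": dict(Counter(e.src for e in events)),
    }


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        ev = parse_ids_event(line)
        if ev:
            print(f"sig {ev.signature} ({ev.description}) {ev.src} -> {ev.dst} via {ev.interface}")
    print(summarize(SAMPLE_LOG))
```

The regex deliberately keys on the 4000xx message id rather than on the word "IDS" alone, so a debugging-level feed full of 302xxx connection messages is filtered cheaply before any further handling; the per-source counter is the piece a management server would feed into its alarm threshold.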
 