https://community.cisco.com/t5/network-security/pix-506-enabling-ids/m-p/119637#M601559 <P>Hi,</P><P></P><P>Just a quick question. I'm running a pix 506 with software version 6.3. I was asked to look into configuring the IDS part of the firewall. Is there any white papers explaning how to configure it properly? I have experience with cisco's firewalls but im fairly new to IDS. Any help would be greatly appreciated.</P> Fri, 21 Feb 2020 06:54:30 GMT sysadmin 2020-02-21T06:54:30Z https://community.cisco.com/t5/network-security/pix-506-enabling-ids/m-p/119637#M601559 <P>Hi,</P><P></P><P>Just a quick question. I'm running a pix 506 with software version 6.3. I was asked to look into configuring the IDS part of the firewall. Is there any white papers explaning how to configure it properly? I have experience with cisco's firewalls but im fairly new to IDS. Any help would be greatly appreciated.</P> Fri, 21 Feb 2020 06:54:30 GMT https://community.cisco.com/t5/network-security/pix-506-enabling-ids/m-p/119637#M601559 sysadmin 2020-02-21T06:54:30Z https://community.cisco.com/t5/network-security/pix-506-enabling-ids/m-p/119638#M601560 <HTML><HEAD></HEAD><BODY><P>Keep in mid that PIX IDS is very limited, it only looks for 59 signatures, a very small subset of the over 300 that a proper IDS sysem will detect. In addition to that the signatures are not updated in a very timely fashion.</P><P></P><P>Here's the command reference:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#1101884" target="_blank">http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#1101884</A></P><P></P><P>The subset of signatures that the PIX IDS will look for and report on is listed here:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63syslog/pixemsgs.htm#1138590" target="_blank">http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63syslog/pixemsgs.htm#1138590</A></P><P></P><P></P><P>The two commands you see initially in a lot of configurations:</P><P></P><P> ip audit info action alarm</P><P> ip audit attack action alarm</P><P></P><P>set up the default action for both info and attack alarms (see the link above for which ones are which).</P><P></P><P>In its simplest form, all you need to do is define an audit process and</P><P>apply it to an interface. The PIX is different to IOS however, in that you</P><P>can't specify an info policy AND an attack policy with the same name. You have</P><P>to do the following:</P><P></P><P> ip audit name test1 info action alarm</P><P> ip audit name test2 attack action alarm drop reset</P><P></P><P>then add both to the interface (note each interface can have two policies</P><P>assigned, one info and one attack):</P><P></P><P> ip audit interface outside test1</P><P> ip audit interface outside test2</P><P></P><P>If you want to change the actions, you have to remove the name and then re-add</P><P>it with the new actions. </P><P></P><P>Now when you ping the interface you'll get the following on the console:</P><P></P><P>400014: IDS:2004 ICMP echo request from 172.18.124.142 to 172.18.124.148 on</P><P>interface outside</P><P></P><P></P><P>You can disable particular signatures with the same command as IOS:</P><P></P><P> ip audit signature 2004 disable</P><P></P></BODY></HTML> Mon, 04 Aug 2003 22:47:54 GMT https://community.cisco.com/t5/network-security/pix-506-enabling-ids/m-p/119638#M601560 gfullage 2003-08-04T22:47:54Z https://community.cisco.com/t5/network-security/pix-506-enabling-ids/m-p/119639#M601561 <HTML><HEAD></HEAD><BODY><P>Sorry for the late reply, I'm aware that it is limited, but management doesn't want to spend that much on IDS. Thanks for your help, I'll defenately take a look into this.</P></BODY></HTML> Thu, 14 Aug 2003 19:24:32 GMT https://community.cisco.com/t5/network-security/pix-506-enabling-ids/m-p/119639#M601561 sysadmin 2003-08-14T19:24:32Z