01-11-2007 09:43 PM - edited 03-10-2019 03:25 AM
Hi,
From the Cisco PIX Firewall logs, is it possible to determine if a "PortScan" attack has occurred?
Appreciate an early reply.
-S-
01-17-2007 03:01 PM
No, I think it is not possible. If you want to track port scan attacks, go for an Intrusion Prevention System (IPS) solution.
01-18-2007 06:14 AM
Yes, but not without some external tools to parse the PIX logs. Do a Google search on "pix syslog port scan detection" and "pix log analysis".
01-25-2007 03:41 AM
Thanks for your replies, folks.
In Cisco PIX Firewalls, the PIX-ID for "Built {inbound|outbound} TCP connection" is %PIX-6-302013.
Similarly, is there a PIX-ID that corresponds to a port scan attempt?
-S-
01-25-2007 05:21 AM
Hi,
There is no syslog message which reports any kind of reconnaissance - and the built-in ip audit signatures don't detect this either.
You can do this with NetFlow if you have the right software (but not on PIX), but by far the best method is signature-based because there are so many variations on the theme (i.e. TCP port sweeps, UDP port sweeps, distributed port scans, ping sweeps, etc.)
Although you could catch some of these scans with log file analysis, you wouldn't catch them all, and the amount of logging you'd have to turn on might impact the PIX performance.
HTH
Andrew.
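A sketch of the log-file analysis approach mentioned in the replies above, added here as an example and not posted by any participant in the thread: it counts distinct destination host/port pairs per source address in a sliding time window over ACL deny messages. The use of message %PIX-4-106023 (not named in the thread), the timestamp layout, the thresholds, the helper names and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches ACL deny messages; permitted connections (%PIX-6-302013) are ignored.
DENY = re.compile(r'^(\w{3} +\d+ \d{4} [\d:]{8}): %PIX-4-106023: Deny (tcp|udp) '
                  r'src \S+?:([\d.]+)/\d+ dst \S+?:([\d.]+)/(\d+)')

def _deny(ts, src, dport):
    """Build one constructed deny line (hypothetical helper, sample data only)."""
    return (f'Jan 25 2007 {ts}: %PIX-4-106023: Deny tcp src outside:{src}/40000 '
            f'dst inside:10.0.0.5/{dport} by access-group "outside_in"')

PORTS = (21, 22, 23, 25, 80, 443)
SAMPLE = (  # constructed log lines, documentation address ranges only
    [_deny(f"05:21:0{i}", "192.0.2.10", p) for i, p in enumerate(PORTS)]       # fast scan
    + [_deny(f"05:2{i}:30", "198.51.100.7", 25) for i in range(3)]            # retries, one port
    + [_deny(f"0{i}:00:00", "203.0.113.9", p) for i, p in enumerate(PORTS, 1)]  # one probe per hour
    + ['Jan 25 2007 05:21:02: %PIX-6-302013: Built inbound TCP connection 1001 for '
       'outside:192.0.2.10/40000 (192.0.2.10/40000) to inside:10.0.0.5/80 (10.0.0.5/80)']
)

def find_scans(lines, window=timedelta(seconds=60), min_targets=5):
    """Return {src_ip: n} where n is the largest number of distinct
    (dst_ip, dst_port) pairs denied within any one window, if n >= min_targets."""
    events = defaultdict(list)          # src ip -> [(time, (dst ip, dst port))]
    for line in lines:
        m = DENY.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S")
            events[m.group(3)].append((ts, (m.group(4), int(m.group(5)))))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = best = 0
        for end in range(len(evs)):
            # Slide the left edge until the span fits inside the window.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, len({target for _, target in evs[start:end + 1]}))
        if best >= min_targets:
            flagged[src] = best
    return flagged

if __name__ == "__main__":
    print(find_scans(SAMPLE))
```

With the default 60-second window only the fast source is flagged; the source that sends one probe per hour is missed until the window is widened, which is the limit of log analysis noted in the last reply.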