
How to determine PortScan attempts?

linker.team
Level 1

Hi,

From the Cisco Pix Firewall logs, is it possible to determine if a "PortScan" attack has occurred?

Appreciate an early reply.

-S-

4 Replies

irisrios
Level 6

No, I think it is not possible. If you want to track port scan attacks, go for an Intrusion Prevention System (IPS) solution.

mhellman
Level 7

Yes, but not without some external tools to parse the PIX logs. Do a Google search on "pix syslog port scan detection" and "pix log analysis".

Thanks for your reply folks.

In Cisco Pix Firewalls, the PIX-ID for "Built {inbound|outbound} TCP connection" is %PIX-6-302013.

Similarly, is there a PIX-ID that corresponds to a Port Scan attempt?

-S-

Hi,

There is no syslog message which reports any kind of reconnaissance - and the built-in ip audit signatures don't detect this either.

You can do this with NetFlow if you have the right software (but not on PIX), but by far the best method is signature based because there are so many variations on the theme (i.e. TCP port sweeps, UDP port sweeps, distributed port scans, ping sweeps, etc.)

Although you could catch some of these scans with log file analysis, you wouldn't catch them all, and the amount of logging you'd have to turn on might impact the PIX performance.

HTH

Andrew.
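As an added example (not code from any reply in this thread), here is a sketch of the log-file analysis the replies mention: it flags a source that is denied on many distinct ports of one host within a time window. It assumes deny logging is enabled and uses the PIX message %PIX-4-106023 ("Deny ... by access-group"), which the thread does not quote. The log lines, addresses, and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: ACL denies are logged as %PIX-4-106023 (message ID not quoted in the thread).
DENY = re.compile(
    r'(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*?%PIX-4-106023: Deny (?:tcp|udp) '
    r'src \S+?:(?P<src>[\d.]+)/\d+ dst \S+?:(?P<dst>[\d.]+)/(?P<dport>\d+)')

def find_scanners(lines, min_ports=5, window=timedelta(seconds=60), year=2024):
    """Return {(src, dst): sorted ports} for sources denied on at least
    min_ports distinct ports of one dst inside a sliding time window."""
    events = defaultdict(list)              # (src, dst) -> [(time, port), ...]
    for line in lines:
        m = DENY.search(line)
        if not m:
            continue                        # other message IDs (e.g. 302013) are ignored
        # Classic syslog timestamps carry no year, so one is assumed for parsing.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[(m['src'], m['dst'])].append((ts, int(m['dport'])))
    hits = {}
    for key, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1                  # drop events older than the window
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= min_ports and len(ports) > len(hits.get(key, [])):
                hits[key] = sorted(ports)   # keep the widest burst seen
    return hits

def _deny(ts, src, dport, dst="192.0.2.10"):
    """Build one constructed 106023 line (documentation address ranges)."""
    return (f'Mar 14 {ts} fw1 %PIX-4-106023: Deny tcp src outside:{src}/40000 '
            f'dst inside:{dst}/{dport} by access-group "outside_in"')

SAMPLE = (  # constructed log: fast scan, slow scan, repeated single port, one built connection
    [_deny(f"10:00:0{i}", "198.51.100.7", p) for i, p in enumerate([21, 22, 23, 25, 80, 110])]
    + [_deny(f"10:{i}0:00", "203.0.113.9", p) for i, p in enumerate([21, 22, 23, 25, 80])]
    + [_deny("10:05:00", "203.0.113.50", 445), _deny("10:05:01", "203.0.113.50", 445)]
    + ['Mar 14 10:06:00 fw1 %PIX-6-302013: Built inbound TCP connection 1 for '
       'outside:203.0.113.50/40000 (203.0.113.50/40000) to inside:192.0.2.10/80 (192.0.2.10/80)']
)

if __name__ == "__main__":
    for (src, dst), ports in find_scanners(SAMPLE).items():
        print(f"possible port scan: {src} -> {dst} ports {ports}")
```

With the default 60-second window, only the fast scan from 198.51.100.7 is flagged; the slow scan from 203.0.113.9 (one port every ten minutes) is missed unless the window is widened, which illustrates the limit of log analysis raised in the last reply.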
