Network Scans

Hi all

I'm trying to figure out how to get network scans and DoS attacks to show up in my syslog server for my Cisco ASA 5520.

Just with the basic IPS support on the device I cannot seem to get anything to show up on my syslog server?

Network scans don't appear to be part of the standard IDS signatures since it's just a network port scan?

Any direction on this would be appreciated.

Regards

1 ACCEPTED SOLUTION

I don't know of a way to directly detect scans from an ASA. I have seen some indirect scan detection performed on firewall logs in a customized SIM (Intellitactics) via correlation.

You may be better served asking this question in the firewall forum.

- Bob
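
The indirect approach mentioned in the accepted solution, correlating firewall deny logs, can look like the following. This is an added example, not code from the thread or from any SIM product. It assumes the ASA sends deny messages with ID 106023 to the syslog server with a `Mon DD YYYY HH:MM:SS` timestamp in chronological order; the sample lines, addresses, window and threshold are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# ASA "deny by access-group" message (ID 106023) for TCP/UDP; line layout is an assumption.
DENY = re.compile(
    r'^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}).*?%ASA-4-106023: Deny \w+ '
    r'src [^:\s]+:(?P<src>[\d.]+)/\d+ dst [^:\s]+:(?P<dst>[\d.]+)/(?P<dport>\d+)')

def find_scanners(lines, window=60, threshold=6):
    """Return {src_ip: peak count of distinct (dst, port) targets denied within
    `window` seconds} for every source that reaches `threshold`."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, dst, dport)
    flagged = {}
    for line in lines:
        m = DENY.match(line)
        if not m:
            continue              # not a 106023 deny; ignore
        ts = datetime.strptime(m['ts'], '%b %d %Y %H:%M:%S')
        q = recent[m['src']]
        q.append((ts, m['dst'], int(m['dport'])))
        # Drop denies that have aged out of the sliding window.
        while (ts - q[0][0]).total_seconds() > window:
            q.popleft()
        # Many denies to ONE port is a retrying client; many distinct
        # targets in a short time is the scan pattern.
        distinct = len({(d, p) for _, d, p in q})
        if distinct >= threshold:
            flagged[m['src']] = max(flagged.get(m['src'], 0), distinct)
    return flagged

# Constructed sample input (documentation address ranges), not real traffic.
SCAN_PORTS = [21, 22, 23, 25, 80, 110, 143, 443]
SAMPLE = [
    f'Mar 04 2024 10:15:{i:02d} %ASA-4-106023: Deny tcp src outside:203.0.113.7/{40000 + i} '
    f'dst inside:192.0.2.10/{p} by access-group "outside_in" [0x0, 0x0]'
    for i, p in enumerate(SCAN_PORTS)
] + [
    # One client retrying a single blocked port: ten denies, one target.
    f'Mar 04 2024 10:16:{i:02d} %ASA-4-106023: Deny tcp src outside:198.51.100.9/{50000 + i} '
    f'dst inside:192.0.2.10/3389 by access-group "outside_in" [0x0, 0x0]'
    for i in range(10)
] + [
    'Mar 04 2024 10:17:00 %ASA-6-302013: Built inbound TCP connection 1 for '
    'outside:198.51.100.9/50100 (198.51.100.9/50100) to inside:192.0.2.10/443 (192.0.2.10/443)'
]

if __name__ == '__main__':
    print(find_scanners(SAMPLE))
```

Tune `window` and `threshold` against normal traffic for the network being monitored; a slow scan spread over a longer period than the window will not reach the threshold.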

3 REPLIES

Do you have an AIP-SSM sensor module for your 5520?

If you do, then you should be able to detect network and host scanning on your network.

The sensor module will not output to a syslog server; you can use the free Cisco IPS Manager Express:

http://www.cisco.com/en/US/products/ps9610/index.html

You can also set the signatures for scans to send an SNMP trap when they fire to your SNMP server.

- Bob

We actually do not own the AIP-SSM sensor module. I was trying to accomplish basic IDS with the ASA 5520 only... to log scans to syslog etc.
