Network Scans

laphil
Beginner

Hi all

I'm trying to figure out how to get network scans and DoS attacks to show up in my syslog server for my Cisco ASA 5520.

Just with the basic IPS support on the device I cannot seem to get anything to show up on my syslog server?

Network scans don't appear to be part of the standard IDS signatures since it's just a network port scan?

Any direction on this would be appreciated.

Regards

1 Accepted Solution


I don't know of a way to directly detect scans from an ASA. I have seen some indirect scan detection performed on firewall logs in a customized SIM (Intellitactics) via correlation.

You may be better served asking this question in the firewall forum.

- Bob


3 Replies

rhermes
Rising star

Do you have an AIP-SSM sensor module for your 5520?

If you do, then you should be able to detect network and host scanning on your network.

The Sensor module will not output to a syslog server; you can use the free Cisco IPS Manager Express

http://www.cisco.com/en/US/products/ps9610/index.html

You can also set the signatures for scans to send an SNMP trap when they fire to your SNMP server.

- Bob

We actually do not own the AIP-SSM sensor module; I was trying to accomplish basic IDS with the ASA 5520 only... to log scans to syslog etc.
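
The indirect approach mentioned in the accepted solution, correlating firewall deny logs, sketched as an added example (not code from this thread or from Cisco). It assumes the ASA already sends ACL-deny message 106023 to the syslog server with timestamps in the layout shown; the function names, thresholds and log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FMT = "%b %d %Y %H:%M:%S"
# Assumed line layout: "<Mon DD YYYY HH:MM:SS>: %ASA-4-106023: Deny tcp src if:ip/port dst if:ip/port ..."
DENY = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{4} \d\d:\d\d:\d\d).*?%ASA-\d-106023: Deny (?:tcp|udp) "
    r"src \S+?:(?P<src>[\d.]+)/\d+.*? dst \S+?:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def find_scanners(lines, window=timedelta(seconds=60), min_targets=10):
    """Return {src_ip: time of first alert} for sources denied on at least
    min_targets distinct (dst, port) pairs inside one sliding window."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, (dst, dport))
    alerts = {}
    for line in lines:
        m = DENY.search(line)
        if not m:
            continue              # not an ACL deny; ignore
        ts = datetime.strptime(m["ts"], TS_FMT)
        q = recent[m["src"]]
        q.append((ts, (m["dst"], int(m["dport"]))))
        while ts - q[0][0] > window:      # expire denies older than the window
            q.popleft()
        if m["src"] not in alerts and len({t for _, t in q}) >= min_targets:
            alerts[m["src"]] = ts
    return alerts

def sample_log():
    """Constructed log: one ordinary deny, then one source sweeping 12 ports, 2 s apart."""
    base = datetime(2011, 3, 10, 14, 2, 0)
    fmt = ('{ts}: %ASA-4-106023: Deny tcp src outside:{src}/{sp} '
           'dst inside:192.0.2.10/{dp} by access-group "outside_in" [0x0, 0x0]')
    lines = [fmt.format(ts=base.strftime(TS_FMT), src="198.51.100.20", sp=51000, dp=25)]
    ports = [21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389, 8080]
    for i, port in enumerate(ports):
        ts = (base + timedelta(seconds=2 * i)).strftime(TS_FMT)
        lines.append(fmt.format(ts=ts, src="203.0.113.7", sp=40000 + i, dp=port))
    return lines

if __name__ == "__main__":
    for src, when in find_scanners(sample_log()).items():
        print(f"possible scan from {src}, threshold reached at {when}")
```

A scan paced slower than the window never reaches the threshold, so the window and target count have to be tuned against normal deny volume.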

