08-09-2002 11:37 AM - edited 02-20-2020 10:12 PM
Hi,
how can I see in the Pix 501 logs all the
attacks I had (like port scanning etc.)?
It seems there aren't any.
This information is important for me.
Before using the Pix 501 I was using firewall software (ZoneAlarm),
and it added all the hackers' activities to the logs.
Thanks.
Mark.
08-10-2002 12:11 AM
You need to enable 'ip audit' i.e. IDS feature on the PIX which scans for common signatures/attacks.
Cisco Intrusion Detection System (Cisco IDS) provides the following for IP-based systems:
- Traffic auditing. Application-level signatures will only be audited as part of an active session.
- Applies the audit to an interface.
- Supports different audit policies. Traffic matching a signature triggers a range of configurable actions.
- Disables the signature audit.
- Enables IDS and still disables actions of a signature class (informational, attack).
Auditing is performed by looking at the IP packets as they arrive at an input interface, if a packet triggers a signature and the configured action does not drop the packet, then the same packet can trigger other signatures.
PIX Firewall supports both inbound and outbound auditing.
For a complete list of supported Cisco IDS signatures, their wording, and whether they are attack or informational messages, refer to Cisco PIX Firewall System Log Messages.
Supported IDS Signatures
------------------------------------
PIX Firewall lists the following single-packet IDS signature messages: 1000-1006, 1100, 1102, 1103, 2000-2012, 2150, 2151, 2154, 3040-3042, 4050-4052, 6050-6053, 6100-6103, 6150-6155, 6175, 6180, and 6190.
IDS syslog messages all start with %PIX-4-4000nn and have the following format:
%PIX-4-400013 IDS:2003 ICMP redirect from 10.4.1.2 to 10.2.1.1 on interface dmz
%PIX-4-400032 IDS:4051 UDP Snork attack from 10.1.1.1 to 192.168.1.1 on interface outside
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/gl.htm#xtocid9
HTH
R/Yusuf
08-10-2002 07:02 AM
Thanks, I have read the documentation about "ip audit" but I haven't exactly understood what to do.
I have a default Pix 501 configuration.
In the PDM / Monitoring tab / PDMLog / View
I see all the logs but not the %PIX-4-4000nn
attack logs.
How can I enable them?
Is there a specific CLI or PDM command?
Thanks.
Mark.
08-10-2002 07:27 AM
Hi Mark,
You will need to configure IP Audit, as per the command reference (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/gl.htm#xtocid9) before you will see the %PIX-4-4000nn in the syslog.
The link will take you to commands that you can enter at the command line of PDM or at the console of the firewall.
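The following is an added example of the IP audit configuration the command reference describes; it is not from the thread or from Cisco's page. It assumes the Internet-facing interface is named "outside", a policy name of "outside-ids", and a syslog server at 192.168.1.10 reachable through the "inside" interface; all three are assumptions. Two points matter in practice: auditing only happens on an interface that has a named policy bound to it with `ip audit interface` (the global `ip audit info action` / `ip audit attack action` lines only set default actions, they do not audit anything by themselves), and the %PIX-4-4000nn messages are severity 4 (warnings), so the buffer and trap levels must be at least "warnings" or they are never recorded.

```text
: Added example, not the original post's configuration. Interface names,
: the policy name and the syslog address are assumed values.
:
: One named policy covering both signature classes. "alarm" emits the
: %PIX-4-4000nn syslog message, "drop" discards the offending packet,
: "reset" additionally tears down a TCP connection.
ip audit name outside-ids info action alarm
ip audit name outside-ids attack action alarm drop
:
: Bind the policy to the interface. Without this line no signature is
: ever evaluated, whatever the global default actions say.
ip audit interface outside outside-ids
:
: Optional: silence one noisy informational signature (2004 = ICMP echo
: request) without turning off the rest of the policy.
ip audit signature 2004 disable
:
: IDS messages are severity 4, so keep level 4 (warnings) or more
: verbose. "logging buffered" keeps them on the box for "show logging";
: "logging trap" + "logging host" additionally sends them to a syslog
: server, which is optional.
logging on
logging buffered warnings
logging trap warnings
logging host inside 192.168.1.10
:
: Checks after a test scan from outside: per-signature hit counters and
: the buffered messages.
show ip audit count interface outside
show logging
```

If `show ip audit count interface outside` shows hits but `show logging` is empty, the logging level is the problem, not the audit policy; if the counters stay at zero during a scan, the policy is not bound to the interface the traffic arrives on.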
08-10-2002 11:35 AM
Thank you,
I use the PIX 501 in a small office installation
and I have seen that the CLI commands are quite difficult.
To test the PIX I have run from the web
some "hacker" tests like port scanning etc.,
and the Pix correctly stopped them.
The only problem is that I can't see these attacks in the Pix logs.
The configuration is:
===
IP AUDIT INFO ACTION ALARM
IP AUDIT ATTACK ACTION ALARM
===
1) Do I have to change something in the "IP AUDIT" commands or related?
2) Do I have to create a "syslog server", or
can I see the "PIX-4-4000nn" logs in PDM / Monitoring tab / PDMLogs / View?
Thanks again.
Mark.