PIX IDS Signatures

r-lemaster
Level 1

Does anyone know the PIX IDS signatures to block Ping sweeps and Port scans?

Do IDS signatures override ACLs previously set? For example, I want to allow people to ping me (I've allowed ICMP echo in my ACL), but I want to drop ping sweeps and port scans.

Gracias.

Accepted Solution

gfullage
Cisco Employee

The PIX IDS signatures are all listed here:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/syslog/pixemsgs.htm#1032267

You'll notice that there aren't sigs for port scans and ping sweeps, primarily because the PIX doesn't detect these. This would involve the PIX keeping track of all pings or connection attempts and trying to figure out if a sweep is going on; this is not what the PIX is designed for.

If you want to see these, then a NIDS system is the best way to go. PIX IDS is very limited and only looks for a very small subset of signatures, and most of those signatures just involve one packet, not trying to piece together multiple packets to different hosts or ports.

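The kind of multi-packet bookkeeping the answer says the PIX does not do, shown as a small log correlator. This is an added example written for this thread, not code from Cisco or from the PIX: it remembers, per source, which hosts were pinged and which ports on one host were probed inside a sliding window, and raises a ping-sweep or port-scan alert when a threshold is crossed. The thresholds, the 10-second window and the log lines are assumptions; the lines only approximate the layout of the PIX 106023 deny message and are constructed, not captured.

```python
"""Ping-sweep and port-scan detection over firewall log lines.

Added example for this thread, not Cisco or PIX code. PIX IDS signatures
match single packets; a NIDS (or a correlator fed by the PIX syslog)
detects sweeps by tracking, per source, how many distinct hosts (ping
sweep) or distinct ports on one host (port scan) were touched inside a
time window. Window, thresholds and log format are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)  # assumed correlation window
HOST_THRESHOLD = 5              # distinct hosts pinged by one source -> ping sweep
PORT_THRESHOLD = 5              # distinct ports on one host from one source -> port scan


def _deny(ts, proto, src, dst):
    # Constructed line approximating the PIX 106023 deny layout (not a real capture).
    return (f"Jan 10 {ts} fw %PIX-4-106023: Deny {proto} src outside:{src} "
            f'dst inside:{dst} by access-group "outside_in"')


# Constructed sample log: one sweep, one scan, two benign sources and one
# slow scanner whose probes are spread wider than the window.
SAMPLE_LOG = [
    *[_deny(f"10:00:0{i // 2}", "icmp", "10.9.9.9", f"192.168.1.{10 + i}") for i in range(6)],
    _deny("10:00:03", "icmp", "172.16.0.5", "192.168.1.10"),            # a single legitimate ping
    *[_deny("10:00:05", "tcp", "10.8.8.8/40001", f"192.168.1.20/{p}") for p in (21, 22, 23, 25, 80, 443)],
    _deny("10:00:06", "tcp", "172.16.0.6/51000", "192.168.1.20/80"),   # repeat hits on one port
    _deny("10:00:07", "tcp", "172.16.0.6/51001", "192.168.1.20/80"),
    *[_deny("10:00:10", "tcp", "10.7.7.7/40002", f"192.168.1.20/{p}") for p in (21, 22, 23)],
    *[_deny("10:05:10", "tcp", "10.7.7.7/40003", f"192.168.1.20/{p}") for p in (25, 80, 443)],
]

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ %PIX-\d-\d+: Deny (?P<proto>\w+) "
    r"src \w+:(?P<src>[\d.]+)(?:/(?P<sport>\d+))? "
    r"dst \w+:(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
)


def parse_line(line):
    """Return dict(ts, proto, src, dst, dport) or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        # syslog carries no year; only time differences matter here
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
        "proto": m["proto"].lower(),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]) if m["dport"] else None,
    }


def _expire(dq, now, window):
    """Drop entries older than the window from the front of a per-key deque."""
    while dq and now - dq[0][0] > window:
        dq.popleft()


def detect(lines, window=WINDOW, host_threshold=HOST_THRESHOLD, port_threshold=PORT_THRESHOLD):
    """Return alerts as (kind, src, detail) tuples, at most one per source/target."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    pings = defaultdict(deque)   # src -> deque of (ts, dst)
    probes = defaultdict(deque)  # (src, dst) -> deque of (ts, dport)
    alerts, fired = [], set()
    for e in events:
        if e["proto"] == "icmp":
            dq = pings[e["src"]]
            dq.append((e["ts"], e["dst"]))
            _expire(dq, e["ts"], window)
            hosts = sorted({d for _, d in dq})
            key = ("ping_sweep", e["src"])
            if len(hosts) >= host_threshold and key not in fired:
                fired.add(key)
                alerts.append((key[0], e["src"], hosts))
        elif e["dport"] is not None:
            dq = probes[(e["src"], e["dst"])]
            dq.append((e["ts"], e["dport"]))
            _expire(dq, e["ts"], window)
            ports = sorted({p for _, p in dq})
            key = ("port_scan", e["src"], e["dst"])
            if len(ports) >= port_threshold and key not in fired:
                fired.add(key)
                alerts.append((key[0], e["src"], (e["dst"], ports)))
    return alerts


if __name__ == "__main__":
    for kind, src, detail in detect(SAMPLE_LOG):
        print(kind, src, detail)
```

Running it flags 10.9.9.9 (five hosts pinged within two seconds) and 10.8.8.8 (five ports on one host), while the single ping, the repeated hits on port 80 and the slow scanner from 10.7.7.7 stay quiet: its second batch arrives five minutes later and the first batch has already aged out of the window. That last case is the usual trade-off with threshold-and-window detection, and the reason a NIDS keeps far more state and tunes windows and thresholds than a firewall's single-packet signature check ever could.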