PIX Logging

mtobkes
Level 1

If I suspect that my network is under attack, what level should I be logging, and what should I be looking for, to tell if someone is attempting to attack my network? Thanks.

3 Replies

Patrick Iseli
Level 7

Warning for logging should be fine.

Look for DROP packets from the same source IP, if SYN flooding is the problem.

Do you have public services such as HTTP, SMTP or others?

I suppose yes; then take a look at whether you have an excessive amount of SYN packets on the protocol.

The easiest way to do that is to put a sniffer in place and do some statistical work.

Another way could be to put an NTOP host on the Internet (http://www.ntop.org/ntop.html) to see real-time traffic.

Sincerely

Patrick
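Added example, not part of the thread or of any poster's reply: a small Python script that does the "statistical work" on collected PIX syslog, counting denied packets per source IP and SYN-only denies per destination service. It matches the deny messages 106001 (severity 2) and 106023 (severity 4), both of which are emitted at the warnings level; the sample lines, the `fw` host name, the syslog timestamp prefix and the threshold of 3 are constructed assumptions.

```python
import re
from collections import Counter

# PIX deny messages visible at "warnings": 106001 (severity 2) and 106023 (severity 4).
DENY_PATTERNS = [
    re.compile(r"%PIX-2-106001: Inbound TCP connection denied from "
               r"(?P<src>[\d.]+)/\d+ to (?P<dst>[\d.]+)/(?P<dport>\d+) "
               r"flags (?P<flags>[A-Z ]+?) on interface"),
    re.compile(r"%PIX-4-106023: Deny (?P<proto>\w+) src \S+?:(?P<src>[\d.]+)/\d+ "
               r"dst \S+?:(?P<dst>[\d.]+)/(?P<dport>\d+)"),
]

# Constructed sample lines (documentation IP ranges), not taken from the thread.
SAMPLE_LOG = """\
Mar 03 10:15:01 fw %PIX-2-106001: Inbound TCP connection denied from 203.0.113.7/4021 to 192.0.2.10/80 flags SYN on interface outside
Mar 03 10:15:01 fw %PIX-2-106001: Inbound TCP connection denied from 203.0.113.7/4022 to 192.0.2.10/80 flags SYN on interface outside
Mar 03 10:15:02 fw %PIX-4-106023: Deny tcp src outside:203.0.113.7/4023 dst inside:192.0.2.10/25 by access-group "outside_in"
Mar 03 10:15:03 fw %PIX-4-106023: Deny udp src outside:198.51.100.9/53 dst inside:192.0.2.10/1434 by access-group "outside_in"
Mar 03 10:15:04 fw %PIX-6-302013: Built inbound TCP connection 12 for outside:198.51.100.20/3312 (198.51.100.20/3312) to inside:192.0.2.10/80 (192.0.2.10/80)
"""

def parse_denies(lines):
    """Yield (src, dst, dport, flags) for every deny line; other messages are skipped."""
    for line in lines:
        for pat in DENY_PATTERNS:
            m = pat.search(line)
            if m:
                g = m.groupdict()
                yield g["src"], g["dst"], int(g["dport"]), g.get("flags", "")
                break

def summarize(lines, threshold=3):
    """Return (sources at or above threshold, SYN-only denies per dst service)."""
    per_src, syn_per_service = Counter(), Counter()
    for src, dst, dport, flags in parse_denies(lines):
        per_src[src] += 1
        if flags == "SYN":
            syn_per_service[(dst, dport)] += 1
    noisy = [(s, n) for s, n in per_src.most_common() if n >= threshold]
    return noisy, syn_per_service

if __name__ == "__main__":
    noisy, syn = summarize(SAMPLE_LOG.splitlines())
    for src, n in noisy:
        print(f"{src}: {n} denied packets")
    for (dst, port), n in syn.most_common():
        print(f"SYN denied to {dst}:{port}: {n}")
```

On real data, feed it the file your syslog server writes and raise the threshold to suit your normal background noise.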

garethhinton
Level 1

I normally use 'log buff warn'

Nice and easy to 'clear log' and see up to date entries, nothing clogging your screen up when trying to configure.

Obviously if your pix is letting this straight through, you're not going to see it in the log, but if you're looking for attacks that your pix is currently protecting you from, it will be there.

Tighten up the pix where necessary and you can quickly see any genuine traffic you may have stopped inadvertently.

Paul Greenberg
Level 1

I'm not as big a specialist as others, but a really good solution is to set it to Notifications. Why?

1. On each access-list apply logging policy.

2. Install Kiwi (any syslog server)

3. You will not be able to determine the attack that's going on in the right way. That's why you need to log all the events in case you need the evidence.

4. Check all your servers that the STATIC command translates. In the event logs you can find a lot of interesting stuff.

And after one day of capturing syslog messages, sit on them for a day and try to analyze them.

I usually do so.

Example is simple:

Somebody usually comes to my website from a site such as www.anonymizer.com/. What does it mean for any security specialist... right! He only wants to look at the pictures on my site :)
