Core issue
The Cisco Intrusion Detection System (IDS) functionality on the PIX Firewall is only available in PIX Operating System (OS) version 6.0 and later. However, some signatures supported in the Cisco IDS Sensor are not available in the PIX.
Resolution
The PIX lists these single-packet IDS signature messages:
- 1000-1006
- 1100
- 1102
- 1103
- 2000-2012
- 2150
- 2151
- 2154
- 3040-3042
- 4050-4052
- 6050-6053
- 6100-6103
- 6150-6155
- 6175
- 6180
- 6190
The PIX lists single packet (atomic) Cisco IDS signature messages through the System Log (Syslog). All PIX IDS Syslog messages start with %PIX-4-4000nn (where nn is in the range of 00 through 51) and have this format:
%PIX-4-4000nn IDS:number string from IP_address to IP_address on interface interface_name
These descriptions define the format:
- number is the signature number.
- string is the signature message, and is approximately the same as the NetRanger signature message.
- IP_address is the local to remote address to which the signature applies.
- interface_name is the name of the interface where the signature originated.
For example:
%PIX-4-400013 IDS:2003 ICMP redirect from 10.4.1.2 to 10.2.1.1 on interface dmz
This means that the IDS log message 400013 is for the signature "ICMP redirect", whose signature ID is 2003.
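An added example, not part of the Cisco document: a parser for the %PIX-4-4000nn message format described above, run over a constructed sample log. It validates the nn range (00 through 51), extracts the signature number, message text, addresses and interface, and flags whether the signature number falls in one of the ranges the document lists as supported on the PIX. The sample lines other than the document's own example are constructed and carry made-up descriptions.

```python
import re
from typing import Optional

# Format from the document:
#   %PIX-4-4000nn IDS:number string from IP_address to IP_address on interface interface_name
# re.search (not match) tolerates a syslog timestamp/hostname prefix before "%PIX".
PIX_IDS_RE = re.compile(
    r"%PIX-4-4000(?P<nn>\d{2}) IDS:(?P<sig>\d+) (?P<desc>.+?) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) to (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"on interface (?P<iface>\S+)\s*$"
)

# Single-packet signature IDs the document lists as supported on the PIX.
PIX_SIGNATURE_RANGES = [
    (1000, 1006), (1100, 1100), (1102, 1103), (2000, 2012), (2150, 2151),
    (2154, 2154), (3040, 3042), (4050, 4052), (6050, 6053), (6100, 6103),
    (6150, 6155), (6175, 6175), (6180, 6180), (6190, 6190),
]

def is_pix_signature(sig: int) -> bool:
    """True if sig falls in one of the ranges the document lists for the PIX."""
    return any(lo <= sig <= hi for lo, hi in PIX_SIGNATURE_RANGES)

def parse_pix_ids_message(line: str) -> Optional[dict]:
    """Parse one syslog line; return None if it is not a well-formed 4000nn IDS message."""
    m = PIX_IDS_RE.search(line)
    if m is None or not 0 <= int(m.group("nn")) <= 51:   # nn must be 00 through 51
        return None
    sig = int(m.group("sig"))
    return {
        "message_id": "4000" + m.group("nn"),
        "signature": sig,
        "description": m.group("desc"),
        "src": m.group("src"), "dst": m.group("dst"),
        "interface": m.group("iface"),
        "known_pix_signature": is_pix_signature(sig),
    }

def parse_pix_ids_log(lines) -> list:
    """Parse many lines, dropping non-IDS or malformed ones."""
    return [r for r in map(parse_pix_ids_message, lines) if r is not None]

# Constructed sample log: line 1 is the document's own example; lines 2-4 are made up.
SAMPLE_LOG = [
    "%PIX-4-400013 IDS:2003 ICMP redirect from 10.4.1.2 to 10.2.1.1 on interface dmz",
    "Jan  1 00:00:01 fw1 %PIX-4-400004 IDS:1004 constructed sample from 192.0.2.10 to 192.0.2.20 on interface outside",
    "%PIX-4-400099 IDS:5000 bad nn value from 192.0.2.10 to 192.0.2.20 on interface outside",
    "%PIX-6-302013 Built inbound TCP connection (constructed non-IDS line)",
]
```

Calling parse_pix_ids_log(SAMPLE_LOG) yields two records: the document's example (signature 2003, in the 2000-2012 range) and the constructed 1004 line; the out-of-range nn line and the non-IDS line are dropped.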
For more information on the PIX IDS Syslog messages and the commands used by the PIX to handle the signatures, refer to the Managing IDS Syslog Messages section of Accessing and Monitoring PIX Firewall.