Core issue

The Cisco Intrusion Detection System (IDS) functionality on the PIX Firewall is only available in PIX Operating System (OS) version 6.0 and later. However, some signatures supported in the Cisco IDS Sensor are not available in the PIX.

Resolution

The PIX lists these single-packet IDS signature messages:

• 1000-1006      
• 1100      
• 1102      
• 1103      
• 2000-2012      
• 2150      
• 2151      
• 2154      
• 3040-3042      
• 4050-4052      
• 6050-6053      
• 6100-6103      
• 6150-6155      
• 6175      
• 6180      
• 6190

The PIX lists single packet (atomic) Cisco IDS signature messages through the System Log (Syslog). All PIX IDS Syslog messages start with %PIX-4-4000nn (where nn is in the range of 00 through 51) and have this format:

%PIX-4-4000nn IDS:number string from IP_address to IP_address on interface interface_name

These descriptions define the format:

• The number is the signature number.  
     
• The string is the signature message, and is approximately the same as the NetRanger signature message.  
     
• The IP_address is the local to remote address to which the signature applies.  
     
• The interface_name is the name of the interface where the signature originated.

For example:

%PIX-4-400013 IDS:2003 ICMP redirect from 10.4.1.2 to 10.2.1.1 on interface dmz

This means that the IDS log message 400013 is for the signature "ICMP redirect", whose signature ID is 2003.

For more information on the PIX IDS Syslog messages and the commands used by the PIX to handle the signatures, refer to the Managing IDS Syslog Messages of Accessing and Monitoring PIX Firewall.