IDS shunning on the PIX

How do I configure the PIX for IP blocking when my IDS detects abnormal activity?

My IDS version is 1,0000 S4

I have CSPM version 2.3.3i

You do not really configure the PIX; you just configure the sensor (via CSPM) to block. When the sensor detects a signature that is set to block, it will telnet/SSH to the PIX and add a "shun" command, which blocks all packets from the source of the signature.

http://www.Cisco.com/univercd/CC/TD/doc/product/ISMG/policy/ver23i/idsguide/CH03.htm#57747

Note that for a PIX there is no interface to apply it to; the shun gets applied to all incoming packets on all interfaces.

You must then change the particular signature so that one of its actions is to block.

http://www.Cisco.com/univercd/CC/TD/doc/product/ISMG/policy/ver23i/idsguide/CH05.htm#xtocid263714

BTW, I would seriously consider upgrading your signatures; you are about 25 signature updates and 4 service packs behind now.

Tags: Cisco Security

Similar Questions

  • Notification from IDS on the PIX

    Is there a way to have the PIX send an e-mail notification when a certain event occurs, for example an IDS alarm?

    No, sorry, the PIX does not do anything like this. It will only send a syslog message when it detects an IDS alert.

  • Shunning a host on the PIX 520 but alerts still coming to the IDS

    Last week I saw a lot of traffic from a particular host that triggered IDS alerts. After investigating the source, I added a shun statement to the pix. When I do a 'show shun statistics' the count for this host is quite high (352) and rising. I still get IDS alerts on this particular host (IP fragment and host sweeps). I assumed that if I was shunning an IP address, I would not receive IDS alerts on it. Can someone explain what I am doing wrong? Thanks in advance.

    Seems obvious, but it can't hurt to ask: where is your sensor's sniffing interface? Of course, if your sniffing interface is located outside the pix, then the junk traffic will always reach the pix; it just won't get through it.

    Also, are you shunning this host for these alarms? Does a 'show shun' show that host being blocked AT the time you see alerts for this particular host?

    Jeff

  • Shunning does not work with pix 6.1 (4)

    I use IDS sensor version 3,0000 S36 and pix version 6.1 (4), and I'm shunning on the pix using telnet. But I am seeing these errors in errors.managed:

    17/12/2002 13:32:06UTC E Read error [operation now in progress] fd [3]

    17/12/2002 13:33:11UTC Comm E timeout for [pix_IP]. No recovery will be given at this time.

    17/12/2002 13:33:57UTC Comm E timeout for [pix_IP]. No recovery will be given at this time.

    Notes:

    -the managed.conf configuration file is correct

    -I can telnet manually (from the command line) from the sensor to the pix, so there is no communication problem.

    -I know this problem is reported for pix 6.2 (1); does it also apply to 6.1 (4)?

    -in the managed.conf file the conf is: "NetDevice [pix_IP] PIX [telnet_pass] [enable_pass]"

    but when I run the command "nrgetbulk 10003 hostid orgid 1 NetDevice" on the sensor, I get:

    "Cisco [telnet_pass] [enable_pass] [pix_IP]"

    Does anyone have a solution besides the answer "use ssh"?

    You can get a little more detailed diagnostic information by running the command "nrget 10003 hostid orgid 1 diagnosis". This will tell you the status of all net devices used for shunning.

    You can also determine whether bug CSCdx55215 is occurring on your sensor: from the sensor, telnet to the PIX command line. If you see the banner "User Access Verification", then the bug will occur and you will need to get the nr.managed engineering code for CSCdx55215.

    Here is a link (it requires a CCO account) for the beta version of the code:

    http://www.Cisco.com/cgi-bin/tablebuild.pl/NIDs

    If you download the file, please send me an email ([email protected] / * /) and I'll give you installation instructions.

    I'm fairly sure you are seeing this bug, because one of its side effects is that the PIX is misidentified as a router (i.e. Cisco instead of PIX).

  • Configure the PIX 501 for IDS

    I have a PIX 501 with a wired high-speed LAN at headquarters on the inside and outside. What would be a solid IDS policy to enable, and which interfaces should it be applied to? Are there other measures necessary to enable IDS?

    IDS on the PIX itself is very limited; it checks only the 59 signatures listed here (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/gl.htm#xtocid9 under the "Supported IDS signatures" section). The signatures themselves are pretty basic.

    If you do not want to activate this, then for the attack signatures I would set the action to drop/alarm/reset, which is the default anyway.

    You will also need to set up logging to a syslog server and monitor the syslog for any 4000nn messages, since those are the IDS events.

  • PIX IDS signatures

    Does anyone know the PIX IDS signatures to block ping sweeps and port scans?

    Do IDS signatures override previously defined ACLs? For example, I want to allow people to ping me (I allowed icmp echo in my ACL), but I want to drop ping sweeps and port scans.

    Gracias.

    PIX IDS signatures are all listed here:

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_62/syslog/pixemsgs.htm#1032267

    You will notice that there are no sigs for port scans and ping sweeps, mainly because the PIX does not detect them. That would require the PIX to keep track of all pings or connection attempts and try to work out whether a scan is going on, which is not what the PIX is designed for.

    If you want to see these, then a NIDS is the best way to go. PIX IDS is very limited and only looks for a very small subset of signatures, and most of those signatures consist of a single packet; it does not try to correlate several packets to different hosts or ports.

  • PIX: IDS drop allowed vs ACL

    Do IDS signatures override previously defined ACLs?

    If I allowed echo reply in my ACL, but I set the IDS to drop echo reply packets, what will the PIX do?

    Does the ACL or the IDS have precedence on the PIX?

    IDS drops override ACL permits.

  • Shunning to a pix

    I have shunning configured but I'm confused about the blocking configuration on the signatures. What is the difference between block host and block connection? On my signatures I now have block host checked and the shun works, but it only creates a block for the sport and dport of that one event, and it allows multiple entries for the same IP address. Does the connection block block the whole IP address?

    Theoretically, a host block blocks all packets from that source address. Connection blocks block just one connection based on the source and destination IP/port. However, the PIX works a little differently.

    For automatic shuns the sensor sends the source IP, destination IP, source port and destination port. The PIX simply blocks all packets from that IP address. The additional information is used by the PIX to remove that one connection from its connection table. If the connection were not removed from the connection table, then it is theoretically possible that if the shun were removed shortly after it was applied, the original connection might not yet have expired, and the attacker could continue the attack on the original connection. Removing the connection from the table ensures that the original connection cannot be used to continue the attack after the shun is removed.

    So the sensor cannot shun only one connection on the PIX, because the PIX itself does not support shunning a single connection with the shun command. The PIX shun command will always shun the source address regardless of whether or not the additional connection information is provided.

  • PIX IDS "large ping"

    Is it possible to allow large ping replies through the PIX IDS attack signature without completely turning off the IDS?

    Hello

    Use the 'ip audit signature' command to disable this signature.

    ip audit signature:

    Specify the messages to display, establish a global policy for a signature, and disable or exclude a signature from auditing.

    I think the signature is 2151: Large ICMP Traffic

    Hope this helps,

    Christophe

  • How to interpret error PIX IDS

    Hi all

    For example, I got this message: "IDS:6053 DNS request for all records".

    Where can I find out exactly what this and other IDS messages mean, what their ramifications are, and if possible what corrective measures to take?

    Peace

    Roy

    The "6053" in this message (and in all IDS-type messages on the PIX) is the signature number. You can look up what it means in the Network Security Database (NSDB) here:

    http://www.Cisco.com/cgi-bin/front.x/CSEC/idsAllList.pl

    Note that the PIX does not check for all these signatures, only a small subset of them in fact.

  • Spam prevention with PIX IDS

    Some firewalls (such as Raptor) have a function that checks the IP/domain of incoming mail to make sure that the sender's domain name resolves (reverse) to the sender's IP address. This prevents spammers from sending mail to your mail server with forged addresses. Does the PIX do this? How about checking sending IPs against block lists? That would be cool. And nachos. Nachos are cool, too.

    Nope, that is not something the pix offers.

    IMHO these functions are better done at the mail server level; that way the email admins are fully accountable for the reception and delivery of email throughout the org and to the 'net, rather than splitting responsibilities between the security staff and the email admins.

  • Integration with the PIX IDS firewall

    I read the Release Notes for Cisco Intrusion Detection System Sensor Version 3.0 S4 (1) and stumbled on the new features of this version; it claims integration with the PIX firewall.

    How do you implement this? What kind of integration does it offer?

    Instructions for the sensor and the basic configuration of PIX can be found here:

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids8/13870_01.htm#xtocid23

    Instructions for sensor and PIX SSH configuration can be found here:

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids8/13870_01.htm#xtocid16

    You can configure the sensor to connect to the PIX via telnet when using the PIX inside interface; otherwise you have to use SSH.

    SSH with 3des encryption is supported in version 3.0 or later sensors for connections to the PIX.

    Warning: If you use telnet with PIX version 6.2.1 or later, or if you want to use SSH with encryption on any PIX, then you need a patch for your sensor. If so, open a TAC case and ask for the latest nr.managed engineering version. Reference [email protected] / * / for any question.

  • IDS 4215 sensor system has no IP logs

    Can someone enlighten me please?

    I have configured a 4215 sensor running the latest version 4 software & signatures.

    I have configured the sensor to use a Pix for shunning; the configuration has worked for more than a week, I chose some signatures to block on, it works, and I can see hosts in the shun list.

    My problem is that under , there are no log files listed.

    Is this correct?

    In version 3 on a 4210 sensor there were several log files listed; these were downloadable to my local machine, where I could then import them into IDS Event Viewer and display all events. Is this no longer how it's done in version 4?

    What I can do under , is see the list of events that have been posted through the IDM web page.

    Any help would be greatly appreciated.

    Regards

    Mark

    First of all, I think there is some confusion between the IP logs and the alarm logs.

    There were 2 types of log files in version 3.x.

    The traditional log file contained alarms in a comma-delimited format that could be imported into IEV.

    The second was an IP log, which was a log of the actual binary packets observed after the signature fired.

    The "log" action on the signature resulted in the creation of an IP log file and had nothing to do with whether or not an alarm was recorded in the comma-delimited log file.

    Logging of alarms in the comma-delimited log file was controlled by whether loggerd was enabled on the sensor and whether loggerd was configured as a destination for messages in the destinations file.

    In version 3.x, you could download individual log files to your own PC and open them in IEV or load them into your own database.

    In version 4.x there is no longer the concept of individual alarm files or IP log files on the sensor.

    The alarm logs have been replaced by a circular buffer called the eventStore. It can be compared to a large circular database. The eventStore is 4 GB in size, and when it is full it will begin to overwrite the oldest alarms with the most recent alarms.

    IP logs have been replaced by a similar circular store for IP log data.

    The alarm data in version 4.x cannot be FTP'd off the sensor as an alarm log.

    Instead, you have these options:

    (1) use IDM to query the eventStore and pull the alarms that match some criteria. You can then view the messages in plain text format.

    (2) use the "show events" CLI command to do the same thing that IDM can do.

    (3) contact Cisco TAC and ask for the RDEP specification, which provides the syntax for you to create your own queries to the sensor and pull alarms in a raw XML format that you can then load into your own database.

    (4) If you are an IEV user, then the 4.x IEV has the ability to pull older alarms from the sensor.

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids10/idmiev/swchap6.htm#604023

    In the device properties, simply set an older start time and IEV will automatically pull those earlier events from the sensor.

    NOTE: There is no import function that can import the plain text or XML events you would see with options 1, 2 or 3 above. So if you want to see them in IEV then use option 4.

    Now for iplogs: they can be FTP'd off the sensor using the copy command. But iplogs are the binary packet data and not a list of alarms. They are created only when the "log" action is selected.

    NOTE: IP logging consumes sensor resources and can slow down the sensor's performance. It is not necessary to IP log an alarm to see the alarm itself in IEV or other management stations. So the "log" action should rarely be used, only when the binary packet data is needed.

  • PIX configuration as a blocking device w/ TACACS+ authentication

    Hello

    I have a PIX running version 6.3 (1). The PIX is configured to use a CSACS 3.1 server for AAA authentication and authorization with TACACS+. The sensor is running 2.0000 Sig46.

    Before adding AAA to the PIX, the sensor was able to connect and set up shuns correctly. Since adding the AAA configuration to the PIX, I have been unable to get the sensor to connect to the PIX for shunning.

    I created a login and password with admin rights for the IDS sensor to connect and create shuns. I could authenticate and build shuns manually via both a Telnet and an SSH connection using this login. I have tried removing and re-adding the blocking device several times.

    When I configure the PIX as a Telnet blocking device, I see the net device state as "initializing" when looking at the statistics in IDM. When I configure the PIX as an SSH blocking device, I see the state as "inactive".

    Please let me know if you have any suggestions; if not, I guess I will open a case with TAC. Thanks in advance for the help!

    Kind regards

    Chad

    Make sure the PIX is in the list of allowed hosts. From the CLI, type

    configure terminal

    ssh host-key (pix interface ip)

    Check that you have associated the pix with the correct logical device. The logical device record contains the username, password and enable password. In IDM, it is selected from a drop-down list on the blocking devices page.

  • Questions about IDS 4.0 and IEV 4.0

    I have been playing with IDS/IDM/IEV 4.0 and so far I am really impressed with the upgrade!

    A few questions/suggestions:

    (1) In IDM, under the signature configuration, is there a quick way to edit a particular signature number? For example, I want to tune signature 3041; the only way I can find to do it if I don't know the category is to list all the signatures, then try to guess which page it's on. I think the previous version had a pop-up that listed the range of signatures on each page.

    (2) A suggestion: in IEV, looking at a view, the first column is a group and the second column contains the number of items in that group. However, double-clicking on the first column does not give detail, only double-clicking on column 2. It would be nice if the first column did too. (For example, for the severity level group, it would be nice to double-click on the word 'High' to see all the high-severity signatures.)

    (3) Is there a simple way in IEV or IDM to see which connections have been blocked? It would be nice to have a summary report of when connections were blocked and which IP addresses were affected. It would also be groovy if it were shown in IEV on the individual events (i.e. add an 'Action' column showing what action was taken, if any, for each signature firing).

    (4) Is it possible to export the settings I changed from the default value? So far I've just kept a Notepad file that lists the signatures I've set in case I have to re-install. (And from the looks of it, upgrading to the latest signatures wiped out my block settings.)

    (5) What is the difference between ShunHost & ShunConnection? The documentation does not really say. And is it designed to work with IOS vs Pix shunning?

    (6) The IDM docs imply that system variables can be used in the event filters, but when I try to apply the IN system variable to a filter, it won't let me, so I have to type in the addresses.

    That's all for now!

    I am pleased to hear that you like the new versions. I hope my answers to some of these questions/comments improve your experience.

    (1) In IDM, under the signature configuration, is there a quick way to edit a particular signature number? For example, I want to tune signature 3041; the only way I can find to do it if I don't know the category is to list all the signatures, then try to guess which page it's on. I think the previous version had a pop-up that listed the range of signatures on each page.

    ANSWER: Not at the moment. We have heard this feature request from multiple users. A future 4.0 version is already planned to bring back the 3.1 feature (listing the signature range per page). I cannot comment on when this version will be released.

    An alternative until then would be to select the option to view all signatures on the page (it will take a while to load), then use your browser's search button to take you to the line for the signature.

    (2) A suggestion: in IEV, looking at a view, the first column is a group and the second column contains the number of items in that group. However, double-clicking on the first column does not give detail, only double-clicking on column 2. It would be nice if the first column did too. (For example, for the severity level group, it would be nice to double-click on the word 'High' to see all the high-severity signatures.)

    ANSWER: I'll pass it on to the developers.

    (3) Is there a simple way in IEV or IDM to see which connections have been blocked? It would be nice to have a summary report of when connections were blocked and which IP addresses were affected. It would also be groovy if it were shown in IEV on the individual events (i.e. add an 'Action' column showing what action was taken, if any, for each signature firing).

    ANSWER: The IDM manual blocking tab will show you the current block list as well as let you add blocks or remove existing blocks.

    It's called 'Manual blocking', but it will also show you the current 'automatic blocking' (you may have to switch to another IDM screen and then return to refresh it with the latest shun list).

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids9/idmiev/swchap5.htm#195940

    Also, you can run the "show events" CLI command to show you what blocks have been attempted. If I remember correctly, the show events command line you would want is "show events nac", where the time and date are the earliest entry you want to display. (NOTE: NAC = Network Access Controller, the replacement for managed in the new V4.0 sensor.)

    I recommend playing with the different show events options to see the different information the sensor can provide in the new CLI.

    In addition, the attempted action is now included in the alarm itself, and IEV should have IPLOG, SHUN and TCP Reset columns showing what action was attempted. Check the settings and make sure you have those columns selected to be displayed in your view. (The attempted actions are visible when looking at individual alarms, not in the summary windows.)

    (4) Is it possible to export the settings I changed from the default value? So far I've just kept a Notepad file that lists the signatures I've set in case I have to re-install. (And from the looks of it, upgrading to the latest signatures wiped out my block settings.)

    CLI commands to check:

    more current-config - gives a CLI-style listing of the configuration; under the virtualSensor area it shows only your changes to the signatures rather than the full default signature definitions.

    copy current-config backup-config - backs up your current config to a storage area on the sensor itself.

    copy current-config - allows you to save your configuration to a location. The location could be an ftp or scp server.

    Example:

    copy current-config ftp://user@10.1.1.1/config-backups/sensor1-config

    (5) What is the difference between ShunHost & ShunConnection? The documentation does not really say. And is it designed to work with IOS vs Pix shunning?

    Shun host creates the following ACL entry:

    deny ip any

    SO it blocks all packets from the source.

    Shun connection, on the other hand, creates the following ACL entry

    (NOTE: I am doing this from memory, so I'm not entirely sure of my response below; you may need to test to know for sure):

    deny eq

    SO it blocks only the packets from the source to the victim's IP that go to the same port where the attack occurred.

    NOTE: Multiple connection shuns for the same srcip may cause the entries to be combined into a single host shun, to prevent that IP from filling up your ACL.

    Regarding IOS vs PIX: the above entries are for IOS. Similar entries can be seen with the shun command on the Pix, but no matter what you enter with the Pix shun command, it will always shun the entire source IP address. So if you shun connections with a Pix, the shun command has the other information, but the Pix will always shun the whole source IP.

    (6) The IDM docs imply that system variables can be used in the event filters, but when I try to apply the IN system variable to a filter, it won't let me, so I have to type in the addresses.

    Looks like it may be a bug.
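The "Configure the PIX 501 for IDS" and "PIX IDS large ping" answers above describe the three pieces of a PIX-side IDS policy: audit policies bound to an interface, disabling a single signature (2151) rather than the whole feature, and sending the 4000nn messages to a syslog server. This is a constructed PIX 6.x configuration fragment added here to show them together; it is not from the original posts, and the policy names, interface and syslog address are assumptions.

```text
: constructed PIX 6.x IDS configuration (names and addresses are assumptions)
: informational signatures only alarm; attack signatures alarm, drop and reset
ip audit name INFO-OUTSIDE info action alarm
ip audit name ATTACK-OUTSIDE attack action alarm drop reset
: bind both policies to the outside interface
ip audit interface outside INFO-OUTSIDE
ip audit interface outside ATTACK-OUTSIDE
: keep IDS on but stop dropping large pings (signature 2151, Large ICMP Traffic)
ip audit signature 2151 disable
: IDS messages are severity 4 (warnings); ship them to a syslog host on the inside
logging on
logging trap warnings
logging host inside 192.0.2.5
```

With `logging trap warnings` the 4000nn messages reach the syslog host, which is where the answer says the IDS events have to be watched, since the PIX itself only alarms, drops or resets.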
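Two answers above turn on the same point: the "Configure the PIX 501 for IDS" reply says the IDS events have to be picked out of syslog as 4000nn messages, and the "How to interpret error PIX IDS" reply explains that the number after "IDS:" in such a message is the signature number. The Python below is an added example, not code from the original posts: it parses constructed PIX IDS syslog lines, pulls out the message id, signature, source and destination, and summarises them. The message layout (%PIX-<sev>-4000nn: IDS:<sig> <text> from <src> to <dst> on interface <name>) is assumed from the PIX syslog message format, the sample lines are constructed, and the 4000nn numbers in them are placeholders rather than real message-id/signature pairings.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Assumed PIX IDS message layout:
#   %PIX-<sev>-4000nn: IDS:<sig> <text> from <src> to <dst> on interface <name>
IDS_MSG = re.compile(
    r"%PIX-(?P<sev>\d)-(?P<msgid>4000\d{2}): IDS:(?P<sig>\d+) (?P<desc>.+?) "
    r"from (?P<src>[\d.]+) to (?P<dst>[\d.]+) on interface (?P<iface>\S+)"
)

# Constructed sample syslog; the third line is an ordinary connection message
# that the parser must skip. Message ids here are placeholders.
SAMPLE_LOG = """\
Dec 17 2002 13:32:06: %PIX-4-400013: IDS:2003 ICMP redirect from 198.51.100.7 to 192.0.2.10 on interface outside
Dec 17 2002 13:32:07: %PIX-4-400050: IDS:6053 DNS request for all records from 198.51.100.7 to 192.0.2.53 on interface outside
Dec 17 2002 13:32:09: %PIX-6-302013: Built inbound TCP connection 4711 for outside:198.51.100.9/40001 (198.51.100.9/40001) to inside:192.0.2.20/80 (192.0.2.20/80)
Dec 17 2002 13:32:11: %PIX-4-400013: IDS:2003 ICMP redirect from 198.51.100.7 to 192.0.2.11 on interface outside
Dec 17 2002 13:32:15: %PIX-4-400023: IDS:2151 Large ICMP from 203.0.113.4 to 192.0.2.10 on interface outside
"""


def parse_ids_events(log_text: str) -> List[Dict[str, str]]:
    """Return one dict (sev, msgid, sig, desc, src, dst, iface) per IDS message.
    Lines that are not 4000nn IDS messages are ignored."""
    events = []
    for line in log_text.splitlines():
        m = IDS_MSG.search(line)
        if m:
            events.append(m.groupdict())
    return events


def count_by_signature(events: List[Dict[str, str]]) -> Dict[str, int]:
    """How often each signature number fired; the number is the NSDB lookup key."""
    return dict(Counter(e["sig"] for e in events))


def noisy_sources(events: List[Dict[str, str]], threshold: int) -> List[Tuple[str, int]]:
    """Source addresses that triggered at least `threshold` IDS messages, busiest first.
    This is the kind of list an operator would review before deciding on a shun."""
    counts = Counter(e["src"] for e in events)
    return [(src, n) for src, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    evs = parse_ids_events(SAMPLE_LOG)
    for e in evs:
        print(f"{e['msgid']} sig={e['sig']} {e['src']} -> {e['dst']} ({e['desc']})")
    print("by signature:", count_by_signature(evs))
    print("sources with 2+ hits:", noisy_sources(evs, 2))
```

The signature number is kept as a string so it can be pasted straight into the NSDB lookup the answer points to; the parser deliberately does not try to map 4000nn message ids to signatures, because that mapping belongs to the PIX syslog guide rather than to the log line itself.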
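The "Shunning to a pix" answer and item (5) of the answer just above make the same distinction: on an IOS ACL device a connection shun denies only source to destination port while a host shun denies the whole source, several connection shuns for one source may be collapsed into a host shun, and a PIX always shuns the whole source address and merely uses the connection tuple to clear that one connection from its table. The Python below is an added model of that behaviour, not code from the original posts or from Cisco: the ACL syntax it prints, the threshold of 3 at which connection entries collapse, and the addresses are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    """The tuple a sensor sends with an automatic block request."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


class IosAclBlocker:
    """IOS-style blocking: a host shun denies the whole source; a connection shun
    denies only src -> dst:dport. Once COMBINE_AT connection entries exist for one
    source they collapse into a single host entry (threshold is an assumption)."""

    COMBINE_AT = 3

    def __init__(self) -> None:
        self.host_entries: Set[str] = set()
        self.conn_entries: Set[Tuple[str, str, int, str]] = set()

    def shun_host(self, ev: Event) -> None:
        self.host_entries.add(ev.src)
        # a host entry makes connection entries for that source redundant
        self.conn_entries = {c for c in self.conn_entries if c[0] != ev.src}

    def shun_connection(self, ev: Event) -> None:
        if ev.src in self.host_entries:
            return
        self.conn_entries.add((ev.src, ev.dst, ev.dport, ev.proto))
        if sum(1 for c in self.conn_entries if c[0] == ev.src) >= self.COMBINE_AT:
            self.shun_host(ev)

    def acl_lines(self) -> List[str]:
        """Illustrative ACL rendering (syntax assumed, not Cisco's exact output)."""
        lines = [f"deny ip host {src} any" for src in sorted(self.host_entries)]
        lines += [f"deny {proto} host {src} host {dst} eq {dport}"
                  for src, dst, dport, proto in sorted(self.conn_entries)]
        return lines

    def is_blocked(self, pkt: Packet) -> bool:
        if pkt.src in self.host_entries:
            return True
        return (pkt.src, pkt.dst, pkt.dport, pkt.proto) in self.conn_entries


class PixShunBlocker:
    """PIX-style blocking: 'shun' always covers the whole source address; the
    connection tuple only removes that connection from the connection table so
    it cannot be reused once the shun is lifted."""

    def __init__(self, conn_table: Set[Tuple[str, str, int, int]]) -> None:
        self.shunned: Set[str] = set()
        self.conn_table = set(conn_table)

    def shun(self, ev: Event) -> None:
        self.shunned.add(ev.src)
        self.conn_table.discard((ev.src, ev.dst, ev.sport, ev.dport))

    def no_shun(self, src: str) -> None:
        self.shunned.discard(src)

    def show_shun(self) -> List[str]:
        return [f"shun {src}" for src in sorted(self.shunned)]

    def is_blocked(self, pkt: Packet) -> bool:
        return pkt.src in self.shunned


def demo() -> Dict[str, object]:
    """Constructed scenario: one attacking host, three alerts against one victim."""
    attacker, victim = "198.51.100.7", "192.0.2.20"
    ev = Event(attacker, victim, 40001, 80)
    same_conn = Packet(attacker, victim, 40001, 80)
    other_port = Packet(attacker, victim, 40002, 443)

    ios = IosAclBlocker()
    ios.shun_connection(ev)
    ios_conn_only = (ios.is_blocked(same_conn), ios.is_blocked(other_port))
    ios.shun_connection(Event(attacker, victim, 40003, 22))
    ios.shun_connection(Event(attacker, victim, 40004, 25))  # third entry collapses

    pix = PixShunBlocker({(attacker, victim, 40001, 80), ("203.0.113.4", victim, 5000, 80)})
    pix.shun(ev)
    pix_result = (pix.is_blocked(same_conn), pix.is_blocked(other_port),
                  (attacker, victim, 40001, 80) in pix.conn_table, len(pix.conn_table))
    return {"ios_conn_only": ios_conn_only, "ios_collapsed": ios.acl_lines(),
            "pix": pix_result, "pix_show_shun": pix.show_shun()}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

On the IOS side the first connection shun blocks only the attacked port, and only after repeated entries does the source get a host entry; on the PIX side the very first shun already blocks every packet from the source, and the connection tuple's sole effect is that the matching entry disappears from the connection table while unrelated connections remain.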
