The Best Damn Cisco Internetworking Book Period

Cisco has a dedicated Intrusion Detection System (IDS) product, Cisco Secure IDS. A limited part of that functionality is also built into Cisco IOS and the Cisco PIX. Because the PIX is essentially an OSI Layer 3 and 4 filtering device, it can detect only simple attacks that occur at those layers and can be recognized by inspecting a single packet; anything that requires reassembling a stream or correlating several packets is beyond it. The PIX IDS signatures are a subset of the Cisco Secure IDS signature set, and they are compiled into the PIX software image, so upgrading the signatures means upgrading the whole PIX image. Intrusion detection can be configured on each interface in inbound and outbound directions. Each signature is classified as either informational ("info") or attack, and when the PIX matches a signature it generates an alarm of that class and sends it via syslog to the configured logging host (the configured action for a class can also be to drop the packet or to reset the connection).
Unfortunately, Cisco's own documentation is not clear about which signatures are supported in each specific version. The best way to check what your PIX can do in the area of intrusion detection is to browse the list of syslog messages produced by your specific version (the Cisco PIX Firewall System Log Messages guide). In v6.2, syslog messages numbered 400000 to 400050 are reserved for IDS messages; each message number corresponds to one signature, and all of them are logged at severity level 4 (warning). Their format is shown here:
%PIX-4-4000nn: IDS:sig_num sig_msg from IP_addr to IP_addr on interface interface_name
This syslog message means that the PIX has detected an attack with signature number sig_num and name sig_msg. The two IP addresses show the origin and destination...
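Because the PIX only reports IDS hits as syslog lines, the practical work of turning them into alerts happens on the logging host. The following is an added example (not code from the book or from Cisco) that parses IDS messages in the format above and aggregates them per source address and interface. The function names, the event threshold and the sample log lines are assumptions constructed for illustration; the signature numbers and names in them are shown only as plausible values and the parser does not depend on any particular mapping. The regex is searched rather than anchored, so the timestamp and hostname a syslog server prepends do not break it.

```python
import re
from collections import Counter

# Pattern for the PIX IDS syslog format:
#   %PIX-4-4000nn: IDS:<sig_num> <sig_msg> from <src> to <dst> on interface <if_name>
# Searched (not anchored) so that a syslog server's "Mon DD hh:mm:ss host" prefix is tolerated.
IDS_RE = re.compile(
    r"%PIX-(?P<level>\d)-(?P<msg_id>4000\d\d): "
    r"IDS:(?P<sig_num>\d+) (?P<sig_msg>.+?) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"on interface (?P<iface>\S+)"
)

# PIX 6.2 reserves message IDs 400000-400050 for IDS signatures.
IDS_MSG_MIN, IDS_MSG_MAX = 400000, 400050


def parse_pix_ids(line):
    """Return a dict of fields for a PIX IDS syslog line, or None if the line is not one."""
    m = IDS_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"])
    rec["msg_id"] = int(rec["msg_id"])
    rec["sig_num"] = int(rec["sig_num"])
    # Reject anything outside the IDS message range even if it superficially matched.
    if not IDS_MSG_MIN <= rec["msg_id"] <= IDS_MSG_MAX:
        return None
    return rec


def top_sources(lines, threshold):
    """Count IDS hits per (source IP, interface) and return those at or above
    threshold as (src, iface, count) tuples, most active first.  Non-IDS lines
    are ignored, so this can be run over a full PIX syslog stream."""
    counts = Counter()
    for line in lines:
        rec = parse_pix_ids(line)
        if rec:
            counts[(rec["src"], rec["iface"])] += 1
    return [(src, iface, n) for (src, iface), n in counts.most_common() if n >= threshold]


# Constructed sample log lines (hypothetical hosts and addresses); the last one
# is an ordinary connection-setup message and must be ignored by the parser.
SAMPLE_LOG = [
    "Mar 10 12:00:01 pix1 %PIX-4-400013: IDS:2003 ICMP redirect from 10.4.1.2 to 10.2.1.1 on interface dmz",
    "Mar 10 12:00:02 pix1 %PIX-4-400014: IDS:2004 ICMP echo request from 192.168.1.5 to 10.2.1.1 on interface outside",
    "Mar 10 12:00:02 pix1 %PIX-4-400014: IDS:2004 ICMP echo request from 192.168.1.5 to 10.2.1.2 on interface outside",
    "Mar 10 12:00:03 pix1 %PIX-4-400027: IDS:3041 TCP SYN+FIN flags from 192.168.1.5 to 10.2.1.3 on interface outside",
    "Mar 10 12:00:04 pix1 %PIX-6-302001: Built inbound TCP connection 12 for faddr 192.168.1.9/4401 gaddr 10.2.1.7/80 laddr 10.2.1.7/80",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = parse_pix_ids(line)
        if rec:
            print(f"sig {rec['sig_num']} ({rec['sig_msg']}) {rec['src']} -> {rec['dst']} on {rec['iface']}")
    for src, iface, n in top_sources(SAMPLE_LOG, threshold=2):
        print(f"{src} on {iface}: {n} IDS hits")
```

Note that the syslog line carries no indication of whether the signature belongs to the info or the attack class; every IDS message is logged at level 4. If you want to alert differently on the two classes, the mapping has to be maintained on the collector from the System Log Messages guide for your PIX version.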