pix and snort? obviously I'm not clear on the concept...

Got a pix 501

OUTSIDE goes to the Big Bad Outside (corporate, internet, etc)

INSIDE goes to us, all warm and fuzzy and fat and dumb and happy.

I am sending pix syslog information back to a loghost NETMON on INSIDE's subnet.

Thinking about setting up snort on LOGHOST to detect if the PIX is seeing weird stuff from OUTSIDE.

How does one set up snort to work with a pix?  

googling on 'pix snort'  'cisco snort' 'pix snort howto' yields hits that are dealing with questions more esoteric than 'how do I get it to work'.  If there are any howtos that people know of, that would be welcome.

I don't think you can directly monitor a PIX firewall, there not being a monitor port and all, but you can use the capture command to save a pcap file and open it with ethereal, or tcpdump. Here is a tutorial on using the command.

A quick google search turns up:

SnortALog : Snort Analyser Logs

"Snortalog is a Perl-based Snort log analyzer on steroids with output options to ASCII text, HTML, and graphs (formatted in JPEG, GIF, or PNG). Snortalog is configured and managed from a GUI interface, and it runs on either Linux or Windows. It reads output from Snort in any format (no other tool that we've seen has this feature), including syslog, provides fast and full alerts, and then builds flat text or HTML summary reports. Snortalog's summary reports are similar to ACID's reports, but more compact."

amlp (Author) commented:
OK, here's what I didn't get (I think).

snort is at core a packet sniffer with some pattern detection rules and abilities above it.

I was thinking it was like a nagios with definable input channels and pattern detection rules.

Rich Rumble (Security Samurai) commented:
If you wanted to use Snort in this way... you're limiting yourself greatly. Snort contains signatures for hundreds of exploits, as well as having the ability to track sessions and determine port scanning and other attacks. You can mirror, or "span", the port your PIX is on and sniff everything in/out without affecting the traffic, as your sniffing port is being "CC'd" all the packets in/out. Snort is capable of sniffing Gig connections and speeds.
You can make your own signatures for Snort very easily to alert you in the way you describe, but I think you'll be missing some data you might otherwise find interesting. Your PIX log will not tell you if a user is using a P2P program on the inside to DL mp3's etc. from the outside. The logs won't tell you if a scan took place, if an IIS buffer overflow was attempted on your servers, if one of your users is spreading MyDOOM from your LAN to the outside world...
There are false positives to be certain, but they are fewer than ever before.
You can use a program like SnortSam to update your firewalls on the fly when certain rules are triggered also: http://www.snortsam.net/

Snort can be customised to detect different signatures that might match threats.
You won't be able to directly monitor a PIX.
If you want to sniff the internal network, mirror the port where the inside interface of the PIX is connected to the switch (Cisco switches do this fine), then connect the mirrored port to the Snort box or whatever IDS you have.

Check this link for new Snort rules.
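
An added example, not part of the original thread: because Snort reads packets rather than syslog, the PIX deny messages already arriving on the loghost have to be summarized separately. This Python example assumes the PIX 106023 deny message layout shown in its constructed sample lines; the function names and the `min_ports` threshold are illustrative.

```python
import re
from collections import defaultdict

# Assumed layout of PIX message 106023 (packet denied by an access-group).
# Other message IDs are ignored; the port part is absent for ICMP.
DENY_RE = re.compile(
    r"%PIX-\d-106023: Deny (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?"
)

# Constructed sample lines (documentation addresses), not from a real device.
SAMPLE_LOG = """\
Mar 10 09:15:01 pix501 %PIX-4-106023: Deny tcp src outside:192.0.2.10/40001 dst inside:10.1.1.5/22 by access-group "acl_out"
Mar 10 09:15:01 pix501 %PIX-4-106023: Deny tcp src outside:192.0.2.10/40002 dst inside:10.1.1.5/23 by access-group "acl_out"
Mar 10 09:15:02 pix501 %PIX-4-106023: Deny tcp src outside:192.0.2.10/40003 dst inside:10.1.1.5/80 by access-group "acl_out"
Mar 10 09:15:03 pix501 %PIX-4-106023: Deny tcp src outside:192.0.2.10/40004 dst inside:10.1.1.5/80 by access-group "acl_out"
Mar 10 09:16:10 pix501 %PIX-4-106023: Deny icmp src outside:198.51.100.7 dst inside:10.1.1.5 (type 8, code 0) by access-group "acl_out"
Mar 10 09:17:00 pix501 %PIX-4-106023: Deny udp src inside:10.1.1.20/1029 dst outside:203.0.113.9/53 by access-group "acl_in"
Mar 10 09:17:05 pix501 %PIX-6-302013: Built outbound TCP connection 101 for outside:203.0.113.9/80 to inside:10.1.1.20/1030
"""

def summarize_denies(lines, src_interface="outside"):
    """Return {source_ip: {"denies": n, "ports": {(proto, dst_port), ...}}}."""
    summary = defaultdict(lambda: {"denies": 0, "ports": set()})
    for line in lines:
        m = DENY_RE.search(line)
        if not m or m.group("src_if") != src_interface:
            continue  # not a deny, or not sourced from the watched interface
        entry = summary[m.group("src_ip")]
        entry["denies"] += 1
        if m.group("dst_port"):
            entry["ports"].add((m.group("proto"), int(m.group("dst_port"))))
    return dict(summary)

def noisy_sources(summary, min_ports=3):
    """Sources denied on at least min_ports distinct destination ports."""
    return sorted(ip for ip, e in summary.items() if len(e["ports"]) >= min_ports)

if __name__ == "__main__":
    result = summarize_denies(SAMPLE_LOG.splitlines())
    for ip, e in sorted(result.items()):
        print(ip, e["denies"], sorted(e["ports"]))
    print("review:", noisy_sources(result))
```

This only covers traffic the PIX denied and logged; traffic that the access lists permit never appears in these messages.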

