pix and snort? obviously I'm not clear on the concept...

amlp asked
Last Modified: 2013-11-16
Got a pix 501

OUTSIDE goes to the Big Bad Outside (corporate, internet, etc)

INSIDE goes to us, all warm and fuzzy and fat and dumb and happy.

I am sending pix syslog information back to a loghost NETMON on INSIDE's subnet.

Thinking about setting up snort on LOGHOST to detect if the PIX is seeing weird stuff from OUTSIDE.

How does one set up snort to work with a pix?  

googling on 'pix snort'  'cisco snort' 'pix snort howto' yields hits that are dealing with questions more esoteric than 'how do I get it to work'.  If there are any howtos that people know of, that would be welcome.

Thanks!


Commented:
I don't think you can directly monitor a PIX firewall, there not being a monitor port and all, but you can use the capture command to save a pcap file and open it with ethereal, or tcpdump. Here is a tutorial on using the command.

http://www.computernetworkinghelp.com/content/view/40/1/

A quick Google search turns up:

SnortALog : Snort Analyser Logs
http://jeremy.chartier.free.fr/snortalog/

"Snortalog is a Perl-based Snort log analyzer on steroids with output options to ASCII text, HTML, and graphs (formatted in JPEG, GIF, or PNG). Snortalog is configured and managed from a GUI interface, and it runs on either Linux or Windows. It reads output from Snort in any format (no other tool that we've seen has this feature), including syslog, provides fast and full alerts, and then builds flat text or HTML summary reports. Snortalog's summary reports are similar to ACID's reports, but more compact."

Author

Commented:
OK, here's what I didn't get (I think).

snort is at core a packet sniffer with some pattern detection rules and abilities above it.

I was thinking it was like a nagios with definable input channels and pattern detection rules.
Rich Rumble, Security Samurai (Certified Expert, Top Expert 2006)
Commented:
If you wanted to use Snort in this way... you're limiting yourself greatly. Snort contains signatures for hundreds of exploits, as well as has the ability to track sessions and determine port scanning, and other attacks. You can mirror, or "span", the port your PIX is on and sniff everything in/out without affecting the traffic, as your sniffing port is being "CC'd" all the packets in/out. Snort is capable of sniffing Gig connections and speeds.

You can make your own signatures for Snort very easily to alert you in the way you describe, but I think you'll be missing some data you might otherwise find interesting. Your PIX log will not tell you if a user is using a P2P program on the inside to DL mp3's etc. from the outside. The logs won't tell you if a scan took place, if an IIS buffer overflow was attempted on your servers, if one of your users is spreading MyDOOM from your LAN to the outside world...

There are false positives to be certain, but they are fewer than ever before.

You can use a program like SnortSam to update your firewalls on the fly when certain rules are triggered also: http://www.snortsam.net/
-rich

Commented:
Snort can be customised to detect different signatures that might match threats.
You won't be able to directly monitor a PIX.
If you want to sniff the internal network, mirror the port where the inside interface of the PIX is connected to the switch (Cisco switches do this fine). Then connect the mirrored port to the Snort or IDS, whatever you have.

Check this link for new Snort rules.
http://www.bleedingsnort.com/sec/

renill
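To make the setup that Rich and renill describe (a SPAN port feeding a Snort sensor, with a couple of site-specific signatures) concrete, here is a Snort 2 configuration fragment added as an example. It is not from the thread, from Cisco, or from the Snort project; the HOME_NET subnet, rule path, interface name, ports and message strings are constructed placeholders to be replaced with the real INSIDE values.

```snort
# --- snort.conf fragment (added example; values are constructed placeholders) ---
# HOME_NET is the PIX INSIDE subnet; 192.168.1.0/24 is a made-up value
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules

# Port-scan detection on every protocol, so sweeps show up without a hand-written rule
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }

# Send alerts to syslog so they land on the same loghost (NETMON) as the PIX messages
output alert_syslog: LOG_AUTH LOG_ALERT

# Vendor/community rule sets are included here too; local.rules holds the site-specific signatures
include $RULE_PATH/local.rules

# --- local.rules (separate file; sid values above 1000000 are reserved for local use) ---
# Inbound SYN from OUTSIDE to an inside host on a port the PIX policy should never pass (telnet chosen as the example)
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"LOCAL inbound telnet attempt to INSIDE host"; flags:S; classtype:attempted-recon; sid:1000001; rev:1;)

# Outbound SYN from an inside host toward the default BitTorrent client port range: the P2P case Rich mentions
alert tcp $HOME_NET any -> $EXTERNAL_NET 6881:6889 (msg:"LOCAL possible BitTorrent peer connection from INSIDE"; flags:S; classtype:policy-violation; sid:1000002; rev:1;)

# Start the sensor on the interface cabled to the SPAN destination port (the sniffing interface needs no IP address):
#   snort -c /etc/snort/snort.conf -i eth1 -D
```

On a Catalyst switch the SPAN session that "CC's" the PIX port to the sensor is two lines in configuration mode, `monitor session 1 source interface FastEthernet0/1` followed by `monitor session 1 destination interface FastEthernet0/2` (interface numbers are placeholders). One caveat worth knowing before picking which port to mirror: mirroring the switch port on the INSIDE side shows only traffic the PIX has already allowed through, because the PIX drops denied packets at the outside interface. To see what OUTSIDE is actually throwing at the firewall, including what it drops, mirror or tap the link on the outside interface instead; HOME_NET stays set to the inside subnet either way. Because the alerts go to syslog, the same log-analysis tools mentioned earlier in the thread can read the Snort alerts alongside the PIX messages.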