pix and snort? obviously I'm not clear on the concept...

Posted on 2006-03-30
Last Modified: 2013-11-16
Got a pix 501

OUTSIDE goes to the Big Bad Outside (corporate, internet, etc)

INSIDE goes to us, all warm and fuzzy and fat and dumb and happy.

I am sending pix syslog information back to a loghost NETMON on INSIDE's subnet.

Thinking about setting up snort on LOGHOST to detect if the PIX is seeing weird stuff from OUTSIDE.

How does one set up snort to work with a pix?  

googling on 'pix snort'  'cisco snort' 'pix snort howto' yields hits that are dealing with questions more esoteric than 'how do I get it to work'.  If there are any howtos that people know of, that would be welcome.


Question by:amlp

    Expert Comment

    I don't think you can directly monitor a PIX firewall, there not being a monitor port and all, but you can use the capture command to save a pcap file and open it with ethereal, or tcpdump. Here is a tutorial on using the command.

    Expert Comment

    A quick google search turns up:

    SnortALog : Snort Analyser Logs

    "Snortalog is a Perl-based Snort log analyzer on steroids with output options to ASCII text, HTML, and graphs (formatted in JPEG, GIF, or PNG). Snortalog is configured and managed from a GUI interface, and it runs on either Linux or Windows. It reads output from Snort in any format (no other tool that we've seen has this feature), including syslog, provides fast and full alerts, and then builds flat text or HTML summary reports. Snortalog's summary reports are similar to ACID's reports, but more compact."


    Author Comment

    OK, here's what I didn't get (I think).

    snort is at core a packet sniffer with some pattern detection rules and abilities above it.

    I was thinking it was like a nagios with definable input channels and pattern detection rules.

    Assisted Solution

    by:Rich Rumble
    If you wanted to use Snort in this way... you're limiting yourself greatly. Snort contains signatures for hundreds of exploits, as well as the ability to track sessions and determine port scanning, and other attacks. You can mirror, or "span", the port your pix is on and sniff everything in/out without affecting the traffic, as your sniffing port is being "CC'd" all the packets in/out. Snort is capable of sniffing Gig connections and speeds.
    You can make your own signatures for snort very easily to alert you in the way you describe, but I think you'll be missing some data you might otherwise find interesting. Your pix log will not tell you if a user is using a P2P program on the inside to DL mp3's etc. from the outside. The logs won't tell you if a scan took place, if an IIS buffer overflow was attempted on your servers, if one of your users is spreading MyDOOM from your lan to the outside world...
    There are false positives to be certain, but they are fewer than ever before.
    You can use a program like SnortSam to update your firewalls on the fly when certain rules are triggered also:

    Accepted Solution

    Snort can be customised to detect different signatures that might match threats.
    You won't be able to directly monitor a pix.
    If you want to sniff the internal network, mirror the port where the inside interface of the pix is connected to the switch (Cisco switches do this fine). Then connect the mirrored port to the snort or IDS, whatever you have.

    Check this link for new snort rules.
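The thread settles on a SPAN port feeding Snort, but the asker's original idea (watching the PIX syslog on the loghost for "weird stuff from OUTSIDE") is also workable for the narrow case of ACL denies. The following is an added example, not code from any of the posters: it parses the standard %PIX-4-106023 "Deny" message, keeps only packets arriving on the outside interface, and flags sources that were denied against several distinct destination ports, a crude sweep indicator. The sample syslog lines and the addresses in them are constructed.

```python
import re
from collections import defaultdict

# %PIX-4-106023 is logged when an ACL drops a packet. Format (one line):
#   %PIX-4-106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>"
DENY_RE = re.compile(
    r"%PIX-4-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)

def parse_deny(line):
    """Return the fields of a 106023 deny line, or None for any other message."""
    m = DENY_RE.search(line)
    return m.groupdict() if m else None

def noisy_outside_sources(lines, min_ports=3, iface="outside"):
    """Group denies seen on `iface` by source address and return
    {src: sorted distinct destination ports} for every source that was
    denied against at least `min_ports` different ports."""
    ports = defaultdict(set)
    for line in lines:
        d = parse_deny(line)
        if d and d["src_if"] == iface:
            ports[d["src"]].add(int(d["dport"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}

# Constructed sample of what the loghost receives from the PIX (not real traffic).
SAMPLE_LOG = """\
Mar 30 10:01:02 pix %PIX-4-106023: Deny tcp src outside:203.0.113.7/40213 dst inside:10.1.1.5/22 by access-group "outside_in"
Mar 30 10:01:03 pix %PIX-4-106023: Deny tcp src outside:203.0.113.7/40214 dst inside:10.1.1.5/23 by access-group "outside_in"
Mar 30 10:01:03 pix %PIX-4-106023: Deny tcp src outside:203.0.113.7/40215 dst inside:10.1.1.5/445 by access-group "outside_in"
Mar 30 10:01:04 pix %PIX-6-302013: Built outbound TCP connection 12 for outside:198.51.100.9/80 (198.51.100.9/80) to inside:10.1.1.20/3321 (10.1.1.20/3321)
Mar 30 10:01:05 pix %PIX-4-106023: Deny udp src inside:10.1.1.20/1044 dst outside:198.51.100.3/53 by access-group "inside_out"
Mar 30 10:01:06 pix %PIX-4-106023: Deny tcp src outside:198.51.100.44/5555 dst inside:10.1.1.5/80 by access-group "outside_in"
""".splitlines()

if __name__ == "__main__":
    for src, dports in noisy_outside_sources(SAMPLE_LOG).items():
        print(f"{src} denied on {len(dports)} distinct ports from outside: {dports}")
```

Connection-built messages and denies originating on the inside interface are ignored, so the report only covers what the PIX itself rejected from OUTSIDE; anything the ACL permits never appears here, which is exactly the gap the answers above say a Snort sensor on a mirrored port fills.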

