pix and snort? obviously I'm not clear on the concept...

Posted on 2006-03-30
Medium Priority
Last Modified: 2013-11-16
Got a pix 501

OUTSIDE goes to the Big Bad Outside (corporate, internet, etc)

INSIDE goes to us, all warm and fuzzy and fat and dumb and happy.

I am sending pix syslog information back to a loghost NETMON on INSIDE's subnet.

Thinking about setting up snort on LOGHOST to detect if the PIX is seeing weird stuff from OUTSIDE.

How does one set up snort to work with a pix?  

googling on 'pix snort'  'cisco snort' 'pix snort howto' yields hits that are dealing with questions more esoteric than 'how do I get it to work'.  If there are any howtos that people know of, that would be welcome.


Question by:amlp

Expert Comment

ID: 16337106
I don't think you can directly monitor a PIX firewall, there not being a monitor port and all, but you can use the capture command to save a pcap file and open it with ethereal, or tcpdump. Here is a tutorial on using the command.


Expert Comment

ID: 16337510
A quick google search turns up:

SnortALog : Snort Analyser Logs

"Snortalog is a Perl-based Snort log analyzer on steroids with output options to ASCII text, HTML, and graphs (formatted in JPEG, GIF, or PNG). Snortalog is configured and managed from a GUI interface, and it runs on either Linux or Windows. It reads output from Snort in any format (no other tool that we've seen has this feature), including syslog, provides fast and full alerts, and then builds flat text or HTML summary reports. Snortalog's summary reports are similar to ACID's reports, but more compact."


Author Comment

ID: 16338511
OK, here's what I didn't get (I think).

snort is at core a packet sniffer with some pattern detection rules and abilities above it.

I was thinking it was like a nagios with definable input channels and pattern detection rules.
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 100 total points
ID: 16339028
If you wanted to use Snort in this way... you're limiting yourself greatly. Snort contains signatures for hundreds of exploits, as well as having the ability to track sessions and determine port scanning, and other attacks. You can mirror, or "span", the port your pix is on and sniff everything in/out without affecting the traffic, as your sniffing port is being "CC'd" all the packets in/out. Snort is capable of sniffing Gig connections and speeds.
You can make your own signatures for snort very easily to alert you in the way you describe, but I think you'll be missing some data you might otherwise find interesting. Your pix log will not tell you if a user is using a P2P program on the inside to DL mp3s etc. from the outside. The logs won't tell you if a scan took place, if an IIS buffer overflow was attempted on your servers, if one of your users is spreading MyDOOM from your lan to the outside world...
There are false positives to be certain, but they are fewer than ever before.
You can use a program like SnortSam to update your firewalls on the fly when certain rules are triggered also: http://www.snortsam.net/
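The original poster's plan was to watch the PIX syslog stream on LOGHOST for "weird stuff from OUTSIDE". The following is an added example, not code from this thread or from any of the posters, showing the kind of custom detection that plan gives you: a parser for the PIX `%PIX-4-106023` "Deny" message that aggregates denies per source address and flags any outside host that has probed many distinct destination ports. The log lines are constructed for this example and the threshold (`min_ports`) is an arbitrary assumption; the message layout follows the documented 106023 format. It complements a Snort sensor on a mirrored port rather than replacing it, since, as the answer above notes, the firewall log only shows what the PIX itself decided to drop.

```python
import re
from collections import Counter, defaultdict

# Regex for the PIX/ASA 106023 access-list deny message, e.g.
#   %PIX-4-106023: Deny tcp src outside:A.B.C.D/p dst inside:W.X.Y.Z/q by access-group "..."
DENY_RE = re.compile(
    r"%PIX-\d-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)

# Constructed sample syslog lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
Mar 30 10:01:02 pix %PIX-4-106023: Deny tcp src outside:198.51.100.7/40001 dst inside:10.0.0.5/21 by access-group "outside_access_in"
Mar 30 10:01:02 pix %PIX-4-106023: Deny tcp src outside:198.51.100.7/40002 dst inside:10.0.0.5/22 by access-group "outside_access_in"
Mar 30 10:01:03 pix %PIX-4-106023: Deny tcp src outside:198.51.100.7/40003 dst inside:10.0.0.5/23 by access-group "outside_access_in"
Mar 30 10:01:03 pix %PIX-4-106023: Deny tcp src outside:198.51.100.7/40004 dst inside:10.0.0.5/25 by access-group "outside_access_in"
Mar 30 10:01:04 pix %PIX-4-106023: Deny tcp src outside:198.51.100.7/40005 dst inside:10.0.0.5/80 by access-group "outside_access_in"
Mar 30 10:01:04 pix %PIX-4-106023: Deny tcp src outside:198.51.100.7/40006 dst inside:10.0.0.5/443 by access-group "outside_access_in"
Mar 30 10:02:10 pix %PIX-4-106023: Deny tcp src outside:203.0.113.9/51000 dst inside:10.0.0.8/445 by access-group "outside_access_in"
Mar 30 10:02:11 pix %PIX-4-106023: Deny tcp src outside:203.0.113.9/51001 dst inside:10.0.0.8/445 by access-group "outside_access_in"
Mar 30 10:02:12 pix %PIX-4-106023: Deny tcp src outside:203.0.113.9/51002 dst inside:10.0.0.8/445 by access-group "outside_access_in"
Mar 30 10:03:00 pix %PIX-4-106023: Deny udp src inside:10.0.0.20/1026 dst outside:192.0.2.1/6881 by access-group "inside_access_in"
Mar 30 10:03:01 pix %PIX-6-302013: Built inbound TCP connection 1234 for outside:198.51.100.20/5555 (198.51.100.20/5555) to inside:10.0.0.5/80 (10.0.0.5/80)
"""


def parse_denies(lines):
    """Return one dict per 106023 deny line; lines of any other type are skipped."""
    events = []
    for line in lines:
        m = DENY_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["src_port"] = int(ev["src_port"])
            ev["dst_port"] = int(ev["dst_port"])
            events.append(ev)
    return events


def deny_counts(events, interface="outside"):
    """Total denies per source address arriving on the given interface."""
    return Counter(e["src_ip"] for e in events if e["src_if"] == interface)


def suspicious_sources(events, min_ports=5, interface="outside"):
    """Sources on `interface` denied on at least `min_ports` distinct destination ports.

    Many distinct ports from one source in a short log window is a crude
    horizontal-scan heuristic; min_ports is an assumed tuning knob.
    """
    ports_by_src = defaultdict(set)
    for e in events:
        if e["src_if"] == interface:
            ports_by_src[e["src_ip"]].add(e["dst_port"])
    return sorted(
        (ip, len(ports)) for ip, ports in ports_by_src.items() if len(ports) >= min_ports
    )


if __name__ == "__main__":
    evs = parse_denies(SAMPLE_LOG.splitlines())
    print("deny counts by outside source:", dict(deny_counts(evs)))
    for ip, n in suspicious_sources(evs):
        print(f"ALERT {ip} denied on {n} distinct ports")
```

Run it against a file of real PIX syslog by replacing `SAMPLE_LOG.splitlines()` with the file's lines; the inside-originated deny and the 302013 connection-built line are deliberately present to show that the filter ignores them.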

Accepted Solution

renill earned 150 total points
ID: 16359079
snort can be customised to detect different signatures that might match threats.
you won't be able to directly monitor a pix.
if you want to sniff the internal network, do mirror the port where the inside interface of the pix is connected to the switch (cisco switches do this fine). then connect the mirrored port to the snort or ids, whatever you have.

check this link for new snort rules.

