[c-nsp] Automatic responses from events in a PIX
Justin Shore
justin at justinshore.com
Tue Oct 16 15:51:41 EDT 2007
Asbjorn Hojmark - Lists wrote:
>> I have a user who claims that they've configured their PIX to
>> take an action after it sees a certain number of rogue packets
>> (i.e., portscan). They claim that it's configured to stop all
>> traffic after it sees 70 rogue packets from any one given IP.
>>
>> In my years of administrating PIXs I don't recall ever coming
>> across a reactionary feature such as this.
>
> There are various ways to do stuff along those lines. See
> http://tinyurl.com/ywt5th and, most notably, Threat Detection
> in 8.0.
To recap the replies, there are ways to do something along these lines
with IPS modules, IPS/IDS-like features in the 8.x line of code, or MARS
but there aren't any methods of doing this with the older code unless a
3rd-party app is used to watch the syslog output and react. I don't
know what model of PIX/ASA she has but if she does have one I would
seriously doubt if it is running 8.x (especially considering someone
would have had to upgrade it to 8.x for her since 8.x isn't shipping on
anything yet). I would also doubt if she has an ASA with the IPS module
or a 3rd-party app watching the syslog output.
At this point I'm going to say that it's probably an odd Sonicwall
feature or the user is simply misinterpreting what's going on here
altogether. Either or both is very likely at this point.
Thanks for the input,
Justin
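The "3rd-party app watching the syslog output" option mentioned above, as an added example that is not part of the original thread: a small Python watcher that counts PIX access-group deny messages (%PIX-4-106023) per source address, reports any source at or above the 70-packet threshold from the original question, and produces the corresponding `shun` command for an operator to review. The log lines and the IP addresses are constructed for the example.

```python
import re
from collections import Counter

# Matches the PIX/ASA "Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group" message.
DENY_RE = re.compile(
    r"%PIX-4-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_deny(line):
    """Return the parsed fields of a deny message, or None for any other syslog line."""
    m = DENY_RE.search(line)
    return m.groupdict() if m else None


def offenders(lines, threshold=70):
    """Return {src_ip: deny_count} for every source that hit the threshold."""
    counts = Counter()
    for line in lines:
        rec = parse_deny(line)
        if rec:
            counts[rec["src"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def shun_commands(hits):
    """Build the PIX 'shun' commands an operator would apply for the reported sources."""
    return [f"shun {ip}" for ip in sorted(hits)]


def sample_log():
    """Constructed syslog sample: 75 denies from one scanning host, 3 from another, plus noise."""
    tmpl = ('Oct 16 15:50:{sec:02d} pix %PIX-4-106023: Deny tcp src outside:{src}/40123 '
            'dst inside:10.0.0.5/{dport} by access-group "outside_in"')
    lines = [tmpl.format(sec=i % 60, src="192.0.2.10", dport=1 + i) for i in range(75)]
    lines += [tmpl.format(sec=i, src="198.51.100.7", dport=80) for i in range(3)]
    lines.append("Oct 16 15:51:00 pix %PIX-6-302013: Built outbound TCP connection 1234")
    return lines


if __name__ == "__main__":
    hits = offenders(sample_log())
    print(hits)                  # {'192.0.2.10': 75}
    print(shun_commands(hits))   # ['shun 192.0.2.10']
```

On a real box the same counting would be fed from a syslog receiver and reset per time window; the threshold and the choice to shun rather than alert are policy decisions.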