Configure Intrusion Prevention on the PIX Security Appliance
Intrusion detection and the PIX Security Appliance

The PIX Security Appliance performs intrusion detection by using intrusion detection signatures. With intrusion detection enabled, the PIX can match signatures against network activity and generate a response when a rule set is matched. It can monitor packets for more than 55 intrusion detection signatures and can be configured to send an alarm to a Syslog server or a server running Cisco Security Monitor, drop the packet, or reset the TCP connection. The signatures supported by the PIX are a subset of the signatures supported by the Cisco IDS product family.

The PIX Security Appliance can detect two different types of signatures: informational signatures and attack signatures. Informational class signatures are triggered by normal network activity that is not in itself considered malicious, but that can be used to determine the validity of an attack or for forensic purposes. Attack class signatures are triggered by activity known to be, or that could lead to, unauthorized data retrieval, system access, or privilege escalation.

The table in Figure lists examples of the IDS signatures supported by the PIX Security Appliance.

IDS Syslog messages all start with %PIX-4-4000nn and have the following format:

%PIX-4-4000nn IDS: sig_num sig_msg from ip_addr to ip_addr on interface int_name

For example:

%PIX-4-400013 IDS:2003 ICMP redirect from 10.4.1.2 to 10.2.1.1 on interface dmz

%PIX-4-400032 IDS:4051 UDP Snork attack from 10.1.1.1 to 192.168.1.1 on interface outside
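The message format above is what a Syslog collector has to parse to turn PIX IDS alarms into something an analyst can triage. The following is an added example, not from the original text or from Cisco: it parses the %PIX-4-4000nn format into its fields and counts alarms per source address. The log lines (including the syslog timestamp and hostname prefix) are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches the PIX IDS message format:
#   %PIX-4-4000nn IDS: sig_num sig_msg from ip_addr to ip_addr on interface int_name
# re.search() is used so a syslog timestamp/hostname prefix before %PIX is tolerated.
PIX_IDS_RE = re.compile(
    r"%PIX-4-(?P<msg_id>4000\d{2})\s+IDS:\s*(?P<sig_num>\d+)\s+(?P<sig_msg>.+?)\s+"
    r"from\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+to\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})"
    r"\s+on\s+interface\s+(?P<iface>[^\s.,]+)"
)


@dataclass
class PixIdsEvent:
    msg_id: str    # the 4000nn message number, e.g. "400013"
    sig_num: int   # IDS signature number, e.g. 2003
    sig_msg: str   # signature description, e.g. "ICMP redirect"
    src: str
    dst: str
    iface: str


def parse_pix_ids(line: str) -> Optional[PixIdsEvent]:
    """Return the parsed IDS event, or None if the line is not a %PIX-4-4000nn message."""
    m = PIX_IDS_RE.search(line)
    if m is None:
        return None
    return PixIdsEvent(m["msg_id"], int(m["sig_num"]), m["sig_msg"],
                       m["src"], m["dst"], m["iface"])


def alarms_per_source(lines: List[str]) -> Dict[str, int]:
    """Count IDS alarms by source address; non-IDS syslog lines are ignored."""
    counts: Dict[str, int] = {}
    for line in lines:
        ev = parse_pix_ids(line)
        if ev is not None:
            counts[ev.src] = counts.get(ev.src, 0) + 1
    return counts


# Constructed sample log: the two messages quoted above plus a repeat and one non-IDS line.
SAMPLE_LOG = [
    "Mar  1 12:00:01 pix1 %PIX-4-400013 IDS:2003 ICMP redirect from 10.4.1.2 to 10.2.1.1 on interface dmz",
    "Mar  1 12:00:02 pix1 %PIX-4-400032 IDS:4051 UDP Snork attack from 10.1.1.1 to 192.168.1.1 on interface outside",
    "Mar  1 12:00:03 pix1 %PIX-4-400032 IDS:4051 UDP Snork attack from 10.1.1.1 to 192.168.1.2 on interface outside",
    "Mar  1 12:00:04 pix1 %PIX-6-302013 Built outbound TCP connection 12 for outside:198.51.100.7/80",
]
```

Running `alarms_per_source(SAMPLE_LOG)` on the constructed sample yields two alarms from 10.1.1.1 and one from 10.4.1.2, with the connection-built message skipped.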