The PIX Security Appliance performs intrusion detection by using intrusion detection signatures. With intrusion detection enabled, the PIX can detect signatures and generate a response when a set of rules is matched to network activity. It can monitor packets for more than 55 intrusion detection signatures and can be configured to send an alarm to a Syslog server or a server running Cisco Security Monitor, drop the packet, or reset the TCP connection. The signatures supported by the PIX are a subset of the signatures supported by the Cisco IDS product family.

The PIX Security Appliance can detect two different classes of signatures: informational signatures and attack signatures. Informational class signatures are triggered by normal network activity that is not in itself considered malicious, but that can be used to determine the validity of an attack or for forensic purposes. Attack class signatures are triggered by activity known to be, or that could lead to, unauthorized data retrieval, system access, or privilege escalation.
The table in Figure lists examples of the IDS signatures supported by the PIX Security Appliance.
IDS Syslog messages all start with %PIX-4-4000nn and have the following format:

%PIX-4-4000nn IDS: sig_num sig_msg from ip_addr to ip_addr on interface int_name

For example:

%PIX-4-400013 IDS:2003 ICMP redirect from 10.4.1.2 to 10.2.1.1 on interface dmz
%PIX-4-400032 IDS:4051 UDP Snork attack from 10.1.1.1 to 192.168.1.1 on interface outside
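A small parser for the %PIX-4-4000nn IDS message layout described above, written as an added example for this page (it is not Cisco code). It extracts the signature number, signature text, source, destination and interface from each line, ignores non-IDS messages, and tallies events per signature and source so a Syslog collector can spot repeated triggers; the sample log lines are constructed, the first two copied from the page's own examples.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample input: two lines mirror the page's examples, the third is a
# repeat of the Snork event, and the fourth is a non-IDS PIX message to be skipped.
SAMPLE_LOG = """\
%PIX-4-400013 IDS:2003 ICMP redirect from 10.4.1.2 to 10.2.1.1 on interface dmz
%PIX-4-400032 IDS:4051 UDP Snork attack from 10.1.1.1 to 192.168.1.1 on interface outside
%PIX-4-400032 IDS:4051 UDP Snork attack from 10.1.1.1 to 192.168.1.1 on interface outside
%PIX-6-302013 Built outbound TCP connection 12 for outside:10.1.1.1/80
"""

# Documented layout:
#   %PIX-4-4000nn IDS: sig_num sig_msg from ip_addr to ip_addr on interface int_name
# The page's examples print "IDS:2003" with no space after the colon, so the
# whitespace there is optional. Only message IDs in the 4000nn range are accepted.
IDS_RE = re.compile(
    r"^%PIX-(?P<level>\d)-(?P<msg_id>4000\d\d)\s+IDS:\s*(?P<sig_num>\d+)\s+"
    r"(?P<sig_msg>.+?)\s+from\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"to\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+on\s+interface\s+(?P<iface>\S+)\s*$"
)


def parse_ids_message(line: str) -> Optional[dict]:
    """Return the fields of one IDS syslog line, or None if it is not an IDS message."""
    m = IDS_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"])      # syslog severity digit (4 for IDS messages)
    rec["sig_num"] = int(rec["sig_num"])  # Cisco IDS signature number
    return rec


def summarize(log_text: str) -> dict:
    """Parse every line; count IDS events by (signature, source, interface)."""
    counts = Counter()
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_ids_message(line)
        if rec is None:
            skipped += 1  # not an IDS message (or malformed); leave it for other parsers
            continue
        counts[(rec["sig_num"], rec["src"], rec["iface"])] += 1
    return {"events": dict(counts), "skipped": skipped}


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG)["events"].items():
        print(key, n)
```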