Intrusion prevention, or auditing, is enabled on the PIX Security Appliance with the ip audit commands. Using the ip audit commands, audit policies can be created to specify the traffic that is audited or to designate actions to be taken when a signature is detected. After a policy is created, it can be applied to any PIX interface.
Each interface can have two policies, one for informational signatures and one for attack signatures. If both policies are going to be active simultaneously, they should share the same policy name. When a policy for a given signature class is created and applied to an interface, all supported signatures of that class are monitored unless they are disabled with the ip audit signature disable command.
The PIX Security Appliance supports both inbound and outbound auditing. Auditing is performed by looking at the IP packets as they arrive at an input interface. For example, if an attack policy is applied to the outside interface, attack signatures are triggered when attack traffic arrives at the outside interface in an inward direction, either as inbound traffic or as return traffic from an outbound connection.
In Figure , the PIX Security Appliance has an attack policy, which contains the alarm and drop actions, applied to its outside interface. Therefore, the following series of events takes place:
Step 1 The intruder attempts to transfer a DNS zone from the DNS server on the DMZ.
Step 2 The PIX Security Appliance detects an attack.
Step 3 The PIX Security Appliance drops the connection and sends an IDS Syslog message to the Syslog server at 10.0.0.11.
The ip audit attack command specifies the default actions to be taken for attack signatures. The no ip audit attack command resets the action to be taken for attack signatures to the default action. The show ip audit attack command displays the default attack actions. The ip audit info, no ip audit info, and show ip audit info commands perform the same functions for signatures classified as informational. Specify the ip audit info command without an action option to cancel event reactions.
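The following configuration fragment is an added example, not part of the original text, that puts the commands described above together for the DNS zone transfer scenario: an attack policy with the alarm and drop actions and an informational policy that shares the same name, both applied to the outside interface, with IDS Syslog messages sent to the server at 10.0.0.11. The policy name DMZPOLICY, the inside-interface location of the Syslog server, and the disabled signature number 2004 (ICMP echo request, an informational signature) are assumptions for illustration; the signature list for your software release is authoritative.

```text
! Added example configuration (PIX 6.x syntax); not from the original text.
! Policy name, syslog interface and signature number are assumed.

! Attack signatures: log the event and drop the offending connection.
ip audit name DMZPOLICY attack action alarm drop

! Informational signatures: alarm only. Same policy name as the attack
! policy so that both classes are active on the interface at once.
ip audit name DMZPOLICY info action alarm

! Apply the policy to the outside interface. Signatures fire on packets
! arriving inbound on this interface, including return traffic of
! outbound connections.
ip audit interface outside DMZPOLICY

! Every supported signature of each class is monitored once the policy
! is applied; switch off individual noisy signatures explicitly.
! (2004 = ICMP echo request, assumed for illustration.)
ip audit signature 2004 disable

! Send the IDS messages (level 4, warnings) to the Syslog server from
! the scenario. "inside" is the assumed interface facing 10.0.0.11.
logging on
logging trap warnings
logging host inside 10.0.0.11

! Verify the default actions and see how many times signatures have
! matched on the interface.
show ip audit attack
show ip audit info
show ip audit count interface outside
```

Because `ip audit name ... attack` and `ip audit name ... info` are separate policies, check `show ip audit count interface outside` after applying them: a zero count for every attack signature while informational counts climb usually means only one class was applied, typically because the two policies were given different names.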