Just FYI
Using ACL's does limit the information you get to the Syslog server compared to what you would get using Conduits. Cisco was supposed to be working on a fix for it. On Revisions of code before 5.3.1 you would just get Protocol XX (ie 6,17,1) and no port.. At least after 5.3.1 you get TCP,UDP... I have contacted Cisco several times on this issue and I get the "Next Release" responce :) Anyone know if this is fixed in 6.0?
Regards,
Mike D'Onofrio
> Our PIX does not indicate source or destination ports
> perhaps because the "IP spoof" criteria was already
> triggered in its logic chain, denying the packet and
> making a syslog entry.
It's been my experience that the PIX will not provide port information if
the packet is blocked by an ACL. However, it *will* provide port
information if the packet is blocked because there is no "conduit"
allowing the traffic.
I'm not sure if the spoof detection mechanism supercedes this.
Hope this helps.
-Blake
--------------------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service
For more information on SecurityFocus' SIA service which automatically alerts you to
the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
--------------------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service
For more information on SecurityFocus' SIA service which automatically alerts you to
the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
Received on Jul 06 2001
Intro
