How to set up IDS & PIX to send the alerts to CiscoWorks2000 server


I was looking for a way to set up IDS & PIX to send the alerts to the CiscoWorks2000 box.

Also, is it possible for CiscoWorks2000 to send alerts to a pager or cell?

Thanks in advance for valuable suggestions.



In article , Bobs wrote:
:I was looking for a way to setup IDS & PIX to send the alerts to
:CiscoWorks2000 Box.

The only mechanism that the PIX has for sending IDS to anything is via syslog. It does, however, support selecting arbitrary ports, and supports syslog via tcp as well as syslog via udp. The effect is that you can have a process listening on an arbitrary port that reads the messages from the PIX and reformats them to be passed on elsewhere.

I should be more accurate: PIX can also send events via snmp trap. It is, though, not well-defined as to what SNMP trap messages will be sent. I have never seen one generated for IDS.

If you want to be serious about IDS, then I would not recommend relying on PIX. PIX's IDS has less than 50 signatures, and has no mechanism for adding more [at least not through 6.x]. And some of the signatures are really not very useful, all things considered.

Okay, so some random machine on the internet ping'd one of my IPs... now what? Just as is the case with the PIX syslog messages, these days there is a real glut of messages. There was a time when we were attacked only 2 or 3 times a year, and I could pay attention to every one, writing nastygrams to the admins. Now, though... our local office was attacked three hundred and fifty thousand times on Monday alone, which is 4 times per second. If I were to spend 50% of my working time just investigating the attacks, I would have to investigate more than 1000 per minute just to keep up :(-

So, unless you are just curious, the PIX makes a lousy IDS, because it isn't smart enough to be able to filter useful information out of the noise. How often are you going to be willing to live with your pager going off?

Walter Roberson
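
The listener-and-reformat approach described in the reply above, as an added example that is not part of the original posts: it parses PIX IDS syslog messages (the `%PIX-4-4000nn: IDS:...` form) and forwards only per-source summaries that cross a threshold, so a pager is not driven by every single hit. The UDP port 5514, the batch size, the threshold and the sample lines are assumptions constructed for illustration.

```python
import re
import socket
from collections import Counter

# PIX IDS syslog body: %PIX-4-4000nn: IDS:<sig> <text> from <src> to <dst> on interface <if>
IDS_RE = re.compile(
    r"%PIX-(?P<sev>\d)-(?P<msgid>4000\d\d): IDS:(?P<sig>\d+) (?P<text>.+?) "
    r"from (?P<src>\S+) to (?P<dst>\S+) on interface (?P<ifname>\S+)"
)

def parse_ids(line):
    """Return a dict for a PIX IDS message, or None for any other syslog line."""
    m = IDS_RE.search(line)
    return m.groupdict() if m else None

def summarize(lines, threshold=3):
    """Count IDS hits per (signature, source); keep only pairs at or above threshold."""
    hits = Counter()
    for line in lines:
        ev = parse_ids(line)
        if ev:
            hits[(ev["sig"], ev["text"], ev["src"])] += 1
    return [
        f"IDS {sig} ({text}) from {src}: {n} hits"
        for (sig, text, src), n in sorted(hits.items())
        if n >= threshold
    ]

# Constructed sample input, not captured from a real device.
SAMPLE = [
    "<164>%PIX-4-400014: IDS:2004 ICMP echo request from 192.0.2.10 to 198.51.100.5 on interface outside",
    "<164>%PIX-4-400014: IDS:2004 ICMP echo request from 192.0.2.10 to 198.51.100.6 on interface outside",
    "<166>%PIX-6-302013: Built outbound TCP connection 42 for outside:203.0.113.9/80",
    "<164>%PIX-4-400014: IDS:2004 ICMP echo request from 192.0.2.10 to 198.51.100.7 on interface outside",
    "<164>%PIX-4-400014: IDS:2004 ICMP echo request from 203.0.113.7 to 198.51.100.5 on interface outside",
]

def listen(port=5514, batch=100):  # port and batch size are assumptions
    """Receive PIX syslog over UDP and print one summary per batch of datagrams."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        lines = [sock.recv(4096).decode("ascii", "replace") for _ in range(batch)]
        for alert in summarize(lines):
            print(alert)  # replace with a hand-off to a pager or mail gateway

if __name__ == "__main__":
    for alert in summarize(SAMPLE):
        print(alert)
```

Running the file prints the summary for the constructed sample; calling `listen()` instead binds the UDP port and summarizes live messages in batches.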