On Wed, Oct 22, 2003 at 05:22:16PM -0400, Brian Ford wrote:
> The other thing we did is to allow the suppression of messages based on the
> ID. So if you don't like the "Built Dynamic Translation" message you can
> make it so your PIX never emits that message again. And when I say never I
> mean until you take that line out of the configuration. But it does

I don't want to turn this into a PIX-thread - but I will :-)

This feature isn't as great as it seems. To be honest, the PIX still has a
ways to go before its ACL support is as good as IOS. Why? Because under IOS
you can tell an *individual* ACL whether it's going to log or not. Under the
PIX, all you can do is log, or block logging on a "message number" - you
can't get any finer grained.

e.g. our PIX blocks TONNES of outgoing TCP port 137,139 connections: Windows
is TERRIBLE at promiscuously throwing packets about. There is so much that it
is causing nothing but grief on our security loggers - so I want to disable
them. They come under rule %PIX-4-106023 - but if I disable that, I also lose
logging of internal hosts connecting to anything else - such as port 135 -
which implies BLASTER. I don't want to miss seeing that, so I can't block
%PIX-4-106023... :-(

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
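The granularity problem described in the message above (the PIX can only suppress a whole message ID, not one ACL's worth of it) can be worked around on the log collector instead of on the firewall. The following is an added example, not code from the original post or from Cisco: it parses %PIX-4-106023 deny lines and drops only the noisy outbound TCP 137/139 denials while keeping every other 106023 line (such as port 135 hits) and every other message ID untouched. The sample log lines are constructed for this example and only approximate the real PIX 6.x syslog format; the field layout assumed by the regex is an assumption.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input approximating PIX 6.x syslog output (not real captures).
SAMPLE_LOG = """\
Oct 22 17:40:01 pix %PIX-4-106023: Deny tcp src inside:10.1.1.5/1034 dst outside:192.168.1.1/139 by access-group "inside_out"
Oct 22 17:40:02 pix %PIX-4-106023: Deny tcp src inside:10.1.1.5/1035 dst outside:192.168.1.1/137 by access-group "inside_out"
Oct 22 17:40:03 pix %PIX-4-106023: Deny tcp src inside:10.1.1.7/2048 dst outside:203.0.113.9/135 by access-group "inside_out"
Oct 22 17:40:04 pix %PIX-4-106023: Deny udp src inside:10.1.1.8/137 dst outside:203.0.113.9/137 by access-group "inside_out"
Oct 22 17:40:05 pix %PIX-4-106010: Deny inbound tcp src outside:198.51.100.2/4444 dst inside:10.1.1.9/445
"""

# Assumed field layout for %PIX-4-106023: "Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> ..."
DENY_RE = re.compile(
    r"%PIX-4-106023: Deny (?P<proto>\w+) "
    r"src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Exactly the noise named in the post: outbound TCP to 137 and 139. Nothing else
# (UDP 137, TCP 135, other message IDs) matches this suppression tuple.
NOISE: Set[Tuple[str, int]] = {("tcp", 137), ("tcp", 139)}


def parse_deny(line: str) -> Optional[Dict[str, object]]:
    """Return the parsed fields of a %PIX-4-106023 line, or None for any other line."""
    m = DENY_RE.search(line)
    if not m:
        return None
    return {
        "proto": m.group("proto").lower(),
        "src_if": m.group("sif"),
        "src": m.group("src"),
        "sport": int(m.group("sport")),
        "dst_if": m.group("dif"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
    }


def is_noise(rec: Dict[str, object], noise: Set[Tuple[str, int]] = NOISE) -> bool:
    """True only for a 106023 deny whose (proto, dst port) is in the suppression set
    and which originates on the inside interface (the outbound chatter in the post)."""
    return rec["src_if"] == "inside" and (rec["proto"], rec["dport"]) in noise


def filter_log(text: str, noise: Set[Tuple[str, int]] = NOISE) -> Tuple[List[str], List[str]]:
    """Split a syslog blob into (kept, dropped). Lines that are not 106023 are always kept,
    so suppressing the noise does not blind you to other message IDs."""
    kept: List[str] = []
    dropped: List[str] = []
    for line in text.splitlines():
        rec = parse_deny(line)
        if rec is not None and is_noise(rec, noise):
            dropped.append(line)
        else:
            kept.append(line)
    return kept, dropped


def rpc_135_sources(kept: List[str]) -> Set[str]:
    """Inside hosts that were denied TCP/135 outbound: the Blaster-style signal the post
    wants to preserve after the noise has been removed."""
    hits: Set[str] = set()
    for line in kept:
        rec = parse_deny(line)
        if rec and rec["src_if"] == "inside" and rec["proto"] == "tcp" and rec["dport"] == 135:
            hits.add(str(rec["src"]))
    return hits


if __name__ == "__main__":
    kept_lines, dropped_lines = filter_log(SAMPLE_LOG)
    print(f"kept {len(kept_lines)}, dropped {len(dropped_lines)}")
    print("inside hosts denied on tcp/135:", sorted(rpc_135_sources(kept_lines)))
```

Run over the constructed sample, the two TCP 137/139 denials are dropped, the TCP/135 denial, the UDP/137 denial and the unrelated %PIX-4-106010 line are kept, and 10.1.1.7 is reported as the host that tried port 135. Adjusting the NOISE set is the per-rule control the PIX configuration itself does not offer.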
This archive was generated by hypermail 2b30 : Wed Oct 22 2003 - 20:32:50 PDT