[Snort-users] Snort 2.6 working with Snortsam, Redhat and a Cisco ASA
pmelson at ...11827...
Thu Apr 5 17:16:47 EDT 2007
On 4/5/07, Lang, Robert <Robert.Lang at ...13183...> wrote:
> Has anyone had any luck getting rule blocking working with Snortsam and
> a Cisco ASA? It works like a charm with our Watchguard Firewall, but
> with our PIX/ASA I always get a message that says "Error: [pix] Did not
> receive a response waiting for logon prompt from PIX at x.x.x.x".
Using telnet to manage firewalls? Tsk-tsk. :-)
The problem is either that:
1) Cisco routers and firewalls by default skip the standard "login:"
prompt most telnet servers offer up and go right to "Password:" Use
the 'pix' directive in your snortsam conf file instead:
pix 10.0.0.1 [telnetpass] [enablesecret] [config]
2) You *are* using the pix directive and you have AAA user
authentication turned on on the PIX and it *is* generating a "login:"
pix 10.0.0.1 [user]/[password] [enablesecret] [config]
Seriously, though, I would consider building Snort with flexresp and
modifying those rules that pertain to you to fire off ICMP type 3 or
TCP RST packets that will cause whatever firewall to drop the
connection. Then you can turn telnet off. :-)
More information about the Snort-users