FireGen for Pix Log Analysis Report

Altair Technologies - "sample" firewall log analysis for the period
Thu Mar 11 00:00:00 2004 to Thu Mar 11 23:59:59 2004

Firewall: 172.17.1.15
Sections: Summary, Message types, Message Details, Protocols, Traffic, Denials, VPN/IDS/Management
First message: 03/11/04 00:00:31
Last message: 03/11/04 18:01:05

-
Research links:
-
Keywords:
Keywords to include: Not configured
Keywords to exclude: 6-106015
-
Analyzed logs:
Analyzed log(s) Log size (kb) Log entries Log type
C:\Docs\Projects\Pix\2.0\syslog-2004-03-11.log 1,889.86 10,784 WinSyslog with PIX time stamp
-
Level Severity Description Total
1 Alert Immediate action needed 0
2 Critical Critical condition 1
3 Error Error condition 365
4 Warning Warning condition 4
5 Notification Normal but significant condition 754
6 Informational Informational message only 9,409
7 Debugging Appears during debugging only 1
Total 10,534
-
No Code Total Example
1 2-106017 1 Deny IP due to Land Attack from 64.53.150.209 to 209.161.200.227
2 3-106011 363 Deny inbound (No xlate) udp src outside:61.221.171.82/3273 dst outside:209.161.200.230/1434
3 3-315004 2 Fail to establish SSH session because PIX RSA host key retrieval failed.
4 4-106023 2 Deny tcp src inside:172.17.1.102/4177 dst outside:69.6.57.7/80 by access-group "acl_inbound"
5 4-400013 1 IDS:2003 ICMP redirect from 64.53.150.209 to 192.168.1.1 on interface outside
6 4-400032 1 IDS:4051 UDP Snork attack from 64.53.150.209 to 192.168.1.1 on interface outside
7 5-111001 2 Begin configuration: 172.17.1.102 writing to memory
8 5-111004 2 172.17.1.102 end configuration: OK
9 5-111005 2 console end configuration: OK
10 5-111007 8 Begin configuration: console reading from terminal
11 5-304001 740 172.17.1.70 Accessed URL 65.54.194.117:/ADSAdClient31.dll?GetAd?PG=NBCHIA?AP=?TF=_blank
12 6-109005 1 Authentication succeeded for user 'jmoore' from 209.161.200.235/0 to 0.0.0.0/0 on interface IKE-XAUTH
13 6-109011 1 Authen Session Start: user 'jmoore', sid 3
14 6-302001 1,645 Built outbound TCP connection 364050 for faddr 65.54.194.117/80 gaddr 209.161.200.226/42445 laddr 172.17.1.70/2722
15 6-302002 1,646 Teardown TCP connection 364041 faddr 64.14.131.71/80 gaddr 209.161.200.226/42439 laddr 172.17.1.70/2711 duration 0:00:51 bytes 6842 (TCP Reset-I)
16 6-302005 1,194 Built UDP connection for faddr 207.136.100.40/7097 gaddr 209.161.200.226/37745 laddr 172.17.1.40/1035
17 6-302006 1,186 Teardown UDP connection for faddr 207.136.100.40/7097 gaddr 209.161.200.226/37745 laddr 172.17.1.40/1035
18 6-302010 107 6 in use, 114 most used
19 6-303002 39 172.17.1.102 Retrieved 205.227.137.57:delta.ini
20 6-305001 1,792 Portmapped translation built for gaddr 209.161.200.226/42447 laddr 172.17.1.70/2731
21 6-305004 1,779 Teardown portmap translation for global 209.161.200.226/42445 local 172.17.1.70/2722
22 6-307002 6 Permitted Telnet login session from 172.17.1.102
23 6-315002 1 Permitted SSH session from 172.17.1.102 on interface inside for user "pix"
24 6-315003 2 SSH login session failed from 172.17.1.102 (3 attempts) on interface inside by user ""
25 6-315011 5 SSH session from 172.17.1.102 on interface inside for user "pix" terminated normally
26 6-602301 2 sa created, (sa) sa_dest= 209.161.200.235, sa_prot= 50, sa_spi= 0xa6afc495(2796536981), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 9
27 6-602302 3 deleting SA, (sa) sa_dest= 209.161.200.235, sa_prot= 50, sa_spi= 0x3de88ffc(1038651388), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2
28 7-702301 1 lifetime expiring, (sa) sa_dest= 209.161.200.226, sa_prot= 50, sa_spi= 0x21a09f69(564174697), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 1, (identity) local= 209.161.200.226, remote= 209.161.200.235, local_proxy
-
Message details for the 172.17.1.15 firewall:
-
Severity level 1 (Alert) details for the 172.17.1.15 firewall:
No First Message Last Message Code Message Count
No messages with severity level 1 were recorded.

-
Severity level 2 (Critical) details for the 172.17.1.15 firewall:
No First Message Last Message Code Message Count
1 03/11/04 12:49:20 03/11/04 17:40:15 2-106017 Deny IP due to Land Attack from 64.53.150.209 to 209.161.200.227 1

-
Severity level 3 (Error) details for the 172.17.1.15 firewall:
No First Message Last Message Code Message Count
1 03/11/04 08:32:08 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) tcp src outside:83.157.142.37/nnnn dst outside:209.161.200.227/135 6
2 03/11/04 08:40:54 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) icmp src outside:209.161.230.194 dst outside:209.161.200.227 (type 8, code 0) 5
3 03/11/04 04:39:37 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) icmp src outside:209.163.187.3 dst outside:209.161.200.227 (type 8, code 0) 5
4 03/11/04 08:32:08 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) tcp src outside:83.157.142.37/nnnn dst outside:209.161.200.228/135 4
5 03/11/04 12:38:04 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) tcp src outside:209.162.130.14/nnnn dst outside:209.161.200.227/445 3
6 03/11/04 15:08:07 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) tcp src outside:172.142.34.19/nnnn dst outside:209.161.200.227/135 3
7 03/11/04 08:40:54 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) icmp src outside:209.161.230.194 dst outside:209.161.200.230 (type 8, code 0) 3
8 03/11/04 07:05:51 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) tcp src outside:65.69.126.157/nnnn dst outside:209.161.200.227/135 3
9 03/11/04 14:20:52 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) tcp src outside:209.86.0.224/nnnn dst outside:209.161.200.227/135 3
10 03/11/04 02:20:17 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) tcp src outside:209.161.171.38/nnnn dst outside:209.161.200.230/135 3
11 03/11/04 04:39:37 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) icmp src outside:209.163.187.3 dst outside:209.161.200.230 (type 8, code 0) 3
12 03/11/04 09:47:58 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) tcp src outside:203.146.193.136/nnnn dst outside:209.161.200.227/135 3
13 03/11/04 08:42:24 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) tcp src outside:212.126.218.124/nnnn dst outside:209.161.200.227/21 3
14 03/11/04 02:20:17 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) tcp src outside:209.161.171.38/nnnn dst outside:209.161.200.227/135 3
15 03/11/04 08:27:52 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) tcp src outside:81.33.7.251/nnnn dst outside:209.161.200.227/135 3
16 03/11/04 13:10:35 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) tcp src outside:69.19.18.104/nnnn dst outside:209.161.200.227/135 3
17 03/11/04 05:27:21 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) tcp src outside:63.90.3.55/nnnn dst outside:209.161.200.227/135 3
18 03/11/04 06:54:16 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) tcp src outside:64.164.53.2/nnnn dst outside:209.161.200.227/135 3
19 03/11/04 05:21:14 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) tcp src outside:209.139.2.21/nnnn dst outside:209.161.200.227/135 3
20 03/11/04 01:10:51 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) tcp src outside:216.209.93.71/nnnn dst outside:209.161.200.227/135 3
21 03/11/04 03:01:31 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) tcp src outside:24.93.30.147/nnnn dst outside:209.161.200.227/135 3
22 03/11/04 15:58:02 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) tcp src outside:217.34.66.13/nnnn dst outside:209.161.200.228/139 3
23 03/11/04 07:44:02 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) tcp src outside:218.144.184.36/nnnn dst outside:209.161.200.228/445 3
24 03/11/04 02:20:23 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) tcp src outside:208.186.151.157/nnnn dst outside:209.161.200.227/443 3
25 03/11/04 07:06:12 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) tcp src outside:65.69.126.157/nnnn dst outside:209.161.200.227/445 3
More messages were recorded, but this listing is limited to the top 25.

-
Severity level 4 (Warning) details for the 172.17.1.15 firewall:
No First Message Last Message Code Message Count
1 03/11/04 13:47:40 03/11/04 17:40:15 4-106023 Deny tcp src inside:172.17.1.102/nnnn dst outside:69.6.57.7/80 by access-group "acl_inbound" 2
2 03/11/04 13:34:36 03/11/04 17:40:15 4-400013 IDS:2003 ICMP redirect from 64.53.150.209 to 192.168.1.1 on interface outside 1
3 03/11/04 13:13:40 03/11/04 17:40:15 4-400032 IDS:4051 UDP Snork attack from 64.53.150.209 to 192.168.1.1 on interface outside 1

-
Severity level 5 (Notification) details for the 172.17.1.15 firewall:
No First Message Last Message Code Message Count
1 03/11/04 11:26:46 03/11/04 17:40:15 5-304001 172.17.1.102 Accessed URL 64.235.234.140:/ac/acmelogo.jpg 13
2 03/11/04 10:41:15 03/11/04 17:40:15 5-304001 172.17.1.102 Accessed URL 66.163.175.128:/feed/pg4?s=quotes 10
3 03/11/04 10:54:26 03/11/04 17:40:15 5-111007 Begin configuration: 172.17.1.102 reading from terminal 7
4 03/11/04 13:34:42 03/11/04 17:40:15 5-304001 172.17.1.102 Accessed URL 69.28.159.140:/mm_cdn/01068ABAASAAAAAsDq0mG.Pth3YbANncOnzAvOaXPiWXbxImylXyL5JzhApAtK6k27bxNA6FFoVAkCsUvcLKYtO7ilT2u_.DAhmtra1IxvQ--/album_image/amg/drd400/d485/d48583l9l32.jpg 6
5 03/11/04 13:34:36 03/11/04 17:40:15 5-304001 172.17.1.102 Accessed URL 63.236.14.37:/nova/images/small-play-button.gif 4
6 03/11/04 17:46:56 03/11/04 17:40:15 5-304001 172.17.1.70 Accessed URL 63.146.96.171:/wst/images/2314369.JPG 3
7 03/11/04 13:34:09 03/11/04 17:40:15 5-304001 172.17.1.102 Accessed URL 63.236.14.26:/mmjb/check.cgi 3
8 03/11/04 17:52:38 03/11/04 17:40:15 5-304001 172.17.1.70 Accessed URL 63.215.124.60:/i/msnbc/Components/Art/SITEWIDE/Marquee/bn_marquee2.gif 3
9 03/11/04 10:55:47 03/11/04 17:40:15 5-111005 172.17.1.102 end configuration: OK 3
10 03/11/04 10:47:05 03/11/04 17:40:15 5-304001 172.17.1.102 Accessed URL 64.236.16.246:/ 3
11 03/11/04 17:46:56 03/11/04 17:40:15 5-304001 172.17.1.70 Accessed URL 63.146.96.171:/wst/images/2402631.JPG 3
12 03/11/04 10:47:05 03/11/04 17:40:15 5-304001 172.17.1.102 Accessed URL 64.236.24.28:/ 3
13 03/11/04 17:47:10 03/11/04 17:40:15 5-304001 172.17.1.70 Accessed URL 65.18.223.30:/images/citysites-cp-nytimes.jpg 3
14 03/11/04 17:31:39 03/11/04 17:40:15 5-304001 172.17.1.70 Accessed URL 212.58.240.131:/nol/shared/img/branded_puffs/line_prog.gif 2
15 03/11/04 12:47:04 03/11/04 17:40:15 5-304001 172.17.1.102 Accessed URL 64.233.161.104:/ 2
16 03/11/04 17:57:25 03/11/04 17:40:15 5-304001 172.17.1.70 Accessed URL 207.46.245.33:/css/html40.css 2
17 03/11/04 17:06:39 03/11/04 17:40:15 5-304001 172.17.1.70 Accessed URL 212.58.240.38:/media/images/39876000/jpg/_39876654_apbahrain300.jpg 2
18 03/11/04 14:43:44 03/11/04 17:40:15 5-304001 172.17.1.102 Accessed URL 63.236.14.21:/mmjb/ev/mx?EVENT=MXTrackDone&VER=8%2E20%2E0107MMD&OS=WinXPSP1&MMUID=957308CF%2DD475%2D4261%2DAC46%2D21A5D52566AD&SEQ=1&TRACKPOS=5&STATION%5FID=artistMatch%253a300%253a%253a 2
19 03/11/04 17:34:04 03/11/04 17:40:15 5-304001 172.17.1.70 Accessed URL 206.112.74.4:/images/pixel.gif 2
20 03/11/04 17:18:27 03/11/04 17:40:15 5-304001 172.17.1.70 Accessed URL 216.239.41.104:/pagead/show_ads.js 2
21 03/11/04 11:37:41 03/11/04 17:40:15 5-304001 172.17.1.102 Accessed URL 207.46.248.244:/library/images/support/emailicon.gif 2
22 03/11/04 17:31:40 03/11/04 17:40:15 5-304001 172.17.1.70 Accessed URL 212.58.240.131:/media/images/39870000/jpg/_39870384_obese_66.jpg 2
23 03/11/04 17:37:05 03/11/04 17:40:15 5-304001 172.17.1.70 Accessed URL 207.61.132.8:/images/2004/03/11/international/040312_web_MADRIDmap.gif 2
24 03/11/04 17:47:08 03/11/04 17:40:15 5-304001 172.17.1.70 Accessed URL 209.11.106.40:/sales/listingJS.asp 2
25 03/11/04 17:37:04 03/11/04 17:40:15 5-304001 172.17.1.70 Accessed URL 207.61.132.8:/images/2004/03/11/international/11cnd-blast.10.184.jpg 2
More messages were recorded, but this listing is limited to the top 25.

-
Severity level 6 (Informational) details for the 172.17.1.15 firewall:
No First Message Last Message Code Message Count
1 03/11/04 12:22:56 03/11/04 17:40:15 6-305001 Portmapped translation built for gaddr 209.161.200.226/nnnn laddr 172.17.1.102/nnnn 636
2 03/11/04 12:23:41 03/11/04 17:40:15 6-305004 Teardown portmap translation for global 209.161.200.226/nnnn local 172.17.1.102/nnnn 612
3 03/11/04 00:20:07 03/11/04 17:40:15 6-302006 Teardown UDP connection for faddr 207.136.100.40/nnnn gaddr 209.161.200.226/nnnn laddr 172.17.1.40/nnnn 337
4 03/11/04 00:19:51 03/11/04 17:40:15 6-302005 Built UDP connection for faddr 207.136.100.40/nnnn gaddr 209.161.200.226/nnnn laddr 172.17.1.40/nnnn 337
5 03/11/04 12:24:01 03/11/04 17:40:15 6-302005 Built UDP connection for faddr 207.136.100.40/nnnn gaddr 209.161.200.226/nnnn laddr 172.17.1.40/nnnn 282
6 03/11/04 12:24:12 03/11/04 17:40:15 6-302006 Teardown UDP connection for faddr 207.136.100.40/nnnn gaddr 209.161.200.226/nnnn laddr 172.17.1.40/nnnn 271
7 03/11/04 10:39:42 03/11/04 17:40:15 6-305001 Portmapped translation built for gaddr 209.161.200.226/nnnn laddr 172.17.1.102/nnnn 209
8 03/11/04 10:42:07 03/11/04 17:40:15 6-305004 Teardown portmap translation for global 209.161.200.226/nnnn local 172.17.1.102/nnnn 206
9 03/11/04 16:42:25 03/11/04 17:40:15 6-305001 Portmapped translation built for gaddr 209.161.200.226/nnnn laddr 172.17.1.70/nnnn 204
10 03/11/04 16:43:09 03/11/04 17:40:15 6-305004 Teardown portmap translation for global 209.161.200.226/nnnn local 172.17.1.70/nnnn 193
11 03/11/04 17:39:58 03/11/04 17:40:15 6-305004 Teardown portmap translation for global 209.161.200.226/nnnn local 172.17.1.70/nnnn 190
12 03/11/04 17:39:27 03/11/04 17:40:15 6-305001 Portmapped translation built for gaddr 209.161.200.226/nnnn laddr 172.17.1.70/nnnn 183
13 03/11/04 00:09:04 03/11/04 17:40:15 6-305004 Teardown portmap translation for global 209.161.200.226/nnnn local 172.17.1.40/nnnn 135
14 03/11/04 00:06:39 03/11/04 17:40:15 6-305001 Portmapped translation built for gaddr 209.161.200.226/nnnn laddr 172.17.1.40/nnnn 135
15 03/11/04 17:39:28 03/11/04 17:40:15 6-302006 Teardown UDP connection for faddr 207.136.100.40/nnnn gaddr 209.161.200.226/nnnn laddr 172.17.1.40/nnnn 88
16 03/11/04 17:39:28 03/11/04 17:40:15 6-302005 Built UDP connection for faddr 207.136.100.40/nnnn gaddr 209.161.200.226/nnnn laddr 172.17.1.40/nnnn 85
17 03/11/04 12:24:01 03/11/04 17:40:15 6-305001 Portmapped translation built for gaddr 209.161.200.226/nnnn laddr 172.17.1.40/nnnn 75
18 03/11/04 12:24:42 03/11/04 17:40:15 6-305004 Teardown portmap translation for global 209.161.200.226/nnnn local 172.17.1.40/nnnn 74
19 03/11/04 00:09:04 03/11/04 17:40:15 6-302006 Teardown UDP connection for faddr 209.161.200.227/514 gaddr 209.161.200.226/nnnn laddr 172.17.1.10/nnnn 71
20 03/11/04 00:09:04 03/11/04 17:40:15 6-305004 Teardown portmap translation for global 209.161.200.226/nnnn local 172.17.1.10/nnnn 71
21 03/11/04 00:06:47 03/11/04 17:40:15 6-302005 Built UDP connection for faddr 209.161.200.227/514 gaddr 209.161.200.226/nnnn laddr 172.17.1.10/nnnn 71
22 03/11/04 00:06:47 03/11/04 17:40:15 6-305001 Portmapped translation built for gaddr 209.161.200.226/nnnn laddr 172.17.1.10/nnnn 71
23 03/11/04 16:58:40 03/11/04 17:40:15 6-302001 Built outbound TCP connection nnnnn for faddr 212.58.240.142/80 gaddr 209.161.200.226/nnnn laddr 172.17.1.70/nnnn 64
24 03/11/04 16:58:41 03/11/04 17:40:15 6-302002 Teardown TCP connection nnnnn faddr 212.58.240.142/80 gaddr 209.161.200.226/nnnn laddr 172.17.1.70/nnnn duration 0:00:01 bytes nnnnn (TCP FINs) 62
25 03/11/04 17:39:28 03/11/04 17:40:15 6-305004 Teardown portmap translation for global 209.161.200.226/nnnn local 172.17.1.102/nnnn 59
More messages were recorded, but this listing is limited to the top 25.

-
Severity level 7 (Debugging) details for the 172.17.1.15 firewall:
No First Message Last Message Code Message Count
1 03/11/04 13:50:41 03/11/04 17:40:15 7-702301 lifetime expiring, (sa) sa_dest= 209.161.200.226, sa_prot= 50, sa_spi= 0x21a09f69(564174697), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 1, (identity) local= 209.161.200.226, remote= 209.161.200.235, local_proxy 1

-
Web traffic (HTTP/HTTPS) - Top 50 internal users (outbound connections) for the 172.17.1.15 firewall:
No Source IP Source Host Destination IP Destination Host Connections Comments
1 172.17.1.102 dell3943.acme.local 65.54.244.253 hotmail.com 85  
2 172.17.1.70 dell4323.acme.local 212.58.240.142 www.bbc.co.uk 64  
3 172.17.1.102 dell3943.acme.local 64.4.241.32 paypal.com 55 HTTPS 
4 172.17.1.102 dell3943.acme.local 63.236.14.21 musicmatch.com 42  
5 172.17.1.102 dell3943.acme.local 208.223.219.206 www.charter.com 37  
6 172.17.1.102 dell3943.acme.local 216.220.63.73 moneris.com 34 HTTPS 
7 172.17.1.102 dell3943.acme.local 69.28.154.140 limelightnetworks.com 29  
8 172.17.1.70 dell4323.acme.local 212.58.240.131 www.bbc.co.uk 29  
9 172.17.1.70 dell4323.acme.local 212.58.240.38 www.bbc.co.uk 25  
10 172.17.1.102 dell3943.acme.local 63.236.14.37 musicmatch.com 24  
11 172.17.1.102 dell3943.acme.local 64.4.60.7 dav.bay0.hotmail.com 23  
12 172.17.1.102 dell3943.acme.local 212.58.240.144 www.bbc.co.uk 23  
13 172.17.1.70 dell4323.acme.local 62.189.244.254   22  
14 172.17.1.70 dell4323.acme.local 207.61.132.8   19  
15 172.17.1.70 dell4323.acme.local 199.246.67.114 www.globeandmail.com 16  
16 172.17.1.102 dell3943.acme.local 65.54.229.253 hotmail.com 15  
17 172.17.1.102 dell3943.acme.local 207.69.130.52 webmail.atl.earthlink.net 15 HTTPS 
18 172.17.1.70 dell4323.acme.local 199.246.67.210 www.globeandmail.com 14  
19 172.17.1.102 dell3943.acme.local 207.46.248.244 support.microsoft.com 13  
20 172.17.1.102 dell3943.acme.local 64.235.234.140 europa.lunarpages.com 13  
21 172.17.1.70 dell4323.acme.local 199.239.137.245   11  
22 172.17.1.102 dell3943.acme.local 216.239.37.99   10  
23 172.17.1.102 dell3943.acme.local 66.163.175.128 data1.my.vip.sc5.yahoo.com 10  
24 172.17.1.70 dell4323.acme.local 216.52.17.116 192.168.112.2O7.net 10  
25 172.17.1.70 dell4323.acme.local 63.146.96.171   10  
26 172.17.1.102 dell3943.acme.local 69.28.159.140 limelightnetworks.com 9  
27 172.17.1.102 dell3943.acme.local 216.52.17.118 102.112.2o7.net 9 HTTPS 
28 172.17.1.70 dell4323.acme.local 207.46.245.33 msnbcbusiness.com 9  
29 172.17.1.102 dell3943.acme.local 205.188.250.25 cb.icq.com 8  
30 172.17.1.102 dell3943.acme.local 207.68.172.249 msn.com 7  
31 172.17.1.102 dell3943.acme.local 64.236.42.63 www.cnn.com 7  
32 172.17.1.70 dell4323.acme.local 208.254.18.131   6  
33 172.17.1.102 dell3943.acme.local 63.236.14.12 musicmatch.com 6  
34 172.17.1.70 dell4323.acme.local 209.68.10.225 masterview.ikonosnewmedia.com 6  
35 172.17.1.70 dell4323.acme.local 206.112.74.4   6  
36 172.17.1.70 dell4323.acme.local 212.58.240.140 www.bbc.co.uk 6  
37 172.17.1.70 dell4323.acme.local 12.130.12.31   6  
38 172.17.1.102 dell3943.acme.local 64.236.40.55 www.cnn.com 6  
39 172.17.1.102 dell3943.acme.local 63.236.14.26 musicmatch.com 6  
40 172.17.1.70 dell4323.acme.local 199.239.137.200   6  
41 172.17.1.102 dell3943.acme.local 207.68.173.243 msn.com 5  
42 172.17.1.70 dell4323.acme.local 64.14.128.200   5  
43 172.17.1.102 dell3943.acme.local 64.236.16.246 www.cnn.com 5  
44 172.17.1.70 dell4323.acme.local 206.65.183.220   5  
45 172.17.1.102 dell3943.acme.local 64.12.174.121 ads.web.aol.com 5  
46 172.17.1.70 dell4323.acme.local 63.215.124.60 unknown.level3.net 5  
47 172.17.1.102 dell3943.acme.local 69.28.154.149 limelightnetworks.com 5  
48 172.17.1.70 dell4323.acme.local 199.246.67.250 www.globeandmail.com 5  
49 172.17.1.102 dell3943.acme.local 220.164.144.132   5  
50 172.17.1.70 dell4323.acme.local 209.11.106.40   5  
-
Web traffic (HTTP/HTTPS) - Top 50 visited sites for the 172.17.1.15 firewall:
-
Web traffic (HTTP/HTTPS) - Top 50 incoming connections for the 172.17.1.15 firewall:
-
Email (SMTP) - Top 50 outbound connections for the 172.17.1.15 firewall:
-
Email (SMTP) - Top 50 inbound connections for the 172.17.1.15 firewall:
No Source IP Source Host Destination IP Destination Host Connections Comments
1 66.30.36.214 h00a00c44c647.ne.client2.attbi.com 172.17.1.40 public.acme.local 16  
2 24.5.248.156 c-24-5-248-156.client.comcast.net 172.17.1.40 public.acme.local 12  
3 66.31.242.140 h0008744dc9d0.ne.client2.attbi.com 172.17.1.40 public.acme.local 12  
4 66.191.183.182 cpe-66-191-183-182.spa.sc.charter.com 172.17.1.40 public.acme.local 12  
5 81.195.87.106   172.17.1.40 public.acme.local 12  
6 69.105.197.100 adsl-69-105-197-100.dsl.scrm01.pacbell.net 172.17.1.40 public.acme.local 11 Potential spammer 
7 64.4.240.67 paypal.com 172.17.1.40 public.acme.local 9  
8 67.97.239.131 mail.ryanco.com 172.17.1.40 public.acme.local 6  
9 216.5.163.55 data1.exhedra.com 172.17.1.40 public.acme.local 5 Spammer? 
10 217.156.36.6   172.17.1.40 public.acme.local 5  
11 200.84.115.110   172.17.1.40 public.acme.local 4  
12 217.99.142.52 pc52.pila.cvx.ppp.tpnet.pl 172.17.1.40 public.acme.local 4  
13 82.38.206.222 82-38-206-222.cable.ubr05.shef.blueyonder.co.uk 172.17.1.40 public.acme.local 4 Potential spammer 
14 82.217.158.72 qn-82-217-158-72.quicknet.nl 172.17.1.40 public.acme.local 4  
15 216.239.51.5 google.com 172.17.1.40 public.acme.local 4  
16 211.109.35.85   172.17.1.40 public.acme.local 3  
17 200.118.10.155 dynamic-ip-cr20011810155.cable.net.co 172.17.1.40 public.acme.local 3  
18 66.187.232.134 mail.rhn.redhat.com 172.17.1.40 public.acme.local 3  
19 200.78.116.130 dsl-200-78-116-130.prod-infinitum.com.mx 172.17.1.40 public.acme.local 3 Potential spammer 
20 200.206.168.235 200-206-168-235.dsl.telesp.net.br 172.17.1.40 public.acme.local 3 Potential spammer 
21 200.171.144.79 200-171-144-79.dsl.telesp.net.br 172.17.1.40 public.acme.local 3 Potential spammer 
22 68.90.242.25 adsl-68-90-242-25.dsl.hstntx.swbell.net 172.17.1.40 public.acme.local 3 Potential spammer 
23 65.222.14.154   172.17.1.40 public.acme.local 3  
24 200.207.7.86 200-207-7-86.dialdata.net.br 172.17.1.40 public.acme.local 3  
25 200.213.211.19   172.17.1.40 public.acme.local 3  
26 24.201.158.13 modemcable013.158-201-24.mc.videotron.ca 172.17.1.40 public.acme.local 3 Potential spammer 
27 148.63.43.155 vsat-148-63-43-155.c001.g4.mrt.starband.net 172.17.1.40 public.acme.local 3 Potential spammer 
28 200.207.164.53 200-207-164-53.dsl.telesp.net.br 172.17.1.40 public.acme.local 3 Potential spammer 
29 200.207.127.219 200-207-127-219.dsl.telesp.net.br 172.17.1.40 public.acme.local 3 Potential spammer 
30 12.202.167.124 12-202-167-124.client.insightbb.com 172.17.1.40 public.acme.local 3  
31 200.251.170.125   172.17.1.40 public.acme.local 3  
32 24.173.135.234 rrcs-se-24-173-135-234.biz.rr.com 172.17.1.40 public.acme.local 3  
33 200.206.133.62 200-206-133-62.speedyterra.com.br 172.17.1.40 public.acme.local 3  
34 200.118.110.93 static-ip-cr20011811093.cable.net.co 172.17.1.40 public.acme.local 3  
35 200.78.37.104 dsl-200-78-37-104.prod-infinitum.com.mx 172.17.1.40 public.acme.local 3  
36 216.0.195.51 relay1.aelita.com 172.17.1.40 public.acme.local 2  
37 62.59.190.80   172.17.1.40 public.acme.local 2  
38 200.60.225.35 client-200.60.225.35.speedy.net.pe 172.17.1.40 public.acme.local 2  
39 212.113.20.197   172.17.1.40 public.acme.local 2  
40 200.21.19.38   172.17.1.40 public.acme.local 2  
41 208.41.6.199 208-41-6-199.client.dsl.net 172.17.1.40 public.acme.local 2 Potential spammer 
42 217.160.106.138 monitorware.de 172.17.1.40 public.acme.local 2  
43 69.6.7.58 tekmailer.com 172.17.1.40 public.acme.local 2  
44 64.4.240.74 paypal.com 172.17.1.40 public.acme.local 2  
45 206.54.145.20 mail-out.fnf.com 172.17.1.40 public.acme.local 2  
46 66.98.86.167 167sdl30m51.codetel.net.do 172.17.1.40 public.acme.local 2  
47 64.4.240.75 paypal.com 172.17.1.40 public.acme.local 2  
48 142.163.96.236 warp142163096236.newtel.com 172.17.1.40 public.acme.local 2  
49 68.123.227.173 adsl-68-123-227-173.dsl.irvnca.pacbell.net 172.17.1.40 public.acme.local 2 Potential spammer 
50 213.157.174.55   172.17.1.40 public.acme.local 2  
-
Email clients (POP3/IMAP) - Top 50 connections for the 172.17.1.15 firewall:
-
Custom protocol 1 - MS RPC (TCP/135) - Top 50 connections for the 172.17.1.15 firewall:
No Source IP Source Host Destination IP Destination Host Connections Direction Comments
No MS RPC connections recorded. Logging level 6 required for this type of information.
-
Custom protocol 2 - RDP (TCP/3389) - Top 50 connections for the 172.17.1.15 firewall:
No Source IP Source Host Destination IP Destination Host Connections Direction Comments
No RDP connections recorded. Logging level 6 required for this type of information.
-
Custom protocol 3 - NetBIOS (UDP/137) - Top 50 connections for the 172.17.1.15 firewall:
No Source IP Source Host Destination IP Destination Host Connections Direction Comments
No NetBIOS connections recorded. Logging level 6 required for this type of information.
-
SSH,Telnet (TCP/22,TCP/23) - Top 50 connections for the 172.17.1.15 firewall:
No Source IP Source Host Destination IP Destination Host Protocol Connections Direction Comments
No SSH,Telnet connections recorded. Logging level 6 required for this type of information.
-
Other protocols - Top 50 connections for the 172.17.1.15 firewall:
No Source IP Source Host Destination IP Destination Host Protocol Connections Direction Comments
1 172.17.1.40 public.acme.local 207.136.100.40 ns1.look.ca UDP/1024+ - dns 762 out  
2 172.17.1.102 dell3943.acme.local 198.77.116.8 ns.direcpc.com UDP/1024+ - dns 164 out  
3 172.17.1.10   209.161.200.227 mx1.altairtech.ca UDP/1024+ - dns 78 in  
4 172.17.1.40 public.acme.local 216.218.202.31   TCP/21 - ftp 65 out  
5 172.17.1.20   209.161.200.227 mx1.altairtech.ca UDP/1024+ - dns 59 in  
6 172.17.1.10   209.161.200.227 mx1.altairtech.ca UDP/514 - syslog 23 in  
7 172.17.1.20   209.161.200.227 mx1.altairtech.ca UDP/514 - syslog 16 in  
8 172.17.1.40 public.acme.local 209.148.64.40 ns2.look.ca UDP/1024+ - dns 12 out  
9 172.17.1.40 public.acme.local 198.77.116.8 ns.direcpc.com UDP/1024+ - dns 11 out  
10 172.17.1.40 public.acme.local 192.168.7.77   UDP/1024+ - dns 10 out  
11 172.17.1.40 public.acme.local 192.168.236.1   UDP/138 - netbios 8 out  
12 172.17.1.40 public.acme.local 192.168.189.1   UDP/138 - netbios 8 out  
13 172.17.1.40 public.acme.local 209.61.184.105 server1.gfi.com TCP/21 - ftp 6 out  
14 172.17.1.102 dell3943.acme.local 205.227.137.57 ftpdal.nai.com TCP/21 - ftp 4 out  
15 172.17.1.40 public.acme.local 192.41.162.32 l3.NSTLD.COM UDP/1024+ - dns 4 out  
16 172.17.1.8   209.161.200.227 mx1.altairtech.ca UDP/1024+ - dns 3 in  
17 172.17.1.40 public.acme.local 66.216.95.69   TCP/21 - ftp 3 out  
18 172.17.1.40 public.acme.local 198.41.0.4 a.root-servers.net UDP/1024+ - dns 3 out  
19 172.17.1.40 public.acme.local 192.35.51.32 f3.NSTLD.COM UDP/428 2 out  
20 172.17.1.40 public.acme.local 202.57.96.4 taal.smart-ntt.com UDP/1024+ - dns 2 out  
21 172.17.1.40 public.acme.local 209.17.66.10 pongo.calgate.net UDP/1024+ - dns 2 out  
22 172.17.1.102 dell3943.acme.local 209.161.200.227 mx1.altairtech.ca UDP/1024+ - dns 2 out  
23 172.17.1.40 public.acme.local 192.5.6.32 chia.arin.net UDP/1024+ - dns 2 out  
24 172.17.1.40 public.acme.local 202.57.96.3 arayat.smart-ntt.com UDP/1024+ - dns 2 out  
25 172.17.1.40 public.acme.local 209.17.66.79 dns2.optigate.net UDP/1024+ - dns 2 out  
26 172.17.1.102 dell3943.acme.local 64.12.200.89 ibucp-vip-m.blue.aol.com TCP/5190 - icq 1 out  
27 172.17.1.40 public.acme.local 209.170.216.2 ns2.viawest.net UDP/1024+ - dns 1 out  
28 172.17.1.40 public.acme.local 61.213.162.91 ns4.verio.net UDP/1024+ - dns 1 out  
29 172.17.1.40 public.acme.local 193.0.0.193 ns.ripe.net UDP/1024+ - dns 1 out  
30 172.17.1.40 public.acme.local 216.239.32.10 ns1.google.com UDP/428 1 out  
31 172.17.1.40 public.acme.local 202.12.27.33 m.root-servers.net UDP/1024+ - dns 1 out  
32 172.17.1.40 public.acme.local 192.58.128.30 j.root-servers.net UDP/1024+ - dns 1 out  
33 172.17.1.40 public.acme.local 192.67.14.17 u.ns.verio.net UDP/1024+ - dns 1 out  
34 172.17.1.40 public.acme.local 129.250.35.33 c.ns.verio.net UDP/1024+ - dns 1 out  
35 172.17.1.40 public.acme.local 216.87.64.12 ns1.viawest.net UDP/1024+ - dns 1 out  
36 172.17.1.102 dell3943.acme.local 63.251.254.11   UDP/370 - nai-antivirus-securecast 1 out  
37 172.17.1.40 public.acme.local 202.9.145.7 sdns01.minnambalam.com UDP/1024+ - dns 1 out  
38 172.17.1.40 public.acme.local 129.7.1.20 post-office.uh.edu UDP/1024+ - dns 1 out  
39 172.17.1.40 public.acme.local 129.7.1.1 walnut.cc.uh.edu UDP/1024+ - dns 1 out  
40 172.17.1.40 public.acme.local 128.63.2.53 h.root-servers.net UDP/428 1 out  
41 172.17.1.102 dell3943.acme.local 216.155.193.143 msg.dcn.yahoo.com TCP/5050 - yahoo messenger 1 out  
42 172.17.1.40 public.acme.local 216.239.34.10 ns2.google.com UDP/428 1 out  
43 172.17.1.70 dell4323.acme.local 192.5.41.209 ntp2.usno.navy.mil UDP/123 - ntp 1 out  
44 172.17.1.102 dell3943.acme.local 205.188.9.112   TCP/5190 - icq 1 out  
45 172.17.1.102 dell3943.acme.local 216.155.193.139 msg.dcn.yahoo.com TCP/5050 - yahoo messenger 1 out  
46 172.17.1.25   209.161.200.227 mx1.altairtech.ca UDP/1024+ - dns 1 in  
47 172.17.1.70 dell4323.acme.local 198.77.116.8 ns.direcpc.com UDP/1024+ - dns 1 out  
48 172.17.1.102 dell3943.acme.local 209.161.200.227 mx1.altairtech.ca TCP/389 - ldap 1 out  
49 172.17.1.40 public.acme.local 202.9.145.6 pdns01.minnambalam.com UDP/1024+ - dns 1 out  
-
Protocols - Top 50 for the 172.17.1.15 firewall - ordered by connections:
No Protocol Connections %
1 UDP/1024+ - dns 1,132 39.87
2 TCP/80 - http 914 32.19
3 TCP/25 - smtp 367 12.92
4 TCP/443 - ssl-https 121 4.26
5 TCP/143 - imap 98 3.45
6 TCP/21 - ftp 78 2.74
7 TCP/110 - pop3 62 2.18
8 UDP/514 - syslog 39 1.37
9 UDP/138 - netbios 16 0.56
10 UDP/428 5 0.17
11 TCP/5050 - yahoo messenger 2 0.07
12 TCP/5190 - icq 2 0.07
13 UDP/370 - nai-antivirus-securecast 1 0.03
14 UDP/123 - ntp 1 0.03
15 TCP/389 - ldap 1 0.03
-
Protocols - Top 50 for the 172.17.1.15 firewall - ordered by traffic:
No Protocol Total Traffic % Bytes In Bytes Out
1 TCP/80 - http 48,944,886 86.97 2,860 48,942,026
2 TCP/21 - ftp 3,929,829 6.98 0 3,929,829
3 TCP/25 - smtp 1,748,621 3.11 1,600,946 147,675
4 TCP/443 - ssl-https 1,040,378 1.85 0 1,040,378
5 TCP/143 - imap 572,488 1.02 572,488 0
6 TCP/110 - pop3 27,467 0.05 15,002 12,465
7 TCP/5050 - yahoo messenger 6,236 0.01 0 6,236
8 TCP/5190 - icq 5,971 0.01 0 5,971
Total 0 2,191,296 54,084,580
Unknown 0 Traffic that could not be mapped to a specific protocol or as inbound/outbound
-
FTP downloads - Top 50 for the 172.17.1.15 firewall:
-
FTP uploads - Top 50 for the 172.17.1.15 firewall:
No FTP client IP FTP client host FTP server IP FTP server host File Count Comments
No FTP Uploads recorded - Level 5 (Notification) logging is required to capture FTP uploads.
-
Internal IP addresses - Top 50 for the 172.17.1.15 firewall:
No Source IP Source Host Connections Protocols Traffic (kb) Comments
1 172.17.1.102 dell3943.acme.local 712 TCP/143 - imap, TCP/80 - http, TCP/5050 - yahoo messenger, TCP/389 - ldap, TCP/21 - ftp, TCP/110 - pop3, TCP/443 - ssl-https, TCP/25 - smtp, TCP/5190 - icq 41,925
2 172.17.1.40 public.acme.local 551 TCP/80 - http, TCP/21 - ftp, TCP/25 - smtp 6,116
3 172.17.1.70 dell4323.acme.local 382 TCP/80 - http, TCP/443 - ssl-https 8,757
-
Total traffic by hour for the 172.17.1.15 firewall:
Hours Bytes Inbound Bytes Outbound Bytes Unknown Bytes Total %
00 - 01 33,273 5,156 0 38,429 0.07
01 - 02 169,945 1,342 0 171,287 0.29
02 - 03 26,852 1,341 0 28,193 0.05
03 - 04 187,595 19,082 0 206,677 0.36
04 - 05 65,054 1,341 0 66,395 0.11
05 - 06 47,302 2,517,485 0 2,564,787 4.41
06 - 07 47,479 1,340 0 48,819 0.08
07 - 08 91,452 45,456 0 136,908 0.24
08 - 09 342,454 1,338 0 343,792 0.59
09 - 10 131,021 1,353,340 0 1,484,361 2.55
10 - 11 156,091 256,784 0 412,875 0.71
11 - 12 31,001 830,613 47,416 909,030 1.56
12 - 13 171,914 456,605 0 628,519 1.08
13 - 14 37,390 859,558 1,837,790 2,734,738 4.70
14 - 15 114,875 9,688,110 0 9,802,985 16.85
15 - 16 27,803 26,946 0 54,749 0.09
16 - 17 472,914 8,462,245 0 8,935,159 15.36
17 - 18 36,881 29,313,505 0 29,350,386 50.46
18 - 19 0 242,993 0 242,993 0.42
19 - 20 0 0 0 0 0
20 - 21 0 0 0 0 0
21 - 22 0 0 0 0 0
22 - 23 0 0 0 0 0
23 - 24 0 0 0 0 0
Total 2,191,296 54,084,580 1,885,206 58,161,082
Total 2,140 kb 52,817 kb 1,841 kb 56,798 kb
-
Inbound traffic by hour for the 172.17.1.15 firewall: - Go to top
Hours Bytes Inbound %
00 - 01 33,273 1.52
01 - 02 169,945 7.76
02 - 03 26,852 1.23
03 - 04 187,595 8.56
04 - 05 65,054 2.97
05 - 06 47,302 2.16
06 - 07 47,479 2.17
07 - 08 91,452 4.17
08 - 09 342,454 15.63
09 - 10 131,021 5.98
10 - 11 156,091 7.12
11 - 12 31,001 1.41
12 - 13 171,914 7.85
13 - 14 37,390 1.71
14 - 15 114,875 5.24
15 - 16 27,803 1.27
16 - 17 472,914 21.58
17 - 18 36,881 1.68
18 - 19 0 0
19 - 20 0 0
20 - 21 0 0
21 - 22 0 0
22 - 23 0 0
23 - 24 0 0
Total 2,191,296
Total 2,140 kb
-
Outbound traffic by hour for the 172.17.1.15 firewall: - Go to top
Hours Bytes Outbound %
00 - 01 5,156 0.01
01 - 02 1,342 0.00
02 - 03 1,341 0.00
03 - 04 19,082 0.04
04 - 05 1,341 0.00
05 - 06 2,517,485 4.65
06 - 07 1,340 0.00
07 - 08 45,456 0.08
08 - 09 1,338 0.00
09 - 10 1,353,340 2.50
10 - 11 256,784 0.47
11 - 12 830,613 1.54
12 - 13 456,605 0.84
13 - 14 859,558 1.59
14 - 15 9,688,110 17.91
15 - 16 26,946 0.05
16 - 17 8,462,245 15.65
17 - 18 29,313,505 54.20
18 - 19 242,993 0.45
19 - 20 0 0
20 - 21 0 0
21 - 22 0 0
22 - 23 0 0
23 - 24 0 0
Total 54,084,580
Total 52,817 kb
-
-
Denied connections - Top 30 for the 172.17.1.15 firewall: - Go to top
No Source IP Source Host Destination IP Destination Host Protocol Reason Count Location Comments
1 83.157.142.37 dyn-83-157-142-37.ppp.tiscali.fr 209.161.200.227 mx1.altairtech.ca TCP/135 - ms rpc No xlate 6 external
2 209.161.230.194   209.161.200.227 mx1.altairtech.ca ICMP/8 - echo No xlate 5 external
3 209.163.187.3 idsint.integrateddigitalsolutions.net 209.161.200.227 mx1.altairtech.ca ICMP/8 - echo No xlate 5 external
4 83.157.142.37 dyn-83-157-142-37.ppp.tiscali.fr 209.161.200.228 mx2.altairtech.ca TCP/135 - ms rpc No xlate 4 external
5 212.126.218.124 da7cc.unt0.etta.i-u.de 209.161.200.227 mx1.altairtech.ca TCP/21 - ftp No xlate 3 external
6 69.19.18.104 dpc691918104.direcpc.com 209.161.200.227 mx1.altairtech.ca TCP/135 - ms rpc No xlate 3 external
7 209.161.171.38 chev3640-modem-4.unicom-alaska.com 209.161.200.230   TCP/135 - ms rpc No xlate 3 external
8 64.164.53.2   209.161.200.227 mx1.altairtech.ca TCP/135 - ms rpc No xlate 3 external
9 209.139.2.21   209.161.200.227 mx1.altairtech.ca TCP/135 - ms rpc No xlate 3 external
10 65.69.126.157 adsl-65-69-126-157.dsl.tulsok.swbell.net 209.161.200.227 mx1.altairtech.ca TCP/135 - ms rpc No xlate 3 external
11 81.33.7.251 251.Red-81-33-7.pooles.rima-tde.net 209.161.200.227 mx1.altairtech.ca TCP/135 - ms rpc No xlate 3 external
12 208.186.151.157 208-186-151-157.nrp3.brv.mn.frontiernet.net 209.161.200.227 mx1.altairtech.ca TCP/443 - ssl-https No xlate 3 external
13 209.161.171.38 chev3640-modem-4.unicom-alaska.com 209.161.200.227 mx1.altairtech.ca TCP/135 - ms rpc No xlate 3 external
14 24.93.30.147 roc-24-93-30-147.rochester.rr.com 209.161.200.227 mx1.altairtech.ca TCP/135 - ms rpc No xlate 3 external
15 218.144.184.36   209.161.200.228 mx2.altairtech.ca TCP/445 - netbios No xlate 3 external
16 209.162.130.14 209-162-130-14.cortland.com 209.161.200.227 mx1.altairtech.ca TCP/445 - netbios No xlate 3 external
17 209.161.230.194   209.161.200.230   ICMP/8 - echo No xlate 3 external
18 203.146.193.136 r248-cmilf2.n.loxinfo.net.th 209.161.200.227 mx1.altairtech.ca TCP/135 - ms rpc No xlate 3 external
19 65.69.126.157 adsl-65-69-126-157.dsl.tulsok.swbell.net 209.161.200.227 mx1.altairtech.ca TCP/445 - netbios No xlate 3 external
20 209.86.0.224 user-38lc070.dialup.mindspring.com 209.161.200.227 mx1.altairtech.ca TCP/135 - ms rpc No xlate 3 external
21 172.142.34.19 ac8e2213.ipt.aol.com 209.161.200.227 mx1.altairtech.ca TCP/135 - ms rpc No xlate 3 external
22 209.163.187.3 idsint.integrateddigitalsolutions.net 209.161.200.230   ICMP/8 - echo No xlate 3 external
23 63.90.3.55   209.161.200.227 mx1.altairtech.ca TCP/135 - ms rpc No xlate 3 external
24 216.209.93.71 hse-toronto-ppp119300.sympatico.ca 209.161.200.227 mx1.altairtech.ca TCP/135 - ms rpc No xlate 3 external
25 217.34.66.13 host217-34-66-13.in-addr.btopenworld.com 209.161.200.228 mx2.altairtech.ca TCP/139 - netbios No xlate 3 external
26 64.164.53.2   209.161.200.228 mx2.altairtech.ca TCP/135 - ms rpc No xlate 2 external
27 80.142.225.88 p508EE158.dip.t-dialin.net 209.161.200.230   TCP/1433 - ms sql No xlate 2 external
28 81.53.110.127 AMontsouris-109-1-8-127.w81-53.abo.wanadoo.fr 209.161.200.227 mx1.altairtech.ca TCP/445 - netbios No xlate 2 external
29 172.142.34.19 ac8e2213.ipt.aol.com 209.161.200.230   TCP/135 - ms rpc No xlate 2 external
30 80.142.225.88 p508EE158.dip.t-dialin.net 209.161.200.227 mx1.altairtech.ca TCP/1433 - ms sql No xlate 2 external
-
Denied protocols - Top 30 for the 172.17.1.15 firewall: - Go to top
No Protocol Reason Count
1 TCP/135 - ms rpc No xlate 53
2 ICMP/8 - echo No xlate 16
3 TCP/445 - netbios No xlate 11
4 TCP/1433 - ms sql No xlate 4
5 TCP/443 - ssl-https No xlate 3
6 TCP/21 - ftp No xlate 3
7 TCP/139 - netbios No xlate 3
-
Denied IP addresses - Top 30 for the 172.17.1.15 firewall: - Go to top
No Source IP Source Host Count Location Comments
1 83.157.142.37 dyn-83-157-142-37.ppp.tiscali.fr 12 external  
2 209.163.187.3 idsint.integrateddigitalsolutions.net 10 external  
3 209.161.230.194   9 external  
4 209.162.130.14 209-162-130-14.cortland.com 6 external  
5 216.209.93.71 hse-toronto-ppp119300.sympatico.ca 6 external  
6 209.139.2.21   6 external  
7 212.126.218.124 da7cc.unt0.etta.i-u.de 6 external  
8 203.146.193.136 r248-cmilf2.n.loxinfo.net.th 6 external  
9 69.19.18.104 dpc691918104.direcpc.com 6 external  
10 209.86.0.224 user-38lc070.dialup.mindspring.com 6 external  
11 63.90.3.55   6 external  
12 208.186.151.157 208-186-151-157.nrp3.brv.mn.frontiernet.net 6 external  
13 64.164.53.2   6 external  
14 209.161.171.38 chev3640-modem-4.unicom-alaska.com 6 external  
15 24.93.30.147 roc-24-93-30-147.rochester.rr.com 6 external  
16 81.33.7.251 251.Red-81-33-7.pooles.rima-tde.net 6 external  
17 65.69.126.157 adsl-65-69-126-157.dsl.tulsok.swbell.net 6 external  
18 172.142.34.19 ac8e2213.ipt.aol.com 6 external  
19 217.34.66.13 host217-34-66-13.in-addr.btopenworld.com 5 external  
20 217.225.237.141 pD9E1ED8D.dip.t-dialin.net 5 external  
21 80.191.170.150   4 external  
22 218.70.60.5   4 external  
23 149.169.140.155 thehawser.dhcp.asu.edu 4 external  
24 217.46.185.185 host217-46-185-185.in-addr.btopenworld.com 4 external  
25 80.142.225.88 p508EE158.dip.t-dialin.net 4 external  
26 82.83.145.5 dsl-082-083-145-005.arcor-ip.net 4 external  
27 218.144.184.36   3 external  
28 209.115.243.152 dsl-abby-209-115-243-152-cgy.nucleus.com 2 external  
29 62.42.120.141 CZ1-RAS-9-u-0140.du.onolab.com 2 external  
30 24.93.170.161 a1-2a161.neo.rr.com 2 external  
-
Targeted IP addresses (by denied connections) - Top 30 for the 172.17.1.15 firewall: - Go to top
No Destination IP Destination Host Count Comments
1 209.161.200.227 mx1.altairtech.ca 183  
2 209.161.200.230   91  
3 209.161.200.228 mx2.altairtech.ca 90  
4 69.6.57.7   2  
-
-
VPN Events - Top 50 for the 172.17.1.15 firewall: - Go to top
No Operation Source IP Source host Destination IP Destination host Count Comments
1 Tunnel deleted     209.161.200.226 mail.altairtech.ca Used protocol number 50 - SA parameters: esp-des esp-md5-hmac  
2 Tunnel established     209.161.200.226 mail.altairtech.ca Using protocol number 50 - SA parameters: esp-des esp-md5-hmac 
3 Tunnel established     209.161.200.235   Using protocol number 50 - SA parameters: esp-des esp-md5-hmac 
4 User authentication initiated     -   User jmoore 
5 Tunnel terminated 209.161.200.226 mail.altairtech.ca 209.161.200.235   Reason: Lifetime expired 
6 Tunnel deleted     209.161.200.235   Used protocol number 50 - SA parameters: esp-des esp-md5-hmac  
7 Authentication success 209.161.200.235   0.0.0.0   User jmoore via IKE-XAUTH 
-
IDS Events - Top 50 for the 172.17.1.15 firewall: - Go to top
No Source IP Source host Destination IP Destination host Interface IDS Event Count Comments
1 64.53.150.209 d53-64-209-150.nap.wideopenwest.com 192.168.1.1 dmzbastion.acme.local outside  ICMP redirect (IDS signature: 2003) Scanned the firewall on March 2 
2 64.53.150.209 d53-64-209-150.nap.wideopenwest.com 192.168.1.1 dmzbastion.acme.local outside  UDP Snork attack (IDS signature: 4051) Scanned the firewall on March 2 
-
Firewall management - Top 50 for the 172.17.1.15 firewall: - Go to top
No Client IP Client host Protocol Count Operation Comments
1 172.17.1.102 dell3943.acme.local Terminal 7 Listed configuration  
2 172.17.1.102 dell3943.acme.local Telnet 6 Successful login  
3 172.17.1.102 dell3943.acme.local Console 2 Finished configuration - OK  
4 172.17.1.102 dell3943.acme.local Console 2 Saved configuration to memory  
5 console   Terminal 1 Listed configuration  
6 172.17.1.102 dell3943.acme.local SSH 1 Failed login (3 attempts) on interface inside by user "" 
7 172.17.1.102 dell3943.acme.local SSH 1 Failed login (3 attempts) on interface inside by user "telnet" 

* * *

-
None
-
No Term Explanation
1 Addresses generating denial messages IP addresses that caused the firewall to generate a deny message (see "Denial messages"). It helps in identifying potential intruders or abusers.
2 Bytes in / Bytes out Cisco labels traffic "in" or "out" according to how the connection was initiated, not according to which side sent the bytes. If an HTTP connection is initiated by an internal IP address (typical web browsing), all the traffic on that connection is labeled "out", even though most of the bytes actually come from the web server.
3 Denial messages Messages recorded by the firewall when a connection is denied. A connection can be denied because no access list permits the protocol or the source/destination IPs, or because the packet is not valid for the firewall's current state (for example, an inbound packet that matches no translation slot, reported as "No xlate" in the tables above).
4 Denied protocols Protocols used in various deny messages recorded by the firewall (see "Denial messages")
5 Message types distribution Offers a quick overview of the type of messages found in the analyzed logs. An example of each type of message is given.
6 Severity level Cisco PIX messages category based on their criticality for the functionality of the firewall and their security implications.
7 Internal IP addresses Hosts considered "internal" by the PIX firewall.
8 Unknown traffic When a connection is built, the firewall assigns it a connection ID and labels it "inbound" or "outbound". When the connection is torn down, the firewall records the number of bytes transferred, but the direction of that traffic can only be recovered by matching the teardown message to the build message with the same connection ID. If the build message is missing from the log, no match is possible and the direction cannot be established. This typically happens when a connection is initiated shortly before midnight and terminated after it, so that the two messages lie in two different daily logs.
-
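The glossary entries for "Bytes in / Bytes out", "Denial messages" and "Unknown traffic" describe how FireGen derives the traffic and denial tables from raw PIX syslog. The script below is an added example written for this page, not FireGen's own code and not taken from the analyzed log: it matches teardown messages to build messages by connection ID, attributes the bytes to the direction in which the connection was initiated, books bytes whose build message is absent as "unknown", and counts "No xlate" denials per source/destination/service. The message layouts assumed for 302013, 302014 and 106011 follow the PIX 6.x syslog conventions, and the sample lines (addresses, ports, byte counts and connection IDs) are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the PIX 6.x syslog style (302013 build, 302014
# teardown, 106011 deny). They are illustrative, not from the analyzed log.
# Connection 17 has a teardown but no build message in this day's log, the
# midnight-straddle case the glossary describes.
SAMPLE_LOG = """\
Mar 11 00:00:12 %PIX-6-302014: Teardown TCP connection 17 for outside:203.0.113.9/443 to inside:172.17.1.102/1033 duration 0:03:10 bytes 47416 TCP FINs
Mar 11 09:15:01 %PIX-6-302013: Built outbound TCP connection 41 for outside:65.54.194.117/80 (65.54.194.117/80) to inside:172.17.1.70/1045 (209.161.200.226/1045)
Mar 11 09:15:03 %PIX-6-302014: Teardown TCP connection 41 for outside:65.54.194.117/80 to inside:172.17.1.70/1045 duration 0:00:02 bytes 18342 TCP FINs
Mar 11 09:16:10 %PIX-6-302013: Built inbound TCP connection 42 for outside:198.51.100.7/3321 (198.51.100.7/3321) to inside:172.17.1.40/25 (209.161.200.227/25)
Mar 11 09:16:40 %PIX-6-302014: Teardown TCP connection 42 for outside:198.51.100.7/3321 to inside:172.17.1.40/25 duration 0:00:30 bytes 2210 TCP FINs
Mar 11 09:20:05 %PIX-3-106011: Deny inbound (No xlate) tcp src outside:83.157.142.37/2301 dst outside:209.161.200.227/135
Mar 11 09:20:06 %PIX-3-106011: Deny inbound (No xlate) tcp src outside:83.157.142.37/2302 dst outside:209.161.200.227/135
Mar 11 09:21:00 %PIX-3-106011: Deny inbound (No xlate) udp src outside:61.221.171.82/3273 dst outside:209.161.200.230/1434
"""

# Assumed PIX 6.x message layouts; adjust if your syslog format differs.
BUILT = re.compile(
    r"302013: Built (inbound|outbound) TCP connection (\d+) for "
    r"\w+:[\d.]+/\d+ \([\d.]+/\d+\) to \w+:[\d.]+/\d+"
)
TEARDOWN = re.compile(
    r"302014: Teardown TCP connection (\d+) for \w+:[\d.]+/\d+ to \w+:[\d.]+/\d+ "
    r"duration [\d:]+ bytes (\d+)"
)
DENY = re.compile(
    r"106011: Deny inbound \(No xlate\) (\w+) src \w+:([\d.]+)/\d+ dst \w+:([\d.]+)/(\d+)"
)


def analyze(log_text):
    """Return (bytes by direction, deny counts keyed by (src, dst, proto/port))."""
    direction = {}                                   # conn id -> inbound/outbound
    totals = {"inbound": 0, "outbound": 0, "unknown": 0}
    denials = defaultdict(int)
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            direction[m.group(2)] = m.group(1)       # remember how it was initiated
            continue
        m = TEARDOWN.search(line)
        if m:
            cid, nbytes = m.group(1), int(m.group(2))
            # Bytes are attributed by connection direction, never by which side
            # sent them; with no build message to match, the direction is unknown.
            totals[direction.pop(cid, "unknown")] += nbytes
            continue
        m = DENY.search(line)
        if m:
            proto, src, dst, dport = m.groups()
            denials[(src, dst, f"{proto.upper()}/{dport}")] += 1
    return totals, dict(denials)


def top_denied_sources(denials):
    """Collapse per-(src, dst, service) counts into a ranked per-source list."""
    per_src = defaultdict(int)
    for (src, _dst, _svc), n in denials.items():
        per_src[src] += n
    return sorted(per_src.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    totals, denials = analyze(SAMPLE_LOG)
    print("bytes by direction:", totals)
    for (src, dst, svc), n in sorted(denials.items(), key=lambda kv: -kv[1]):
        print(f"denied {src} -> {dst} {svc}: {n}")
    print("top denied sources:", top_denied_sources(denials))
```

Run against a full day's log, the "unknown" bucket is exactly the bytes the hourly tables report under "Bytes Unknown"; feeding the previous day's log through the same `direction` map first would let those teardowns be matched. Only TCP build/teardown messages are handled here; UDP uses different message IDs on the PIX and would need their own patterns.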
Report generated on 05/03/04 13:46:51
Analysis duration: 8 seconds
Log lines analyzed: 10,784
Kb log analyzed: 1,889.86
Analysis speed: 1,348 lines/second
Analysis speed: 236 kb/second
Hosts in DNS cache: 6,180
DNS resolution took 0 seconds.