FireGen for Pix Log Analysis Report

Altair Technologies - "sample" firewall log analysis for the period
Thu Mar 11 00:00:00 2004 to Thu Mar 11 23:59:59 2004

Firewall       First message        Last message
172.17.1.15    03/11/04 00:00:31    03/11/04 18:01:05

-
Research links:
-
Keywords:
Keywords to include    Not configured
Keywords to exclude    6-106015
-
Analyzed logs:
Analyzed log(s)                                    Log size (KB)    Log entries    Log type
C:\Docs\Projects\Pix\2.0\syslog-2004-03-11.log     1,889.86         10,784         WinSyslog with PIX time stamp
-
Level Severity Description Total
1 Alert Immediate action needed 0
2 Critical Critical condition 1
3 Error Error condition 365
4 Warning Warning condition 4
5 Notification Normal but significant condition 754
6 Informational Informational message only 9,409
7 Debugging Appears during debugging only 1
    Total 10,534
-
No Code Total Example
1 2-106017 1 Deny IP due to Land Attack from 64.53.150.209 to 209.161.200.227
2 3-106011 363 Deny inbound (No xlate) udp src outside:61.221.171.82/3273 dst outside:209.161.200.230/1434
3 3-315004 2 Fail to establish SSH session because PIX RSA host key retrieval failed.
4 4-106023 2 Deny tcp src inside:172.17.1.102/4177 dst outside:69.6.57.7/80 by access-group "acl_inbound"
5 4-400013 1 IDS:2003 ICMP redirect from 64.53.150.209 to 192.168.1.1 on interface outside
6 4-400032 1 IDS:4051 UDP Snork attack from 64.53.150.209 to 192.168.1.1 on interface outside
7 5-111001 2 Begin configuration: 172.17.1.102 writing to memory
8 5-111004 2 172.17.1.102 end configuration: OK
9 5-111005 2 console end configuration: OK
10 5-111007 8 Begin configuration: console reading from terminal
11 5-304001 740 172.17.1.70 Accessed URL 65.54.194.117:/ADSAdClient31.dll?GetAd?PG=NBCHIA?AP=?TF=_blank
12 6-109005 1 Authentication succeeded for user 'jmoore' from 209.161.200.235/0 to 0.0.0.0/0 on interface IKE-XAUTH
13 6-109011 1 Authen Session Start: user 'jmoore', sid 3
14 6-302001 1,645 Built outbound TCP connection 364050 for faddr 65.54.194.117/80 gaddr 209.161.200.226/42445 laddr 172.17.1.70/2722
15 6-302002 1,646 Teardown TCP connection 364041 faddr 64.14.131.71/80 gaddr 209.161.200.226/42439 laddr 172.17.1.70/2711 duration 0:00:51 bytes 6842 (TCP Reset-I)
16 6-302005 1,194 Built UDP connection for faddr 207.136.100.40/7097 gaddr 209.161.200.226/37745 laddr 172.17.1.40/1035
17 6-302006 1,186 Teardown UDP connection for faddr 207.136.100.40/7097 gaddr 209.161.200.226/37745 laddr 172.17.1.40/1035
18 6-302010 107 6 in use, 114 most used
19 6-303002 39 172.17.1.102 Retrieved 205.227.137.57:delta.ini
20 6-305001 1,792 Portmapped translation built for gaddr 209.161.200.226/42447 laddr 172.17.1.70/2731
21 6-305004 1,779 Teardown portmap translation for global 209.161.200.226/42445 local 172.17.1.70/2722
22 6-307002 6 Permitted Telnet login session from 172.17.1.102
23 6-315002 1 Permitted SSH session from 172.17.1.102 on interface inside for user "pix"
24 6-315003 2 SSH login session failed from 172.17.1.102 (3 attempts) on interface inside by user ""
25 6-315011 5 SSH session from 172.17.1.102 on interface inside for user "pix" terminated normally
26 6-602301 2 sa created, (sa) sa_dest= 209.161.200.235, sa_prot= 50, sa_spi= 0xa6afc495(2796536981), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 9
27 6-602302 3 deleting SA, (sa) sa_dest= 209.161.200.235, sa_prot= 50, sa_spi= 0x3de88ffc(1038651388), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2
28 7-702301 1 lifetime expiring, (sa) sa_dest= 209.161.200.226, sa_prot= 50, sa_spi= 0x21a09f69(564174697), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 1, (identity) local= 209.161.200.226, remote= 209.161.200.235, local_proxy
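As an added example, not part of the FireGen report or of the FireGen tool itself, the following Python script parses PIX syslog lines of the kind the two tables above summarize. It splits the `%PIX-<severity>-<message id>:` prefix, rebuilds the per-severity and per-code counts with the same 6-106015 keyword exclusion the report was run with, and flags the message types that appear above and warrant an analyst's attention (the land attack, the IDS signature messages, failed SSH logins, inbound denials to RPC/NetBIOS/SMB/MS-SQL ports, and configuration changes). The timestamp layout and the sample log lines are constructed for this example, modelled on the report's own entries; they are not lines from the analyzed log.

```python
import re
from collections import Counter

# Constructed sample log (not from the report) in the "syslog with PIX time stamp" layout
# assumed here: "Mon DD YYYY HH:MM:SS: %PIX-<severity>-<message id>: <text>".
SAMPLE_LOG = """\
Mar 11 2004 12:49:20: %PIX-2-106017: Deny IP due to Land Attack from 64.53.150.209 to 209.161.200.227
Mar 11 2004 08:32:08: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:83.157.142.37/3917 dst outside:209.161.200.227/135
Mar 11 2004 09:15:02: %PIX-3-106011: Deny inbound (No xlate) udp src outside:61.221.171.82/3273 dst outside:209.161.200.230/1434
Mar 11 2004 08:40:54: %PIX-3-106011: Deny inbound (No xlate) icmp src outside:209.161.230.194 dst outside:209.161.200.227 (type 8, code 0)
Mar 11 2004 13:34:36: %PIX-4-400013: IDS:2003 ICMP redirect from 64.53.150.209 to 192.168.1.1 on interface outside
Mar 11 2004 13:13:40: %PIX-4-400032: IDS:4051 UDP Snork attack from 64.53.150.209 to 192.168.1.1 on interface outside
Mar 11 2004 10:54:26: %PIX-5-111007: Begin configuration: 172.17.1.102 reading from terminal
Mar 11 2004 11:02:11: %PIX-6-315003: SSH login session failed from 172.17.1.102 (3 attempts) on interface inside by user ""
Mar 11 2004 11:02:40: %PIX-6-302001: Built outbound TCP connection 364050 for faddr 65.54.194.117/80 gaddr 209.161.200.226/42445 laddr 172.17.1.70/2722
Mar 11 2004 11:03:32: %PIX-6-106015: Deny TCP (no connection) from 209.161.230.194/80 to 209.161.200.226/42439 flags ACK on interface outside
this line is not a PIX message and is skipped
"""

SEVERITY_NAMES = {1: "Alert", 2: "Critical", 3: "Error", 4: "Warning",
                  5: "Notification", 6: "Informational", 7: "Debugging"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%PIX-(?P<sev>[0-7])-(?P<code>\d{6}): (?P<text>.*)$")
# src/dst part of 106011 / 106023 denials; icmp carries no port, so the ports are optional.
DENY_RE = re.compile(
    r"(?P<proto>tcp|udp|icmp) src (?P<sif>\w+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dif>\w+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?")

def parse_line(line):
    """Return a dict with ts, sev (int), code ('6-302001' style) and text, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "sev": int(m["sev"]),
            "code": f"{m['sev']}-{m['code']}", "text": m["text"]}

def summarize(log_text, exclude_codes=("6-106015",)):
    """Count messages per severity and per code, skipping the codes excluded by keyword."""
    by_sev, by_code = Counter(), Counter()
    excluded = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["code"] in exclude_codes:
            excluded += 1
            continue
        by_sev[rec["sev"]] += 1
        by_code[rec["code"]] += 1
    return by_sev, by_code, excluded

# Destination ports that dominate the report's severity-3 denials: RPC, NetBIOS, SMB, MS-SQL.
PROBE_PORTS = {"135", "139", "445", "1434"}

def flag(rec):
    """Return a short finding for messages an analyst should review, else None."""
    code, text = rec["code"], rec["text"]
    if code == "2-106017":
        return f"land attack (spoofed src == dst) at {rec['ts']}: {text}"
    if code.startswith("4-4000"):          # 4000xx: a built-in IDS signature fired
        return f"IDS signature at {rec['ts']}: {text}"
    if code == "6-315003":
        return f"failed SSH logins at {rec['ts']}: {text}"
    if code in ("3-106011", "4-106023"):
        m = DENY_RE.search(text)
        if m and m["dport"] in PROBE_PORTS:
            return (f"inbound probe {m['src']} -> {m['dst']}/{m['proto']}/{m['dport']} "
                    f"at {rec['ts']}")
    if code in ("5-111001", "5-111004", "5-111005", "5-111007"):
        return f"configuration change at {rec['ts']}: {text}"
    return None

def findings(log_text):
    """Run flag() over every parsable line and return the non-empty findings in log order."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            f = flag(rec)
            if f:
                out.append(f)
    return out

if __name__ == "__main__":
    by_sev, by_code, excluded = summarize(SAMPLE_LOG)
    for sev in sorted(by_sev):
        print(f"{sev} {SEVERITY_NAMES[sev]:<14} {by_sev[sev]}")
    print(f"excluded by keyword: {excluded}")
    for f in findings(SAMPLE_LOG):
        print("!", f)
```

Point `summarize()` and `findings()` at a real syslog file (`open(path).read()`) once the timestamp regex matches your collector's layout; the keyword exclusion is applied before counting, which is why excluded messages never appear in any severity bucket.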
-
Message details for the 172.17.1.15 firewall:
-
Severity level 1 (Alert) details for the 172.17.1.15 firewall:
No First Message Last Message Code Message Count
No messages with severity level 1 were recorded.

-
Severity level 2 (Critical) details for the 172.17.1.15 firewall:
No First Message Last Message Code Message Count
1 03/11/04 12:49:20 03/11/04 17:40:15 2-106017 Deny IP due to Land Attack from 64.53.150.209 to 209.161.200.227 1

-
Severity level 3 (Error) details for the 172.17.1.15 firewall:
No First Message Last Message Code Message Count
1 03/11/04 08:32:08 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) tcp src outside:83.157.142.37/nnnn dst outside:209.161.200.227/135 6
2 03/11/04 08:40:54 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) icmp src outside:209.161.230.194 dst outside:209.161.200.227 (type 8, code 0) 5
3 03/11/04 04:39:37 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) icmp src outside:209.163.187.3 dst outside:209.161.200.227 (type 8, code 0) 5
4 03/11/04 08:32:08 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) tcp src outside:83.157.142.37/nnnn dst outside:209.161.200.228/135 4
5 03/11/04 12:38:04 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) tcp src outside:209.162.130.14/nnnn dst outside:209.161.200.227/445 3
6 03/11/04 15:08:07 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) tcp src outside:172.142.34.19/nnnn dst outside:209.161.200.227/135 3
7 03/11/04 08:40:54 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) icmp src outside:209.161.230.194 dst outside:209.161.200.230 (type 8, code 0) 3
8 03/11/04 07:05:51 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) tcp src outside:65.69.126.157/nnnn dst outside:209.161.200.227/135 3
9 03/11/04 14:20:52 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) tcp src outside:209.86.0.224/nnnn dst outside:209.161.200.227/135 3
10 03/11/04 02:20:17 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) tcp src outside:209.161.171.38/nnnn dst outside:209.161.200.230/135 3
11 03/11/04 04:39:37 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) icmp src outside:209.163.187.3 dst outside:209.161.200.230 (type 8, code 0) 3
12 03/11/04 09:47:58 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) tcp src outside:203.146.193.136/nnnn dst outside:209.161.200.227/135 3
13 03/11/04 08:42:24 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) tcp src outside:212.126.218.124/nnnn dst outside:209.161.200.227/21 3
14 03/11/04 02:20:17 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) tcp src outside:209.161.171.38/nnnn dst outside:209.161.200.227/135 3
15 03/11/04 08:27:52 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) tcp src outside:81.33.7.251/nnnn dst outside:209.161.200.227/135 3
16 03/11/04 13:10:35 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) tcp src outside:69.19.18.104/nnnn dst outside:209.161.200.227/135 3
17 03/11/04 05:27:21 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) tcp src outside:63.90.3.55/nnnn dst outside:209.161.200.227/135 3
18 03/11/04 06:54:16 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) tcp src outside:64.164.53.2/nnnn dst outside:209.161.200.227/135 3
19 03/11/04 05:21:14 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) tcp src outside:209.139.2.21/nnnn dst outside:209.161.200.227/135 3
20 03/11/04 01:10:51 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) tcp src outside:216.209.93.71/nnnn dst outside:209.161.200.227/135 3
21 03/11/04 03:01:31 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) tcp src outside:24.93.30.147/nnnn dst outside:209.161.200.227/135 3
22 03/11/04 15:58:02 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) tcp src outside:217.34.66.13/nnnn dst outside:209.161.200.228/139 3
23 03/11/04 07:44:02 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) tcp src outside:218.144.184.36/nnnn dst outside:209.161.200.228/445 3
24 03/11/04 02:20:23 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) tcp src outside:208.186.151.157/nnnn dst outside:209.161.200.227/443 3
25 03/11/04 07:06:12 03/11/04 17:40:15 3-106011 Deny inbound (No xlate) tcp src outside:65.69.126.157/nnnn dst outside:209.161.200.227/445 3
There were more messages to be reported but the listing is limited to 25!!!

-
Severity level 4 (Warning) details for the 172.17.1.15 firewall:
No First Message Last Message Code Message Count
1 03/11/04 13:47:40 03/11/04 17:40:15 4-106023 Deny tcp src inside:172.17.1.102/nnnn dst outside:69.6.57.7/80 by access-group "acl_inbound" 2
2 03/11/04 13:34:36 03/11/04 17:40:15 4-400013 IDS:2003 ICMP redirect from 64.53.150.209 to 192.168.1.1 on interface outside 1
3 03/11/04 13:13:40 03/11/04 17:40:15 4-400032 IDS:4051 UDP Snork attack from 64.53.150.209 to 192.168.1.1 on interface outside 1

-
Severity level 5 (Notification) details for the 172.17.1.15 firewall:
No First Message Last Message Code Message Count
1 03/11/04 11:26:46 03/11/04 17:40:15 5-304001 172.17.1.102 Accessed URL 64.235.234.140:/ac/acmelogo.jpg 13
2 03/11/04 10:41:15 03/11/04 17:40:15 5-304001 172.17.1.102 Accessed URL 66.163.175.128:/feed/pg4?s=quotes 10
3 03/11/04 10:54:26 03/11/04 17:40:15 5-111007 Begin configuration: 172.17.1.102 reading from terminal 7
4 03/11/04 13:34:42 03/11/04 17:40:15 5-304001 172.17.1.102 Accessed URL 69.28.159.140:/mm_cdn/01068ABAASAAAAAsDq0mG.Pth3YbANncOnzAvOaXPiWXbxImylXyL5JzhApAtK6k27bxNA6FFoVAkCsUvcLKYtO7ilT2u_.DAhmtra1IxvQ--/album_image/amg/drd400/d485/d48583l9l32.jpg 6
5 03/11/04 13:34:36 03/11/04 17:40:15 5-304001 172.17.1.102 Accessed URL 63.236.14.37:/nova/images/small-play-button.gif 4
6 03/11/04 17:46:56 03/11/04 17:40:15 5-304001 172.17.1.70 Accessed URL 63.146.96.171:/wst/images/2314369.JPG 3
7 03/11/04 13:34:09 03/11/04 17:40:15 5-304001 172.17.1.102 Accessed URL 63.236.14.26:/mmjb/check.cgi 3
8 03/11/04 17:52:38 03/11/04 17:40:15 5-304001 172.17.1.70 Accessed URL 63.215.124.60:/i/msnbc/Components/Art/SITEWIDE/Marquee/bn_marquee2.gif 3
9 03/11/04 10:55:47 03/11/04 17:40:15 5-111005 172.17.1.102 end configuration: OK 3
10 03/11/04 10:47:05 03/11/04 17:40:15 5-304001 172.17.1.102 Accessed URL 64.236.16.246:/ 3
11 03/11/04 17:46:56 03/11/04 17:40:15 5-304001 172.17.1.70 Accessed URL 63.146.96.171:/wst/images/2402631.JPG 3
12 03/11/04 10:47:05 03/11/04 17:40:15 5-304001 172.17.1.102 Accessed URL 64.236.24.28:/ 3
13 03/11/04 17:47:10 03/11/04 17:40:15 5-304001 172.17.1.70 Accessed URL 65.18.223.30:/images/citysites-cp-nytimes.jpg 3
14 03/11/04 17:31:39 03/11/04 17:40:15 5-304001 172.17.1.70 Accessed URL 212.58.240.131:/nol/shared/img/branded_puffs/line_prog.gif 2
15 03/11/04 12:47:04 03/11/04 17:40:15 5-304001 172.17.1.102 Accessed URL 64.233.161.104:/ 2
16 03/11/04 17:57:25 03/11/04 17:40:15 5-304001 172.17.1.70 Accessed URL 207.46.245.33:/css/html40.css 2
17 03/11/04 17:06:39 03/11/04 17:40:15 5-304001 172.17.1.70 Accessed URL 212.58.240.38:/media/images/39876000/jpg/_39876654_apbahrain300.jpg 2
18 03/11/04 14:43:44 03/11/04 17:40:15 5-304001 172.17.1.102 Accessed URL 63.236.14.21:/mmjb/ev/mx?EVENT=MXTrackDone&VER=8%2E20%2E0107MMD&OS=WinXPSP1&MMUID=957308CF%2DD475%2D4261%2DAC46%2D21A5D52566AD&SEQ=1&TRACKPOS=5&STATION%5FID=artistMatch%253a300%253a%253a 2
19 03/11/04 17:34:04 03/11/04 17:40:15 5-304001 172.17.1.70 Accessed URL 206.112.74.4:/images/pixel.gif 2
20 03/11/04 17:18:27 03/11/04 17:40:15 5-304001 172.17.1.70 Accessed URL 216.239.41.104:/pagead/show_ads.js 2
21 03/11/04 11:37:41 03/11/04 17:40:15 5-304001 172.17.1.102 Accessed URL 207.46.248.244:/library/images/support/emailicon.gif 2
22 03/11/04 17:31:40 03/11/04 17:40:15 5-304001 172.17.1.70 Accessed URL 212.58.240.131:/media/images/39870000/jpg/_39870384_obese_66.jpg 2
23 03/11/04 17:37:05 03/11/04 17:40:15 5-304001 172.17.1.70 Accessed URL 207.61.132.8:/images/2004/03/11/international/040312_web_MADRIDmap.gif 2
24 03/11/04 17:47:08 03/11/04 17:40:15 5-304001 172.17.1.70 Accessed URL 209.11.106.40:/sales/listingJS.asp 2
25 03/11/04 17:37:04 03/11/04 17:40:15 5-304001 172.17.1.70 Accessed URL 207.61.132.8:/images/2004/03/11/international/11cnd-blast.10.184.jpg 2
There were more messages to be reported but the listing is limited to 25!!!

-
Severity level 6 (Informational) details for the 172.17.1.15 firewall:
No First Message Last Message Code Message Count
1 03/11/04 12:22:56 03/11/04 17:40:15 6-305001 Portmapped translation built for gaddr 209.161.200.226/nnnn laddr 172.17.1.102/nnnn 636
2 03/11/04 12:23:41 03/11/04 17:40:15 6-305004 Teardown portmap translation for global 209.161.200.226/nnnn local 172.17.1.102/nnnn 612
3 03/11/04 00:20:07 03/11/04 17:40:15 6-302006 Teardown UDP connection for faddr 207.136.100.40/nnnn gaddr 209.161.200.226/nnnn laddr 172.17.1.40/nnnn 337
4 03/11/04 00:19:51 03/11/04 17:40:15 6-302005 Built UDP connection for faddr 207.136.100.40/nnnn gaddr 209.161.200.226/nnnn laddr 172.17.1.40/nnnn 337
5 03/11/04 12:24:01 03/11/04 17:40:15 6-302005 Built UDP connection for faddr 207.136.100.40/nnnn gaddr 209.161.200.226/nnnn laddr 172.17.1.40/nnnn 282
6 03/11/04 12:24:12 03/11/04 17:40:15 6-302006 Teardown UDP connection for faddr 207.136.100.40/nnnn gaddr 209.161.200.226/nnnn laddr 172.17.1.40/nnnn 271
7 03/11/04 10:39:42 03/11/04 17:40:15 6-305001 Portmapped translation built for gaddr 209.161.200.226/nnnn laddr 172.17.1.102/nnnn 209
8 03/11/04 10:42:07 03/11/04 17:40:15 6-305004 Teardown portmap translation for global 209.161.200.226/nnnn local 172.17.1.102/nnnn 206
9 03/11/04 16:42:25 03/11/04 17:40:15 6-305001 Portmapped translation built for gaddr 209.161.200.226/nnnn laddr 172.17.1.70/nnnn 204
10 03/11/04 16:43:09 03/11/04 17:40:15 6-305004 Teardown portmap translation for global 209.161.200.226/nnnn local 172.17.1.70/nnnn 193
11 03/11/04 17:39:58 03/11/04 17:40:15 6-305004 Teardown portmap translation for global 209.161.200.226/nnnn local 172.17.1.70/nnnn 190
12 03/11/04 17:39:27 03/11/04 17:40:15 6-305001 Portmapped translation built for gaddr 209.161.200.226/nnnn laddr 172.17.1.70/nnnn 183
13 03/11/04 00:09:04 03/11/04 17:40:15 6-305004 Teardown portmap translation for global 209.161.200.226/nnnn local 172.17.1.40/nnnn 135
14 03/11/04 00:06:39 03/11/04 17:40:15 6-305001 Portmapped translation built for gaddr 209.161.200.226/nnnn laddr 172.17.1.40/nnnn 135
15 03/11/04 17:39:28 03/11/04 17:40:15 6-302006 Teardown UDP connection for faddr 207.136.100.40/nnnn gaddr 209.161.200.226/nnnn laddr 172.17.1.40/nnnn 88
16 03/11/04 17:39:28 03/11/04 17:40:15 6-302005 Built UDP connection for faddr 207.136.100.40/nnnn gaddr 209.161.200.226/nnnn laddr 172.17.1.40/nnnn 85
17 03/11/04 12:24:01 03/11/04 17:40:15 6-305001 Portmapped translation built for gaddr 209.161.200.226/nnnn laddr 172.17.1.40/nnnn 75
18 03/11/04 12:24:42 03/11/04 17:40:15 6-305004 Teardown portmap translation for global 209.161.200.226/nnnn local 172.17.1.40/nnnn 74
19 03/11/04 00:09:04 03/11/04 17:40:15 6-302006 Teardown UDP connection for faddr 209.161.200.227/514 gaddr 209.161.200.226/nnnn laddr 172.17.1.10/nnnn 71
20 03/11/04 00:09:04 03/11/04 17:40:15 6-305004 Teardown portmap translation for global 209.161.200.226/nnnn local 172.17.1.10/nnnn 71
21 03/11/04 00:06:47 03/11/04 17:40:15 6-302005 Built UDP connection for faddr 209.161.200.227/514 gaddr 209.161.200.226/nnnn laddr 172.17.1.10/nnnn 71
22 03/11/04 00:06:47 03/11/04 17:40:15 6-305001 Portmapped translation built for gaddr 209.161.200.226/nnnn laddr 172.17.1.10/nnnn 71
23 03/11/04 16:58:40 03/11/04 17:40:15 6-302001 Built outbound TCP connection nnnnn for faddr 212.58.240.142/80 gaddr 209.161.200.226/nnnn laddr 172.17.1.70/nnnn 64
24 03/11/04 16:58:41 03/11/04 17:40:15 6-302002 Teardown TCP connection nnnnn faddr 212.58.240.142/80 gaddr 209.161.200.226/nnnn laddr 172.17.1.70/nnnn duration 0:00:01 bytes nnnnn (TCP FINs) 62
25 03/11/04 17:39:28 03/11/04 17:40:15 6-305004 Teardown portmap translation for global 209.161.200.226/nnnn local 172.17.1.102/nnnn 59
There were more messages to be reported but the listing is limited to 25!!!

-
Severity level 7 (Debugging) details for the 172.17.1.15 firewall:
No First Message Last Message Code Message Count
1 03/11/04 13:50:41 03/11/04 17:40:15 7-702301 lifetime expiring, (sa) sa_dest= 209.161.200.226, sa_prot= 50, sa_spi= 0x21a09f69(564174697), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 1, (identity) local= 209.161.200.226, remote= 209.161.200.235, local_proxy 1

-
Web traffic (HTTP/HTTPS) - Top 50 internal users (outbound connections) for the 172.17.1.15 firewall:
No Source IP Source Host Destination IP Destination Host Connections Comments
1 172.17.1.102 dell3943.acme.local 65.54.244.253 hotmail.com 85  
2 172.17.1.70 dell4323.acme.local 212.58.240.142 www.bbc.co.uk 64  
3 172.17.1.102 dell3943.acme.local 64.4.241.32 paypal.com 55 HTTPS 
4 172.17.1.102 dell3943.acme.local 63.236.14.21 musicmatch.com 42  
5 172.17.1.102 dell3943.acme.local 208.223.219.206 www.charter.com 37  
6 172.17.1.102 dell3943.acme.local 216.220.63.73 moneris.com 34 HTTPS 
7 172.17.1.102 dell3943.acme.local 69.28.154.140 limelightnetworks.com 29  
8 172.17.1.70 dell4323.acme.local 212.58.240.131 www.bbc.co.uk 29  
9 172.17.1.70 dell4323.acme.local 212.58.240.38 www.bbc.co.uk 25  
10 172.17.1.102 dell3943.acme.local 63.236.14.37 musicmatch.com 24  
11 172.17.1.102 dell3943.acme.local 64.4.60.7 dav.bay0.hotmail.com 23  
12 172.17.1.102 dell3943.acme.local 212.58.240.144 www.bbc.co.uk 23  
13 172.17.1.70 dell4323.acme.local 62.189.244.254   22  
14 172.17.1.70 dell4323.acme.local 207.61.132.8   19  
15 172.17.1.70 dell4323.acme.local 199.246.67.114 www.globeandmail.com 16  
16 172.17.1.102 dell3943.acme.local 65.54.229.253 hotmail.com 15  
17 172.17.1.102 dell3943.acme.local 207.69.130.52 webmail.atl.earthlink.net 15 HTTPS 
18 172.17.1.70 dell4323.acme.local 199.246.67.210 www.globeandmail.com 14  
19 172.17.1.102 dell3943.acme.local 207.46.248.244 support.microsoft.com 13  
20 172.17.1.102 dell3943.acme.local 64.235.234.140 europa.lunarpages.com 13  
21 172.17.1.70 dell4323.acme.local 199.239.137.245   11  
22 172.17.1.102 dell3943.acme.local 216.239.37.99   10  
23 172.17.1.102 dell3943.acme.local 66.163.175.128 data1.my.vip.sc5.yahoo.com 10  
24 172.17.1.70