Altair Technologies - "sample" firewall log analysis for the period
Thu Mar 11 00:00:00 2004 to Thu Mar 11 23:59:59 2004
| Firewall | 172.17.1.15 |
| Sections | Summary, Message types, Message Details, Protocols, Traffic, Denials, VPN/IDS/Management |
| First message | 03/11/04 00:00:31 |
| Last message | 03/11/04 18:01:05 |
| Keywords to include | Not configured |
| Keywords to exclude | 6-106015 |
| Analyzed log(s) | Log size (kb) | Log entries | Log type |
| C:\Docs\Projects\Pix\2.0\syslog-2004-03-11.log | 1,889.86 | 10,784 | WinSyslog with PIX time stamp |
| Level | Severity | Description | Total |
| 1 | Alert | Immediate action needed | 0 |
| 2 | Critical | Critical condition | 1 |
| 3 | Error | Error condition | 365 |
| 4 | Warning | Warning condition | 4 |
| 5 | Notification | Normal but significant condition | 754 |
| 6 | Informational | Informational message only | 9,409 |
| 7 | Debugging | Appears during debugging only | 1 |
| Total | 10,534 |
| No | Code | Total | Example |
| 1 | 2-106017 | 1 | Deny IP due to Land Attack from 64.53.150.209 to 209.161.200.227 |
| 2 | 3-106011 | 363 | Deny inbound (No xlate) udp src outside:61.221.171.82/3273 dst outside:209.161.200.230/1434 |
| 3 | 3-315004 | 2 | Fail to establish SSH session because PIX RSA host key retrieval failed. |
| 4 | 4-106023 | 2 | Deny tcp src inside:172.17.1.102/4177 dst outside:69.6.57.7/80 by access-group "acl_inbound" |
| 5 | 4-400013 | 1 | IDS:2003 ICMP redirect from 64.53.150.209 to 192.168.1.1 on interface outside |
| 6 | 4-400032 | 1 | IDS:4051 UDP Snork attack from 64.53.150.209 to 192.168.1.1 on interface outside |
| 7 | 5-111001 | 2 | Begin configuration: 172.17.1.102 writing to memory |
| 8 | 5-111004 | 2 | 172.17.1.102 end configuration: OK |
| 9 | 5-111005 | 2 | console end configuration: OK |
| 10 | 5-111007 | 8 | Begin configuration: console reading from terminal |
| 11 | 5-304001 | 740 | 172.17.1.70 Accessed URL 65.54.194.117:/ADSAdClient31.dll?GetAd?PG=NBCHIA?AP=?TF=_blank |
| 12 | 6-109005 | 1 | Authentication succeeded for user 'jmoore' from 209.161.200.235/0 to 0.0.0.0/0 on interface IKE-XAUTH |
| 13 | 6-109011 | 1 | Authen Session Start: user 'jmoore', sid 3 |
| 14 | 6-302001 | 1,645 | Built outbound TCP connection 364050 for faddr 65.54.194.117/80 gaddr 209.161.200.226/42445 laddr 172.17.1.70/2722 |
| 15 | 6-302002 | 1,646 | Teardown TCP connection 364041 faddr 64.14.131.71/80 gaddr 209.161.200.226/42439 laddr 172.17.1.70/2711 duration 0:00:51 bytes 6842 (TCP Reset-I) |
| 16 | 6-302005 | 1,194 | Built UDP connection for faddr 207.136.100.40/7097 gaddr 209.161.200.226/37745 laddr 172.17.1.40/1035 |
| 17 | 6-302006 | 1,186 | Teardown UDP connection for faddr 207.136.100.40/7097 gaddr 209.161.200.226/37745 laddr 172.17.1.40/1035 |
| 18 | 6-302010 | 107 | 6 in use, 114 most used |
| 19 | 6-303002 | 39 | 172.17.1.102 Retrieved 205.227.137.57:delta.ini |
| 20 | 6-305001 | 1,792 | Portmapped translation built for gaddr 209.161.200.226/42447 laddr 172.17.1.70/2731 |
| 21 | 6-305004 | 1,779 | Teardown portmap translation for global 209.161.200.226/42445 local 172.17.1.70/2722 |
| 22 | 6-307002 | 6 | Permitted Telnet login session from 172.17.1.102 |
| 23 | 6-315002 | 1 | Permitted SSH session from 172.17.1.102 on interface inside for user "pix" |
| 24 | 6-315003 | 2 | SSH login session failed from 172.17.1.102 (3 attempts) on interface inside by user "" |
| 25 | 6-315011 | 5 | SSH session from 172.17.1.102 on interface inside for user "pix" terminated normally |
| 26 | 6-602301 | 2 | sa created, (sa) sa_dest= 209.161.200.235, sa_prot= 50, sa_spi= 0xa6afc495(2796536981), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 9 |
| 27 | 6-602302 | 3 | deleting SA, (sa) sa_dest= 209.161.200.235, sa_prot= 50, sa_spi= 0x3de88ffc(1038651388), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2 |
| 28 | 7-702301 | 1 | lifetime expiring, (sa) sa_dest= 209.161.200.226, sa_prot= 50, sa_spi= 0x21a09f69(564174697), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 1, (identity) local= 209.161.200.226, remote= 209.161.200.235, local_proxy |
| No | First Message | Last Message | Code | Message | Count |
| No messages with severity level 1 were recorded. | |||||
| No | First Message | Last Message | Code | Message | Count |
| 1 | 03/11/04 12:49:20 | 03/11/04 17:40:15 | 2-106017 | Deny IP due to Land Attack from 64.53.150.209 to 209.161.200.227 | 1 |
| No | First Message | Last Message | Code | Message | Count |
| 1 | 03/11/04 08:32:08 | 03/11/04 17:40:15 | 3-106011 | Deny inbound (No xlate) tcp src outside:83.157.142.37/nnnn dst outside:209.161.200.227/135 | 6 |
| 2 | 03/11/04 08:40:54 | 03/11/04 17:40:15 | 3-106011 | Deny inbound (No xlate) icmp src outside:209.161.230.194 dst outside:209.161.200.227 (type 8, code 0) | 5 |
| 3 | 03/11/04 04:39:37 | 03/11/04 17:40:15 | 3-106011 | Deny inbound (No xlate) icmp src outside:209.163.187.3 dst outside:209.161.200.227 (type 8, code 0) | 5 |
| 4 | 03/11/04 08:32:08 | 03/11/04 17:40:15 | 3-106011 | Deny inbound (No xlate) tcp src outside:83.157.142.37/nnnn dst outside:209.161.200.228/135 | 4 |
| 5 | 03/11/04 12:38:04 | 03/11/04 17:40:15 | 3-106011 | Deny inbound (No xlate) tcp src outside:209.162.130.14/nnnn dst outside:209.161.200.227/445 | 3 |
| 6 | 03/11/04 15:08:07 | 03/11/04 17:40:15 | 3-106011 | Deny inbound (No xlate) tcp src outside:172.142.34.19/nnnn dst outside:209.161.200.227/135 | 3 |
| 7 | 03/11/04 08:40:54 | 03/11/04 17:40:15 | 3-106011 | Deny inbound (No xlate) icmp src outside:209.161.230.194 dst outside:209.161.200.230 (type 8, code 0) | 3 |
| 8 | 03/11/04 07:05:51 | 03/11/04 17:40:15 | 3-106011 | Deny inbound (No xlate) tcp src outside:65.69.126.157/nnnn dst outside:209.161.200.227/135 | 3 |
| 9 | 03/11/04 14:20:52 | 03/11/04 17:40:15 | 3-106011 | Deny inbound (No xlate) tcp src outside:209.86.0.224/nnnn dst outside:209.161.200.227/135 | 3 |
| 10 | 03/11/04 02:20:17 | 03/11/04 17:40:15 | 3-106011 | Deny inbound (No xlate) tcp src outside:209.161.171.38/nnnn dst outside:209.161.200.230/135 | 3 |
| 11 | 03/11/04 04:39:37 | 03/11/04 17:40:15 | 3-106011 | Deny inbound (No xlate) icmp src outside:209.163.187.3 dst outside:209.161.200.230 (type 8, code 0) | 3 |
| 12 | 03/11/04 09:47:58 | 03/11/04 17:40:15 | 3-106011 | Deny inbound (No xlate) tcp src outside:203.146.193.136/nnnn dst outside:209.161.200.227/135 | 3 |
| 13 | 03/11/04 08:42:24 | 03/11/04 17:40:15 | 3-106011 | Deny inbound (No xlate) tcp src outside:212.126.218.124/nnnn dst outside:209.161.200.227/21 | 3 |
| 14 | 03/11/04 02:20:17 | 03/11/04 17:40:15 | 3-106011 | Deny inbound (No xlate) tcp src outside:209.161.171.38/nnnn dst outside:209.161.200.227/135 | 3 |
| 15 | 03/11/04 08:27:52 | 03/11/04 17:40:15 | 3-106011 | Deny inbound (No xlate) tcp src outside:81.33.7.251/nnnn dst outside:209.161.200.227/135 | 3 |
| 16 | 03/11/04 13:10:35 | 03/11/04 17:40:15 | 3-106011 | Deny inbound (No xlate) tcp src outside:69.19.18.104/nnnn dst outside:209.161.200.227/135 | 3 |
| 17 | 03/11/04 05:27:21 | 03/11/04 17:40:15 | 3-106011 | Deny inbound (No xlate) tcp src outside:63.90.3.55/nnnn dst outside:209.161.200.227/135 | 3 |
| 18 | 03/11/04 06:54:16 | 03/11/04 17:40:15 | 3-106011 | Deny inbound (No xlate) tcp src outside:64.164.53.2/nnnn dst outside:209.161.200.227/135 | 3 |
| 19 | 03/11/04 05:21:14 | 03/11/04 17:40:15 | 3-106011 | Deny inbound (No xlate) tcp src outside:209.139.2.21/nnnn dst outside:209.161.200.227/135 | 3 |
| 20 | 03/11/04 01:10:51 | 03/11/04 17:40:15 | 3-106011 | Deny inbound (No xlate) tcp src outside:216.209.93.71/nnnn dst outside:209.161.200.227/135 | 3 |
| 21 | 03/11/04 03:01:31 | 03/11/04 17:40:15 | 3-106011 | Deny inbound (No xlate) tcp src outside:24.93.30.147/nnnn dst outside:209.161.200.227/135 | 3 |
| 22 | 03/11/04 15:58:02 | 03/11/04 17:40:15 | 3-106011 | Deny inbound (No xlate) tcp src outside:217.34.66.13/nnnn dst outside:209.161.200.228/139 | 3 |
| 23 | 03/11/04 07:44:02 | 03/11/04 17:40:15 | 3-106011 | Deny inbound (No xlate) tcp src outside:218.144.184.36/nnnn dst outside:209.161.200.228/445 | 3 |
| 24 | 03/11/04 02:20:23 | 03/11/04 17:40:15 | 3-106011 | Deny inbound (No xlate) tcp src outside:208.186.151.157/nnnn dst outside:209.161.200.227/443 | 3 |
| 25 | 03/11/04 07:06:12 | 03/11/04 17:40:15 | 3-106011 | Deny inbound (No xlate) tcp src outside:65.69.126.157/nnnn dst outside:209.161.200.227/445 | 3 |
| More messages were recorded than shown; the listing is limited to the top 25. | |||||
| No | First Message | Last Message | Code | Message | Count |
| 1 | 03/11/04 13:47:40 | 03/11/04 17:40:15 | 4-106023 | Deny tcp src inside:172.17.1.102/nnnn dst outside:69.6.57.7/80 by access-group "acl_inbound" | 2 |
| 2 | 03/11/04 13:34:36 | 03/11/04 17:40:15 | 4-400013 | IDS:2003 ICMP redirect from 64.53.150.209 to 192.168.1.1 on interface outside | 1 |
| 3 | 03/11/04 13:13:40 | 03/11/04 17:40:15 | 4-400032 | IDS:4051 UDP Snork attack from 64.53.150.209 to 192.168.1.1 on interface outside | 1 |
| No | First Message | Last Message | Code | Message | Count |
| 1 | 03/11/04 11:26:46 | 03/11/04 17:40:15 | 5-304001 | 172.17.1.102 Accessed URL 64.235.234.140:/ac/acmelogo.jpg | 13 |
| 2 | 03/11/04 10:41:15 | 03/11/04 17:40:15 | 5-304001 | 172.17.1.102 Accessed URL 66.163.175.128:/feed/pg4?s=quotes | 10 |
| 3 | 03/11/04 10:54:26 | 03/11/04 17:40:15 | 5-111007 | Begin configuration: 172.17.1.102 reading from terminal | 7 |
| 4 | 03/11/04 13:34:42 | 03/11/04 17:40:15 | 5-304001 | 172.17.1.102 Accessed URL 69.28.159.140:/mm_cdn/01068ABAASAAAAAsDq0mG.Pth3YbANncOnzAvOaXPiWXbxImylXyL5JzhApAtK6k27bxNA6FFoVAkCsUvcLKYtO7ilT2u_.DAhmtra1IxvQ--/album_image/amg/drd400/d485/d48583l9l32.jpg | 6 |
| 5 | 03/11/04 13:34:36 | 03/11/04 17:40:15 | 5-304001 | 172.17.1.102 Accessed URL 63.236.14.37:/nova/images/small-play-button.gif | 4 |
| 6 | 03/11/04 17:46:56 | 03/11/04 17:40:15 | 5-304001 | 172.17.1.70 Accessed URL 63.146.96.171:/wst/images/2314369.JPG | 3 |
| 7 | 03/11/04 13:34:09 | 03/11/04 17:40:15 | 5-304001 | 172.17.1.102 Accessed URL 63.236.14.26:/mmjb/check.cgi | 3 |
| 8 | 03/11/04 17:52:38 | 03/11/04 17:40:15 | 5-304001 | 172.17.1.70 Accessed URL 63.215.124.60:/i/msnbc/Components/Art/SITEWIDE/Marquee/bn_marquee2.gif | 3 |
| 9 | 03/11/04 10:55:47 | 03/11/04 17:40:15 | 5-111005 | 172.17.1.102 end configuration: OK | 3 |
| 10 | 03/11/04 10:47:05 | 03/11/04 17:40:15 | 5-304001 | 172.17.1.102 Accessed URL 64.236.16.246:/ | 3 |
| 11 | 03/11/04 17:46:56 | 03/11/04 17:40:15 | 5-304001 | 172.17.1.70 Accessed URL 63.146.96.171:/wst/images/2402631.JPG | 3 |
| 12 | 03/11/04 10:47:05 | 03/11/04 17:40:15 | 5-304001 | 172.17.1.102 Accessed URL 64.236.24.28:/ | 3 |
| 13 | 03/11/04 17:47:10 | 03/11/04 17:40:15 | 5-304001 | 172.17.1.70 Accessed URL 65.18.223.30:/images/citysites-cp-nytimes.jpg | 3 |
| 14 | 03/11/04 17:31:39 | 03/11/04 17:40:15 | 5-304001 | 172.17.1.70 Accessed URL 212.58.240.131:/nol/shared/img/branded_puffs/line_prog.gif | 2 |
| 15 | 03/11/04 12:47:04 | 03/11/04 17:40:15 | 5-304001 | 172.17.1.102 Accessed URL 64.233.161.104:/ | 2 |
| 16 | 03/11/04 17:57:25 | 03/11/04 17:40:15 | 5-304001 | 172.17.1.70 Accessed URL 207.46.245.33:/css/html40.css | 2 |
| 17 | 03/11/04 17:06:39 | 03/11/04 17:40:15 | 5-304001 | 172.17.1.70 Accessed URL 212.58.240.38:/media/images/39876000/jpg/_39876654_apbahrain300.jpg | 2 |
| 18 | 03/11/04 14:43:44 | 03/11/04 17:40:15 | 5-304001 | 172.17.1.102 Accessed URL 63.236.14.21:/mmjb/ev/mx?EVENT=MXTrackDone&VER=8%2E20%2E0107MMD&OS=WinXPSP1&MMUID=957308CF%2DD475%2D4261%2DAC46%2D21A5D52566AD&SEQ=1&TRACKPOS=5&STATION%5FID=artistMatch%253a300%253a%253a | 2 |
| 19 | 03/11/04 17:34:04 | 03/11/04 17:40:15 | 5-304001 | 172.17.1.70 Accessed URL 206.112.74.4:/images/pixel.gif | 2 |
| 20 | 03/11/04 17:18:27 | 03/11/04 17:40:15 | 5-304001 | 172.17.1.70 Accessed URL 216.239.41.104:/pagead/show_ads.js | 2 |
| 21 | 03/11/04 11:37:41 | 03/11/04 17:40:15 | 5-304001 | 172.17.1.102 Accessed URL 207.46.248.244:/library/images/support/emailicon.gif | 2 |
| 22 | 03/11/04 17:31:40 | 03/11/04 17:40:15 | 5-304001 | 172.17.1.70 Accessed URL 212.58.240.131:/media/images/39870000/jpg/_39870384_obese_66.jpg | 2 |
| 23 | 03/11/04 17:37:05 | 03/11/04 17:40:15 | 5-304001 | 172.17.1.70 Accessed URL 207.61.132.8:/images/2004/03/11/international/040312_web_MADRIDmap.gif | 2 |
| 24 | 03/11/04 17:47:08 | 03/11/04 17:40:15 | 5-304001 | 172.17.1.70 Accessed URL 209.11.106.40:/sales/listingJS.asp | 2 |
| 25 | 03/11/04 17:37:04 | 03/11/04 17:40:15 | 5-304001 | 172.17.1.70 Accessed URL 207.61.132.8:/images/2004/03/11/international/11cnd-blast.10.184.jpg | 2 |
| More messages were recorded than shown; the listing is limited to the top 25. | |||||
| No | First Message | Last Message | Code | Message | Count |
| 1 | 03/11/04 12:22:56 | 03/11/04 17:40:15 | 6-305001 | Portmapped translation built for gaddr 209.161.200.226/nnnn laddr 172.17.1.102/nnnn | 636 |
| 2 | 03/11/04 12:23:41 | 03/11/04 17:40:15 | 6-305004 | Teardown portmap translation for global 209.161.200.226/nnnn local 172.17.1.102/nnnn | 612 |
| 3 | 03/11/04 00:20:07 | 03/11/04 17:40:15 | 6-302006 | Teardown UDP connection for faddr 207.136.100.40/nnnn gaddr 209.161.200.226/nnnn laddr 172.17.1.40/nnnn | 337 |
| 4 | 03/11/04 00:19:51 | 03/11/04 17:40:15 | 6-302005 | Built UDP connection for faddr 207.136.100.40/nnnn gaddr 209.161.200.226/nnnn laddr 172.17.1.40/nnnn | 337 |
| 5 | 03/11/04 12:24:01 | 03/11/04 17:40:15 | 6-302005 | Built UDP connection for faddr 207.136.100.40/nnnn gaddr 209.161.200.226/nnnn laddr 172.17.1.40/nnnn | 282 |
| 6 | 03/11/04 12:24:12 | 03/11/04 17:40:15 | 6-302006 | Teardown UDP connection for faddr 207.136.100.40/nnnn gaddr 209.161.200.226/nnnn laddr 172.17.1.40/nnnn | 271 |
| 7 | 03/11/04 10:39:42 | 03/11/04 17:40:15 | 6-305001 | Portmapped translation built for gaddr 209.161.200.226/nnnn laddr 172.17.1.102/nnnn | 209 |
| 8 | 03/11/04 10:42:07 | 03/11/04 17:40:15 | 6-305004 | Teardown portmap translation for global 209.161.200.226/nnnn local 172.17.1.102/nnnn | 206 |
| 9 | 03/11/04 16:42:25 | 03/11/04 17:40:15 | 6-305001 | Portmapped translation built for gaddr 209.161.200.226/nnnn laddr 172.17.1.70/nnnn | 204 |
| 10 | 03/11/04 16:43:09 | 03/11/04 17:40:15 | 6-305004 | Teardown portmap translation for global 209.161.200.226/nnnn local 172.17.1.70/nnnn | 193 |
| 11 | 03/11/04 17:39:58 | 03/11/04 17:40:15 | 6-305004 | Teardown portmap translation for global 209.161.200.226/nnnn local 172.17.1.70/nnnn | 190 |
| 12 | 03/11/04 17:39:27 | 03/11/04 17:40:15 | 6-305001 | Portmapped translation built for gaddr 209.161.200.226/nnnn laddr 172.17.1.70/nnnn | 183 |
| 13 | 03/11/04 00:09:04 | 03/11/04 17:40:15 | 6-305004 | Teardown portmap translation for global 209.161.200.226/nnnn local 172.17.1.40/nnnn | 135 |
| 14 | 03/11/04 00:06:39 | 03/11/04 17:40:15 | 6-305001 | Portmapped translation built for gaddr 209.161.200.226/nnnn laddr 172.17.1.40/nnnn | 135 |
| 15 | 03/11/04 17:39:28 | 03/11/04 17:40:15 | 6-302006 | Teardown UDP connection for faddr 207.136.100.40/nnnn gaddr 209.161.200.226/nnnn laddr 172.17.1.40/nnnn | 88 |
| 16 | 03/11/04 17:39:28 | 03/11/04 17:40:15 | 6-302005 | Built UDP connection for faddr 207.136.100.40/nnnn gaddr 209.161.200.226/nnnn laddr 172.17.1.40/nnnn | 85 |
| 17 | 03/11/04 12:24:01 | 03/11/04 17:40:15 | 6-305001 | Portmapped translation built for gaddr 209.161.200.226/nnnn laddr 172.17.1.40/nnnn | 75 |
| 18 | 03/11/04 12:24:42 | 03/11/04 17:40:15 | 6-305004 | Teardown portmap translation for global 209.161.200.226/nnnn local 172.17.1.40/nnnn | 74 |
| 19 | 03/11/04 00:09:04 | 03/11/04 17:40:15 | 6-302006 | Teardown UDP connection for faddr 209.161.200.227/514 gaddr 209.161.200.226/nnnn laddr 172.17.1.10/nnnn | 71 |
| 20 | 03/11/04 00:09:04 | 03/11/04 17:40:15 | 6-305004 | Teardown portmap translation for global 209.161.200.226/nnnn local 172.17.1.10/nnnn | 71 |
| 21 | 03/11/04 00:06:47 | 03/11/04 17:40:15 | 6-302005 | Built UDP connection for faddr 209.161.200.227/514 gaddr 209.161.200.226/nnnn laddr 172.17.1.10/nnnn | 71 |
| 22 | 03/11/04 00:06:47 | 03/11/04 17:40:15 | 6-305001 | Portmapped translation built for gaddr 209.161.200.226/nnnn laddr 172.17.1.10/nnnn | 71 |
| 23 | 03/11/04 16:58:40 | 03/11/04 17:40:15 | 6-302001 | Built outbound TCP connection nnnnn for faddr 212.58.240.142/80 gaddr 209.161.200.226/nnnn laddr 172.17.1.70/nnnn | 64 |
| 24 | 03/11/04 16:58:41 | 03/11/04 17:40:15 | 6-302002 | Teardown TCP connection nnnnn faddr 212.58.240.142/80 gaddr 209.161.200.226/nnnn laddr 172.17.1.70/nnnn duration 0:00:01 bytes nnnnn (TCP FINs) | 62 |
| 25 | 03/11/04 17:39:28 | 03/11/04 17:40:15 | 6-305004 | Teardown portmap translation for global 209.161.200.226/nnnn local 172.17.1.102/nnnn | 59 |
| More messages were recorded than shown; the listing is limited to the top 25. | |||||
| No | First Message | Last Message | Code | Message | Count |
| 1 | 03/11/04 13:50:41 | 03/11/04 17:40:15 | 7-702301 | lifetime expiring, (sa) sa_dest= 209.161.200.226, sa_prot= 50, sa_spi= 0x21a09f69(564174697), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 1, (identity) local= 209.161.200.226, remote= 209.161.200.235, local_proxy | 1 |
| No | Source IP | Source Host | Destination IP | Destination Host | Connections | Comments |
| 1 | 66.194.6.70 | 66-194-6-70.gen.twtelecom.net | 172.17.1.40 | public.acme.local | 1 | |
| 2 | 210.117.67.213 | | 172.17.1.40 | public.acme.local | 1 | |
| 3 | 209.164.24.114 | 209.164.24.114.ptr.us.xo.net | 172.17.1.40 | public.acme.local | 1 |
| No | Source IP | Source Host | Destination IP | Destination Host | Protocol | Connections | Direction | Comments |
| 1 | 172.17.1.102 | dell3943.acme.local | 64.235.234.140 | europa.lunarpages.com | TCP/110 - pop3 | 51 | out | |
| 2 | 80.97.48.21 | dev21.histria.ro | 172.17.1.40 | public.acme.local | TCP/143 - imap | 37 | in | |
| 3 | 69.19.34.66 | dpc691934066.direcpc.com | 172.17.1.40 | public.acme.local | TCP/143 - imap | 35 | in | |
| 4 | 64.228.41.54 | toronto-ppp226571.sympatico.ca | 172.17.1.40 | public.acme.local | TCP/143 - imap | 12 | in | |
| 5 | 195.20.106.85 | | 172.17.1.40 | public.acme.local | TCP/110 - pop3 | 11 | in | Sorin |
| 6 | 80.97.89.49 | | 172.17.1.40 | public.acme.local | TCP/143 - imap | 10 | in | |
| 7 | 217.19.7.89 | net2-89.seanet.ro | 172.17.1.40 | public.acme.local | TCP/143 - imap | 3 | in | |
| 8 | 172.17.1.102 | dell3943.acme.local | 209.161.200.227 | mx1.altairtech.ca | TCP/143 - imap | 1 | out |
| No | Source IP | Source Host | Destination IP | Destination Host | Connections | Direction | Comments |
| No MS RPC connections recorded. Logging level 6 required for this type of information. | |||||||
| No | Source IP | Source Host | Destination IP | Destination Host | Connections | Direction | Comments |
| No RDP connections recorded. Logging level 6 required for this type of information. | |||||||
| No | Source IP | Source Host | Destination IP | Destination Host | Connections | Direction | Comments |
| No NetBIOS connections recorded. Logging level 6 required for this type of information. | |||||||
| No | Source IP | Source Host | Destination IP | Destination Host | Protocol | Connections | Direction | Comments |
| No SSH,Telnet connections. Logging level 6 required for this type of information. | ||||||||
| No | Protocol | Connections | % | |
| 1 | UDP/1024+ - dns | 1,132 | 39.87 | |
| 2 | TCP/80 - http | 914 | 32.19 | |
| 3 | TCP/25 - smtp | 367 | 12.92 | |
| 4 | TCP/443 - ssl-https | 121 | 4.26 | |
| 5 | TCP/143 - imap | 98 | 3.45 | |
| 6 | TCP/21 - ftp | 78 | 2.74 | |
| 7 | TCP/110 - pop3 | 62 | 2.18 | |
| 8 | UDP/514 - syslog | 39 | 1.37 | |
| 9 | UDP/138 - netbios | 16 | 0.56 | |
| 10 | UDP/428 | 5 | 0.17 | |
| 11 | TCP/5050 - yahoo messenger | 2 | 0.07 | |
| 12 | TCP/5190 - icq | 2 | 0.07 | |
| 13 | UDP/370 - nai-antivirus-securecast | 1 | 0.03 | |
| 14 | UDP/123 - ntp | 1 | 0.03 | |
| 15 | TCP/389 - ldap | 1 | 0.03 |
| No | Protocol | Total Traffic | % | Bytes In | Bytes Out | |
| 1 | TCP/80 - http | 48,944,886 | 86.97 | 2,860 | 48,942,026 | |
| 2 | TCP/21 - ftp | 3,929,829 | 6.98 | 0 | 3,929,829 | |
| 3 | TCP/25 - smtp | 1,748,621 | 3.11 | 1,600,946 | 147,675 | |
| 4 | TCP/443 - ssl-https | 1,040,378 | 1.85 | 0 | 1,040,378 | |
| 5 | TCP/143 - imap | 572,488 | 1.02 | 572,488 | 0 | |
| 6 | TCP/110 - pop3 | 27,467 | 0.05 | 15,002 | 12,465 | |
| 7 | TCP/5050 - yahoo messenger | 6,236 | 0.01 | 0 | 6,236 | |
| 8 | TCP/5190 - icq | 5,971 | 0.01 | 0 | 5,971 | |
| | Total | 56,275,876 | 100.00 | 2,191,296 | 54,084,580 | |
| | Unknown | 0 | | | | Traffic that could not be mapped to a specific protocol or as inbound/outbound |
| No | FTP client IP | FTP client host | FTP server IP | FTP server host | File | Count | Comments |
| 1 | 172.17.1.40 | public.acme.local | 216.218.202.31 | | nvc5.txt | 11 | |
| 2 | 172.17.1.40 | public.acme.local | 216.218.202.31 | | bitdefender.txt | 10 | |
| 3 | 172.17.1.40 | public.acme.local | 216.218.202.31 | | eed.txt | 10 | |
| 4 | 172.17.1.102 | dell3943.acme.local | 205.227.137.57 | ftpdal.nai.com | delta.ini | 1 | |
| 5 | 172.17.1.102 | dell3943.acme.local | 205.227.137.57 | ftpdal.nai.com | update.ini | 1 | |
| 6 | 172.17.1.40 | public.acme.local | 216.218.202.31 | | nvc5.zip | 1 | |
| 7 | 172.17.1.40 | public.acme.local | 216.218.202.31 | | bitdefender.zip | 1 | |
| 8 | 172.17.1.40 | public.acme.local | 209.61.184.105 | server1.gfi.com | eed.txt | 1 | |
| 9 | 172.17.1.40 | public.acme.local | 216.218.202.31 | | eed.zip | 1 | |
| 10 | 172.17.1.40 | public.acme.local | 209.61.184.105 | server1.gfi.com | bitdefender.txt | 1 | |
| 11 | 172.17.1.40 | public.acme.local | 209.61.184.105 | server1.gfi.com | nvc5.txt | 1 | |
| No | FTP client IP | FTP client host | FTP server IP | FTP server host | File | Count | Comments |
| No FTP Uploads recorded - Level 5 (Notification) logging is required to capture FTP uploads. | |||||||
| No | Source IP | Source Host | Connections | Protocols | Traffic (kb) | Comments |
| 1 | 172.17.1.102 | dell3943.acme.local | 712 | TCP/143 - imap, TCP/80 - http, TCP/5050 - yahoo messenger, TCP/389 - ldap, TCP/21 - ftp, TCP/110 - pop3, TCP/443 - ssl-https, TCP/25 - smtp, TCP/5190 - icq | 41,925 | |
| 2 | 172.17.1.40 | public.acme.local | 551 | TCP/80 - http, TCP/21 - ftp, TCP/25 - smtp | 6,116 | |
| 3 | 172.17.1.70 | dell4323.acme.local | 382 | TCP/80 - http, TCP/443 - ssl-https | 8,757 |
| Hours | Bytes Inbound | Bytes Outbound | Bytes Unknown | Bytes Total | % | |
| 00 - 01 | 33,273 | 5,156 | 0 | 38,429 | 0.07 | |
| 01 - 02 | 169,945 | 1,342 | 0 | 171,287 | 0.29 | |
| 02 - 03 | 26,852 | 1,341 | 0 | 28,193 | 0.05 | |
| 03 - 04 | 187,595 | 19,082 | 0 | 206,677 | 0.36 | |
| 04 - 05 | 65,054 | 1,341 | 0 | 66,395 | 0.11 | |
| 05 - 06 | 47,302 | 2,517,485 | 0 | 2,564,787 | 4.41 | |
| 06 - 07 | 47,479 | 1,340 | 0 | 48,819 | 0.08 | |
| 07 - 08 | 91,452 | 45,456 | 0 | 136,908 | 0.24 | |
| 08 - 09 | 342,454 | 1,338 | 0 | 343,792 | 0.59 | |
| 09 - 10 | 131,021 | 1,353,340 | 0 | 1,484,361 | 2.55 | |
| 10 - 11 | 156,091 | 256,784 | 0 | 412,875 | 0.71 | |
| 11 - 12 | 31,001 | 830,613 | 47,416 | 909,030 | 1.56 | |
| 12 - 13 | 171,914 | 456,605 | 0 | 628,519 | 1.08 | |
| 13 - 14 | 37,390 | 859,558 | 1,837,790 | 2,734,738 | 4.70 | |
| 14 - 15 | 114,875 | 9,688,110 | 0 | 9,802,985 | 16.85 | |
| 15 - 16 | 27,803 | 26,946 | 0 | 54,749 | 0.09 | |
| 16 - 17 | 472,914 | 8,462,245 | 0 | 8,935,159 | 15.36 | |
| 17 - 18 | 36,881 | 29,313,505 | 0 | 29,350,386 | 50.46 | |
| 18 - 19 | 0 | 242,993 | 0 | 242,993 | 0.42 | |
| 19 - 20 | 0 | 0 | 0 | 0 | 0 | |
| 20 - 21 | 0 | 0 | 0 | 0 | 0 | |
| 21 - 22 | 0 | 0 | 0 | 0 | 0 | |
| 22 - 23 | 0 | 0 | 0 | 0 | 0 | |
| 23 - 24 | 0 | 0 | 0 | 0 | 0 | |
| Total | 2,191,296 | 54,084,580 | 1,885,206 | 58,161,082 | ||
| Total | 2,140 kb | 52,817 kb | 1,841 kb | 56,798 kb |
| Hours | Bytes Inbound | % | |
| 00 - 01 | 33,273 | 1.52 | |
| 01 - 02 | 169,945 | 7.76 | |
| 02 - 03 | 26,852 | 1.23 | |
| 03 - 04 | 187,595 | 8.56 | |
| 04 - 05 | 65,054 | 2.97 | |
| 05 - 06 | 47,302 | 2.16 | |
| 06 - 07 | 47,479 | 2.17 | |
| 07 - 08 | 91,452 | 4.17 | |
| 08 - 09 | 342,454 | 15.63 | |
| 09 - 10 | 131,021 | 5.98 | |
| 10 - 11 | 156,091 | 7.12 | |
| 11 - 12 | 31,001 | 1.41 | |
| 12 - 13 | 171,914 | 7.85 | |
| 13 - 14 | 37,390 | 1.71 | |
| 14 - 15 | 114,875 | 5.24 | |
| 15 - 16 | 27,803 | 1.27 | |
| 16 - 17 | 472,914 | 21.58 | |
| 17 - 18 | 36,881 | 1.68 | |
| 18 - 19 | 0 | 0 | |
| 19 - 20 | 0 | 0 | |
| 20 - 21 | 0 | 0 | |
| 21 - 22 | 0 | 0 | |
| 22 - 23 | 0 | 0 | |
| 23 - 24 | 0 | 0 | |
| Total | 2,191,296 | ||
| Total | 2,140 kb |
| Hours | Bytes Outbound | % | |
| 00 - 01 | 5,156 | 0.01 | |
| 01 - 02 | 1,342 | 0.00 | |
| 02 - 03 | 1,341 | 0.00 | |
| 03 - 04 | 19,082 | 0.04 | |
| 04 - 05 | 1,341 | 0.00 | |
| 05 - 06 | 2,517,485 | 4.65 | |
| 06 - 07 | 1,340 | 0.00 | |
| 07 - 08 | 45,456 | 0.08 | |
| 08 - 09 | 1,338 | 0.00 | |
| 09 - 10 | 1,353,340 | 2.50 | |
| 10 - 11 | 256,784 | 0.47 | |
| 11 - 12 | 830,613 | 1.54 | |
| 12 - 13 | 456,605 | 0.84 | |
| 13 - 14 | 859,558 | 1.59 | |
| 14 - 15 | 9,688,110 | 17.91 | |
| 15 - 16 | 26,946 | 0.05 | |
| 16 - 17 | 8,462,245 | 15.65 | |
| 17 - 18 | 29,313,505 | 54.20 | |
| 18 - 19 | 242,993 | 0.45 | |
| 19 - 20 | 0 | 0 | |
| 20 - 21 | 0 | 0 | |
| 21 - 22 | 0 | 0 | |
| 22 - 23 | 0 | 0 | |
| 23 - 24 | 0 | 0 | |
| Total | 54,084,580 | ||
| Total | 52,817 kb |
| No | Protocol | Reason | Count |
| 1 | TCP/135 - ms rpc | No xlate | 53 |
| 2 | ICMP/8 - echo | No xlate | 16 |
| 3 | TCP/445 - netbios | No xlate | 11 |
| 4 | TCP/1433 - ms sql | No xlate | 4 |
| 5 | TCP/443 - ssl-https | No xlate | 3 |
| 6 | TCP/21 - ftp | No xlate | 3 |
| 7 | TCP/139 - netbios | No xlate | 3 |
| No | Destination IP | Destination Host | Count | Comments |
| 1 | 209.161.200.227 | mx1.altairtech.ca | 183 | |
| 2 | 209.161.200.230 | 91 | ||
| 3 | 209.161.200.228 | mx2.altairtech.ca | 90 | |
| 4 | 69.6.57.7 | 2 |
| No | Operation | Source IP | Source host | Destination IP | Destination host | Count | Comments |
| 1 | Tunnel deleted | 209.161.200.226 | mail.altairtech.ca | | | 2 | Used protocol number 50 - SA parameters: esp-des esp-md5-hmac |
| 2 | Tunnel established | 209.161.200.226 | mail.altairtech.ca | | | 1 | Using protocol number 50 - SA parameters: esp-des esp-md5-hmac |
| 3 | Tunnel established | 209.161.200.235 | | | | 1 | Using protocol number 50 - SA parameters: esp-des esp-md5-hmac |
| 4 | User authentication initiated | - | | | | 1 | User jmoore |
| 5 | Tunnel terminated | 209.161.200.226 | mail.altairtech.ca | 209.161.200.235 | | 1 | Reason: Lifetime expired |
| 6 | Tunnel deleted | 209.161.200.235 | | | | 1 | Used protocol number 50 - SA parameters: esp-des esp-md5-hmac |
| 7 | Authentication success | 209.161.200.235 | | 0.0.0.0 | | 1 | User jmoore via IKE-XAUTH |
| No | Source IP | Source host | Destination IP | Destination host | Interface | IDS Event | Count | Comments |
| 1 | 64.53.150.209 | d53-64-209-150.nap.wideopenwest.com | 192.168.1.1 | dmzbastion.acme.local | outside | ICMP redirect (IDS signature: 2003) | 1 | Scanned the firewall on March 2 |
| 2 | 64.53.150.209 | d53-64-209-150.nap.wideopenwest.com | 192.168.1.1 | dmzbastion.acme.local | outside | UDP Snork attack (IDS signature: 4051) | 1 | Scanned the firewall on March 2 |
| No | Client IP | Client host | Protocol | Count | Operation | Comments |
| 1 | 172.17.1.102 | dell3943.acme.local | Terminal | 7 | Listed configuration | |
| 2 | 172.17.1.102 | dell3943.acme.local | Telnet | 6 | Successful login | |
| 3 | 172.17.1.102 | dell3943.acme.local | Console | 2 | Finished configuration - OK | |
| 4 | 172.17.1.102 | dell3943.acme.local | Console | 2 | Saved configuration to memory | |
| 5 | console | | Terminal | 1 | Listed configuration | |
| 6 | 172.17.1.102 | dell3943.acme.local | SSH | 1 | Failed login | (3 attempts) on interface inside by user "" |
| 7 | 172.17.1.102 | dell3943.acme.local | SSH | 1 | Failed login | (3 attempts) on interface inside by user "telnet" |
| No | Term | Explanation |
| 1 | Addresses generating denial messages | IP addresses that caused the firewall to generate a deny message (see "Denial messages"). It helps in identifying potential intruders or abusers. |
| 2 | Bytes in / Bytes out | Cisco labels traffic "in" or "out" by how the connection was initiated, not by which way the bytes flow. If an HTTP connection is initiated by an internal IP address (typical web browsing), all traffic on that connection is labeled "out", even though most of the bytes actually come from the web server. |
| 3 | Denial messages | Messages recorded by the firewall when a connection is denied. A connection is denied when no access list or translation ("No xlate") permits the protocol and source/destination addresses, or when the packet itself is invalid (for example the Land attack denial reported above). |
| 4 | Denied protocols | Protocols used in various deny messages recorded by the firewall (see "Denial messages") |
| 5 | Message types distribution | Offers a quick overview of the types of messages found in the analyzed logs. One example of each message type is given. |
| 6 | Severity level | Cisco PIX message category, based on how critical the message is to the functioning of the firewall and on its security implications. |
| 7 | Internal IP addresses | Hosts considered "internal" by the PIX firewall. |
| 8 | Unknown traffic | When a connection is initiated, the firewall assigns it a connection ID and labels it "inbound" or "outbound". When the connection is terminated, the firewall records the number of bytes transferred, but the direction of that traffic can be established only by matching the teardown message to the build message with the same connection ID. If the build message is missing from the log, no matching is possible and the direction cannot be established. This typically happens when a connection is initiated shortly before midnight and terminated after it, so that the two messages fall into two different daily logs. |
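The following script is an added example, written for this page and not the code of the analysis tool that produced the report. It shows how the figures in the "Severity level", "Bytes in / Bytes out", "Unknown traffic", "Denial messages" and "Denied protocols" entries above are derived from raw PIX syslog lines: the severity histogram, build/teardown matching by connection ID with an "unknown" bucket for teardowns whose build message is absent, and the deny tally by protocol/port, reason and target. The sample lines are constructed for the example (their bodies mirror the messages quoted in the report); the "Mon DD YYYY HH:MM:SS:" timestamp prefix is an assumption about the WinSyslog/PIX timestamp layout and is not parsed.

```python
import re
from collections import Counter

# Constructed sample in PIX syslog format. The timestamp prefix layout is an
# assumption; the message bodies follow the examples shown in the report.
SAMPLE_LOG = """\
Mar 11 2004 00:00:31: %PIX-6-302002: Teardown TCP connection 363990 faddr 64.14.131.71/80 gaddr 209.161.200.226/42400 laddr 172.17.1.70/2690 duration 0:00:12 bytes 4120 (TCP FINs)
Mar 11 2004 08:32:08: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:83.157.142.37/3273 dst outside:209.161.200.227/135
Mar 11 2004 12:22:56: %PIX-6-302001: Built outbound TCP connection 364050 for faddr 65.54.194.117/80 gaddr 209.161.200.226/42445 laddr 172.17.1.70/2722
Mar 11 2004 12:23:41: %PIX-6-302002: Teardown TCP connection 364050 faddr 65.54.194.117/80 gaddr 209.161.200.226/42445 laddr 172.17.1.70/2722 duration 0:00:45 bytes 6842 (TCP FINs)
Mar 11 2004 12:49:20: %PIX-2-106017: Deny IP due to Land Attack from 64.53.150.209 to 209.161.200.227
Mar 11 2004 13:00:00: %PIX-6-302001: Built inbound TCP connection 364100 for faddr 80.97.48.21/4521 gaddr 209.161.200.226/143 laddr 172.17.1.40/143
Mar 11 2004 13:05:00: %PIX-6-302002: Teardown TCP connection 364100 faddr 80.97.48.21/4521 gaddr 209.161.200.226/143 laddr 172.17.1.40/143 duration 0:05:00 bytes 15000 (TCP FINs)
Mar 11 2004 13:47:40: %PIX-4-106023: Deny tcp src inside:172.17.1.102/4177 dst outside:69.6.57.7/80 by access-group "acl_inbound"
"""

MSG_RE = re.compile(r"%PIX-(?P<sev>[1-7])-(?P<code>\d{6}): (?P<body>.*)$")
BUILT_RE = re.compile(r"Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) ")
TEARDOWN_RE = re.compile(r"Teardown TCP connection (?P<id>\d+) .*? bytes (?P<bytes>\d+)")
# Covers 106011 (No xlate) and 106023 (access-group deny); the port is absent for ICMP.
DENY_RE = re.compile(
    r"Deny (?:inbound )?(?:\((?P<reason>[^)]+)\) )?(?P<proto>\w+) "
    r"src \S+:(?P<src>[\d.]+)(?:/\d+)? dst \S+:(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
    r'(?: by access-group "(?P<acl>[^"]+)")?'
)
LAND_RE = re.compile(r"Deny IP due to Land Attack from (?P<src>[\d.]+) to (?P<dst>[\d.]+)")


def parse(lines):
    """Yield (severity, message code, body) for every line carrying a PIX message."""
    for line in lines:
        m = MSG_RE.search(line)
        if m:
            yield int(m["sev"]), m["code"], m["body"]


def severity_counts(lines):
    """Severity-level histogram, like the report's Level/Severity table."""
    return Counter(sev for sev, _, _ in parse(lines))


def traffic_by_direction(lines):
    """Attribute each teardown's byte count to the direction recorded when the
    connection was built (302001). The PIX labels a connection by who opened it,
    so a browser session's downloads count as 'outbound'. A teardown whose build
    message is not in this log (connection opened before the log started) cannot
    be classified and lands in 'unknown', as in the report's Unknown column."""
    direction = {}
    totals = {"inbound": 0, "outbound": 0, "unknown": 0}
    for _, code, body in parse(lines):
        if code == "302001":
            m = BUILT_RE.match(body)
            if m:
                direction[m["id"]] = m["dir"]
        elif code == "302002":
            m = TEARDOWN_RE.match(body)
            if m:
                totals[direction.pop(m["id"], "unknown")] += int(m["bytes"])
    return totals


def denials(lines):
    """Tally deny messages per (protocol/port, reason) and per destination IP,
    covering 106011 (No xlate), 106023 (ACL deny) and 106017 (Land attack)."""
    by_proto, by_dst = Counter(), Counter()
    for _, code, body in parse(lines):
        if code in ("106011", "106023"):
            m = DENY_RE.match(body)
            if not m:
                continue
            proto = m["proto"].upper() + (f"/{m['dport']}" if m["dport"] else "")
            reason = m["reason"] or (f"access-group {m['acl']}" if m["acl"] else "unspecified")
            by_proto[(proto, reason)] += 1
            by_dst[m["dst"]] += 1
        elif code == "106017":
            m = LAND_RE.match(body)
            if m:
                by_proto[("IP", "Land Attack")] += 1
                by_dst[m["dst"]] += 1
    return by_proto, by_dst


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(sorted(severity_counts(lines).items()))
    print(traffic_by_direction(lines))
    print(*denials(lines), sep="\n")
```

On the constructed sample the first teardown (connection 363990) has no matching build message, so its 4,120 bytes go to "unknown", while the browsing session 364050 is counted as 6,842 bytes "outbound" even though the bytes were mostly downloaded, which is exactly the labeling quirk the glossary describes. Note that connection IDs are reused by the firewall over time, so when matching across a multi-day log the build record should be discarded once its teardown is seen (the `pop` above does this).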