Analyzing Cisco Pix firewall logs with FireGen Log Analyzer - A firewall administrator diary
Send your comments!
All the notes on this page are derived from our daily analysis of our Cisco Pix firewall logs using FireGen for Pix Log Analyzer, Version 2.0. To cross-reference the report sections mentioned in these articles, see the sample report.
As a demo, you may send us one of your logs, and we will analyze it with FireGen and send you back the report along with a short analysis from our consultants.
See the Summary of the recommendations.
June 30, 2004
The "Denied connections" section shows a large number of attempts by various worms to connect to the Windows NetBIOS/SMB and RPC ports (e.g. TCP/445 and TCP/135), most of them coming from the "neighborhood" (IP addresses from the same ISP as ours). If your ISP tries to charge you extra for the increased traffic, you can always show them that their lack of a security policy is one reason for it. Some ISPs shut down the Internet link of infected computers; since the ISP controls the routers, it should be able to detect such hosts itself.
June 12-13, 2004
June 10, 2004
We noticed in the "Severity Level 5 (Notifications) Messages" section a URL request like "scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir". The "%255c" is a double-encoded backslash: "%25" decodes to "%", leaving "%5c", which decodes to "\", so a web server that decodes the path a second time sees "..\..\" and walks out of the scripts directory to cmd.exe. This is a typical vulnerability scan that many script kiddies use to deface IIS web servers. We put the source IP address (80.232.139.120, apparently located in Riga, Latvia) in the IP Forensics analyzer and generated a report on its activity. It had scanned all our public IP addresses for port 80 (http) and, once it found our public web server, tried that URL to see if we were vulnerable.
The "Severity Level 4 (Warning) Messages" section showed several "Invalid transport field for protocol=6, from ..." messages (protocol 6 is TCP; the Pix logs this when the source or destination port field of a packet is zero) from different IP addresses, all within the same subnet: 210.23.172.168, 210.23.172.61, 210.23.172.242. We investigated this type of warning before and concluded that it represents a port scan, typically performed by a single computer. Seeing it from several computers might indicate some sort of denial of service attack. However, doing a reverse-name resolution for these IP addresses through the www.eventid.net links, we noticed that their names resolve to "PROXY". So most probably the port scan is done from a single computer, but there is a proxy server in between with several IP addresses (most probably the proxy belongs to the ISP and is configured as a cluster with several addresses). So it is not a DoS. Keep in mind that a reverse DNS name is set by whoever owns the address block, so treat it as a hint about the source rather than proof.
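The three checks described in the entries above (worm traffic on TCP/445 and TCP/135 from the neighborhood, pivoting on one source IP to spot a port sweep, decoding the IIS traversal URL and grouping the "Invalid transport field" sources by subnet) as an added Python example. This is not FireGen code and not part of the original diary. The message layouts follow Cisco's documented 106023, 304001 and 500004 formats (field order varies slightly between Pix versions, so the regexes are deliberately loose); the log excerpt is constructed, and the ISP block 203.0.113.0/24, the "our public range" 192.0.2.0/24 and the sweep threshold are assumptions standing in for values you would take from whois and your own baseline.

```python
"""Triage helper for Cisco PIX syslog (added example, not FireGen's code).

Answers the questions raised in the diary entries above:
  * which worm ports are being hit, and how much of it comes from our
    ISP's own address block (the "neighborhood"),
  * what one source IP did across the whole log (the IP Forensics pivot),
  * what a percent-encoded URL really asks for, and whether the sources
    of one message type cluster in a single subnet.
Message layouts follow Cisco's documented 106023 / 304001 / 500004
formats; the log excerpt, the ISP block and thresholds are constructed
or assumed for this example.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed PIX syslog excerpt (not a real capture). 192.0.2.0/24 plays
# our public range and 203.0.113.0/24 plays our ISP's block (assumption).
SAMPLE_LOG = """\
%PIX-4-106023: Deny tcp src outside:80.232.139.120/2211 dst inside:192.0.2.10/80 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:80.232.139.120/2212 dst inside:192.0.2.11/80 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:80.232.139.120/2213 dst inside:192.0.2.12/80 by access-group "outside_in"
%PIX-5-304001: 80.232.139.120 Accessed URL 192.0.2.13:/scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir
%PIX-4-106023: Deny tcp src outside:203.0.113.7/1034 dst inside:192.0.2.10/445 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:203.0.113.7/1035 dst inside:192.0.2.11/445 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:203.0.113.99/1101 dst inside:192.0.2.10/135 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:198.51.100.5/4040 dst inside:192.0.2.10/445 by access-group "outside_in"
%PIX-4-500004: Invalid transport field for protocol=6, from 210.23.172.168/0 to 192.0.2.10/80
%PIX-4-500004: Invalid transport field for protocol=6, from 210.23.172.61/0 to 192.0.2.11/80
"""

# One regex per message type the diary refers to.
DENY_RE = re.compile(
    r"%PIX-4-106023: Deny (?P<proto>tcp|udp) src \w+:(?P<src>[\d.]+)/\d+ "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")
URL_RE = re.compile(
    r"%PIX-5-304001: (?:\S+@)?(?P<src>[\d.]+) Accessed URL (?P<dst>[\d.]+):(?P<url>\S+)")
BADPORT_RE = re.compile(
    r"%PIX-4-500004: Invalid transport field for protocol=(?P<proto>\d+), "
    r"from (?P<src>[\d.]+)/\d+ to (?P<dst>[\d.]+)/(?P<dport>\d+)")


def parse_pix(text):
    """Turn raw syslog text into a list of event dicts; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            events.append({"kind": "deny", "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])})
            continue
        m = URL_RE.search(line)
        if m:
            events.append({"kind": "url", "src": m["src"], "dst": m["dst"], "url": m["url"]})
            continue
        m = BADPORT_RE.search(line)
        if m:
            events.append({"kind": "badport", "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])})
    return events


def worm_port_report(events, isp_net, ports=(445, 135)):
    """Count denied hits on worm-favoured ports, split into sources inside our
    ISP's block (the diary's "neighborhood") and everyone else."""
    net = ipaddress.ip_network(isp_net)
    report = {p: Counter() for p in ports}
    for e in events:
        if e["kind"] == "deny" and e["dport"] in ports:
            where = "isp" if ipaddress.ip_address(e["src"]) in net else "other"
            report[e["dport"]][where] += 1
    return report


def ip_forensics(events, src, min_targets=3):
    """Everything one source did: distinct hosts probed per port (one port,
    many hosts = a port sweep) and any URLs it requested. min_targets is an
    arbitrary threshold chosen for this example."""
    targets = defaultdict(set)
    urls = []
    for e in events:
        if e["src"] != src:
            continue
        if e["kind"] in ("deny", "badport"):
            targets[e["dport"]].add(e["dst"])
        elif e["kind"] == "url":
            urls.append(e["url"])
    sweeps = sorted(p for p, hosts in targets.items() if len(hosts) >= min_targets)
    return {"ports": {p: sorted(h) for p, h in targets.items()}, "sweeps": sweeps, "urls": urls}


def decode_url(url, max_passes=5):
    """Percent-decode until nothing changes so %255c -> %5c -> '\\' becomes
    visible; more than one pass means the request was double-encoded."""
    decoded, passes = url, 0
    for _ in range(max_passes):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded, passes = nxt, passes + 1
    return {"decoded": decoded, "passes": passes,
            "traversal": "..\\" in decoded or "../" in decoded}


def sources_by_subnet(events, kind, prefix=24):
    """Group the sources of one message type by /prefix to see whether several
    addresses are really one cluster (e.g. an ISP proxy farm)."""
    groups = defaultdict(set)
    for e in events:
        if e["kind"] == kind:
            net = ipaddress.ip_network(f"{e['src']}/{prefix}", strict=False)
            groups[str(net)].add(e["src"])
    return {n: sorted(s) for n, s in groups.items()}


if __name__ == "__main__":
    ev = parse_pix(SAMPLE_LOG)
    print(worm_port_report(ev, "203.0.113.0/24"))
    print(ip_forensics(ev, "80.232.139.120"))
    print(decode_url("/scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir"))
    print(sources_by_subnet(ev, "badport"))
```

On a real log, feed the whole syslog file to parse_pix, replace the ISP block with the allocation whois reports for your own public address, and run sources_by_subnet on whichever message type looks like a coordinated scan before deciding it is a DoS.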
Pix Analysis Archives:
May 17 - June 1 2004
May 1 - May 10 2004
April 21 - April 29 2004
April 13 - April 16 2004
April 2 - April 6 2004
March 29 - March 31 2004
March 25 - March 26 2004
March 20 - March 23 2004
March 12 - March 19 2004
March 8 - March 11 2004
