FireGen for Pix Log Analysis Report

Altair Technologies - "sample" firewall log analysis for the period
Thu Mar 11 00:00:00 2004 to Thu Mar 11 23:59:59 2004

Firewall | Sections | First message | Last message
172.17.1.15 | Summary, Message types, Message Details, Protocols, Traffic, Denials, VPN/IDS/Management | 03/11/04 00:00:31 | 03/11/04 18:01:05

Research links:

Keywords:
Keywords to include: Not configured
Keywords to exclude: Not configured
Analyzed logs:
Analyzed log(s) | Log size (kb) | Log entries | Log type
C:\Program Files\FireGenPix2\Sample\syslog-2004-03-11.log | 1,889.86 | 10,784 | Comma separated with no firewall time stamp (0)
Level | Severity | Description | Total
1 | Alert | Immediate action needed | 0
2 | Critical | Critical condition | 1
3 | Error | Error condition | 365
4 | Warning | Warning condition | 4
5 | Notification | Normal but significant condition | 754
6 | Informational | Informational message only | 9,657
7 | Debugging | Appears during debugging only | 1
 | | Total | 10,782

No | Code | Total | Example
1 | 2-106017 | 1 | Deny IP due to Land Attack from 64.53.150.209 to 209.161.200.227
2 | 3-106011 | 363 | Deny inbound (No xlate) udp src outside:61.221.171.82/3273 dst outside:209.161.200.230/1434
3 | 3-315004 | 2 | Fail to establish SSH session because PIX RSA host key retrieval failed.
4 | 4-106023 | 2 | Deny tcp src inside:172.17.1.102/4177 dst outside:69.6.57.7/80 by access-group "acl_inbound"
5 | 4-400013 | 1 | IDS:2003 ICMP redirect from 64.53.150.209 to 192.168.1.1 on interface outside
6 | 4-400032 | 1 | IDS:4051 UDP Snork attack from 64.53.150.209 to 192.168.1.1 on interface outside
7 | 5-111001 | 2 | Begin configuration: 172.17.1.102 writing to memory
8 | 5-111004 | 2 | 172.17.1.102 end configuration: OK
9 | 5-111005 | 2 | console end configuration: OK
10 | 5-111007 | 8 | Begin configuration: console reading from terminal
11 | 5-304001 | 740 | 172.17.1.70 Accessed URL 65.54.194.117:/ADSAdClient31.dll?GetAd?PG=NBCHIA?AP=?TF=_blank
12 | 6-106015 | 248 | Deny TCP (no connection) from 208.254.18.131/80 to 209.161.200.226/42436 flags ACK on interface outside
13 | 6-109005 | 1 | Authentication succeeded for user 'jmoore' from 209.161.200.235/0 to 0.0.0.0/0 on interface IKE-XAUTH
14 | 6-109011 | 1 | Authen Session Start: user 'jmoore', sid 3
15 | 6-302001 | 1,645 | Built outbound TCP connection 364050 for faddr 65.54.194.117/80 gaddr 209.161.200.226/42445 laddr 172.17.1.70/2722
16 | 6-302002 | 1,646 | Teardown TCP connection 364041 faddr 64.14.131.71/80 gaddr 209.161.200.226/42439 laddr 172.17.1.70/2711 duration 0:00:51 bytes 6842 (TCP Reset-I)
17 | 6-302005 | 1,194 | Built UDP connection for faddr 207.136.100.40/7097 gaddr 209.161.200.226/37745 laddr 172.17.1.40/1035
18 | 6-302006 | 1,186 | Teardown UDP connection for faddr 207.136.100.40/7097 gaddr 209.161.200.226/37745 laddr 172.17.1.40/1035
19 | 6-302010 | 107 | 6 in use, 114 most used
20 | 6-303002 | 39 | 172.17.1.102 Retrieved 205.227.137.57:delta.ini
21 | 6-305001 | 1,792 | Portmapped translation built for gaddr 209.161.200.226/42447 laddr 172.17.1.70/2731
22 | 6-305004 | 1,779 | Teardown portmap translation for global 209.161.200.226/42445 local 172.17.1.70/2722
23 | 6-307002 | 6 | Permitted Telnet login session from 172.17.1.102
24 | 6-315002 | 1 | Permitted SSH session from 172.17.1.102 on interface inside for user "pix"
25 | 6-315003 | 2 | SSH login session failed from 172.17.1.102 (3 attempts) on interface inside by user ""
26 | 6-315011 | 5 | SSH session from 172.17.1.102 on interface inside for user "pix" terminated normally
27 | 6-602301 | 2 | sa created, (sa) sa_dest= 209.161.200.235, sa_prot= 50, sa_spi= 0xa6afc495(2796536981), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 9
28 | 6-602302 | 3 | deleting SA, (sa) sa_dest= 209.161.200.235, sa_prot= 50, sa_spi= 0x3de88ffc(1038651388), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2
29 | 7-702301 | 1 | lifetime expiring, (sa) sa_dest= 209.161.200.226, sa_prot= 50, sa_spi= 0x21a09f69(564174697), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 1, (identity) local= 209.161.200.226, remote= 209.161.200.235, local_proxy

Web traffic (HTTP/HTTPS) - Top 50 internal users (outbound connections) for the 172.17.1.15 firewall:
No | Source IP | Source Host | Destination IP | Destination Host | Connections | Comments
1 | 172.17.1.102 | | 65.54.244.253 | | 85 |
2 | 172.17.1.70 | | 212.58.240.142 | www42.thny.bbc.co.uk | 64 |
3 | 172.17.1.102 | | 64.4.241.32 | www.paypal.com | 55 | HTTPS
4 | 172.17.1.102 | | 63.236.14.21 | h21.ip.musicmatch.com | 42 |
5 | 172.17.1.102 | | 208.223.219.206 | www.charter.com | 37 |
6 | 172.17.1.102 | | 216.220.63.73 | 73.63.220-216.q9.net | 34 | HTTPS
7 | 172.17.1.102 | | 69.28.154.140 | | 29 |
8 | 172.17.1.70 | | 212.58.240.131 | www31.thny.bbc.co.uk | 29 |
9 | 172.17.1.70 | | 212.58.240.38 | www8.thny.bbc.co.uk | 25 |
10 | 172.17.1.102 | | 63.236.14.37 | h37.ip.musicmatch.com | 24 |
11 | 172.17.1.102 | | 212.58.240.144 | www44.thny.bbc.co.uk | 23 |
12 | 172.17.1.102 | | 64.4.60.7 | dav.bay0.hotmail.com | 23 |
13 | 172.17.1.70 | | 62.189.244.254 | | 22 |
14 | 172.17.1.70 | | 207.61.132.8 | | 19 |
15 | 172.17.1.70 | | 199.246.67.114 | adcounter.globeandmail.com | 16 |
16 | 172.17.1.102 | | 207.69.130.52 | webmail.atl.earthlink.net | 15 | HTTPS
17 | 172.17.1.102 | | 65.54.229.253 | oe.bay110.hotmail.com | 15 |
18 | 172.17.1.70 | | 199.246.67.210 | stewie.theglobeandmail.com | 14 |
19 | 172.17.1.102 | | 64.235.234.140 | europa.lunarpages.com | 13 |
20 | 172.17.1.102 | | 207.46.248.244 | support2.microsoft.com | 13 |
21 | 172.17.1.70 | | 199.239.137.245 | | 11 |
22 | 172.17.1.70 | | 63.146.96.171 | www.homeseekers.com | 10 |
23 | 172.17.1.70 | | 216.52.17.116 | 112.2O7.net | 10 |
24 | 172.17.1.102 | | 216.239.37.99 | | 10 |
25 | 172.17.1.102 | | 66.163.175.128 | data1.my.vip.sc5.yahoo.com | 10 |
26 | 172.17.1.102 | | 216.52.17.118 | 102.112.2O7.net | 9 | HTTPS
27 | 172.17.1.102 | | 69.28.159.140 | cdn-69-28-159-140.iad.llnw.net | 9 |
28 | 172.17.1.70 | | 207.46.245.33 | msnbcbusiness.com | 9 |
29 | 172.17.1.102 | | 205.188.250.25 | cb.icq.com | 8 |
30 | 172.17.1.102 | | 207.68.172.249 | | 7 |
31 | 172.17.1.102 | | 64.236.42.63 | | 7 |
32 | 172.17.1.70 | | 12.130.12.31 | | 6 |
33 | 172.17.1.70 | | 206.112.74.4 | | 6 |
34 | 172.17.1.102 | | 64.236.40.55 | | 6 |
35 | 172.17.1.70 | | 199.239.137.200 | | 6 |
36 | 172.17.1.70 | | 209.68.10.225 | masterview.ikonosnewmedia.com | 6 |
37 | 172.17.1.70 | | 212.58.240.140 | www40.thny.bbc.co.uk | 6 |
38 | 172.17.1.102 | | 63.236.14.26 | h26.ip.musicmatch.com | 6 |
39 | 172.17.1.102 | | 63.236.14.12 | h12.ip.musicmatch.com | 6 |
40 | 172.17.1.70 | | 208.254.18.131 | | 6 |
41 | 172.17.1.102 | | 207.68.173.243 | | 5 |
42 | 172.17.1.70 | | 206.65.183.220 | | 5 |
43 | 172.17.1.102 | | 64.12.174.121 | ads.web.aol.com | 5 |
44 | 172.17.1.102 | | 220.164.144.132 | | 5 |
45 | 172.17.1.70 | | 63.215.124.60 | unknown.Level3.net | 5 |
46 | 172.17.1.70 | | 64.14.128.200 | | 5 |
47 | 172.17.1.102 | | 64.236.16.246 | edition2.cnn.com | 5 |
48 | 172.17.1.70 | | 199.246.67.250 | www.theglobeandmail.com | 5 |
49 | 172.17.1.70 | | 209.11.106.40 | | 5 |
50 | 172.17.1.102 | | 69.28.154.149 | | 5 |

Web traffic (HTTP/HTTPS) - Top 50 visited sites for the 172.17.1.15 firewall:
No | Web site IP | Web site name | HTTPS | Count
1 | 65.54.244.253 | | | 85
2 | 212.58.240.142 | www42.thny.bbc.co.uk | | 64
3 | 64.4.241.32 | www.paypal.com | Yes | 55
4 | 63.236.14.21 | h21.ip.musicmatch.com | | 42
5 | 208.223.219.206 | www.charter.com | | 37
6 | 216.220.63.73 | 73.63.220-216.q9.net | Yes | 34
7 | 212.58.240.131 | www31.thny.bbc.co.uk | | 29
8 | 69.28.154.140 | | | 29
9 | 62.189.244.254 | | | 25
10 | 212.58.240.38 | www8.thny.bbc.co.uk | | 25
11 | 63.236.14.37 | h37.ip.musicmatch.com | | 24
12 | 64.4.60.7 | dav.bay0.hotmail.com | | 23
13 | 212.58.240.144 | www44.thny.bbc.co.uk | | 23
14 | 207.61.132.8 | | | 19
15 | 199.246.67.114 | adcounter.globeandmail.com | | 16
16 | 65.54.229.253 | oe.bay110.hotmail.com | | 15
17 | 207.69.130.52 | webmail.atl.earthlink.net | Yes | 15
18 | 199.246.67.210 | stewie.theglobeandmail.com | | 14
19 | 64.235.234.140 | europa.lunarpages.com | | 13
20 | 207.46.248.244 | support2.microsoft.com | | 13
21 | 199.239.137.245 | | | 11
22 | 216.239.37.99 | | | 10
23 | 216.52.17.116 | 112.2O7.net | | 10
24 | 66.163.175.128 | data1.my.vip.sc5.yahoo.com | | 10
25 | 63.146.96.171 | www.homeseekers.com | | 10
26 | 69.28.159.140 | cdn-69-28-159-140.iad.llnw.net | | 9
27 | 212.58.240.140 | www40.thny.bbc.co.uk | | 9
28 | 207.46.245.33 | msnbcbusiness.com | | 9
29 | 216.52.17.118 | 102.112.2O7.net | Yes | 9
30 | 205.188.250.25 | cb.icq.com | | 8
31 | 207.68.172.249 | | | 7
32 | 64.236.42.63 | | | 7
33 | 199.239.137.200 | | | 6
34 | 208.254.18.131 | | | 6
35 | 63.236.14.12 | h12.ip.musicmatch.com | | 6
36 | 63.236.14.26 | h26.ip.musicmatch.com | | 6
37 | 64.236.40.55 | | | 6
38 | 12.130.12.31 | | | 6
39 | 209.68.10.225 | masterview.ikonosnewmedia.com | | 6
40 | 206.112.74.4 | | | 6
41 | 220.164.144.132 | | | 5
42 | 199.246.67.250 | www.theglobeandmail.com | | 5
43 | 207.68.173.243 | | | 5
44 | 63.215.124.60 | unknown.Level3.net | | 5
45 | 64.14.128.200 | | | 5
46 | 206.65.183.220 | | | 5
47 | 64.12.174.121 | ads.web.aol.com | | 5
48 | 69.28.154.149 | | | 5
49 | 209.11.106.40 | | | 5
50 | 64.236.16.246 | edition2.cnn.com | | 5

Web traffic (HTTP/HTTPS) - Top 50 incoming connections for the 172.17.1.15 firewall:
No | Source IP | Source Host | Destination IP | Destination Host | Connections | Comments
1 | 209.164.24.114 | 209.164.24.114.ptr.us.xo.net | 172.17.1.40 | | 1 |
2 | 210.117.67.213 | | 172.17.1.40 | | 1 |
3 | 66.194.6.70 | 66-194-6-70.gen.twtelecom.net | 172.17.1.40 | | 1 |

Email (SMTP) - Top 50 outbound connections for the 172.17.1.15 firewall:

Email (SMTP) - Top 50 inbound connections for the 172.17.1.15 firewall: