Altair Technologies - "sample" firewall log analysis for the period
Thu Mar 11 00:00:00 2004 to Thu Mar 11 23:59:59 2004
| Firewall | First message | Last message |
| --- | --- | --- |
| 172.17.1.15 | 03/11/04 00:00:31 | 03/11/04 18:01:05 |

Sections: Summary, Message types, Message Details, Protocols, Traffic, Denials, VPN/IDS/Management

| Analyzed log(s) | Log size (kb) | Log entries | Log type |
| --- | --- | --- | --- |
| C:\Program Files\FireGenPix2\Sample\syslog-2004-03-11.log | 1,889.86 | 10,784 | Comma separated with no firewall time stamp (0) |

| Level | Severity | Description | Total |
| --- | --- | --- | --- |
| 1 | Alert | Immediate action needed | 0 |
| 2 | Critical | Critical condition | 1 |
| 3 | Error | Error condition | 365 |
| 4 | Warning | Warning condition | 4 |
| 5 | Notification | Normal but significant condition | 754 |
| 6 | Informational | Informational message only | 9,657 |
| 7 | Debugging | Appears during debugging only | 1 |
| Total | | | 10,782 |


| No | Code | Total | Example |
| --- | --- | --- | --- |
| 1 | 2-106017 | 1 | Deny IP due to Land Attack from 64.53.150.209 to 209.161.200.227 |
| 2 | 3-106011 | 363 | Deny inbound (No xlate) udp src outside:61.221.171.82/3273 dst outside:209.161.200.230/1434 |
| 3 | 3-315004 | 2 | Fail to establish SSH session because PIX RSA host key retrieval failed. |
| 4 | 4-106023 | 2 | Deny tcp src inside:172.17.1.102/4177 dst outside:69.6.57.7/80 by access-group "acl_inbound" |
| 5 | 4-400013 | 1 | IDS:2003 ICMP redirect from 64.53.150.209 to 192.168.1.1 on interface outside |
| 6 | 4-400032 | 1 | IDS:4051 UDP Snork attack from 64.53.150.209 to 192.168.1.1 on interface outside |
| 7 | 5-111001 | 2 | Begin configuration: 172.17.1.102 writing to memory |
| 8 | 5-111004 | 2 | 172.17.1.102 end configuration: OK |
| 9 | 5-111005 | 2 | console end configuration: OK |
| 10 | 5-111007 | 8 | Begin configuration: console reading from terminal |
| 11 | 5-304001 | 740 | 172.17.1.70 Accessed URL 65.54.194.117:/ADSAdClient31.dll?GetAd?PG=NBCHIA?AP=?TF=_blank |
| 12 | 6-106015 | 248 | Deny TCP (no connection) from 208.254.18.131/80 to 209.161.200.226/42436 flags ACK on interface outside |
| 13 | 6-109005 | 1 | Authentication succeeded for user 'jmoore' from 209.161.200.235/0 to 0.0.0.0/0 on interface IKE-XAUTH |
| 14 | 6-109011 | 1 | Authen Session Start: user 'jmoore', sid 3 |
| 15 | 6-302001 | 1,645 | Built outbound TCP connection 364050 for faddr 65.54.194.117/80 gaddr 209.161.200.226/42445 laddr 172.17.1.70/2722 |
| 16 | 6-302002 | 1,646 | Teardown TCP connection 364041 faddr 64.14.131.71/80 gaddr 209.161.200.226/42439 laddr 172.17.1.70/2711 duration 0:00:51 bytes 6842 (TCP Reset-I) |
| 17 | 6-302005 | 1,194 | Built UDP connection for faddr 207.136.100.40/7097 gaddr 209.161.200.226/37745 laddr 172.17.1.40/1035 |
| 18 | 6-302006 | 1,186 | Teardown UDP connection for faddr 207.136.100.40/7097 gaddr 209.161.200.226/37745 laddr 172.17.1.40/1035 |
| 19 | 6-302010 | 107 | 6 in use, 114 most used |
| 20 | 6-303002 | 39 | 172.17.1.102 Retrieved 205.227.137.57:delta.ini |
| 21 | 6-305001 | 1,792 | Portmapped translation built for gaddr 209.161.200.226/42447 laddr 172.17.1.70/2731 |
| 22 | 6-305004 | 1,779 | Teardown portmap translation for global 209.161.200.226/42445 local 172.17.1.70/2722 |
| 23 | 6-307002 | 6 | Permitted Telnet login session from 172.17.1.102 |
| 24 | 6-315002 | 1 | Permitted SSH session from 172.17.1.102 on interface inside for user "pix" |
| 25 | 6-315003 | 2 | SSH login session failed from 172.17.1.102 (3 attempts) on interface inside by user "" |
| 26 | 6-315011 | 5 | SSH session from 172.17.1.102 on interface inside for user "pix" terminated normally |
| 27 | 6-602301 | 2 | sa created, (sa) sa_dest= 209.161.200.235, sa_prot= 50, sa_spi= 0xa6afc495(2796536981), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 9 |
| 28 | 6-602302 | 3 | deleting SA, (sa) sa_dest= 209.161.200.235, sa_prot= 50, sa_spi= 0x3de88ffc(1038651388), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2 |
| 29 | 7-702301 | 1 | lifetime expiring, (sa) sa_dest= 209.161.200.226, sa_prot= 50, sa_spi= 0x21a09f69(564174697), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 1, (identity) local= 209.161.200.226, remote= 209.161.200.235, local_proxy |



| No | Source IP | Source Host | Destination IP | Destination Host | Connections | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | 209.164.24.114 | 209.164.24.114.ptr.us.xo.net | 172.17.1.40 | | 1 | |
| 2 | 210.117.67.213 | | 172.17.1.40 | | 1 | |
| 3 | 66.194.6.70 | 66-194-6-70.gen.twtelecom.net | 172.17.1.40 | | 1 | |

| No | Source IP | Source Host | Destination IP | Destination Host | Connections | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | 172.17.1.40 | | 65.182.142.112 | cashrich.org | 20 | |
| 2 | 172.17.1.40 | | 69.50.208.107 | mymail.magi.net | 2 | |
| 3 | 172.17.1.40 | | 208.213.162.21 | office.net-works.com | 2 | |
| 4 | 172.17.1.40 | | 66.180.119.165 | | 2 | |
| 5 | 172.17.1.40 | | 129.7.104.60 | uhdlx13.dt.uh.edu | 1 | |
| 6 | 172.17.1.40 | | 67.97.239.131 | mail.ryanco.com | 1 | |
| 7 | 172.17.1.40 | | 212.113.20.197 | | 1 | |
| 8 | 172.17.1.40 | | 64.4.50.99 | mail.hotmail.com | 1 | |
| 9 | 172.17.1.40 | | 66.185.95.98 | esmtp-pre0707.bloor.is.net.cable.rogers.com | 1 | |
| 10 | 172.17.1.40 | | 216.200.145.35 | sitemail.everyone.net | 1 | |
| 11 | 172.17.1.40 | | 216.93.166.122 | 216.93.166.122.hera.net | 1 | |
| 12 | 172.17.1.102 | | 64.235.234.140 | europa.lunarpages.com | 1 | |
| 13 | 172.17.1.40 | | 216.92.192.163 | qs666.pair.com | 1 | |
| 14 | 172.17.1.40 | | 65.39.203.11 | mail.support1.net | 1 | |
| 15 | 172.17.1.40 | | 207.217.121.218 | pop08.earthlink.net | 1 | |
| 16 | 172.17.1.102 | | 66.30.36.214 | c-66-30-36-214.hsd1.ma.comcast.net | 1 | |
| 17 | 172.17.1.40 | | 199.181.134.14 | webmailmta.go.com | 1 | |

| No | Source IP | Source Host | Destination IP | Destination Host | Protocol | Connections | Direction | Comments |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | 172.17.1.102 | | 64.235.234.140 | europa.lunarpages.com | TCP/110 - pop3 | 51 | out | |
| 2 | 80.97.48.21 | dev21.histria.ro | 172.17.1.40 | | TCP/143 - imap | 37 | in | |
| 3 | 69.19.34.66 | dpc691934066.direcpc.com | 172.17.1.40 | | TCP/143 - imap | 35 | in | |
| 4 | 64.228.41.54 | Toronto-ppp226571.sympatico.ca | 172.17.1.40 | | TCP/143 - imap | 12 | in | |
| 5 | 195.20.106.85 | | 172.17.1.40 | | TCP/110 - pop3 | 11 | in | |
| 6 | 80.97.89.49 | | 172.17.1.40 | | TCP/143 - imap | 10 | in | |
| 7 | 217.19.7.89 | net2-89.seanet.ro | 172.17.1.40 | | TCP/143 - imap | 3 | in | |
| 8 | 172.17.1.102 | | 209.161.200.227 | mx1.altairtech.ca | TCP/143 - imap | 1 | out | |

| No | Source IP | Source Host | Destination IP | Destination Host | Connections | Direction | Comments |
| --- | --- | --- | --- | --- | --- | --- | --- |
| No Gnutella connections recorded. Logging level 6 required for this type of information. | | | | | | | |

| No | Source IP | Source Host | Destination IP | Destination Host | Connections | Direction | Comments |
| --- | --- | --- | --- | --- | --- | --- | --- |
| No RDP connections recorded. Logging level 6 required for this type of information. | | | | | | | |

| No | Source IP | Source Host | Destination IP | Destination Host | Protocol | Connections | Direction | Comments |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| No SSH/Telnet connections recorded. Logging level 6 required for this type of information. | | | | | | | | |

| No | Protocol | Connections | % |
| --- | --- | --- | --- |
| 1 | UDP/1024+ - dns | 1,132 | 39.87 |
| 2 | TCP/80 - http | 914 | 32.19 |
| 3 | TCP/25 - smtp | 367 | 12.92 |
| 4 | TCP/443 - ssl-https | 121 | 4.26 |
| 5 | TCP/143 - imap | 98 | 3.45 |
| 6 | TCP/110 - pop3 | 62 | 2.18 |
| 7 | TCP/20 - ftp-data | 40 | 1.4 |
| 8 | UDP/514 - syslog | 39 | 1.37 |
| 9 | TCP/21 - ftp | 38 | 1.33 |
| 10 | UDP/138 - netbios-dgm | 16 | 0.56 |
| 11 | UDP/428 | 5 | 0.17 |
| 12 | TCP/5050 - yahoo messenger | 2 | 0.07 |
| 13 | TCP/5190 - icq | 2 | 0.07 |
| 14 | TCP/389 - ldap | 1 | 0.03 |
| 15 | UDP/370 - nai-antivirus-securecast | 1 | 0.03 |
| 16 | UDP/123 - ntp | 1 | 0.03 |

| No | Protocol | Total Traffic | % | Bytes In | Bytes Out |
| --- | --- | --- | --- | --- | --- |
| 1 | TCP/80 - http | 48,944,886 | 86.97 | 2,860 | 48,942,026 |
| 2 | TCP/20 - ftp-data | 3,913,608 | 6.95 | 0 | 3,913,608 |
| 3 | TCP/25 - smtp | 1,748,621 | 3.11 | 1,600,946 | 147,675 |
| 4 | TCP/443 - ssl-https | 1,040,378 | 1.85 | 0 | 1,040,378 |
| 5 | TCP/143 - imap | 572,488 | 1.02 | 572,488 | 0 |
| 6 | TCP/110 - pop3 | 27,467 | 0.05 | 15,002 | 12,465 |
| 7 | TCP/21 - ftp | 16,221 | 0.03 | 0 | 16,221 |
| 8 | TCP/5050 - yahoo messenger | 6,236 | 0.01 | 0 | 6,236 |
| 9 | TCP/5190 - icq | 5,971 | 0.01 | 0 | 5,971 |
| Total | | | 0 | 2,191,296 | 54,084,580 |
| Unknown | Traffic that could not be mapped to a specific protocol or as inbound/outbound | 1,885,206 | | | |


| No | FTP client IP | FTP client host | FTP server IP | FTP server host | File | Count | Comments |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | 172.17.1.40 | | 216.218.202.31 | | nvc5.txt | 11 | |
| 2 | 172.17.1.40 | | 216.218.202.31 | | bitdefender.txt | 10 | |
| 3 | 172.17.1.40 | | 216.218.202.31 | | eed.txt | 10 | |
| 4 | 172.17.1.102 | | 205.227.137.57 | | delta.ini | 1 | |
| 5 | 172.17.1.102 | | 205.227.137.57 | | update.ini | 1 | |
| 6 | 172.17.1.40 | | 216.218.202.31 | | nvc5.zip | 1 | |
| 7 | 172.17.1.40 | | 216.218.202.31 | | bitdefender.zip | 1 | |
| 8 | 172.17.1.40 | | 209.61.184.105 | server1.gfi.com | eed.txt | 1 | |
| 9 | 172.17.1.40 | | 216.218.202.31 | | eed.zip | 1 | |
| 10 | 172.17.1.40 | | 209.61.184.105 | server1.gfi.com | bitdefender.txt | 1 | |
| 11 | 172.17.1.40 | | 209.61.184.105 | server1.gfi.com | nvc5.txt | 1 | |

| No | FTP client IP | FTP client host | FTP server IP | FTP server host | File | Count | Comments |
| --- | --- | --- | --- | --- | --- | --- | --- |
| No FTP uploads recorded. Level 5 (Notification) logging is required to capture FTP uploads. | | | | | | | |

| No | Source IP | Source Host | Connections | Protocols | Traffic (kb) | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | 172.17.1.102 | | 749 | TCP/143 - imap, TCP/80 - http, TCP/5050 - yahoo messenger, TCP/20 - ftp-data, TCP/389 - ldap, TCP/21 - ftp, TCP/110 - pop3, TCP/443 - ssl-https, TCP/25 - smtp, TCP/5190 - icq | 40,083.98 | Potentially performed a port scan or may be running many network-related applications. |
| 2 | 172.17.1.70 | | 387 | TCP/80 - http, TCP/443 - ssl-https | 8,756.90 | |
| 3 | 172.17.1.40 | | 129 | TCP/80 - http, TCP/20 - ftp-data, TCP/21 - ftp, TCP/25 - smtp | 3,976.09 | |


| Hours | Bytes Inbound | Bytes Outbound | Bytes Unknown | Bytes Total | % | Denials |
| --- | --- | --- | --- | --- | --- | --- |
| 00 - 01 | 33,273 | 5,156 | 0 | 38,429 | 0.07 | 15 |
| 01 - 02 | 169,945 | 1,342 | 0 | 171,287 | 0.29 | 19 |
| 02 - 03 | 26,852 | 1,341 | 0 | 28,193 | 0.05 | 32 |
| 03 - 04 | 187,595 | 19,082 | 0 | 206,677 | 0.36 | 31 |
| 04 - 05 | 65,054 | 1,341 | 0 | 66,395 | 0.11 | 18 |
| 05 - 06 | 47,302 | 2,517,485 | 0 | 2,564,787 | 4.41 | 37 |
| 06 - 07 | 47,479 | 1,340 | 0 | 48,819 | 0.08 | 26 |
| 07 - 08 | 91,452 | 45,456 | 0 | 136,908 | 0.24 | 39 |
| 08 - 09 | 342,454 | 1,338 | 0 | 343,792 | 0.59 | 46 |
| 09 - 10 | 131,021 | 1,353,340 | 0 | 1,484,361 | 2.55 | 23 |
| 10 - 11 | 156,091 | 256,784 | 0 | 412,875 | 0.71 | 17 |
| 11 - 12 | 31,001 | 830,613 | 47,416 | 909,030 | 1.56 | 52 |
| 12 - 13 | 171,914 | 456,605 | 0 | 628,519 | 1.08 | 26 |
| 13 - 14 | 37,390 | 859,558 | 1,837,790 | 2,734,738 | 4.70 | 41 |
| 14 - 15 | 114,875 | 9,688,110 | 0 | 9,802,985 | 16.85 | 55 |
| 15 - 16 | 27,803 | 26,946 | 0 | 54,749 | 0.09 | 39 |
| 16 - 17 | 472,914 | 8,462,245 | 0 | 8,935,159 | 15.36 | 45 |
| 17 - 18 | 36,881 | 29,313,505 | 0 | 29,350,386 | 50.46 | 53 |
| 18 - 19 | 0 | 242,993 | 0 | 242,993 | 0.42 | 0 |
| 19 - 20 | 0 | 0 | 0 | 0 | 0 | 0 |
| 20 - 21 | 0 | 0 | 0 | 0 | 0 | 0 |
| 21 - 22 | 0 | 0 | 0 | 0 | 0 | 0 |
| 22 - 23 | 0 | 0 | 0 | 0 | 0 | 0 |
| 23 - 24 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 2,191,296 | 54,084,580 | 1,885,206 | 58,161,082 | | 614 |
| Total | 2,140 kb | 52,817 kb | 1,841 kb | 56,798 kb | | |


| No | Protocol | Reason | Count |
| --- | --- | --- | --- |
| 1 | TCP/80 - http | No connection | 116 |
| 2 | TCP/135 - ms rpc | No xlate | 53 |
| 3 | TCP/25 - smtp | No connection | 22 |
| 4 | TCP/143 - imap | No connection | 22 |
| 5 | ICMP/8 - echo | No xlate | 16 |
| 6 | TCP/445 - netbios-ds | No xlate | 11 |
| 7 | TCP/443 - ssl-https | No connection | 10 |
| 8 | TCP/443 - ssl-https | No xlate | 3 |
| 9 | TCP/139 - netbios-ssn | No xlate | 3 |
| 10 | TCP/21 - ftp | No xlate | 3 |



| No | Destination IP | Destination Host | Count | Comments |
| --- | --- | --- | --- | --- |
| 1 | 209.161.200.227 | mx1.altairtech.ca | 277 | |
| 2 | 209.161.200.226 | mail.altairtech.ca | 97 | |
| 3 | 209.161.200.230 | | 91 | |
| 4 | 209.161.200.228 | mx2.altairtech.ca | 90 | |
| 5 | 63.236.14.21 | h21.ip.musicmatch.com | 33 | |
| 6 | 64.4.240.67 | smtp-outbound.nix.paypal.com | 5 | |
| 7 | 199.246.67.210 | stewie.theglobeandmail.com | 3 | |
| 8 | 64.4.240.74 | smtp1.nix.paypal.com | 2 | |
| 9 | 64.4.240.75 | smtp2.nix.paypal.com | 2 | |
| 10 | 63.146.96.171 | www.homeseekers.com | 2 | |
| 11 | 69.6.57.7 | | 2 | |
| 12 | 216.218.202.31 | | 1 | |
| 13 | 216.239.51.5 | proxy.google.com | 1 | |
| 14 | 216.155.193.143 | cs16.msg.dcn.yahoo.com | 1 | |
| 15 | 217.19.7.89 | net2-89.seanet.ro | 1 | |
| 16 | 69.19.34.66 | dpc691934066.direcpc.com | 1 | |
| 17 | 217.156.36.6 | | 1 | |
| 18 | 69.60.104.201 | | 1 | |
| 19 | 172.17.1.40 | | 1 | |
| 20 | 207.149.237.213 | sodium.pdx.net | 1 | |
| 21 | 65.60.27.42 | | 1 | |

| No | Operation | Source IP | Source Host | Destination IP | Destination Host | Count | Comments |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | Tunnel deleted | - | | 209.161.200.226 | mail.altairtech.ca | 2 | Used protocol number 50 - SA parameters: esp-des esp-md5-hmac |
| 2 | Tunnel terminated | 209.161.200.226 | mail.altairtech.ca | | | 1 | Reason: Lifetime expired |
| 3 | Tunnel established | - | | 209.161.200.235 | | 1 | Using protocol number 50 - SA parameters: esp-des esp-md5-hmac |
| 4 | User authentication initiated | - | | - | | 1 | User jmoore |
| 5 | Tunnel established | - | | 209.161.200.226 | mail.altairtech.ca | 1 | Using protocol number 50 - SA parameters: esp-des esp-md5-hmac |
| 6 | Tunnel deleted | - | | 209.161.200.235 | | 1 | Used protocol number 50 - SA parameters: esp-des esp-md5-hmac |
| 7 | Authentication success | 209.161.200.235 | | 0.0.0.0 | | 1 | User jmoore via IKE-XAUTH |

| No | Source IP | Source Host | Destination IP | Destination Host | Interface | IDS Event | Count | Comments |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | 64.53.150.209 | d53-64-209-150.nap.wideopenwest.com | 192.168.1.1 | | outside | ICMP redirect (IDS signature: 2003) | 1 | |
| 2 | 64.53.150.209 | d53-64-209-150.nap.wideopenwest.com | 192.168.1.1 | | outside | UDP Snork attack (IDS signature: 4051) | 1 | |

| No | Client IP | Client host | Protocol | Count | Operation | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | 172.17.1.102 | | Terminal | 7 | Listed configuration | |
| 2 | 172.17.1.102 | | Telnet | 6 | Successful login | |
| 3 | 172.17.1.102 | | Console | 2 | Saved configuration to memory | |
| 4 | 172.17.1.102 | | Console | 2 | Finished configuration - OK | |
| 5 | console | console | Console | 1 | Ended configuration | |
| 6 | console | console | Terminal | 1 | Listed configuration | |
| 7 | 172.17.1.102 | | SSH | 1 | Failed login | (3 attempts) on interface inside by user "telnet" |
| 8 | 172.17.1.102 | | SSH | 1 | Failed login | (3 attempts) on interface inside by user "" |
| 9 | 172.17.1.102 | | Console | 1 | Ended configuration | |

| No | Operation | Count | Code |
| --- | --- | --- | --- |
| No warnings recorded. | | | |