Analyzing Cisco Pix firewall logs with FireGen Log Analyzer - A firewall administrator diary

All the notes on this page are derived from our daily analysis of our Cisco Pix firewall logs using FireGen for Pix Log Analyzer, Version 2.0. To cross-reference the report sections mentioned in these articles, see the sample report. As a demo, you may send us one of your logs, and we will analyze it with FireGen and send you back the report along with a short analysis from our consultants.

See the Summary of the recommendations.

June 30, 2004
The "Denied connections" section shows a large number of attempts by various worms to connect to NetBIOS ports (e.g. TCP/455, TCP/135), with most of the connections coming from the "neighborhood" (IP addresses from the same ISP). If your ISP tries to charge you extra for the increased traffic, you can always show them that their lack of security policies is one reason for it. Some ISPs shut down the Internet link of infected computers; having access to the routers, the ISP should be able to detect such hosts.

June 12-13, 2004
We noticed in the "Severity Level 5 (Notifications) Messages" section a URL request like "scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir". This is a typical vulnerability scan that many script kiddies use to deface IIS web servers. We put the source IP address (80.232.139.120 - apparently located in Riga, Latvia) in the IP Forensics analyzer and generated a report on its activity. We noticed that it scanned all our public IP addresses for port 80 (http) and, once it found our public web server, it tried that URL to see if we were vulnerable.
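The two checks described in the June 30 and June 12-13 entries, grouping denied NetBIOS connections by source subnet and spotting the double-encoded traversal request, as an added example that is not part of the original diary or of FireGen. The log lines are constructed in the shape of Cisco PIX 106001 (connection denied) and 304001 (Accessed URL) messages; the exact field layout is an assumption, so adjust the regexes to your own PIX version's output.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines modelled on Cisco PIX syslog messages; the exact field layout is assumed.
SAMPLE_LOG = """\
%PIX-2-106001: Inbound TCP connection denied from 192.0.2.17/3021 to 198.51.100.5/445 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 192.0.2.44/1188 to 198.51.100.5/135 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 192.0.2.17/3022 to 198.51.100.6/445 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 203.0.113.9/4040 to 198.51.100.5/25 flags SYN on interface outside
%PIX-5-304001: 198.51.100.5 Accessed URL 192.0.2.99:/scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir
%PIX-5-304001: 198.51.100.5 Accessed URL 192.0.2.99:/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir
%PIX-5-304001: 198.51.100.5 Accessed URL 192.0.2.99:/index.html
"""

DENY_RE = re.compile(r"%PIX-\d-106001: Inbound TCP connection denied from ([\d.]+)/\d+ to [\d.]+/(\d+)")
URL_RE = re.compile(r"%PIX-\d-304001: \S+ Accessed URL ([^:\s]+):(\S+)")
NETBIOS_PORTS = {135, 137, 138, 139, 445}  # NetBIOS/SMB ports the worms in the June 30 entry probe

def denied_netbios_by_subnet(log):
    """Count denied connections to NetBIOS/SMB ports, grouped by source /24 (the 'neighborhood')."""
    counts = Counter()
    for m in DENY_RE.finditer(log):
        src, dport = m.group(1), int(m.group(2))
        if dport in NETBIOS_PORTS:
            subnet = ipaddress.ip_network(src + "/24", strict=False)
            counts[str(subnet)] += 1
    return counts

def traversal_depth(url):
    """Decode passes (0-2) before '..' + separator appears, else None; %255c -> %5c -> '\\' needs two."""
    current = url
    for passes in range(3):
        if re.search(r"\.\.[\\/]", current):
            return passes
        current = unquote(current)
    return None

def suspicious_urls(log):
    """(web server, url, decode passes) for each accessed URL that carries a traversal sequence."""
    found = ((m.group(1), m.group(2), traversal_depth(m.group(2))) for m in URL_RE.finditer(log))
    return [hit for hit in found if hit[2] is not None]

if __name__ == "__main__":
    print(denied_netbios_by_subnet(SAMPLE_LOG), suspicious_urls(SAMPLE_LOG))
```

A single percent-decode would miss the second sample URL entirely, which is why the check decodes repeatedly and reports how many passes it took.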

June 10, 2004
The "Severity Level 4 (Warning) Messages" section showed several "Invalid transport field for protocol=6, from ..." messages, from different IP addresses but all within the same subnet: 210.23.172.168, 210.23.172.61, 210.23.172.242. We investigated this type of warning before and concluded that it represents a port scan, typically performed by a single computer. Having it recorded from several computers might indicate some sort of denial of service attack. However, doing a reverse-name resolution for these IP addresses through the www.eventid.net links, we noticed that their names resolve to "PROXY". So most probably this port scan is done from a single computer, with a proxy server in between that has several IP addresses (the proxy probably belongs to the ISP and may be configured as a cluster with several IP addresses). So it is not a DoS.


EventID.Net © 2001-2008 Altair Technologies Ltd., All rights reserved