EventId.Net - Firewalls
Analyzing Cisco Pix firewall logs with FireGen Log Analyzer - A firewall administrator diary

All the notes on this page are derived from our daily analysis of our Cisco Pix firewall logs using FireGen for Pix Log Analyzer, Version 2.0. To cross-reference the report sections mentioned in these articles, see the sample report. As a demo, you may send us one of your logs, and we will analyze it with FireGen and send you back the report along with a short analysis from our consultants.

See the Summary of the recommendations.

June 1, 2004
A quick look at today's report indicated 15 types of messages instead of the usual 12. Further analysis showed a series of probes (with TCP/0 as the source port) and some firewall management sessions (performed by our admins). Again, we reemphasize the recommendation to "remember" the usual number of message types that your firewall reports. Different versions of the Pix firmware generate a different number of distinct messages for the same type of traffic. In our case, a Pix running 6.1.x generates 12 while a Pix running 6.3.x generates 16; the 6.3.x firmware reports more detail.

May 23-25, 2004
The "Message types distribution" section indicated the 12 types of messages we have learned to expect on "normal" days. The reports showed the regular spammers, worms, trojans and other critters affecting the Internet. The "incoming" SMTP connections section indicated a large file transfer from one host. We advised the users to avoid sending large files via email and instead post them on our secure downloads web site.

May 21, 2004
Today we noticed in the "Message types distribution" section that there were more types of messages than we usually see. We found that a new message "Invalid transport field for protocol=6, from 210.23.172.135/0 to 209.161.200.228/1080" was recorded. Protocol number 6 is "TCP" and this request was considered invalid because it specified "0" as the source port (not a valid source port). The destination port was 1080, typically used by SOCKS proxies. Most probably, then, this was a scan for open proxies.
In the "Email (SMTP) Inbound connections" section we found some of the spammers that we tagged for monitoring. We may deny their access through access lists.
The "Denied connections" section showed the usual cohort of worms trying to use NetBIOS, MS RPC and various backdoors installed by worms. The top offenders (obtained via the "Denied IP Addresses" section) were IP addresses belonging to customers of our ISP. Practically any public address that we own is targeted on an hourly basis.

May 18, 2004
The worm using TCP/5000 seems to be the Kibuv worm, trying to use a vulnerability in the UPnP (Universal Plug and Play) implementation in Windows systems. Having the latest hotfixes from Microsoft should protect an exposed system. Of course, with a firewall in place blocking this port there is no danger, but people who take their systems home (i.e. laptop users) might get infected and bring the worm behind the firewall.

May 17, 2004
Most of the entries in the denied protocols section in the last report were for TCP/5000, a backdoor port used by the AgoBot worm. It is possible that it is just a new flavor of Sasser, but the major antivirus websites did not provide any information about this. We noticed a spike in port scans for this port on the Internet Storm Center site.
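The checks described in these diary entries (comparing today's set of message types against the usual one, spotting "Invalid transport field" probes with a source port of 0, and ranking denied connections by destination port and by source address, as in the TCP/5000 and "Denied IP Addresses" notes) can be scripted directly against the Pix syslog output. The following is an added example, not FireGen's code or anything from the original page. It assumes the standard `%PIX-<severity>-<message id>:` syslog prefix, that access-list denies carry message id 106023 and invalid transport fields message id 500004 (both taken from the Pix syslog message catalogue, not from the page), and a constructed sample log in which only the "Invalid transport field" text is reused from the May 21 entry; the baseline set of message ids is likewise constructed for illustration.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Syslog prefix emitted by the Pix: %PIX-<severity>-<6-digit message id>: <text>
PIX_RE = re.compile(r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")
# Body of an access-list deny (message id 106023, assumed from the Pix message catalogue)
DENY_RE = re.compile(
    r"Deny (?P<proto>tcp|udp) src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
# Body of an invalid transport field message (message id 500004, assumed likewise)
INVALID_RE = re.compile(
    r"Invalid transport field for protocol=(?P<proto>\d+), "
    r"from (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Constructed sample log (documentation addresses); only the 500004 text comes from the page.
SAMPLE_LOG = """\
Jun 01 2004 08:15:02: %PIX-6-302013: Built inbound TCP connection 41233 for outside:203.0.113.5/34567 (203.0.113.5/34567) to inside:192.0.2.25/25 (198.51.100.25/25)
Jun 01 2004 08:15:09: %PIX-6-302014: Teardown TCP connection 41233 for outside:203.0.113.5/34567 to inside:192.0.2.25/25 duration 0:00:07 bytes 2310 TCP FINs
Jun 01 2004 08:16:41: %PIX-4-106023: Deny tcp src outside:203.0.113.77/3021 dst inside:198.51.100.10/5000 by access-group "outside_access_in"
Jun 01 2004 08:16:42: %PIX-4-106023: Deny tcp src outside:203.0.113.77/3022 dst inside:198.51.100.11/5000 by access-group "outside_access_in"
Jun 01 2004 08:16:43: %PIX-4-106023: Deny tcp src outside:203.0.113.77/3023 dst inside:198.51.100.12/5000 by access-group "outside_access_in"
Jun 01 2004 08:17:05: %PIX-4-106023: Deny tcp src outside:203.0.113.9/4410 dst inside:198.51.100.10/445 by access-group "outside_access_in"
Jun 01 2004 08:17:06: %PIX-4-106023: Deny tcp src outside:203.0.113.9/4411 dst inside:198.51.100.10/135 by access-group "outside_access_in"
Jun 01 2004 08:20:30: %PIX-4-500004: Invalid transport field for protocol=6, from 210.23.172.135/0 to 209.161.200.228/1080
Jun 01 2004 08:25:00: %PIX-5-111008: User 'enable_15' executed the 'write memory' command.
"""

# Constructed "normal day" set of message ids; in practice record it from several quiet days.
BASELINE_MSGIDS = {"302013", "302014", "106023"}


def parse_pix_log(text: str) -> List[Dict[str, str]]:
    """Split a log into records with severity, message id and message text; skip non-Pix lines."""
    records = []
    for line in text.splitlines():
        m = PIX_RE.search(line)
        if m:
            records.append(m.groupdict())
    return records


def message_type_distribution(records: List[Dict[str, str]]) -> Counter:
    """Count how often each message id occurs (the 'Message types distribution' section)."""
    return Counter(r["msgid"] for r in records)


def unexpected_message_types(records, baseline=BASELINE_MSGIDS) -> List[str]:
    """Message ids seen today that are not in the remembered baseline set."""
    return sorted(set(message_type_distribution(records)) - set(baseline))


def invalid_transport_probes(records) -> List[Tuple[str, str, int]]:
    """(src, dst, dport) for invalid transport field messages whose source port is 0."""
    hits = []
    for r in records:
        if r["msgid"] != "500004":
            continue
        m = INVALID_RE.match(r["text"])
        if m and m.group("sport") == "0":
            hits.append((m.group("src"), m.group("dst"), int(m.group("dport"))))
    return hits


def denied_connections(records) -> List[Dict[str, str]]:
    """Parsed fields of every access-list deny message."""
    out = []
    for r in records:
        if r["msgid"] == "106023":
            m = DENY_RE.match(r["text"])
            if m:
                out.append(m.groupdict())
    return out


def top_denied_ports(records, n: int = 3) -> List[Tuple[int, int]]:
    """Most-hit destination ports among denied connections (e.g. a TCP/5000 worm spike)."""
    return Counter(int(d["dport"]) for d in denied_connections(records)).most_common(n)


def top_denied_sources(records, n: int = 3) -> List[Tuple[str, int]]:
    """Top offending source addresses (the 'Denied IP Addresses' section)."""
    return Counter(d["src"] for d in denied_connections(records)).most_common(n)


if __name__ == "__main__":
    recs = parse_pix_log(SAMPLE_LOG)
    print("message types:", dict(message_type_distribution(recs)))
    print("new message types today:", unexpected_message_types(recs))
    print("source-port-0 probes:", invalid_transport_probes(recs))
    print("top denied ports:", top_denied_ports(recs))
    print("top denied sources:", top_denied_sources(recs))
```

On the sample log this reports five message types against a baseline of three, flagging 500004 (the probe) and 111008 (the management session) as the two newcomers, which mirrors the June 1 entry; the baseline set should be recorded per firmware version, since the diary notes that 6.1.x and 6.3.x produce different counts for the same traffic.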

Pix Analysis Archives:
May 1 - May 10 2004
April 21 - April 29 2004
April 13 - April 16 2004
April 2 - April 6 2004
March 29 - March 31 2004
March 25 - March 26 2004
March 20 - March 23 2004
March 12 - March 19 2004
March 8 - March 11 2004

Legal - EventID.Net © 2001-2008 Altair Technologies Ltd., All rights reserved