EventId.Net - Firewalls
Analyzing Cisco Pix firewall logs with FireGen Log Analyzer - A firewall administrator diary

All the notes on this page are derived from our daily analysis of our Cisco Pix firewall logs using FireGen for Pix Log Analyzer, Version 2.0.

March 23, 2004
We noticed today that, for some reason, no spoofing attempts were recorded (attempts using the 127.0.0.1 IP address). We will try to see whether any other traffic patterns may have had an effect on this (presuming that it was not an attack but rather some misconfigured servers).
The "Web traffic - Top visited web sites" section placed a certain site in the top 3, based on the number of connections. We knew about that site and knew that it had only been visited once. The conclusion is that the number of connections is not always a good indicator of which site is the most visited, but rather of which site has the most "components" (i.e. images and various pages). Accessing a web page with, let's say, 3 images will cause 4 connections: one for the page itself and 3 for the images.

In the "Email (SMTP) - Top outbound connections" section we noticed that our email server had over 50 connections to 66.7.128.123. For our company it is not typical to have that many connections to a single server. The IP address would not resolve to a name. We tried to telnet to it on port 25 (SMTP) but got no response. The conclusion was that the IP points to the MX record for some domain but the server is not running. Our email server probably had an email to deliver and tried several times (hence the large number of connections). These connections were not, in fact, successful connections.

March 22, 2004
The SMTP inbound connections report section is showing several connections from 216.5.163.55 (data1.exhedra.com). We do not have any particular relations with this company, so most probably it is used by a spammer. We put this IP address on the Monitor IP Addresses list. In the future, if this IP appears again in the reports, it will be highlighted. We plan to create an access-list to deny access from known spammers.
The "Denied protocols" list was showing quite a few denied connections for TCP/55728. We researched this through the protocol links at www.eventid.net but couldn't find any references.
We cross-referenced this with the "Denied connections" section and found that this protocol was used by sites.techtarget.com, a site hosting technical documentation. We are subscribed to a couple of their security-related mailing lists. So most probably this is not a scan for Trojans but connections denied due to Internet latency.
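Added example, not part of the original diary and not FireGen's own code: a small Python script that runs the checks from the March 22 and March 23 entries over a handful of constructed PIX 6.x syslog lines (302013 "Built", 302014 "Teardown" and 106023 "Deny" messages). It reports the raw connection count next to the number of distinct inside clients per web server (one client opening four connections is one page with three components, not four visits), counts outbound SMTP attempts that the remote host never answered (PIX tears those down with reason "SYN Timeout" and 0 bytes), flags inbound connections from a "Monitor IP Addresses" watchlist, and tells a denied packet that belongs to a connection just torn down (a late packet, the TCP/55728 case) apart from an unsolicited one. All addresses, connection IDs and the watchlist entry are constructed, and the script assumes the PAT port equals the inside port, which holds for these sample lines.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of PIX 6.x syslog lines (not from the author's firewall).
# 203.0.113.5 is the firewall's outside (PAT) address; 10.1.1.0/24 is the inside net.
SAMPLE_LOG = """\
%PIX-6-302013: Built outbound TCP connection 1001 for outside:192.0.2.10/80 (192.0.2.10/80) to inside:10.1.1.50/3001 (203.0.113.5/3001)
%PIX-6-302013: Built outbound TCP connection 1002 for outside:192.0.2.10/80 (192.0.2.10/80) to inside:10.1.1.50/3002 (203.0.113.5/3002)
%PIX-6-302013: Built outbound TCP connection 1003 for outside:192.0.2.10/80 (192.0.2.10/80) to inside:10.1.1.50/3003 (203.0.113.5/3003)
%PIX-6-302013: Built outbound TCP connection 1004 for outside:192.0.2.10/80 (192.0.2.10/80) to inside:10.1.1.50/3004 (203.0.113.5/3004)
%PIX-6-302013: Built outbound TCP connection 1005 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:10.1.1.51/3005 (203.0.113.5/3005)
%PIX-6-302013: Built outbound TCP connection 1006 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:10.1.1.52/3006 (203.0.113.5/3006)
%PIX-6-302014: Teardown TCP connection 1001 for outside:192.0.2.10/80 to inside:10.1.1.50/3001 duration 0:00:01 bytes 4512 TCP FINs
%PIX-6-302013: Built outbound TCP connection 1007 for outside:192.0.2.99/25 (192.0.2.99/25) to inside:10.1.1.25/4001 (203.0.113.5/4001)
%PIX-6-302014: Teardown TCP connection 1007 for outside:192.0.2.99/25 to inside:10.1.1.25/4001 duration 0:00:30 bytes 0 SYN Timeout
%PIX-6-302013: Built outbound TCP connection 1008 for outside:192.0.2.99/25 (192.0.2.99/25) to inside:10.1.1.25/4002 (203.0.113.5/4002)
%PIX-6-302014: Teardown TCP connection 1008 for outside:192.0.2.99/25 to inside:10.1.1.25/4002 duration 0:00:30 bytes 0 SYN Timeout
%PIX-6-302013: Built inbound TCP connection 1009 for outside:198.51.100.200/41234 (198.51.100.200/41234) to inside:10.1.1.25/25 (203.0.113.5/25)
%PIX-4-106023: Deny tcp src outside:192.0.2.10/80 dst inside:203.0.113.5/3001 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:203.0.113.77/6000 dst inside:203.0.113.5/55728 by access-group "outside_in"
"""

BUILT = re.compile(
    r"302013: Built (?P<dir>inbound|outbound) TCP connection (?P<cid>\d+) for "
    r"outside:(?P<rip>[\d.]+)/(?P<rport>\d+) \S+ to inside:(?P<lip>[\d.]+)/(?P<lport>\d+)")
TEARDOWN = re.compile(
    r"302014: Teardown TCP connection (?P<cid>\d+) for outside:(?P<rip>[\d.]+)/(?P<rport>\d+) "
    r"to inside:(?P<lip>[\d.]+)/(?P<lport>\d+) duration (?P<dur>\S+) bytes (?P<nbytes>\d+)\s*(?P<reason>.*)")
DENY = re.compile(
    r"106023: Deny (?P<proto>tcp|udp) src outside:(?P<rip>[\d.]+)/(?P<rport>\d+) "
    r"dst inside:(?P<lip>[\d.]+)/(?P<lport>\d+)")


def parse(log_text):
    """Split the syslog text into lists of built / teardown / deny event dicts."""
    built, torn, denied = [], [], []
    for line in log_text.splitlines():
        if (m := BUILT.search(line)):
            built.append(m.groupdict())
        elif (m := TEARDOWN.search(line)):
            torn.append(m.groupdict())
        elif (m := DENY.search(line)):
            denied.append(m.groupdict())
    return built, torn, denied


def top_web_sites(built):
    """Per remote web server: (raw connection count, distinct inside clients).
    Many connections from a single client is one page with many components."""
    conns, clients = Counter(), defaultdict(set)
    for ev in built:
        if ev["dir"] == "outbound" and ev["rport"] in ("80", "443"):
            conns[ev["rip"]] += 1
            clients[ev["rip"]].add(ev["lip"])
    return {ip: (conns[ip], len(clients[ip])) for ip in conns}


def failed_smtp_deliveries(torn):
    """Outbound SMTP connections the remote host never answered: PIX tears them
    down with reason 'SYN Timeout' and 0 bytes. Repeated hits on one IP look
    like a mail server retrying an unreachable MX, not delivered mail."""
    failed = Counter()
    for ev in torn:
        if ev["rport"] == "25" and ev["nbytes"] == "0" and ev["reason"].strip() == "SYN Timeout":
            failed[ev["rip"]] += 1
    return dict(failed)


def watchlist_hits(built, watchlist):
    """Sources of inbound connections that are on the 'Monitor IP Addresses' list."""
    return sorted({ev["rip"] for ev in built if ev["dir"] == "inbound" and ev["rip"] in watchlist})


def classify_denies(torn, denied):
    """A denied packet whose (remote ip, remote port, our port) matches a torn-down
    connection is a late packet for a closed session; anything else is unsolicited.
    Assumption: the PAT port equals the inside port (true for the sample lines)."""
    closed = {(ev["rip"], ev["rport"], ev["lport"]) for ev in torn}
    verdicts = {}
    for ev in denied:
        key = (ev["rip"], ev["rport"], ev["lport"])
        verdict = "late packet for closed connection" if key in closed else "unsolicited"
        verdicts[(ev["rip"], ev["lport"])] = verdict
    return verdicts


if __name__ == "__main__":
    built, torn, denied = parse(SAMPLE_LOG)
    print("web sites (connections, distinct clients):", top_web_sites(built))
    print("failed outbound SMTP attempts:", failed_smtp_deliveries(torn))
    print("watchlist hits:", watchlist_hits(built, {"198.51.100.200"}))
    print("denied packets:", classify_denies(torn, denied))
```

On the sample, 192.0.2.10 has four connections but a single client, so it is one visit with components, while 198.51.100.7 has two connections from two clients. The two SMTP teardowns to 192.0.2.99 carry "SYN Timeout" and 0 bytes, which is the signature of the "over 50 connections" case above: a mail server retrying a host that never answers. The first deny is the server's late packet for connection 1001, the second has no matching session and deserves the Monitor-list treatment.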

March 20, 2004
Today we analyzed the "Protocols - ordered by connections" and "Protocols - ordered by traffic" sections. One thing that one can see is that Pix does not record the UDP traffic (the number of bytes). That's why one can see some protocols as having "connections" but they do not show up in the "traffic" list. For example, DNS requests (UDP/53), syslog (UDP/514), SNMP (UDP/161) and so on. That does not mean that these protocols do not generate traffic. Logs can be deceiving and one cannot rely on just one set of data. In a similar fashion, PIX may be "missing" other types of data.

Another aspect of the protocol statistics is that the protocol generating the most connections is not necessarily the one generating the most traffic. It is interesting to investigate what takes more resources from the firewall and your Internet pipe.

One interesting analogy is with a project we managed for a large retailer: the implementation of an enterprise-level backup system. We would use the latest 9840 StorageTek tape drives, with a capacity (at that time) of 10 MB/s "head-to-tape". The tests that we performed with a small amount of data did not impress us at all; it was actually worse than the good old DLT. It turned out that we did not feed it enough data. The tape drive would write some data to the tape, stop and wait for more, write again, and so on. Once we started feeding it GBs of data from several systems, the drive would "fly" at 1 GB/minute (this was back in 1999!). In a similar way, the firewall may be affected more by many short connections than by a large download. This may affect who you see as the main users of your Internet resources.


EventID.Net © 2001-2008 Altair Technologies Ltd., All rights reserved