EventId.Net - Firewalls
Analyzing Cisco Pix firewall logs with FireGen Log Analyzer - A firewall administrator diary

All the notes on this page are derived from our daily analysis of our Cisco Pix firewall logs using FireGen for Pix Log Analyzer, Version 2.0. To cross-reference the report sections mentioned in these articles, see the sample report.

March 26, 2004
Today we identified a couple of news sites (see the comments for yesterday) and updated our cache. From our point of view, it doesn't matter which section of a news web site is accessed (e.g. www.cnn.com vs. europe.cnn.com). Still, we would like to be able to differentiate between mail.cnn.com and www.cnn.com. We would like to clarify here that this approach is not necessarily the best, but we prefer to sacrifice some granularity for increased report "readability".
We noticed an IP address, 67.80.10.246, that made a couple of attempts to access a web site known only to a few internal employees. We added it to the "Monitored IP Addresses" list to keep an eye on it. If it tries something else in the future, FireGen will tag it.
Through the "Email (SMTP) - Top outbound connections" section we identified another domain that has problems receiving email. Our Exchange server kept retrying, generating many connections and pushing that destination to the top of the section.
The "Email (SMTP) - Top incoming connections" section identified a couple of spam servers, the most offensive being 212.162.76.47 (the www.eventid.net whois engine listed it as located in Rome, Italy). We added it to the Monitored IP Addresses list.
The "Other protocols" section showed a number of DNS requests from a desktop PC that went directly to the Internet root servers instead of to our internal DNS. It turned out that the user had installed her own DNS server because it was "more reliable". We asked her to remove it.

March 25, 2004
The "Internal IP addresses" section indicated a large number of connections on various ports from one internal host; the report actually labeled it as a potential port scan. We identified the user (a web developer) and asked him if he had run a port scan. It turned out he wanted to verify how secure one of our web servers, located in a data center, was. We asked him to leave the network-level security to us and concentrate on the application security of the web server.
In order to consolidate entries from several distinct IP addresses belonging to the same web cluster (e.g. www.yahoo.com), we modified the FireGen DNS cache so that all the hosts within those subnets are consolidated under one host name (e.g. instead of www2.cnn.com, www3.cnn.com, all the connections will be reported as going to www.cnn.com). In time we will have entries for most of the important web sites and the reports will look more coherent. This is a limitation of the way the Cisco PIX logs connections: by IP rather than by host name (and each IP resolves back to a different host name, if it resolves at all). We identified hotmail.com, google.com, msn.com, yahoo.com, cnn.com... and many more. It is interesting to see how large these clusters are, some of them spanning 15-20 servers.
The "Email (SMTP) incoming connections" section was again full of obvious spam servers. While our content filtering server (using GFI's MailEssentials) does a good job of keeping the spam out of our mailboxes, that does not mean that these servers do not connect and deliver their junk email. We may add an access-list to deal with these email servers; the reports will help us identify the most common offenders. We will add their IP addresses to the "Monitored IP Addresses" list.
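The three checks described in these two entries (a watched-address hit, one internal host fanning out across many ports, and a desktop resolving DNS on the Internet instead of through the internal resolver) can be reproduced with a few lines of Python over the PIX "Built ... connection" syslog messages. This is an added example, not FireGen's code or the report logic; the log lines, the 10.1.1.0/24 addressing and the 192.0.2.53 "root server" stand-in are constructed for illustration.

```python
import re
from collections import defaultdict
# Constructed PIX 6.x-style "Built ... connection" lines (sample data, not from the page).
SAMPLE_LOG = """\
%PIX-6-302013: Built outbound TCP connection 102 for outside:203.0.113.9/21 (203.0.113.9/21) to inside:10.1.1.77/3302 (10.1.1.77/3302)
%PIX-6-302013: Built outbound TCP connection 103 for outside:203.0.113.9/22 (203.0.113.9/22) to inside:10.1.1.77/3303 (10.1.1.77/3303)
%PIX-6-302013: Built outbound TCP connection 104 for outside:203.0.113.9/23 (203.0.113.9/23) to inside:10.1.1.77/3304 (10.1.1.77/3304)
%PIX-6-302013: Built outbound TCP connection 105 for outside:203.0.113.9/25 (203.0.113.9/25) to inside:10.1.1.77/3305 (10.1.1.77/3305)
%PIX-6-302013: Built outbound TCP connection 106 for outside:203.0.113.9/443 (203.0.113.9/443) to inside:10.1.1.77/3306 (10.1.1.77/3306)
%PIX-6-302013: Built inbound TCP connection 107 for outside:67.80.10.246/1088 (67.80.10.246/1088) to inside:10.1.1.5/80 (10.1.1.5/80)
%PIX-6-302015: Built outbound UDP connection 108 for outside:192.0.2.53/53 (192.0.2.53/53) to inside:10.1.1.2/1025 (10.1.1.2/1025)
%PIX-6-302015: Built outbound UDP connection 109 for outside:192.0.2.53/53 (192.0.2.53/53) to inside:10.1.1.33/1026 (10.1.1.33/1026)
"""

# Matches TCP (302013) and UDP (302015) build messages; whichever side is labelled "inside:" is ours.
CONN_RE = re.compile(r"Built (?:inbound|outbound) (TCP|UDP) connection \d+ "
                     r"for (\w+):([\d.]+)/(\d+) \([^)]*\) to (\w+):([\d.]+)/(\d+)")

def parse_connections(log):
    """Return one dict per connection: proto, inside_ip, outside_ip, outside_port."""
    conns = []
    for line in log.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        proto, if1, ip1, port1, if2, ip2, port2 = m.groups()
        if if1 == "inside":
            inside_ip, outside_ip, outside_port = ip1, ip2, int(port2)
        else:
            inside_ip, outside_ip, outside_port = ip2, ip1, int(port1)
        conns.append({"proto": proto, "inside_ip": inside_ip,
                      "outside_ip": outside_ip, "outside_port": outside_port})
    return conns

def monitored_hits(conns, monitored):
    """Addresses from the 'Monitored IP Addresses' list that showed up in the log."""
    return sorted({c["outside_ip"] for c in conns if c["outside_ip"] in monitored})

def port_scan_suspects(conns, min_ports=5):
    """Inside hosts that touched at least min_ports distinct outside ports (potential port scan)."""
    ports = defaultdict(set)
    for c in conns:
        ports[c["inside_ip"]].add(c["outside_port"])
    return {src: len(p) for src, p in ports.items() if len(p) >= min_ports}

def rogue_dns_clients(conns, internal_resolvers):
    """Inside hosts sending DNS (UDP/53) straight to the Internet, bypassing our resolvers."""
    return sorted({c["inside_ip"] for c in conns if c["proto"] == "UDP"
                   and c["outside_port"] == 53 and c["inside_ip"] not in internal_resolvers})
```

Feeding a day's syslog export instead of SAMPLE_LOG gives the same three lists the diary extracts by hand from the report; the internal resolver's own address must be on the allow-list or it is flagged too.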

Pix Analysis Archives:
March 20 - March 23 2004
March 12 - March 19 2004
March 8 - March 11 2004
EventID.Net © 2001-2008 Altair Technologies Ltd., All rights reserved