EventId.Net - Firewalls
Analyzing Cisco Pix firewall logs with FireGen Log Analyzer - A firewall administrator diary

All the notes on this page are derived from our daily analysis of our Cisco Pix firewall logs using FireGen for Pix Log Analyzer, Version 2.0. To cross-reference the report sections mentioned in these articles, see the sample report.

April 6, 2004
The first thing we read in the daily report is the "Message types distribution" section. This gives a quick view of the types of messages recorded by the firewall. If something unusual happened, you will see it there right away. In a matter of days, one gets used to what is "normal" for their firewall. In the protocols section we noticed traffic towards newsgroup servers. One has to pay attention to what people post, as it may affect the company. You do not want them to make sensitive information public or engage in private conversations while "representing" your company.
The "Denied connections" section showed today even more infected computers within the network of our ISP. Hopefully they won't give up tracking down and isolating the infected customers.

April 5, 2004
The "Severity level 4 (Warning) details" section showed today several port scans from IPs in the 67.234.73.x network (a UUNET user as per the www.eventid.net whois engine). The warning was recorded because the "source" port for these connections was "0", an invalid one and a footprint for port scans. Just to keep an eye on it, we have added the 67.234.73.x subnet to the Monitored IP List.
The "Denied connections" section is indicating an increased number of connection attempts from computers infected with the Bagle worm. Through the whois engine we noticed that most of these IP addresses have the same ISP as us, and this explains why we see an increased number: the worm is scanning the IP addresses in the "neighborhood" (we are in the same class B network). In such a situation, you might want to call your ISP. Our ISP is quite proactive on such issues and quick in taking the offending systems offline, or at least warning the owners.

April 2, 2004
Looking over some of the hosts listed in the report, we noticed that some of them reveal the operating system or the hardware they are running, for example owa.acme.com or checkpoint.company.com. In principle, you don't want to make the job of a potential intruder easier. You don't want to rely on obscurity for security, but that doesn't mean that you have to make public the type of software or hardware that you use. With owa.acme.com, for example, one can easily guess that they are running Outlook Web Access (and we tested it by connecting to http://owa.acme.com/exchange and got the login prompt); note that we just made up acme.com, the real domain is different. If someone discovers a vulnerability in OWA, you don't want your site to be a prime target by letting everyone know you are running it. We recommend that any host facing the Internet should have its IP resolved to something generic like mail.acme.com or firewall.acme.com. It is true that there are tools to identify the "footprint" of your gateway, but the harder it is to guess, the better. More than that, you may put them off track by having your system display a misleading banner. A few years ago, as a joke, we configured a Linux server to report "Welcome to Windows NT Telnet services" to people connecting to it via telnet (some friends of ours). All of them (that paid attention to what the banner said) believed that we were indeed running some sort of Linux emulation (judging by the names of the directories and tools available) on a Windows server! And these were senior-level IT consultants...

In the "Denied connections" section we noticed an IP that tried six times some of the known Trojan program ports. Besides these, it also tried a TCP port that we did not know about: TCP/2745. By extrapolation, we realized that this must be for another Trojan, and after some short research via the www.eventid.net TCP/IP protocols database (and through that the Internet Storm Center) we found that it was used as a backdoor for the Bagle worm.
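The two checks the diary describes (source port 0 as a port-scan footprint, and denied attempts against a known backdoor port such as TCP/2745 coming from our own class B "neighborhood") can be automated over the raw syslog lines. The script below is an added example, not FireGen's code or anything from the original page; the log lines are constructed and modelled on the PIX 106023 "Deny" message format, and the 198.51.0.0/16 "our network" range and the BACKDOOR_PORTS set are assumptions for the demonstration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines modelled on the PIX 106023 deny message
# (assumption: real lines carry a syslog timestamp/host in front of the %PIX tag).
SAMPLE_LOG = """\
%PIX-4-106023: Deny tcp src outside:67.234.73.10/0 dst inside:10.1.1.5/135 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:67.234.73.10/0 dst inside:10.1.1.5/139 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:198.51.100.7/3342 dst inside:10.1.1.5/2745 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:198.51.100.9/3344 dst inside:10.1.1.6/2745 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:203.0.113.4/51000 dst inside:10.1.1.5/80 by access-group "outside_in"
"""

# Destination ports treated as worm/backdoor footprints; TCP/2745 is the Bagle backdoor from the diary.
BACKDOOR_PORTS = {2745}
# Assumption: the class B range our public addresses live in (the "neighborhood" the worm scans).
OUR_PUBLIC_NET = ip_network("198.51.0.0/16")

DENY_RE = re.compile(
    r"%PIX-\d-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def parse_denies(text):
    """Yield one dict per 106023 deny line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            yield d

def scan_sources(text):
    """Count denies per source that used source port 0 (invalid, the scan footprint)."""
    return Counter(d["src"] for d in parse_denies(text) if d["sport"] == 0)

def backdoor_probes(text):
    """Count denied attempts against backdoor ports, keyed by (dport, source IP)."""
    return Counter((d["dport"], d["src"]) for d in parse_denies(text) if d["dport"] in BACKDOOR_PORTS)

def neighbourhood_probes(text):
    """Backdoor probes whose source sits in our own /16, the pattern worth reporting to the ISP."""
    return sum(n for (_, src), n in backdoor_probes(text).items() if ip_address(src) in OUR_PUBLIC_NET)

if __name__ == "__main__":
    print("source-port-0 scanners:", dict(scan_sources(SAMPLE_LOG)))
    print("backdoor probes:", dict(backdoor_probes(SAMPLE_LOG)))
    print("probes from our /16:", neighbourhood_probes(SAMPLE_LOG))
```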

Pix Analysis Archives:
March 29 - March 31 2004
March 25 - March 26 2004
March 20 - March 23 2004
March 12 - March 19 2004
March 8 - March 11 2004
EventID.Net © 2001-2008 Altair Technologies Ltd., All rights reserved