EventId.Net - Firewalls
Analyzing Cisco Pix firewall logs with FireGen Log Analyzer - A firewall administrator diary

All the notes on this page are derived from our daily analysis of our Cisco Pix firewall logs using FireGen for Pix Log Analyzer, Version 2.0. To cross-reference the report sections mentioned in these articles, see the sample report. As a demo, you may send us one of your logs, and we will analyze it with FireGen and send you back the report along with a short analysis from our consultants.

See the Summary of the recommendations.

April 29, 2004
Analyzing the "Security Level 5 - Notification" section, we noticed that most of the 5-304001 (ip accessed URL ...) entries contain links to .jpg, .gif or various advertising servlets embedded within public web sites. In order to "clean" the log of this type of URL and get a better view of the most popular pages, we excluded the following keywords: .gif,.js,adlet,.jpg,ticker,servlet,.css. The drawback is that the processing may take a bit longer (though not by much) and that the log entries containing those keywords are excluded from the report, potentially hiding certain problems. By choosing the keywords carefully, one can limit this problem.

April 28, 2004
We noticed that the longer the reports get, the harder they are to read, so in order to keep a vigilant eye on them one needs a good log reading method. The way we do it, we start from the top and once we have read a section, we collapse it so it no longer clutters the screen. The sections that may require revisiting we keep expanded.
Analyzing the VPN events section, we had problems quickly separating user-related VPN tunnels from the site-to-site ones, as Cisco logs the same type of message when the security associations (SAs) get established. One workaround that we started to use is to put the IP addresses of the remote hosts used in site-to-site tunnels in the Monitored IPs list. This way, the connections related to site-to-site tunnels are tagged and we can easily identify them.

April 27, 2004
One problem with Cisco Pix logging is that it does not capture the names of the hosts that are accessed. This is particularly a problem if you need to see which sites are the most visited by your internal users. Since Pix only records the IP address, the only host name that can be obtained is the one that results from reverse name resolution. The problem is that a certain IP may host several web sites, or the host name associated with that IP is not relevant to the actual web site. The way around this limitation would be the use of a proxy server for web traffic. A proxy server like ISA, for example, may save bandwidth, provide better control over the "browsing" process and generate more useful logs. If cost is a problem, then one may use the Apache proxy or Squid (on Linux).

April 21, 2004
On March 30th, we discussed the "spoofed" connections from "127.0.0.1" messages that the firewall was recording. One of the potential reasons that we identified was a "bug" in the firewall OS. Today we noticed this type of message on another firewall with the latest firmware, so the "firewall bug" scenario is no longer on the list. We still believe that it is coming from the ISP.
The "Denied connections" section indicated a few thousand SMTP connection attempts from a spam server (217.167.26.77) that we blocked through an access list. We blocked some before and kept them in the "Monitored IP List", and after a few days they would stop trying and would not attempt to deliver mail again. We will see how this one goes.
Regarding the same section, "Denied connections", we noticed that most of the denials having "No connection" as the reason are in fact legitimate requests that got delayed (and then rejected by the firewall). These messages are cluttering the report, making it hard to read. As a consequence, we decided to exclude all these messages by adding the "6-106015" message code in the "Exclude keywords" section of the analysis interface. This way, all the messages containing this code will be discarded. The only drawback is that if this type of message really increases, it may indicate an attack or a serious deterioration of your Internet connectivity; if you discard them you will not notice this. Another drawback is that the analysis will take a bit longer, as FireGen would have to test every log entry to see whether it contains that code. However, there are more advantages to excluding them. Comparing the reports before and after excluding that code, one gets a much better view of which protocols (read: Trojans and worms) were denied by the firewall!
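As an added example (not FireGen's code, nor the diary authors'), the filter below applies the exclusions from this entry and from the April 29 one to a handful of constructed Cisco PIX syslog lines, and also tags denials from a Monitored IP as in the April 28 entry. Unlike a plain keyword exclusion, it counts the 6-106015 "No connection" messages before dropping them, so the surge the text warns about stays visible; the monitored IP, addresses and all log lines are made up.

```python
import re
from collections import Counter

# Constructed sample Cisco PIX syslog lines (not taken from the page's logs).
SAMPLE_LOG = """\
%PIX-5-304001: 10.0.0.15 Accessed URL 192.0.2.20:/news/index.html
%PIX-5-304001: 10.0.0.15 Accessed URL 192.0.2.20:/img/banner.gif
%PIX-5-304001: 10.0.0.22 Accessed URL 192.0.2.21:/adlet/track.js
%PIX-6-106015: Deny TCP (no connection) from 192.0.2.20/80 to 203.0.113.5/3312 flags RST on interface outside
%PIX-6-106015: Deny TCP (no connection) from 192.0.2.21/80 to 203.0.113.5/3313 flags ACK on interface outside
%PIX-2-106001: Inbound TCP connection denied from 198.51.100.9/4821 to 203.0.113.5/25 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 198.51.100.9/4822 to 203.0.113.5/25 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 198.51.100.44/1045 to 203.0.113.5/135 flags SYN on interface outside
"""

# The diary's exclusion keywords and "No connection" code; the monitored IP is constructed.
EXCLUDE_KEYWORDS = [".gif", ".js", "adlet", ".jpg", "ticker", "servlet", ".css"]
EXCLUDE_CODES = {"6-106015"}
MONITORED_IPS = {"198.51.100.9"}

CODE_RE = re.compile(r"%PIX-(\d-\d{6}): (.*)")          # severity-code and message body
DENY_RE = re.compile(r"from (\S+)/\d+ to \S+/(\d+)")    # source IP and destination port

def analyze(log_text):
    """Filter the log the way the diary does, but keep a count of what was dropped."""
    s = {"kept": [], "dropped_by_code": Counter(), "dropped_by_keyword": 0,
         "urls": [], "denied_ports": Counter(), "monitored_hits": Counter()}
    for line in log_text.splitlines():
        m = CODE_RE.match(line.strip())
        if not m:
            continue                      # not a PIX message; ignore
        code, msg = m.groups()
        if code in EXCLUDE_CODES:         # count before discarding so a surge stays visible
            s["dropped_by_code"][code] += 1
            continue
        if any(k in msg for k in EXCLUDE_KEYWORDS):
            s["dropped_by_keyword"] += 1  # images, scripts, ad servlets
            continue
        s["kept"].append(line)
        if code == "5-304001":            # ip accessed URL
            s["urls"].append(msg.split("Accessed URL ", 1)[1])
        elif code == "2-106001":          # inbound connection denied
            d = DENY_RE.search(msg)
            if d:
                src, dport = d.groups()
                s["denied_ports"][dport] += 1
                if src in MONITORED_IPS:  # tag like the Monitored IP List does
                    s["monitored_hits"][src] += 1
    return s
```

Compare `dropped_by_code["6-106015"]` against a baseline from earlier days to keep the connectivity signal the exclusion would otherwise hide.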

Pix Analysis Archives:
April 13 - April 16 2004
April 2 - April 6 2004
March 29 - March 31 2004
March 25 - March 26 2004
March 20 - March 23 2004
March 12 - March 19 2004
March 8 - March 11 2004
Legal - EventID.Net © 2001-2008 Altair Technologies Ltd., All rights reserved