EventId.Net - Firewalls
Analyzing Cisco Pix firewall logs with FireGen Log Analyzer - A firewall administrator diary

All the notes on this page are derived from our daily analysis of our Cisco Pix firewall logs using FireGen for Pix Log Analyzer, Version 2.0. To cross-reference the report sections mentioned in these articles, see the sample report. As a demo, you may send us one of your logs, and we will analyze it with FireGen and send you back the report along with a short analysis from our consultants.

See the Summary of the recommendations.

May 10, 2004
We noticed a large number of "outbound" SMTP connections from our Exchange server to 2 hosts that did not look familiar to our business (we would not send them that many messages). Most probably they are messages rejected by our Exchange. We connected to our Exchange server and cleared the outbound queue (after confirming that they are in fact just NDR "responses" to junk emails).
In comparison with last week, the Sasser worm is not that active anymore.

May 8, 2004
The "Severity level 5 (Notification) details" section has shown a large number of http requests against one of our public web sites containing data like "/scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir+c:", "/msdac/shell.exe?/c+dir+c:" and other similar ones. This indicates a vulnerability scan done probably with a tool like Nessus (www.nessus.org) by a "script kiddie", hoping to find an un-patched IIS server. Querying the IP address (218.189.197.42) through the Whois hyperlink has shown that the attacker was connecting from Hong Kong. We put the IP address on the Monitored IPs list, for future reference in case the attacker insists on scanning our servers.

May 4-7, 2004
The "Denied connections" section shows an increased number of hosts infected with the Sasser worm testing the TCP/445 port. There were 20 times more connections from Sasser in comparison to the next "most popular" worm. Each infected host seems to make between 10 and 50 connections against the same IP address. It is surely "hot" out there!

May 4, 2004
If you see in the Protocols section several UDP protocols like UDP/542, UDP/834, UDP/599 that do not really match a common protocol, it is possible that they are in fact DNS requests. In the "Other protocols" section you will probably find these protocols as being used by your DNS server to contact remote DNS servers (their names typically start with ns...). This happens because the log entries contain no information that would identify the connection as a DNS request (which normally uses TCP/53 and UDP/53). During the analysis, FireGen does some guesswork in order to match these requests to DNS requests, but for ports under 1024 you will see the kind of entries mentioned above.

In the "Denied connections" section we are starting to see the effects of the Sasser worm (port scans on TCP/445 - netbios).

May 3, 2004
Today we have been asked by the management to identify users of FrontPage that connected through the firewall during the weekend. With some research we found that the "footprint" of FrontPage is the access of "_vti_inf.html" as URL. We added this as "Include keyword" and we identified the IP address of the FrontPage user.
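Both the May 8 entry (encoded requests for cmd.exe and shell.exe) and the May 3 entry (finding FrontPage users by the "_vti_inf.html" footprint) come down to triaging request strings in a web-server log. The script below is an added example; it is not from the diary and not FireGen's code. The log lines, the 192.0.2.0/24 addresses and the function names are constructed for illustration, and it goes slightly beyond the page by also unwrapping double-encoded sequences such as %255c before looking for traversal.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# Constructed sample access-log lines (common log format). Addresses come from the
# 192.0.2.0/24 documentation range; the request strings are the probe patterns
# named in the diary. None of this is real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [08/May/2004:02:11:40 +0000] "GET /scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.0" 404 291
192.0.2.10 - - [08/May/2004:02:11:41 +0000] "GET /msdac/shell.exe?/c+dir+c: HTTP/1.0" 404 291
192.0.2.10 - - [08/May/2004:02:11:42 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.0" 404 291
192.0.2.25 - - [08/May/2004:03:00:01 +0000] "GET /_vti_inf.html HTTP/1.1" 200 1754
192.0.2.25 - - [08/May/2004:03:00:02 +0000] "POST /_vti_bin/shtml.dll/_vti_rpc HTTP/1.1" 200 302
192.0.2.77 - - [08/May/2004:03:05:09 +0000] "GET /index.html HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_line(line):
    """Return (client_ip, method, request_target, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, target, status = m.groups()
    return ip, method, target, int(status)


def decode_target(target, max_rounds=3):
    """Percent-decode to raw bytes, repeating a bounded number of times so that
    double-encoded sequences such as %255c (-> %5c -> backslash) are unwrapped."""
    data = target.encode("ascii", "replace")
    for _ in range(max_rounds):
        nxt = unquote_to_bytes(data)
        if nxt == data:
            break
        data = nxt
    return data


def classify_request(target):
    """Tag a request target with the scan indicators it carries (empty set = clean)."""
    tags = set()
    raw = decode_target(target)
    # Lead bytes 0xC0 and 0xC1 can never start a valid UTF-8 sequence; they only
    # occur in overlong encodings (e.g. %c0%af), so their presence is a strong signal.
    if b"\xc0" in raw or b"\xc1" in raw:
        tags.add("overlong-utf8")
    text = raw.decode("utf-8", errors="replace").lower()
    path = text.split("?", 1)[0]
    # A segment that starts with ".." is a parent-directory hop, whether it arrived
    # as a clean ".." or as ".." glued to a mangled encoding.
    if any(seg.startswith("..") for seg in re.split(r"[\\/]", path)):
        tags.add("traversal")
    if "cmd.exe" in text or "shell.exe" in text:
        tags.add("command-exec")
    return tags


def triage(lines):
    """Map each client IP to the union of indicators seen in its requests (flagged IPs only)."""
    findings = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, _method, target, _status = rec
        tags = classify_request(target)
        if tags:
            findings[ip] |= tags
    return dict(findings)


def find_keyword(lines, keyword):
    """The 'include keyword' idea: which client IPs requested a target containing keyword."""
    hits = set()
    for line in lines:
        rec = parse_line(line)
        if rec and keyword.lower() in rec[2].lower():
            hits.add(rec[0])
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, tags in sorted(triage(lines).items()):
        print(f"{ip}: {', '.join(sorted(tags))}")
    print("FrontPage clients:", sorted(find_keyword(lines, "_vti_inf.html")))
```

Decoding to bytes rather than to text is the important design choice: a decoder that goes straight to a Unicode string either rejects the overlong sequence or replaces it, and either way the evidence that it was there is gone before the rule runs.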

May 1, 2004
Since we added a couple of site-to-site VPN tunnels in our firewall, we started to get various probes on port UDP/500, normally used by ISAKMP for the key exchange. So one has to be aware that every time you open a port, someone will be there to attack it if possible! A probe on UDP/500 may be recorded as Pix code 4-402106, i.e. "Rec'd packet not an IPSEC packet. (ip) dest_addr= 209.161.200.226, src_addr= 211.162.191.5, prot= tcp". Being just a probe and not an actual IPSEC packet, the firewall rejects it but the attacker knows that you use this port. It may not be able to actually intercept or decrypt the traffic but it may launch a DoS attack.
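The Sasser entries (May 4-7: many same-port denies from each infected host) and the ISAKMP probe entry above both come down to counting PIX syslog messages by source and port. The following Python script is an added example and is neither the diary's nor FireGen's code. It parses two PIX message types, the 106023 access-list deny and the 402106 message quoted above, and reports the per-port deny totals, the sources that repeatedly hit one port, and the sources of rejected non-IPSEC packets. The sample lines are constructed (documentation addresses, an assumed interface pair "outside"/"inside" and an assumed access-group name).

```python
import re
from collections import Counter

# Constructed PIX syslog lines (documentation addresses, not from the page):
# twelve TCP/445 denies from one outside host, three from another, two denies on
# TCP/135 and two ISAKMP probes rejected with message 402106.
SAMPLE_LOG = (
    [f'May 05 2004 10:{i:02d}:00 fw %PIX-4-106023: Deny tcp src outside:192.0.2.5/{3000 + i} '
     f'dst inside:198.51.100.10/445 by access-group "outside_access_in"' for i in range(12)]
    + [f'May 05 2004 10:30:0{i} fw %PIX-4-106023: Deny tcp src outside:192.0.2.6/{4100 + i} '
       f'dst inside:198.51.100.11/445 by access-group "outside_access_in"' for i in range(3)]
    + [f'May 05 2004 10:40:0{i} fw %PIX-4-106023: Deny tcp src outside:192.0.2.7/{5200 + i} '
       f'dst inside:198.51.100.10/135 by access-group "outside_access_in"' for i in range(2)]
    + ["May 05 2004 11:00:00 fw %PIX-4-402106: Rec'd packet not an IPSEC packet. (ip) "
       "dest_addr= 198.51.100.1, src_addr= 192.0.2.9, prot= udp"] * 2
)

HEADER_RE = re.compile(r"%PIX-(\d)-(\d{6}): (.*)$")
DENY_RE = re.compile(
    r"Deny (\w+) src (\w+):([\d.]+)/(\d+) dst (\w+):([\d.]+)/(\d+) by access-group"
)
IPSEC_RE = re.compile(
    r"Rec'd packet not an IPSEC packet\. \(ip\) dest_addr= ([\d.]+), src_addr= ([\d.]+), prot= (\w+)"
)


def parse_pix_line(line):
    """Parse one PIX syslog line into a dict; None if it is not a message we handle."""
    h = HEADER_RE.search(line)
    if not h:
        return None
    severity, msg_id, body = h.groups()
    rec = {"severity": int(severity), "msg_id": msg_id}
    if msg_id == "106023":
        m = DENY_RE.match(body)
        if not m:
            return None
        proto, src_if, src_ip, src_port, dst_if, dst_ip, dst_port = m.groups()
        rec.update(proto=proto, src_if=src_if, src_ip=src_ip, src_port=int(src_port),
                   dst_if=dst_if, dst_ip=dst_ip, dst_port=int(dst_port))
        return rec
    if msg_id == "402106":
        m = IPSEC_RE.match(body)
        if not m:
            return None
        dst_ip, src_ip, proto = m.groups()
        rec.update(proto=proto, src_ip=src_ip, dst_ip=dst_ip)
        return rec
    return None


def denied_by_port(records):
    """Counter of (protocol, destination port) over denied connections: the
    'Denied connections' view, in which a worm's favourite port stands out."""
    return Counter((r["proto"], r["dst_port"]) for r in records if r["msg_id"] == "106023")


def worm_suspects(records, proto="tcp", port=445, threshold=10):
    """Source hosts that hit one port at least `threshold` times: repeated same-port
    denies from a single source are the footprint of a scanning worm, not of a user."""
    per_src = Counter(
        r["src_ip"] for r in records
        if r["msg_id"] == "106023" and r["proto"] == proto and r["dst_port"] == port
    )
    return {ip: n for ip, n in per_src.items() if n >= threshold}


def ipsec_probe_sources(records):
    """Sources of non-IPSEC packets dropped at the VPN endpoint (message 402106)."""
    return Counter(r["src_ip"] for r in records if r["msg_id"] == "402106")


if __name__ == "__main__":
    recs = [r for r in map(parse_pix_line, SAMPLE_LOG) if r]
    for (proto, port), n in denied_by_port(recs).most_common():
        print(f"denied {proto}/{port}: {n}")
    print("worm suspects:", worm_suspects(recs))
    print("IPSEC probe sources:", dict(ipsec_probe_sources(recs)))
```

The threshold in worm_suspects is deliberately a parameter: the diary observed 10 to 50 connections per infected host, but the right cut-off depends on how chatty legitimate clients are on the port in question, and a source that trips it belongs on the same kind of monitored-IP list the diary keeps for the web scanner.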

Pix Analysis Archives:
April 21 - April 29 2004
April 13 - April 16 2004
April 2 - April 6 2004
March 29 - March 31 2004
March 25 - March 26 2004
March 20 - March 23 2004
March 12 - March 19 2004
March 8 - March 11 2004
EventID.Net © 2001-2008 Altair Technologies Ltd., All rights reserved