RE: Help me interpret these log entries....

["Mathew Want" <mathew.want () ac3 com au>]

Bob,

I have seen traffic like this as well. I thought (based on best guess) it
was a scan that tried to pierce non-stateful firewalls such as ipchains
where the rule for the outbound packet is a separate rule to the return
packet (and visa versa). Any other opinions? 

Some legit (non malicious) traffic can appear like this just because the
service you are connecting to has taken too long to respond and the
connection has fallen out of the firewalls state table (more prevalent in
systems that have a pseudo state for UDP). The firewall will drop it anyway.
If you !LOG this traffic then you may have difficulties tracking these types
of issues, but it's the same with any decision to LOG or !LOG. 

If the firewall is denying the traffic anyway, the only benefit I can see in
!LOG is a reduction in log volume. I would put it just above the last DENY
rule in the chain if it were me so as not to hamper any of the rules above
it.

Hope this helps and is close....
--
Regards,
Mathew Want
ac3
Network and Security Engineer
Phone:      +61 2 9209 4600
Email:      mathew.want () ac3 com au 
URL:        http://www.ac3.com.au
------------------------------------
"Some things are eternal by nature,
others by consequence"
------------------------------------

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Bob
Sent: Wednesday, 8 March 2006 1:22 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Help me interpret these log entries....

I have looked, and I am either not phrasing my searches correctly on the 
search engines or there is not a great deal of information on this.

I am seeing many of the following lines in the logs from my PIX:

%PIX-4-106100: access-list 101 denied tcp outside/s.s.s.s(80) ->
inside/d.d.d.d(xxx)

where 1024 < xxx < 65535

And also, I have seen other ports other than 80 used as the source port 
(eg: 443, 25)

The closest thing I can think of is that this is some sort of TCP reset 
attack. Is this correct?

The next questions are should I be worried and what should I do about it?

I am thinking of adding a rule to explicitly block inbound traffic from 
the internet on these source ports and not bother logging it. That 
shouldn't affect traffic from these ports for outbound established 
connections (right?) and cut down the noise in my logs. I don't want to 
kill any functionality from inside->out and I also don't want to blind 
myself to a real threat.

Anybody care to share an opinion on this?

Bob.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards