Firewall Wizards mailing list archives
RE: Help me interpret these log entries....
From: "Mathew Want" <mathew.want () ac3 com au>
Date: Wed, 8 Mar 2006 12:56:41 +1100
Bob,

I have seen traffic like this as well. I thought (based on best guess) it was a scan that tried to pierce non-stateful firewalls such as ipchains where the rule for the outbound packet is a separate rule to the return packet (and vice versa). Any other opinions?

Some legit (non malicious) traffic can appear like this just because the service you are connecting to has taken too long to respond and the connection has fallen out of the firewall's state table (more prevalent in systems that have a pseudo state for UDP). The firewall will drop it anyway.

If you !LOG this traffic then you may have difficulties tracking these types of issues, but it's the same with any decision to LOG or !LOG. If the firewall is denying the traffic anyway, the only benefit I can see in !LOG is a reduction in log volume. I would put it just above the last DENY rule in the chain if it were me so as not to hamper any of the rules above it.

Hope this helps and is close....

--
Regards,
Mathew Want
ac3 Network and Security Engineer
Phone: +61 2 9209 4600
Email: mathew.want () ac3 com au
URL: http://www.ac3.com.au
------------------------------------
"Some things are eternal by nature, others by consequence"
------------------------------------

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Bob
Sent: Wednesday, 8 March 2006 1:22 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Help me interpret these log entries....

I have looked, and I am either not phrasing my searches correctly on the search engines or there is not a great deal of information on this.

I am seeing many of the following lines in the logs from my PIX:

%PIX-4-106100: access-list 101 denied tcp outside/s.s.s.s(80) -> inside/d.d.d.d(xxx)

where 1024 < xxx < 65535

And also, I have seen other ports other than 80 used as the source port (eg: 443, 25).

The closest thing I can think of is that this is some sort of TCP reset attack. Is this correct? The next questions are should I be worried and what should I do about it?

I am thinking of adding a rule to explicitly block inbound traffic from the internet on these source ports and not bother logging it. That shouldn't affect traffic from these ports for outbound established connections (right?) and cut down the noise in my logs. I don't want to kill any functionality from inside->out and I also don't want to blind myself to a real threat.

Anybody care to share an opinion on this?

Bob.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
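As an added example that is not part of this thread, a small Python triage script over constructed lines in the %PIX-4-106100 format Bob quotes: it counts, per source address and port, the denies that fit the shape he reports (inbound, service source port, ephemeral destination port) and sets every other deny aside for review, which is exactly the split a !LOG rule on those source ports would make invisible. The function names, the regex and the sample addresses are my assumptions, not anything from the thread.

```python
import re
from collections import Counter

# Shape of the %PIX-4-106100 line quoted in the thread; trailing hit-count text is ignored.
PIX_106100 = re.compile(
    r"%PIX-4-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src_if>\w+)/(?P<src_ip>[\d.]+)\((?P<src_port>\d+)\) -> "
    r"(?P<dst_if>\w+)/(?P<dst_ip>[\d.]+)\((?P<dst_port>\d+)\)"
)
# Service ports the thread reports as the *source* port of the denied packets.
SERVICE_SRC_PORTS = {80, 443, 25}

def parse_line(line):
    """Return the fields of a 106100 line as a dict, or None if it is not one."""
    m = PIX_106100.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src_port"], rec["dst_port"] = int(rec["src_port"]), int(rec["dst_port"])
    return rec

def looks_like_stale_reply(rec):
    """Inbound, from a service port, to an ephemeral port: the shape Bob describes,
    consistent with late replies to connections already gone from the state table."""
    return (rec["src_if"] == "outside" and rec["src_port"] in SERVICE_SRC_PORTS
            and 1024 < rec["dst_port"] < 65535)

def triage(lines):
    """Count stale-reply-shaped denies per (src_ip, src_port); hand back every
    other denied line untouched so it still gets a human look."""
    stale, other = Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "denied":
            continue  # not a 106100 line, or a permit: not part of this question
        if looks_like_stale_reply(rec):
            stale[(rec["src_ip"], rec["src_port"])] += 1
        else:
            other.append(line)
    return stale, other

# Constructed sample lines using documentation address ranges; not from the thread.
SAMPLE_LOG = [
    "%PIX-4-106100: access-list 101 denied tcp outside/203.0.113.5(80) -> inside/10.1.1.20(33412) hit-cnt 1 (first hit)",
    "%PIX-4-106100: access-list 101 denied tcp outside/203.0.113.5(80) -> inside/10.1.1.20(33413) hit-cnt 1 (first hit)",
    "%PIX-4-106100: access-list 101 denied tcp outside/198.51.100.9(443) -> inside/10.1.1.21(40001) hit-cnt 1 (first hit)",
    "%PIX-4-106100: access-list 101 denied tcp outside/198.51.100.9(31337) -> inside/10.1.1.21(22) hit-cnt 1 (first hit)",
    "%PIX-4-106100: access-list 101 permitted tcp outside/203.0.113.7(80) -> inside/10.1.1.22(45000) hit-cnt 1 (first hit)",
]
```

Running `triage(SAMPLE_LOG)` over a day's worth of real 106100 lines shows how much of the volume the proposed !LOG rule would silence, and the `other` list is what still deserves eyes.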