
IP Access Log 4

Status
Not open for further replies.

Ostuni

IS-IT--Management
Jan 19, 2001
One of our LANs is getting bombed by what is probably a Sasser variant that jams the router (a 7-year-old 2524 w/T1 DSU/CSU)....

Port 445 was closed on the router, so we can see which workstation IPs are spewing the garbage that is trying to get out on port 445...

Problem: this is a large LAN, and many IPs are showing up when we do a sho log to see which workstations are hitting the port.... By a tedious process of elimination we have gotten two wings of the building back up, but one very large wing with many workstations still bogs down the router when we plug its IDF into the core switch, and we're having a hard time identifying the workstation(s) that is causing the router to clog up...

3 questions:

1. How do you CLEAR on the fly the ipaccesslog that is being referred to on sho log? (other than rebooting the router)...

2. On the following log line:

%SEC-6-IPACCESSLOGP: list 102 denied tcp 10.20.100.178(4406) -> 10.20.10.1(445) 1 packet

WHAT is the value in parens after the workstation IP? (the other IP is the router followed by the port that is closed)....

3. Will the workstation(s) that are jamming the router stand out among the others that show up that apparently are not doing harm?

mtia!
 
Honestly, a sniffer is a better tool than trying to do this on a router. Build or download a filter (you can adapt Snort's rules to build Sniffer or Etherpeek filters) and then set up a hub or build a passive tap (takes 30 bucks and about 15 minutes). This will allow you to filter precisely on the payload to map it to the IPs carrying it. Once you have the IPs and/or the MACs, you can search the switch CAM tables to find out where it is and what port it is plugged into. Now, if you have hubs feeding switch ports, it gets messy.

MikeS


Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
 
Thanks for the info, and I will look into that for future reference. As for now, still looking at the router's ipaccess log.....
 
If you have a lot of people hitting that access list and you have logging turned on, this will put a considerable load on the router. Also make sure you have no logging console, as this will put a load on it also if a lot of messages are hitting the screen. Another option, if your router supports it, would be to implement ip route-cache flow on each interface on which you are looking for infected users. This starts a flow caching list of who is talking to who, and you can then look at it by doing a "show ip cache flow"; this will show you who is doing the talking. We found this to be very effective in finding infected users with some of the big viruses that were out there a while back.
 
Thanks for the tip vipergg...gonna try that soon.

CCNA, CCNP..partly ;)
 
My comments in between the lines:

Problem: this is a large LAN, and many IPs are showing up when we do a sho log to see which workstations are hitting the port....

--> I went through the same thing some time ago, and segmenting the LAN was the way to go. It will make it easier for you to troubleshoot.

1. How do you CLEAR on the fly the ipaccesslog that is being referred to on sho log?

--> "Router#clear logging" will do (as far as the console goes).

2. On the following log line:

%SEC-6-IPACCESSLOGP: list 102 denied tcp 10.20.100.178(4406) -> 10.20.10.1(445) 1 packet

WHAT is the value in parens after the workstation IP? (the other IP is the router followed by the port that is closed)....

--> 4406 is a random source port used by the workstation.

3. Will the workstation(s) that are jamming the router stand out among the others that show up that apparently are not doing harm?

--> If your access-list 102 is logging packets destined to port tcp/udp 445 alone, I would say yes, unhealthy workstations will stand out.


Still, I would recommend, as has been said in previous posts, using a sniffer. There's tons of free software you could use (Ethereal, Packetizer).

Another thing that worked pretty well was asking users to issue the "netstat -n" DOS command, which resulted in several lines towards random IP addresses with port 445 as destination. I did it because users complained about slow workstation performance.

CCNA
 
Thanks, fellas.... rcasta, I failed to mention this old router is on 11.0...

clear logging ain't working, nor do any of the listed options seem to do what I want, which is to clear the log of the access-list's denied packet lines....

Here's a sample of the lines I'm trying to clear when I do 'sho log':

%SEC-6-IPACCESSLOGP: list 102 denied tcp 10.120.100.26(4890) -> 10.120.10.1(445), 1 packet
%SEC-6-IPACCESSLOGP: list 102 denied tcp 10.120.100.26(4890) -> 10.120.10.1(445), 1 packet


Here are the 'clear' options the router gives, none of which seem to do the trick:

access-list Clear access list statistical information
access-template Access-template
arp-cache Clear the entire ARP cache
bridge Reset bridge forwarding cache
cdp Reset cdp information
counters Clear counters on one or all interfaces
dialer Clear dialer statistics
dlsw Data Link Switching (DLSw)
frame-relay-inarp Clear inverse ARP entries from the map table
host Delete host table entries
interface Clear the hardware logic on an interface
ip IP
ipx Reset Novell/IPX information
line Reset a terminal line
netbios-cache Clear the entire NetBIOS name cache
rif-cache Clear the entire RIF cache
service-module Service module
snapshot Clear Snapshot timers
source-bridge Clear counters displayed in "show source-bridge"
tcp Clear a TCP connection or statistics
x25-vc Clear X.25 virtual circuits on an interface
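As an added illustration that is not part of any post in this thread, the following Python script does for a saved 'sho log' what rcasta's answer to question 3 describes: it parses %SEC-6-IPACCESSLOGP lines in the format shown above, keeps only denied packets to port 445, and ranks source IPs by packet count and by how many distinct source ports each used. The sample log is constructed: the two lines quoted in the last post, plus a made-up host 10.120.100.77 that behaves like a scanning worm (a fresh ephemeral source port per connection attempt, which is the value in parentheses that question 2 asked about), plus a few lines the ranking should ignore. Nothing here is Cisco code; it only reads text the router already produces.

```python
import re
from collections import defaultdict

# Constructed sample of what 'sho log' prints.  The first two lines are the
# ones quoted in the thread (a host retrying one SMB connection from the same
# source port); the 10.120.100.77 lines are a made-up worm-like host that opens
# a new connection (new ephemeral source port) on every attempt.  The last
# three lines are noise the ranking must ignore.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list 102 denied tcp 10.120.100.26(4890) -> 10.120.10.1(445), 1 packet
%SEC-6-IPACCESSLOGP: list 102 denied tcp 10.120.100.26(4890) -> 10.120.10.1(445), 1 packet
%SEC-6-IPACCESSLOGP: list 102 denied tcp 10.120.100.77(1031) -> 10.120.10.1(445), 1 packet
%SEC-6-IPACCESSLOGP: list 102 denied tcp 10.120.100.77(1032) -> 10.120.10.1(445), 1 packet
%SEC-6-IPACCESSLOGP: list 102 denied tcp 10.120.100.77(1033) -> 10.120.10.1(445), 1 packet
%SEC-6-IPACCESSLOGP: list 102 denied tcp 10.120.100.77(1034) -> 10.120.10.1(445), 1 packet
%SEC-6-IPACCESSLOGP: list 102 denied tcp 10.120.100.77(1035) -> 10.120.10.1(445) 6 packets
%SEC-6-IPACCESSLOGP: list 102 denied tcp 10.120.100.40(3021) -> 10.120.10.1(139), 1 packet
%SEC-6-IPACCESSLOGP: list 102 permitted tcp 10.120.100.26(4891) -> 10.120.10.1(80), 1 packet
%LINK-3-UPDOWN: Interface Ethernet0, changed state to up
"""

# Matches the %SEC-6-IPACCESSLOGP format seen in the thread, in both the
# "... 1 packet" and "..., 1 packet" spellings, and the "N packets" summary
# lines IOS emits when the same flow repeats within the logging interval.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>tcp|udp) (?P<src>\d{1,3}(?:\.\d{1,3}){3})\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\((?P<dport>\d+)\),? (?P<count>\d+) packets?"
)


def parse_line(line):
    """Return the fields of one IPACCESSLOGP line as a dict, or None for other syslog lines."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def rank_sources(lines, dport=445, action="denied"):
    """Aggregate matching log lines per source IP and rank the noisiest first.

    Returns a list of (src_ip, packets, distinct_dsts, distinct_sports) tuples.
    A healthy host retrying one SMB connection keeps the same source port, so
    its distinct_sports stays at 1; a scanner burns a new ephemeral port per
    attempt, so distinct_sports climbs together with packets.
    """
    stats = defaultdict(lambda: {"packets": 0, "dsts": set(), "sports": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != action or rec["dport"] != dport:
            continue
        entry = stats[rec["src"]]
        entry["packets"] += rec["count"]
        entry["dsts"].add(rec["dst"])
        entry["sports"].add(rec["sport"])
    rows = [(src, s["packets"], len(s["dsts"]), len(s["sports"])) for src, s in stats.items()]
    rows.sort(key=lambda r: (r[1], r[3], r[2]), reverse=True)
    return rows


if __name__ == "__main__":
    print(f"{'source':16} {'pkts':>5} {'dsts':>5} {'sports':>6}")
    for src, pkts, ndst, nsport in rank_sources(SAMPLE_LOG.splitlines()):
        print(f"{src:16} {pkts:5} {ndst:5} {nsport:6}")
```

Run it against a captured terminal session instead of SAMPLE_LOG and the top rows are the hosts worth walking to first; the distinct-source-port column is what separates a scanner from a workstation that is merely retrying one blocked SMB connection, since both show up as "denied" to port 445.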
 