
Syslog messages from Pix 515


Zelandakh

Mar 12, 1999
What messages should I be aware of in the syslog and which ones are "safe"?

Examples of entries from syslog:
Inbound TCP connection denied from 64.124.45.233/3280 to <outside ip>/113 flags SYN on interface outside
Deny inbound UDP from 195.213.49.100/137 to <outside ip>/137 on interface outside
No translation group found for udp src inside:192.168.1.9/53 dst outside:198.41.0.4/53
Deny inbound icmp src outside:163.166.156.89 dst inside:<inside ip> (type 8, code 0)

Are there particular entries I should be looking for? What does everyone else do with their syslogs?
 
Hi Zel!

Taking a stab at it...

Seems to me that you are safe with those messages. The UDP may be pings headed out. Nothing there seemed (in my mind) as ones to worry about.

This one:

Inbound TCP connection denied from 64.124.45.233/3280 to <outside ip>/113 flags SYN on interface outside

Seems to be some sort of Ip attack, which could mean either a port scan (maybe) or advertisements trying to come through a closed port. Nothing serious.

Deny inbound UDP from 195.213.49.100/137 to <outside ip>/137 on interface outside

Port scan, or maybe a ping. Do you have NAT on?

No translation group found for udp src inside:192.168.1.9/53 dst outside:198.41.0.4/53

Someone doing a ping from inside, I would guess. You may want to look into this one if you see this one a LOT. Find out what that UDP is, and see if you have your PIX set up to allow that type of UDP. UDP is fire and forget, so you may only see it when a user/software asks for it.

Deny inbound icmp src outside:163.166.156.89 dst inside:<inside ip> (type 8, code 0)

Fairly common message.

None of these throw up a red flag, unless you get repeated messages from one source. That is when you are getting a flood attack.

I apologize if I am saying something you may already know.

Good luck!

J.
 
I don't know nothing me...

The /53 ping is from one of my servers which is slightly worrying - I don't touch the console of that.

Other than that, thanks for putting my mind at rest.
 
Hey Zel!

Then that might be a NAT issue, which may be the PIX config.

Maybe one of the true Gurus here can help with NAT. It's got me confused to no end. Can you post your config? Make sure your password (while encrypted) is x'd out, some people can crack it.

And maybe xxx'ing out the first octet of all IP addresses?

Anyway, won't hurt to try!

G'luck!

J.
 
HI.

I would also not worry too much about those messages.
I have not much experience viewing those syslog messages, but I know that there are some 3rd party log analysers.
One of the principles is - try to look at those logs every day/week on a regular basis.
You will then be able to learn what is normal and what is not by your experience.
In many cases, syslog is useful for troubleshooting rather than for intrusion detection.

Here are my comments to your messages:

* Inbound TCP connection denied from 64.124.45.233/3280 to <outside ip>/113 flags SYN on interface outside
Don't know - maybe port scan

* Deny inbound UDP from 195.213.49.100/137 to <outside ip>/137 on interface outside
Scanning for open NETBIOS ports.
You will get this many times.

* No translation group found for udp src inside:192.168.1.9/53 dst outside:198.41.0.4/53
Check your PIX and DNS configuration -
Do you have an internal DNS server (recommended!)?
Is 198.41.0.4 your ISP DNS server?
If you are using your ISP DNS servers, this message is expected because the pix blocks DNS replies after the first one.
Using an internal DNS server can improve DNS and is recommended by me (which is also used by many MS clients like OUTLOOK 2000 and WIN2000 for internal network use)

* Deny inbound icmp src outside:163.166.156.89 dst inside:<inside ip> (type 8, code 0)
Seems to me like someone is trying to scan using ICMP.
However there is a document at CISCO web site about ICMP codes (I don't remember exactly where) so you can learn more about what type 8 code 0 means.

Bye

Yizhar Hurwitz
 
Thanks for that.

Yes, I have an internal DNS server but not the one listed above. My ISP DNS is not the one listed above either.

The Cisco Pix was put in by an expert and then checked fully several times by one of the head Cisco guys in Belgium (who is a complete star). I use NAT to get my staff to the Net and PAT to get the world into my company (like mail servers, web servers, conferencing servers etc). I understand about the bulk of it, but knowing that the code is right and that my site is secure is a different matter.

Looks like I'm ok then. Will post a suitably doctored config file when I get a moment.
 
Zelandakh,

The thing I do first is to develop a profile.

How many messages do you get in the syslog server in a 24-hour period? What is the breakdown of those messages? If the number of messages goes up or down I try and correlate that to the throughput to/from the Internet (was it busy?).

You then might want to break them down by message number. How many of the messages include internal addresses versus external addresses?

I go further by looking at messages based on the interface. You can break the messages into two groups (on my firewall): those about the inside interface and those about the outside interface.

I try and make it so that at the end of the day (or the start of the next) I can look at one page (screen) of information from each firewall that tells me if I have to look closer.

Liberty for All,

Brian
 
Brian,

Do you have a little app that can summarise my daily syslog file then?

That'd come in handy. :)

I think it is fairly static and I'm not overly concerned that I'm being hacked (cos it was config'd by what I think is the top Cisco guy in Europe), I just wanted to be sure.
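Brian's daily profile, and the little summariser Zel asks for, as an added example that is not from the thread: a Python script that parses the four PIX message shapes quoted above and reports counts per message kind, per interface, internal versus external source, and any source that repeats at least three times (the "repeated messages from one source" rule from J.'s reply). The sample log is constructed; the `<outside ip>`/`<inside ip>` placeholders are filled with made-up documentation/RFC 1918 addresses.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample in the message shapes quoted in this thread; the thread's own
# addresses, with <outside ip>/<inside ip> filled from doc/RFC 1918 ranges, one source repeated.
SAMPLE_LOG = """\
Inbound TCP connection denied from 64.124.45.233/3280 to 203.0.113.1/113 flags SYN on interface outside
Deny inbound UDP from 195.213.49.100/137 to 203.0.113.1/137 on interface outside
No translation group found for udp src inside:192.168.1.9/53 dst outside:198.41.0.4/53
Deny inbound icmp src outside:163.166.156.89 dst inside:192.168.1.20 (type 8, code 0)
Deny inbound UDP from 195.213.49.100/137 to 203.0.113.1/137 on interface outside
Deny inbound UDP from 195.213.49.100/137 to 203.0.113.1/137 on interface outside
"""

# One regex per message shape seen in the thread; every one yields src, dst and iface groups.
PATTERNS = {
    "tcp-denied": re.compile(r"Inbound TCP connection denied from (?P<src>[\d.]+)/\d+ "
                             r"to (?P<dst>[\d.]+)/\d+ .*on interface (?P<iface>\w+)"),
    "udp-denied": re.compile(r"Deny inbound UDP from (?P<src>[\d.]+)/\d+ "
                             r"to (?P<dst>[\d.]+)/\d+ on interface (?P<iface>\w+)"),
    "no-xlate": re.compile(r"No translation group found for \w+ src (?P<iface>\w+):"
                           r"(?P<src>[\d.]+)/\d+ dst \w+:(?P<dst>[\d.]+)/\d+"),
    "icmp-denied": re.compile(r"Deny inbound icmp src (?P<iface>\w+):(?P<src>[\d.]+) "
                              r"dst \w+:(?P<dst>[\d.]+) \(type \d+, code \d+\)"),
}

def parse_line(line):
    """Return (kind, fields) for a recognised PIX message, else None."""
    for kind, rx in PATTERNS.items():
        m = rx.search(line)
        if m:
            return kind, m.groupdict()
    return None

def summarise(text, repeat_threshold=3):
    """Daily profile: counts by kind, interface, internal/external source, plus repeating sources."""
    by_kind, by_iface, by_src, origin = Counter(), Counter(), Counter(), Counter()
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # not one of the shapes above; count these separately if you extend it
        kind, f = parsed
        by_kind[kind] += 1
        by_iface[f["iface"]] += 1
        by_src[f["src"]] += 1
        origin["internal" if ipaddress.ip_address(f["src"]).is_private else "external"] += 1
    repeated = sorted(s for s, n in by_src.items() if n >= repeat_threshold)
    return {"total": sum(by_kind.values()), "by_kind": dict(by_kind),
            "by_iface": dict(by_iface), "origin": dict(origin),
            "repeated_sources": repeated}
```

Run `summarise(open("pix.log").read())` on a day's file to get the one-screen view Brian describes; anything in `repeated_sources` or under `internal` (such as the inside:192.168.1.9/53 no-translation entries) is what to look at more closely.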
 