Firewall log verbiage?

Thread: Firewall log verbiage?

  1. #1
    Senior Member
    Join Date
    May 2004
    Posts
    140

    Firewall log verbiage?

    What should I be searching for?
    I have a PIX firewall and am using Kiwi Syslog and Kiwi viewer to read my firewall logs. I am looking for the guys that are doing pen testing on my firewall. What type of verbiage should I search for?
    %PIX-3-106011: Deny inbound (No xlate) tcp src outside:64.233.161.99/80 dst outside:208.243.37.132/1592
    or maybe?
    Deny tcp src outside:65.114.202.18/80 dst inside:208.243.37.132/2616 by access-group "inbound"
    Please help?
    Romans 7:14-20
    14 We know that the law is spiritual; but I am unspiritual, sold as a slave to sin. 15 I do not understand what I do. For what I want to do I do not do, but what I hate I do. 16 And if I do what I do not want to do, I agree that the law is good. 17 As it is, it is no longer I myself who do it, but it is sin living in me. 18 I know that nothing good lives in me, that is, in my sinful nature. For I have the desire to do what is good, but I cannot carry it out.

  2. #2
    Senior Member
    Join Date
    May 2004
    Posts
    140
    Anyone?

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    What do you want to find.... The question is sort of vague..... If you want to watch what they do ask them for the IP address(es) they will be carrying out the pen test from. If you want more then you'll need to be a little more precise.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #4
    I'm still learning this as well, so don't take my advice as the final authority on the matter, but...

    Yes, words like "inbound connection" and connections from the "outside" are what you're looking for. Keep all that on record and look for repeating connections, especially connections that seem to follow a pattern (always attempted at 1:00 a.m., etc.). That'll help you on your way to tracking down your "intruder".

    By the way, use the "Bump Up" button when you're not getting any replies, as opposed to adding another post. You can use it once every five hours. I've gotten very acquainted with it.

    //edit -- Oh, well, Tiger beat me to it. Listen to that guy.

  5. #5
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    If it's anything like my links, you will see hundreds or thousands of DENY entries per hour.

    If you don't have any reporting tools and don't have programming skill with Perl or similar to create a report, you can import Kiwi file(s) into a spreadsheet and play with the different sorting options, which may help you distinguish worm activity from portscans or other traffic.

  6. #6
    Senior Member
    Join Date
    May 2004
    Posts
    140
    My boss wants me to come to him and say I see such and such activity that looks suspicious, and he will tell me if it's their IP or not. He wants me to catch them after the fact, but I don't know how I'll do that with the tens of thousands of lines to go through.

  7. #7
    Again, look for patterns. "Such-and-such IP always tries to connect at x:xx a.m." or "This address attempts connections every X hours", etc.
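    One way to do the pattern hunting suggested in posts #4, #5 and #7 without a spreadsheet, as an added example that is not from anyone in this thread: a short Python script that parses the two PIX Deny formats quoted in the first post and reports, per source address, the deny count, how many distinct destination ports were hit (a crude portscan flag) and whether the source showed up at the same hour of day on more than one day. The "YYYY-MM-DD HH:MM:SS" timestamp prefix is an assumed Kiwi export format and the sample log is constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the two Deny formats quoted in the thread, with an assumed
# "YYYY-MM-DD HH:MM:SS" Kiwi timestamp prefix; not the poster's real log.
SAMPLE_LOG = """\
2004-06-01 01:00:03 %PIX-4-106023: Deny tcp src outside:65.114.202.18/4412 dst inside:208.243.37.132/22 by access-group "inbound"
2004-06-01 01:00:04 %PIX-4-106023: Deny tcp src outside:65.114.202.18/4413 dst inside:208.243.37.132/23 by access-group "inbound"
2004-06-01 01:00:05 %PIX-4-106023: Deny tcp src outside:65.114.202.18/4414 dst inside:208.243.37.132/25 by access-group "inbound"
2004-06-01 01:00:06 %PIX-4-106023: Deny tcp src outside:65.114.202.18/4415 dst inside:208.243.37.132/80 by access-group "inbound"
2004-06-01 01:00:07 %PIX-4-106023: Deny tcp src outside:65.114.202.18/4416 dst inside:208.243.37.132/443 by access-group "inbound"
2004-06-01 13:22:41 %PIX-3-106011: Deny inbound (No xlate) tcp src outside:64.233.161.99/80 dst outside:208.243.37.132/1592
2004-06-02 01:00:02 %PIX-4-106023: Deny tcp src outside:65.114.202.18/4510 dst inside:208.243.37.132/21 by access-group "inbound"
"""

# Matches both formats: 106011 "Deny inbound (No xlate) ..." and 106023 "Deny ... by access-group".
DENY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) %PIX-\d-\d{6}: Deny (?:inbound \(No xlate\) )?"
    r"(?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")

def parse_denies(text):
    """Yield (timestamp, src, dst, dport) for each Deny line; other lines are skipped."""
    for line in text.splitlines():
        m = DENY_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["src"], m["dst"], int(m["dport"])

def summarize(text, scan_ports=5):
    """Per source IP: deny count, distinct destination ports, a portscan flag, and
    the hour of day (if any) at which the source was seen on more than one day."""
    per_src = defaultdict(lambda: {"denies": 0, "ports": set(), "day_hours": set()})
    for ts, src, _dst, dport in parse_denies(text):
        s = per_src[src]
        s["denies"] += 1
        s["ports"].add(dport)
        s["day_hours"].add((ts.date(), ts.hour))   # one entry per (day, hour) the source was active
    report = {}
    for src, s in per_src.items():
        days_per_hour = Counter(h for _, h in s["day_hours"])
        repeat = [h for h, n in days_per_hour.items() if n > 1]   # "always at 1:00 a.m." pattern
        report[src] = {"denies": s["denies"], "distinct_ports": len(s["ports"]),
                       "looks_like_scan": len(s["ports"]) >= scan_ports,
                       "repeat_hour": repeat[0] if repeat else None}
    return report

if __name__ == "__main__":
    for src, r in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["denies"]):
        print(src, r)
```

    Point it at a real Kiwi export by replacing SAMPLE_LOG with the file contents; the source addresses that come out flagged are the ones to take to your boss for comparison against the testers' IP list.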

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Ahhhh.... I see..... Said the blind man......

    How long do they have to do the pen test... Couple of days or a couple of weeks? What are they authorized to do. An audit or a full pen test. Are they allowed to simply identify vulnerabilities or can they exploit them?

  9. #9
    Senior Member
    Join Date
    May 2004
    Posts
    140
    Originally posted here by Tiger Shark
    Ahhhh.... I see..... Said the blind man......

    How long do they have to do the pen test... Couple of days or a couple of weeks? What are they authorized to do. An audit or a full pen test. Are they allowed to simply identify vulnerabilities or can they exploit them?
    They have the whole month and they are allowed to do a full pen test and attempt to exploit.

  10. #10
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    If you are just using firewall logs, I doubt you will easily hammer it down to specifics. To an untrained eye, there may be just too much traffic. Add to that a MONTH'S worth of traffic. What services do you open to the world? MAIL? WWW? FTP? If any, are they in a DMZ? What patch level and version is your PIX? Any IDS features turned on on the PIX? Have you used any of the monitoring in the http GUI?

    I'm really not understanding the value of telling you they are going to hit you..??
    Seems ripe for a trap and then game over. Why would he tell you?
