I am getting some confusing log entries from my Cisco Pix firewall. At first I thought that it was a network problem but I don't have any other evidence to support that assumption. The box is co-lo'ed and I have not had a chance to run down and hook up a sniffer.

The log entries look like this. Destination IP addresses changed....

Jan 18 12:43:50 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 208.58.193.69/1062 to a.b.c.d/443 flags ACK
Jan 18 12:43:50 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 208.58.193.69/1062 to a.b.c.d/443 flags ACK
Jan 18 12:43:50 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 208.58.193.69/1062 to a.b.c.d/443 flags ACK
Jan 18 12:43:51 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 208.58.193.69/1064 to a.b.c.d/80 flags RST
Jan 18 12:43:52 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 208.58.193.69/1061 to a.b.c.d/80 flags RST
Jan 18 12:43:52 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 24.188.77.55/1684 to 1.2.3.4/80 flags RST ACK
Jan 18 12:43:53 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 206.28.32.70/2907 to a.b.c.d/80 flags PSH ACK
Jan 18 12:43:54 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 206.10.105.113/1302 to a.b.c.d/80 flags FIN ACK

At first I thought it might be a RST scan or some other "stealth" scan, but generally the destination ports are ports that services are running on. A "normal" nmap stealth scan produces Deny messages to a lot of ports, not just 80 and 443. I am getting a ton of these and generally I get a bunch from one IP address at a time. AOL proxy servers also show up a lot.

If anyone has any clues or suggestions I would be most grateful!
-- Bill Pennington
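The question above is really a triage problem: the %PIX-6-106015 "Deny TCP (no connection)" message says the firewall saw a TCP segment for which it holds no connection-table entry, and the poster wants to tell a port scan apart from ordinary stragglers. A quick way to do that from the syslog alone is to parse the lines, group them by source address, and look at how many distinct destination ports each source touched and whether any segment carried SYN. The script below is an added example written for this archive page; it is not code from the original post or from Cisco. It reuses the eight log lines quoted above plus six constructed lines from 203.0.113.7 (a TEST-NET-3 address) so that both outcomes show up, and the two thresholds (`SCAN_PORT_THRESHOLD`, `STRAGGLER_PORT_LIMIT`) are assumptions chosen for illustration, not PIX settings or published detection values.

```python
import re
from collections import defaultdict

# Constructed sample: the eight lines quoted in the post, followed by six
# constructed lines from a single source that walks several service ports
# without ever completing a handshake (not real traffic).
SAMPLE_LOG = """\
Jan 18 12:43:50 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 208.58.193.69/1062 to a.b.c.d/443 flags ACK
Jan 18 12:43:50 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 208.58.193.69/1062 to a.b.c.d/443 flags ACK
Jan 18 12:43:50 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 208.58.193.69/1062 to a.b.c.d/443 flags ACK
Jan 18 12:43:51 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 208.58.193.69/1064 to a.b.c.d/80 flags RST
Jan 18 12:43:52 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 208.58.193.69/1061 to a.b.c.d/80 flags RST
Jan 18 12:43:52 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 24.188.77.55/1684 to 1.2.3.4/80 flags RST ACK
Jan 18 12:43:53 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 206.28.32.70/2907 to a.b.c.d/80 flags PSH ACK
Jan 18 12:43:54 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 206.10.105.113/1302 to a.b.c.d/80 flags FIN ACK
Jan 18 12:44:01 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 203.0.113.7/40001 to a.b.c.d/21 flags ACK
Jan 18 12:44:01 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 203.0.113.7/40002 to a.b.c.d/22 flags ACK
Jan 18 12:44:01 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 203.0.113.7/40003 to a.b.c.d/23 flags ACK
Jan 18 12:44:02 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 203.0.113.7/40004 to a.b.c.d/25 flags ACK
Jan 18 12:44:02 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 203.0.113.7/40005 to a.b.c.d/110 flags ACK
Jan 18 12:44:02 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 203.0.113.7/40006 to a.b.c.d/139 flags ACK
"""

# Matches the exact shape of the 106015 lines in the post: timestamp, logging
# host, message id, src/port, dst/port and a space-separated flag list.
PIX_106015 = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<dev>\S+) %PIX-6-106015: "
    r"Deny TCP \(no connection\) from (?P<src>[^/\s]+)/(?P<sport>\d+) "
    r"to (?P<dst>[^/\s]+)/(?P<dport>\d+) flags (?P<flags>.+?)\s*$"
)

# Assumed thresholds for illustration only.
SCAN_PORT_THRESHOLD = 5   # this many distinct destination ports from one source
STRAGGLER_PORT_LIMIT = 2  # at most this many ports, all without SYN, looks like leftovers


def parse_106015(lines):
    """Return one dict per line that is a 106015 deny; other lines are skipped."""
    events = []
    for line in lines:
        m = PIX_106015.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"])
        d["flags"] = frozenset(d["flags"].split())
        events.append(d)
    return events


def summarize_by_source(events):
    """Group denies by source address: hit count, distinct ports, flag sets, SYN seen."""
    per_src = defaultdict(lambda: {"count": 0, "dports": set(), "flags": set(), "syn": False})
    for e in events:
        s = per_src[e["src"]]
        s["count"] += 1
        s["dports"].add(e["dport"])
        s["flags"].add(e["flags"])
        s["syn"] = s["syn"] or ("SYN" in e["flags"])
    return dict(per_src)


def classify(summary):
    """Heuristic verdict per source.

    'scan-like'    : one source spread across many destination ports.
    'late-segment' : a few service ports, every segment lacking SYN, which is
                     what leftover ACK/FIN/RST traffic for a connection the
                     firewall already dropped from its table looks like.
    'unclassified' : anything else (worth a look at the packets, not the log).
    """
    verdicts = {}
    for src, s in summary.items():
        nports = len(s["dports"])
        if nports >= SCAN_PORT_THRESHOLD:
            verdicts[src] = "scan-like"
        elif nports <= STRAGGLER_PORT_LIMIT and not s["syn"]:
            verdicts[src] = "late-segment"
        else:
            verdicts[src] = "unclassified"
    return verdicts


def triage(text):
    """Convenience wrapper: raw syslog text in, {source: verdict} out."""
    return classify(summarize_by_source(parse_106015(text.splitlines())))


if __name__ == "__main__":
    for src, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(f"{src:16} {verdict}")
```

Run against the sample, the sources from the post all come back as late-segment (few ports, no SYN), while the constructed 203.0.113.7 source is flagged scan-like. The heuristic is deliberately coarse: it only separates "spread across ports" from "repeated hits on the ports a service actually listens on", which is the distinction the poster was reasoning about, and it leaves anything in between for a packet capture.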
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:58:22 PDT