Re: [logs] Cisco PIX message documentation

From: Jian Zhen (jlzat_private)
Date: Mon Jul 08 2002 - 22:49:58 PDT

Next message: Tina Bird: "[logs] Archived FW and IDS logs on line"

Previous message: Alexandre Dulaunoy: "Re: AW: [logs] About log files forensics"
In reply to: Tina Bird: "[logs] Cisco PIX message documentation"
Next in thread: Terje Bless: "[logs] Re: Cisco PIX message documentation"
Reply: Terje Bless: "[logs] Re: Cisco PIX message documentation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Has ne1 actually done any parsing with the pix logs? I am finding
some of the log msgs are very confusing as they do not clearly
show the src and dst of the connection..

e.g. 

%pix-6-302005: built udp connection for faddr 10.10.10.10/12215 gaddr 11.11.11.11/55224 laddr 11.11.11.11/55224

(IPs mangled for security purposes)

this shows the ip of the host outside of the firewall, the global ip 
of the host inside of the firewall, and the local ip of the host inside 
the firewall..

but it has no indication of inbound or outbound...

has anyone thought of how to decipher this? 

this is the same with the tear down msgs, e.g.

%pix-6-302002: teardown tcp connection 16087 faddr 10.10.10.10/25 gaddr 11.11.11.11/38952 laddr 11.11.11.11/38952 duration 0:00:01 bytes 4223 (tcp fins)

Looking at  the log, you can probably guess the this was a outbound 
connection since the external port is 25, and i can apply some logic
to the parsing code to check for that..o

but u can see how that could be confusing when the ports are not so
obvious..

another thing i could do is look back in the logs for connection id 16087
and figure out what's the src and what's the dst...but when i am trying
to parse this on the fly to insert into db...it gets a bit difficult..

any thoughts?

thx...


Tina Bird (tbird@precision-guesswork.com) [020703 04:26]:
> http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/syslog/pixemsgs.htm
> 
> on the outside chance you've not seen this.
> 
> cheers -- tbird
> 
> "The road of excess leads to the palace of wisdom."
>                                   William Blake, "Proverbs of Hell"
> 
> http://www.shmoo.com/~tbird
> Log Analysis http://www.counterpane.com/log-analysis.html
> VPN http://vpn.shmoo.com
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: loganalysis-unsubscribeat_private
> For additional commands, e-mail: loganalysis-helpat_private

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private

Next message: Tina Bird: "[logs] Archived FW and IDS logs on line"
Previous message: Alexandre Dulaunoy: "Re: AW: [logs] About log files forensics"
In reply to: Tina Bird: "[logs] Cisco PIX message documentation"
Next in thread: Terje Bless: "[logs] Re: Cisco PIX message documentation"
Reply: Terje Bless: "[logs] Re: Cisco PIX message documentation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Jul 08 2002 - 22:50:45 PDT