RE: [logs] Cisco PIX logs

From: Rainer Gerhards (rgerhardsat_private)
Date: Fri Jan 31 2003 - 13:27:11 PST

  • Next message: Carroll, Shawn: "RE: [logs] Reliably detecting things like the SQL worm...."

    Shawn,
    
    > Don't want to sound pedantic, but how are you sure the packet 
    > you captured is the same one that generated the log message?  
    > What device/program did you do the capture with?
    
    It's not pedantic. I should have supplied the information firsthand.
    
    Firstly, this is not a single instance. I see a larger number of these
    packets during the past days. *Just* the past few days, not before.
    
    The packet capture was taken on the machine in question itself. It is a
    Windows 2000 Server acting as a DNS server. I took the capture with the
    Microsoft network monitor that comes with the OS.
    
    Whenever I try to correlate what I see in the PIX logs with what I see
    in the packet capture I end up with proper DNS queries/responses in the
    capture and those other ports in the PIX log. It is not always the same
    port in the PIX log, but always way above 1024.
    
    From the packet capture, it looks like the system is doing valid DNS
    queries, and as of my testing, it actually is.
    
    Does this make more sense?
    
    Rainer
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
    



    This archive was generated by hypermail 2b30 : Fri Jan 31 2003 - 15:30:46 PST