RE: [logs] Cisco PIX logs

From: Carroll, Shawn (SCarrollat_private)
Date: Fri Jan 31 2003 - 14:08:29 PST

# -----Original Message-----
# From: Rainer Gerhards [mailto:rgerhardsat_private]
# Sent: Friday, January 31, 2003 4:27 PM
# To: Carroll, Shawn; loganalysisat_private
# Subject: RE: [logs] Cisco PIX logs
# Shawn,
# > Don't want to sound pedantic, but how are you sure the packet 
# > you captured is the same one that generated the log message?  
# > What device/program did you do the capture with?
# It's not pedantic. I should have supplied the information firsthand.
# Firstly, this is not a single instance. I see a larger number of these
# packets during the past days. *Just* the past few days, not before.
# The packet capture was taken on the machine in question itself. It is a
# Windows 2000 Server acting as a DNS server. I took the capture with the
# Microsoft network monitor that comes with the OS.
# Whenever I try to correlate what I see in the PIX logs with what I see
# in the packet capture I end up with proper DNS queries/responses in the
# capture and those other ports in the PIX log. It is not always the same
# port in the PIX log, but always way above 1024.
# From the packet capture, it looks like the system is doing valid DNS
# queries, and as of my testing, it actually is.
# Does this make more sense?

Yep.  Bizarre, though.  Could be a bug on the PIX.  Putting a "disinterested
3rd party" (read: '*n?x box + tcpdump -s 1500 -w "dump.cap"') on the wire
would tell you if an outbound UDP 5780 packet is being generated by the
Windows server, or both that AND the DNS packet.  I feel like something's
missing.  That's why I usually do FULL packet captures, and display-filter
what's been captured.  You know that you've seen all the packets on the wire
during a certain time frame.

LogAnalysis mailing list

This archive was generated by hypermail 2b30 : Fri Jan 31 2003 - 15:39:52 PST