Jason, I totally agree. In v6.3 we added the capability to log individual ACEs in a way that is similar to IOS. For everyone else an ACL = Access Control List, ACE = Access Control Element or one statement or line in an ACL. An IOS or PIX ACL can have lots of ACEs (the limit is configuration size or memory in the device; whichever comes first). The default ACL logging behavior is that if a packet is denied, then a 106023 message is generated. If a packet is permitted, then no log message is generated. Using the new "log" option a 106100 message is generated for every matching permit or deny ACE flow that passes through the PIX. The team added an interval and "hitcnt" variable to summarize if an ACE gets hit time and time again within the interval. This keeps the log from exploding. The default interval is 600 seconds. Using this you really need to do off box analysis to figure out what is going on. Scanning the actual log file if you see 106100 with an interval of 600 seconds it's easy to see if a particular ACE is getting hit often; the "hitcnt" would be a higher number (of course your mileage may vary but it gives you something else to tell folks to look for over time). The 6.3 command reference is here: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/ab.htm Liberty for All, Brian At 04:29 PM 10/23/2003 +1300, Jason Haar wrote: >On Wed, Oct 22, 2003 at 05:22:16PM -0400, Brian Ford wrote: > > The other thing we did is to allow the suppression of messages based on > the > > ID. So if you don't like the "Built Dynamic Translation" message you can > > make it so your PIX never emits that message again. And when I say > never I > > mean until you take that line out of the configuration. But it does > >I don't want to turn this into a PIX-thread - but I will :-) > >This feature isn't as great as it seems. To be honest, the PIX still has a >ways to go before its ACL support is as good as IOS. Why? Because under IOS >you can tell an *individual* ACL whether it's going to log or not. Under the >PIX, all you can do is log, or block logging on a "message number" - you >can't get any finer grained. > >e.g. our PIX blocks TONNES of outgoing TCP port 137,139 connections: Windows >is TERRIBLE at promiscuously throwing packets about. There is so much that >it is causing nothing but grief on our security loggers - so I want to >disable them. They come under rule %PIX-4-106023 - but if I disable that, I >also lose logging of internal hosts connecting to anything else - >such as port 135 - which implies BLASTER. > >I don't want to miss seeing that, so I can't block %PIX-4-106023... :-( Brian Ford Consulting Engineer, Security & Integrity Specialist Office of Strategic Technology Planning Cisco Systems Inc. http://www.cisco.com/go/safe/ The opinions expressed in this message are those of the author and not necessarily those of Cisco Systems, Inc. _______________________________________________ LogAnalysis mailing list LogAnalysis@private http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Thu Oct 23 2003 - 10:23:36 PDT