Re: [logs] firewall logging and rulesets

From: Brian Ford (brford@private)
Date: Thu Oct 23 2003 - 06:11:50 PDT

  • Next message: Hyndman, Scott: "RE: [logs] firewall logging and rulesets"

    I totally agree.
    In v6.3 we added the capability to log individual ACEs in a way that is 
    similar to IOS.
    For everyone else an ACL = Access Control List, ACE = Access Control 
    Element or one statement or line in an ACL.  An IOS or PIX ACL can have 
    lots of ACEs (the limit is configuration size or memory in the device; 
    whichever comes first).
    The default ACL logging behavior is that if a packet is denied, then a 
    106023 message is generated.  If a packet is permitted, then no log message 
    is generated.
    Using the new "log" option a 106100 message is generated for every matching 
    permit or deny ACE flow that passes through the PIX. The team added an 
    interval and "hitcnt" variable to summarize if an ACE gets hit time and 
    time again within the interval.  This keeps the log from exploding.  The 
    default interval is 600 seconds.   Using this you really need to do off box 
    analysis to figure out what is going on.  Scanning the actual log file if 
    you see 106100 with an interval of 600 seconds it's easy to see if a 
    particular ACE is getting hit often; the "hitcnt" would be a higher number 
    (of course your mileage may vary but it gives you something else to tell 
    folks to look for over time).
    The 6.3 command reference is here:
    Liberty for All,
    At 04:29 PM 10/23/2003 +1300, Jason Haar wrote:
    >On Wed, Oct 22, 2003 at 05:22:16PM -0400, Brian Ford wrote:
    > > The other thing we did is to allow the suppression of messages based on 
    > the
    > > ID.  So if you don't like the "Built Dynamic Translation" message you can
    > > make it so your PIX never emits that message again.  And when I say 
    > never I
    > > mean until you take that line out of the configuration.  But it does
    >I don't want to turn this into a PIX-thread - but I will :-)
    >This feature isn't as great as it seems. To be honest, the PIX still has a
    >ways to go before its ACL support is as good as IOS. Why? Because under IOS
    >you can tell an *individual* ACL whether it's going to log or not. Under the
    >PIX, all you can do is log, or block logging on a "message number" - you
    >can't get any finer grained.
    >e.g. our PIX blocks TONNES of outgoing TCP port 137,139 connections: Windows
    >is TERRIBLE at promiscuously throwing packets about. There is so much that
    >it is causing nothing but grief on our security loggers - so I want to
    >disable them. They come under rule %PIX-4-106023 - but if I disable that, I
    >also lose logging of internal hosts connecting to anything else -
    >such as port 135 - which implies BLASTER.
    >I don't want to miss seeing that, so I can't block %PIX-4-106023... :-(
    Brian Ford
    Consulting Engineer, Security & Integrity Specialist
    Office of Strategic Technology Planning
    Cisco Systems Inc.
    The opinions expressed in this message are those of the author and not 
    necessarily those of Cisco Systems, Inc.
    LogAnalysis mailing list

    This archive was generated by hypermail 2b30 : Thu Oct 23 2003 - 10:23:36 PDT