Message PIX-5-304001, which is part of a "transaction" between 302013 and 302014, isn't necessarily between the two messages.

Mar 29 2004 09:56:17: %PIX-5-304001: 192.168.0.2 Accessed URL 66.102.9.99

Sometimes I see a bunch of 302013's and 302014's before I see a 304001. Can I assume that it is ordered regardless?

Thanks!

--- Adrian Grigorof <adi@private> wrote:

> Hello,
>
> For Pix v.6.1.x and I guess 6.2.x, each connection is recorded by Pix with 2 messages (referenced by the connection number, 360478 for the example below):
>
> %PIX-6-302001: Built inbound TCP connection 360478 for faddr 205.19.214.250/2277 gaddr 209.161.100.227/25 laddr 192.168.0.40/25
> %PIX-6-302002: Teardown TCP connection 360478 faddr 205.19.214.250/2277 gaddr 209.161.100.227/25 laddr 192.168.0.40/25 duration 0:00:01 bytes 1643 (TCP FINs)
>
> The "Teardown" message contains the number of bytes. From my experience, only the TCP connections have the number of bytes; the messages related to UDP connections do not record it (and no connection number either):
>
> %PIX-6-302005: Built UDP connection for faddr 209.161.100.227/514 gaddr 209.161.200.226/37435 laddr 192.168.0.10/1233
> %PIX-6-302006: Teardown UDP connection for faddr 209.161.100.227/514 gaddr 209.161.200.226/37435 laddr 192.168.0.10/1233
>
> Pix v. 6.3.x records the number of bytes for the UDP connections as well:
>
> %PIX-6-302015: Built outbound UDP connection 33 for outside:192.175.48.1/53 (192.175.48.1/53) to inside:192.168.5.20/1250 (209.161.100.236/1250)
> %PIX-6-302016: Teardown UDP connection 33 for outside:192.175.48.1/53 to inside:192.168.5.20/1250 duration 0:00:01 bytes 153
>
> BTW, you need logging level 6 in order to record this type of information.
>
> Regards,
>
> Adrian Grigorof
> www.eventid.net
> www.firegen.com
>
> ----- Original Message -----
> From: "Walter" <walter_100@private>
> To: <loganalysis@private>
> Sent: Monday, February 14, 2005 1:44 AM
> Subject: [logs] Re: Granular Analysis of PIX syslogs
>
> > Hello,
> >
> > I gleaned over PIX v6.2 messages and then looked at some of the links that had some reports on Bandwidth consumed by a Source IP Address. (I think it was from eventid.net) Most of the PIX logs are really permit/deny messages without any message really mentioning bytes sent/recvd. I was wondering how, then, the BW consumed is calculated. Am I missing something?
> >
> > Thanks!
> > Walter

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
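An added example (not from either poster) of the per-host byte accounting the thread is about: it pairs the Built/Teardown messages quoted above by connection number rather than by position, so a 304001 or other message landing between them is irrelevant, and it reports the 6.1/6.2 UDP messages that carry no byte count as unattributable. Assumptions: the 302013/302014 TCP messages Walter mentions share the 302015/302016 layout, and the inner interface is named "inside" as in Adrian's example.

```python
import re
from collections import defaultdict

# PIX 6.1/6.2 TCP (302001/302002): connection number plus faddr/gaddr/laddr; laddr is
# the local (inside) host. 6.1/6.2 UDP (302005/302006) has neither number nor bytes.
OLD_BUILT = re.compile(r"%PIX-6-302001: Built \w+ TCP connection (\d+) for "
                       r"faddr \S+ gaddr \S+ laddr ([\d.]+)/\d+")
OLD_TEARDOWN = re.compile(r"%PIX-6-302002: Teardown TCP connection (\d+) .*?bytes (\d+)")
OLD_UDP = re.compile(r"%PIX-6-30200[56]: ")
# PIX 6.3 (302015/302016 on the page): interface:addr/port pairs. ASSUMED: the TCP pair
# 302013/302014 uses the same layout, and the inner interface is named "inside".
NEW_BUILT = re.compile(r"%PIX-6-30201[35]: Built \w+ (?:TCP|UDP) connection (\d+) for (.+)")
NEW_TEARDOWN = re.compile(r"%PIX-6-30201[46]: Teardown (?:TCP|UDP) connection (\d+) .*?bytes (\d+)")
IFACE_ADDR = re.compile(r"(\w+):([\d.]+)/\d+")


def bytes_per_inside_host(lines, inside_if="inside"):
    """Sum Teardown byte counts per inside host, pairing Built/Teardown by connection
    number. Returns ({host: bytes}, teardowns_without_built, udp_without_bytes)."""
    open_conns = {}  # connection number -> inside host
    totals = defaultdict(int)
    unmatched = unattributable = 0
    for line in lines:
        if m := OLD_BUILT.search(line):
            open_conns[m.group(1)] = m.group(2)
        elif m := NEW_BUILT.search(line):
            hosts = dict(IFACE_ADDR.findall(m.group(2)))
            if inside_if in hosts:
                open_conns[m.group(1)] = hosts[inside_if]
        elif m := (OLD_TEARDOWN.search(line) or NEW_TEARDOWN.search(line)):
            # pop, so a later reuse of the same number cannot be credited to a stale Built
            host = open_conns.pop(m.group(1), None)
            if host is None:
                unmatched += 1
            else:
                totals[host] += int(m.group(2))
        elif OLD_UDP.search(line):
            unattributable += 1
    return dict(totals), unmatched, unattributable


# Constructed sample: the thread's lines, a 304001 interleaved, and a Teardown with no Built.
SAMPLE = [
    "%PIX-6-302001: Built inbound TCP connection 360478 for faddr 205.19.214.250/2277 gaddr 209.161.100.227/25 laddr 192.168.0.40/25",
    "%PIX-5-304001: 192.168.0.2 Accessed URL 66.102.9.99",
    "%PIX-6-302002: Teardown TCP connection 360478 faddr 205.19.214.250/2277 gaddr 209.161.100.227/25 laddr 192.168.0.40/25 duration 0:00:01 bytes 1643 (TCP FINs)",
    "%PIX-6-302005: Built UDP connection for faddr 209.161.100.227/514 gaddr 209.161.200.226/37435 laddr 192.168.0.10/1233",
    "%PIX-6-302006: Teardown UDP connection for faddr 209.161.100.227/514 gaddr 209.161.200.226/37435 laddr 192.168.0.10/1233",
    "%PIX-6-302015: Built outbound UDP connection 33 for outside:192.175.48.1/53 (192.175.48.1/53) to inside:192.168.5.20/1250 (209.161.100.236/1250)",
    "%PIX-6-302016: Teardown UDP connection 33 for outside:192.175.48.1/53 to inside:192.168.5.20/1250 duration 0:00:01 bytes 153",
    "%PIX-6-302014: Teardown TCP connection 99 for outside:10.0.0.1/80 to inside:192.168.5.21/2000 duration 0:00:05 bytes 500",
]
```

Note that Teardown messages whose Built was never logged (logging level raised mid-connection, or a rolled log) are counted but cannot be attributed, so a non-zero unmatched count is a sign the totals undercount.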
This archive was generated by hypermail 2.1.3 : Fri May 27 2005 - 13:49:18 PDT