Re: Re: spoofing 255.255.255.255 techniques

From: Ron Russell (ronat_private)
Date: Thu Jul 12 2001 - 08:05:30 PDT


    But of course you can use the log buffer command and watch what shows up in
    the buffer to determine where the ACL is dropping the packets and what the
    port # is.
    
    Ron Russell - MCSE, CCNA, CNE
    480-6-Buddha
    Silicon Buddha LLC
    Enlightened Network Services
    www.siliconbuddha.com
    ----- Original Message -----
    From: "Erik Nodland" <erik.nodlandat_private>
    To: <pen-testat_private>
    Sent: Tuesday, July 10, 2001 11:27 AM
    Subject: RE: Re: spoofing 255.255.255.255 techniques
    
    
    Version 6.0 of the PIX software will give you port information when blocked
    by ACLs. I have used this image a number of times and have had no problems with
    it. Getting information on what ports were being blocked by an ACL was a
    godsend in certain ISP environments I was installing and in most cases was
    expected/taken for granted by the customer!!
    
    regards,
    
    Erik
    
    
    -----Original Message-----
    From: MIKE.DONOFRIOat_private
    [mailto:MIKE.DONOFRIOat_private]
    Sent: 06 July 2001 21:14
    To: erik.nodlandat_private
    Subject: Fwd: Re: spoofing 255.255.255.255 techniques
    
    
    Just FYI
    
       Using ACLs does limit the information you get to the Syslog server
    compared to what you would get using Conduits.  Cisco was supposed to be
    working on a fix for it.  On revisions of code before 5.3.1 you would just
    get Protocol XX (i.e. 6, 17, 1) and no port.  At least after 5.3.1 you get
    TCP, UDP...  I have contacted Cisco several times on this issue and I get the
    "Next Release" response :)  Anyone know if this is fixed in 6.0?
    
    Regards,
    Mike D'Onofrio
    
    
    > Our PIX does not indicate source or destination ports
    > perhaps because the "IP spoof" criteria was already
    > triggered in its logic chain, denying the packet and
    > making a syslog entry.
    
    It's been my experience that the PIX will not provide port information if
    the packet is blocked by an ACL.  However, it *will* provide port
    information if the packet is blocked because there is no "conduit"
    allowing the traffic.
    
    I'm not sure if the spoof detection mechanism supersedes this.
    
    Hope this helps.
    
    -Blake
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service, which
    automatically alerts you to the latest security vulnerabilities, please see:
    https://alerts.securityfocus.com/
    
    
    



    This archive was generated by hypermail 2b30 : Thu Jul 12 2001 - 12:10:46 PDT