[fw-wiz] Help me interpret these log entries....
I have looked, and I am either not phrasing my searches correctly on the search engines or there is not a great deal of information on this.

I am seeing many of the following lines in the logs from my PIX:

%PIX-4-106100: access-list 101 denied tcp outside/s.s.s.s(80) -> inside/d.d.d.d(xxx)

where 1024 < xxx < 65535

And I have also seen ports other than 80 used as the source port (e.g. 443, 25).

The closest thing I can think of is that this is some sort of TCP reset attack. Is this correct?

The next questions are: should I be worried, and what should I do about it?

I am thinking of adding a rule to explicitly block inbound traffic from the internet on these source ports and not bother logging it. That shouldn't affect traffic from these ports for outbound established connections (right?) and cut down the noise in my logs. I don't want to kill any functionality from inside->out and I also don't want to blind myself to a real threat.

Anybody care to share an opinion on this?

Bob.

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
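One way to triage the entries Bob describes, as an added Python example that is not from the thread: it parses the 106100 line shape quoted above and reports, per remote host, how many of the denied inbound packets with a service source port and an ephemeral destination port there were and how many distinct inside ports they touched. The sample lines and addresses are constructed; the regex assumes the field layout shown in the post.

```python
import re
from collections import defaultdict
# Field layout of the PIX 106100 access-list message quoted in the post; PIX may
# append "hit-cnt N ..." after the ports, which re.search tolerates (assumption).
LOG_RE = re.compile(
    r"%PIX-4-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<sif>\w+)/(?P<sip>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>\w+)/(?P<dip>[\d.]+)\((?P<dport>\d+)\)"
)
# Service ports that show up as the *source* port of the denied inbound packets
SERVICE_PORTS = {25, 80, 443}

def parse(line):
    """Return the 106100 fields as a dict (ports as int), or None if no match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d

def is_stray_reply(e):
    """The pattern from the post: TCP denied inbound on outside, service source
    port, ephemeral destination port. Typically late segments of a session the
    inside host already closed, or a scan hiding behind a service source port."""
    return (e["action"] == "denied" and e["proto"] == "tcp"
            and e["sif"] == "outside" and e["sport"] in SERVICE_PORTS
            and e["dport"] > 1023)

def triage(lines):
    """Per remote host: hits and distinct inside ports touched. A few ports hit
    repeatedly reads as closed-session leftovers; many distinct ports reads as
    a scan that deserves a look before the deny is silenced."""
    seen = defaultdict(list)
    for line in lines:
        e = parse(line)
        if e and is_stray_reply(e):
            seen[e["sip"]].append(e["dport"])
    return {h: {"hits": len(p), "distinct_ports": len(set(p))} for h, p in seen.items()}

# Constructed sample lines (documentation addresses), not taken from real logs
SAMPLE = [
    "%PIX-4-106100: access-list 101 denied tcp outside/203.0.113.7(80) -> inside/192.0.2.10(33041)",
    "%PIX-4-106100: access-list 101 denied tcp outside/203.0.113.7(80) -> inside/192.0.2.10(33041)",
    "%PIX-4-106100: access-list 101 denied tcp outside/198.51.100.9(443) -> inside/192.0.2.10(40001)",
    "%PIX-4-106100: access-list 101 denied tcp outside/198.51.100.9(80) -> inside/192.0.2.10(40002)",
    "%PIX-4-106100: access-list 101 denied tcp outside/198.51.100.9(25) -> inside/192.0.2.11(40003)",
    "%PIX-4-106100: access-list 101 permitted tcp inside/192.0.2.10(51000) -> outside/203.0.113.7(80)",
    "%PIX-4-106100: access-list 101 denied tcp outside/203.0.113.50(1234) -> inside/192.0.2.10(22)",
]
```

Feeding the real syslog export through `triage` gives the per-host split the post asks about before any new deny rule is added.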