RE: [fw-wiz] Help me interpret these log entries....



Bob,

I have seen traffic like this as well. I thought (based on best guess) it
was a scan that tried to pierce non-stateful firewalls such as ipchains
where the rule for the outbound packet is a separate rule to the return
packet (and vice versa). Any other opinions?

Some legit (non malicious) traffic can appear like this just because the
service you are connecting to has taken too long to respond and the
connection has fallen out of the firewall's state table (more prevalent in
systems that have a pseudo state for UDP). The firewall will drop it anyway.
If you !LOG this traffic then you may have difficulties tracking these types
of issues, but it's the same with any decision to LOG or !LOG.

If the firewall is denying the traffic anyway, the only benefit I can see in
!LOG is a reduction in log volume. I would put it just above the last DENY
rule in the chain if it were me so as not to hamper any of the rules above
it.

Hope this helps and is close....
--
Regards,
Mathew Want
ac3
Network and Security Engineer
Phone: +61 2 9209 4600
Email: mathew.want@xxxxxxxxxx
URL: http://www.ac3.com.au
------------------------------------
"Some things are eternal by nature,
others by consequence"
------------------------------------

-----Original Message-----
From: firewall-wizards-admin@xxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-admin@xxxxxxxxxxxxxxxxxx] On Behalf Of Bob
Sent: Wednesday, 8 March 2006 1:22 AM
To: firewall-wizards@xxxxxxxxxxxxxxxxxx
Subject: [fw-wiz] Help me interpret these log entries....

I have looked, and I am either not phrasing my searches correctly on the
search engines or there is not a great deal of information on this.

I am seeing many of the following lines in the logs from my PIX:

%PIX-4-106100: access-list 101 denied tcp outside/s.s.s.s(80) ->
inside/d.d.d.d(xxx)

where 1024 < xxx < 65535

And also, I have seen ports other than 80 used as the source port
(e.g. 443, 25).

The closest thing I can think of is that this is some sort of TCP reset
attack. Is this correct?

The next questions are should I be worried and what should I do about it?

I am thinking of adding a rule to explicitly block inbound traffic from
the internet on these source ports and not bother logging it. That
shouldn't affect traffic from these ports for outbound established
connections (right?) and cut down the noise in my logs. I don't want to
kill any functionality from inside->out and I also don't want to blind
myself to a real threat.

Anybody care to share an opinion on this?

Bob.

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
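The two explanations offered in this thread (a scan from a fixed low source port aimed at filters that admit "replies" by port number, versus the odd late reply that arrived after the connection aged out of the state table) leave different fingerprints in the 106100 lines Bob quoted. The script below is an added example written for this archive page; it is not code from the thread, from Cisco, or from either poster. It parses lines in the format Bob showed, keeps only denied TCP packets that are reply-shaped (well-known source port, ephemeral destination port), and groups them by outside host and source port: one outside host touching many inside hosts from the same source port reads as a source-port scan, a single event against a single inside host reads as a stray reply. The IP addresses, the sample log text, the set of service ports and the threshold of four inside hosts are all constructed assumptions for the example; a real deployment would also correlate each stray against the firewall's own connection build and teardown records before accepting the "late reply" verdict.

```python
"""Classify Cisco PIX 106100 'denied tcp' log lines by source-port pattern.

Added example for this archive page, not code from the thread.  It separates
an outside host that sprays one fixed low source port (80/443/25) across many
inside hosts from a single reply packet that arrived after its connection
had already aged out of the firewall's state table.
"""
import re
from collections import defaultdict

# Matches the 106100 line in the shape quoted in the thread; any trailing
# fields a particular software release appends are simply ignored.
PIX_106100 = re.compile(
    r"%PIX-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<sif>\w+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>\w+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)

SERVICE_PORTS = {80, 443, 25}   # the source ports Bob reported seeing
SCAN_THRESHOLD = 4              # distinct inside hosts before we call it a scan (assumption)


def parse_line(line):
    """Return a dict of fields for one 106100 line, or None if it is not one."""
    m = PIX_106100.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def reply_shaped(rec):
    """True when the packet looks like a server reply: well-known source port,
    ephemeral (1024-65535) destination port.  This is the pattern in the post."""
    return rec["sport"] in SERVICE_PORTS and 1023 < rec["dport"] < 65536


def summarize(log_text):
    """Group denied, reply-shaped TCP packets by (outside host, source port)
    and attach a verdict based on how many inside hosts each group touched."""
    groups = defaultdict(lambda: {"events": 0, "inside_hosts": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "denied" or rec["proto"] != "tcp":
            continue
        if not reply_shaped(rec):
            continue
        g = groups[(rec["src"], rec["sport"])]
        g["events"] += 1
        g["inside_hosts"].add(rec["dst"])

    result = {}
    for key, g in groups.items():
        n = len(g["inside_hosts"])
        if n >= SCAN_THRESHOLD:
            verdict = ("source-port scan: one outside host, fixed source port, "
                       "many inside targets")
        else:
            verdict = ("stray reply: few inside targets, consistent with a "
                       "connection that aged out of the state table")
        result[key] = {"events": g["events"], "inside_hosts": n, "verdict": verdict}
    return result


# Constructed sample log (not from the original post).  198.51.100.7 sweeps
# five inside hosts from source port 80; 203.0.113.9 sends one late reply
# from port 443 to a single inside host; the last two lines are noise that
# the filter should ignore (non-service source port, and a permitted packet).
SAMPLE_LOG = """\
%PIX-4-106100: access-list 101 denied tcp outside/198.51.100.7(80) -> inside/10.0.0.11(1055)
%PIX-4-106100: access-list 101 denied tcp outside/198.51.100.7(80) -> inside/10.0.0.12(1055)
%PIX-4-106100: access-list 101 denied tcp outside/198.51.100.7(80) -> inside/10.0.0.13(1055)
%PIX-4-106100: access-list 101 denied tcp outside/198.51.100.7(80) -> inside/10.0.0.14(1055)
%PIX-4-106100: access-list 101 denied tcp outside/198.51.100.7(80) -> inside/10.0.0.15(1055)
%PIX-4-106100: access-list 101 denied tcp outside/203.0.113.9(443) -> inside/10.0.0.42(3321)
%PIX-4-106100: access-list 101 denied tcp outside/192.0.2.5(3389) -> inside/10.0.0.42(3389)
%PIX-4-106100: access-list 101 permitted tcp outside/192.0.2.6(80) -> inside/10.0.0.42(2048)
"""

if __name__ == "__main__":
    for (src, sport), info in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src}:{sport} events={info['events']} "
              f"inside_hosts={info['inside_hosts']} -> {info['verdict']}")
```

Run against a real syslog export, the grouping is what matters more than the verdict strings: a scan shows up as one (outside host, source port) key with a wide fan-out, and the "!LOG to cut noise" rule Bob is considering would hide exactly that fan-out, which is the argument for keeping the deny logged, or at least sampled, rather than silenced.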
