RE: [fw-wiz] Help me interpret these log entries....
- From: "Paul Melson" <pmelson@xxxxxxxxx>
- Date: Wed, 8 Mar 2006 09:40:57 -0500
-----Original Message-----
Subject: [fw-wiz] Help me interpret these log entries....
I am seeing many of the following lines in the logs from my PIX:inside/d.d.d.d(xxx)
%PIX-4-106100: access-list 101 denied tcp outside/s.s.s.s(80) ->
attack. Is this
where 1024 < xxx < 65535
The closest thing I can think of is that this is some sort of TCP reset
correct?
Actually, it's probably not an attack at all. It's a common symptom of TCP
connections over stateful firewalls. Look through your log and you will
probably see within close proximity a permit entry (Built TCP ...) from
d.d.d.d to s.s.s.s. Although if d.d.d.d is a global NAT address, you will
probably see the original client address and a source port that doesn't
match (because source ports change with global NAT / PAT).
What happens is that the firewall has already seen the client close the
connection (either via RST or FIN) and has deleted the entry from the state
table. The server tries to send FIN+ACK like it's supposed to, but isn't
fast enough and the firewall drops the packet because it doesn't match
anything in the state table.
More here:
http://seclists.org/lists/firewall-wizards/2005/Jun/0054.html
PaulM
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
- References:
- Prev by Date: [fw-wiz] Call for Papers: NSPW Deadline Extended
- Next by Date: [fw-wiz] General guideline for embryonic vs. max connections?
- Previous by thread: RE: [fw-wiz] Help me interpret these log entries....
- Next by thread: [fw-wiz] PIX debug packet not honoring proto
- Index(es):
Relevant Pages
|
|
