- Posts: 34
- Thank you received: 0
Syslog message from pix
- psiclonius
- Topic Author
- Offline
- Junior Member
-
Less
More
18 years 1 month ago #17506
by psiclonius
Syslog message from pix was created by psiclonius
Hey Everyone,
I'm seeing alot of this message on my pix, but can't find a good explanation:
Is this a possible port scan?? Also is it more important to look at the src port or the dst port when looking at syslog files?
[code:1]
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9661
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9662
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9680
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9682
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9731
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9732
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9733
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9734
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9737
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9738
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9739
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9740
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9741
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9742
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9746
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9747
PiX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9748
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9750
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9751
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9743
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9744
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9745
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9752
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9753
[/code:1]
I'm seeing a bunch of these messages during off hr. Is this a possible DoS attack?
[code:1]
PIX-4-106023: Deny icmp src outside:207.203.159.65 dst inside:72.149.x.x (type 11, code 0) by access-group "outside_in"
PIX-4-106023: Deny icmp src outside:207.203.159.65 dst inside:72.149.x.x (type 11, code 0) by access-group "outside_i
[/code:1]
So far I looked the IP's up in DNSSTUFF.com and added a shun command to the pix for the address. ...am I over reacting, because the traffic is being blocked by the pix
I'm seeing alot of this message on my pix, but can't find a good explanation:
Is this a possible port scan?? Also is it more important to look at the src port or the dst port when looking at syslog files?
[code:1]
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9661
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9662
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9680
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9682
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9731
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9732
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9733
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9734
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9737
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9738
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9739
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9740
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9741
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9742
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9746
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9747
PiX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9748
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9750
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9751
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9743
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9744
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9745
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9752
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9753
[/code:1]
I'm seeing a bunch of these messages during off hr. Is this a possible DoS attack?
[code:1]
PIX-4-106023: Deny icmp src outside:207.203.159.65 dst inside:72.149.x.x (type 11, code 0) by access-group "outside_in"
PIX-4-106023: Deny icmp src outside:207.203.159.65 dst inside:72.149.x.x (type 11, code 0) by access-group "outside_i
[/code:1]
So far I looked the IP's up in DNSSTUFF.com and added a shun command to the pix for the address. ...am I over reacting, because the traffic is being blocked by the pix
18 years 1 month ago #17522
by Smurf
Sorry, not done much with SYSLOG on the pix (its one of my next jobs to configure it all). Anyhow, not sure about the first part of the question without researching it which unfortunatley i aint got time at the mo as i am onsite fixing an AD Replication issue.
The second bit is the ICMP code for Time Exceeded.
If you take a look at this article it tells ya what can cause this situatation so its probably ok traffic.
www.tcpipguide.com/free/t_ICMPv4TimeExceededMessages.htm
Cheers
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Replied by Smurf on topic Re: Syslog message from pix
I'm seeing a bunch of these messages during off hr. Is this a possible DoS attack?
PIX-4-106023: Deny icmp src outside:207.203.159.65 dst inside:72.149.x.x (type 11, code 0) by access-group "outside_in"
PIX-4-106023: Deny icmp src outside:207.203.159.65 dst inside:72.149.x.x (type 11, code 0) by access-group "outside_i
Sorry, not done much with SYSLOG on the pix (its one of my next jobs to configure it all). Anyhow, not sure about the first part of the question without researching it which unfortunatley i aint got time at the mo as i am onsite fixing an AD Replication issue.
The second bit is the ICMP code for Time Exceeded.
If you take a look at this article it tells ya what can cause this situatation so its probably ok traffic.
www.tcpipguide.com/free/t_ICMPv4TimeExceededMessages.htm
Cheers
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Time to create page: 0.114 seconds