Cisco Systems Help on security logs

Help on security logs
Posted by timleeanderson on December 20, 2005, 11:22 am
At my place of business, we have received these logs, which are
somewhat confusing to us. Could anyone shed some light on these
messages, like where an attack like this would be coming from? Thanks.

 #  Device  Interface   Timestamp             Facility  Severity  Mnemonic      Description / Details
 1  6509-1  172.18.0.2  Dec 16 2005 07:32:00  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 217.81.250.217(1245) -> 0.0.0.0(23), 2 packets
 2  6509-1  172.18.0.2  Dec 16 2005 07:26:13  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 217.81.250.217(1245) -> 0.0.0.0(23), 1 packet
 3  6509-1  172.18.0.2  Dec 16 2005 07:11:01  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 201.3.147.64(2377) -> 0.0.0.0(23), 2 packets
 4  6509-1  172.18.0.2  Dec 16 2005 07:05:05  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 201.3.147.64(2377) -> 0.0.0.0(23), 1 packet
 5  6509-2  172.18.0.3  Dec 16 2005 07:02:36  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 84.100.208.139(1828) -> 0.0.0.0(23), 2 packets
 6  6509-1  172.18.0.2  Dec 16 2005 06:58:01  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 61.223.230.121(4105) -> 0.0.0.0(23), 2 packets
 7  6509-2  172.18.0.3  Dec 16 2005 06:57:25  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 84.100.208.139(1828) -> 0.0.0.0(23), 1 packet
 8  6509-1  172.18.0.2  Dec 16 2005 06:52:39  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 61.223.230.121(4105) -> 0.0.0.0(23), 1 packet
 9  6509-1  172.18.0.2  Dec 16 2005 06:45:01  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 62.183.157.7(1781) -> 0.0.0.0(23), 2 packets
10  6509-1  172.18.0.2  Dec 16 2005 06:39:22  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 62.183.157.7(1781) -> 0.0.0.0(23), 1 packet
11  6509-1  172.18.0.2  Dec 16 2005 06:39:22  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 84.103.225.112(4661) -> 0.0.0.0(23), 1 packet
12  6509-2  172.18.0.3  Dec 16 2005 06:32:37  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 82.172.127.123(3253) -> 0.0.0.0(23), 2 packets
13  6509-2  172.18.0.3  Dec 16 2005 06:31:37  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 200.181.113.209(2221) -> 0.0.0.0(23), 2 packets
14  6509-2  172.18.0.3  Dec 16 2005 06:26:44  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 82.172.127.123(3253) -> 0.0.0.0(23), 1 packet
15  6509-2  172.18.0.3  Dec 16 2005 06:26:44  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 61.216.0.47(4769) -> 0.0.0.0(23), 2 packets
16  6509-2  172.18.0.3  Dec 16 2005 06:26:03  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 200.181.113.209(2221) -> 0.0.0.0(23), 1 packet
17  6509-1  172.18.0.2  Dec 16 2005 06:25:01  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 82.76.88.114(4113) -> 0.0.0.0(23), 2 packets
18  6509-2  172.18.0.3  Dec 16 2005 06:21:28  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 61.216.0.47(4769) -> 0.0.0.0(23), 1 packet
19  6509-1  172.18.0.2  Dec 16 2005 06:20:24  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 82.76.88.114(4113) -> 0.0.0.0(23), 1 packet
20  6509-1  172.18.0.2  Dec 16 2005 06:17:01  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 83.100.150.149(2814) -> 0.0.0.0(23), 2 packets
21  6509-1  172.18.0.2  Dec 16 2005 06:14:01  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 213.73.185.91(4617) -> 0.0.0.0(23), 2 packets
22  6509-2  172.18.0.3  Dec 16 2005 06:11:37  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 219.86.166.237(3884) -> 0.0.0.0(23), 2 packets
23  6509-1  172.18.0.2  Dec 16 2005 06:11:37  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 83.100.150.149(2814) -> 0.0.0.0(23), 1 packet
24  6509-1  172.18.0.2  Dec 16 2005 06:08:02  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 213.73.185.91(4617) -> 0.0.0.0(23), 1 packet
25  6509-2  172.18.0.3  Dec 16 2005 06:06:24  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 219.86.166.237(3884) -> 0.0.0.0(23), 1 packet
26  6509-2  172.18.0.3  Dec 15 2005 19:24:45  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 200.162.211.32(3979) -> 0.0.0.0(23), 2 packets
27  6509-2  172.18.0.3  Dec 15 2005 19:19:00  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 200.162.211.32(3979) -> 0.0.0.0(23), 1 packet
28  6509-1  172.18.0.2  Dec 15 2005 18:42:11  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 200.117.234.113(46330) -> 0.0.0.0(23), 2 packets
29  6509-2  172.18.0.3  Dec 15 2005 18:37:46  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 201.24.15.92(3772) -> 0.0.0.0(23), 2 packets
30  6509-1  172.18.0.2  Dec 15 2005 18:36:45  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 200.117.234.113(46330) -> 0.0.0.0(23), 1 packet
31  6509-2  172.18.0.3  Dec 15 2005 18:32:32  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 201.24.15.92(3772) -> 0.0.0.0(23), 1 packet
32  6509-1  172.18.0.2  Dec 15 2005 18:16:12  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 61.216.101.159(4481) -> 0.0.0.0(23), 2 packets
33  6509-1  172.18.0.2  Dec 15 2005 18:11:14  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 61.216.101.159(4481) -> 0.0.0.0(23), 1 packet
34  6509-2  172.18.0.3  Dec 15 2005 17:50:47  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 200.147.49.160(4481) -> 0.0.0.0(23), 2 packets
35  6509-2  172.18.0.3  Dec 15 2005 17:45:35  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 200.147.49.160(4481) -> 0.0.0.0(23), 1 packet
36  6509-2  172.18.0.3  Dec 15 2005 17:17:47  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 213.47.105.217(4072) -> 0.0.0.0(23), 2 packets
37  6509-2  172.18.0.3  Dec 15 2005 17:12:28  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 213.47.105.217(4072) -> 0.0.0.0(23), 1 packet
38  6509-1  172.18.0.2  Dec 15 2005 16:19:13  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 148.244.130.96(1802) -> 0.0.0.0(23), 2 packets
39  6509-1  172.18.0.2  Dec 15 2005 16:13:28  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 148.244.130.96(1802) -> 0.0.0.0(23), 1 packet
40  6509-1  172.18.0.2  Dec 15 2005 16:02:14  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 200.162.232.58(2443) -> 0.0.0.0(23), 2 packets
41  6509-1  172.18.0.2  Dec 15 2005 15:56:32  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 200.162.232.58(2443) -> 0.0.0.0(23), 1 packet
42  6509-1  172.18.0.2  Dec 15 2005 15:44:24  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 62.175.169.8(1768) -> 0.0.0.0(23), 1 packet
43  6509-2  172.18.0.3  Dec 15 2005 15:43:48  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 200.180.146.123(2196) -> 0.0.0.0(23), 2 packets
44  6509-2  172.18.0.3  Dec 15 2005 15:38:35  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 200.180.146.123(2196) -> 0.0.0.0(23), 1 packet
45  6509-1  172.18.0.2  Dec 15 2005 15:21:14  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 200.63.12.194(3469) -> 0.0.0.0(23), 1 packet
46  6509-1  172.18.0.2  Dec 15 2005 15:15:36  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 200.63.12.194(3469) -> 0.0.0.0(23), 1 packet
47  6509-2  172.18.0.3  Dec 15 2005 15:06:59  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 83.144.133.87(4093) -> 0.0.0.0(23), 2 packets
48  6509-2  172.18.0.3  Dec 15 2005 15:02:34  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 83.144.133.87(4093) -> 0.0.0.0(23), 1 packet


Posted by Walter Roberson on December 20, 2005, 1:07 pm
> At my place of business, we have received these logs, which are
> somewhat confusing to us. Could anyone shed some light on these
> messages, like where an attack like this would be coming from? Thanks.
>
>  #  Device  Interface   Timestamp             Facility  Severity  Mnemonic      Description / Details
>  1  6509-1  172.18.0.2  Dec 16 2005 07:32:00  SEC       6         IPACCESSLOGP  list net-equip-out denied tcp 217.81.250.217(1245) -> 0.0.0.0(23), 2 packets

What you have presented is likely not the original data. The original
data probably has field delimiters, possibly binary.

It looks to me that the items break down as:

1.                    => log entry number followed by period
6509-1                => device name
172.18.0.2            => interface IP on the 6509
Dec 16 2005 07:32:00  => time stamp
SEC                   => "facility"
6                     => severity
IPACCESSLOGP          => Mnemonic
list net-equip-out denied tcp 217.81.250.217(1245) -> 0.0.0.0(23)  => Description
2 packets             => details


SEC-6-IPACCESSLOGP is a standard IOS log message when an ACL entry has
the 'log' keyword. There is another similar message without the 'P' but
I do not recall at the moment what the difference between the two is.

The entries are in reverse order by time. This particular facility
of IOS only gives one message per "flow" every few minutes, with the
count reflecting the number of occurrences within those minutes; they
appear to have tweaked the default timing a bit.

On the face of this, it appears that a large number of different IP
addresses are attempting to start telnet connections from "inside"
the 172.18.0.2 interface, each with the same reserved destination IP 0.0.0.0.

It is, though, rather uncommon for "random" hosts to repeatedly attempt
to access IP address 0.0.0.0, so it is plausible that the original
packets did not have 0.0.0.0 there: in IOS, if a portion of the
source or destination has not yet been tested against in the ACL, then
the log message may show 0 instead of real data.

My take on what is happening is that you may have one or more machines
internally that are spewing out connection attempts using random
IP addresses as the source, with some unknown address or addresses
as the destination, and that your networking team is examining those
packets going out by comparing the actual source IP addresses to the
valid source IP addresses, finding that the sources are not registered
as allowed internally, and so blocking the packets, and that this
checking of sources is happening in the named access list
net-equip-out before there are any tests against the destination IP.
If I am correct, then there are very simple tweaks that your networking
team could make to the ACL that would result in the real destination IP
being filled in on the log messages. [I would never send such a
partial log to a client!]

Very likely you need to track down an internal system that is sending
forged packets to outside. If there are no routers between you and
the 6509-1 then your networking team could assist you in this by
changing the "log" keyword to "log-input", which would result in the
MAC (Media Access Control) address being logged. Some viruses or trojans
will take the trouble to forge MACs as well, but your networking team
can help you with that by turning on "MAC level security" if you have
managed switches.


I say "very likely" because there are two alternate possibilities:

1) there might -somehow- be a method by which outside packets
are able to enter your inside network without having gone through
the official 6509-1; this could include a VPN concentrator or a modem
or unsecured DSL connection or an insufficiently secured wireless device.

2) there might -somehow- be a method by which outside packets
are able to enter your inside network through the official 6509-1,
but then get "reflected" back towards the outside; this could include
some kind of packet encapsulation / decapsulation scheme, perhaps an
unsecured PPTP server, possibly some kind of proxy.


The people who sent you these logs should have provided you with
a discussion of what the logs meant or implied!
--
Okay, buzzwords only. Two syllables, tops. -- Laurie Anderson
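An added illustration, not code from this thread or from Cisco: a small Python parser for the SEC-6-IPACCESSLOGP message in the field order Walter breaks down above, run over constructed sample lines written in plain IOS syslog layout (not the poster's export). It groups messages by source flow, flags the 0.0.0.0 destination artifact, and accepts the extra "(interface mac)" field that "log-input" would add; that field's exact layout and the 10.9.9.9/MAC sample line are assumptions.

```python
import re
from collections import defaultdict

# IOS %SEC-6-IPACCESSLOGP message as Walter breaks it down above. The optional
# "(interface mac)" group is the extra field I expect 'log-input' to add;
# its exact layout is an assumption, not something shown on the page.
IPACCESSLOGP = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\)"
    r"(?: \((?P<iface>\S+) (?P<mac>[0-9a-f.]+)\))? -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample in plain IOS syslog layout, not the poster's export; the
# 10.9.9.9 line with a MAC is a made-up log-input style entry.
SAMPLE = """\
Dec 16 07:32:00: %SEC-6-IPACCESSLOGP: list net-equip-out denied tcp 217.81.250.217(1245) -> 0.0.0.0(23), 2 packets
Dec 16 07:26:13: %SEC-6-IPACCESSLOGP: list net-equip-out denied tcp 217.81.250.217(1245) -> 0.0.0.0(23), 1 packet
Dec 16 07:11:01: %SEC-6-IPACCESSLOGP: list net-equip-out denied tcp 201.3.147.64(2377) -> 0.0.0.0(23), 2 packets
Dec 16 07:05:05: %SEC-6-IPACCESSLOGP: list net-equip-out denied tcp 201.3.147.64(2377) -> 0.0.0.0(23), 1 packet
Dec 16 07:00:00: %SEC-6-IPACCESSLOGP: list net-equip-out denied tcp 10.9.9.9(4000) (Vlan10 0011.2233.4455) -> 0.0.0.0(23), 1 packet
"""

def parse(text):
    """Return one dict per matching ACL log line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = IPACCESSLOGP.search(line)
        if m:
            e = m.groupdict()
            e["ts"] = line.split(": %SEC", 1)[0]
            e["count"] = int(e["count"])
            entries.append(e)
    return entries

def summarize(entries):
    """Group messages per (src, sport) flow and flag the 0.0.0.0 artifact."""
    flows = defaultdict(lambda: {"messages": 0, "packets": 0, "mac": None})
    for e in entries:
        f = flows[(e["src"], e["sport"])]
        f["messages"] += 1
        f["packets"] += e["count"]  # per-interval counts, so they add up
        f["mac"] = e["mac"] or f["mac"]
    return {
        "flows": dict(flows),
        "distinct_sources": len({src for src, _ in flows}),
        # 0.0.0.0 as destination: per the reply, the ACL denied before testing dst.
        "dst_unpopulated": bool(entries) and all(e["dst"] == "0.0.0.0" for e in entries),
        "sources_without_mac": sorted(s for (s, _), f in flows.items() if f["mac"] is None),
    }
```

Sources listed under "sources_without_mac" are the flows a switch to "log-input" would let the networking team attribute to a port.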
