topic Re: Sourcefire Logs in Network Security

Sourcefire Logs

sambillings459 — Fri, 21 Feb 2020 15:05:33 GMT

Hello Experts,

can any one please explain me, what does deleting session and new session means in below logs from source fire appliance. Though the rules are allowed on firewall , only one way traffic is seen, I cannot see bi-directional traffic. does it something to do with that deleting session line in bottom of my logs.
Appreciate any quick response

10.10.10.10-60494 > 20.20.20.20-4353 6 AS 1 I 16 New session
10.10.10.10-60494 > 20.20.20.20-4353 6 AS 1 I 16 Starting with minimum 0, id 0 and SrcZone first with zones 10 -> 5, geo 0 -> 0, vlan 0, sgt tag: untagged, svc 0, payload 0, client 0, misc 0, user 9999997, icmpType 0, icmpCode 0
10.10.10.10-60494 > 20.20.20.20-4353 6 AS 1 I 16 match rule order 1, 'Log All Connections', action Audit
10.10.10.10-60494 > 20.20.20.20-4353 6 AS 1 I 16 match rule order 34, 'companyA-companyB', action Allow
10.10.10.10-60494 > 20.20.20.20-4353 6 AS 1 I 16 allow action
10.10.10.10-50019 > 30.30.30.30-4353 6 AS 1 I 7 New session
10.10.10.10-50019 > 30.30.30.30-4353 6 AS 1 I 7 Starting with minimum 0, id 0 and SrcZone first with zones 10 -> 5, geo 0 -> 0, vlan 0, sgt tag: untagged, svc 0, payload 0, client 0, misc 0, user 9999997, icmpType 0, icmpCode 0
10.10.10.10-50019 > 30.30.30.30-4353 6 AS 1 I 7 match rule order 1, 'Log All Connections', action Audit
10.10.10.10-50019 > 30.30.30.30-4353 6 AS 1 I 7 match rule order 34, 'companyA-companyB', action Allow
10.10.10.10-50019 > 30.30.30.30-4353 6 AS 1 I 7 allow action
10.10.10.10-58072 > 20.20.20.20-4353 6 AS 1 I 16 Deleting session
10.10.10.10-58085 > 20.20.20.20-4353 6 AS 1 I 16 Deleting session
10.10.10.10-50040 > 30.30.30.30-4353 6 AS 1 I 7 New session

Thanks

Sam

Re: Sourcefire Logs

sambillings459 — Tue, 09 Jan 2018 13:49:01 GMT

Hello experts,

can anyone one please help me with above posts.. appreciate any quick response

Re: Sourcefire Logs

denilson.mota — Tue, 09 Jan 2018 14:22:55 GMT

Hi sam,

As per my understand the new session is the traffic allowed on this session:

10.10.10.10-50019 > 30.30.30.30-4353 6 AS 1 I 7 match rule order 34, 'companyA-companyB', action Allow
10.10.10.10-50019 > 30.30.30.30-4353 6 AS 1 I 7 allow action

Same scenario for the traffic allowed on this new session:

10.10.10.10-60494 > 20.20.20.20-4353 6 AS 1 I 16 match rule order 34, 'companyA-companyB', action Allow
10.10.10.10-60494 > 20.20.20.20-4353 6 AS 1 I 16 allow action

10.10.10.10-60494 > 20.20.20.20-4353 6 AS 1 I 16 New session

The delete session mean the traffic expires from the earlier session allowed for the same traffic.

Can you please from the logs verify if the old allowed session also have deleted after some time?

Thank you,