07-20-2009 12:32 AM
Hello,
Can you explain these logs, please?
1) ACL 104 is applied to my outside interface Fast0 (facing my ISP) in the inbound direction. It is denying all inbound traffic from the Internet to my network. I have an inspection rule (CBAC) on Fast0 in the outbound direction:
Inspection Rule Configuration
Inspection name SDM_HIGH
icmp alert is on audit-trail is off timeout 10
tcp alert is on audit-trail is off timeout 3600
udp alert is on audit-trail is off timeout 30
http alert is on audit-trail is off timeout 3600
https alert is on audit-trail is off timeout 3600
So, this means that http traffic from my network to the Internet will be inspected and that http traffic returning to my network will be allowed because of the inspection rule. But my ACL 104 is denying some of the returning http traffic. Why?
Web browsing is working fine, but why are those deny logs there? Do the temporary openings of CBAC expire too soon?
045478: Jul 20 09:31:36.142 Romania: %SEC-6-IPACCESSLOGP: list 104 denied tcp 213.143.91.137(80) -> 80.86.x.x(2366), 1 packet
045479: Jul 20 09:31:36.494 Romania: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 33 packets
045480: Jul 20 09:31:37.158 Romania: %SEC-6-IPACCESSLOGP: list 104 denied tcp 68.180.154.39(80) -> 80.86.x.x(4746), 1 packet
045483: Jul 20 09:31:43.326 Romania: %SEC-6-IPACCESSLOGP: list 104 denied tcp 216.73.86.152(80) -> 80.86.x.x(2372), 1 packet
045484: Jul 20 09:31:45.574 Romania: %SEC-6-IPACCESSLOGP: list 104 denied tcp 213.165.82.189(80) -> 80.86.x.x(2029), 1 packet
045485: Jul 20 09:31:46.614 Romania: %SEC-6-IPACCESSLOGP: list 104 denied tcp 64.74.98.80(80) -> 80.86.x.x(2373), 1 packet
2) What is this, "calming down, count (4/400)"?
045486: Jul 20 09:31:49.102 Romania: %FW-4-ALERT_OFF: calming down, count (4/400) current 1-min rate: 358
3) "getting aggressive"?
045488: Jul 20 09:32:03.910 Romania: %FW-4-ALERT_ON: getting aggressive, count (11/500) current 1-min rate: 501
4) ACL 108 is applied on one of my subnets. There are some VPN software clients here. I don't see any port for these IPs. And what does 50 mean? There should be tcp, udp ...
045493: Jul 20 09:32:36.494 Romania: %SEC-6-IPACCESSLOGNP: list 108 permitted 50 172.31.8.1 -> 217.x.x.x 12005 packets
Thank you!
07-24-2009 02:54 PM
Error messages may indicate that a denial-of-service attack has occurred on a specific TCP host:
When %FW-4-ALERT_ON and %FW-4-ALERT_OFF error messages appear together, each "aggressive/calming" pair of messages indicates a separate attack.
07-26-2009 11:35 PM
Hello,
Thank you for your time, but I still have a question. You say that I have 2 attacks here? Who is attacking? There are so many IPs here:
044219: Jul 27 09:14:17.912 Romania: %FW-4-ALERT_ON: getting aggressive, count (3/500) current 1-min rate: 501
044220: Jul 27 09:14:18.676 Romania: %SEC-6-IPACCESSLOGP: list 104 denied tcp 193.223.101.142(80) -> 80.x.x.x(24904), 1 packet
044221: Jul 27 09:14:20.144 Romania: %SEC-6-IPACCESSLOGP: list 104 denied tcp 193.223.101.142(80) -> 80.x.x.x(24941), 1 packet
044223: Jul 27 09:14:29.068 Romania: %FW-4-ALERT_OFF: calming down, count (3/400) current 1-min rate: 343
044226: Jul 27 09:14:51.353 Romania: %FW-4-ALERT_ON: getting aggressive, count (13/500) current 1-min rate: 501
044227: Jul 27 09:14:51.401 Romania: %SEC-6-IPACCESSLOGP: list 104 denied tcp 194.117.224.81(80) -> 80.x.x.x(55986), 1 packet
044228: Jul 27 09:14:52.109 Romania: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 4303 packets
044229: Jul 27 09:14:52.413 Romania: %SEC-6-IPACCESSLOGP: list 104 denied tcp 168.143.162.107(80) -> 80.x.x.x(25034), 1 packet
044231: Jul 27 09:14:55.461 Romania: %SEC-6-IPACCESSLOGP: list 104 denied tcp 208.81.233.58(80) -> 80.x.x.x(56007), 1 packet
044232: Jul 27 09:14:57.325 Romania: %SEC-6-IPACCESSLOGP: list 104 denied tcp 168.143.162.107(80) -> 80.x.x.x(25035), 1 packet
044233: Jul 27 09:14:59.301 Romania: %SEC-6-IPACCESSLOGP: list 104 denied tcp 74.125.242.196(80) -> 80.x.x.x(36546), 1 packet
044234: Jul 27 09:15:00.889 Romania: %SEC-6-IPACCESSLOGP: list 104 denied tcp 92.122.180.25(80) -> 80.x.x.x(1738), 1 packet
044235: Jul 27 09:15:02.365 Romania: %SEC-6-IPACCESSLOGP: list 104 denied tcp 168.143.162.107(80) -> 80.x.x.x(25037), 1 packet
044236: Jul 27 09:15:05.753 Romania: %SEC-6-IPACCESSLOGP: list 104 denied tcp 76.13.6.143(80) -> 80.x.x.x(1747), 1 packet
044237: Jul 27 09:15:09.273 Romania: %SEC-6-IPACCESSLOGP: list 104 denied tcp 74.125.43.106(443) -> 80.x.x.x(39087), 1 packet
044238: Jul 27 09:15:12.369 Romania: %SEC-6-IPACCESSLOGP: list 104 denied tcp 168.143.162.107(80) -> 80.x.x.x(25039), 1 packet
044239: Jul 27 09:15:13.393 Romania: %SEC-6-IPACCESSLOGP: list 104 denied tcp 194.126.157.12(80) -> 80.x.x.x(50451), 1 packet
044240: Jul 27 09:15:14.729 Romania: %SEC-6-IPACCESSLOGP: list 104 denied tcp 74.125.43.17(443) -> 80.x.x.x(35794), 1 packet
044241: Jul 27 09:15:17.381 Romania: %SEC-6-IPACCESSLOGP: list 104 denied udp 83.166.206.119(5678) -> 255.255.255.255(5678), 1 packet
044242: Jul 27 09:15:23.145 Romania: %SEC-6-IPACCESSLOGP: list 108 permitted udp 172.31.8.2(0) -> 172.31.8.255(0), 1 packet
044243: Jul 27 09:15:24.945 Romania: %SEC-6-IPACCESSLOGP: list 104 denied tcp 80.86.155.134(4516) -> 80.x.x.x(135), 1 packet
044244: Jul 27 09:15:27.149 Romania: %SEC-6-IPACCESSLOGP: list 104 denied tcp 74.125.43.189(443) -> 80.x.x.x(57900), 1 packet
044245: Jul 27 09:15:28.829 Romania: %SEC-6-IPACCESSLOGP: list 110 denied tcp 172.31.5.123(1753) -> 67.195.186.119(843), 1 packet
044246: Jul 27 09:15:32.390 Romania: %SEC-6-IPACCESSLOGP: list 104 denied tcp 168.143.162.107(80) -> 80.x.x.x(25048), 1 packet
044247: Jul 27 09:15:36.594 Romania: %SEC-6-IPACCESSLOGP: list 104 denied tcp 77.238.174.11(80) -> 80.x.x.x(1146), 1 packet
044249: Jul 27 09:15:39.658 Romania: %SEC-6-IPACCESSLOGP: list 104 denied tcp 74.125.43.99(80) -> 80.x.x.x(37959), 1 packet
044251: Jul 27 09:15:45.774 Romania: %SEC-6-IPACCESSLOGP: list 104 denied tcp 77.238.174.11(80) -> 80.x.x.x(1214), 1 packet
044252: Jul 27 09:15:45.874 Romania: %FW-4-ALERT_OFF: calming down, count (3/400) current 1-min rate: 315
Is there an attack on port 80?
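The following Python script is an added example for this thread; it is not part of the original posts and is not a Cisco tool. It parses the four IOS message types quoted above (%SEC-6-IPACCESSLOGP, %SEC-6-IPACCESSLOGNP, %SEC-6-IPACCESSLOGRL and %FW-4-ALERT_ON/OFF) from a constructed sample log, resolves IP protocol number 50 to ESP (the IPsec payload the VPN clients send), and sorts the denied packets into those that look like replies from web servers (source port 80 or 443 to a high client port, arriving after CBAC has already torn down the outbound session) and those that are unsolicited (aimed at a service port below 1024, or at the broadcast address). The category names, the sample addresses (RFC 5737 documentation ranges) and the stale-reply heuristic are my own assumptions, not something the router reports.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

# Constructed sample log modelled on the IOS lines quoted in the thread; the real
# Internet addresses are replaced with RFC 5737 documentation addresses.
SAMPLE_LOG = """\
045478: Jul 20 09:31:36.142 Romania: %SEC-6-IPACCESSLOGP: list 104 denied tcp 203.0.113.7(80) -> 198.51.100.5(2366), 1 packet
045479: Jul 20 09:31:36.494 Romania: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 33 packets
045480: Jul 20 09:31:37.158 Romania: %SEC-6-IPACCESSLOGP: list 104 denied tcp 203.0.113.9(443) -> 198.51.100.5(39087), 1 packet
045486: Jul 20 09:31:49.102 Romania: %FW-4-ALERT_OFF: calming down, count (4/400) current 1-min rate: 358
045488: Jul 20 09:32:03.910 Romania: %FW-4-ALERT_ON: getting aggressive, count (11/500) current 1-min rate: 501
045493: Jul 20 09:32:36.494 Romania: %SEC-6-IPACCESSLOGNP: list 108 permitted 50 172.31.8.1 -> 203.0.113.20, 12005 packets
045494: Jul 20 09:32:40.001 Romania: %SEC-6-IPACCESSLOGP: list 104 denied tcp 203.0.113.77(4516) -> 198.51.100.5(135), 1 packet
045495: Jul 20 09:32:41.002 Romania: %SEC-6-IPACCESSLOGP: list 104 denied udp 203.0.113.88(5678) -> 255.255.255.255(5678), 1 packet
"""

# IPACCESSLOGNP prints the raw IP protocol number for protocols without ports.
IP_PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre", 50: "esp", 51: "ah"}

_LOGP = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\),? (?P<count>\d+) packet")
_LOGNP = re.compile(
    r"%SEC-6-IPACCESSLOGNP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\d+) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+),? (?P<count>\d+) packet")
_LOGRL = re.compile(r"%SEC-6-IPACCESSLOGRL: .*?(?P<missed>\d+) packet")
_FWALERT = re.compile(
    r"%FW-4-ALERT_(?P<state>ON|OFF): .*?count \((?P<half_open>\d+)/(?P<threshold>\d+)\) "
    r"current 1-min rate: (?P<rate>\d+)")


@dataclass
class AclHit:
    acl: str
    action: str
    proto: str                  # name from IP_PROTO_NAMES, or the raw number if unknown
    src: str
    dst: str
    count: int
    sport: Optional[int] = None  # only IPACCESSLOGP (tcp/udp) carries ports
    dport: Optional[int] = None

    def category(self) -> str:
        """Triage heuristic (my own assumption) for hits on an inbound Internet-facing ACL behind CBAC."""
        if self.action != "denied":
            return "permitted"
        # A web server answering a high client port: the outbound session CBAC opened for it
        # is already gone (closed on FIN/RST or idle timeout), so the straggler hits the static ACL.
        if self.proto == "tcp" and self.sport in (80, 443) and self.dport is not None and self.dport >= 1024:
            return "stale_web_reply"
        if self.dst == "255.255.255.255":
            return "broadcast_noise"
        if self.dport is not None and self.dport < 1024:
            return "unsolicited_to_service_port"
        return "other_denied"


@dataclass
class RateLimited:
    missed: int  # packets that matched a "log" ACE but were not individually logged


@dataclass
class FwAlert:
    state: str         # "ON": CBAC entered aggressive mode, "OFF": it left it
    half_open: int     # current half-open sessions
    threshold: int     # max-incomplete threshold in force (high for ON, low for OFF)
    rate_per_min: int  # new connection attempts in the last minute


def parse_line(line: str) -> Union[AclHit, RateLimited, FwAlert, None]:
    """Return a typed event for the four message types handled here, else None."""
    m = _LOGP.search(line)
    if m:
        return AclHit(m["acl"], m["action"], m["proto"], m["src"], m["dst"],
                      int(m["count"]), int(m["sport"]), int(m["dport"]))
    m = _LOGNP.search(line)
    if m:
        num = int(m["proto"])
        return AclHit(m["acl"], m["action"], IP_PROTO_NAMES.get(num, str(num)),
                      m["src"], m["dst"], int(m["count"]))
    m = _LOGRL.search(line)
    if m:
        return RateLimited(int(m["missed"]))
    m = _FWALERT.search(line)
    if m:
        return FwAlert(m["state"], int(m["half_open"]), int(m["threshold"]), int(m["rate"]))
    return None


def triage(log_text: str) -> Dict[str, object]:
    """Summarise denied traffic by category and source, logged packets per protocol, and CBAC alerts."""
    categories: Counter = Counter()
    sources: Counter = Counter()
    protocols: Counter = Counter()
    missed = 0
    alerts: List[FwAlert] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if isinstance(ev, AclHit):
            protocols[ev.proto] += ev.count
            if ev.action == "denied":
                categories[ev.category()] += ev.count
                sources[ev.src] += ev.count
        elif isinstance(ev, RateLimited):
            missed += ev.missed  # the denies you see are a sample, not the full count
        elif isinstance(ev, FwAlert):
            alerts.append(ev)
    return {"denied_by_category": dict(categories), "top_denied_sources": sources.most_common(3),
            "packets_by_protocol": dict(protocols), "unlogged_packets": missed, "fw_alerts": alerts}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Two things the summary makes visible that the raw lines do not: the IPACCESSLOGRL count means the logged denies are only a sample of what the ACL dropped, so counting them is misleading, and in the ALERT_ON line it is the one-minute rate (501 against the default one-minute high threshold of 500) that tripped aggressive mode, not the half-open count (11 against 500). Whether a "stale_web_reply" was a late FIN/ACK after the client closed or data after the CBAC idle timeout cannot be told from the ACL log alone; a capture on the outside interface, or the inspect audit trail, is needed for that.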