
Sourcefire Logs

sambillings459
Level 1

Hello Experts,

Can anyone please explain to me what "Deleting session" and "New session" mean in the logs below from the Sourcefire appliance? Though the rules are allowed on the firewall, only one-way traffic is seen; I cannot see bi-directional traffic. Does it have something to do with the "Deleting session" line at the bottom of my logs?
I appreciate any quick response.


10.10.10.10-60494 > 20.20.20.20-4353 6 AS 1 I 16 New session
10.10.10.10-60494 > 20.20.20.20-4353 6 AS 1 I 16 Starting with minimum 0, id 0 and SrcZone first with zones 10 -> 5, geo 0 -> 0, vlan 0, sgt tag: untagged, svc 0, payload 0, client 0, misc 0, user 9999997, icmpType 0, icmpCode 0
10.10.10.10-60494 > 20.20.20.20-4353 6 AS 1 I 16 match rule order 1, 'Log All Connections', action Audit
10.10.10.10-60494 > 20.20.20.20-4353 6 AS 1 I 16 match rule order 34, 'companyA-companyB', action Allow
10.10.10.10-60494 > 20.20.20.20-4353 6 AS 1 I 16 allow action
10.10.10.10-50019 > 30.30.30.30-4353 6 AS 1 I 7 New session
10.10.10.10-50019 > 30.30.30.30-4353 6 AS 1 I 7 Starting with minimum 0, id 0 and SrcZone first with zones 10 -> 5, geo 0 -> 0, vlan 0, sgt tag: untagged, svc 0, payload 0, client 0, misc 0, user 9999997, icmpType 0, icmpCode 0
10.10.10.10-50019 > 30.30.30.30-4353 6 AS 1 I 7 match rule order 1, 'Log All Connections', action Audit
10.10.10.10-50019 > 30.30.30.30-4353 6 AS 1 I 7 match rule order 34, 'companyA-companyB', action Allow
10.10.10.10-50019 > 30.30.30.30-4353 6 AS 1 I 7 allow action
10.10.10.10-58072 > 20.20.20.20-4353 6 AS 1 I 16 Deleting session
10.10.10.10-58085 > 20.20.20.20-4353 6 AS 1 I 16 Deleting session
10.10.10.10-50040 > 30.30.30.30-4353 6 AS 1 I 7 New session


Thanks

Sam

2 Replies

sambillings459
Level 1

Hello experts,

Can anyone please help me with the above post? I appreciate any quick response.

denilson.mota
Level 1

Hi Sam,

As per my understanding, the new session is the traffic allowed on this session:

10.10.10.10-50019 > 30.30.30.30-4353 6 AS 1 I 7 match rule order 34, 'companyA-companyB', action Allow
10.10.10.10-50019 > 30.30.30.30-4353 6 AS 1 I 7 allow action


Same scenario for the traffic allowed on this new session:

10.10.10.10-60494 > 20.20.20.20-4353 6 AS 1 I 16 match rule order 34, 'companyA-companyB', action Allow
10.10.10.10-60494 > 20.20.20.20-4353 6 AS 1 I 16 allow action

10.10.10.10-60494 > 20.20.20.20-4353 6 AS 1 I 16 New session

The delete session means the traffic expires from the earlier session allowed for the same traffic.

Can you please verify from the logs if the old allowed session has also been deleted after some time?


Thank you,
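As an added example (not from this thread or from Cisco), the following script parses the debug lines quoted in the question and tracks each 5-tuple's lifecycle ("New session", rule matches, final action, "Deleting session"). Run over the excerpt, it shows that the two "Deleting session" lines (source ports 58072 and 58085) belong to flows whose "New session" is not in the excerpt, so their setup and rule evaluation happened before the capture shown; the line layout assumed by the regex is taken only from the lines above.

```python
import re

# Layout of the debug lines quoted in the question (assumed from those lines only):
#   <src>-<sport> > <dst>-<dport> <proto> AS <n> I <n> <message>
LINE_RE = re.compile(r"^(?P<src>\S+)-(?P<sport>\d+) > (?P<dst>\S+)-(?P<dport>\d+) "
                     r"(?P<proto>\d+) AS (?P<as>\d+) I (?P<inst>\d+) (?P<msg>.*)$")
RULE_RE = re.compile(r"match rule order (\d+), '([^']*)', action (\w+)")

def parse_line(line):
    """Return the fields of one debug line, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def track_sessions(lines):
    """Group lines by 5-tuple and record each flow's lifecycle events in order."""
    flows = {}
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        key = (f["src"], int(f["sport"]), f["dst"], int(f["dport"]), int(f["proto"]))
        s = flows.setdefault(key, {"new": False, "rules": [], "final": None, "deleted": False})
        msg, r = f["msg"], RULE_RE.search(f["msg"])
        if msg == "New session":
            s["new"] = True
        elif msg == "Deleting session":
            s["deleted"] = True
        elif r:  # a policy rule was evaluated against this flow
            s["rules"].append((int(r.group(1)), r.group(2), r.group(3)))
        elif msg.endswith(" action"):  # e.g. "allow action": the verdict applied
            s["final"] = msg.split()[0]
    return flows

def deletes_without_setup(flows):
    """Flows torn down in the excerpt whose 'New session' is not in the excerpt."""
    return [k for k, s in flows.items() if s["deleted"] and not s["new"]]

# Constructed sample: the lines from the question, trimmed to the relevant ones.
SAMPLE = """\
10.10.10.10-60494 > 20.20.20.20-4353 6 AS 1 I 16 New session
10.10.10.10-60494 > 20.20.20.20-4353 6 AS 1 I 16 match rule order 1, 'Log All Connections', action Audit
10.10.10.10-60494 > 20.20.20.20-4353 6 AS 1 I 16 match rule order 34, 'companyA-companyB', action Allow
10.10.10.10-60494 > 20.20.20.20-4353 6 AS 1 I 16 allow action
10.10.10.10-50019 > 30.30.30.30-4353 6 AS 1 I 7 New session
10.10.10.10-50019 > 30.30.30.30-4353 6 AS 1 I 7 allow action
10.10.10.10-58072 > 20.20.20.20-4353 6 AS 1 I 16 Deleting session
10.10.10.10-58085 > 20.20.20.20-4353 6 AS 1 I 16 Deleting session
10.10.10.10-50040 > 30.30.30.30-4353 6 AS 1 I 7 New session
""".splitlines()
```

Feeding a longer capture to `track_sessions` lets you confirm, per 5-tuple, whether each allowed session later shows its own "Deleting session", which is the check the reply above asks for.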
