Weird logging in my pix logs - not sure If this is a problem

rbinc
Level 1

I get this error in my firewall logs:

Feb 26 15:32:49 firewall %PIX-6-106015: Deny TCP (no connection) from 161.58.238.151/110 to a.b.c.d/3782 flags RST ACK on interface outside

Is this telling me that my connection timeout or is someone trying to hack me?

thanks

Jenn

5 Replies

mostiguy
Level 6

That looks like your user at a.b.c.d tried making a pop3 (tcp port 110) connection to that server. That server, or its firewall, replied that it doesn't offer that service, by ACKnowledging the packet and ReSeTting the connection.

At syslog level 6 (i.e., PIX-6-xxxxxxx), you will see events for just about all connection attempts. The real security event stuff typically is at level 3 and 4. Critical pix system level stuff is at 1 and 2.

Thanks. Do you know if there is a way to log 1, 2 and 4? I would like to see warnings so I know what's going on.

You can't specifically log just levels 1, 2 and 4. If you log at level 4 then you'll get 1-4, that's the only way to do it.

If you run the full version of Kiwi syslog daemon, you can specify which levels are to be displayed, logged to file etc.

What you can do is set your logging to whatever level you want, then disable the logging for specific messages you don't want. Use the 'no logging message' command to suppress a syslog message. Use the 'clear logging disabled' command to reset the disallowed messages to the original set. Use the 'show message disabled' command to list the suppressed messages.

Downside is that the list of messages can get long.

e.g.

logging trap informational
no logging message 106015
no logging message 105004
no logging message 309002
no logging message 305012
no logging message 303002
no logging message 302015
no logging message 111005
no logging message 609001
no logging message 302016

Hope it helps.

Steve
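Added example, not part of any reply in this thread: a collector-side filter in Python that parses the %PIX-level-id prefix, keeps only chosen levels (such as 1, 2 and 4), and counts message IDs at a level to help pick candidates for 'no logging message'. The function names and every sample line except the first are constructed for illustration, and the 9999xx message IDs are placeholders, not real PIX IDs.

```python
import re
from collections import Counter

# %PIX-<level>-<message id>: <text>, the prefix format of the line quoted in the thread
PIX_RE = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)$")

def parse_pix(line):
    """Return (level, message_id, text), or None if the line has no PIX prefix."""
    m = PIX_RE.search(line)
    if m is None:
        return None
    return int(m.group("sev")), m.group("msgid"), m.group("text")

def select(lines, keep_levels, suppressed_ids=()):
    """Keep PIX lines whose level is in keep_levels and whose ID is not suppressed."""
    suppressed = set(suppressed_ids)
    kept = []
    for line in lines:
        parsed = parse_pix(line)
        if parsed is None:
            continue  # not a PIX message, ignore
        sev, msgid, _ = parsed
        if sev in keep_levels and msgid not in suppressed:
            kept.append(line)
    return kept

def noisy_ids(lines, level):
    """Count message IDs seen at one level, most frequent first."""
    parsed = (parse_pix(line) for line in lines)
    return Counter(p[1] for p in parsed if p and p[0] == level).most_common()

# First line is the one quoted in the thread; the rest are constructed samples.
SAMPLE = [
    "Feb 26 15:32:49 firewall %PIX-6-106015: Deny TCP (no connection) from "
    "161.58.238.151/110 to a.b.c.d/3782 flags RST ACK on interface outside",
    "Feb 26 15:32:50 firewall %PIX-6-106015: Deny TCP (no connection) from "
    "161.58.238.151/110 to a.b.c.d/3783 flags RST ACK on interface outside",
    "Feb 26 15:33:01 firewall %PIX-1-999901: constructed level 1 message",
    "Feb 26 15:33:02 firewall %PIX-2-999902: constructed level 2 message",
    "Feb 26 15:33:03 firewall %PIX-3-999903: constructed level 3 message",
    "Feb 26 15:33:04 firewall %PIX-4-999904: constructed level 4 message",
    "Feb 26 15:33:05 firewall sshd: constructed non-PIX line",
]

if __name__ == "__main__":
    for line in select(SAMPLE, {1, 2, 4}):
        print(line)
    print(noisy_ids(SAMPLE, 6))
```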
