TOPIC: Syslog message from pix

Syslog message from pix 10 years 1 month ago #17506

  • psiclonius
  • Frequent Member
  • Posts: 34
  • Karma: 0
Hey Everyone,

I'm seeing a lot of this message on my PIX, but can't find a good explanation:

Is this a possible port scan? Also, is it more important to look at the src port or the dst port when looking at syslog files?
[code]
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9661
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9662
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9680
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9682
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9731
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9732
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9733
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9734
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9737
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9738
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9739
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9740
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9741
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9742
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9746
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9747
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9748
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9750
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9751
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9743
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9744
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9745
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9752
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9753
[/code]

I'm seeing a bunch of these messages during off hours. Is this a possible DoS attack?

[code]
PIX-4-106023: Deny icmp src outside:207.203.159.65 dst inside:72.149.x.x (type 11, code 0) by access-group "outside_in"
PIX-4-106023: Deny icmp src outside:207.203.159.65 dst inside:72.149.x.x (type 11, code 0) by access-group "outside_i
[/code]

So far I looked the IPs up on DNSSTUFF.com and added a shun command to the PIX for the address. ...am I overreacting, because the traffic is being blocked by the PIX?

Re: Syslog message from pix 10 years 1 month ago #17522

  • Smurf
  • Moderator
  • Posts: 1390
  • Karma: 1
I'm seeing a bunch of these messages during off hr. Is this a possible DoS attack?

PIX-4-106023: Deny icmp src outside:207.203.159.65 dst inside:72.149.x.x (type 11, code 0) by access-group "outside_in"
PIX-4-106023: Deny icmp src outside:207.203.159.65 dst inside:72.149.x.x (type 11, code 0) by access-group "outside_i

Sorry, not done much with SYSLOG on the PIX (it's one of my next jobs to configure it all). Anyhow, not sure about the first part of the question without researching it, which unfortunately I ain't got time for at the mo as I am onsite fixing an AD Replication issue.

The second bit is the ICMP code for Time Exceeded.

If you take a look at this article it tells ya what can cause this situation, so it's probably OK traffic.

http://www.tcpipguide.com/free/t_ICMPv4TimeExceededMessages.htm

Cheers
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
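To put both posts above on a more systematic footing (the 710005 "TCP request discarded" lines in the question and the 106023 ICMP type 11 denies that Smurf identifies as Time Exceeded), here is a small log summariser. It is an added example written for this page, not code from the thread, from firewall.cx or from Cisco. It assumes only the message formats quoted above; the sample lines are constructed (the 198.51.100.7 lines are invented to show the opposite traffic shape, and 198.51.100.0/24 is a documentation range), and the "replies-from-service-port" / "multiple-service-ports-probed" labels are a heuristic of my own, meant to answer the src-port-versus-dst-port question by showing both together per source rather than to give a verdict.

```python
"""Summarise PIX 710005 (TCP request discarded) and 106023 (ICMP deny) syslog lines.

The labels produced here are an analyst aid (an assumption of this example),
not a definitive judgement about the traffic.
"""
import re
from collections import defaultdict

# Constructed sample in the format quoted in the thread.  The 61.200.81.135 lines
# mirror the poster's pattern (one well-known source port, many ephemeral
# destination ports); the 198.51.100.7 lines are invented to show the opposite
# shape (ephemeral source ports, several well-known destination ports).
SAMPLE_LOG = """\
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9661
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9662
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9680
PIX-7-710005: TCP request discarded from 61.200.81.135/80 to outside:72.149.x.x/9682
PIX-7-710005: TCP request discarded from 198.51.100.7/43120 to outside:72.149.x.x/22
PIX-7-710005: TCP request discarded from 198.51.100.7/43121 to outside:72.149.x.x/23
PIX-7-710005: TCP request discarded from 198.51.100.7/43122 to outside:72.149.x.x/443
PIX-4-106023: Deny icmp src outside:207.203.159.65 dst inside:72.149.x.x (type 11, code 0) by access-group "outside_in"
this line is not a PIX message and is counted as skipped
"""

TCP_DISCARD_RE = re.compile(
    r"^PIX-(?P<sev>\d)-710005: TCP request discarded from "
    r"(?P<src>[\d.x]+)/(?P<sport>\d+) to (?P<iface>\w+):(?P<dst>[\d.x]+)/(?P<dport>\d+)$"
)
ICMP_DENY_RE = re.compile(
    r"^PIX-(?P<sev>\d)-106023: Deny icmp src (?P<siface>\w+):(?P<src>[\d.x]+) "
    r"dst (?P<diface>\w+):(?P<dst>[\d.x]+) \(type (?P<type>\d+), code (?P<code>\d+)\) "
    r'by access-group "(?P<acl>[^"]*)"$'
)

# ICMP type/code names per RFC 792; type 11 is the Time Exceeded family named in the thread.
ICMP_NAMES = {
    (11, 0): "time exceeded: TTL expired in transit",
    (11, 1): "time exceeded: fragment reassembly time exceeded",
    (3, 3): "destination unreachable: port unreachable",
    (8, 0): "echo request",
}

EPHEMERAL_MIN = 1024  # ports at or above this are treated as client-side/ephemeral


def parse_line(line):
    """Return a dict for a recognised message, or None for anything else."""
    m = TCP_DISCARD_RE.match(line.strip())
    if m:
        d = m.groupdict()
        return {"msg": "710005", "src": d["src"], "sport": int(d["sport"]),
                "dst": d["dst"], "dport": int(d["dport"]), "iface": d["iface"]}
    m = ICMP_DENY_RE.match(line.strip())
    if m:
        d = m.groupdict()
        t, c = int(d["type"]), int(d["code"])
        return {"msg": "106023", "src": d["src"], "dst": d["dst"], "type": t,
                "code": c, "acl": d["acl"],
                "name": ICMP_NAMES.get((t, c), "type %d code %d" % (t, c))}
    return None


def classify_tcp_source(sports, dports):
    """Heuristic label for one source address seen in 710005 messages.

    A well-known source port hitting only ephemeral destination ports has the
    shape of replies coming back from a server (e.g. late packets of a web
    session), whereas ephemeral source ports hitting several well-known
    destination ports has the shape of a service probe.  Anything else is
    left for a human to look at.
    """
    if all(p < EPHEMERAL_MIN for p in sports) and all(p >= EPHEMERAL_MIN for p in dports):
        return "replies-from-service-port"
    low_dports = {p for p in dports if p < EPHEMERAL_MIN}
    if all(p >= EPHEMERAL_MIN for p in sports) and len(low_dports) >= 2:
        return "multiple-service-ports-probed"
    return "needs-review"


def summarize(log_text):
    """Group parsed messages by source address and attach a label to each TCP source."""
    tcp = defaultdict(lambda: {"sports": set(), "dports": set(), "count": 0})
    icmp = defaultdict(lambda: {"count": 0, "names": set()})
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
        elif rec["msg"] == "710005":
            g = tcp[rec["src"]]
            g["sports"].add(rec["sport"])
            g["dports"].add(rec["dport"])
            g["count"] += 1
        else:
            g = icmp[rec["src"]]
            g["count"] += 1
            g["names"].add(rec["name"])
    for g in tcp.values():
        g["label"] = classify_tcp_source(g["sports"], g["dports"])
    return {"tcp": dict(tcp), "icmp": dict(icmp), "skipped": skipped}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for src, g in report["tcp"].items():
        print("710005 %-16s %3d msgs, src ports %s -> %d dst ports: %s"
              % (src, g["count"], sorted(g["sports"]), len(g["dports"]), g["label"]))
    for src, g in report["icmp"].items():
        print("106023 %-16s %3d msgs: %s" % (src, g["count"], ", ".join(sorted(g["names"]))))
    print("skipped unparsed lines:", report["skipped"])
```

Run it on a real export (`summarize(open("pix.log").read())`) and the per-source line shows the source ports and the spread of destination ports side by side; the question of which port matters is really "what does the pair look like", and the poster's lines (source 80, destinations all in the 9000s) fall into the first label, while an ICMP type 11, code 0 deny prints as the TTL-expired case of the Time Exceeded message Smurf pointed to.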