[Dshield] Differing Cisco PIX log format

Kelly Martin kmartin at pyrzqxgl.org
Tue Mar 26 20:41:59 GMT 2002


You're using access lists (per Cisco recommendation) instead of conduits,
and it looks like you have explicit deny statements in your access list,
too.  The PIX writes different log messages for a denied connection
depending on why the connection was denied (explicit deny in access list,
explicit deny in conduit statement, denied by security policy on static
mapping without matching conduit or access list, denied for no static
mapping, or denied for any of a number of other reasons).  The DShield PIX
parser does not translate all of the possible messages properly, in large
part because it appears to have been written for version 5 of the PIX
software (current is version 6).

I use my own script, which I would be happy to share with you.  It works
best on a Linux machine set up as a syslog server for the PIX, with syslogd
on the Linux box configured to send PIX log content to a named pipe, which
the program then sits on and parses the incoming messages in real-time.  The
script parses down and accumulates the log content and fires off a
submission to DShield when the accumulation exceeds a certain size.  (I may
change this to once an hour instead.)  I am working on adding a network scan
detector.

A complete list of PIX log messages (for 6.1) is at
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/syslog/pixemapa.htm

Kelly

----- Original Message -----
From: "Jason Baker" <jbaker at filonet.ca>
To: <list at dshield.org>
Sent: Tuesday, March 26, 2002 1:47 PM
Subject: [Dshield] Differing Cisco PIX log format


> Just wondering if anyone else has a PIX and sees the logging in a fairly
> different format than the pre-packaged dshield pix parser thinks it'll
> be...
>
> My PIX is dumping the lines like this:
>
> Mar 26 11:38:49 gateway %PIX-4-106023: Deny tcp src outside:aaa.aaa.aaa.aaa/60014 dst inside:bbb.bbb.bbb.bbb/113 by access-group "acl_out"
>
> The parser is expecting (according to the samples in it):
> # Dec 16 00:00:21 aaa.bbb.net %PIX-2-106007: Deny inbound UDP from 192.168.0.1/20854 to 10.253.83.126/53 due to DNS Query
> # Dec 16 00:00:26 aaa.bbb.net %PIX-2-106001: Inbound TCP connection denied from 198.0.0.1/48236 to 10.0.0.1/25 flags SYN on interface outside
>
> Before I munge together my own parser, I just wanted to see if anyone else
> already had, to avoid re-inventing the wheel.
>
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
>
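Kelly's point is that the PIX emits a different deny message per deny reason, and a parser keyed to the 5.x wording silently drops the 6.x ones. The following is an added example, not code from either poster or from DShield: a small Python normalizer that maps the three message IDs quoted above (106023, 106001, 106007) to one flat record and keeps the lines it cannot parse, so coverage gaps show up instead of vanishing. Sample lines are constructed with RFC 5737 test addresses; the 302001 line's wording is approximate.

```python
import re

# Syslog header shared by every PIX line: "Mar 26 11:38:49 gateway %PIX-4-106023: <body>"
HEADER = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
SRC, DST = rf"(?P<sip>{IP})/(?P<sport>\d+)", rf"(?P<dip>{IP})/(?P<dport>\d+)"

# One body pattern per deny message ID; every pattern yields the same named groups.
BODY = {
    # 6.x: denied by an explicit access-list entry (the "src iface:" prefix may be absent)
    "106023": re.compile(rf'^Deny (?P<proto>\w+) src (?:\w+:)?{SRC} dst \w+:{DST}'
                         r' by access-group "(?P<reason>[^"]+)"'),
    # inbound connection denied by security policy (no static/conduit/ACL permits it)
    "106001": re.compile(rf"^Inbound (?P<proto>\w+) connection denied from {SRC} to {DST}"
                         r" flags (?P<reason>.+?) on interface \w+$"),
    # inbound UDP denied with a stated reason such as "DNS Query"
    "106007": re.compile(rf"^Deny inbound (?P<proto>\w+) from {SRC} to {DST} due to (?P<reason>.+)$"),
}

def parse_pix_deny(line: str) -> "dict | None":
    """Normalize one PIX deny line to a flat record; None if no known pattern matches."""
    h = HEADER.match(line.strip())
    if not h:
        return None
    pat = BODY.get(h["msgid"])
    b = pat.match(h["body"]) if pat else None
    if not b:
        return None
    return {"ts": h["ts"], "host": h["host"], "msgid": h["msgid"],
            "proto": b["proto"].lower(),
            "src": b["sip"], "sport": int(b["sport"]),
            "dst": b["dip"], "dport": int(b["dport"]), "reason": b["reason"]}

def parse_log(lines):
    """Parse a batch; return (records, unparsed_lines) so coverage gaps stay visible."""
    records, unparsed = [], []
    for line in lines:
        rec = parse_pix_deny(line)
        (records if rec else unparsed).append(rec or line)  # keep raw text of misses
    return records, unparsed

# Constructed sample: the three formats quoted in the thread (RFC 5737 test addresses),
# plus a non-deny "Built ... connection" line (302001; wording approximate) for the gap path.
SAMPLE = [
    'Mar 26 11:38:49 gateway %PIX-4-106023: Deny tcp src outside:198.51.100.7/60014 dst inside:192.0.2.10/113 by access-group "acl_out"',
    "Mar 26 11:38:52 gateway %PIX-2-106001: Inbound TCP connection denied from 198.51.100.7/48236 to 192.0.2.10/25 flags SYN on interface outside",
    "Mar 26 11:39:01 gateway %PIX-2-106007: Deny inbound UDP from 198.51.100.9/20854 to 192.0.2.10/53 due to DNS Query",
    "Mar 26 11:39:05 gateway %PIX-6-302001: Built inbound TCP connection 12 for outside:198.51.100.7/1025 to inside:192.0.2.10/80",
]
```

Feeding `parse_log` from a named pipe as Kelly describes is a matter of iterating over the open pipe instead of `SAMPLE`; the length of the `unparsed` list is the number to watch when a PIX software upgrade changes message wording.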