[Dshield] Cisco log question
Jon R. Kibler
Jon.Kibler at aset.com
Wed Feb 25 18:48:00 GMT 2004
We have been seeing some unusual log entries originating from the inbound ACL list on a Cisco (827) router:
> Feb 25 00:34:05.005 EST: %SEC-6-IPACCESSLOGS: list 110 denied w.x.y.66 1 packet
> Feb 25 00:39:06.381 EST: %SEC-6-IPACCESSLOGS: list 110 denied w.x.y.66 135 packets
What is "strange" about these entries are that they contain only a single IP address and no protocol information. The IP in these entries is always an internal IP. As we block inbound packets from the Internet that claim to originate from one of our IP addresses, we suspect that the following ACL is causing these messages to be generated:
> access-list 110 remark keep any incoming from spoofing local netblocks
> access-list 110 deny ip w.x.y.n 0.0.0.b any log
What we don't understand is why so little information is logged. For example, our ACLs that block other bogus source IP addresses, such as:
> access-list 110 deny ip 10.0.0.0 0.255.255.255 any log
generate "normal" log entries, such as:
> Feb 23 06:29:51.523 EST: %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.20.101.192(4614) -> 184.108.40.206(80), 2 packets
Anyone know why we are seeing the highly truncate log entry and how to capture more data about what is going on here?
We just started seeing these about 2 days ago and they are getting to be much more frequent.
TIA for any expert explanation!
Jon R. Kibler
Chief Technical Officer
Charleston, SC USA
Filtered by: TRUSTEM.COM's Email Filtering Service
No Spam. No Viruses. Just Good Clean Email.
More information about the list