[Dshield] Cisco log question

Jon R. Kibler Jon.Kibler at aset.com
Wed Feb 25 18:48:00 GMT 2004


Hello,

We have been seeing some unusual log entries originating from the inbound ACL list on a Cisco (827) router:

> Feb 25 00:34:05.005 EST: %SEC-6-IPACCESSLOGS: list 110 denied w.x.y.66 1 packet
> Feb 25 00:39:06.381 EST: %SEC-6-IPACCESSLOGS: list 110 denied w.x.y.66 135 packets

What is "strange" about these entries are that they contain only a single IP address and no protocol information. The IP in these entries is always an internal IP. As we block inbound packets from the Internet that claim to originate from one of our IP addresses, we suspect that the following ACL is causing these messages to be generated:

> access-list 110 remark keep any incoming from spoofing local netblocks
> access-list 110 deny ip w.x.y.n 0.0.0.b any log

What we don't understand is why so little information is logged. For example, our ACLs that block other bogus source IP addresses, such as:

> access-list 110 deny ip 10.0.0.0 0.255.255.255 any log

generate "normal" log entries, such as:

> Feb 23 06:29:51.523 EST: %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.20.101.192(4614) -> 63.113.59.79(80), 2 packets

Anyone know why we are seeing the highly truncate log entry and how to capture more data about what is going on here?

We just started seeing these about 2 days ago and they are getting to be much more frequent.

TIA for any expert explanation!

Jon Kibler
-- 
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214




==================================================
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.



More information about the list mailing list