[Dshield] Cisco log question

Jeff Kell jeff-kell at utc.edu
Wed Feb 25 19:44:48 GMT 2004


Jon R. Kibler wrote:

> Hello,
> 
> We have been seeing some unusual log entries originating from the
> inbound ACL list on a Cisco (827) router:
> 
>> Feb 25 00:34:05.005 EST: %SEC-6-IPACCESSLOGS: list 110 denied w.x.y.66 1 packet
>> Feb 25 00:39:06.381 EST: %SEC-6-IPACCESSLOGS: list 110 denied w.x.y.66 135 packets
> 
> What is "strange" about these entries are that they contain only a
> single IP address and no protocol information. The IP in these
> entries is always an internal IP. As we block inbound packets from
> the Internet that claim to originate from one of our IP addresses, we
> suspect that the following ACL is causing these messages to be
> generated:
> 
>> access-list 110 remark keep any incoming from spoofing local netblocks
>> access-list 110 deny ip w.x.y.n 0.0.0.b any log

If you "deny IP" and it starts your access list, that's all you're going 
to get.  You have to get it to split "deny tcp" and "deny udp" to get 
what you want, and to be sure you get port numbers, you should start 
with a dummy like "deny tcp any eq 0 any eq 0" which will make it parse 
out the protocol, address, and port.

ACLs only look as far into the packet as necessary and log only what 
they examine.

Jeff
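An added example, not part of the thread: a small parser for the two IOS ACL log shapes Jeff contrasts, so a defender can spot which lists are still logging only a source address (the IPACCESSLOGS form quoted above) versus the protocol/port form that a split "deny tcp"/"deny udp" entry produces. The IPACCESSLOGP line layout is assumed from IOS documentation, and the sample log lines and the 10.0.0.x addresses are constructed stand-ins for the thread's w.x.y.66.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Address-only form: produced by a plain "deny ip ... log" entry (as quoted in the thread).
_LOGS_RE = re.compile(
    r"%SEC-6-IPACCESSLOGS: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) (?P<count>\d+) packets?"
)
# Protocol/port form: produced once the entry is split into tcp/udp.
# Layout assumed from IOS: "... denied tcp 10.0.0.66(2345) -> 10.0.0.1(135), 3 packets"
_LOGP_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

@dataclass
class AclLogEntry:
    acl: str
    action: str
    src: str
    count: int
    proto: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    @property
    def address_only(self) -> bool:
        """True when the ACL examined (and therefore logged) nothing past the source address."""
        return self.proto is None

def parse_acl_log(line: str) -> Optional[AclLogEntry]:
    """Parse one syslog line; returns None for lines that are not ACL log messages."""
    m = _LOGP_RE.search(line)
    if m:
        return AclLogEntry(m["acl"], m["action"], m["src"], int(m["count"]),
                           m["proto"], int(m["sport"]), m["dst"], int(m["dport"]))
    m = _LOGS_RE.search(line)
    if m:
        return AclLogEntry(m["acl"], m["action"], m["src"], int(m["count"]))
    return None

def address_only_acls(lines: Iterable[str]) -> Dict[str, int]:
    """Map each ACL whose denies log only an address to its denied packet total.
    These are the lists worth splitting into deny tcp / deny udp entries."""
    totals: Dict[str, int] = {}
    for line in lines:
        e = parse_acl_log(line)
        if e and e.action == "denied" and e.address_only:
            totals[e.acl] = totals.get(e.acl, 0) + e.count
    return totals

SAMPLE_LOG = [  # constructed sample lines mirroring the thread's entries
    "Feb 25 00:34:05.005 EST: %SEC-6-IPACCESSLOGS: list 110 denied 10.0.0.66 1 packet",
    "Feb 25 00:39:06.381 EST: %SEC-6-IPACCESSLOGS: list 110 denied 10.0.0.66 135 packets",
    "Feb 25 00:44:07.120 EST: %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.0.0.66(2345) -> 10.0.0.1(135), 3 packets",
    "Feb 25 00:45:00.000 EST: %SEC-6-IPACCESSLOGS: list 120 permitted 10.0.0.7 2 packets",
]
```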
