Walter Roberson
Guest
Posted: Tue Dec 14, 2004 9:31 pm
Post subject: Re: Cisco PIX 515 UR - From where comes the traffic??
In article <cpn3g4$eto$03$1@news.t-online.com>,
Tobias Korb <milla.killa@gmx.de> wrote:
:I have a PIX 515 UR and I have a lot of traffic on the outside interface.
:How can I check:
:- where is the traffic from
:- what kind of traffic is it (ports, for example 25 = smtp)
There is no summary accounting available in the PIX itself, so you
will have to use one of the other possibilities:
1) debug packet outside and watch the packets to see what's flowing
through. This is not recommended on a production system!!!
2) In PIX 6.3, you can set up a 'capture' to keep a copy of
a representative set of packets, and then examine the packets
afterwards. This would normally be used for debugging tricky
issues. It isn't as hard on the PIX as using the 'debug' command,
but it isn't designed for what you are looking for either.
3) Turn your logging level up to 6 and examine the logs.
logging buffered will keep roughly the last 40 syslog messages,
which usually isn't enough to really get a feel for what the traffic
is. You would thus normally turn on syslog on a host, configure
the PIX with logging host to tell it to send logs to that host,
and then configure logging trap 6 to tell it to send severity 6
and more important messages to the syslog server. Then on the
syslog server, examine the log produced. The log will have
IP addresses and ports.
If you are running a PIX for a corporate IP block, likely
a *lot* of the traffic is automated (and random) attempts to
take over your computers by using known exploits (e.g.,
"malformed packet to any of half a dozen ports will allow
an intruder to take control of your Windows machine"). These packets
will seldom be "personal" attacks: they just scan -everything-
and hope to get lucky.
A noticeable number of the packets (but far less than the above)
will be scans looking for open smtp ports that can be used either
to relay spam to other services, or to just send spam to a dictionary
of possible usernames at the host in hopes that the spam will get
read by -someone-.
One problem that is on the increase is that there are automated
tools that scan for ssh ports and then try dictionary attacks
against known usernames and potential passwords. If you are running
an ssh server, make sure that your users have good passwords,
especially if their name happens to be 'root' or 'guest'.
--
Oh, to be a Blobel!