[fwAnalog] Cisco PIX issues

From: Ajit Kunjal (akunjal~AT~rci.rutgers.edu)
Date: Wed Nov 26 2003 - 19:04:36 CET


   I am rather new to the "report generation" world. So, kindly excuse my ignorance in some matters. We are using logs from our Cisco PIX firewall to generate the reports. My experiences are listed below. If you can help me to get on the right track, I would really appreciate it. The versions of Analog and Fwanalog are 5.32 and 0.6.3 respectively.

1) The PIX logs that I possess consist of the following types of entries.

Nov 18 07:10:17 xyz.rutgers.edu Nov 18 2003 08:05:06: %PIX-4-106023: Deny udp src outside: dst inside:xxx.xxx.99.74/67 by access-group "inbound"

Nov 18 07:10:15 xyz.rutgers.edu Nov 18 2003 08:05:04: %PIX-3-106010: Deny inbound udp src outside: dst inside:xxx.xxx.99.127/138

The PIX-4 entries work fine; however, all of the PIX-3 entries are ignored and marked as erroneous by Analog. Is it because the formats are of a different type? Is there any way to fix this within Fwanalog or would I have to "sanitise" the logs before I give them to Fwanalog for processing?

2) The Blocked Packet Report gives the list of "Destination" hosts and the Packet Source Host Report gives a list of the "Source" hosts. Is this observation correct?

3) Is there any way that I can get a listing of the Class C addresses of the intruding source hosts? The Organization Report seems to give the Class B addresses.

4) Is it possible to get a report with the Source and Destination hosts together? Or is this option limited by Analog's definition of its input?

5) Is it possible to sort the Blocked Packet Report based on the port numbers rather than the number of blocks? This is useful when you would want to see which hosts are exhibiting a particular vulnerability.
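
The two message layouts quoted in the post differ in the `inbound` keyword and the trailing `by access-group` clause. The following is an added example, not part of the original message and not Fwanalog's or Analog's code: a standalone parser that accepts both layouts, groups source hosts by /24, and lists blocked destinations sorted by port. The function names, the `fw.example.edu` hostname and the sample lines (documentation address ranges) are constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_network

# One pattern for both deny messages quoted in the post:
#   %PIX-4-106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>"
#   %PIX-3-106010: Deny inbound <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port>
PIX_DENY = re.compile(
    r'%PIX-(?P<sev>\d)-(?P<msg>106023|106010): Deny (?:inbound )?(?P<proto>\S+) '
    r'src (?P<sif>[^:\s]+):(?P<sip>[\d.]+)(?:/(?P<sport>\d+))? '
    r'dst (?P<dif>[^:\s]+):(?P<dip>[\d.]+)(?:/(?P<dport>\d+))?'
    r'(?:.* by access-group "(?P<acl>[^"]+)")?'
)

SAMPLE = [  # constructed log lines, not taken from the post
    'Nov 18 07:10:17 fw.example.edu Nov 18 2003 08:05:06: %PIX-4-106023: Deny udp src outside:192.0.2.10/68 dst inside:198.51.100.74/67 by access-group "inbound"',
    'Nov 18 07:10:15 fw.example.edu Nov 18 2003 08:05:04: %PIX-3-106010: Deny inbound udp src outside:192.0.2.77/138 dst inside:198.51.100.127/138',
    'Nov 18 07:10:19 fw.example.edu Nov 18 2003 08:05:08: %PIX-4-106023: Deny tcp src outside:203.0.113.5/4021 dst inside:198.51.100.74/445 by access-group "inbound"',
    'Nov 18 07:10:20 fw.example.edu Nov 18 2003 08:05:09: %PIX-6-302013: Built outbound TCP connection',
]

def parse_deny(line):
    """Return a dict of fields for a 106023/106010 line, or None for anything else."""
    m = PIX_DENY.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport"):  # ports are absent for some protocols
        rec[key] = int(rec[key]) if rec[key] else None
    return rec

def load(lines):
    """Parse all lines, silently skipping the ones that are not deny messages."""
    return [rec for rec in map(parse_deny, lines) if rec]

def source_nets(records, prefix=24):
    """Count denied packets per source network (default /24, the old 'Class C')."""
    return Counter(str(ip_network(f"{r['sip']}/{prefix}", strict=False)) for r in records)

def by_dest_port(records):
    """(port, destination host, count) tuples sorted by port, then host."""
    counts = Counter((r["dport"] or 0, r["dip"]) for r in records)
    return sorted((port, host, n) for (port, host), n in counts.items())

if __name__ == "__main__":
    recs = load(SAMPLE)
    for net, n in source_nets(recs).most_common():
        print(f"{n:5d}  {net}")
    for port, host, n in by_dest_port(recs):
        print(f"{port:5d}  {host:15s}  {n}")
```
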


