Cisco PIX 515 UR - From where comes the traffic??

 
 
Tobias Korb
      12-14-2004
Hello together,

I have a PIX 515 UR and I have a lot of traffic on the outside interface.
How can I check:
- where is the traffic from
- what kind of traffic is it (ports for example 25 = smtp)

best regards,
Tobi


 
Walter Roberson
      12-14-2004
In article <cpn3g4$eto$03$(E-Mail Removed)-online.com>,
Tobias Korb <(E-Mail Removed)> wrote:
:I have a PIX 515 UR and I have a lot of traffic on the outside interface.
:How can I check:
:- where is the traffic from
:- what kind of traffic is it (ports for example 25 = smtp)

There is no summary accounting available in the PIX itself, so you
will have to use one of the other possibilities:

1) debug packet outside and watch the packets to see what's flowing
through. This is not recommended on a production system!!!

2) In PIX 6.3, you can set up a 'capture' to keep a copy of
a representative set of packets, and then examine the packets
afterwards. This would normally be used for debugging tricky
issues. It isn't as hard on the PIX as using the 'debug' command,
but it isn't designed for what you are looking for either.

3) Turn your logging level up to 6 and examine the logs.
logging buffered will keep roughly the last 40 syslog messages,
which usually isn't enough to really get a feel for what the traffic
is. You would thus normally turn on syslog on a host, configure
the PIX with logging host to tell it to send logs to that host,
and then configure logging trap 6 to tell it to send severity 6
and more important messages to the syslog server. Then on the
syslog server, examine the log produced. The log will have
IP addresses and ports.


If you are running a PIX for a corporate IP block, likely
a *lot* of the traffic is automated (and random) attempts to
take over your computers by using known exploits (e.g.,
"malformed packet to any of half a dozen ports will allow
an intruder to take control of your Windows machine"). These packets
will seldom be "personal" attacks: they just scan -everything-
and hope to get lucky.

A noticeable number of the packets (but far less than the above)
will be scans looking for open smtp ports that can be used either
to relay spam to other services, or to just send spam to a dictionary
of possible usernames at the host in hopes that the spam will get
read by -someone-.

One problem that is on the increase is that there are automated
tools that scan for ssh ports and then try dictionary attacks
against known usernames and potential passwords. If you are running
an ssh server, make sure that your users have good passwords,
especially if their name happens to be 'root' or 'guest'.
--
Oh, to be a Blobel!
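
Option 3 in the reply above, taken one step further as an added example (not part of the original post): a Python script that tallies outside source addresses and destination ports from the file written by the syslog host. The sample lines are constructed, and the layouts assumed for messages 106023 and 302013/302015 should be checked against your own log.

```python
import re
from collections import Counter

# Constructed sample of what a syslog host might receive from the PIX.
# Addresses are documentation ranges; the line layouts are an assumption
# (messages 106023, 302013/302015, 302014) to verify against real logs.
SAMPLE_LOG = """\
Dec 14 10:01:02 pix %PIX-4-106023: Deny tcp src outside:198.51.100.7/4421 dst inside:192.0.2.10/445 by access-group "outside_in"
Dec 14 10:01:03 pix %PIX-4-106023: Deny tcp src outside:198.51.100.7/4422 dst inside:192.0.2.11/445 by access-group "outside_in"
Dec 14 10:01:05 pix %PIX-6-302013: Built inbound TCP connection 5121 for outside:203.0.113.9/3310 (203.0.113.9/3310) to inside:192.0.2.25/25 (192.0.2.25/25)
Dec 14 10:01:06 pix %PIX-4-106023: Deny udp src outside:203.0.113.50/1026 dst inside:192.0.2.10/1434 by access-group "outside_in"
Dec 14 10:01:09 pix %PIX-6-302013: Built inbound TCP connection 5122 for outside:198.51.100.7/4500 (198.51.100.7/4500) to inside:192.0.2.25/22 (192.0.2.25/22)
Dec 14 10:01:10 pix %PIX-4-106023: Deny icmp src outside:203.0.113.50 dst inside:192.0.2.10 (type 8, code 0) by access-group "outside_in"
Dec 14 10:01:11 pix %PIX-6-302014: Teardown TCP connection 5121 for outside:203.0.113.9/3310 to inside:192.0.2.25/25 duration 0:00:05 bytes 812 TCP FINs
"""

# Ports are optional because ICMP denies carry a type/code instead of ports.
DENY = re.compile(r"%PIX-\d-106023: Deny (\w+) src outside:([\d.]+)(?:/(\d+))?"
                  r" dst \S+?:([\d.]+)(?:/(\d+))?")
BUILT = re.compile(r"%PIX-\d-30201[35]: Built inbound (TCP|UDP) connection \d+"
                   r" for outside:([\d.]+)/(\d+) \([^)]*\) to \S+?:([\d.]+)/(\d+)")

def summarize(log_text):
    """Return (Counter of outside source IPs, Counter of (action, proto, dst port))."""
    sources, services = Counter(), Counter()
    for line in log_text.splitlines():
        for action, rx in (("deny", DENY), ("permit", BUILT)):
            m = rx.search(line)
            if m:
                proto, src, _sport, _dst, dport = m.groups()
                sources[src] += 1
                port = int(dport) if dport else None  # None for ICMP
                services[(action, proto.lower(), port)] += 1
                break  # one message per line; teardowns and other IDs are skipped
    return sources, services

if __name__ == "__main__":
    sources, services = summarize(SAMPLE_LOG)
    print("Top outside sources:")
    for ip, n in sources.most_common(10):
        print(f"{n:6d}  {ip}")
    print("Top destination services:")
    for (action, proto, port), n in services.most_common(10):
        print(f"{n:6d}  {action:6s} {proto}/{port if port is not None else '-'}")
```

To run it on a real file, pass the file's contents to `summarize()` in place of `SAMPLE_LOG`.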
 
jarcar
      12-15-2004
Tobias Korb wrote:
> Hello together,
>
> I have a PIX 515 UR and I have a lot of traffic on the outside interface.
> How can I check:
> - where is the traffic from
> - what kind of traffic is it (ports for example 25 = smtp)
>

show conn

regards
 