nmap -sS -p80-85 134.x.x.1
I would expect to see the following syslog statements:
...%PIX-4-106023: Deny tcp src outside:<attacker>/23177 dst inside:134.x.x.1/81 by access-group "INBOUND"
...%PIX-4-106023: Deny tcp src outside:<attacker>/23177 dst inside:134.x.x.1/82 by access-group "INBOUND"
...%PIX-4-106023: Deny tcp src outside:<attacker>/23177 dst inside:134.x.x.1/83 by access-group "INBOUND"
...%PIX-4-106023: Deny tcp src outside:<attacker>/23177 dst inside:134.x.x.1/84 by access-group "INBOUND"
...%PIX-4-106023: Deny tcp src outside:<attacker>/23177 dst inside:134.x.x.1/85 by access-group "INBOUND"
...%PIX-4-400028: IDS:XXXX Port scan from <attacker> to 134.x.x.1 on interface outside
- Dave
Michael Janke wrote:
David Ishmael wrote:
<snip>
ports that were not opened on the PIX. Assuming this functionality isn't there, I was hoping that the PIX would at the very least send a syslog message stating that a port scan had been done for logging purposes.<snip>
- Dave
I've done a bit of playing with nmap & a PIX. The PIX is v6.1(1) & is set up to allow only TCP 80 to a test host.
I'm scanning port 80 & 81 to see which nmap switches will produce results & see what the PIX will log.
Scanning with:
root@bog# nmap -sS -T 5 -p80-81 134.x.x.1
Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )
Interesting ports on target.host (134.x.x.1):
Port State Service
80/tcp open http
81/tcp filtered hosts2-ns
Shows correct status & Generates syslog logs like:
...%PIX-4-106023: Deny tcp src outside:<attacker>/23177 dst inside:134.x.x.1/81 by access-group "INBOUND"
Scanning with:
root@bog# nmap -sF -T 5 -p80-81 134.x.x.1
Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )
Interesting ports on target.host (134.x.x.1):
Port State Service
80/tcp open http
81/tcp open hosts2-ns
Shows both open & Generates syslogs of:
...%PIX-4-400028: IDS:3042 TCP FIN only flags from <attacker> to 134.x.x.1 on interface outside
...%PIX-6-106015: Deny TCP (no connection) from <attacker>/43814 to 134.x.x.1/81 flags FIN on interface outside
Tcpdump on the NMAP host shows that no packets have been returned to NMAP,
yet NMAP concludes that the ports are open. Nmap generates a false positive?
Scanning with:
root@bog# nmap -sN -T 5 -p80-81 134.x.x.1
Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )
Interesting ports on target.host (134.x.x.1):
Port State Service
80/tcp open http
81/tcp open hosts2-ns
Generates syslogs of:
...%PIX-4-400026: IDS:3040 TCP NULL flags from <attacker> to 134.x.x.1 on interface outside
...%PIX-6-106015: Deny TCP (no connection) from <attacker>/55006 to 134.x.x.1/81 flags on interface outside
And incorrectly shows both ports open in NMAP. Again, no packets were
returned to the NMAP host.
Scanning with:
root@bog# nmap -sX -T 5 -p80-81 134.x.x.1
Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )
Interesting ports on target.host (134.x.x.1):
Port State Service
80/tcp open http
81/tcp open hosts2-ns
Generates:
...%PIX-6-106015: Deny TCP (no connection) from <attacker>/51748 to 134.x.x.1/80 flags FIN PSH URG on interface outside
This is again a false positive from NMAP.
It looks to me like the PIX is logging as it should.
David Ishmael, CCNA/IVCP
Sr. Engineer, Windward Consulting Group
2300 Corporate Park Drive
Suite 400
Herndon, VA 20171
[EMAIL PROTECTED]
(571) 332-6234
"Engineers don't think outside the box, they redesign it"
The information contained in this message, and any attachment, is confidential
and proprietary information, and may be legally privileged. It is intended
for the above named recipient(s) only and is transmitted in confidence. It
should be safeguarded to prevent unauthorized, negligent, or inadvertent
use or disclosure.
This message is proprietary to Windward Consulting Group, Inc. and may
not be disclosed, forwarded, distributed, or reproduced, without the express
permission of Windward.
If this message is received in error, the sender should be notified and
the message and any attachments deleted.
Email transmission cannot be guaranteed to be secure or error free as information
could be intercepted, corrupted, lost, destroyed, arrive late or incomplete,
or contain viruses. The sender therefore does not accept liability for any
errors or omissions in the contents of this message which arise as a result
of email transmission.
©2002 Windward Consulting Group, Inc
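The messages quoted in this thread are worth correlating on the syslog collector rather than reading one at a time: the 106023 access-group denies are the trace of a plain SYN scan, while the FIN, NULL and XMAS probes show up as 106015 "no connection" denies (with an empty flag list for NULL) next to the built-in IDS signatures 3040 and 3042. Because the PIX drops those probes silently, nmap reports the ports as open, so the only reliable evidence is in the firewall's own log. The parser below is an added example written for this thread, not code from the list or from Cisco; the sample lines are constructed from the ones quoted above, with 203.0.113.5 standing in for <attacker> and 134.0.0.1 for the masked target, and the port-count threshold is an assumed tuning value.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the PIX syslog lines quoted in the thread.
# 203.0.113.5 (RFC 5737 documentation space) stands in for <attacker> and
# 134.0.0.1 for the masked target 134.x.x.1; ports are as quoted.
SAMPLE_LOG = """\
%PIX-4-106023: Deny tcp src outside:203.0.113.5/23177 dst inside:134.0.0.1/81 by access-group "INBOUND"
%PIX-4-106023: Deny tcp src outside:203.0.113.5/23177 dst inside:134.0.0.1/82 by access-group "INBOUND"
%PIX-4-106023: Deny tcp src outside:203.0.113.5/23177 dst inside:134.0.0.1/83 by access-group "INBOUND"
%PIX-4-106023: Deny tcp src outside:203.0.113.5/23177 dst inside:134.0.0.1/84 by access-group "INBOUND"
%PIX-4-106023: Deny tcp src outside:203.0.113.5/23177 dst inside:134.0.0.1/85 by access-group "INBOUND"
%PIX-4-400028: IDS:3042 TCP FIN only flags from 203.0.113.5 to 134.0.0.1 on interface outside
%PIX-6-106015: Deny TCP (no connection) from 203.0.113.5/43814 to 134.0.0.1/81 flags FIN on interface outside
%PIX-4-400026: IDS:3040 TCP NULL flags from 203.0.113.5 to 134.0.0.1 on interface outside
%PIX-6-106015: Deny TCP (no connection) from 203.0.113.5/55006 to 134.0.0.1/81 flags on interface outside
%PIX-6-106015: Deny TCP (no connection) from 203.0.113.5/51748 to 134.0.0.1/80 flags FIN PSH URG on interface outside
"""

# 106023: packet denied by an access-list (what a SYN scan leaves behind).
ACL_DENY = re.compile(
    r'%PIX-\d-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)
# 106015: TCP segment with no matching connection; the flag list may be empty
# (NULL probe), which the PIX prints as "flags on interface outside".
NO_CONN_DENY = re.compile(
    r"%PIX-\d-106015: Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags(?P<flags>(?: [A-Z]+)*) on interface (?P<iface>\w+)"
)
# 4000xx: built-in IDS signature hit (3040 NULL flags, 3042 FIN only, ...).
IDS_EVENT = re.compile(
    r"%PIX-\d-4000\d\d: IDS:(?P<sig>\d+) (?P<name>.+?) from (?P<src>[\d.]+) "
    r"to (?P<dst>[\d.]+) on interface (?P<iface>\w+)"
)


def classify_flags(flags):
    """Name the illegal flag combination; the PIX drops these without replying."""
    fs = frozenset(flags)
    if not fs:
        return "NULL"
    if fs == {"FIN"}:
        return "FIN"
    if fs == {"FIN", "PSH", "URG"}:
        return "XMAS"
    return "other"


def parse_line(line):
    """Return a dict describing one PIX syslog line, or None if unrecognised."""
    m = ACL_DENY.search(line)
    if m:
        return {"kind": "acl_deny", "src": m["src"], "dst": m["dst"],
                "dport": int(m["dport"]), "acl": m["acl"]}
    m = NO_CONN_DENY.search(line)
    if m:
        flags = tuple(m["flags"].split())
        return {"kind": "no_conn", "src": m["src"], "dst": m["dst"],
                "dport": int(m["dport"]), "flags": flags,
                "probe": classify_flags(flags)}
    m = IDS_EVENT.search(line)
    if m:
        return {"kind": "ids", "src": m["src"], "dst": m["dst"],
                "sig": m["sig"], "name": m["name"]}
    return None


def summarize(log_text, port_threshold=5):
    """Aggregate events per source address; port_threshold is an assumed tuning value."""
    per_src = defaultdict(lambda: {"ports": set(), "probes": Counter(), "sigs": set()})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        entry = per_src[ev["src"]]
        if ev["kind"] == "acl_deny":
            entry["ports"].add((ev["dst"], ev["dport"]))   # distinct (host, port) pairs denied
        elif ev["kind"] == "no_conn":
            entry["probes"][ev["probe"]] += 1              # FIN / NULL / XMAS / other
        else:
            entry["sigs"].add(ev["sig"])                   # IDS signature ids
    report = {}
    for src, e in per_src.items():
        report[src] = {
            "distinct_denied_ports": len(e["ports"]),
            "port_scan_suspected": len(e["ports"]) >= port_threshold,
            "stealth_probes": dict(e["probes"]),
            "ids_signatures": sorted(e["sigs"]),
        }
    return report


if __name__ == "__main__":
    for src, r in summarize(SAMPLE_LOG).items():
        print(src, r)
```

Run against the sample it reports one source with five distinct denied ports (so a SYN sweep is suspected at the assumed threshold), one FIN, one NULL and one XMAS probe, and IDS signatures 3040 and 3042. On a real collector the same aggregation would be keyed by source and a time window; the point is that the 106015 lines with an empty or FIN-only flag list are the signal the scanner itself never sees.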
_______________________________________________ Firewalls mailing list [EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls
