FireGen Report
| Info | Value |
|---|---|
| Log profile | Log profile Cisco IOS |
| Analyzed log(s) | F:\Logs\Cisco Router\syslog-rtr-2006-11-13.txt (12.00 MB) |
| Firewall type | Cisco IOS |
| Analysis interval | All entries in the specified log |
Firewalls
| No | Firewall | Connections | Traffic (MB) | Denials | Warnings | URLs |
|---|---|---|---|---|---|---|
| 1 | 10.1.10.2 | 60,727 | 1,291.65 | 18 | 01 | 00 |
Message types
| No | Code | Message sample | Count |
|---|---|---|---|
| 2 | CRYPTO-3-QUERY_KEY | Querying key pair failed. | 2,779 |
| 3 | CRYPTO-4-IKMP_BAD_MESSAGE | IKE message from 217.118.237.6 failed its sanity check or is malformed | 1,375 |
| 4 | CRYPTO-4-IKMP_PKT_OVERFLOW | ISAKMP message from 216.153.137.34 larger (-308757567) than the UDP packet length (92) | 01 |
| 5 | DUAL-5-NBRCHANGE | IP-EIGRP(0) 10: Neighbor 10.255.1.202 (Tunnel106) is up: new adjacency | 02 |
| 6 | FW-2-BLOCK_HOST | Blocking new TCP connections to host 66.193.23.113 for 2 minutes (half-open count 50 exceeded). | 01 |
| 7 | FW-3-HTTP_JAVA_BLOCK | JAVA applet is blocked from (209.157.71.50:80) to (10.1.100.142:4416). | 16 |
| 8 | FW-3-RESPONDER_WND_SCALE_INI_NO_SCALE | Dropping packet - Invalid Window Scale option for session 10.1.100.149:3314 to 70.96.241.242:80 (Initiator scale 0 Responder scale 0) | 01 |
| 9 | FW-4-HOST_TCP_ALERT_ON | Max tcp half-open connections (50) exceeded for host 66.193.23.113. | 01 |
| 10 | FW-4-UNBLOCK_HOST | New TCP connections to host 66.193.23.113 no longer blocked | 01 |
| 11 | FW-6-SESS_AUDIT_TRAIL | udp session initiator (10.1.1.59:1349) sent 126 bytes -- responder (204.117.214.10:53) sent 797 bytes | 60,727 |
| 12 | VPN_HW-4-PACKET_ERROR | slot: 0 Packet Encryption/Decryption error, Output Authentication error:srcadr=211.75.163.90,dstadr=144.232.212.18,size=168,handle=0x59D5 | 04 |
Firewall: 10.1.10.2
10.1.10.2 - Traffic and denials per hour
| Hour | Traffic (MB) | % | Connections | % | Denials | % | Flag |
|---|---|---|---|---|---|---|---|
| 00-01 | 00.00 | 0.04 | 699 | 1.15 | 00 | 0.00 | |
| 01-02 | 06.00 | 0.50 | 456 | 0.75 | 00 | 0.00 | |
| 02-03 | 08.00 | 0.63 | 596 | 0.98 | 00 | 0.00 | |
| 03-04 | 19.00 | 1.49 | 749 | 1.23 | 00 | 0.00 | |
| 04-05 | 07.00 | 0.59 | 880 | 1.45 | 00 | 0.00 | |
| 05-06 | 01.00 | 0.14 | 581 | 0.96 | 00 | 0.00 | |
| 06-07 | 02.00 | 0.18 | 549 | 0.90 | 00 | 0.00 | |
| 07-08 | 04.00 | 0.32 | 655 | 1.08 | 00 | 0.00 | |
| 08-09 | 94.00 | 7.30 | 5,527 | 9.10 | 00 | 0.00 | |
| 09-10 | 105.00 | 8.16 | 5,449 | 8.97 | 00 | 0.00 | |
| 10-11 | 181.00 | 14.07 | 6,489 | 10.68 | 08 | 44.44 | !!! |
| 11-12 | 128.00 | 9.95 | 6,072 | 10.00 | 01 | 5.56 | |
| 12-13 | 190.00 | 14.72 | 4,032 | 6.64 | 00 | 0.00 | |
| 13-14 | 98.00 | 7.61 | 4,987 | 8.21 | 00 | 0.00 | |
| 14-15 | 103.00 | 8.00 | 4,544 | 7.48 | 00 | 0.00 | |
| 15-16 | 82.00 | 6.42 | 4,389 | 7.23 | 08 | 44.44 | !!! |
| 16-17 | 91.00 | 7.10 | 4,474 | 7.37 | 01 | 5.56 | |
| 17-18 | 108.00 | 8.43 | 4,521 | 7.44 | 00 | 0.00 | |
| 18-19 | 29.00 | 2.28 | 1,720 | 2.83 | 00 | 0.00 | |
| 19-20 | 11.00 | 0.89 | 948 | 1.56 | 00 | 0.00 | |
| 20-21 | 03.00 | 0.29 | 534 | 0.88 | 00 | 0.00 | |
| 21-22 | 04.00 | 0.32 | 803 | 1.32 | 00 | 0.00 | |
| 22-23 | 03.00 | 0.30 | 509 | 0.84 | 00 | 0.00 | |
| 23-24 | 03.00 | 0.29 | 582 | 0.96 | 00 | 0.00 | |
10.1.10.2 - Interfaces
| No | Interfaces | Connections | MB | % | Denials | Warnings |
|---|---|---|---|---|---|---|
| 1 | Not specified | 60,727 | 1,291.65 | 100.00 | 18 | 01 |
| Total | | 60,727 | 1,291.65 | | 18 | 01 |
Firewall: 10.1.10.2 - Interfaces: Not specified
Top 10 sources
| No | Source | Bytes | % | Comment |
|---|---|---|---|---|
| 1 | 10.1.1.19 | 288,917,789 | 21.33 | |
| 2 | 10.1.100.138 | 152,284,845 | 11.24 | |
| 3 | 10.1.100.159 | 82,145,840 | 6.07 | |
| 4 | 10.1.100.143 | 55,841,106 | 4.12 | |
| 5 | 10.1.100.144 | 52,618,012 | 3.88 | |
| 6 | 10.1.100.118 | 51,867,544 | 3.83 | |
| 7 | 10.1.100.149 | 51,274,997 | 3.79 | 1 denials recorded on 11/13/2006 4:32:48 PM |
| 8 | 10.1.100.103 | 47,923,769 | 3.54 | |
| 9 | 10.1.90.101 | 44,240,548 | 3.27 | |
| 10 | 10.1.100.142 | 39,627,745 | 2.93 | |

Top 10 destinations
| No | Destination | Bytes | % | Comment |
|---|---|---|---|---|
| 1 | outbounds7.obsmtp.com (64.18.6.12) | 277,143,376 | 20.46 | |
| 2 | 216.183.239.101 | 57,584,026 | 4.25 | |
| 3 | www-vip10.dmz.fedex.com (199.81.204.50) | 38,929,209 | 2.87 | |
| 4 | www.bbhcsd.org (208.108.152.49) | 32,861,137 | 2.43 | |
| 5 | 66.184.207.181 | 30,694,244 | 2.27 | |
| 6 | 12.120.17.110 | 26,379,971 | 1.95 | |
| 7 | 12.120.109.110 | 25,176,381 | 1.86 | |
| 8 | host176.redtechnology.com (212.135.151.176) | 17,172,329 | 1.27 | |
| 9 | 205.177.95.27 | 15,452,719 | 1.14 | |
| 10 | 66.77.9.202 | 13,438,696 | 0.99 | |

Top 10 sources, protocols and bytes
| No | Source | Protocol | Connections | Bytes | % | Comment |
|---|---|---|---|---|---|---|
| 1 | 10.1.1.19 | SMTP/25 | 7,459 | 277,143,376 | 20.46 | |
| 2 | 10.1.100.138 | HTTP/80 | 3,643 | 137,081,967 | 10.12 | |
| 3 | 10.1.100.159 | RTSP/554 | 02 | 57,584,026 | 4.25 | |
| 4 | 10.1.100.144 | HTTP/80 | 309 | 52,499,729 | 3.88 | |
| 5 | 10.1.100.149 | HTTP/80 | 2,128 | 49,297,451 | 3.64 | 1 denials recorded on 11/13/2006 4:32:48 PM |
| 6 | 10.1.100.143 | HTTP/80 | 1,755 | 47,831,323 | 3.53 | |
| 7 | 10.1.100.103 | HTTP/80 | 2,945 | 44,871,253 | 3.31 | |
| 8 | 10.1.90.101 | TCP/443 - ssl-https | 240 | 41,659,681 | 3.08 | |
| 9 | 10.1.100.142 | HTTP/80 | 1,603 | 38,723,814 | 2.86 | |
| 10 | 10.1.100.120 | HTTP/80 | 1,430 | 33,239,075 | 2.45 | |
Top 10 sources, destinations, protocols and bytes
| No | Source | Destination | Protocol | Connections | Bytes | % | Comment |
|---|---|---|---|---|---|---|---|
| 1 | 10.1.1.19 | outbounds7.obsmtp.com (64.18.6.12) | SMTP/25 | 7,459 | 277,143,376 | 20.46 | |
| 2 | 10.1.100.159 | 216.183.239.101 | RTSP/554 | 02 | 57,584,026 | 4.25 | |
| 3 | 10.1.90.101 | www-vip10.dmz.fedex.com (199.81.204.50) | TCP/443 - ssl-https | 73 | 38,608,885 | 2.85 | |
| 4 | 10.1.100.138 | www.bbhcsd.org (208.108.152.49) | HTTP/80 | 82 | 32,861,137 | 2.43 | |
| 5 | 10.1.100.144 | 66.184.207.181 | HTTP/80 | 03 | 30,694,244 | 2.27 | |
| 6 | 10.1.100.138 | 12.120.17.110 | HTTP/80 | 06 | 25,150,498 | 1.86 | |
| 7 | 10.1.100.129 | 12.120.109.110 | HTTP/80 | 04 | 23,080,191 | 1.70 | |
| 8 | 10.1.100.118 | 205.177.95.27 | RTSP/554 | 01 | 15,452,719 | 1.14 | |
| 9 | 10.1.100.138 | host176.redtechnology.com (212.135.151.176) | TCP/443 - ssl-https | 30 | 12,969,122 | 0.96 | |
| 10 | 10.1.1.19 | 66.77.9.202 | HTTP/80 | 01 | 11,572,174 | 0.85 | |
Top 10 protocols
| No | Protocol | Connections | Bytes | % | Comment |
|---|---|---|---|---|---|
| 1 | HTTP/80 | 39,308 | 816,457,389 | 60.28 | |
| 2 | SMTP/25 | 7,459 | 277,143,376 | 20.46 | |
| 3 | TCP/443 - ssl-https | 3,394 | 138,301,274 | 10.21 | |
| 4 | RTSP/554 | 07 | 74,527,150 | 5.50 | |
| 5 | TCP/1935 | 13 | 8,737,910 | 0.65 | |
| 6 | TCP/8080 - http proxy | 61 | 7,789,618 | 0.58 | |
| 7 | UDP/53 - dns | 7,297 | 6,146,904 | 0.45 | |
| 8 | NETSHOW/1755 | 01 | 4,440,602 | 0.33 | |
| 9 | TCP/8200 | 47 | 1,110,490 | 0.08 | |
| 10 | TCP/8801 | 39 | 811,317 | 0.06 | |

Top 10 denied sources
| No | Source | Connections | First denial | % | Comment |
|---|---|---|---|---|---|
| 1 | 209.157.71.50 | 16 | 11/13/2006 10:48:16 AM | 88.89 | 48 denials recorded on 11/15/2006 3:20:29 PM |
| 2 | 10.1.10.2 | 01 | 11/13/2006 11:15:35 AM | 05.56 | 1 denials recorded on 11/14/2006 1:25:54 PM |
| 3 | 10.1.100.149 | 01 | 11/13/2006 4:32:48 PM | 05.56 | 1 denials recorded on 11/13/2006 4:32:48 PM |
Top 10 destinations for denied connections
| No | Destination | Connections | First denial | % | Comment |
|---|---|---|---|---|---|
| 1 | 0.0.0.80 (80) | 16 | 11/13/2006 10:48:16 AM | 88.89 | |
| 2 | 66.193.23.113 | 01 | 11/13/2006 11:15:35 AM | 05.56 | |
| 3 | web01-kly.opusnet.com (70.96.241.242) | 01 | 11/13/2006 4:32:48 PM | 05.56 | |
Top 10 denied protocols
| No | Denied protocol | Connections | First denial | % | Comment |
|---|---|---|---|---|---|
| 1 | TCP/80 - http | 17 | 11/13/2006 10:48:16 AM | 94.44 | |
| 2 | TCP | 01 | 11/13/2006 11:15:35 AM | 05.56 | |

Top 10 denial reasons
| No | Denial reason | Connections | First denial | % | Comment |
|---|---|---|---|---|---|
| 1 | Java applet blocked | 16 | 11/13/2006 10:48:16 AM | 88.89 | |
| 2 | TCP half-open count 50 exceeded | 01 | 11/13/2006 11:15:35 AM | 05.56 | |
| 3 | Invalid Window Scale option - Initiator scale 0 Responder scale 0 | 01 | 11/13/2006 4:32:48 PM | 05.56 | |

Top 10 denied sources, destinations, protocols and reasons
| No | Source | Destination | Protocol | Reason | Connections | First denial | % | Comment |
|---|---|---|---|---|---|---|---|---|
| 1 | 209.157.71.50 | 0.0.0.80 (80) | TCP/80 - http | Java applet blocked | 16 | 11/13/2006 10:48:16 AM | 88.89 | 48 denials recorded on 11/15/2006 3:20:29 PM |
| 2 | 10.1.10.2 | 66.193.23.113 | TCP | TCP half-open count 50 exceeded | 01 | 11/13/2006 11:15:35 AM | 5.56 | 1 denials recorded on 11/14/2006 1:25:54 PM |
| 3 | 10.1.100.149 | web01-kly.opusnet.com (70.96.241.242) | TCP/80 - http | Invalid Window Scale option - Initiator scale 0 Responder scale 0 | 01 | 11/13/2006 4:32:48 PM | 5.56 | 1 denials recorded on 11/13/2006 4:32:48 PM |
Top 10 denied protocols and reasons
| No | Protocol | Reason | Denials | % | Comment |
|---|---|---|---|---|---|
| 1 | TCP/80 - http | Java applet blocked | 16 | 88.89 | |
| 2 | TCP | TCP half-open count 50 exceeded | 01 | 5.56 | |
| 3 | TCP/80 - http | Invalid Window Scale option - Initiator scale 0 Responder scale 0 | 01 | 5.56 | 1 denials recorded on 11/13/2006 4:32:48 PM |
Top 10 warning messages
| No | Source | Destination | Protocol | Warning | Count | First warning | % | Comment |
|---|---|---|---|---|---|---|---|---|
| 1 | 66.193.23.113 | 10.1.10.2 | TCP | Max tcp half-open connections (50) exceeded | 01 | 11/13/2006 11:15:34 AM | 100.00 | 1 denials recorded on 11/14/2006 1:25:54 PM |
Other messages
| No | Code | Message sample | Count | Comment |
|---|---|---|---|---|
| 1 | CRYPTO-3-QUERY_KEY | Querying key pair failed. | 2779 | |
| 2 | CRYPTO-4-IKMP_BAD_MESSAGE | IKE message from 217.118.237.6 failed its sanity check or is malformed | 1375 | |
| 3 | VPN_HW-4-PACKET_ERROR | slot: 0 Packet Encryption/Decryption error, Output Authentication error:srcadr=211.75.163.90,dstadr=144.232.212.18,size=168,handle=0x59D5 | 4 | |
| 4 | FW-4-UNBLOCK_HOST | New TCP connections to host 66.193.23.113 no longer blocked | 1 | |
| 5 | CRYPTO-4-IKMP_PKT_OVERFLOW | ISAKMP message from 216.153.137.34 larger (-308757567) than the UDP packet length (92) | 1 | |

To assist us in improving the analyzer, please send the messages above to support@firegen.com and they will be added to the next release of Firegen.
Analysis details
| Info | Value |
|---|---|
| Analysis start time | 11/15/2011 7:34:10 PM |
| Analysis duration | 0.38 minutes (22 seconds) |
| Analysis engine version | Cisco IOSlog parser version: 0.01 FireGen30Service.exe - FireGen scheduler service: 3.0.0.0 |
| Filtering criteria | All entries |
| Excluded keywords | None |
Glossary
| Term | Meaning |
|---|---|
| !!! | Indicates that a high denials:connections ratio has been detected. The currently configured ratio is 3. The !!! marker indicates that the percentage of denials for that hour is greater than 3 x the connections percentage. This points to unusual denial activity that may have to be investigated. The ratio can be configured on the Report Formats interface. |
| Other messages | The Other messages table lists messages not yet configured in the Firegen parser. Please send these messages to us (support@firegen.com) and we will add them in the next Firegen update. These messages are included in the list of message types but are not yet fully understood by the analyzer. |