RE: can someone interpret this log entry?

  • From: "Jay J. Mobley" <jmobley@xxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 11 Mar 2002 15:17:45 -0800

Sorry to beat this dying horse, but what do you make of this, then? 

10.0.1.197, -, -, N, 3/10/2002, 20:29:12, fwsrv, -, -, -, 209.214.157.87, 1030, 
-, -, 0, 443, TCP, Accept, -, -, -, 0, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 20:29:12, fwsrv, -, -, -, 209.214.157.87, 1030, 
-, -, 0, 443, TCP, Accept, -, -, -, 20000, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 20:29:13, fwsrv, -, -, -, 209.214.157.87, 1031, 
-, -, 0, 443, TCP, Accept, -, -, -, 0, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 20:29:13, fwsrv, -, -, -, 209.214.157.87, 1031, 
-, -, 0, 443, TCP, Accept, -, -, -, 20000, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 20:29:13, fwsrv, -, -, -, 209.214.157.87, 1032, 
-, -, 0, 443, TCP, Accept, -, -, -, 0, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 20:29:13, fwsrv, -, -, -, 209.214.157.87, 1032, 
-, -, 0, 443, TCP, Accept, -, -, -, 20000, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 20:29:14, fwsrv, -, -, -, 209.214.157.87, 1033, 
-, -, 0, 443, TCP, Accept, -, -, -, 0, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 20:29:14, fwsrv, -, -, -, 209.214.157.87, 1033, 
-, -, 0, 443, TCP, Accept, -, -, -, 20000, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 20:29:15, fwsrv, -, -, -, 209.214.157.87, 1034, 
-, -, 0, 443, TCP, Accept, -, -, -, 0, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 20:29:15, fwsrv, -, -, -, 209.214.157.87, 1034, 
-, -, 0, 443, TCP, Accept, -, -, -, 20000, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 20:29:16, fwsrv, -, -, -, 209.214.157.87, 1035, 
-, -, 0, 443, TCP, Accept, -, -, -, 0, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 20:29:16, fwsrv, -, -, -, 209.214.157.87, 1035, 
-, -, 0, 443, TCP, Accept, -, -, -, 20000, -, -, -, -, -

-----Original Message-----
From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Monday, March 11, 2002 3:05 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: can someone interpret this log entry?


http://www.ISAserver.org


Hi Jay,

Good point. The "Accept" indicates that it's an incoming request. If you
turn on Rule#1 and Rule#2, it'll make it a lot easier to analyze the
logs.

HTH,
Tom

-----Original Message-----
From: Jay J. Mobley [mailto:jmobley@xxxxxxxxxx] 
Sent: Monday, March 11, 2002 4:41 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: can someone interpret this log entry?

Tom, 


So is there any way to tell if this is an SSL request being made by the
internal server, or is this server responding to SSL requests?

-Jay

-----Original Message-----
From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Monday, March 11, 2002 2:30 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: can someone interpret this log entry?


Hi Jay,

How is connecting to SSL port 443 considered a port scan?

Thanks!

Tom

-----Original Message-----
From: Jay J. Mobley [mailto:jmobley@xxxxxxxxxx] 
Sent: Monday, March 11, 2002 4:24 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] can someone interpret this log entry?

So I got a message from our ISP today telling me that my server is
hacked because they got a complaint from a user who said I am scanning
his ports. Inferring from the time of day, and the ports that he said
were scanned, I must assume the below are the firewall entries that
correspond to this event, but before I go back to my ISP with what looks
to me like routine HTTPS traffic I want to submit to y'all to see if you
agree.




10.0.1.197, -, -, N, 3/10/2002, 19:21:30, fwsrv, -, -, -,
207.225.29.119, 1509, -, -, 0, 443, TCP, Accept, -, -, -, 20000, -, -,
-, -, -

10.0.1.197, -, -, N, 3/10/2002, 19:21:31, fwsrv, -, -, -,
207.225.29.119, 1510, -, -, 0, 443, TCP, Accept, -, -, -, 0, -, -, -, -,
-

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
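
An added example, not part of the original messages: Python that rejoins mail-wrapped entries like the ones in this thread and counts distinct ports per remote address, which is the check that separates repeated connections on port 443 from a multi-port sweep. The column positions, the threshold, the function names and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

# Zero-based columns, assumed from values visible in the thread, not from ISA docs.
LOCAL_IP, REMOTE_IP, REMOTE_PORT, SERVICE_PORT, FIELDS = 0, 10, 11, 15, 27
SCAN_THRESHOLD = 10  # hypothetical cut-off: distinct service ports per peer

# Constructed sample, wrapped the way the mail client wrapped the real entries.
SAMPLE = """\
10.0.1.197, -, -, N, 3/10/2002, 20:29:12, fwsrv, -, -, -, 192.0.2.10, 1030,
-, -, 0, 443, TCP, Accept, -, -, -, 20000, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 20:29:13, fwsrv, -, -, -, 192.0.2.10, 1031,
-, -, 0, 443, TCP, Accept, -, -, -, 0, -, -, -, -, -
"""
# Constructed contrast case: one peer touching twelve different ports.
ROW = ("10.0.1.197, -, -, N, 3/10/2002, 20:30:00, fwsrv, -, -, -, 198.51.100.7, "
       "2000, -, -, 0, {port}, TCP, Accept, -, -, -, 0, -, -, -, -, -")
SWEEP = "\n".join(ROW.format(port=p) for p in range(20, 32))

def parse_records(text):
    """Rejoin mail-wrapped lines (trailing comma = continued) and split fields."""
    records, pending = [], ""
    for line in (l.strip() for l in text.splitlines()):
        pending += line
        if not line or line.endswith(","):
            continue
        fields = [f.strip() for f in pending.split(",")]
        pending = ""
        if len(fields) == FIELDS:  # drop anything that is not a full record
            records.append(fields)
    return records

def summarize(records):
    """Per (local, remote) pair: row count, distinct service and remote ports."""
    peers = defaultdict(lambda: {"rows": 0, "service_ports": set(), "remote_ports": set()})
    for r in records:
        p = peers[(r[LOCAL_IP], r[REMOTE_IP])]
        p["rows"] += 1
        p["service_ports"].add(r[SERVICE_PORT])
        p["remote_ports"].add(r[REMOTE_PORT])
    return peers

def verdict(stats):
    """Many distinct service ports resembles a sweep; a single port does not."""
    n = len(stats["service_ports"])
    return "scan-like" if n >= SCAN_THRESHOLD else "single-service" if n == 1 else "few-services"

if __name__ == "__main__":
    for pair, s in summarize(parse_records(SAMPLE + SWEEP)).items():
        print(pair, s["rows"], sorted(s["service_ports"]), verdict(s))
```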
