RE: can someone interpret this log entry?

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 11 Mar 2002 15:33:44 -0800

According to those logs:
10.0.1.197, -, -, N, 3/10/2002, 20:29:12, fwsrv, -, -, -, 209.214.157.87,
1030, -, -, 0, 443, TCP, Accept, -, -, -, 0, -, -, -, -, -
    - this is a normal connection to port 443 (are you hosting an SSL-based
site?)
10.0.1.197, -, -, N, 3/10/2002, 20:29:12, fwsrv, -, -, -, 209.214.157.87,
1030, -, -, 0, 443, TCP, Accept, -, -, -, 20000, -, -, -, -, -
    - this is a normal disconnect event for the previous connection

Hi everybody!

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!
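As an added illustration of Jim's reading (not code from anyone on the list), here is a small Python triage that parses lines in this log layout, pairs each result-code-0 connect with the 20000 disconnect on the same client/source-port/destination tuple, and reports per client-destination pair whether the sessions all went to one service port or were spread across many. The column positions and the sweep threshold are assumptions read off the quoted entries.

```python
import csv
from collections import defaultdict

# Column positions are an assumption, read off the lines quoted in this thread:
# client IP, destination IP, source port, destination port, protocol, action, result.
CLIENT_IP, DEST_IP, SRC_PORT, DEST_PORT, PROTO, ACTION, RESULT = 0, 10, 11, 15, 16, 17, 21
CONNECT, DISCONNECT = "0", "20000"  # result codes as Jim interprets them above

# Two of the entries Jay posted, each re-joined onto a single line.
LOG = """\
10.0.1.197, -, -, N, 3/10/2002, 20:29:12, fwsrv, -, -, -, 209.214.157.87, 1030, -, -, 0, 443, TCP, Accept, -, -, -, 0, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 20:29:12, fwsrv, -, -, -, 209.214.157.87, 1030, -, -, 0, 443, TCP, Accept, -, -, -, 20000, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 20:29:13, fwsrv, -, -, -, 209.214.157.87, 1031, -, -, 0, 443, TCP, Accept, -, -, -, 0, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 20:29:13, fwsrv, -, -, -, 209.214.157.87, 1031, -, -, 0, 443, TCP, Accept, -, -, -, 20000, -, -, -, -, -
"""

def parse(text):
    """Yield one dict per well-formed log line; blank or short lines are skipped."""
    for row in csv.reader(text.splitlines(), skipinitialspace=True):
        if len(row) <= RESULT:
            continue
        yield {"client": row[CLIENT_IP], "dst": row[DEST_IP],
               "sport": int(row[SRC_PORT]), "dport": int(row[DEST_PORT]),
               "proto": row[PROTO], "action": row[ACTION], "result": row[RESULT]}

def pair_sessions(events):
    """Match each connect (result 0) with the disconnect (result 20000) that
    shares its client/source-port/destination/destination-port/protocol tuple."""
    open_, sessions = {}, []
    for e in events:
        key = (e["client"], e["sport"], e["dst"], e["dport"], e["proto"])
        if e["result"] == CONNECT:
            open_[key] = e
        elif e["result"] == DISCONNECT and key in open_:
            sessions.append(open_.pop(key))
    return sessions, list(open_.values())  # completed sessions, connects never closed

def triage(text, sweep_threshold=3):
    """Per (client, destination): sessions to one service port read as ordinary client
    traffic; more than sweep_threshold distinct ports (a hypothetical knob) get flagged."""
    sessions, unmatched = pair_sessions(parse(text))
    stats = defaultdict(lambda: {"dports": set(), "sessions": 0})
    for s in sessions:
        st = stats[(s["client"], s["dst"])]
        st["dports"].add(s["dport"])
        st["sessions"] += 1
    verdicts = {pair: ("port-sweep-like" if len(st["dports"]) > sweep_threshold
                       else "normal client sessions") for pair, st in stats.items()}
    return verdicts, len(unmatched)
```

Run on the quoted lines, `triage(LOG)` returns `({('10.0.1.197', '209.214.157.87'): 'normal client sessions'}, 0)`: every connect has its disconnect, and the only destination port is 443.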

----- Original Message -----
From: "Jay J. Mobley" <jmobley@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, March 11, 2002 15:17
Subject: [isalist] RE: can someone interpret this log entry?


http://www.ISAserver.org


Sorry to beat this dying horse, but what do you make of this, then?

10.0.1.197, -, -, N, 3/10/2002, 20:29:12, fwsrv, -, -, -, 209.214.157.87,
1030, -, -, 0, 443, TCP, Accept, -, -, -, 0, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 20:29:12, fwsrv, -, -, -, 209.214.157.87,
1030, -, -, 0, 443, TCP, Accept, -, -, -, 20000, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 20:29:13, fwsrv, -, -, -, 209.214.157.87,
1031, -, -, 0, 443, TCP, Accept, -, -, -, 0, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 20:29:13, fwsrv, -, -, -, 209.214.157.87,
1031, -, -, 0, 443, TCP, Accept, -, -, -, 20000, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 20:29:13, fwsrv, -, -, -, 209.214.157.87,
1032, -, -, 0, 443, TCP, Accept, -, -, -, 0, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 20:29:13, fwsrv, -, -, -, 209.214.157.87,
1032, -, -, 0, 443, TCP, Accept, -, -, -, 20000, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 20:29:14, fwsrv, -, -, -, 209.214.157.87,
1033, -, -, 0, 443, TCP, Accept, -, -, -, 0, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 20:29:14, fwsrv, -, -, -, 209.214.157.87,
1033, -, -, 0, 443, TCP, Accept, -, -, -, 20000, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 20:29:15, fwsrv, -, -, -, 209.214.157.87,
1034, -, -, 0, 443, TCP, Accept, -, -, -, 0, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 20:29:15, fwsrv, -, -, -, 209.214.157.87,
1034, -, -, 0, 443, TCP, Accept, -, -, -, 20000, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 20:29:16, fwsrv, -, -, -, 209.214.157.87,
1035, -, -, 0, 443, TCP, Accept, -, -, -, 0, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 20:29:16, fwsrv, -, -, -, 209.214.157.87,
1035, -, -, 0, 443, TCP, Accept, -, -, -, 20000, -, -, -, -, -

-----Original Message-----
From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Monday, March 11, 2002 3:05 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: can someone interpret this log entry?

Hi Jay,

Good point. The "Accept" indicates that it's an incoming request. If you
turn on Rule#1 and Rule#2, it'll make it a lot easier to analyze the
logs.

HTH,
Tom

-----Original Message-----
From: Jay J. Mobley [mailto:jmobley@xxxxxxxxxx]
Sent: Monday, March 11, 2002 4:41 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: can someone interpret this log entry?

Tom,


So is there any way to tell if this is an SSL request being made by the
internal server, or is this server responding to SSL requests?

-Jay

-----Original Message-----
From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Monday, March 11, 2002 2:30 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: can someone interpret this log entry?

Hi Jay,

How is connecting to SSL port 443 considered a port scan?

Thanks!

Tom

-----Original Message-----
From: Jay J. Mobley [mailto:jmobley@xxxxxxxxxx]
Sent: Monday, March 11, 2002 4:24 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] can someone interpret this log entry?

So I got a message from our ISP today telling me that my server is
hacked because they got a complaint from a user who said I am scanning
his ports. Inferring from the time of day, and the ports that he said
were scanned, I must assume the below are the firewall entries that
correspond to this event, but before I go back to my ISP with what looks
to me like routine HTTPS traffic I want to submit to y'all to see if you
agree.

10.0.1.197, -, -, N, 3/10/2002, 19:21:30, fwsrv, -, -, -,
207.225.29.119, 1509, -, -, 0, 443, TCP, Accept, -, -, -, 20000, -, -,
-, -, -

10.0.1.197, -, -, N, 3/10/2002, 19:21:31, fwsrv, -, -, -,
207.225.29.119, 1510, -, -, 0, 443, TCP, Accept, -, -, -, 0, -, -, -, -,
-

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')