443 port monitoring

Unanswered Question
Jun 24th, 2007

Hi,

How can I monitor any outgoing connection to the internet on the Ethernet interface using port 443?

I have router 1841.

Please help

I did the following rule

access-list 106 permit tcp any eq 443 any established log

then on the proper interface

ip access-group 106 out

Richard Burts Sun, 06/24/2007 - 17:40

Barry

Your access list as posted should write to syslog a log message for all data packets whose source port is TCP 443. If that is your objective then this should work. But I question whether this is really the optimum way to do it. For one thing this will not record the beginning of the TCP 3-way handshake, but will record all of the data packets in the data stream with an individual log record of each packet. I would suggest that a more efficient way to identify that traffic occurred without the volume of log records would be like this:

access-list 106 permit tcp any eq 443 any established

access-list 106 permit tcp any eq 443 any log

this will permit the data traffic without creating log records for each packet and will create a log record for the beginning of the TCP session.

I would also suggest that you might be more interested in outbound traffic where the destination port was 443. Adding these lines to the access list would do this:

access-list 106 permit tcp any any eq 443 established

access-list 106 permit tcp any any eq 443 log

this will permit data traffic to destination port TCP 443 without log records for each data packet and will permit establishment of the TCP session and log the event.

HTH

Rick

barry-goldberg Sun, 06/24/2007 - 19:09

Hi Rick,

Thank you very much for your prompt response.

You said that this should write the message into syslog, but how can I make sure the event is recorded under the sh log command as well?

The thing is that I don't have a reliable syslog server yet.

Thanks again

Pavel Bykov Mon, 06/25/2007 - 00:39

You should issue the "logging buffered 256000 6" command. This will log up to 256 KB of log messages into the router buffer. You can increase the size of the log if you have enough memory, e.g. 512000 for 512 KB.

Access List log is Level 6 - Informational, that's why you should enter 6 at the end of command.

But beware not to make your log useless by having too much access list data in there.

Richard Burts Mon, 06/25/2007 - 02:18

Barry

Pavlo is pointing you in the right direction. The access list will write records into syslog. It then becomes a question of which destinations you send syslog to. You can send syslog to one or several destinations (and there is not any destination to which you are required to send syslog). So if you do not have a reliable syslog server do not activate syslog to a remote host. You would want to send syslog to the logging buffer as Pavlo suggests (and you probably want to make the logging buffer larger than the default 4K). You could also send syslog to the console or to terminal monitor. But your request to see it with show log would be looking at logging buffered.

HTH

Rick
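As an added example, not from the thread: once the `log` keyword is on the ACL and `logging buffered` is enabled, `show logging` fills with `%SEC-6-IPACCESSLOGP` records. This small Python script parses those records and counts distinct outbound HTTPS sessions per inside host, which is the question the thread is really about; the sample log lines and addresses below are constructed, not a real capture.

```python
import re
from collections import defaultdict

# Constructed sample of 'show logging' output on a router running
# list 106 with the 'log' keyword (addresses and timestamps are made up).
SAMPLE_LOG = """\
*Jun 24 17:41:02.123: %SEC-6-IPACCESSLOGP: list 106 permitted tcp 192.168.1.20(51234) -> 203.0.113.10(443), 1 packet
*Jun 24 17:41:09.456: %SEC-6-IPACCESSLOGP: list 106 permitted tcp 192.168.1.31(51240) -> 198.51.100.5(443), 1 packet
*Jun 24 17:46:02.789: %SEC-6-IPACCESSLOGP: list 106 permitted tcp 192.168.1.20(51234) -> 203.0.113.10(443), 143 packets
*Jun 24 17:47:15.000: %SEC-6-IPACCESSLOGP: list 106 permitted tcp 192.168.1.20(51300) -> 203.0.113.22(443), 1 packet
*Jun 24 17:48:00.000: %SYS-5-CONFIG_I: Configured from console by console
"""

# Shape of an IOS ACL log record:
# %SEC-6-IPACCESSLOGP: list <acl> permitted|denied <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<pkts>\d+) packet"
)

def parse_acl_records(text):
    """Return one dict per IPACCESSLOGP line; other syslog lines are ignored."""
    records = []
    for line in text.splitlines():
        m = ACL_LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            for key in ("sport", "dport", "pkts"):
                rec[key] = int(rec[key])
            records.append(rec)
    return records

def https_sessions_by_source(text, acl="106", dport=443):
    """Count distinct TCP flows to dport per source host.
    IOS logs the first matching packet of a flow at once and then a summary
    record with a packet count at intervals, so the same flow can appear more
    than once; de-duplicating on (sport, dst) yields the number of sessions."""
    flows = defaultdict(set)
    for r in parse_acl_records(text):
        if (r["acl"] == acl and r["action"] == "permitted"
                and r["proto"] == "tcp" and r["dport"] == dport):
            flows[r["src"]].add((r["sport"], r["dst"]))
    return {src: len(f) for src, f in flows.items()}

def logged_packets(text, acl="106", dport=443):
    """Total packets the summary records attribute to port-dport traffic."""
    return sum(r["pkts"] for r in parse_acl_records(text)
               if r["acl"] == acl and r["dport"] == dport)

if __name__ == "__main__":
    for src, n in sorted(https_sessions_by_source(SAMPLE_LOG).items()):
        print(f"{src}: {n} outbound HTTPS session(s)")
    print("packets logged:", logged_packets(SAMPLE_LOG))
```

Paste the real `show logging` output in place of SAMPLE_LOG; the regex only keys on the record body, so the timestamp prefix format does not matter.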
