I need to review and analyze connections which are maintained over a certain time period. I cannot get this in a legible format from the PIX/ASA directly during the activity with scalability, so the best I think I can do is look at it after the fact.
So what I have are the teardown messages from the PIX/ASA products in our MARS appliance.
Messages which have this info are like these 302016 and 302014.
May 29 2009 10:43:37: %PIX-6-302014: Teardown TCP connection 543470 for outside:184.108.40.206/3136 to inside:220.127.116.11/80 duration 0:02:04 bytes 1121 TCP FINs
May 29 2009 10:43:33: %PIX-6-302016: Teardown UDP connection 543463 for outside:18.104.22.168/1079 to inside:22.214.171.124/80 duration 0:02:01 bytes 454
Note: Addresses and/or ports listed above may have been changed.
Sometimes we have TCP and UDP connections which last for days. I have no real good way to report on the lengthy ones. Yet.
Can MARS analyze the PIX/ASA 302016 and 302014 messages for values after the âdurationâ string which may be greater than say 10 hours and create an event, another event for durations greater than say 5 days? Can some be created into low incidents?
If so, can you give me the keywords necessary to look this up in the MARS manuals myself? Also, I am not a coder/scripter and if good regex ability is needed, if you know of a good self help tutorial on the web you can refer me to, that would be good as well.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
[toc:faq]Introduction:This document describes details on how NAT-T
works.Background:ESP encrypts all critical information, encapsulating
the entire inner TCP/UDP datagram within an ESP header. ESP is an IP
protocol in the same sense that TCP and UDP are I...