392 Views | 0 Helpful | 3 Replies

excessive smb deny logs in webhosting environment

fter
Level 1

We've deployed two pixes in a failover configuration and placed them in front of a farm of webservers. The servers generate some 20 Mbit of traffic at peak times, many different sites are hosted in this webfarm.

Pretty much all traffic that is allowed to go the farm of servers is port 80 traffic, with a number of exceptions. This works well.

Ever since the installation, we're seeing - a lot of - log messages like the following in our syslog (anonymized for privacy of end users):

Jun 4 13:01:16 inside.fw1.xxxxxxxx.net %PIX-4-106023: Deny udp src outside:xxx.xxx.95.103/137 dst inside:xxx/137 by access-group "acl-outside"

Jun 4 13:01:17 inside.fw1.xxxxxxxx.net %PIX-4-106023: Deny udp src outside:xxx.xxx.107.104/137 dst inside:xxx/137 by access-group "acl-outside"

We see approximately 3 of these messages every five seconds from totally random sources, and we have seen them for months and months.

Obviously it is 'a good thing'(tm) that the PIXes are blocking this traffic. I'm still not too sure what is causing these messages. Possibly some web browser implementations send a NetBIOS packet before opening an HTTP connection or so... It would be nice if someone could comment on the cause.

Next question: is it possible to not log specific types of denied traffic?

Many thanks for your help.

Frans

3 Replies

rsnider
Level 1

PIX-4-106023 means "An IP packet was denied by the access-list acl_outside."

"Change permission of access-list if a permit policy is desired. If the messages persist from the same source address, messages could indicate a foot printing or port scanning attempt. Contact the remote host administrator".

You can use the "no logging message 106023" command to suppress the above message (not advisable) or replace the number with one you like. You can input many.

You can download the Cisco PIX System Log Messages list from:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/syslog/
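The reply above advises against suppressing 106023 on the PIX itself, and the original question asks for a way to drop only the udp/137 lines. One defender-side option is to keep the firewall logging everything and do the filtering and triage at the syslog collector. The following is an added example written for this thread, not code from Cisco or from either poster: it parses 106023 deny lines in the format quoted above, drops the udp/137 NetBIOS name-service noise before forwarding, and applies the rule from the Cisco message description (repeated denies from the same source deserve a look) by flagging sources that hit several distinct destination ports. The sample log lines are constructed; the addresses use RFC 5737 documentation ranges and the hostname is a placeholder.

```python
import re
from collections import defaultdict

# Pattern for the %PIX-4-106023 deny line as quoted in the thread. Octets are
# matched loosely ([\w.]+) so anonymized "xxx.xxx.95.103" style addresses parse too.
PIX_106023 = re.compile(
    r"%PIX-4-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src>[\w.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\w.]+)/(?P<dport>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample syslog excerpt (placeholder addresses and hostname):
# two udp/137 denies like the thread's, one source probing three ports,
# and one unrelated 302013 connection message that must pass through untouched.
SAMPLE_LOG = """\
Jun 4 13:01:16 inside.fw1.example.net %PIX-4-106023: Deny udp src outside:203.0.113.103/137 dst inside:192.0.2.10/137 by access-group "acl-outside"
Jun 4 13:01:17 inside.fw1.example.net %PIX-4-106023: Deny udp src outside:203.0.113.104/137 dst inside:192.0.2.10/137 by access-group "acl-outside"
Jun 4 13:01:19 inside.fw1.example.net %PIX-4-106023: Deny tcp src outside:198.51.100.7/40001 dst inside:192.0.2.10/22 by access-group "acl-outside"
Jun 4 13:01:20 inside.fw1.example.net %PIX-4-106023: Deny tcp src outside:198.51.100.7/40002 dst inside:192.0.2.10/23 by access-group "acl-outside"
Jun 4 13:01:21 inside.fw1.example.net %PIX-4-106023: Deny tcp src outside:198.51.100.7/40003 dst inside:192.0.2.10/3389 by access-group "acl-outside"
Jun 4 13:01:22 inside.fw1.example.net %PIX-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.9/5555 (198.51.100.9/5555) to inside:192.0.2.10/80 (192.0.2.10/80)
"""


def parse_denies(lines):
    """Yield one dict per 106023 deny line; any other message is skipped."""
    for line in lines:
        m = PIX_106023.search(line)
        if m:
            d = m.groupdict()
            d["sport"] = int(d["sport"])
            d["dport"] = int(d["dport"])
            yield d


def is_netbios_noise(deny):
    """udp to port 137 is NetBIOS name-service chatter: the thread's case."""
    return deny["proto"] == "udp" and deny["dport"] == 137


def filter_noise(lines):
    """Collector-side filter: drop only udp/137 denies, forward everything else verbatim."""
    kept = []
    for line in lines:
        m = PIX_106023.search(line)
        if m and m.group("proto") == "udp" and int(m.group("dport")) == 137:
            continue
        kept.append(line)
    return kept


def suspicious_sources(denies, min_distinct_ports=3):
    """Flag sources whose denies (NetBIOS noise excluded) span several
    destination ports, the 'messages persist from the same source' case."""
    ports = defaultdict(set)
    for d in denies:
        if not is_netbios_noise(d):
            ports[d["src"]].add(d["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_distinct_ports}


def summarize(text):
    """Run the parser, the noise filter and the triage over a syslog excerpt."""
    lines = text.splitlines()
    denies = list(parse_denies(lines))
    return {
        "denies": len(denies),
        "netbios_noise": sum(1 for d in denies if is_netbios_noise(d)),
        "kept_lines": len(filter_noise(lines)),
        "suspicious": suspicious_sources(denies),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Doing the filtering here rather than with "no logging message 106023" keeps every other 106023 deny in the log, so the one-source-many-ports pattern remains visible while the random udp/137 background from many sources is counted and discarded.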

I'm not intending to disable logging of the 106023 message completely. I was just hoping to be able to disable any udp port 137 logs, or to discover the cause of the udp port 137 messages... this cannot be an attack as the messages keep coming in continually from random sources ever since the installation.

I'm assuming that some version of some web browser does a netbios connect before it tries to request a webpage, but I just can't get my hands on it. I'll be installing v6.2 in an upcoming maintenance window and hope to be able to use the new 'tcpdump' feature to find out what is in these packets...

thanks!

Frans

rsnider
Level 1

The requests to port 137 are used by netbios for name resolution. I have an application that processes syslogs and if DNS fails to resolve the host name of a remote device it will attempt to identify the host using netbios.

As far as I know you can only suppress logging by message number.

Ron
