Forgive me if this was already sent, I had problems with the list.
> Hello,
>
> We have recently been seeing strange traffic in our firewall (Cisco PIX)
> logs. It appears from the logs that we are sending out small packets to
> another site to port 25, and they are then attempting to respond but are
> being denied. However, we're not aware as to why the web server would be
> sending out this mail, or why the other machine would try to respond. Is
> this indicative of any sort of attack, or am I just seeing the normal
> processing of mail, just a lot more of it? Below is a snippet of the log;
> any help would be greatly appreciated. The lines below are often repeated
> thousands of times in the logs.
>
> 7/16/00,9:44:26 PM,216.34.96.81,firewall,LOCAL4,INFO,Jul 16 2000 21:49:16:
> %PIX-6-302001: Built outbound TCP connection 12640410 for faddr
> 128.11.68.140/25 gaddr 216.34.96.83/46600 laddr 12.13.15.230/32467
> 7/16/00,9:44:26 PM,216.34.96.81,firewall,LOCAL4,INFO,Jul 16 2000 21:49:16:
> %PIX-6-302002: Teardown TCP connection 12640409 faddr 128.11.68.140/25
> gaddr 216.34.96.83/46599 laddr 12.13.15.230/32466 duration 0:00:01 bytes
> 67 (TCP Reset-O)
> 7/16/00,9:44:26 PM,216.34.96.81,firewall,LOCAL4,INFO,Jul 16 2000 21:49:16:
> %PIX-6-302001: Built outbound TCP connection 12640411 for faddr
> 128.11.68.140/25 gaddr 216.34.96.83/46601 laddr 12.13.15.230/32468
> 7/16/00,9:44:26 PM,216.34.96.81,firewall,LOCAL4,INFO,Jul 16 2000 21:49:16:
> %PIX-6-302002: Teardown TCP connection 12640410 faddr 128.11.68.140/25
> gaddr 216.34.96.83/46600 laddr 12.13.15.230/32467 duration 0:00:01 bytes
> 67 (TCP Reset-O)
> 7/16/00,9:44:26 PM,216.34.96.81,firewall,LOCAL4,INFO,Jul 16 2000 21:49:16:
> %PIX-6-106015: Deny TCP (no connection) from 128.11.68.140/25 to
> 12.13.15.230/32467 flags RST on interface outside
> 7/16/00,9:44:26 PM,216.34.96.81,firewall,LOCAL4,INFO,Jul 16 2000 21:49:16:
> %PIX-6-302001: Built outbound TCP connection 12640412 for faddr
> 128.11.68.140/25 gaddr 216.34.96.83/46602 laddr 12.13.15.230/32469
> 7/16/00,9:44:26 PM,216.34.96.81,firewall,LOCAL4,INFO,Jul 16 2000 21:49:17:
> %PIX-6-302002: Teardown TCP connection 12640411 faddr 128.11.68.140/25
> gaddr 216.34.96.83/46601 laddr 12.13.15.230/32468 duration 0:00:01 bytes
> 67 (TCP Reset-O)
> 7/16/00,9:44:26 PM,216.34.96.81,firewall,LOCAL4,INFO,Jul 16 2000 21:49:17:
> %PIX-6-106015: Deny TCP (no connection) from 128.11.68.140/25 to
> 12.13.15.230/32468 flags RST on interface outside
> 7/16/00,9:44:26 PM,216.34.96.81,firewall,LOCAL4,INFO,Jul 16 2000 21:49:17:
> %PIX-6-106015: Deny TCP (no connection) from 128.11.68.140/25 to
> 12.13.15.230/32468 flags RST on interface outside
> 7/16/00,9:44:26 PM,216.34.96.81,firewall,LOCAL4,INFO,Jul 16 2000 21:49:17:
> %PIX-6-302001: Built outbound TCP connection 12640413 for faddr
> 128.11.68.140/25 gaddr 216.34.96.83/46603 laddr 12.13.15.230/32470
> 7/16/00,9:44:26 PM,216.34.96.81,firewall,LOCAL4,INFO,Jul 16 2000 21:49:17:
> %PIX-6-302002: Teardown TCP connection 12640412 faddr 128.11.68.140/25
> gaddr 216.34.96.83/46602 laddr 12.13.15.230/32469 duration 0:00:01 bytes
> 67 (TCP Reset-O)
>
>
> Thanks for your help.
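
One way to triage a log like the one quoted above, as an added example that is not part of the original post: it parses the three PIX message types shown, groups them per connection ID, and attaches each "no connection" deny to the already torn-down connection with the same foreign/local address pair. The sample records are taken from the post with wrapped lines rejoined and the collector prefix dropped; the function names are illustrative.

```python
import re

# Records from the post above (connections 12640410 and 12640411), in log order.
SAMPLE = """\
%PIX-6-302001: Built outbound TCP connection 12640410 for faddr 128.11.68.140/25 gaddr 216.34.96.83/46600 laddr 12.13.15.230/32467
%PIX-6-302001: Built outbound TCP connection 12640411 for faddr 128.11.68.140/25 gaddr 216.34.96.83/46601 laddr 12.13.15.230/32468
%PIX-6-302002: Teardown TCP connection 12640410 faddr 128.11.68.140/25 gaddr 216.34.96.83/46600 laddr 12.13.15.230/32467 duration 0:00:01 bytes 67 (TCP Reset-O)
%PIX-6-106015: Deny TCP (no connection) from 128.11.68.140/25 to 12.13.15.230/32467 flags RST on interface outside
%PIX-6-302002: Teardown TCP connection 12640411 faddr 128.11.68.140/25 gaddr 216.34.96.83/46601 laddr 12.13.15.230/32468 duration 0:00:01 bytes 67 (TCP Reset-O)
%PIX-6-106015: Deny TCP (no connection) from 128.11.68.140/25 to 12.13.15.230/32468 flags RST on interface outside
%PIX-6-106015: Deny TCP (no connection) from 128.11.68.140/25 to 12.13.15.230/32468 flags RST on interface outside
"""

BUILT = re.compile(r"302001: Built \w+ TCP connection (\d+) for faddr (\S+) gaddr (\S+) laddr (\S+)")
TEARDOWN = re.compile(r"302002: Teardown TCP connection (\d+) faddr (\S+) gaddr (\S+) laddr (\S+)"
                      r" duration (\S+) bytes (\d+) \((.+?)\)")
DENY = re.compile(r"106015: Deny TCP \(no connection\) from (\S+) to (\S+) flags (.+?) on interface")

def summarize(text):
    """Return (connections by ID, denies that match no torn-down connection)."""
    conns, closed, unmatched = {}, {}, []
    for line in text.splitlines():
        if m := BUILT.search(line):
            cid, faddr, gaddr, laddr = m.groups()
            conns[cid] = {"faddr": faddr, "gaddr": gaddr, "laddr": laddr, "denies": 0}
        elif m := TEARDOWN.search(line):
            cid, faddr, gaddr, laddr, duration, nbytes, reason = m.groups()
            # The Built record may have scrolled out of the snippet; create it if so.
            c = conns.setdefault(cid, {"faddr": faddr, "gaddr": gaddr, "laddr": laddr, "denies": 0})
            c.update(duration=duration, bytes=int(nbytes), reason=reason)
            closed[(faddr, laddr)] = cid  # remember which pair was just closed
        elif m := DENY.search(line):
            src, dst, flags = m.groups()
            cid = closed.get((src, dst))
            if cid:
                conns[cid]["denies"] += 1  # packet arrived after the teardown
            else:
                unmatched.append((src, dst, flags))
    return conns, unmatched

def per_destination(conns):
    """Connection count and total bytes per foreign address/port."""
    totals = {}
    for c in conns.values():
        n, b = totals.get(c["faddr"], (0, 0))
        totals[c["faddr"]] = (n + 1, b + c.get("bytes", 0))
    return totals

if __name__ == "__main__":
    connections, leftover = summarize(SAMPLE)
    print(per_destination(connections), leftover)
```
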