David Ishmael wrote:
<snip>
> ports that were not opened on the PIX. Assuming this functionality
> isn't there, I was hoping that the PIX would at the very least send a
> syslog message stating that a port scan had been done for logging purposes.
>
> - Dave
>
<snip>
I've done a bit of playing with nmap & a PIX. The PIX is v6.1(1) & is
set up to allow only TCP 80 to a test host.
I'm scanning port 80 & 81 to see which nmap switches will produce
results & see what the PIX will log.
Scanning with:
root@bog# nmap -sS -T 5 -p80-81 134.x.x.1
Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )
Interesting ports on target.host (134.x.x.1):
Port State Service
80/tcp open http
81/tcp filtered hosts2-ns
Shows correct status & generates syslog logs like:
...%PIX-4-106023: Deny tcp src outside:<attacker>/23177 dst
inside:134.x.x.1/81 by access-group "INBOUND"
Scanning with:
root@bog# nmap -sF -T 5 -p80-81 134.x.x.1
Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )
Interesting ports on target.host (134.x.x.1):
Port State Service
80/tcp open http
81/tcp open hosts2-ns
Shows both open & generates syslogs of:
...%PIX-4-400028: IDS:3042 TCP FIN only flags from <attacker> to
134.x.x.1 on interface outside
...%PIX-6-106015: Deny TCP (no connection) from <attacker>/43814 to
134.x.x.1/81 flags FIN on interface outside
Tcpdump on the NMAP host shows that no packets have been returned to NMAP,
yet NMAP concludes that the ports are open. Nmap generates a false positive?
Scanning with:
root@bog# nmap -sN -T 5 -p80-81 134.x.x.1
Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )
Interesting ports on target.host (134.x.x.1):
Port State Service
80/tcp open http
81/tcp open hosts2-ns
Generates syslogs of:
...%PIX-4-400026: IDS:3040 TCP NULL flags from <attacker> to 134.x.x.1
on interface outside
...%PIX-6-106015: Deny TCP (no connection) from <attacker>/55006 to
134.x.x.1/81 flags on interface outside
And incorrectly shows both ports open in NMAP. Again, no packets were
returned to the NMAP host.
Scanning with:
root@bog# nmap -sX -T 5 -p80-81 134.x.x.1
Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )
Interesting ports on target.host (134.x.x.1):
Port State Service
80/tcp open http
81/tcp open hosts2-ns
Generates:
...%PIX-6-106015: Deny TCP (no connection) from <attacker>/51748 to
134.x.x.1/80 flags FIN PSH URG on interface outside
This is again a false positive from NMAP.
It looks to me like the PIX is logging as it should.
--
-----------------------------------------
Michael Janke
Director, Network Services
Minnesota State Colleges and Universities
-----------------------------------------
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
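As an added example (not code from the post, Cisco or nmap), a small Python parser over constructed PIX syslog lines in the shapes quoted above, grouping them per source so the FIN/NULL/Xmas probes show up as stealth-scan indicators (400026/400028/106015) rather than the plain ACL deny (106023) the SYN scan produced; the exact field layout beyond what the post quotes, and the sample addresses, are assumptions.

```python
import re
from collections import defaultdict
# Message IDs from the post: 106023 is a plain ACL deny (the SYN scan's trace);
# the other three appeared only for the FIN, NULL and Xmas scans.
STEALTH_IDS = {"400026": "NULL scan (IDS:3040)", "400028": "FIN-only scan (IDS:3042)",
               "106015": "TCP with no connection"}
HOST = r"(?:[\d.]+|<[^>]+>)"  # dotted IP or a placeholder like <attacker>
PATTERNS = {  # one regex per message shape quoted in the post; flags may be empty
    "106023": re.compile(r"%PIX-4-106023: Deny tcp src \w+:(?P<src>" + HOST +
                         r")/\d+ dst \w+:(?P<dst>" + HOST + r")/(?P<port>\d+)"),
    "106015": re.compile(r"%PIX-6-106015: Deny TCP \(no connection\) from (?P<src>" + HOST +
                         r")/\d+ to (?P<dst>" + HOST + r")/(?P<port>\d+) flags(?P<flags>(?: [A-Z]+)*) on"),
    "400026": re.compile(r"%PIX-4-400026: IDS:3040 TCP NULL flags from (?P<src>" + HOST + r") to (?P<dst>" + HOST + ")"),
    "400028": re.compile(r"%PIX-4-400028: IDS:3042 TCP FIN only flags from (?P<src>" + HOST + r") to (?P<dst>" + HOST + ")"),
}

def parse_line(line):
    """Return id/src/dst/port/flags for a known PIX message, or None for anything else."""
    for msg_id, pat in PATTERNS.items():
        m = pat.search(line)
        if m:
            d = m.groupdict()
            return {"id": msg_id, "src": d["src"], "dst": d["dst"],
                    "port": int(d["port"]) if d.get("port") else None,
                    "flags": tuple(d["flags"].split()) if d.get("flags") is not None else ()}
    return None

def summarize(lines):
    """Per source host: ACL deny count, stealth-scan indicators seen, ports touched."""
    per_src = defaultdict(lambda: {"acl_denies": 0, "stealth": set(), "ports": set()})
    for rec in filter(None, map(parse_line, lines)):
        entry = per_src[rec["src"]]
        if rec["port"] is not None:
            entry["ports"].add(rec["port"])
        if rec["id"] in STEALTH_IDS:
            entry["stealth"].add(STEALTH_IDS[rec["id"]])
        else:
            entry["acl_denies"] += 1
    return dict(per_src)

# Constructed sample lines mirroring the post, with RFC 5737 documentation addresses.
SAMPLE_LOGS = [
    '%PIX-4-106023: Deny tcp src outside:192.0.2.10/23177 dst inside:198.51.100.1/81 by access-group "INBOUND"',
    "%PIX-4-400028: IDS:3042 TCP FIN only flags from 192.0.2.10 to 198.51.100.1 on interface outside",
    "%PIX-6-106015: Deny TCP (no connection) from 192.0.2.10/43814 to 198.51.100.1/81 flags FIN on interface outside",
    "%PIX-4-400026: IDS:3040 TCP NULL flags from 192.0.2.10 to 198.51.100.1 on interface outside",
    "%PIX-6-106015: Deny TCP (no connection) from 192.0.2.10/55006 to 198.51.100.1/81 flags on interface outside",
    "%PIX-6-106015: Deny TCP (no connection) from 192.0.2.10/51748 to 198.51.100.1/80 flags FIN PSH URG on interface outside",
]
```

Running `summarize(SAMPLE_LOGS)` yields one source with one ACL deny, all three stealth indicators, and ports 80 and 81 touched, which is the pattern the post's logs show for the FIN, NULL and Xmas runs.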