Cisco Secure PIX Firewall Syslog Event Baseline

The following syslog events constitute a good baseline of events that should be monitored and paid attention to in most environments. In essence, this list is here to answer the question: What specific events should I look for? It is not meant to be an exhaustive list of all syslog message IDs, or the only message IDs that you should be filtering for.

You can use this information to help build filtering rules for your particular logging software; for example, identify the messages that administrators should get a page or e-mail notification over (for instance, %PIX-3-201008) versus messages that can just be logged without any special notification occurring. This is done by using the message ID (for example, %PIX-3-201008) in your logging software's filter strings.

In general, every time Cisco releases a new version of software, syslog events are added to or deleted from the set of events. Therefore, your particular version of software may or may not include all of these events, or may include events that are not listed here.

Obviously, not all events are relevant for all environments, but this list provides a sound starting point of events to be on the lookout for, from which you can further customize to meet the logging requirements in your environment. This list can be easily modified to cover both the Cisco Adaptive Security Appliance (ASA) and the Firewall Services Module (FWSM) by just replacing the %PIX syntax with either %ASA or %FWSM, respectively (in fact, the log messages below use %PIX|ASA to mean that either %PIX or %ASA can be used).

• All severity level 1 messages (use the string %PIX|ASA-1 for the filter)

• %PIX|ASA-2-106016: Deny IP spoof from (IP_address) to IP_address on interface interface_name

• %PIX|ASA-2-106017: Deny IP due to Land Attack from IP_address to IP_address

• %PIX|ASA-2-106018: ICMP packet type ICMP_type denied by outbound list acl_ID src inside_address dest outside_address

• %PIX|ASA-2-106020: Deny IP teardrop fragment (size = number, offset = number) from IP_address

• %PIX|ASA-2-201003: Embryonic limit exceeded nconns/elimit for outside_address/outside_port (global_address) inside_address/inside_port on interface interface_name

• %PIX|ASA-2-304007: URL Server IP_address not responding, ENTERING ALLOW mode.

• %PIX|ASA-3-316001: Denied new tunnel to IP_address. VPN peer limit (platform_vpn_peer_limit) exceeded

• %PIX|ASA-3-201002: Too many TCP connections on {static|xlate} global_address! econns/elimit

• %PIX|ASA-3-201004: Too many UDP connections on {static|xlate} global_address! udp connections/limit

• %PIX|ASA-3-201008: The PIX is disallowing new connections.

• %PIX|ASA-3-201009: TCP connection limit of number for host IP_address on interface_name

• %PIX|ASA-3-202001: Out of address translation slots!

• %PIX|ASA-3-211001: Memory allocation error

• %PIX|ASA-3-211003: CPU utilization for number seconds = percent

• %PIX|ASA-3-304003: URL Server IP_address timed out URL url

• %PIX|ASA-3-304006: URL Server IP_address not responding

• %PIX|ASA-3-315004: Fail to establish SSH session because PIX RSA host key retrieval failed

• %PIX|ASA-3-317004: IP routing table limit warning

• %PIX|ASA-3-322001: Deny MAC address MAC_address, possible spoof attempt on interface interface_name

• %PIX|ASA-3-322002: ARP inspection check failed for arp {request|response} received from MAC_address on interface interface_name. This host is advertising MAC Address MAC_address_1 for IP_address, which is {statically|dynamically} bound to MAC Address MAC_address_2.

• %PIX|ASA-3-404102: ISAKMP: Exceeded embryonic limit

• %PIX|ASA-3-407002: Embryonic limit nconns/elimit for through connections exceeded. outside_address/outside_port to global_address (inside_address)/inside_port on interface interface_name

• %PIX|ASA-3-710003: {TCP|UDP} access denied by ACL from source_address/source_port to interface_name:dest_address/service

• %PIX|ASA-4-106023: Deny protocol src [interface_name:source_address/source_port] dst interface_name:dest_address/dest_port [type {string}, code {code}] by access_group acl_ID

• %PIX|ASA-4-209003: Fragment database limit of number exceeded: src = IP_address, dest = IP_address, proto = protocol, id = number

• %PIX|ASA-4-209004: Invalid IP fragment, size = bytes exceeds maximum size = bytes: src = IP_address, dest = IP_address, proto = protocol, id = number

• %PIX|ASA-4-209005: Discard IP fragment set with more than number elements: src = IP_address, dest = IP_address, proto = protocol, id = number

• %PIX|ASA-4-401004: Shunned packet: IP_address ==> IP_address on interface interface_name

• %PIX|ASA-4-402103: identity does not match negotiated identity (ip) dest_address= dest_address, src_addr= source_address, prot= protocol, (ident) local=inside_address, remote=remote_address, local_proxy=IP_address/IP_address/port/port, remote_proxy=IP_address/IP_address/port/port

• %PIX|ASA-4-405001: Received ARP {request | response} collision from IP_address/MAC_address on interface interface_name

• %PIX|ASA-4-405002: Received mac mismatch collision from IP_address/MAC_address for host

• %PIX|ASA-4-407001: Deny traffic for local-host interface_name:inside_address, license limit exceeded

• %PIX|ASA-4-415012: internal_sig_id HTTP Deobfuscation signature detected - action HTTP deobfuscation detected IPS evasion technique from source_address to source_address

• %PIX|ASA-4-415014: internal_sig_id Maximum of 10 unanswered HTTP requests exceeded from source_address to dest_address

• %PIX|ASA-5-111001: Begin configuration: IP_address writing to device

• %PIX|ASA-5-111003: IP_address Erase configuration

• %PIX|ASA-5-111004: IP_address end configuration: {FAILED|OK}

• %PIX|ASA-5-111005: IP_address end configuration: OK

• %PIX|ASA-5-111007: Begin configuration: IP_address reading from device.

• %PIX|ASA-5-111008: User user executed the command string

• %PIX|ASA-5-199001: PIX reload command executed from Telnet (remote IP address)

• %PIX|ASA-5-199006: Orderly reload started at when by whom. Reload reason: reason

• %PIX|ASA-5-304001: User source address accessed {JAVA URL|URL} dest_address: url.

• %PIX|ASA-5-304002: Access denied URL url SRC IP_address DEST IP_address: url

• %PIX|ASA-5-415007: internal_sig_id HTTP Extension method illegal - action 'method_name' from source_address to dest_address

• %PIX|ASA-5-415008: internal_sig_id HTTP RFC method illegal - action 'method_name' from source_address to dest_address

• %PIX|ASA-5-415010: internal_sig_id HTTP protocol violation detected - action HTTP Protocol violation detected from source_address to dest_address

• %PIX|ASA-5-415013: internal_sig_id HTTP Transfer encoding violation detected - action X Transfer encoding not allowed from source_address to dest_address

• %PIX|ASA-5-500001: ActiveX content modified src IP_address dest IP_address on interface interface_name.

• %PIX|ASA-5-500002: Java content modified src IP_address dest IP_address on interface interface_name.

• %PIX|ASA-5-501101: User transitioning priv level

• %PIX|ASA-5-502101: New user added to local dbase: Uname: user Priv: privilege_level Encpass: string

• %PIX|ASA-5-502102: User deleted from local dbase: Uname: user Priv: privilege_level Encpass: string

• %PIX|ASA-5-502103: User priv level changed: Uname: user From: privilege_level To: privilege_level

• %PIX|ASA-5-612001: Auto Update succeeded: filename, version: number

• %PIX|ASA-6-109006: Authentication failed for user user from inside_address/inside_port to outside_address/outside_port on interface interface_name.

• %PIX|ASA-6-106012: Deny IP from IP_address to IP_address, IP options hex

• %PIX|ASA-6-106015: Deny TCP (no connection) from IP_address/port to IP_address/port tcp_flags on interface interface_name.

• %PIX|ASA-6-109008: Authorization denied for user user from source_address/source_port to destination_address/destination_port on interface interface_name.

• %PIX|ASA-6-109024: Authorization denied from source_address/source_port to dest_address/dest_port (not authenticated) on interface interface_name using protocol

• %PIX|ASA-6-109025: Authorization denied (acl=acl_ID) for user 'user' from source_address/source_port to dest_address/dest_port on interface interface_name using protocol

• %PIX|ASA-6-113006: User user locked out on exceeding number successive failed authentication attempts

• %PIX|ASA-6-302014: Teardown TCP connection id for interface:real-address/real-port to interface:real-address/real-port duration hh:mm:ss bytes bytes [reason] [(user)]

• %PIX|ASA-6-308001: PIX console enable password incorrect for number tries (from IP_address)

• %PIX|ASA-6-309002: Permitted manager connection from IP_address.

• %PIX|ASA-6-315011: SSH session from IP_address on interface interface_name for user user disconnected by SSH server, reason: reason

• %PIX|ASA-6-415009: internal_sig_id HTTP Header length exceeded. Received length byte - action header length exceeded from source_address to dest_address

• %PIX|ASA-6-415011: internal_sig_id HTTP URL Length exceeded. Received size byte - action URL length exceeded from source_address to dest_address

• %PIX|ASA-6-605004: Login denied from {source_address/source_port | serial} to {interface_name:dest_address/service | console} for user "user"

• %PIX|ASA-6-605005: Login permitted from {source_address/source_port | serial} to {interface_name:dest_address/service | console} for user "user"

• %PIX|ASA-6-606001: ASDM session number number from IP_address started

• %PIX|ASA-6-606002: ASDM session number number from IP_address ended

• %PIX|ASA-6-610101: Authorization failed: Cmd: command Cmdtype: command_modifier

• %PIX|ASA-6-611101: User authentication succeeded: Uname: user

• %PIX|ASA-6-611102: User authentication failed: Uname: user

• %PIX|ASA-6-611311: VPNClient: XAUTH Failed: Peer: IP_address

• %PIX|ASA-7-111009: User user executed cmd:string

• %PIX|ASA-7-304009: Ran out of buffer blocks specified by url-block command
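As an added example (not part of the original baseline document), the following Python shows how the message-ID filtering described in the introduction can be applied to the list above: it extracts the %PIX/%ASA/%FWSM message ID and severity from each syslog line, treats every severity-1 message as page-worthy, and sorts the remaining baseline IDs into "page" and "log" buckets. The split between the two buckets, the sample log lines, and the 000000 message ID are constructed assumptions for illustration.

```python
import re
from typing import Dict, List, Optional

# Matches the message ID in a PIX/ASA/FWSM syslog line, e.g. "%PIX-3-201008:".
SYSLOG_ID = re.compile(r"%(?P<platform>PIX|ASA|FWSM)-(?P<severity>[0-7])-(?P<msgid>\d{6}):")

# Which baseline IDs page an administrator versus just get recorded is a
# site decision; the split below is an assumption made for this example.
PAGE_IDS = {
    "106016", "106017", "106020",            # spoof, land, teardrop
    "201008", "202001", "211001", "211003",  # resource exhaustion
    "111003", "199001", "199006",            # config erase, reload
    "502101", "502102", "502103",            # local user database changes
    "308001", "113006",                      # enable password / lockout
}
LOG_IDS = {
    "106015", "106023", "302014", "605004", "605005",
    "111008", "611101", "611102", "710003",
}


def classify(line: str) -> Optional[str]:
    """Return 'page', 'log' or None (line is outside the baseline)."""
    m = SYSLOG_ID.search(line)
    if m is None:
        return None
    if m.group("severity") == "1":  # every severity-1 message is in the baseline
        return "page"
    msgid = m.group("msgid")
    if msgid in PAGE_IDS:
        return "page"
    if msgid in LOG_IDS:
        return "log"
    return None


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Group lines by action so a paging rule and a plain log rule can consume them."""
    buckets: Dict[str, List[str]] = {"page": [], "log": [], "ignore": []}
    for line in lines:
        buckets[classify(line) or "ignore"].append(line)
    return buckets


# Constructed sample lines; hosts, addresses and the 000000 message ID are placeholders.
SAMPLE_LINES = [
    "Jan 12 10:00:01 fw1 %PIX-3-201008: The PIX is disallowing new connections.",
    "Jan 12 10:00:02 fw1 %ASA-1-000000: constructed severity-1 message",
    'Jan 12 10:00:03 fw1 %ASA-6-605005: Login permitted from 10.0.0.5/51234 to inside:10.0.0.1/ssh for user "admin"',
    "Jan 12 10:00:04 fw1 %FWSM-5-502101: New user added to local dbase: Uname: svc_monitor Priv: 15 Encpass: ****",
    "Jan 12 10:00:05 fw1 %ASA-6-302013: Built outbound TCP connection 12 for outside:203.0.113.9/443 to inside:10.0.0.7/4321",
    "Jan 12 10:00:06 fw1 syslog-ng started",
]
```

Calling `triage(SAMPLE_LINES)` returns three page-worthy lines, one log-only line, and two lines to ignore (302013 is a routine connection-build message that is not in the baseline, and the last line carries no message ID at all).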

