Mark Minasi's Tech Forum
Jon_AK
New Friend (or an Old Friend who Built a New Account)
Posts: 71
#1
Am working to try isolating an outsider from my internal computer systems at home.  I currently use an ASA-5505 as my firewall appliance and want to pull the syslog entries as they are generated in hopes of finding the IP address of the person or persons who keep attempting to break in through my firewall.  I have tried Wireshark but the log files are so huge that it is difficult to monitor and piece out the various parts of the log it generates.

One program I have just installed and started using yesterday is a program named Syslog Watcher https://syslogwatcher.com/downloads/.  It seems to keep a fairly low size log file and, for viewing in realtime, has color settings for each different level of alert, which I found to be easier to view.  Has anyone else used this?  Is there a recommendation for getting the results I'm after?
donoli
Senior Member
Posts: 598
#2
What happened to the ASA logs? Did you enable logging? Try that first.

If that doesn't work, there are many filters that can be used with Wireshark which keep the size of the logs to a minimum. Do you know what type of attack is being used & maybe the port? Don't forget that the attacker can be using a proxy or a VPN.
wobble_wobble
Associate Troublemaker Apprentice
Posts: 883
#3
Anything that works is good.

I've used Kiwi Syslog server and Splunk on occasions when there is too much info and I would like quicker answers.

We use OMS internally to monitor infrastructure and deploy it to some customers.
I have not configured a Cisco to OMS, but had a quick look and found this - Track Cisco Logs in OMS 
Detailed info to deploy

Please let me know if you try it.

__________________
Have you tried turning it off and walking away? The next person can fix it!

New to the forum? Read this
Jon_AK
New Friend (or an Old Friend who Built a New Account)
Posts: 71
#4
Quote:
What happened to the ASA logs? Did you enable logging? Try that first.

If that doesn't work, there are many filters that can be used with Wireshark which keep the size of the logs to a minimum. Do you know what type of attack is being used & maybe the port? Don't forget that the attacker can be using a proxy or a VPN.


The ASA has logging on by default but it does not store very much... can't remember the exact amount any longer.  Watching the connection attempts scroll by happens very quickly and the only way to view is to stop the logging with Cisco's big red button (temporary of course).  As for what the traffic is, I am seeing what appears to be many attempts to gain access through ports 22 & 23 which by default are FTP ports.  I do not use nor do I have those open.  I tried Kiwi and then Syslog Watcher, and the Syslog Watcher program gave a much better review of port activity.
Jon_AK
New Friend (or an Old Friend who Built a New Account)
Posts: 71
#5
Quote:
We use OMS internally to monitor infrastructure and deploy it to some customers.
I have not configured a Cisco to OMS, but had a quick look and found this - Track Cisco Logs in OMS 
Detailed info to deploy

Please let me know if you try it.


Am looking into this, thanks for the heads up.  While the Syslog Watcher program seems to be pretty good, there is a hefty fee.
donoli
Senior Member
Posts: 598
#6
Quote:
I am seeing what appears to be many attempts to gain access through ports 22 & 23 which by default are FTP ports.


No, port 22 is SSH not FTP & port 23 is telnet, not used anymore because of vulnerabilities. SSH took its place. They aren't very good hackers if they think that telnet is still running. It sounds like they are running the same script repeatedly.

Start wireshark again & use the filter Port 22 only or SSH only, whichever wireshark accepts. That way the logs won't be the size of the Empire State Building. Finally, post the IP here.
Jon_AK
New Friend (or an Old Friend who Built a New Account)
Posts: 71
#7
Interesting...  I made the mistake of stating FTP for those ports since that was the first thing that came to my head.  21 is the port I should have stated for FTP (default port anyway), and I didn't realize the uses for 22 & 23, but on my home PC looking at the syslog file, it does appear to be a robot script.  ASA kicks it out but it is irritating.
donoli
Senior Member
Posts: 598
#8
Forget about the mistake on the ports. That's not important. It's definitely a script & an old script at that. Do you want to continue to track it? If the answer is yes, either enable logging on ASA or use the filters that I suggested on Wireshark.
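As an added example, not from the thread or from any of the tools named in it, here is a small Python script that does the "find the source IP" part of what donoli suggests in #6 and #8: feed it the ASA syslog lines (as saved by any syslog server), keep only the deny messages aimed at ports 22 and 23, and count them per source address so the repeating script stands out. The log lines and addresses are constructed for the demo; the message bodies follow the documented shape of the ASA 106023 and 106001 deny messages, and the syslog timestamp prefix is assumed to be whatever your collector writes.

```python
import re
from collections import Counter

# Constructed sample ASA syslog lines (not from the thread); bodies follow the
# documented %ASA-4-106023 / %ASA-2-106001 deny formats, RFC 5737 addresses.
SAMPLE_LOG = """\
Nov 12 03:14:07 192.168.1.1 %ASA-4-106023: Deny tcp src outside:203.0.113.45/51234 dst inside:192.168.1.10/22 by access-group "outside_access_in" [0x0, 0x0]
Nov 12 03:14:08 192.168.1.1 %ASA-4-106023: Deny tcp src outside:203.0.113.45/51235 dst inside:192.168.1.10/23 by access-group "outside_access_in" [0x0, 0x0]
Nov 12 03:14:09 192.168.1.1 %ASA-2-106001: Inbound TCP connection denied from 203.0.113.45/51236 to 198.51.100.2/22 flags SYN on interface outside
Nov 12 03:14:10 192.168.1.1 %ASA-4-106023: Deny tcp src outside:198.51.100.77/40000 dst inside:192.168.1.10/443 by access-group "outside_access_in" [0x0, 0x0]
Nov 12 03:14:11 192.168.1.1 %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.9/5555 (203.0.113.9/5555) to inside:192.168.1.20/80 (192.168.1.20/80)
Nov 12 03:14:12 192.168.1.1 %ASA-2-106001: Inbound TCP connection denied from 203.0.113.45/51237 to 198.51.100.2/23 flags SYN on interface outside
"""

# %ASA-4-106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group ...
RE_106023 = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")
# %ASA-2-106001: Inbound TCP connection denied from <ip>/<port> to <ip>/<port> ...
RE_106001 = re.compile(
    r"%ASA-\d-106001: Inbound (?P<proto>\w+) connection denied from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+)")

def parse_deny(line):
    """Return (src_ip, dst_port) for a denied-connection message, else None."""
    for rx in (RE_106023, RE_106001):
        m = rx.search(line)
        if m:
            return m.group("src"), int(m.group("dport"))
    return None

def count_denies_by_source(lines, ports=(22, 23)):
    """Count denied connection attempts per source IP, limited to the given ports."""
    counts = Counter()
    for line in lines:
        hit = parse_deny(line)
        if hit and hit[1] in ports:
            counts[hit[0]] += 1
    return counts

def repeat_offenders(counts, threshold=3):
    """Sources at or above the threshold: the candidates worth blocking or reporting."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    c = count_denies_by_source(SAMPLE_LOG.splitlines())
    for ip, n in c.most_common():
        print(f"{ip}: {n} denied attempts on 22/23")
    print("repeat offenders:", repeat_offenders(c))
```

Point it at the file your syslog server writes (`count_denies_by_source(open(path))`) and the top entry is the address to put in the ASA deny rule or the abuse report; the 302013 "Built connection" line shows that ordinary allowed traffic is ignored.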