One of the things that always annoyed me about syslog and PIX Firewalls is that I knew I wanted and needed to implement syslog, but I was never sure which messages I should really care about. I mean, do I need to worry about messages 611318 and 614002 or not? In researching the syslog section of my book I put together a list of syslog messages that I thought deserved extra attention. In my mind, these are the messages that, given a blank slate to start from, I would configure some sort of alerting mechanism for when they occur. This list is by no means exhaustive, and in your environment you may need to add or remove some of them, but it's a good place to start.
For the complete list of Cisco PIX Firewall Syslog messages check out http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63syslog/index.htm for PIX Firewall OS Version 6.3.
| Message ID | Description | Why monitor it? |
|---|---|---|
| All Severity Level 1 messages | (use the string "%PIX-1" for the filter) | These are severity level 1 (alert) messages and generally indicate some sort of critical failure |
| %PIX-2-106016 | Deny IP spoof from (IP_address) to IP_address on interface interface_name. | Indicates a potential spoof attack |
| %PIX-2-106017 | Deny IP due to Land Attack from IP_address to IP_address | Indicates a potential LAND attack |
| %PIX-2-106018 | ICMP packet type ICMP_type denied by outbound list acl_ID src inside_address dest outside_address | Indicates a potential ICMP attack (though it is prone to false positives if you are deliberately filtering ICMP with an outbound list) |
| %PIX-2-106020 | Deny IP teardrop fragment (size = number, offset = number) from IP_address to IP_address | Indicates a potential teardrop attack |
| %PIX-2-304007 | URL Server IP_address not responding, ENTERING ALLOW mode. | Indicates that your content filtering server may be down |
| %PIX-2-304009 | Ran out of buffer blocks specified by url-block command | Indicates that your content filtering may not be functioning properly due to memory starvation. Change the buffer block size by entering the url-block block block_size command. |
| %PIX-2-316001 | Denied new tunnel to IP_address. VPN peer limit (platform_vpn_peer_limit) exceeded | Indicates that you may need to upgrade your PIX or VPN licenses |
| %PIX-3-201008 | The PIX is disallowing new connections. | Indicates that the PIX is configured for TCP syslog and can't reach the syslog server. New connections through the firewall are blocked until the server is reachable again or TCP logging is disabled, so this is an availability problem as well as a logging problem. |
| %PIX-3-211001 | Memory allocation Error | Indicates a potential memory failure that requires hardware replacement |
| %PIX-3-211003 | CPU utilization for number seconds = percent | Indicates that CPU utilization has been at 100% for a number of seconds. If you see this frequently it could indicate a DoS attack or the need for a hardware replacement |
| %PIX-3-302302 | ACL = deny; no sa created | Indicates an improper IPsec configuration or an unauthorized IPsec connection attempt |
| %PIX-3-304003 | URL Server IP_address timed out URL url | Indicates that the content filtering server may not be responding |
| %PIX-3-304006 | URL Server IP_address not responding | Indicates that the content filtering server may not be responding |
| %PIX-3-315004 | Fail to establish SSH session because PIX RSA host key retrieval failed. | Indicates that the firewall host key has been lost, perhaps due to not running the command ca save all before a reboot |
| %PIX-3-710003 | {TCP|UDP} access denied by ACL from source_address/source_port to interface_name:dest_address/service | Indicates that the firewall has blocked traffic destined to the firewall itself due to an ACL. This can lead to false positives depending on how your ACLs are configured. If messages persist from the same source address, they could indicate a footprinting or port scanning attempt. Contact the remote host administrators. |
| %PIX-4-106023 | Deny protocol src [interface_name:source_address/source_port] dst interface_name:dest_address/dest_port [type {string}, code {code}] by access_group acl_ID | Indicates that the firewall has blocked traffic due to an ACL. This can lead to false positives depending on how your ACLs are configured. If messages persist from the same source address, they could indicate a footprinting or port scanning attempt. Contact the remote host administrators. |
| %PIX-4-209003 | Fragment database limit of number exceeded: src = IP_address,dest = IP_address, proto = protocol, id = number | Indicates that a denial of service attack may be underway if you see it frequently |
| %PIX-4-209004 | Invalid IP fragment, size = bytes exceeds maximum size = bytes: src = IP_address, dest = IP_address, proto = protocol, id = number | Indicates that an intrusion attempt may be underway if you see it frequently |
| %PIX-4-209005 | Discard IP fragment set with more than number elements: src = IP_address, dest = IP_address, proto = protocol, id = number | Indicates that an intrusion attempt may be underway if you see it frequently |
| %PIX-4-401004 | Shunned packet: IP_address ==> IP_address on interface interface_name | Indicates that the PIX has shunned packets due to an IDS instruction. Monitor to see if a potential attack is underway |
| %PIX-4-402103 | identity doesn't match negotiated identity (ip) dest_address= dest_address, src_addr= source_address, prot= protocol, (ident) local=inside_address, remote=remote_address, local_proxy=IP_address/IP_address/port/port, remote_proxy=IP_address/IP_address/port/port | Indicates that the IPsec policies of the two peers do not match. This could be due to a misconfiguration or an attempt to establish an unauthorized connection. |
| %PIX-4-407001 | Deny traffic for local-host interface_name:inside_address, license limit of number exceeded | Indicates that you need to upgrade your PIX Firewall license |
| %PIX-5-111001 | Begin configuration: IP_address writing to device | Indicates that someone has written the configuration. If this is during an unscheduled time period it should be investigated. |
| %PIX-5-111003 | IP_address Erase configuration | Indicates that the configuration has been erased by someone. If this is during an unscheduled time period it should be investigated. |
| %PIX-5-111004 | IP_address end configuration: {FAILED|OK} | Indicates that the configuration has been written. If it shows as failed, you should investigate for a memory problem. If this is during an unscheduled period it should be investigated |
| %PIX-5-111005 | IP_address end configuration: OK | Indicates that someone has exited the configuration mode of execution. If this is during an unscheduled time period it should be investigated. |
| %PIX-5-111007 | Begin configuration: IP_address reading from device. | Indicates that someone has entered the configuration mode of execution. If this is during an unscheduled time period it should be investigated. |
| %PIX-5-111008 | User user executed the command string | Indicates that someone has entered a command specified for accounting purposes. If this is during an unscheduled time period it should be investigated. |
| %PIX-5-199001 | PIX reload command executed from telnet (remote IP_address). | Indicates that someone issued the reload command from a Telnet session, rebooting the PIX. If this is during an unscheduled time period it should be investigated. |
| %PIX-5-304001 | user source_address Accessed {JAVA URL|URL} dest_address: url. | Indicates that a URL was accessed and permitted by the URL filtering server. This is logged for every permitted request, so it is high volume; filter on the "JAVA URL" form if you are trying to prevent Java content from being accessed, since that could signify a violation of the AUP |
| %PIX-5-304002 | Access denied URL url SRC IP_address DEST IP_address: url | Indicates that someone attempted to access a blocked URL/Website |
| %PIX-5-500001 | ActiveX content modified src IP_address dest IP_address on interface interface_name. | Indicates that the ActiveX filter modified (stripped) ActiveX content in a response, i.e. someone accessed a page containing ActiveX. |
| %PIX-5-500002 | Java content modified src IP_address dest IP_address on interface interface_name. | Indicates that the Java filter modified (stripped) Java content in a response, i.e. someone accessed a page containing a Java applet. |
| %PIX-5-501101 | User transitioning priv level | Indicates that a user has moved to a different privilege level (for example by entering enable mode) |
| %PIX-5-502101 | New user added to local dbase: Uname: user Priv: privilege_level Encpass: string | Indicates that a new local user has been added to the database. If this is during an unscheduled time period it should be investigated. Note that the message carries the encrypted password string, so protect the syslog transport and the log store accordingly. |
| %PIX-5-502102 | User deleted from local dbase: Uname: user Priv: privilege_level Encpass: string | Indicates that a local user has been deleted from the database. If this is during an unscheduled time period it should be investigated. |
| %PIX-5-502103 | User priv level changed: Uname: user From: privilege_level To: privilege_level | Indicates that the privilege of a user has changed. If this is during an unscheduled time period it should be investigated. |
| %PIX-5-612001 | Auto Update succeeded:filename, version:number | Indicates that an auto-update was successful. If this is during an unscheduled time period it should be investigated. |
| %PIX-6-109006 | Authentication failed for user user from inside_address/inside_port to outside_address/outside_port on interface interface_name. | Indicates a failed login attempt. If you see repeated failed attempts it could indicate someone is attempting a brute force password attack. |
| %PIX-6-109008 | Authorization denied for user user from source_address/source_port to destination_address/destination_port on interface interface_name. | Indicates that an authenticated user tried to reach something they are not authorized for. Repeated denials from the same user or source could indicate someone probing for access beyond their authorization. |
| %PIX-6-109009 | Authorization denied from inside_address/inside_port to outside_address/outside_port (not authenticated) on interface interface_name. | Indicates an access attempt by a host that has not authenticated. Repeated denials from the same source could indicate someone probing for a way past authentication. |
| %PIX-6-109015 | Authorization denied (acl=acl_ID) for user 'user' from source_address/source_port to dest_address/dest_port on interface interface_name | Indicates that a user was denied by a downloaded (per-user) ACL. Repeated denials from the same user could indicate someone probing for access beyond their authorization. |
| %PIX-6-308001 | PIX console enable password incorrect for number tries (from IP_address) | Indicates a failed login attempt. If you see repeated failed attempts it could indicate someone is attempting a brute force password attack. |
| %PIX-6-309002 | Permitted manager connection from IP_address. | Indicates a successful management connection. If this is unscheduled it should be investigated for cause. |
| %PIX-6-315011 | SSH session from IP_address on interface interface_name for user user disconnected by SSH server, reason: reason | Indicates that an SSH session has been ended. If this is unscheduled it should be investigated for cause. |
| %PIX-6-605004 | Login denied from {source_address/source_port | serial} to {interface_name:dest_address/service | console} for user “user” | Indicates a failed login attempt. If you see repeated failed attempts it could indicate someone is attempting a brute force password attack. |
| %PIX-6-605005 | Login permitted from {source_address/source_port | serial} to {interface_name:dest_address/service | console} for user “user” | Indicates a successful login attempt. If this is unscheduled it should be investigated for cause. |
| %PIX-6-606001 | PDM session number number from IP_address started | Indicates that a PDM session has been successfully started. If this is unscheduled it should be investigated for cause. |
| %PIX-6-606002 | PDM session number number from IP_address ended | Indicates that a PDM session has been ended. If this is unscheduled it should be investigated for cause. |
| %PIX-6-610101 | Authorization failed: Cmd: command Cmdtype: command_modifier | Indicates that someone attempted to run a command that they are not authorized to run. If you see repeated attempts it could indicate a potential attack. |
| %PIX-6-611101 | User authentication succeeded: Uname: user | Indicates a successful login attempt. If this is unscheduled it should be investigated for cause. |
| %PIX-6-611102 | User authentication failed: Uname: user | Indicates a failed login attempt. If you see repeated failed attempts it could indicate someone is attempting a brute force password attack. |
| %PIX-6-611311 | VPNClient: XAUTH Failed: Peer: IP_address | Indicates that a VPN client failed to authenticate using XAUTH authentication. If you see repeated failed attempts it could indicate someone is attempting a brute force password attack. |
| %PIX-7-111009 | User user executed cmd:string | Indicates that a user executed the specified command. If this is unscheduled it should be investigated for cause. Because this is a severity 7 (debugging) message, it is only sent if your logging level includes debugging messages. |
| %PIX-4-411002 | Line protocol on interface interface_name changed to down | Indicates that the network link failed for some reason. If this is unscheduled it should be investigated for cause. |
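To show what "configuring some sort of alerting mechanism" for this list looks like in practice, here is an added example (my own code, not from the original post or from Cisco) that triages PIX syslog lines against the table. It alerts on any severity 1 message or any single occurrence of the attack/fault IDs, records configuration and account changes for comparison against a change calendar, and aggregates the authentication-failure and ACL-deny IDs per source so that a burst of failures or a spread of denied destination ports surfaces as one brute-force or port-scan alert. The log lines in SAMPLE_LOG are constructed for illustration, the thresholds are assumptions, and the message list is trimmed to the IDs from the table.

```python
"""Triage Cisco PIX syslog lines against the watch list above.

Added example: SAMPLE_LOG is constructed for illustration and the
thresholds are assumptions, not values from the page or from Cisco.
"""
import re
from collections import Counter, defaultdict

# Message IDs from the table that warrant an alert on a single occurrence.
ALERT_ON_ONE = {
    "106016": "possible IP spoof", "106017": "possible LAND attack",
    "106020": "possible teardrop fragment", "201008": "PIX refusing new connections",
    "211001": "memory allocation error", "302302": "IPsec SA denied by ACL",
    "304007": "URL server down, allow mode", "315004": "SSH host key missing",
    "401004": "shunned packet", "402103": "IPsec identity mismatch",
}
# Configuration and account changes: alert, then compare with the change calendar.
ADMIN_CHANGE = {"111001", "111003", "111004", "111005", "111007", "111008", "111009",
                "199001", "501101", "502101", "502102", "502103", "612001"}
# Failed logins: a burst from one source suggests password guessing.
AUTH_FAIL = {"109006", "109008", "109009", "109015", "308001", "605004", "611102", "611311"}
# ACL denies: many distinct destination ports from one source looks like a port scan.
ACL_DENY = {"106023", "710003"}

PIX_RE = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<id>\d{6}):\s*(?P<text>.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DST_RE = re.compile(r"(?:dst|to) \w+:(?:\d{1,3}\.){3}\d{1,3}/(\w+)")
UNAME_RE = re.compile(r"Uname: (\S+)")


def parse_pix(line):
    """Return (severity, message_id, text) or None for a line that is not a PIX message."""
    m = PIX_RE.search(line)
    if not m:
        return None
    return int(m["sev"]), m["id"], m["text"]


def actor(text):
    """Best-effort key for who did it: first IPv4 in the message, else the Uname field."""
    m = IPV4_RE.search(text)
    if m:
        return m.group(0)
    m = UNAME_RE.search(text)
    return "user:" + m.group(1) if m else "unknown"


def analyze(lines, auth_threshold=5, scan_threshold=4):
    """Return a list of (kind, key, detail) alerts for the given syslog lines."""
    alerts = []
    auth_failures = Counter()          # source -> number of failed logins
    scan_ports = defaultdict(set)      # source -> distinct denied destination ports
    for line in lines:
        parsed = parse_pix(line)
        if parsed is None:
            continue
        sev, msg_id, text = parsed
        if sev <= 1:                   # the "%PIX-1" filter from the table
            alerts.append(("critical", msg_id, text))
        elif msg_id in ALERT_ON_ONE:
            alerts.append(("attack_or_fault", msg_id, ALERT_ON_ONE[msg_id]))
        elif msg_id in ADMIN_CHANGE:
            alerts.append(("admin_change", msg_id, text))
        elif msg_id in AUTH_FAIL:
            auth_failures[actor(text)] += 1
        elif msg_id in ACL_DENY:
            d = DST_RE.search(text)
            if d:
                scan_ports[actor(text)].add(d.group(1))
    for src, n in sorted(auth_failures.items()):
        if n >= auth_threshold:
            alerts.append(("brute_force", src, f"{n} authentication failures"))
    for src, ports in sorted(scan_ports.items()):
        if len(ports) >= scan_threshold:
            alerts.append(("port_scan", src, f"{len(ports)} distinct ports denied"))
    return alerts


# Constructed sample log: one noise line, one severity-1 message, one spoof, one config
# command, a burst of failed logins, a spread of denied ports, and two below-threshold sources.
SAMPLE_LOG = [
    "Jan 10 10:00:01 pix1 %PIX-6-302013: Built outbound TCP connection 1 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:10.1.1.5/1034 (192.0.2.1/1034)",
    "Jan 10 10:00:02 pix1 %PIX-1-105002: (Primary) Enabling failover.",
    "Jan 10 10:00:03 pix1 %PIX-2-106016: Deny IP spoof from (10.1.1.9) to 192.0.2.2 on interface outside",
    "Jan 10 10:00:04 pix1 %PIX-5-111008: User enable_15 executed the command access-list outside_in permit ip any any",
] + [
    f"Jan 10 10:00:{5 + i:02d} pix1 %PIX-6-109006: Authentication failed for user bob from 203.0.113.4/{1024 + i} to 192.0.2.10/23 on interface outside."
    for i in range(5)
] + [
    f'Jan 10 10:00:{12 + i:02d} pix1 %PIX-4-106023: Deny tcp src outside:203.0.113.50/{40000 + i} dst inside:10.1.1.20/{port} by access-group "outside_in"'
    for i, port in enumerate((21, 22, 23, 25))
] + [
    'Jan 10 10:00:20 pix1 %PIX-6-605004: Login denied from 203.0.113.9/3001 to outside:192.0.2.1/ssh for user "admin"',
    'Jan 10 10:00:21 pix1 %PIX-4-106023: Deny tcp src outside:203.0.113.60/5000 dst inside:10.1.1.20/80 by access-group "outside_in"',
]

if __name__ == "__main__":
    for kind, key, detail in analyze(SAMPLE_LOG):
        print(f"{kind:16} {key:16} {detail}")
```

The point of keying auth failures and ACL denies per source rather than alerting on each line is exactly the false-positive caveat in the table: a single 106023 is normal background noise, while four distinct denied ports from one address in a short window is worth a look. Feed it real lines with something like `analyze(open("/var/log/pix.log"))`, and tune the two thresholds to your environment.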