CISCO PIX reporting problems
I have a lot of problems with CISCO message parsing:
When I look at raw logs I can see everything getting logged correctly. I haven't made a single change to default messages and/or whatever.
As far as I know I have the newest version of enVision (4.1 patch 3 -> 4.1 build 370) and the newest event sources and VAM & signature updates.
The problem is as follows -> what is clearly logged as denied traffic with source Inside (aka outbound traffic) gets parsed as inbound, with the source address not parsing correctly: when I try to query it with the source address I know from the raw log I get no data, and when I put the source address from the raw log into the destination address field of the query, then I get the data I want.
Also, in reports I can see only denied traffic in the report "Top 20 denied inbound by address", with addresses from inside being shown as the top 20 foreign addresses denied inbound access by the PIX firewall.
"PIX - Top 20 denied outbound by address" shows no data.
How can I further troubleshoot this, report it, and/or fix the problem?
There has been further development in this. I have received an answer from SecurCare Online technical support that I have to define which networks are inside and outside in E:\nic\csd\ipaddr.tab.
So let's say now that it works halfway.
Since the good people from technical service don't reply often, maybe I will get some answers here:
Traffic from outside to inside is being recorded correctly. What does that mean? All traffic is correctly categorized as inbound, and the source address in "Top 20 denied inbound traffic by address" displays outside addresses as the outside source addresses for that denied traffic.
On the other hand, "Top 20 denied outbound traffic by address" is displayed wrong in ad-hoc reports. Why and how, you may ask? Well, the same thing happens in queries - RSA enVision, for some reason unknown to me, parses the log messages wrong in a way that an inside source address that is denied a connection to some outside destination address is actually being parsed as the destination address, and the outside destination address is being parsed as the inside source address.
So in queries, when I try to look for a specific connection I have to invert the addresses and put the inside source address in the destination address field and the outside destination address (I am talking about outbound traffic, of course) in the source address field, and then I get the result I want.
Same thing in the aforementioned report: "Top 20 outbound denied traffic by address" shows destination addresses from outside as inside source addresses that were denied connectivity to outside.
Why is this happening? How can I fix it?
Also, another issue I cannot figure out for myself. I have changed the ipaddr.tab file as mentioned at the beginning of this post. Those of you (and it really should be all of you, or you have the same issues I've had) who edited this file to configure the networks/hosts know what the file looks like and the logic behind it. My question is: if you define an inside network as inside, you say that the connections it makes are outbound. But what if it tries to communicate with some server in the DMZ? Let's say that can still be the outbound direction and not make a big deal out of it, but what of the other way around? What about networks that are in the DMZ? Most of their traffic is outbound, but what about when they try to communicate with addresses in inside? Will that traffic be categorized as outbound also?
If I understand the logic behind that file, it will. Or does it have the intelligence that if I have previously defined the network as being inside, and the DMZ is trying to communicate with an address in that inside network, RSA will recognise it as inbound traffic rather than outbound, although the note in the ipaddr.tab file for that DMZ network is, let's say: 192.168.5.0/24,DMZ,DMZ,outbound,outbound?
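The question above boils down to which rule a network table like ipaddr.tab drives: a fixed direction tag per source network, or a comparison of the zones of both endpoints. The following is an added example, not enVision's code and not the real ipaddr.tab logic; it uses a hypothetical three-column table (network, label, zone) and constructed deny lines in the shape of a PIX "Deny ... src iface:ip/port dst iface:ip/port" message, and shows how the two rules diverge on exactly the DMZ-to-inside case the post asks about.

```python
import ipaddress
import re

# Constructed table, hypothetical layout: network,label,zone.
# The real ipaddr.tab columns are not documented in the post; this is an assumption.
NETWORK_TABLE = """\
# network,label,zone
10.1.0.0/16,Inside,inside
192.168.5.0/24,DMZ,dmz
"""

# Trust ordering used by the zone-comparison rule below (assumption, not enVision's).
TRUST = {"inside": 2, "dmz": 1, "outside": 0}

# Constructed sample deny lines (not real log data).
SAMPLE_LOGS = [
    "Deny tcp src inside:10.1.2.3/51000 dst outside:203.0.113.7/80",       # inside -> outside
    "Deny tcp src outside:203.0.113.7/40000 dst inside:10.1.2.3/3389",     # outside -> inside
    "Deny tcp src dmz:192.168.5.20/44000 dst inside:10.1.2.3/1433",        # dmz -> inside
    "Deny udp src dmz:192.168.5.20/53000 dst outside:203.0.113.9/53",      # dmz -> outside
]

DENY_RE = re.compile(r"src \S+?:(?P<src>[\d.]+)/\d+ dst \S+?:(?P<dst>[\d.]+)/\d+")


def load_table(text):
    """Parse 'network,label,zone' rows; longest prefix first so specific rows win."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        net, _label, zone = [f.strip() for f in line.split(",")[:3]]
        rows.append((ipaddress.ip_network(net, strict=False), zone.lower()))
    rows.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return rows


TABLE = load_table(NETWORK_TABLE)


def zone_of(table, ip):
    """Zone of an address; anything not listed is treated as the outside world."""
    addr = ipaddress.ip_address(ip)
    for net, zone in table:
        if addr in net:
            return zone
    return "outside"


def static_direction(table, src, dst):
    """Rule 1: direction is a property of the source network alone.
    Every packet leaving a listed (non-outside) network is 'outbound',
    which is the reading of the table the post worries about."""
    return "inbound" if zone_of(table, src) == "outside" else "outbound"


def relative_direction(table, src, dst):
    """Rule 2: compare trust levels of both endpoints.
    Higher -> lower trust is outbound, lower -> higher is inbound."""
    s, d = TRUST[zone_of(table, src)], TRUST[zone_of(table, dst)]
    if s == d:
        return "intra-zone"
    return "outbound" if s > d else "inbound"


def classify(table, line):
    """Return (src, dst, rule1, rule2) for one deny line, or None if unparsable."""
    m = DENY_RE.search(line)
    if not m:
        return None
    src, dst = m["src"], m["dst"]
    return (src, dst,
            static_direction(table, src, dst),
            relative_direction(table, src, dst))


def classify_all(table=TABLE, lines=SAMPLE_LOGS):
    return [classify(table, ln) for ln in lines]


if __name__ == "__main__":
    for src, dst, rule1, rule2 in classify_all():
        flag = "" if rule1 == rule2 else "   <-- rules disagree"
        print(f"{src:>15} -> {dst:<15} static={rule1:<9} relative={rule2}{flag}")
```

Run as-is, the DMZ-to-inside line is the only one where the two rules disagree (static says outbound, zone comparison says inbound). That is the distinction to confirm with support: if the product only tags by source network, a DMZ host hitting an inside server will land in the outbound reports no matter how the inside network is defined.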