Cisco PIX Firewall CPU Rising to 95% - Page 2
CLI Guru - Cisco Training and Consulting Center

Cisco PIX Firewall CPU Rising to 95%

  1. #11
    Serhat Uslay (Guest)

    Re: Cisco PIX Firewall CPU Rising to 95%


    "Compromised" means there is a virus on the host. You can check whether
    there is abnormal traffic by looking at which subnets/hosts most of the
    interface traffic is coming from, or by sending all the traffic reaching
    the PIX to an IDS (on Windows or Linux). If this excess traffic appeared
    out of the blue, that is, without the student traffic growing much, then
    you should be suspicious.
    RIP v1 sends the routing table to its neighbours every 30 seconds. RIP v2
    sends it only if there is a change in the routing table.

    serhat


    Please respond to [email][email protected][/email]

    To: [email][email protected][/email]
    cc:
    Subject: Re: [cisco-ttl] PIX CPU rising to 95%


    I hadn't seen the address you gave; good that you sent it.
    In the show xlate section there is a note like this:

    Note: A single host can have multiple connections to various destinations,
    but only one translation. If the xlate count is much larger than the number
    of hosts on your internal network, it is possible that one of your internal
    hosts has been compromised and is spoofing its source address and sending
    packets out the PIX.

    I think the answer to the problem is here. Although I took the term
    "compromised" to mean "reaching a compromise", I couldn't work out what it
    corresponds to on the PIX. How will we find out which of the internal hosts
    is compromised and spoofing?

    Also, is it necessary to use RIP v2?

    [color=blue]
    >
    > I don't know whether you have seen this before; if not, I suggest you read it..
    >
    [/color]
    [url]http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009491c.shtml[/url]
    [color=blue]
    > Did you look at the interface traffic?
    > Also, is there a reason to run RIP v1?
    >
    > serhat
    >
    >[/color]






  2. #12
    Lutfi Tekin (Guest)

    Re: Cisco PIX Firewall CPU Rising to 95%

    Friends,
    We need someone to set up a Cisco PIX 506.
    If there is anyone who can help us with this,
    could they urgently contact me by phone or by e-mail?
    The hour doesn't matter; they can call at any time.
    Regards,

    M.Lütfi TEKİN
    Dbs Net
    Dijital Bilgi Sistemleri
    [email][email protected][/email]
    <www.dbs.net.tr>
    0(212)5202035
    0(212)5136688 Fax
    Çatalcesme Sok No 56
    Cagaloglu
    İstanbul


  3. #13
    Ali KAPTAN (Guest)

    Re: Cisco PIX Firewall CPU Rising to 95%

    0 533 472 41 13

    If you call me, I can help you.

    Good luck



  4. #14
    A.Murat BAYRAM (Guest)

    Re: Cisco PIX Firewall CPU Rising to 95%

    Hello again, everyone

    In addition to the ports our instructor Enis gave, I blocked a number of
    further ports on the core switch, separately for each VLAN, both inbound and
    outbound. (I realised this should have been done much earlier; the three-day
    output is below.) But there are still hosts on the network making a very
    large number of connections through the PIX. I pinpointed them, and when I
    ran netstat on those PCs I did indeed see them trying to make hundreds of
    random connections, with the ports varying a lot. The number of these PCs
    looks like it will keep growing.

    On the PIX, when I look at the IPs making many connections with the command
    show local-host <ip-address> detail, I see that they reach more than 900
    maximum active connections. (A sample output is below.)

    If I introduce a connection-count limit on the PIX, would it harm innocent
    users? There are "Maximum connections" and "Maximum embryonic connections".
    Embryonic connection, I think, means connections that have been started but
    are not yet established. Which of these two should I limit, both of them,
    and what value would be appropriate? Or would putting a limit in place cause
    problems?

    Another question: I want to send all traffic passing through the PIX to
    snort (or to another IDS you can recommend, if there is one). What do I
    need to tell the PIX to do this?

    Thanks
    --------------------------------

    Sample outputs:

    PixFirewall# sh local-host 10.160.0.239 detail
    Interface inside: 472 active, 952 maximum active, 0 denied
    local host: <10.160.0.239>,
    TCP connection count/limit = 9/unlimited
    TCP embryonic count = 9
    TCP intercept watermark = unlimited
    UDP connection count/limit = 2/unlimited
    AAA:
    Xlate(s):
    UDP PAT from inside:10.160.0.239/1058 to outside:193.255.143.55/42015 flags rD
    TCP PAT from inside:10.160.0.239/2453 to outside:193.255.143.55/53249 flags rD
    TCP PAT from inside:10.160.0.239/2515 to outside:193.255.143.55/53251 flags rD
    TCP PAT from inside:10.160.0.239/2726 to outside:193.255.143.55/53256 flags rD
    TCP PAT from inside:10.160.0.239/2748 to outside:193.255.143.55/53257 flags rD
    TCP PAT from inside:10.160.0.239/2979 to outside:193.255.143.55/53266 flags rD
    TCP PAT from inside:10.160.0.239/3004 to outside:193.255.143.55/53268 flags rD
    UDP PAT from inside:10.160.0.239/3171 to outside:193.255.143.55/43343 flags rD
    UDP PAT from inside:10.160.0.239/3172 to outside:193.255.143.55/43344 flags rD
    UDP PAT from inside:10.160.0.239/3173 to outside:193.255.143.55/43345 flags rD
    UDP PAT from inside:10.160.0.239/3174 to outside:193.255.143.55/43346 flags rD
    UDP PAT from inside:10.160.0.239/3175 to outside:193.255.143.55/43347 flags rD
    UDP PAT from inside:10.160.0.239/3176 to outside:193.255.143.55/43348 flags rD
    UDP PAT from inside:10.160.0.239/3177 to outside:193.255.143.55/43349 flags rD
    UDP PAT from inside:10.160.0.239/3179 to outside:193.255.143.55/43350 flags rD
    UDP PAT from inside:10.160.0.239/3180 to outside:193.255.143.55/43351 flags rD
    UDP PAT from inside:10.160.0.239/3181 to outside:193.255.143.55/43352 flags rD
    TCP PAT from inside:10.145.0.240/1360 to outside:193.255.143.59/1084 flags rD
    Conn(s):
    TCP outside:64.26.62.254/25 inside:10.160.0.239/2453 flags saA
    TCP outside:64.26.62.254/25 inside:10.160.0.239/2515 flags saA
    TCP outside:64.26.62.254/25 inside:10.160.0.239/2726 flags saA
    TCP outside:64.26.62.254/25 inside:10.160.0.239/2748 flags saA
    TCP outside:64.26.62.254/25 inside:10.160.0.239/2979 flags saA
    TCP outside:64.26.62.254/25 inside:10.160.0.239/3004 flags saA
    TCP outside:64.26.62.254/25 inside:10.160.0.239/3213 flags saA
    TCP outside:64.26.62.254/25 inside:10.160.0.239/3237 flags saA
    TCP outside:64.26.62.254/25 inside:10.160.0.239/3417 flags saA


    -------------------------
    VAN_MSFC1#sh access-lists 115
    Extended IP access list 115
    deny udp any any eq 135
    deny tcp any any eq 135 (4257 matches)
    deny tcp any any eq 445 (5254 matches)
    deny tcp any any eq 593 (1329 matches)
    deny tcp any any eq 4444 (1603 matches)
    deny tcp any any eq 1433 (7226 matches)
    deny tcp any any eq 1434 (6251 matches)
    deny tcp any any eq 1900 (4054 matches)
    deny udp any any eq 1433 (1901 matches)
    deny udp any any eq 1434 (1479 matches)
    deny udp any any eq 1900 (13904 matches)
    deny tcp any any eq 5554
    deny tcp any any eq 9996
    deny tcp any any eq 3127 (5638 matches)
    deny tcp any any eq 559 (1277 matches)
    deny tcp any any eq 1025 (3194 matches)
    deny udp any any eq 1026 (45647 matches)
    deny udp any any eq 1027 (24620 matches)
    deny tcp any any eq 2745 (10348 matches)
    deny tcp any any eq 2535 (2042 matches)
    deny tcp any any eq 5000 (268 matches)
    deny tcp any any eq 3410 (3399 matches)
    deny tcp any any eq 6129 (532 matches)
    deny tcp any any eq 65506 (16 matches)
    permit ip any any (7822160 matches)
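As an added example (not the poster's code and not a Cisco tool), here is a small Python parser for the `show local-host <ip> detail` output quoted above, with two checks that single out the behaviour the post describes: a host whose TCP connections are all still embryonic, and a workstation opening many outbound SMTP sessions. The embedded sample is the post's own output shortened; `parse_local_host`, `assess`, the `smtp_max` threshold and the `mail_relays` allow-list are assumed names and values.

```python
import re
from collections import Counter
# Sample "show local-host <ip> detail" output, shortened from the post above.
SAMPLE = """\
Interface inside: 472 active, 952 maximum active, 0 denied
local host: <10.160.0.239>,
TCP connection count/limit = 9/unlimited
TCP embryonic count = 9
UDP connection count/limit = 2/unlimited
Xlate(s):
UDP PAT from inside:10.160.0.239/1058 to outside:193.255.143.55/42015 flags rD
TCP PAT from inside:10.160.0.239/2453 to outside:193.255.143.55/53249 flags rD
Conn(s):
TCP outside:64.26.62.254/25 inside:10.160.0.239/2453 flags saA
TCP outside:64.26.62.254/25 inside:10.160.0.239/2515 flags saA
TCP outside:64.26.62.254/25 inside:10.160.0.239/2726 flags saA
"""

HOST_RE = re.compile(r"^local host: <([\d.]+)>")
COUNT_RE = re.compile(r"^(TCP|UDP) connection count/limit = (\d+)/(\S+)")
EMB_RE = re.compile(r"^TCP embryonic count = (\d+)")
XLATE_RE = re.compile(r"^(?:TCP|UDP) PAT from \S+ to \S+ flags")  # PAT form only
CONN_RE = re.compile(r"^(TCP|UDP) outside:([\d.]+)/(\d+) inside:[\d.]+/\d+ flags")


def parse_local_host(text):
    """Turn one 'show local-host ... detail' block into per-host counters."""
    stats = {"host": None, "tcp_count": 0, "tcp_limit": None, "embryonic": 0,
             "xlates": 0, "dst_ports": Counter(), "dst_hosts": set()}
    for line in text.splitlines():
        line = line.strip()
        if m := HOST_RE.match(line):
            stats["host"] = m.group(1)
        elif (m := COUNT_RE.match(line)) and m.group(1) == "TCP":
            stats["tcp_count"] = int(m.group(2))
            # "unlimited": no max_conns configured on the host's nat/static entry
            stats["tcp_limit"] = None if m.group(3) == "unlimited" else int(m.group(3))
        elif m := EMB_RE.match(line):
            stats["embryonic"] = int(m.group(1))
        elif XLATE_RE.match(line):
            stats["xlates"] += 1
        elif m := CONN_RE.match(line):
            stats["dst_ports"][(m.group(1), int(m.group(3)))] += 1
            stats["dst_hosts"].add(m.group(2))
    return stats


def assess(stats, smtp_max=3, mail_relays=()):
    """Return the reasons a host looks like a mass-mailing or scanning worm."""
    reasons = []
    tcp, emb = stats["tcp_count"], stats["embryonic"]
    # Every TCP connection still in the handshake: the host is spraying SYNs
    # at peers that never answer (the "embryonic" count the post asks about).
    if tcp and emb >= tcp:
        reasons.append(f"all {tcp} TCP connections are embryonic")
    smtp = stats["dst_ports"][("TCP", 25)]
    if smtp >= smtp_max and stats["host"] not in mail_relays:
        reasons.append(f"{smtp} outbound SMTP connections from a non-relay host")
    return reasons
```

Run it over each `show local-host` block you collect and put only the known mail relays in `mail_relays`; a workstation that trips both checks is the kind of host the post saw with netstat.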






