RE: help with log entries

  Two clues:

1. Port 110 is used by the POP3 email protocol.
2. A normal shutdown of a TCP connection is for one side to send a packet with the FIN flag set, which the other side acknowledges, then the other side sends a FIN which the first side acknowledges. RST is generally sent as a signal that the sending side is giving up the connection, often because of a timeout. This may mean that a FIN was sent but not received, or received but ignored.

  The PIX is a "stateful inspection" firewall, which means that it checks that incoming packets are part of an established connection. The "(no connection)" indicates that this check has failed for the packet.   So what I expect you're seeing is that an internal client has been downloading mail from -- or port-scanning looking for a POP3 exploit -- 161.58.238.151 and 200.24.76.3 and 200.24.76.8, and has abandoned the connections (perhaps the exploit failed or their password was wrong).   For some reason, the PIX has seen them drop the connection, or (more likely) has timed it out. Finally the server has timed it out, and it's the server "hanging up the phone" that the PIX is seeing and logging.

  The packets from 66.35.250.206 are something else. I've seen a client use RST to hang up on a server, but never three times as seen here.

David Gillett

> -----Original Message-----
> From: aduenas@skytel.com.co [mailto:aduenas@skytel.com.co]
> Sent: February 26, 2003 12:53
> To: security-basics@securityfocus.com
> Subject: help with log entries
>
>
> Hi,
>
> I am getting some confusing log entries from my Cisco Pix firewall. At
Received on Fri Feb 28 13:46:24 2003