Firewall Wizards mailing list archives

Help with log entries


From: Bill Pennington <billp () rocketcash com>
Date: Tue, 18 Jan 2000 12:55:05 -0800

I am getting some confusing log entries from my Cisco PIX firewall. At
first I thought that it was a network problem, but I don't have any other
evidence to support that assumption. The box is co-lo'ed and I have not
had a chance to run down and hook up a sniffer.

The log entries look like this. Destination IP addresses changed....

Jan 18 12:43:50 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 208.58.193.69/1062 to a.b.c.d/443 flags ACK
Jan 18 12:43:50 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 208.58.193.69/1062 to a.b.c.d/443 flags ACK
Jan 18 12:43:50 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 208.58.193.69/1062 to a.b.c.d/443 flags ACK
Jan 18 12:43:51 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 208.58.193.69/1064 to a.b.c.d/80 flags RST
Jan 18 12:43:52 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 208.58.193.69/1061 to a.b.c.d/80 flags RST
Jan 18 12:43:52 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 24.188.77.55/1684 to 1.2.3.4/80 flags RST ACK
Jan 18 12:43:53 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 206.28.32.70/2907 to a.b.c.d/80 flags PSH ACK
Jan 18 12:43:54 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 206.10.105.113/1302 to a.b.c.d/80 flags FIN ACK

At first I thought it might be a RST scan or some other "stealth" scan,
but generally the destination ports are ports that services are running
on. A "normal" nmap stealth scan produces Deny messages to a lot of
ports, not just 80 and 443. I am getting a ton of these, and generally I
get a bunch from one IP address at a time. AOL proxy servers also show
up a lot.

If anyone has any clues or suggestions I would be most grateful!


--

Bill Pennington
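An added triage script, not from the post or the list, that parses %PIX-6-106015 entries like the ones quoted above and separates the pattern described (non-SYN flags such as ACK, RST, PSH ACK or FIN ACK aimed only at served ports, which is what packets look like when they arrive after the PIX has already dropped the connection from its state table) from a port scan (one source hitting many distinct destination ports). The sample log, the 10.9.8.7 source, the served-port set and the scan threshold are all constructed for the example.

```python
import re
from collections import defaultdict

# Regex for the PIX 106015 "Deny TCP (no connection)" message format quoted in the post.
PIX_106015 = re.compile(
    r"%PIX-6-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\w.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+)$"
)

# Constructed sample, modelled on the post's entries (one record per line); 10.9.8.7 is invented.
SAMPLE_LOG = """\
Jan 18 12:43:50 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 208.58.193.69/1062 to a.b.c.d/443 flags ACK
Jan 18 12:43:51 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 208.58.193.69/1064 to a.b.c.d/80 flags RST
Jan 18 12:43:52 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 24.188.77.55/1684 to 1.2.3.4/80 flags RST ACK
Jan 18 12:43:53 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 206.28.32.70/2907 to a.b.c.d/80 flags PSH ACK
Jan 18 12:43:54 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 206.10.105.113/1302 to a.b.c.d/80 flags FIN ACK
Jan 18 12:43:55 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 10.9.8.7/40000 to a.b.c.d/21 flags ACK
Jan 18 12:43:55 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 10.9.8.7/40000 to a.b.c.d/22 flags ACK
Jan 18 12:43:55 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 10.9.8.7/40000 to a.b.c.d/23 flags ACK
Jan 18 12:43:55 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 10.9.8.7/40000 to a.b.c.d/25 flags ACK
"""

def parse_106015(text):
    """Yield (src, sport, dst, dport, flags) for every 106015 record in the text."""
    for line in text.splitlines():
        m = PIX_106015.search(line)
        if m:
            yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), frozenset(m["flags"].split()))

def summarize(text, served_ports=frozenset({80, 443}), scan_threshold=4):
    """Group denies by source and label each source as stale-session noise or a probable scan."""
    per_src = defaultdict(lambda: {"count": 0, "dports": set(), "flags": set()})
    for src, _sport, _dst, dport, flags in parse_106015(text):
        rec = per_src[src]
        rec["count"] += 1
        rec["dports"].add(dport)
        rec["flags"].add(" ".join(sorted(flags)))
    for src, rec in per_src.items():
        if len(rec["dports"]) >= scan_threshold:
            rec["verdict"] = "probable scan (many distinct destination ports)"
        elif rec["dports"] <= served_ports:
            rec["verdict"] = "stale session (out-of-state packet to a served port)"
        else:
            rec["verdict"] = "unclassified"
    return dict(per_src)

if __name__ == "__main__":
    for src, rec in summarize(SAMPLE_LOG).items():
        print(f"{src:16} n={rec['count']} ports={sorted(rec['dports'])} flags={sorted(rec['flags'])} -> {rec['verdict']}")
```

Feed it the raw syslog file instead of SAMPLE_LOG; sources that stay in the "stale session" bucket over a whole day are the ones the post is asking about, and a sniffer capture of one of them would show whether a SYN ever reached the PIX.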


