The connection table is a great way to find any6 entries and see who/what is connecting to an F5. It also shows connections that have not been decided yet (no server-side flow selected), and tells you which TMM owns each connection.
e.g. (a typical F5 connection table output):
show sys connection | grep any6
10.75.2.69:56138 198.209.23.11:443 any6.any any6.any tcp 48 (tmm: 1) none
23.115.26.28:61190 198.209.23.11:443 any6.any any6.any tcp 1 (tmm: 1) none
69.132.155.53:53284 198.209.23.11:443 any6.any any6.any tcp 0 (tmm: 1) none
174.193.128.25:9744 198.209.23.11:443 any6.any any6.any tcp 59 (tmm: 1) none
98.216.118.29:62514 198.209.23.11:443 any6.any any6.any tcp 5 (tmm: 1) none
108.26.230.54:61928 198.209.23.11:443 any6.any any6.any tcp 0 (tmm: 1) none
The above output shows numerous connections listed as "any6.any", and they are all TCP.
You could get creative and do a GeoIP lookup using MaxMind or the Unix geoip-bin package to look at location and client type for trending.
e.g. ISP name, continent, country, etc.
Armed with the GeoIP database details, you could then investigate, as a security analyst, whether these addresses are repeat offenders, known bots, C&C servers, etc.
Keep in mind that connections which are not authenticated or have no final disposition can produce an any6.any connection state, and it is not always a sign of something "bad".
NOTE: These connections also show up as "no handler" in the show sys tmm-traffic details if they are actually dropped.
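The workflow above (grep the connection table for any6, then enrich the client addresses with GeoIP data and trend by ISP/country/TMM) is easy to script once the table has been collected. The following is an added example, not code from the original post or from F5: it parses the six sample lines quoted above, flags the undecided any6.any flows, and runs each client address through a small constructed stand-in for a GeoIP database. The networks, continents, countries and ISP names in FAKE_GEOIP are assumptions made for the example, not real geolocation data for those addresses; in practice you would replace geo_lookup() with a MaxMind or geoip-bin query. The example also keeps the two caveats from the post: private addresses are never in a GeoIP database, and a missing GeoIP record (the "no geo-info" case) is reported rather than treated as evidence of anything bad.

```python
"""Parse and summarise F5 `show sys connection | grep any6` output.

Added example, not from the original post or from F5. The sample lines are
the ones quoted in the post; FAKE_GEOIP is a constructed stand-in for a real
MaxMind / geoip-bin lookup and its values are assumptions, not real data.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: the connection table lines quoted in the post.
SAMPLE_OUTPUT = """\
10.75.2.69:56138 198.209.23.11:443 any6.any any6.any tcp 48 (tmm: 1) none
23.115.26.28:61190 198.209.23.11:443 any6.any any6.any tcp 1 (tmm: 1) none
69.132.155.53:53284 198.209.23.11:443 any6.any any6.any tcp 0 (tmm: 1) none
174.193.128.25:9744 198.209.23.11:443 any6.any any6.any tcp 59 (tmm: 1) none
98.216.118.29:62514 198.209.23.11:443 any6.any any6.any tcp 5 (tmm: 1) none
108.26.230.54:61928 198.209.23.11:443 any6.any any6.any tcp 0 (tmm: 1) none
"""

# One IPv4 connection-table line: client, virtual server, server-side client,
# server-side server, protocol, idle seconds, owning TMM, trailing attribute.
LINE_RE = re.compile(
    r"^(?P<cip>[^:\s]+):(?P<cport>\d+)\s+"
    r"(?P<vip>[^:\s]+):(?P<vport>\d+)\s+"
    r"(?P<ss_client>\S+)\s+(?P<ss_server>\S+)\s+"
    r"(?P<proto>\w+)\s+(?P<idle>\d+)\s+\(tmm:\s*(?P<tmm>\d+)\)\s+(?P<attr>\S+)$"
)

# Constructed stand-in for a GeoIP database: network -> (continent, country, ISP).
# These mappings are assumptions for the example, not real geolocation data.
FAKE_GEOIP = {
    ipaddress.ip_network("23.115.0.0/16"): ("NA", "US", "ExampleISP-A"),
    ipaddress.ip_network("69.132.0.0/16"): ("NA", "US", "ExampleISP-B"),
    ipaddress.ip_network("174.193.0.0/16"): ("NA", "US", "ExampleISP-C"),
}


def parse_connections(text):
    """Return one dict per parsable connection line; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for key in ("cport", "vport", "idle", "tmm"):
            rec[key] = int(rec[key])
        # any6.any in both server-side columns: no load-balancing decision yet.
        rec["undecided"] = rec["ss_client"] == "any6.any" and rec["ss_server"] == "any6.any"
        records.append(rec)
    return records


def geo_lookup(ip_str):
    """Longest-prefix match against the stand-in table.

    Returns (continent, country, isp), a 'private' marker for non-global
    addresses (never present in a GeoIP database), or None when unknown.
    """
    ip = ipaddress.ip_address(ip_str)
    if not ip.is_global:
        return ("-", "private", "private")
    best = None
    for net, info in FAKE_GEOIP.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, info)
    return best[1] if best else None


def summarise(records):
    """Aggregate the undecided (any6.any) flows by country, ISP and owning TMM.

    Addresses without a GeoIP record are listed under 'no_geo' for follow-up;
    as the post notes, an any6.any entry by itself is not evidence of abuse.
    """
    by_country, by_isp, by_tmm, no_geo = Counter(), Counter(), Counter(), []
    for r in records:
        if not r["undecided"]:
            continue
        by_tmm[r["tmm"]] += 1
        geo = geo_lookup(r["cip"])
        if geo is None:
            no_geo.append(r["cip"])
            continue
        _continent, country, isp = geo
        by_country[country] += 1
        by_isp[isp] += 1
    return {"by_country": dict(by_country), "by_isp": dict(by_isp),
            "by_tmm": dict(by_tmm), "no_geo": no_geo}


if __name__ == "__main__":
    summary = summarise(parse_connections(SAMPLE_OUTPUT))
    for section, value in summary.items():
        print(f"{section}: {value}")
```

In production, feed the script the saved output of `tmsh show sys connection` (or pipe it in) and swap geo_lookup() for a real database query; the per-TMM counter is useful for spotting whether the undecided flows are spread evenly across TMMs or concentrated on one.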
Finally, within the APM sessions, until a user has started the authentication process you will not know the "username", for obvious reasons.
Examples (unknown username, with geo-info and with no geo-info):
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \