System log messages from perimeter network devices can provide insight into, and context for, security events that may not be available from other sources. This insight helps in determining the validity and extent of an incident.
In the context of a security incident, analysts can use firewall syslog messages to understand the communication relationships, the timing, and sometimes the attacker's motives and/or tools.
Firewall logs should be used together with the other forms of network security monitoring that are in place.
Firewall ACL denied log messages are often of interest because they may indicate attempts to gain unauthorized access to the network.
In the Cisco ASA syslog example that is shown below, the 209.165.200.233 outside host attempts to connect to different dmz hosts over different ports, and is denied by the ACL named “outside_access_in.” The log messages have the same source address and are destined to different destination ports, which could indicate a footprinting or port scanning attempt from the 209.165.200.233 outside host against the hosts in the dmz. Note that if an IPS is placed behind the firewall, the IPS will not see this port scanning traffic, because the firewall has already dropped it.
```
Aug 13 2016 11:00:11: %ASA-4-106100: access-list outside_access_in denied tcp outside/209.165.200.233(23000) -> dmz/192.168.1.1(22) hit-cnt 1 ......
Aug 13 2016 11:00:12: %ASA-4-106100: access-list outside_access_in denied tcp outside/209.165.200.233(23001) -> dmz/192.168.1.1(23) hit-cnt 1 ......
Aug 13 2016 11:00:13: %ASA-4-106100: access-list outside_access_in denied tcp outside/209.165.200.233(23002) -> dmz/192.168.1.1(53) hit-cnt 1 ......
Aug 13 2016 11:00:14: %ASA-4-106100: access-list outside_access_in denied tcp outside/209.165.200.233(23003) -> dmz/192.168.1.1(80) hit-cnt 1 ......
<etc>
Aug 13 2016 11:02:51: %ASA-4-106100: access-list outside_access_in denied tcp outside/209.165.200.233(24000) -> dmz/192.168.1.2(22) hit-cnt 1 ......
Aug 13 2016 11:02:52: %ASA-4-106100: access-list outside_access_in denied tcp outside/209.165.200.233(24001) -> dmz/192.168.1.2(23) hit-cnt 1 ......
Aug 13 2016 11:02:53: %ASA-4-106100: access-list outside_access_in denied tcp outside/209.165.200.233(24002) -> dmz/192.168.1.2(53) hit-cnt 1 ......
Aug 13 2016 11:02:54: %ASA-4-106100: access-list outside_access_in denied tcp outside/209.165.200.233(24003) -> dmz/192.168.1.2(80) hit-cnt 1 ......
<etc>
```
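The following is an added example, not code from the original page or from Cisco: it parses the `%ASA-<severity>-<message id>` header that every ASA message carries, decodes the fields of the 106100 ACL messages shown above, and groups denies per source/destination pair to surface the "same source, many destination ports in a short window" pattern the text describes. The sample log lines are constructed to resemble the ones on this page, and the `min_ports` and `window_seconds` thresholds are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines modelled on the ASA messages on this page: 106100 denies from one
# outside host against two dmz hosts, one permitted 106100 line, and one 302013 "Built" line.
SAMPLE_LOG = """\
Aug 13 2016 11:00:11: %ASA-4-106100: access-list outside_access_in denied tcp outside/209.165.200.233(23000) -> dmz/192.168.1.1(22) hit-cnt 1 first hit
Aug 13 2016 11:00:12: %ASA-4-106100: access-list outside_access_in denied tcp outside/209.165.200.233(23001) -> dmz/192.168.1.1(23) hit-cnt 1 first hit
Aug 13 2016 11:00:13: %ASA-4-106100: access-list outside_access_in denied tcp outside/209.165.200.233(23002) -> dmz/192.168.1.1(53) hit-cnt 1 first hit
Aug 13 2016 11:00:14: %ASA-4-106100: access-list outside_access_in denied tcp outside/209.165.200.233(23003) -> dmz/192.168.1.1(80) hit-cnt 1 first hit
Aug 13 2016 11:02:51: %ASA-4-106100: access-list outside_access_in denied tcp outside/209.165.200.233(24000) -> dmz/192.168.1.2(22) hit-cnt 1 first hit
Aug 13 2016 11:02:52: %ASA-4-106100: access-list outside_access_in denied tcp outside/209.165.200.233(24001) -> dmz/192.168.1.2(80) hit-cnt 1 first hit
Aug 13 2016 11:05:00: %ASA-6-106100: access-list outside_access_in permitted tcp outside/203.0.113.9(40000) -> dmz/192.168.1.1(80) hit-cnt 1 first hit
Aug 14 2016 12:38:51 %ASA-6-302013: Built inbound TCP connection 855 for outside:209.165.200.236/1107 (209.165.200.236/1107) to dmz:10.1.1.1/80 (10.1.1.1/80)
"""

# Every ASA message starts with a timestamp and a %ASA-<severity>-<message id> header.
HEADER_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}):? %ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")
# Body of a 106100 ACL hit: ACL name, action, protocol, interface/ip(port) pairs and the hit count.
ACL_RE = re.compile(r"access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) (?P<proto>\w+) "
                    r"(?P<src_if>[^/]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
                    r"(?P<dst_if>[^/]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)")

def parse_line(line):
    """Return a dict for one ASA syslog line (None if it is not ASA format); 106100 bodies are decoded."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"), "severity": int(m["sev"]),
           "msgid": m["msgid"], "body": m["body"]}
    a = ACL_RE.match(rec["body"]) if rec["msgid"] == "106100" else None
    if a:
        rec.update(a.groupdict(), sport=int(a["sport"]), dport=int(a["dport"]), hits=int(a["hits"]))
    return rec

def find_scan_candidates(lines, min_ports=3, window_seconds=600):
    """Group 106100 denies by (source, destination) and flag pairs denied on at least min_ports
    distinct destination ports within window_seconds; both thresholds are assumed values to tune."""
    denied = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["msgid"] == "106100" and rec.get("action") == "denied":
            denied[(rec["src"], rec["dst"])].append(rec)
    findings = []
    for (src, dst), recs in denied.items():
        ports = sorted({r["dport"] for r in recs})
        span = (max(r["ts"] for r in recs) - min(r["ts"] for r in recs)).total_seconds()
        if len(ports) >= min_ports and span <= window_seconds:
            findings.append({"src": src, "dst": dst, "acl": recs[0]["acl"], "ports": ports, "span_seconds": span})
    return findings
```

With the sample above, only the 192.168.1.1 target is flagged at the default threshold (four distinct ports in three seconds); the 192.168.1.2 pair has two ports and only appears if `min_ports` is lowered.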
Other common firewall log messages include the tracking of NATs and connection events through the firewall.
In the Cisco ASA appliance syslog example that is shown below, the 209.165.200.236 outside host initiated a TCP connection to the 10.1.1.1 dmz host port 80.
```
Aug 14 2016 12:38:51 %ASA-6-302013: Built inbound TCP connection 855 for outside:209.165.200.236/1107 (209.165.200.236/1107) to dmz:10.1.1.1/80 (10.1.1.1/80)
```
In the Cisco ASA appliance syslog example that is shown below, the 172.16.1.1 inside host private source IP address is dynamically translated to the public IP address of 198.51.100.1 on the outside interface.
```
%ASA-6-305009: Built dynamic translation from inside:172.16.1.1 to outside:198.51.100.1
```
Although all firewall log messages can be useful in certain circumstances, generally a small subset of log messages will initially provide the most benefit. After these events have been examined, administrators can expand the scope of their analysis by searching for additional details. The following table summarizes a few of the other common Cisco ASA log messages and their severity level. For example, for the %ASA-3-106014 log, 3 is the severity level.
| Syslog Mnemonic | Description |
|---|---|
| %ASA-3-106014 | Deny inbound icmp src interface_name: IP_address dst interface_name: IP_address (type dec, code dec). The ASA denied any inbound ICMP packet access. |
| %ASA-6-106015 | Deny TCP (no connection) from IP_address/port to IP_address/port flags tcp_flags on interface interface_name. The ASA discarded a TCP packet that has no associated connection in the ASA connection table. The ASA looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is no existing connection, the ASA discards the packet. |
| %ASA-1-106021 | Deny protocol reverse path check from source_address to dest_address on interface interface_name. Someone is attempting to spoof an IP address on an inbound connection. Unicast RPF, also known as reverse route lookup, detected a packet that does not have a source address that is represented by a route in the ASA routing table. |
| %ASA-6-302014 | Teardown TCP connection id for interface : real-address / real-port [( idfw_user )] to interface : real-address / real-port [( idfw_user )] duration hh : mm : ss bytes bytes [ reason ] [( user )]. A TCP connection between two hosts was deleted. The reasons for the deleted connection include: |
| %ASA-6-302016 | Teardown UDP connection number for interface : real-address / real-port [( idfw_user )] to interface : real-address / real-port [( idfw_user )] duration hh : mm : ss bytes bytes [( user )]. A UDP connection between two hosts was deleted. |
| %ASA-6-302021 | Teardown ICMP connection for faddr { faddr \| icmp_seq_num} [( idfw_user )] gaddr { gaddr \| cmp_type } laddr laddr [( idfw_user )]. An ICMP session is removed in the fast-path when stateful ICMP is enabled using the inspect icmp command. |