topic Re: Attack Pattern in Network Security

Attack Pattern

vipinrajrc — Mon, 11 Mar 2019 19:57:52 GMT

Hi Experts,

I am going to implement Syslog server in my environment.. how can we check any attack pattern in that logs???

One more doubt... do i need to configure in the severity-level???? which is the best??? is there any problem happen if i give debug in severity-level???

Please guide me... I need it so badly... Please reply ASAP...........

Thanks

Vipin

Re: Attack Pattern

csaxena — Mon, 28 Feb 2011 08:52:32 GMT

Hello Vipin,

As such there is no harm in using level 7 logging(debugging) but please ensure you are not running on high CPU. Here is guide which talks about all the syslogging security levels and its description.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/monitor_syslog.html#wp1082848

Using an ASA, you can mitigate SYN attacks, IP spoofing attacks and duplicate packets due to faulty NIC card in the network. Here is a nice document which talks about the same & syslog ids:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml

Here is a document which can be refered to understand the syslog message using its id :

http://www.cisco.com/en/US/partner/docs/security/asa/asa80/system/message/logmsgs.html#wp4768722

All these documents will require login using your CCO id.

Hope this helps. Please reply back if you need any further assistance.

Regards,
Chirag
P.S.: Please mark this thread as answered if you feel your query is answered. Do rate helpful posts.

is thread as answered if you feel your query is answered. Do rate helpful posts.

Re: Attack Pattern

vipinrajrc — Tue, 01 Mar 2011 09:37:18 GMT

Hi Chirag,

Thanks for you support.........

We can check for any attacks using syslog messages, right???

Thanks,

Vipin

Re: Attack Pattern

csaxena — Wed, 02 Mar 2011 02:14:58 GMT

Hello Vipin,

Yes, we can mitigate attacks by evaluating information in the syslogs.

Regards,
Chirag
P.S.: Please mark this thread as answered if you feel your query is answered. Do rate helpful posts.

Re: Attack Pattern

lcaruso — Wed, 02 Mar 2011 03:23:10 GMT

Hi,

In reading these forums previously, I came to understand that not all drops are found in syslog entries. To see everything that is getting dropped, you must use a capture command.

cap alldrops type asp-drop all

sh cap alldrops

Since some attacks or portions of them will be dropped, you cannot rely entirely upon syslog entries.

After coming from competing products, I was very disappointed to learn about this unexpected feature of the ASA platform.

Re: Attack Pattern

csaxena — Wed, 02 Mar 2011 03:57:37 GMT

Hi,

We were discussing here ways to backup the logs for future analysis and determine if there was a attack.

Regards,

Chirag

Re: Attack Pattern

lcaruso — Wed, 02 Mar 2011 04:16:06 GMT

We can check for any attacks using syslog messages, right???

So an "Attack Pattern" would be a restricted defintion here: only packets that make to the ASA ruleset?

Some firewall admins like to know who is knocking on their door even if the packets never make it to the device's ruleset.

Re: Attack Pattern

csaxena — Wed, 02 Mar 2011 08:37:27 GMT

Hi,

ASA device is different from an IPS device. ASA syslogs are set pre-defined messages to report few aspects while in production. Logs suggest severity of the alert and can help in detecting only few kinds of attacks. For eg., ASA can detect IP spoof and SYN attacks but can't detect Day Zero attacks.

You are right, to see details of all packets hitting ASA, best is to use a packet capture. For detailed messages, you can also use capture in pcap format on the interface.

Regards,

Chirag

Re: Attack Pattern

lcaruso — Wed, 02 Mar 2011 09:22:49 GMT

ASA device is different from an IPS device

I guess the title of the ASA book (below) made me think it was an IPS, but maybe you mean it's not as complete as a dedicated IPS (I agree). The reason I noticed some drops not being in the syslog was I replaced a CheckPoint firewall with an ASA at my own site and wondered what happened to all of the probes I normally see. After reading these forums, I found the answer.

There's nothing wrong with using a capture to see all drops and then looking at them with WireShark. It just means you have to realize the syslog doesn't have every single event that is seen on the outside interface. That was my original point.

Re: Attack Pattern

lcaruso — Wed, 02 Mar 2011 09:28:29 GMT

ASA book I mentioned (would not allow me to upload image in previous post)

Re: Attack Pattern

csaxena — Thu, 03 Mar 2011 01:41:52 GMT

Hi,

Firstly this a very nice book to read if you are new to Cisco ASA. Yes, ASA is not an IPS device. We have IPS available as an appliance, as a module and IOS based. The book talks about the module available for ASA.

Hope this helps.

Regards,

Chirag

Re: Attack Pattern

lcaruso — Thu, 03 Mar 2011 02:13:14 GMT

3 Intrusion Detection / Prevention

3.1 ASA and Intrusion Prevention Systems

The Cisco ASA code allows for two ways to block malicious traffic. All ASA models

have a built-in rule set, and various application inspection protocols.

ASA models 5510 and up, however, offer the option of installing and using a separate intrusion prevention system (IPS) blade – the AIP-SSM module. The AIP-SSM works exactly like any other Cisco networkbased IPS (NIPS), with the exception that, instead of requiring that SPAN ports be configured,

or a device be placed in the physical path of the network, the AIP-SSM inspects traffic on the

backplane of the firewall while the traffic is still traversing it, giving faster response, and the

ability to filter traffic on all networks with a single device.

Since tuning the IPS is beyond the scope of this document, focus will remain on the application inspection and smaller database of signature-based rules in the standard ASA code

Re: Attack Pattern

csaxena — Fri, 04 Mar 2011 02:16:28 GMT

Hi,

Yep, ASA has a feature called Theat Detection and we can also customize a few features by Modular Policy Framework(MPF) available on ASA.

Cisco ASA 8.2 or higher also supports BotNet traffic detection

Regards,
Chirag

Re: Attack Pattern

Jitendriya Athavale — Fri, 04 Mar 2011 16:52:17 GMT

hi,

it really depends on how you have setup your firewall, you can choose to try and make the most of a particular hardware but then it would just leed to eating up more memory and cpu

you can use features like threat detection and botnet but that will come with a price of increased memory usage and if your firewall is already running with good amount of mem utlization you might not want to enable everything, also we need to understand that fact that most of the modern day attacks are so clever that they look like perfect traffic at layer 3/4 and that is when we need some special devices meant for this purpose like IPS and some other solutions

Now coming to how useful the syslogs are to detect data, well as you know syslogs are mainly for historical data, the affects of attack would be felt almost immediate in the form of increased amount of connections or traffic than usual, so you know the whole idea of learning about an attack becomes useless. And also the syslogs do show inconsistencies in connections but it is upto the network admin to look at them and differentiate between attack and normal behaviour which usually takes time and hence if you are looking for mitigating advanced attacks you should look at devices which are meant for this like IPS