topic Re: ASA email alerting in Network Security

ASA email alerting

Andy White — Mon, 11 Mar 2019 17:30:47 GMT

Hello,

I have been asked to provide a method of being emailed should a persistant public IP be trying to access out external IP of our ASA, are their anyways of doig this? I don't want to get an email if one or 2 hits form the same IP are "seen" but if there are 40-50 from the same suggesting some sort of penetration activity?

I've got some of the alerts going to my syslog server (solarwinds) but it can't do anything clever.

Re: ASA email alerting

Jennifer Halim — Fri, 09 Apr 2010 08:59:20 GMT

Unfortunately not a supported feature on ASA.

ASA can only send email notifications for syslog messages on specific syslog severity.

Re: ASA email alerting

Andy White — Fri, 09 Apr 2010 09:26:16 GMT

Looks like my syslog viewer can do some sort of email alerting, I can see message type "ASA-1-710003" appear and I now get an email, but I need to suppress it somehow.

What I don't understand is I get syslog alerts for denied access to our ASA, but we have other devices with public IP's that are NAT'd to their private addresses that I don't get denies from, it this down tot he device behind the NAT or shoudl the firewall also pickup these denies?

Re: ASA email alerting

Jennifer Halim — Fri, 09 Apr 2010 09:47:53 GMT

I assume the deny access would be syslog from access-list on interfaces.

Re: ASA email alerting

Andy White — Fri, 09 Apr 2010 09:57:52 GMT

That is correct.

Re: ASA email alerting

Andy White — Fri, 09 Apr 2010 12:07:28 GMT

For example we have a few public IP addresses going to web servers behind the firewall, I need a deny message to be sent our syslog server should the attempt be anything other that port 80. How can I achieve this?

What is strange also if I try and telnet to our ASA over the internet on port 80 or 23 I get a deny message sent to the syslog server but if I telnet on any other random port I don't get a deny log, it gets blocked but that's it I need to record this and for the other servers.

Thanks

Re: ASA email alerting

Kureli Sankar — Sat, 10 Apr 2010 03:59:25 GMT

This is not possible. These will be dropped by the firewall. You can see these in the asp drop captures.

cap capasp type asp-drop all

sh cap capasp

What is configured to be alllowed - will send syslogs if tried to be accessed by some IP that is not allowed.

What is not even configured when tried to be accessed - the firewall just drops these packets and not log.

-KS

Re: ASA email alerting

Andy White — Sat, 10 Apr 2010 06:58:29 GMT

Thanks, how can I tell if we are being targeted from an external IP on the outside interface lots of the time?

If I run your capture command will it show all drops from all interfaces or just the outside interface?

Re: ASA email alerting

Kureli Sankar — Sat, 10 Apr 2010 12:27:29 GMT

That is correct. ASP drop will show all drops - all interfaces.

for example.

I have asdm/443, telnet and ssh allowed on my firewall. I tried a telnet to port 556 from the outside and the asp drop captures shows below:

ASA# sh cap capasp | i 556
2: 23:16:44.371425 802.1Q vlan#10 P0 10.117.14.69.58538 > 172.18.254.34.556: S 3707472990:3707472990(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule
21: 23:16:54.769003 802.1Q vlan#10 P0 10.117.14.69.58543 > 172.18.254.34.556: S 185959746:185959746(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule
23: 23:16:55.677500 802.1Q vlan#10 P0 10.117.14.69.58543 > 172.18.254.34.556: S 185959746:185959746(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule
26: 23:16:56.680323 802.1Q vlan#10 P0 10.117.14.69.58543 > 172.18.254.34.556: S 185959746:185959746(0) win 65535

All SYNs from my outside client are dropped.

-KS

Re: ASA email alerting

Andy White — Sun, 11 Apr 2010 07:01:54 GMT

Anyway this can be outputted to a syslog server?

How would a company know if they are being hacked, I know the firewall is dropping the packets, but somebody could be trying for weeks and I wouldn't even know?

Re: ASA email alerting

Kureli Sankar — Sun, 11 Apr 2010 13:09:39 GMT

No. ASP drops cannot be sent to syslog server. Unfortunately not. Threat Detection feature will help you: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_threat.html#wp1088111

Besides this you need an IPS/IDS device.

-KS

Re: ASA email alerting

Andy White — Sun, 11 Apr 2010 15:56:28 GMT

Thanks. I do have the IPS module installed but again I think it only logs on allowed traffic passing through the firewall.

Re: ASA email alerting

Kureli Sankar — Sun, 11 Apr 2010 21:11:35 GMT

NO. You can do a few things with an IPS/IDS device

a. Deny Attacker Inline - Create an ACL that denies all traffic from the suspected source IP address

b. Deny connection Inline - Send resets to terminate the TCP flow

c. Deny packet Inline - Do not transmit the packet (inline only)

d. Produce Alert - Generate an alarm message

e. Reset TCP connection - Drop the packet and all future packets from the TCP flow

Read about it here: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html

Figure 59-1 shows the traffic flow when running the AIP SSM/SSC in inline mode. In this example, the AIP SSM/SSC automatically blocks traffic that it identified as an attack. All other traffic is forwarded through the adaptive security appliance.

-KS

Re: ASA email alerting

Andy White — Mon, 12 Apr 2010 09:30:43 GMT

This is what we have configured.

policy-map global_policy
class myipsclass
ips inline fail-open sensor vs0

I asked TAC about the report and they also say I can't do it. Is this do to me using "ips inline fail-open" and not one of the other options you mentioned?