09-28-2018 07:25 AM - edited 02-21-2020 08:17 AM
Hi guys.
History:
I got a notification from the IT security team that one computer in subnet 10.244.244.0/26 has malware on it (it is opening multiple connections to 192.42.119.41, detected by the IPS as malware). I need to find out that computer's private IP.
Subnet 10.244.244.0/26 is PATed to public IP x.x.x.x.
The firewall logging config looks like this:
logging enable
logging buffer-size 1048576
logging monitor notifications
logging buffered notifications
logging trap notifications
logging history notifications
logging from-address di@di.di
logging recipient-address netops@ar.ar level emergencies
logging facility 18
logging queue 0
logging device-id ipaddress inside
logging host inside 172.16.63.145
logging message 304001 level informational
The access-list named data_access_in is assigned to the interface where subnet 10.244.244.0/26 lives.
I added a very first ACE permitting any connections from 10.244.244.0/26 to 192.42.119.41:80/tcp:
access-list data_access_in line 1 extended permit tcp object data-network host 192.42.119.41 eq www log debugging
Whenever I run a test with packet-tracer:
TDI04-DI0-FW01(config)# packet-tracer input data tcp 10.244.244.30 4455 192.42.119.41 www det
the ACE hit count increases (red below):
TDI04-DI0-FW01(config)# sh access-list data_access_in | i 192.42.119.41
access-list data_access_in line 1 extended permit tcp object data-network host 192.42.119.41 eq www log debugging interval 300 (hitcnt=2) 0xfd11a8a6
access-list data_access_in line 1 extended permit tcp 10.244.244.0 255.255.255.192 host 192.42.119.41 eq www log debugging interval 300 (hitcnt=2) 0xfd11a8a6
TDI04-DI0-FW01(config)#
but I don't see the packet registered by the syslog server at 172.16.63.145 (green above).
The syslog contains only this:
Sep 28 09:54:52 10.4.4.3 10.4.4.3 %ASA-5-111008: User 'as-admin' executed the 'packet-tracer input data tcp 10.244.244.30 4455 192.42.119.41 www detailed' command.
Sep 28 09:54:52 10.4.4.3 10.4.4.3 %ASA-5-111010: User 'as-admin', running 'CLI' from IP snoopy, executed 'packet-tracer input data tcp 10.244.244.30 4455 192.42.119.41 www detailed'
Could you help me out?
Thank you.
09-28-2018 08:05 AM
Change logging level on the ACL to informational and same with logging trap
i.e.
access-list data_access_in line 1 extended permit tcp object data-network host 192.42.119.41 eq www log debugging
to
access-list data_access_in line 1 extended permit tcp object data-network host 192.42.119.41 eq www log informational
Also
logging trap x.x.x.x informational
Here's the log level description:
Joel
09-28-2018 08:15 AM
Thank you Joel.
The commands below did the trick:
no access-list data_access_in extended permit tcp object data-network host 192.42.119.41 eq www log debugging
access-list data_access_in lin 1 extended permit tcp object data-network host 192.42.119.41 eq www log info
no logging trap notifications
logging trap informational
I see logs now:
Sep 28 11:10:37 10.4.4.3 10.4.4.3 %ASA-6-106100: access-list data_access_in permitted tcp data/10.244.244.30(4455) -> inside/192.42.119.41(80) hit-cnt 1 first hit [0xfd11a8a6, 0x0]
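An added example, not part of the thread: a short Python script that encodes the severity check behind the fix (an ACE logging at debugging, level 7, is dropped by `logging trap notifications`, level 5) and parses constructed %ASA-6-106100 lines in the format shown above to rank internal sources talking to the suspect address. The sample log text and the second destination 198.51.100.7 are constructed.

```python
import re
from collections import Counter

# ASA syslog severities: 0 (emergencies) is most severe, 7 (debugging) least.
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Constructed sample of what the syslog server receives once the ACE logs at
# informational and 'logging trap informational' is configured.
SAMPLE_LOG = """\
Sep 28 11:10:37 10.4.4.3 10.4.4.3 %ASA-6-106100: access-list data_access_in permitted tcp data/10.244.244.30(4455) -> inside/192.42.119.41(80) hit-cnt 1 first hit [0xfd11a8a6, 0x0]
Sep 28 11:10:41 10.4.4.3 10.4.4.3 %ASA-6-106100: access-list data_access_in permitted tcp data/10.244.244.30(4456) -> inside/192.42.119.41(80) hit-cnt 1 first hit [0xfd11a8a6, 0x0]
Sep 28 11:10:45 10.4.4.3 10.4.4.3 %ASA-6-106100: access-list data_access_in permitted tcp data/10.244.244.12(51002) -> inside/192.42.119.41(80) hit-cnt 1 first hit [0xfd11a8a6, 0x0]
Sep 28 11:10:50 10.4.4.3 10.4.4.3 %ASA-6-106100: access-list data_access_in permitted tcp data/10.244.244.30(4457) -> inside/198.51.100.7(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
"""

# Fields of message 106100: ACL name, action, protocol, ingress if/src(port) -> egress if/dst(port).
LINE_RE = re.compile(
    r"%ASA-(?P<sev>\d)-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<sif>[^/\s]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>[^/\s]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\)")

def is_forwarded(msg_level, trap_level):
    """True if a message at msg_level passes 'logging trap <trap_level>'.
    The trap level admits that severity and every more severe (lower) one."""
    return SEVERITY[msg_level] <= SEVERITY[trap_level]

def sources_talking_to(log_text, suspect_ip):
    """Count 106100 hits per internal source IP whose destination is suspect_ip."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["dst"] == suspect_ip:
            hits[m["src"]] += 1
    return hits

if __name__ == "__main__":
    # Why the original setup produced nothing at the syslog server:
    print("debugging passes trap notifications?", is_forwarded("debugging", "notifications"))
    print("informational passes trap informational?", is_forwarded("informational", "informational"))
    # Which private IP behind the PAT is generating the flagged connections:
    for src, n in sources_talking_to(SAMPLE_LOG, "192.42.119.41").most_common():
        print(f"{src}: {n} connection(s) to 192.42.119.41")
```

Once the counts are in, the top source is the host to pull from the network and image; 106100 aggregates hits per `interval`, so on a busy ACE the `hit-cnt` field, not the line count, is the better tally.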