Attack Pattern

vipinrajrc
Level 3

Hi Experts,

I am going to implement a Syslog server in my environment. How can we check for any attack pattern in those logs?

One more doubt... do I need to configure the severity level? Which is the best? Is there any problem if I set debug as the severity level?

Please guide me... I need it so badly... Please reply ASAP...........

Thanks

Vipin

Thanks and Regards, Vipin
13 Replies

csaxena
Cisco Employee

Hello Vipin,

As such there is no harm in using level 7 logging (debugging), but please ensure you are not running on high CPU. Here is a guide which talks about all the syslog severity levels and their descriptions.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/monitor_syslog.html#wp1082848

Using an ASA, you can mitigate SYN attacks, IP spoofing attacks and duplicate packets due to a faulty NIC card in the network. Here is a nice document which talks about the same and the syslog ids:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml

Here is a document which can be referred to in order to understand a syslog message using its id:

http://www.cisco.com/en/US/partner/docs/security/asa/asa80/system/message/logmsgs.html#wp4768722

All these documents will require login using your CCO id.

Hope this helps. Please reply back if you need any further assistance.

Regards,
Chirag
P.S.: Please mark this thread as answered if you feel your query is answered. Do rate helpful posts.


Hi Chirag,

Thanks for your support.........

We can check for any attacks using syslog messages, right???

Thanks,

Vipin

Thanks and Regards, Vipin

Hello Vipin,

Yes, we can mitigate attacks by evaluating information in the syslogs.

Regards,
Chirag
P.S.: Please mark this thread as answered if you feel your query is answered. Do rate helpful posts.

Hi,

In reading these forums previously, I came to understand that not all drops are found in syslog entries. To see everything that is getting dropped, you must use a capture command.

cap alldrops type asp-drop all

sh cap alldrops

Since some attacks or portions of them will be dropped, you cannot rely entirely upon syslog entries.

After coming from competing products, I was very disappointed to learn about this unexpected feature of the ASA platform.
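To make the two points of this thread concrete (Chirag's note that a few attack types such as IP spoofing and SYN/scan behaviour show up as specific ASA syslog message ids, and the observation above that some drops only appear in an asp-drop capture), here is an added Python example. It is not code from this thread, from Cisco, or from any Cisco document. The message ids it keys on (106016 IP spoof, 106023 access-group deny, 733100 threat-detection rate exceeded) are real ASA ids; the log lines and capture lines themselves are constructed, and the exact text layout assumed for the `show capture` asp-drop output is an assumption of this example.

```python
import re
from collections import defaultdict

# Header of every ASA syslog message: %ASA-<severity 0-7>-<6-digit message id>: <text>
ASA_HDR = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<mid>\d{6}):\s*(?P<text>.*)")

# Body of message 106023 (packet denied by an access-group); field order as in the real message.
ACL_DENY = re.compile(
    r"Deny (?P<proto>\w+) src (?P<sif>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# One record of an asp-drop capture listing. ASSUMED layout for this example:
# "<n>: <time> <src>.<sport> > <dst>.<dport>: ... Drop-reason: (<code>) <description>"
CAP_DROP = re.compile(
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):.*"
    r"Drop-reason: \((?P<reason>[\w-]+)\)"
)


def parse_syslog(lines):
    """Return one dict per ASA syslog line: severity, message id and deny fields when present."""
    events = []
    for line in lines:
        m = ASA_HDR.search(line)
        if not m:
            continue  # not an ASA message (other syslog sources, noise)
        ev = {"sev": int(m["sev"]), "mid": m["mid"], "text": m["text"]}
        d = ACL_DENY.search(m["text"])
        if d:
            ev.update(d.groupdict())
        events.append(ev)
    return events


def find_patterns(events, scan_threshold=5):
    """Flag the patterns discussed in the thread: IP spoof messages (106016),
    threat-detection rate alarms (733100) and one source being denied on many
    distinct destination ports (scan-like behaviour derived from 106023 denies)."""
    ports_by_src = defaultdict(set)
    summary = {"ip_spoof": 0, "threat_detection": 0, "scanners": {}}
    for ev in events:
        if ev["mid"] == "106016":
            summary["ip_spoof"] += 1
        elif ev["mid"] == "733100":
            summary["threat_detection"] += 1
        elif ev["mid"] == "106023":
            ports_by_src[ev["src"]].add(ev["dport"])
    summary["scanners"] = {s: len(p) for s, p in ports_by_src.items() if len(p) >= scan_threshold}
    return summary


def parse_capture(lines):
    """Parse drop records out of an asp-drop capture listing (layout assumed, see CAP_DROP)."""
    return [m.groupdict() for m in (CAP_DROP.search(l) for l in lines) if m]


def drops_missing_from_syslog(drops, events):
    """Drops the capture saw that have no matching 106023 deny in syslog.
    This is the gap described in the thread: not every dropped packet is logged."""
    logged = {(e["src"], e["dst"], e["dport"]) for e in events if e["mid"] == "106023"}
    return [d for d in drops if (d["src"], d["dst"], d["dport"]) not in logged]


# Constructed sample data (not real logs); addresses come from the documentation ranges.
SYSLOG = [
    "%ASA-6-302013: Built inbound TCP connection 12 for outside:198.51.100.5/51000 "
    "(198.51.100.5/51000) to inside:192.0.2.10/443 (192.0.2.10/443)",
    "%ASA-2-106016: Deny IP spoof from (192.0.2.10) to 192.0.2.1 on interface outside",
] + [
    f'%ASA-4-106023: Deny tcp src outside:203.0.113.9/4{p} dst inside:192.0.2.10/{p} '
    f'by access-group "OUTSIDE_IN" [0x0, 0x0]'
    for p in (21, 22, 23, 25, 80)
] + [
    "%ASA-4-733100: [ Scanning ] drop rate-1 exceeded. Current burst rate is 20 per second, "
    "max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; "
    "Cumulative total count is 300",
]

CAPTURE = [
    "1: 10:41:33.395130 203.0.113.9.422 > 192.0.2.10.22: S 0:0(0) win 8192 "
    "Drop-reason: (acl-drop) Flow is denied by configured rule",
    "2: 10:41:33.401220 203.0.113.9.423 > 192.0.2.10.23: S 0:0(0) win 8192 "
    "Drop-reason: (acl-drop) Flow is denied by configured rule",
    "3: 10:41:34.002000 198.51.100.7.6000 > 192.0.2.10.80: S 0:0(0) win 8192 "
    "Drop-reason: (sp-security-failed) Slowpath security checks failed",
]


def run(syslog=SYSLOG, capture=CAPTURE):
    """Parse both sources and return (pattern summary, drops absent from syslog)."""
    events = parse_syslog(syslog)
    return find_patterns(events), drops_missing_from_syslog(parse_capture(capture), events)


if __name__ == "__main__":
    summary, missing = run()
    print("patterns:", summary)
    for d in missing:
        print(f"dropped but not in syslog: {d['src']} -> {d['dst']}:{d['dport']} ({d['reason']})")
```

On the constructed input the scan-like source is flagged from the 106023 denies and the spoof and threat-detection messages are counted, while the third capture record (dropped by a security check rather than by the ACL) is reported as absent from syslog, which is exactly why a capture is needed alongside the logs. Adjust `scan_threshold` and the `CAP_DROP` layout to your own log format before using it on real data.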

Hi,

We were discussing here ways to back up the logs for future analysis and determine if there was an attack.

Regards,

Chirag

We can check for any attacks using syslog messages, right???

So an "Attack Pattern" would be a restricted definition here: only packets that make it to the ASA ruleset?

Some firewall admins like to know who is knocking on their door even if the packets never make it to the device's ruleset.

Hi,

An ASA device is different from an IPS device. ASA syslogs are a set of pre-defined messages that report a few aspects while in production. Logs suggest the severity of the alert and can help in detecting only a few kinds of attacks. For example, the ASA can detect IP spoof and SYN attacks but can't detect Day Zero attacks.

You are right: to see details of all packets hitting the ASA, the best option is to use a packet capture. For detailed messages, you can also use a capture in pcap format on the interface.

Regards,

Chirag

ASA device is different from an IPS device

I guess the title of the ASA book (below) made me think it was an IPS, but maybe you mean it's not as complete as a dedicated IPS (I agree). The reason I noticed some drops not being in the syslog was I replaced a CheckPoint firewall with an ASA at my own site and wondered what happened to all of the probes I normally see. After reading these forums, I found the answer.

There's nothing wrong with using a capture to see all drops and then looking at them with WireShark. It just means you have to realize the syslog doesn't have every single event that is seen on the outside interface. That was my original point.

ASA book I mentioned (would not allow me to upload image in previous post)

Hi,

Firstly, this is a very nice book to read if you are new to Cisco ASA. Yes, ASA is not an IPS device. We have IPS available as an appliance, as a module and IOS based. The book talks about the module available for ASA.

Hope this helps.

Regards,

Chirag

3 Intrusion Detection / Prevention

3.1 ASA and Intrusion Prevention Systems

The Cisco ASA code allows for two ways to block malicious traffic. All ASA models have a built-in rule set, and various application inspection protocols.

ASA models 5510 and up, however, offer the option of installing and using a separate intrusion prevention system (IPS) blade, the AIP-SSM module. The AIP-SSM works exactly like any other Cisco network-based IPS (NIPS), with the exception that, instead of requiring that SPAN ports be configured, or a device be placed in the physical path of the network, the AIP-SSM inspects traffic on the backplane of the firewall while the traffic is still traversing it, giving faster response, and the ability to filter traffic on all networks with a single device.

Since tuning the IPS is beyond the scope of this document, focus will remain on the application inspection and smaller database of signature-based rules in the standard ASA code.

Hi,

Yep, ASA has a feature called Threat Detection, and we can also customize a few features by the Modular Policy Framework (MPF) available on ASA.

Cisco ASA 8.2 or higher also supports BotNet traffic detection.

Regards,
Chirag

hi,

it really depends on how you have set up your firewall. You can choose to try and make the most of a particular hardware, but then it would just lead to eating up more memory and CPU.

You can use features like threat detection and botnet, but that will come with a price of increased memory usage, and if your firewall is already running with a good amount of memory utilization you might not want to enable everything. Also we need to understand the fact that most modern-day attacks are so clever that they look like perfect traffic at layer 3/4, and that is when we need some special devices meant for this purpose like IPS and some other solutions.

Now coming to how useful the syslogs are to detect data: well, as you know, syslogs are mainly for historical data. The effects of an attack would be felt almost immediately in the form of an increased amount of connections or traffic than usual, so you know the whole idea of learning about an attack becomes useless. And also the syslogs do show inconsistencies in connections, but it is up to the network admin to look at them and differentiate between attack and normal behaviour, which usually takes time. Hence, if you are looking for mitigating advanced attacks you should look at devices which are meant for this, like IPS.
