cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


638
Views
23
Helpful
13
Replies
Participant

Attack Pattern

Hi Experts,

I am going to implement Syslog server in my environment.. how can we check any attack pattern in that logs???

One more doubt... do i need to configure in the severity-level???? which is the best??? is there any problem happen if i give debug in severity-level???

Please guide me... I need it so badly... Please reply ASAP...........

Thanks

Vipin

Thanks and Regards, Vipin
13 REPLIES 13
Cisco Employee

Re: Attack Pattern

Hello Vipin,

As such there is no harm in using level 7 logging(debugging) but please ensure you are not running on high CPU. Here is guide which talks about all the syslogging security levels and its description.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/monitor_syslog.html#wp1082848

Using an ASA, you can mitigate SYN attacks, IP spoofing attacks and duplicate packets due to faulty NIC card in the network. Here is a nice document which talks about the same & syslog ids:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml

Here is a document which can be refered to understand the syslog message using its id :

http://www.cisco.com/en/US/partner/docs/security/asa/asa80/system/message/logmsgs.html#wp4768722

All these documents will require login using your CCO id.

Hope this helps. Please reply back if you need any further assistance.

Regards,
Chirag
P.S.: Please mark this thread as answered if you feel your query is answered. Do rate helpful posts.

is thread as answered if you feel your query is answered. Do rate helpful posts.

Participant

Re: Attack Pattern

Hi Chirag,

Thanks for you support.........

We can check for any attacks using syslog messages, right???

Thanks,

Vipin

Thanks and Regards, Vipin
Cisco Employee

Re: Attack Pattern

Hello Vipin,

Yes, we can mitigate attacks by evaluating information in the syslogs.

Regards,
Chirag
P.S.: Please mark this thread as answered if you feel your query is answered. Do rate helpful posts.

Enthusiast

Re: Attack Pattern

Hi,

In reading these forums previously, I came to understand that not all drops are found in syslog entries. To see everything that is getting dropped, you must use a capture command.

cap alldrops type asp-drop all

sh cap alldrops

Since some attacks or portions of them will be dropped, you cannot rely entirely upon syslog entries.

After coming from competing products, I was very disappointed to learn about this unexpected feature of the ASA platform.

Cisco Employee

Re: Attack Pattern

Hi,

We were discussing here ways to backup the logs for future analysis and determine if there was a attack.

Regards,

Chirag

Enthusiast

Re: Attack Pattern

We can check for any attacks using syslog messages, right???

So an "Attack Pattern" would be a restricted defintion here: only packets that make to the ASA ruleset?

Some firewall admins like to know who is knocking on their door even if the packets never make it to the device's ruleset.

Cisco Employee

Re: Attack Pattern

Hi,

ASA device is different from an IPS device. ASA syslogs are set pre-defined messages to report few aspects while in production. Logs suggest severity of the alert and can help in detecting only few kinds of attacks. For eg., ASA can detect IP spoof and SYN attacks but can't detect Day Zero attacks.

You are right, to see details of all packets hitting ASA, best is to use a packet capture. For detailed messages, you can also use capture in pcap format on the interface.

Regards,

Chirag

Enthusiast

Re: Attack Pattern

ASA device is different from an IPS device

I guess the title of the ASA book (below) made me think it was an IPS, but maybe you mean it's not as complete as a dedicated IPS (I agree). The reason I noticed some drops not being in the syslog was I replaced a CheckPoint firewall with an ASA at my own site and wondered what happened to all of the probes I normally see. After reading these forums, I found the answer.

There's nothing wrong with using a capture to see all drops and then looking at them with WireShark. It just means you have to realize the syslog doesn't have every single event that is seen on the outside interface. That was my original point.

Enthusiast

Re: Attack Pattern

ASA book I mentioned (would not allow me to upload image in previous post)

Cisco Employee

Re: Attack Pattern

Hi,

Firstly this a very nice book to read if you are new to Cisco ASA. Yes, ASA is not an IPS device. We have IPS  available as an appliance, as a module and IOS based. The book talks about  the module available for ASA.

Hope this helps.

Regards,

Chirag

Enthusiast

Re: Attack Pattern

3 Intrusion Detection / Prevention


3.1 ASA and Intrusion Prevention Systems


The Cisco ASA code allows for two ways to block malicious traffic. All ASA models

have a built-in rule set, and various application inspection protocols.


ASA models 5510 and up, however, offer the option of installing and using a separate intrusion prevention system (IPS) blade – the AIP-SSM module. The AIP-SSM works exactly like any other Cisco networkbased IPS (NIPS), with the exception that, instead of requiring that SPAN ports be configured,

or a device be placed in the physical path of the network, the AIP-SSM inspects traffic on the

backplane of the firewall while the traffic is still traversing it, giving faster response, and the

ability to filter traffic on all networks with a single device.


Since tuning the IPS is beyond the scope of this document, focus will remain on the application inspection and smaller database of signature-based rules in the standard ASA code

Cisco Employee

Re: Attack Pattern

Hi,

Yep, ASA has a feature called Theat Detection and we can also customize a few features by Modular Policy Framework(MPF) available on ASA.

Cisco ASA 8.2 or higher also supports BotNet  traffic detection

Regards,
Chirag

Highlighted
Cisco Employee

Re: Attack Pattern

hi,

it really depends on how you have setup your firewall, you can choose to try and make the most of a particular hardware but then it would just leed to eating up more memory and cpu

you can use features like threat detection and botnet but that will come with a price of increased memory usage and if your firewall is already running with good amount of mem utlization you might not want to enable everything, also we need to understand that fact that most of the modern day attacks are so clever that they look like perfect traffic at layer 3/4 and that is when we need some special devices meant for this purpose like IPS and some other solutions

Now coming to how useful the syslogs are to detect data, well as you know syslogs are mainly for historical data, the affects of attack would be felt almost immediate in the form of increased amount of connections or traffic than usual, so you know the whole idea of learning about an attack becomes useless. And also the syslogs do show inconsistencies in connections but it is upto the network admin to look at them and differentiate between attack and normal behaviour which usually takes time and hence if you are looking for mitigating advanced attacks you should look at devices which are meant for this like IPS

CreatePlease to create content
Content for Community-Ad
FusionCharts will render here