Cisco ASA Log classification

lucas.alvarez
Level 1

Hello everybody! Is there a site where I can obtain a classification for the different logs?

Depending on the event ID, I would like to know if a given log falls into a classification, such as: Attack, Denial of Service, Malware, Failed Attack, etc.

I know LogRhythm does such a thing, but I cannot find anywhere the logic used to classify these logs into a specific category.

Any clues?


vrostowsky
Level 5

The logs on the ASA can be looked up by searching Cisco syslog IDs. The "classification" you speak of is a set of logic from LogRhythm that will look at a variety of patterns in order to alert on things such as brute force, port scanning or DDoS. Say you have logs in your ASA that show denied connections on ports 21, 22, 23, 25, 80, 161, 123 etc. The firewall will log these connections (if logging is set up correctly to capture those syslog IDs) but your SIEM will then look at the rate of the packets, which ports are being hit and then create an alert "Possible Port Scanning Activity".

I hope that helps -

Vince

LCSE
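The kind of SIEM logic Vince describes, written out as an added example (not LogRhythm's rules and not code from this thread): parse ASA access-group denies (syslog message ID 106023), group them by source address, and raise "Possible Port Scanning Activity" when one source is denied on several distinct destination ports inside a short time window. The log lines, hosts, interface names and the window/port thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format of ASA message 106023 (access-group deny); hosts and
# timestamps are made up. 203.0.113.7 hits the ports named in the reply above, 198.51.100.4
# is a single benign deny, and the 302013 line is a normal connection the detector ignores.
SAMPLE_LOGS = [
    'Jun 10 12:00:01 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.7/40001 dst inside:192.0.2.10/21 by access-group "outside_in" [0x0, 0x0]',
    'Jun 10 12:00:03 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.7/40002 dst inside:192.0.2.10/22 by access-group "outside_in" [0x0, 0x0]',
    'Jun 10 12:00:05 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.7/40003 dst inside:192.0.2.10/23 by access-group "outside_in" [0x0, 0x0]',
    'Jun 10 12:00:06 fw1 %ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.9/51000 (198.51.100.9/51000) to inside:192.0.2.10/443 (192.0.2.10/443)',
    'Jun 10 12:00:08 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.7/40004 dst inside:192.0.2.10/25 by access-group "outside_in" [0x0, 0x0]',
    'Jun 10 12:00:10 fw1 %ASA-4-106023: Deny tcp src outside:198.51.100.4/50001 dst inside:192.0.2.10/80 by access-group "outside_in" [0x0, 0x0]',
    'Jun 10 12:00:12 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.7/40005 dst inside:192.0.2.10/80 by access-group "outside_in" [0x0, 0x0]',
    'Jun 10 12:00:15 fw1 %ASA-4-106023: Deny udp src outside:203.0.113.7/40006 dst inside:192.0.2.10/161 by access-group "outside_in" [0x0, 0x0]',
    'Jun 10 12:00:18 fw1 %ASA-4-106023: Deny udp src outside:203.0.113.7/40007 dst inside:192.0.2.10/123 by access-group "outside_in" [0x0, 0x0]',
]

DENY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ %ASA-\d-106023: Deny (?P<proto>\w+) "
    r"src \S+:(?P<src>[\d.]+)/\d+ dst \S+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def parse_deny(line):
    """Return (timestamp, src_ip, dst_ip, dst_port) for a 106023 deny line, else None."""
    m = DENY_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog carries no year
    return ts, m.group("src"), m.group("dst"), int(m.group("dport"))

def detect_port_scans(lines, window_seconds=60, min_ports=5):
    """Map each source denied on >= min_ports distinct destination ports within any
    window_seconds span to the sorted list of ports it touched in that window."""
    denies = defaultdict(list)  # src -> [(timestamp, dst_port), ...]
    for line in lines:
        parsed = parse_deny(line)
        if parsed:
            ts, src, _dst, dport = parsed
            denies[src].append((ts, dport))
    alerts = {}
    for src, events in denies.items():
        events.sort()
        for i, (end, _) in enumerate(events):  # window ends at each deny event
            start = end - timedelta(seconds=window_seconds)
            ports = {p for t, p in events[: i + 1] if t >= start}
            if len(ports) >= min_ports and len(ports) > len(alerts.get(src, [])):
                alerts[src] = sorted(ports)  # "Possible Port Scanning Activity"
    return alerts
```

Calling `detect_port_scans(SAMPLE_LOGS)` flags only 203.0.113.7; tune `window_seconds` and `min_ports` against your own deny volume, since a noisy but legitimate host hitting a few ports will otherwise trip it.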
