Cisco ASA Log classification

Hello everybody! Is there a site where I can obtain a classification for the different logs?

Depending on the event ID, I would like to know if a given log falls into a classification, such as: Attack, Denial of Service, Malware, Failed Attack, etc. 


I know LogRhythm does such a thing, but I cannot find anywhere the logic used to classify these logs into a specific category.


Any clues?


Re: Cisco ASA Log classification

The logs on the ASA can be looked up by searching Cisco syslog IDs. The "classification" you speak of is a set of logic from LogRhythm that will look at a variety of patterns in order to alert on things such as brute force, port scanning or DDoS. Say you have logs in your ASA that show denied connections on ports 21, 22, 23, 25, 80, 161, 123, etc. The firewall will log these connections (if logging is set up correctly to capture those syslog IDs), but your SIEM will then look at the rate of the packets and which ports are being hit, and then create an alert "Possible Port Scanning Activity".


I hope that helps -


Vince

LCSE
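The reply above describes the two signals a SIEM combines to turn individual ASA deny messages into a category: which destination ports one source is hitting, and how fast. The script below is an added illustration of that logic, not code from the original thread, from Cisco or from LogRhythm (whose actual rules are not public). It parses constructed sample lines in the real %ASA-4-106023 ACL-deny format (documentation-range addresses, not captured traffic), groups denies per source over a sliding window, and labels a source that touches many distinct destination ports as "Possible Port Scanning Activity" and a source that hammers a single port as "Possible Flood / Denial of Service". The window, the thresholds and the flood label are arbitrary assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines in the %ASA-4-106023 (ACL deny) format.
# Addresses come from RFC 5737 documentation ranges; these are not real captures.
SAMPLE_LOGS = "\n".join([
    'Mar 02 10:15:01 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.7/40001 dst inside:10.0.0.5/21 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    'Mar 02 10:15:01 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.7/40002 dst inside:10.0.0.5/22 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    'Mar 02 10:15:02 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.7/40003 dst inside:10.0.0.5/23 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    'Mar 02 10:15:02 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.7/40004 dst inside:10.0.0.5/25 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    'Mar 02 10:15:03 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.7/40005 dst inside:10.0.0.5/80 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    'Mar 02 10:15:03 fw01 %ASA-4-106023: Deny udp src outside:198.51.100.7/40006 dst inside:10.0.0.5/161 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    'Mar 02 10:15:04 fw01 %ASA-4-106023: Deny udp src outside:198.51.100.7/40007 dst inside:10.0.0.5/123 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    # One stray deny from another host: background noise, not a scan.
    'Mar 02 10:16:30 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.9/51000 dst inside:10.0.0.5/443 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    # A different syslog ID (connection built) that the parser must ignore.
    'Mar 02 10:16:31 fw01 %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.9/51001 (203.0.113.9/51001) to inside:10.0.0.6/443 (10.0.0.6/443)',
] + [
    # Constructed burst: one source sending 40 denied UDP packets to port 53 in 4 seconds.
    f'Mar 02 10:20:{i // 10:02d} fw01 %ASA-4-106023: Deny udp src outside:192.0.2.50/{50000 + i} dst inside:10.0.0.5/53 by access-group "OUTSIDE_IN" [0x0, 0x0]'
    for i in range(40)
])

# Only the fields the heuristics need: timestamp, protocol, source IP, destination IP and port.
# ICMP denies (which carry type/code instead of a port) deliberately do not match.
DENY_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-106023: '
    r'Deny (?P<proto>\w+) src [^:]+:(?P<src>[\d.]+)/\d+ '
    r'dst [^:]+:(?P<dst>[\d.]+)/(?P<dport>\d+)'
)


def parse_denies(text):
    """Return a list of (time, src, dst, proto, dport) tuples for every 106023 deny; other IDs are skipped."""
    events = []
    for line in text.splitlines():
        m = DENY_RE.match(line)
        if m:
            ts = datetime.strptime(m['ts'], '%b %d %H:%M:%S')  # syslog has no year; ordering is all we need
            events.append((ts, m['src'], m['dst'], m['proto'], int(m['dport'])))
    return events


def classify(events, window=timedelta(seconds=60), scan_ports=5, flood_count=30):
    """Per-source sliding-window classification (thresholds are assumed values for the demo).

    Many distinct (proto, port) pairs from one source inside the window -> port scan.
    Many denies to a single (proto, port) from one source inside the window -> flood.
    Returns at most one alert per source, keyed by source IP.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (t0, *_rest) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - t0 <= window]
            ports = {(e[3], e[4]) for e in in_win}
            if len(ports) >= scan_ports:
                category = 'Possible Port Scanning Activity'
            elif len(ports) == 1 and len(in_win) >= flood_count:
                category = 'Possible Flood / Denial of Service'
            else:
                continue
            alerts[src] = {'category': category, 'distinct_ports': len(ports),
                           'denies': len(in_win), 'first_seen': t0.strftime('%H:%M:%S')}
            break
    return alerts


def run_sample():
    """Classify the constructed sample; a SIEM would do the same over a live syslog feed."""
    return classify(parse_denies(SAMPLE_LOGS))


if __name__ == '__main__':
    for src, alert in run_sample().items():
        print(f"{src}: {alert['category']} (ports={alert['distinct_ports']}, denies={alert['denies']}, first={alert['first_seen']})")
```

As the reply notes, none of this works unless the firewall actually emits the deny messages: 106023 is severity 4, so the ASA needs `logging enable`, a `logging trap` level of warnings or more verbose, and a `logging host` pointing at the collector, or the SIEM never sees the denies it would correlate. The mixed case is also worth noticing: a source with four distinct ports and thirty denies trips neither rule here, which is exactly the kind of gap a vendor's tuned rule set exists to close.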