Incoming TCP connection

Hi,

I am dealing with an incident in which an outside attacker has successfully compromised one of my organization's users' mail IDs. When I checked the logs of the ASA (the ASA comes first, then the mail server), I am not seeing any successful traffic from the source, so how is it possible that the attacker's traffic entered my organization and compromised a user's mail ID?

When I checked the ASA logs in the SIEM, there is no successful traffic, but there are stop-traffic logs which include details like: TCP Teardown connection, Time 00:01:00, Bytes: 51247, Reset-I.

So from the above packet log details I am assuming that the attacker successfully established a TCP connection for 1 minute and in this time frame sent/received 51247 bytes of data, and that is why this compromise happened.

Please guide me on this issue, or tell me whether my assumption is right or not. Thanks in advance.
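An added example (not part of the original post) of the check a responder would run over the SIEM export: it parses ASA %ASA-6-302013 (Built) and %ASA-6-302014 (Teardown) messages, correlates them by connection id, and flags inbound connections whose teardown reports a nonzero byte count, since those are the sessions where the handshake completed and data moved. The log lines, addresses, ports and connection ids below are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Patterns for the two ASA connection-lifecycle messages, %ASA-6-302013 (Built)
# and %ASA-6-302014 (Teardown).  Optional "(mapped-address/port)" groups are skipped.
BUILT_RE = re.compile(
    r"%ASA-6-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+)(?: \([^)]*\))? "
    r"to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)")
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) for .+? "
    r"duration (?P<h>\d+):(?P<m>\d{2}):(?P<s>\d{2}) bytes (?P<bytes>\d+)"
    r"(?: (?P<reason>.+))?$")

# Constructed sample lines (addresses, ports and ids are invented for this example).
SAMPLE_LOGS = [
    "%ASA-6-302013: Built inbound TCP connection 1001 for outside:198.51.100.7/44321 "
    "(198.51.100.7/44321) to inside:10.0.0.25/25 (203.0.113.10/25)",
    "%ASA-6-302013: Built inbound TCP connection 1002 for outside:198.51.100.9/50000 "
    "(198.51.100.9/50000) to inside:10.0.0.25/25 (203.0.113.10/25)",
    "%ASA-6-302014: Teardown TCP connection 1002 for outside:198.51.100.9/50000 "
    "to inside:10.0.0.25/25 duration 0:00:00 bytes 0 SYN Timeout",
    "%ASA-6-302014: Teardown TCP connection 1001 for outside:198.51.100.7/44321 "
    "to inside:10.0.0.25/25 duration 0:01:00 bytes 51247 TCP Reset-I",
]

def parse_asa_lines(lines: List[str]) -> Dict[str, dict]:
    """Correlate Built and Teardown messages by ASA connection id."""
    conns: Dict[str, dict] = {}
    for line in lines:
        m = BUILT_RE.search(line)
        if m:
            conns[m["id"]] = {"id": m["id"], "direction": m["dir"],
                              "src": f"{m['src']}/{m['sport']}",
                              "dst": f"{m['dst']}/{m['dport']}",
                              "dport": int(m["dport"]), "bytes": None,
                              "duration_s": None, "reason": None}
            continue
        m = TEARDOWN_RE.search(line)
        if m and m["id"] in conns:  # teardowns with no matching Built are ignored
            c = conns[m["id"]]
            c["duration_s"] = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            c["bytes"] = int(m["bytes"])
            c["reason"] = m["reason"]
    return conns

def established_inbound(conns: Dict[str, dict], dport: Optional[int] = None,
                        min_bytes: int = 1) -> List[dict]:
    """Inbound connections whose teardown reports data: the handshake completed
    and payload was exchanged, so the session was permitted and actually used."""
    return [c for c in conns.values()
            if c["direction"] == "inbound" and c["bytes"] is not None
            and c["bytes"] >= min_bytes and (dport is None or c["dport"] == dport)]
```

Connection 1002 (bytes 0, SYN Timeout) never completed, while connection 1001 (60 s, 51247 bytes, TCP Reset-I) is a real established session to the mail server even though no line says "permitted".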