07-22-2010 07:40 AM - edited 03-11-2019 11:15 AM
Hello,
I had received a couple of notifications from the ASA regarding IP spoof attempts:
:Jul 21 14:06:56 EDT: %ASA-session-2-106016: Deny IPspoof from (127.0.0.1) to 64.x.x.x on interface inside
I wanted to get some more info to eliminate any infected clients on my internal network. I researched this forum and configured an access list to capture suspicious traffic:
ciscoasa(config)#access-list incap permit ip host 127.0.0.1 any
ciscoasa(config)#access-list incap permit ip any host 127.0.0.1
ciscoasa(config)#capture incap access-list incap interface inside
Could someone tell me if I had done it correctly?
Here's the result of the "show capture incap":
6 packets captured
1: 12:13:25.984049 127.0.0.1.37948 > 65.x.x.x.80: S 662274405:662274405(0) win 5840 <mss 1460,sackOK,timestamp 191385139 0,nop,wscale 0>
2: 12:13:28.975047 127.0.0.1.37948 > 65.x.x.x.80: S 662274405:662274405(0) win 5840 <mss 1460,sackOK,timestamp 191385439 0,nop,wscale 0>
3: 12:16:45.147239 127.0.0.1.38511 > 65.x.x.x.80: S 850947795:850947795(0) win 5840 <mss 1460,sackOK,timestamp 191405056 0,nop,wscale 0>
4: 12:16:48.137764 127.0.0.1.38511 > 65.x.x.x.80: S 850947795:850947795(0) win 5840 <mss 1460,sackOK,timestamp 191405356 0,nop,wscale 0>
5: 14:06:53.636197 127.0.0.1.53661 > 64.x.x.x.80: S 984711035:984711035(0) win 5840 <mss 1460,sackOK,timestamp 243907855 0,nop,wscale 0>
6: 14:06:56.629789 127.0.0.1.53661 > 64.x.x.x.80: S 984711035:984711035(0) win 5840 <mss 1460,sackOK,timestamp 243908155 0,nop,wscale 0>
6 packets shown
How can I identify the offending host on my inside network? Also, the x-ed public IPs point to one of the local businesses and it seems that it's their totally unsecured IIS server. Is it ok to contact the company's IT dept regarding this? Or report it somewhere else?
Thank you,
forman
07-22-2010 07:53 AM
Hi Forman,
You could try looking at the MAC address of the offender and tracing it back through your switch to find out what machine it is coming from. Depending on your environment though (for example, if the host is a wireless client), this might not be too helpful. If the attacker can spoof their IP address, they could also be spoofing their MAC address.
Hope that helps.
-Mike
07-22-2010 08:15 AM
Thanks Mike. I think I'm missing something obvious here... How can I find the MAC address of the offender?
Sorry if this sounds ignorant, but I don't have much experience with ASA.
thanks again
forman
07-22-2010 08:32 AM
Hi Forman,
No worries. If the capture is still in the ASA's memory, take a look at 'show capture
-Mike
07-22-2010 08:49 AM
You can do show cap capname detail
07-22-2010 08:56 AM
Also, I would not expect to see any traffic from this local loopback IP 127.0.0.1 on any interface of the firewall.
So I guess you should block this IP on all interfaces, as many virus/scanning hosts use this IP as source, and also I cannot think of any legitimate traffic using this IP.
Probably someone can confirm this.
07-22-2010 08:49 AM
You can either download the PCAP file of the capture, that would give you the full information, and you can view it with ethereal or wireshark. OR/ alternatively you can also do "show capture incap detail" and it will give you the mac address information as well.
07-22-2010 09:28 AM
Thank you everyone for help!
07-22-2010 09:52 AM
One more question: what's the interpretation of this line (sh capture incap detail):
1: 12:13:25.98404 MAC1 MAC2 0x0800 74: 127.0.0.1.37948 > 65.x.x.x.80: S [tcp sum ok] 662274405:662274405(0) win 5840 |
There are 2 MAC addresses involved: MAC2 is the ASA Inside Int and MAC1 is the web filter connected directly to the ASA's Inside Int. What's exactly happening here? I assume that the offending device is the web filter, correct? I don't think that there's anything I can do to eliminate this (other than completely blocking traffic to/from the loopback int)?
thanks
forman
07-22-2010 01:50 PM
127.0.0.1 is a loopback IP address. As you advised that MAC1 belongs to the web filtering server's MAC address, you might want to check why it's sending traffic sourced from its loopback address (127.0.0.1).
Here is more information on what that particular syslog actually means:
http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4768961
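As an added example (not code from this thread or from Cisco), the script below parses lines in the "show capture <name> detail" format quoted above and groups packets with an impossible source address by the source MAC that put them on the inside segment, which is the step the thread walks through by hand. The sample capture text, the MAC addresses, the documentation-range destination IPs and the assumed inside subnet 10.1.1.0/24 are all constructed placeholders.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of "show capture incap detail" output, modelled on the
# single line quoted in the thread. The MAC addresses and the destination
# IPs (documentation ranges) are made-up placeholders, not real hosts.
SAMPLE_DETAIL = """\
1: 12:13:25.984049 0011.2233.4455 00a0.c9ff.0001 0x0800 74: 127.0.0.1.37948 > 203.0.113.80.80: S [tcp sum ok] 662274405:662274405(0) win 5840 |
2: 12:13:28.975047 0011.2233.4455 00a0.c9ff.0001 0x0800 74: 127.0.0.1.37948 > 203.0.113.80.80: S [tcp sum ok] 662274405:662274405(0) win 5840 |
3: 12:16:45.147239 0011.2233.4455 00a0.c9ff.0001 0x0800 74: 127.0.0.1.38511 > 203.0.113.80.80: S [tcp sum ok] 850947795:850947795(0) win 5840 |
4: 12:20:01.000000 0011.2233.4455 00a0.c9ff.0001 0x0800 74: 10.1.1.25.51000 > 198.51.100.10.443: S [tcp sum ok] 1:1(0) win 5840 |
5: 14:06:53.636197 0011.2233.4455 00a0.c9ff.0001 0x0800 74: 127.0.0.1.53661 > 198.51.100.20.80: S [tcp sum ok] 984711035:984711035(0) win 5840 |
"""

# Assumed inside subnet for the anti-spoofing check (placeholder, not from the thread).
INSIDE_CIDRS = ["10.1.1.0/24"]

# One capture line:
# "<n>: <time> <src-mac> <dst-mac> <ethertype> <len>: <src-ip>.<sport> > <dst-ip>.<dport>: <tcp details>"
LINE_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src_mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+"
    r"(?P<dst_mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+"
    r"(?P<ethertype>0x[0-9a-f]{4})\s+(?P<length>\d+):\s+"
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<src_port>\d+)\s+>\s+"
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dst_port>\d+):\s*(?P<rest>.*)$",
    re.IGNORECASE,
)


def parse_detail(text):
    """Parse 'show capture <name> detail' lines into dicts; non-matching lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header/trailer lines such as "6 packets captured"
        d = m.groupdict()
        for key in ("num", "length", "src_port", "dst_port"):
            d[key] = int(d[key])
        packets.append(d)
    return packets


def is_spoofed_source(src_ip, inside_cidrs):
    """True if a packet arriving on the inside interface could not legitimately carry src_ip.

    Loopback (127/8), unspecified and multicast sources never belong on the wire;
    anything outside the inside subnet(s) would fail the ASA's reverse-path check
    the same way and produce the 106016 "Deny IP spoof" message.
    """
    ip = ipaddress.ip_address(src_ip)
    if ip.is_loopback or ip.is_unspecified or ip.is_multicast:
        return True
    return not any(ip in ipaddress.ip_network(c) for c in inside_cidrs)


def offenders(packets, inside_cidrs):
    """Group spoofed packets by the source MAC that placed them on the inside segment."""
    result = defaultdict(lambda: {"count": 0, "spoofed_sources": set(), "targets": set()})
    for p in packets:
        if is_spoofed_source(p["src_ip"], inside_cidrs):
            entry = result[p["src_mac"]]
            entry["count"] += 1
            entry["spoofed_sources"].add(p["src_ip"])
            entry["targets"].add(f'{p["dst_ip"]}:{p["dst_port"]}')
    return dict(result)


if __name__ == "__main__":
    for mac, info in offenders(parse_detail(SAMPLE_DETAIL), INSIDE_CIDRS).items():
        print(f"{mac}: {info['count']} spoofed packets, "
              f"sources={sorted(info['spoofed_sources'])}, targets={sorted(info['targets'])}")
```

Paste the output of "show capture incap detail" into SAMPLE_DETAIL (or read it from a file) and set INSIDE_CIDRS to the real inside subnet. As the thread itself notes, the source MAC only identifies the last device that forwarded the frame: with an in-line web filter between the clients and the ASA, every frame carries the filter's MAC, so the next step is to repeat the same capture on the filter's client-facing side to see whether it originates the loopback-sourced SYNs or merely relays them.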