ip audit - ASA 7.2

Hello,

I've been reading http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i3_72.html#wp1718159 but I'm still a little bit confused about ip audit on Cisco ASA. I'm not sure traffic is denied based on my ip audit configuration as regards signature 6053. I have the following configuration, as it is in the example ..

hostname(config)# ip audit name insidepolicy1 attack action alarm
hostname(config)# ip audit name insidepolicy2 info action alarm
hostname(config)# ip audit name outsidepolicy1 attack action reset
hostname(config)# ip audit name outsidepolicy2 info action alarm
hostname(config)# ip audit interface inside insidepolicy1
hostname(config)# ip audit interface inside insidepolicy2
hostname(config)# ip audit interface outside outsidepolicy1
hostname(config)# ip audit interface outside outsidepolicy2

.. but I do not have any action defined with ..

ip audit info (or) attack action ..

I got many warnings regarding signature 6053 and it seems traffic is denied because I have a reset action applied on outsidepolicy1. Can someone confirm this is correct? It is mostly confusing because the document above says that in ASA 7.2 6053 is A (attack), but checking the firewall ..

hostname# sh ip audit count interface outside
IP AUDIT INTERFACE COUNTERS: outside
6053 I DNS All Records            55402

.. 6053 is I (info)

Thanks

3 Replies

Hi Bro

You've defined your basic IPS features in your Cisco ASA FW correctly. The actions are alarm, reset and drop. In your case, you've defined insidepolicy1 attack action alarm & outsidepolicy1 attack action reset. Alarm here means the Cisco ASA FW will generate a syslog message stating that a packet matched a signature (total is 59 signatures only).

Besides the above mentioned configuration, you may want to disable some of the default Cisco ASA FW signatures to reduce high FALSE POSITIVE alarms, as shown below:

! Timestamp considered DOS but needed for RFC1323 support
ip audit signature 1002 disable

! ICMP echo reply
ip audit signature 2000 disable

! ICMP unreachable
ip audit signature 2001 disable

! ICMP echo request
ip audit signature 2004 disable

! ICMP time exceeded
ip audit signature 2005 disable

! DNS zone transfer - we are likely doing these and do not want to drop
ip audit signature 6051 disable

! DNS All Records - we are likely doing these and do not want to drop
ip audit signature 6053 disable

Warm regards,
Ramraj Sivagnanam Sivajanam

Thanks for your answer. Actually I'm not sure traffic matching outsidepolicy1 is really going to drop and reset the connection; surely outsidepolicy2 is sending a warning log (%ASA-4-400037: IDS:6053 DNS all records request from **) but I do not have a reset or any other log message.

The DNS All Records signature in ASDM is (A), so why does a show ip audit count interface outside command give me the following output?

6053 I DNS All Records            55402

Shouldn't it be ..

6053 A DNS All Records            55402

???

PS: I cannot disable the DNS All Records signature.

Hi Bro

Yes, the outsidepolicy2 behavior is correct. It sends you log messages because the action has been set to alarm.

You’re correct; in my lab Cisco ASA FW v8.0.2, the 6053 DNS All Records signature should be A. I’m surprised you’re seeing it as I. Can you paste here your "show ip audit count" output?

By the way, when you disable a signature in your Cisco ASA FW IP AUDIT, what it means is that you’re not inspecting the packets that match the signature. They are passed through, permitted.

Warm regards,
Ramraj Sivagnanam Sivajanam
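As an added example (not code from the thread, from Cisco or from the ASA itself), the following Python script models the ip audit semantics discussed above: a policy carries a class (info or attack) and one or more actions, an interface is bound to policies, and a disabled signature is simply not inspected. It parses the configuration and the "show ip audit count" output posted in the thread and reports which actions actually apply to each counted signature, going by the class letter the counter reports rather than by the documentation. The "ip audit signature 6051 disable" line and the 6051 counter row are constructed additions; the rest of the input is what the thread shows.

```python
import re

# Constructed input: the thread's ip audit configuration plus a hypothetical
# "signature 6051 disable" line, and the quoted counters plus a made-up 6051 row.
CONFIG = """
ip audit name insidepolicy1 attack action alarm
ip audit name insidepolicy2 info action alarm
ip audit name outsidepolicy1 attack action reset
ip audit name outsidepolicy2 info action alarm
ip audit interface inside insidepolicy1
ip audit interface inside insidepolicy2
ip audit interface outside outsidepolicy1
ip audit interface outside outsidepolicy2
ip audit signature 6051 disable
"""
COUNTERS = """
IP AUDIT INTERFACE COUNTERS: outside
6051 I DNS Zone Transfer             12
6053 I DNS All Records            55402
"""

def parse_config(text):  # policy -> (class, actions); interface -> [policies]; disabled ids
    policies, interfaces, disabled = {}, {}, set()
    for p in (line.split() for line in text.splitlines()):
        if p[:3] == ["ip", "audit", "name"]:          # ip audit name NAME info|attack action A [B]
            policies[p[3]] = (p[4], set(p[6:]))
        elif p[:3] == ["ip", "audit", "interface"]:   # ip audit interface IF POLICY
            interfaces.setdefault(p[3], []).append(p[4])
        elif p[:3] == ["ip", "audit", "signature"] and p[-1] == "disable":
            disabled.add(int(p[3]))
    return policies, interfaces, disabled

def parse_counters(text):  # 'show ip audit count interface X' -> (iface, {sig: (class, name, hits)})
    iface = re.search(r"IP AUDIT INTERFACE COUNTERS:\s*(\S+)", text).group(1)
    rows = re.findall(r"^\s*(\d+)\s+([IA])\s+(.+?)\s+(\d+)\s*$", text, re.M)
    return iface, {int(s): (c, n, int(h)) for s, c, n, h in rows}

def effective_actions(sig, cls, iface, policies, interfaces, disabled):
    """Actions the ASA applies to sig on iface, given the class letter it reports (I or A)."""
    if sig in disabled:
        return set()                                  # disabled: not inspected, traffic passes
    want = {"I": "info", "A": "attack"}[cls]
    return {a for n in interfaces.get(iface, []) if policies[n][0] == want for a in policies[n][1]}

def report(config, counters):  # {sig: (name, hits, sorted actions)} for the counted interface
    policies, interfaces, disabled = parse_config(config)
    iface, sigs = parse_counters(counters)
    return {s: (n, h, sorted(effective_actions(s, c, iface, policies, interfaces, disabled)))
            for s, (c, n, h) in sigs.items()}
```

With the counter reporting 6053 as class I on outside, only outsidepolicy2 (info, alarm) applies, which matches the poster seeing %ASA-4-400037 syslogs but no resets; had the counter shown A, outsidepolicy1 would apply and the result would be reset.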