06-22-2021 11:31 PM
Need assistance in identifying logs on Cisco FMC. We occasionally receive advisories for malicious DNS communication from our network, for example:

source ip    dest ip           app    signature    url
10.x.x.x     146.148.78.118    ssl    C2 conn      www.partsfastmiami.com/

Now when I search the connection logs on FMC I do not see any traffic or any logs for the above-mentioned IP at that timestamp.
How can I find this traffic traversing our firewall on FMC?
06-25-2021 03:36 AM
Logging on FMC really depends on whether you are logging this kind of traffic or not, which is configured per rule.
Based on the description, it looks to me like this is categorized as CnC communication, so I would expect this to be under Security Intelligence events, but only if you configured SI and enabled logging. Afterwards, you could see it under Analysis / Connection Events / Security Intelligence Events.
BR,
Milos
06-26-2021 10:06 PM
Thanks Milos,
Yes, you are right, it's a CnC. Can you guide me on how to check whether SI has been enabled?
I believe it's been enabled; that's why I see blocked IPs under Analysis > Connections > SI Events.
However, when I filter by the IP address or URL in question I do not see any logs.
Could you please guide me? Am I missing something?
06-27-2021 04:46 AM
Some form of Security Intelligence is always enabled, as it includes the Global Blacklist and Whitelist categories. What's optional is whether you have included additional categories (such as CnC, as well as numerous others like Botnets, Cryptomining, Banking Fraud, etc.). Look under your associated Access Control Policy, under the Security Intelligence tab.
As far as seeing the event, are you searching under Security Intelligence events? It may never show up as a Connection Event if it was blocked by SI prior to even making a connection.
06-27-2021 09:55 PM
Thanks Marvin...
Yes, I see SI is enabled along with the default global black and whitelists; we apply additional malicious IPs and URLs as we receive threat intelligence reports every day from our ISP.
As you correctly said, I am searching for these so-called malicious C2 communications under SI events; however, I do not find any logs here. Just FYI, I saw that logging under the ACL was enabled for "log when connection ends", which I updated to "log when connection begins".
One such example:

date     time    src        dest             dest-port    category    dest-loc    trnport    sign    url
6/27/21  8:36    x.x.x.x    136.243.10.27    80           malware     Ger         tcp        C2C     track.regaming.com
06-28-2021 09:04 AM
In general, you would rarely want to use the "log at beginning" option for connections that you are not blocking. The reason is that "log at end" contains much more information about the same connection.
Still, SI logging is not tied to these logs; you have specific logging for each category: DNS, Network and URL. You can find more details about SI here.
I would assume that if you don't see these in the logs then, most likely, your logging is not configured properly. It is expected to see blocked SI events in SI Connection Events, if you configured logging.
BR,
Milos
06-28-2021 08:34 PM
Thanks Milos
I will go through the document.
Just to reiterate, I can see SI logs for those IP addresses which I had added as blacklisted IPs. However, the IPs of concern above are not displayed when filtered.
Anyway, thanks a lot. I will get back to you after referring to the document.
06-28-2021 09:57 PM
06-28-2021 11:59 PM
Your logging looks fine.
Have you enabled all categories that SI has (Attackers, Bots, Malware, etc.)? Have you enabled it for both Network and URL? An example is attached. Also, have you checked the Lists and Feeds for SI (they can be found under Objects) and made sure they are getting updated?
If yes, then it could be that the Cisco SI list and your ISP's are not the same.
BR,
Milos
06-29-2021 12:09 AM
07-07-2021 04:06 AM
Hi Milos, Marvin
At last I am able to see the logs under SI and Events.
The database in FMC for connection events and SI event logs was set to 1 million logs. I updated it to 10 million.
Now I am able to view the logs :)
Thanks for your insights.
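The resolution above (events were present but had already been pruned because the event database was capped at 1 million rows) is easy to misread as "logging is broken" or "the feed does not match". The following is an added example, not code from the thread or from Cisco: it models a bounded event table that discards the oldest rows once the configured maximum is reached, records one SI block for an advisory indicator, floods the table with ordinary connection events, and then searches the way the original poster did (by destination IP and by URL). The limits (1,000 vs 10,000) are scaled down from the thread's 1 million vs 10 million so it runs instantly; the event fields, the advisory dict and the filler traffic are constructed for the example, and `normalize_host` is an assumed helper that shows why an indicator written as `www.partsfastmiami.com/` should be compared as a bare hostname rather than as a raw string.

```python
from collections import deque
from typing import Optional
from urllib.parse import urlsplit

# Constructed advisory record, shaped like the rows quoted in the thread.
ADVISORY = {"src": "10.0.0.5", "dst": "146.148.78.118", "url": "www.partsfastmiami.com/"}


def normalize_host(indicator: str) -> str:
    """Reduce a URL-style indicator ("www.partsfastmiami.com/", "https://X/y")
    to a bare lower-case hostname so it can be compared with an event's URL/host
    field. Assumed helper for this example."""
    value = indicator.strip().lower()
    if "://" not in value:
        value = "//" + value  # make urlsplit treat the leading part as a netloc
    host = urlsplit(value).hostname or ""
    return host.rstrip(".")


class EventStore:
    """Bounded event table: keeps at most `limit` events and silently drops the
    oldest ones, which is the behaviour that hid the poster's SI events."""

    def __init__(self, limit: int):
        self.events = deque(maxlen=limit)

    def add(self, event: dict) -> None:
        self.events.append(event)

    def find(self, dst_ip: Optional[str] = None, host: Optional[str] = None,
             view: Optional[str] = None) -> list:
        """Filter like the FMC event views: by destination IP, by host, and by
        which view ("si" or "connection") the event was written to."""
        want_host = normalize_host(host) if host else None
        hits = []
        for ev in self.events:
            if view and ev["view"] != view:
                continue
            if dst_ip and ev["dst"] != dst_ip:
                continue
            if want_host and normalize_host(ev["url"]) != want_host:
                continue
            hits.append(ev)
        return hits


def si_block_event(eid: int, src: str, dst: str, url: str, category: str) -> dict:
    # Constructed shape of an SI block, not the real FMC schema.
    return {"id": eid, "view": "si", "src": src, "dst": dst, "url": url,
            "category": category, "action": "Block"}


def filler_event(eid: int) -> dict:
    # Constructed benign connection event used to fill the table.
    return {"id": eid, "view": "connection", "src": "10.0.0.%d" % (eid % 250 + 1),
            "dst": "93.184.216.34", "url": "example.com", "category": "", "action": "Allow"}


def search_after_traffic(db_limit: int, later_events: int, advisory: dict) -> tuple:
    """Record one SI block for `advisory`, then `later_events` ordinary
    connections, then search the SI view by IP and by URL. Returns the hit
    counts (by_ip, by_url); both are 0 once the block has been pruned."""
    store = EventStore(db_limit)
    store.add(si_block_event(0, advisory["src"], advisory["dst"], advisory["url"], "CnC"))
    for i in range(1, later_events + 1):
        store.add(filler_event(i))
    by_ip = store.find(dst_ip=advisory["dst"], view="si")
    by_url = store.find(host=advisory["url"], view="si")
    return len(by_ip), len(by_url)


if __name__ == "__main__":
    print("limit 1000,  5000 later events:", search_after_traffic(1000, 5000, ADVISORY))
    print("limit 10000, 5000 later events:", search_after_traffic(10000, 5000, ADVISORY))
```

The practical check this suggests: before concluding that SI or logging is misconfigured, compare the advisory timestamp with the age of the oldest row still in the event view; if the indicator is older than that, the event has been pruned and only a larger database limit or an external syslog/eStreamer export will preserve it. Raising the limit, as the poster did, only helps for events recorded after the change.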