Hi All,
I have events for Cisco ASA where I have 2 kinds of connections being built.
Case 1: Genuine Connections:
The genuine connection will only have one entry which will be as follows.
name | deviceEventClassId |
Built inbound TCP connection | 302013 |
Case 2: Teardown Connections:
The teardown connection will have the following 3 entries in succession until it reaches teardown.
name | deviceEventClassId |
Built inbound TCP connection | 302013 |
Packet permitted by Access List | 106100 |
Teardown TCP connection | 302014 |
Query:
How would you check for a teardown vs. a genuine connection that has been allowed?
Thanks.
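One way to separate the two cases described in the post, as an added example that is not part of the original post and not ArcSight or Cisco code: correlate the events on the ASA connection ID that appears in both the 302013 (Built) and 302014 (Teardown) messages. The 106100 (access-list permitted) message carries no connection ID, so it is matched to a connection on the source/destination 5-tuple instead. The ASA syslog lines below are constructed samples in the standard ASA message format; the function names, the regexes and the "open"/"torn_down" labels are assumptions for this example. The post's CEF fields (name, deviceEventClassId) map to the message ID here. One caveat: "open" only means no 302014 has been seen yet in the data you fed in; a legitimate long-lived session will also log a 302014 when it finally closes, so the distinction is really "built but not yet torn down" versus "built and torn down".

```python
import re
from collections import defaultdict

# Constructed sample ASA syslog lines (not taken from the original post).
# Connection 1001: built only.  Connection 1002: built, ACL permit, teardown.
SAMPLE_LOGS = [
    "%ASA-6-302013: Built inbound TCP connection 1001 for outside:203.0.113.7/51234 "
    "(203.0.113.7/51234) to inside:10.1.1.20/443 (10.1.1.20/443)",
    "%ASA-6-302013: Built inbound TCP connection 1002 for outside:203.0.113.9/40000 "
    "(203.0.113.9/40000) to inside:10.1.1.20/443 (10.1.1.20/443)",
    "%ASA-6-106100: access-list outside_in permitted tcp outside/203.0.113.9(40000) "
    "-> inside/10.1.1.20(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]",
    "%ASA-6-302014: Teardown TCP connection 1002 for outside:203.0.113.9/40000 "
    "to inside:10.1.1.20/443 duration 0:00:03 bytes 812 TCP FINs",
]

# Message ID sits right after the "%ASA-<severity>-" prefix.
MSG_ID_RE = re.compile(r"%ASA-\d-(\d{6}):")
# 302013 / 302014: "connection <id> for <zone>:<src>/<sport> ... to <zone>:<dst>/<dport>"
CONN_RE = re.compile(
    r"connection (\d+) for \w+:(\d+\.\d+\.\d+\.\d+)/(\d+)"
    r" .*?to \w+:(\d+\.\d+\.\d+\.\d+)/(\d+)"
)
# 106100: "permitted <proto> <zone>/<src>(<sport>) -> <zone>/<dst>(<dport>)"
ACL_RE = re.compile(
    r"permitted \w+ \w+/(\d+\.\d+\.\d+\.\d+)\((\d+)\)"
    r" -> \w+/(\d+\.\d+\.\d+\.\d+)\((\d+)\)"
)


def parse(line):
    """Extract message ID, ASA connection ID (if present) and the 5-tuple."""
    m = MSG_ID_RE.match(line)
    if not m:
        return None
    msg_id = m.group(1)
    if msg_id in ("302013", "302014"):
        c = CONN_RE.search(line)
        if not c:
            return None
        conn_id, src, sport, dst, dport = c.groups()
        return {"id": msg_id, "conn": conn_id,
                "tuple": (src, int(sport), dst, int(dport))}
    if msg_id == "106100":
        a = ACL_RE.search(line)
        if not a:
            return None
        src, sport, dst, dport = a.groups()
        return {"id": msg_id, "conn": None,
                "tuple": (src, int(sport), dst, int(dport))}
    return {"id": msg_id, "conn": None, "tuple": None}


def classify(lines):
    """Return {conn_id: {"status", "tuple", "acl_permits"}}.

    status is "open" after a 302013 only, "torn_down" once a 302014 with the
    same connection ID arrives, and "teardown_without_build" if a 302014 is
    seen for an ID that never had a 302013 in the input.
    """
    state = {}
    tuple_to_conn = {}          # lets the ID-less 106100 join a connection
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["id"] == "302013":
            state[ev["conn"]] = {"status": "open", "tuple": ev["tuple"],
                                 "acl_permits": 0}
            tuple_to_conn[ev["tuple"]] = ev["conn"]
        elif ev["id"] == "302014":
            if ev["conn"] in state:
                state[ev["conn"]]["status"] = "torn_down"
            else:
                state[ev["conn"]] = {"status": "teardown_without_build",
                                     "tuple": ev["tuple"], "acl_permits": 0}
        elif ev["id"] == "106100":
            conn = tuple_to_conn.get(ev["tuple"])
            if conn is not None:
                state[conn]["acl_permits"] += 1
    return state


def open_connections(state):
    """Connection IDs that were built and have no teardown yet."""
    return sorted(c for c, s in state.items() if s["status"] == "open")


if __name__ == "__main__":
    result = classify(SAMPLE_LOGS)
    for conn_id, info in sorted(result.items()):
        print(conn_id, info["status"], info["tuple"], "acl_permits=%d" % info["acl_permits"])
    print("still open:", open_connections(result))
```

In a SIEM rule the same idea is a two-event correlation keyed on the connection ID (and device) with a time window: fire on 302013 without a matching 302014 inside the window for "allowed and still open", or on the 302013 plus 302014 pair for "allowed and torn down".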