
Verifying Security Intelligence Feed on Cisco Secure Firewall


Introduction

This article describes the logs that can be checked to verify a Security Intelligence (SI) feed, from the initial configuration of the feed through its periodic updates.

The information in this document is based on Cisco FMC and FTD running software Version 6.6.5 or later.


Verification

1. When a new SI feed is configured, the log entries shown below appear in usmsharedsvcs.log. In this example an IP List feed named BANLIST has been created. The POST body records the feed's UUID, its listURL, its updateFreq and its verifyMethod; the UUID is the value used to track the feed in the later steps.

Path on FMC: /opt/CSCOpx/MDC/log/operation/usmsharedsvcs.log

USMS: 12-29 16:50:39 ** URL: POST https://localhost6/csm/api/object/IPListObject
USMS: 12-29 16:50:39 {
USMS: 12-29 16:50:39   "data": {
USMS: 12-29 16:50:39     "attributes": {
USMS: 12-29 16:50:39       "domain": {
USMS: 12-29 16:50:39         "uuid": "e276abec-e0f2-11e3-8169-6d9ed49b625f"
USMS: 12-29 16:50:39       }
USMS: 12-29 16:50:39     },
USMS: 12-29 16:50:39     "data": {
USMS: 12-29 16:50:39       "listType": 2,
USMS: 12-29 16:50:39       "name": "BANLIST",
USMS: 12-29 16:50:39       "needUpdate": 1,
USMS: 12-29 16:50:39       "numOfIPv4": 0,
USMS: 12-29 16:50:39       "numOfIPv6": 0,
USMS: 12-29 16:50:39       "source": {
USMS: 12-29 16:50:39         "listURL": "https://www.binarydefense.com/banlist.txt",
USMS: 12-29 16:50:39         "updateFreq": 120,
USMS: 12-29 16:50:39         "verifyMethod": "MD5SUM"
USMS: 12-29 16:50:39       }
USMS: 12-29 16:50:39     },
USMS: 12-29 16:50:39     "isGroup": "false",
USMS: 12-29 16:50:39     "name": "BANLIST",
USMS: 12-29 16:50:39     "revision": 0,
USMS: 12-29 16:50:39     "tstamp": 1640796638994,
USMS: 12-29 16:50:39     "type": "IPListObject",
USMS: 12-29 16:50:39     "uuid": "73a9b852-68c7-11ec-b80e-b8a88d9a9218"
USMS: 12-29 16:50:39   },
USMS: 12-29 16:50:39   "requestID": "73b15abc68c711ecb80eb8a88d9a9218",
USMS: 12-29 16:50:39   "version": "6.6.5"
USMS: 12-29 16:50:39 }


2. The name and the unique identifier (UUID) of the configured SI feed can be found in the FMC's database. The output below lists the IP List objects; URL and DNS feeds can be checked in the same way with "eo_tool list URLListObject" and "eo_tool list DNSListObject" respectively. BANLIST and its associated UUID are marked in the output.

root@FMC-SEVEN-HILLS:/var/log# eo_tool list IPListObject
  0. 8527413e-6167-11e1-a8bf-e99ce99bfdf1 (Cisco-Intelligence-Feed)
  1. d8eea83e-6167-11e1-a154-589de99bfdf1 (Global-Whitelist)
  2. c76556bc-6167-11e1-88e8-479de99bfdf1 (Global-Blacklist)
  3. 64ba6dde-ff4f-11e4-bd1f-94b1fb0f5dcb (Descendant-Whitelists_-_Global)
  4. fe771d90-ff55-11e4-add5-f249fb0f5dcb (Descendant-Blacklists_-_Global)
  5. abbaf1fa-6161-11e1-a1b1-e99ce9f1f2f3 (Cisco-TID-Feed)
  6. 73a9b852-68c7-11ec-b80e-b8a88d9a9218 (BANLIST)   <<----
  7. 03709ed4-faab-47af-bade-4435f8daee27 (Spyware)
  8. 937cf5e8-76d1-4ba2-a83c-475dc80c3845 (Ioc)
  9. A27C6AAE-8E52-4174-A81A-47C59FECC092 (Exploitkit)
 10. 5f8148f1-e5e4-427a-aa3b-ee1c2745c350 (Bogon)
 11. 1b117672-7453-478c-be31-b72e89ca1acb (Open_proxy)
 12. 8af156ca-8020-4608-9278-01b87458ea46 (Newly_seen)
 13. 3e2af68e-5fc8-4b1c-b5bc-b4e7cab598ba (Spam)
 14. d3899830-d481-4773-b4e2-7daa7acf5e44 (Link_sharing)
 15. 6ba968f4-7a25-4793-a2c8-7cc77f1ff437 (Bots)
 16. abdc925f-4f85-4504-90a7-c891979ac517 (Cryptomining)
 17. 8c3e31be-ca41-43c8-87cb-82a35b0f20e2 (Malicious)
 18. 5a0b6d6b-e2c3-436f-b4a1-48248b330a26 (Attackers)
 19. 032ba433-c295-11e4-a919-d4ae5275a468 (Response)
 20. 23f2a124-8278-4c03-8c9d-d28fe08b5e98 (Malware)
 21. 60f4e2ab-d96c-44a0-bd38-830252b63f46 (CnC)
 22. 2CCDA18E-DDFF-4F5C-AF9A-F009852183F4 (Suspicious)
 23. b1df3aa8-2841-4c88-8e64-bfaacec7fedd (Dga)
 24. 02213098-6d94-4680-8ce8-2d0816389f56 (High_risk)
 25. 30f9e69c-d64c-479c-821d-0e4edab8217a (Open_relay)
 26. 2b15cb6f-a3fc-4e0e-a342-ccc5e5803263 (Tor_exit_node)
 27. d7d996a6-6b92-4a56-8f10-e8506e431ca5 (Phishing)
 28. bde824fd-36dd-4a7c-9cc1-80e40ac7aa35 (Banking_fraud)
 29. 14c19bfa-3188-11ec-b568-c54e4c4aa3d0 (TID IPv4 Block)
 30. 14c31a0c-3188-11ec-b568-c54e4c4aa3d0 (TID IPv4 Monitor)
 31. 14c45e26-3188-11ec-b568-c54e4c4aa3d0 (TID IPv6 Block)
 32. 14c577ca-3188-11ec-b568-c54e4c4aa3d0 (TID IPv6 Monitor)


3. Now check the feed download status on the FMC by grepping /var/log/messages for the UUID of BANLIST taken from the output above. The downloads below recur every two hours, consistent with the updateFreq of 120 recorded in step 1.

root@FMC-SEVEN-HILLS:/var/log# grep 73a9b852-68c7-11ec-b80e-b8a88d9a9218 messages | grep "Successfully downloaded" | tail
Dec 31 08:52:29 FMC-SEVEN-HILLS SF-IMS[7498]: [9565] CloudAgent:IPReputation [INFO] Successfully downloaded 73a9b852-68c7-11ec-b80e-b8a88d9a9218
Dec 31 10:52:29 FMC-SEVEN-HILLS SF-IMS[7498]: [9565] CloudAgent:IPReputation [INFO] Successfully downloaded 73a9b852-68c7-11ec-b80e-b8a88d9a9218
Dec 31 12:52:31 FMC-SEVEN-HILLS SF-IMS[7498]: [9565] CloudAgent:IPReputation [INFO] Successfully downloaded 73a9b852-68c7-11ec-b80e-b8a88d9a9218
Dec 31 14:52:32 FMC-SEVEN-HILLS SF-IMS[7498]: [9565] CloudAgent:IPReputation [INFO] Successfully downloaded 73a9b852-68c7-11ec-b80e-b8a88d9a9218
Dec 31 16:52:32 FMC-SEVEN-HILLS SF-IMS[7498]: [9565] CloudAgent:IPReputation [INFO] Successfully downloaded 73a9b852-68c7-11ec-b80e-b8a88d9a9218
Dec 31 18:52:33 FMC-SEVEN-HILLS SF-IMS[7498]: [9565] CloudAgent:IPReputation [INFO] Successfully downloaded 73a9b852-68c7-11ec-b80e-b8a88d9a9218
Dec 31 20:52:34 FMC-SEVEN-HILLS SF-IMS[7498]: [9565] CloudAgent:IPReputation [INFO] Successfully downloaded 73a9b852-68c7-11ec-b80e-b8a88d9a9218
Dec 31 22:52:36 FMC-SEVEN-HILLS SF-IMS[7498]: [9565] CloudAgent:IPReputation [INFO] Successfully downloaded 73a9b852-68c7-11ec-b80e-b8a88d9a9218
Jan  1 00:52:31 FMC-SEVEN-HILLS SF-IMS[7498]: [9565] CloudAgent:IPReputation [INFO] Successfully downloaded 73a9b852-68c7-11ec-b80e-b8a88d9a9218
Jan  1 02:52:34 FMC-SEVEN-HILLS SF-IMS[7498]: [9565] CloudAgent:IPReputation [INFO] Successfully downloaded 73a9b852-68c7-11ec-b80e-b8a88d9a9218


4. From the managed FTD, first list the IP List objects present on the device. Only the three built-in objects are listed here; the custom feed is not present under its own UUID, so the next step uses the Global-Blacklist UUID.

root@FPR-1140-2:/ngfw/var/log# eo_tool list IPListObject
 0. 8527413e-6167-11e1-a8bf-e99ce99bfdf1 (Cisco-Intelligence-Feed)
 1. c76556bc-6167-11e1-88e8-479de99bfdf1 (Global-Blacklist)
 2. d8eea83e-6167-11e1-a154-589de99bfdf1 (Global-Whitelist)


5. Lastly, check the blacklist feed status by grepping messages for the Global-Blacklist UUID. Each time the feed file is processed, the FTD logs the number of reputation entries loaded; if the feed has gained new entries, the "entries loaded" counter increases.

root@FPR-1140-2:/ngfw/var/log# grep c76556bc-6167-11e1-88e8-479de99bfdf1 messages | tail
Dec 31 18:57:04 firepower-1140 SF-IMS[8670]:     Processing blacklist file /ngfw/var/sf/iprep_download/c76556bc-6167-11e1-88e8-479de99bfdf1.blf
Dec 31 18:57:04 firepower-1140 SF-IMS[8670]:     Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file /ngfw/var/sf/iprep_download/c76556bc-6167-11e1-88e8-479de99bfdf1.blf)
Dec 31 20:58:15 firepower-1140 SF-IMS[8670]:     Processing blacklist file /ngfw/var/sf/iprep_download/c76556bc-6167-11e1-88e8-479de99bfdf1.blf
Dec 31 20:58:15 firepower-1140 SF-IMS[8670]:     Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file /ngfw/var/sf/iprep_download/c76556bc-6167-11e1-88e8-479de99bfdf1.blf)
Dec 31 22:55:17 firepower-1140 SF-IMS[8670]:     Processing blacklist file /ngfw/var/sf/iprep_download/c76556bc-6167-11e1-88e8-479de99bfdf1.blf
Dec 31 22:55:17 firepower-1140 SF-IMS[8670]:     Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file /ngfw/var/sf/iprep_download/c76556bc-6167-11e1-88e8-479de99bfdf1.blf)
Jan  1 00:54:20 firepower-1140 SF-IMS[8670]:     Processing blacklist file /ngfw/var/sf/iprep_download/c76556bc-6167-11e1-88e8-479de99bfdf1.blf
Jan  1 00:54:20 firepower-1140 SF-IMS[8670]:     Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file /ngfw/var/sf/iprep_download/c76556bc-6167-11e1-88e8-479de99bfdf1.blf)
Jan  1 02:54:24 firepower-1140 SF-IMS[8670]:     Processing blacklist file /ngfw/var/sf/iprep_download/c76556bc-6167-11e1-88e8-479de99bfdf1.blf
Jan  1 02:54:24 firepower-1140 SF-IMS[8670]:     Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file /ngfw/var/sf/iprep_download/c76556bc-6167-11e1-88e8-479de99bfdf1.blf)
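
The following script is an added example (it is not part of the article and not a Cisco tool) that automates the checks in steps 1, 3 and 5 over embedded sample log lines: it decodes the usmsharedsvcs.log POST body to recover the feed UUID and updateFreq, lists the "Successfully downloaded" timestamps for that UUID from the FMC messages log and flags gaps longer than the expected cadence, and reads the FTD "entries loaded" counters to see whether the blacklist grew. The sample lines are taken from the excerpts above where possible; the line for the 00000000-... placeholder UUID, the missing 18:52/20:52 cycles and the 1500-entry FTD line are constructed. It assumes updateFreq is expressed in minutes, which matches the two-hour cadence shown on the page.

```python
import json
import re
from datetime import datetime

# Constructed sample modelled on the usmsharedsvcs.log excerpt above (subset of its fields).
USMS_LOG = """\
USMS: 12-29 16:50:39 ** URL: POST https://localhost6/csm/api/object/IPListObject
USMS: 12-29 16:50:39 {
USMS: 12-29 16:50:39   "data": {
USMS: 12-29 16:50:39     "data": {
USMS: 12-29 16:50:39       "name": "BANLIST",
USMS: 12-29 16:50:39       "source": {
USMS: 12-29 16:50:39         "listURL": "https://www.binarydefense.com/banlist.txt",
USMS: 12-29 16:50:39         "updateFreq": 120,
USMS: 12-29 16:50:39         "verifyMethod": "MD5SUM"
USMS: 12-29 16:50:39       }
USMS: 12-29 16:50:39     },
USMS: 12-29 16:50:39     "uuid": "73a9b852-68c7-11ec-b80e-b8a88d9a9218"
USMS: 12-29 16:50:39   }
USMS: 12-29 16:50:39 }
"""
# FMC /var/log/messages: first three lines from the page; the rest are constructed so that the
# 14:52 cycle belongs to another (placeholder) feed, 18:52/20:52 are missing, and the year rolls over.
FMC_MESSAGES = """\
Dec 31 08:52:29 FMC-SEVEN-HILLS SF-IMS[7498]: [9565] CloudAgent:IPReputation [INFO] Successfully downloaded 73a9b852-68c7-11ec-b80e-b8a88d9a9218
Dec 31 10:52:29 FMC-SEVEN-HILLS SF-IMS[7498]: [9565] CloudAgent:IPReputation [INFO] Successfully downloaded 73a9b852-68c7-11ec-b80e-b8a88d9a9218
Dec 31 12:52:31 FMC-SEVEN-HILLS SF-IMS[7498]: [9565] CloudAgent:IPReputation [INFO] Successfully downloaded 73a9b852-68c7-11ec-b80e-b8a88d9a9218
Dec 31 14:52:30 FMC-SEVEN-HILLS SF-IMS[7498]: [9565] CloudAgent:IPReputation [INFO] Successfully downloaded 00000000-0000-0000-0000-000000000000
Dec 31 16:52:32 FMC-SEVEN-HILLS SF-IMS[7498]: [9565] CloudAgent:IPReputation [INFO] Successfully downloaded 73a9b852-68c7-11ec-b80e-b8a88d9a9218
Dec 31 22:52:36 FMC-SEVEN-HILLS SF-IMS[7498]: [9565] CloudAgent:IPReputation [INFO] Successfully downloaded 73a9b852-68c7-11ec-b80e-b8a88d9a9218
Jan  1 00:52:31 FMC-SEVEN-HILLS SF-IMS[7498]: [9565] CloudAgent:IPReputation [INFO] Successfully downloaded 73a9b852-68c7-11ec-b80e-b8a88d9a9218
"""
# FTD /ngfw/var/log/messages: first line from the page, second constructed with a non-zero count.
FTD_MESSAGES = """\
Dec 31 18:57:04 firepower-1140 SF-IMS[8670]:     Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file /ngfw/var/sf/iprep_download/c76556bc-6167-11e1-88e8-479de99bfdf1.blf)
Dec 31 20:58:15 firepower-1140 SF-IMS[8670]:     Reputation entries loaded: 1500, invalid: 2, re-defined: 0 (from file /ngfw/var/sf/iprep_download/c76556bc-6167-11e1-88e8-479de99bfdf1.blf)
"""
GLOBAL_BLACKLIST = "c76556bc-6167-11e1-88e8-479de99bfdf1"

USMS_PREFIX = re.compile(r"^USMS: \d\d-\d\d \d\d:\d\d:\d\d ")
DOWNLOAD_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ SF-IMS\[\d+\]: \[\d+\] "
                         r"CloudAgent:IPReputation \[INFO\] Successfully downloaded (?P<uuid>\S+)$")
LOADED_RE = re.compile(r"Reputation entries loaded: (?P<loaded>\d+), invalid: (?P<invalid>\d+), "
                       r"re-defined: \d+ \(from file \S*/(?P<uuid>[0-9a-fA-F-]+)\.blf\)")


def parse_feed_object(usms_text):
    """Strip the USMS prefix from each line, drop the '** URL' line and decode the JSON body."""
    body = [USMS_PREFIX.sub("", line) for line in usms_text.splitlines()]
    obj = json.loads("\n".join(line for line in body if not line.startswith("**")))
    inner = obj["data"]["data"]
    return {"name": inner["name"], "uuid": obj["data"]["uuid"],
            "listURL": inner["source"]["listURL"], "updateFreq": inner["source"]["updateFreq"],
            "verifyMethod": inner["source"]["verifyMethod"]}


def download_times(messages, uuid, start_year):
    """Timestamps of 'Successfully downloaded <uuid>' lines, oldest first.
    Syslog lines carry no year, so the caller supplies it; a month going backwards means rollover."""
    times, year, last_month = [], start_year, None
    for line in messages.splitlines():
        m = DOWNLOAD_RE.match(line)
        if not m or m.group("uuid") != uuid:
            continue
        ts = datetime.strptime(re.sub(r"\s+", " ", m.group("ts")), "%b %d %H:%M:%S")
        if last_month is not None and ts.month < last_month:
            year += 1
        last_month = ts.month
        times.append(ts.replace(year=year))
    return times


def late_downloads(times, update_freq_min, slack=1.5):
    """Consecutive downloads further apart than slack * updateFreq; gap reported in whole minutes.
    Assumption: updateFreq is in minutes (120 matches the two-hour cadence seen on the page)."""
    late = []
    for prev, cur in zip(times, times[1:]):
        gap = (cur - prev).total_seconds() / 60
        if gap > update_freq_min * slack:
            late.append((prev, cur, round(gap)))
    return late


def entries_loaded(messages, uuid):
    """'entries loaded' counters reported for the .blf file named after uuid, in log order."""
    matches = (LOADED_RE.search(line) for line in messages.splitlines())
    return [int(m.group("loaded")) for m in matches if m and m.group("uuid") == uuid]


def feed_grew(counters):
    """True when any load reported more entries than the load before it."""
    return any(later > earlier for earlier, later in zip(counters, counters[1:]))


if __name__ == "__main__":
    feed = parse_feed_object(USMS_LOG)
    times = download_times(FMC_MESSAGES, feed["uuid"], start_year=2021)
    print(f"{feed['name']} {feed['uuid']}: {len(times)} downloads, updateFreq {feed['updateFreq']}")
    for prev, cur, gap in late_downloads(times, feed["updateFreq"]):
        print(f"  late: {gap} min between {prev:%b %d %H:%M} and {cur:%b %d %H:%M}")
    counters = entries_loaded(FTD_MESSAGES, GLOBAL_BLACKLIST)
    print(f"Global-Blacklist entries loaded: {counters}, grew: {feed_grew(counters)}")
```

On a real FMC, replace the embedded strings with the contents of /opt/CSCOpx/MDC/log/operation/usmsharedsvcs.log and /var/log/messages (and /ngfw/var/log/messages on the FTD); a gap reported by late_downloads is the first place to look when an SI feed appears stale, and a counter that never moves on the FTD means no new entries reached the device.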
