elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[New Rules] Cisco ASA #2176

Open leweafan opened 2 years ago

leweafan commented 2 years ago

Description

Cisco ASA has security event IDs, and there are several event IDs that should be used by a SIEM. Cisco Secure Firewall ASA Series Syslog Messages has the events' format description. If someone is interested in this issue I will try to provide more info.

Example Message ID 106021:

[image: example of Message ID 106021]

Suggested events:

| Type | Message ID | Event |
|---|---|---|
| External Threats/Attacks | 400007 | IP Fragment Attack |
| External Threats/Attacks | 400008 | IP Impossible Packet |
| External Threats/Attacks | 400009 | IP Fragments Overlap |
| External Threats/Attacks | 400023 | Fragmented ICMP Traffic |
| External Threats/Attacks | 400024 | Large ICMP Traffic |
| External Threats/Attacks | 400025 | Ping of Death Attack |
| External Threats/Attacks | 400026 | TCP NULL flags |
| External Threats/Attacks | 400027 | TCP SYN+FIN flags |
| External Threats/Attacks | 400028 | TCP FIN only flags |
| External Threats/Attacks | 400031 | UDP Bomb attack |
| External Threats/Attacks | 400032 | UDP Snork attack |
| External Threats/Attacks | 400033 | UDP Chargen DoS attack |
| External Threats/Attacks | 400041 | Proxied RPC Request |
| External Threats/Attacks | 400050 | statd Buffer Overflow |
| External Threats/Attacks | 106016 | IP Spoof |
| External Threats/Attacks | 106017 | Land Attack |
| External Threats/Attacks | 106021 | Reverse Path |
| External Threats/Attacks | 106022 | Connection Spoof |
| External Threats/Attacks | 201003 | SYN Attack |
| External Threats/Attacks | 407002 | DoS |
| External Threats/Attacks | 209003 | DoS |
| External Threats/Attacks | 405001 | ARP Poisoning |
| External Threats/Attacks | 106023 | Foot-printing or port-scanning attempt. |
| External Threats/Attacks | 302014 (only with teardown reason as “SYN Timeout”) | SYN Attack |
| External Threats/Attacks | 733101 | Scanning threat detected |
| External Threats/Attacks | 733102 | Host has been shunned by the threat detection engine. |
| External Threats/Attacks | 733103 | Host is removed by threat detection engine |
| External Threats/Attacks | 733100 | Check the string – Object Values for Object: Firewall, Bad pkts, Rate limit, DoS attck, ACL drop, Conn limit, ICMP attk, SYN attck, Inspect, Interface |
| Bandwidth and Protocol usage | 211003 | High CPU utilization (more than 100%) |
| Bandwidth and Protocol usage | 710004 | TCP Connection limit exceeded |
| Bandwidth and Protocol usage | 201003 | Embryonic limit exceeded |
| Bandwidth and Protocol usage | 201010 | Embryonic connection limit exceeded |
| Bandwidth and Protocol usage | 201011 | Connection limit exceeded for “static” command, or to those configured using Cisco Modular Policy Framework |
| Bandwidth and Protocol usage | 201012 | An attempt to establish a TCP connection failed because the per-client embryonic connection limit was exceeded. |
| Bandwidth and Protocol usage | 201013 | Per-client connection limit exceeded |
| Bandwidth and Protocol usage | 202011 | Connection limit exceeded econns |
| Bandwidth and Protocol usage | 210011 | Connection limit exceeded – Possible DoS attack |
| Bandwidth and Protocol usage | 317005 | IP routing table limit exceeded |
| Bandwidth and Protocol usage | 324006 | IP_address tunnel limit exceeded |
| Bandwidth and Protocol usage | 448001 | K8 SRTP crypto session of limit exceeded |
| User account Change | 502101 | User Added |
| User account Change | 502102 | User Deleted |
| User account Change | 502103 | User privilege changed |
| Authentication | 113004 | AAA Auth Success |
| Authentication | 113005 | AAA Auth Rejected |
| Authentication | 113012 | AAA Auth Success in IPSEC or WEBVPN connection to local user DB |
| Authentication | 113006 | User locked out |
| Authentication | 113006 | User Unlocked |
| Authentication | 113021 | Login failed |
| Traffic Denied events | 302302 | IPSec proxy mismatches |
| Traffic Denied events | 313001 | ICMP Deny traffic |
| Traffic Denied events | 313004 | ICMP Deny traffic |
| Traffic Denied events | 313008 | ICMPv6 Deny traffic |
| Traffic Denied events | 322001 | Received a packet from the offending MAC address |
| Traffic Denied events | 407001, 450001 | Deny traffic due to host license limit exceeded |
| Traffic Denied events | 716004 | WebVPN access deny |
| Traffic Denied events | 106002 | ICMP, TCP, or UDP |
| Traffic Denied events | 106006 | Deny inbound UDP |
| Traffic Denied events | 106007 | Inbound UDP packet containing a DNS query or response is denied |
| Traffic Denied events | 106010 | Inbound connection is denied by security policy. |
| Traffic Denied events | 106012 | Packet integrity check. Deny due to bad IP |
| Traffic Denied events | 106014 | Deny inbound ICMP |
| Traffic Denied events | 106015 | Deny inbound TCP |
| Traffic Denied events | 302014 | URL Filter Deny (valid only if the log contains the reason as “Unauth Deny”) |
| Additional events | 111008 | The user entered any command, with the exception of a show command |
| Additional events | 111009 | User entered a command that does not modify the configuration. This message appears only for show commands. |
| Additional events | 111010 | A user made a configuration change |
| Additional events | 605004 | Console login failed - If this message appears infrequently, no action is required. If this message appears frequently, it may indicate an attack. |
| Additional events | 611101 | User authentication succeeded when accessing the Secure Firewall ASA. The username is hidden when invalid or unknown, but appears when valid or the no logging hide username command has been configured |
| Additional events | 611102 | User authentication failed when attempting to access the Secure Firewall ASA. The username is hidden when invalid or unknown, but appears when valid or the no logging hide username command has been configured |
| Additional events | 611103 | The specified user logged out |
| Additional events | 716039 | Before a WebVPN session starts, the user must be authenticated successfully by a local or remote server (for example, RADIUS or TACACS+). In this case, the user credentials (username and password) either did not match, or the user does not have permission to start a WebVPN session. The username is hidden when invalid or unknown, but appears when valid or the no logging hide username command has been configured |
| Additional events | 734001 | The DAP records that were selected for the connection are listed |
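
One way to apply this list in a log pipeline, as an added example that is not part of the issue or of the detection-rules project: a small Python classifier that pulls the message ID out of an ASA syslog line, maps a subset of the IDs above to the issue's category names, and handles the two conditional rows (302014 decided by the teardown reason, 733100 decided by the object name). The sample lines are constructed, the `%ASA-<severity>-<id>:` prefix handling is an assumption about the log format, and the ID sets cover only part of the table.

```python
import re

# Subset of the message IDs from the table above, keyed by the issue's category names.
CATEGORIES = {
    "External Threats/Attacks": {"106016", "106017", "106021", "106023", "201003", "405001", "733101"},
    "Bandwidth and Protocol usage": {"201010", "201012", "201013", "210011", "710004"},
    "User account Change": {"502101", "502102", "502103"},
    "Authentication": {"113004", "113005", "113006", "113012", "113021"},
    "Traffic Denied events": {"106002", "106006", "106010", "106014", "106015", "313001"},
    "Additional events": {"111008", "111010", "605004", "611101", "611102", "611103"},
}
# 733100 is alert-worthy only when the drop counter names one of these objects (strings from the issue).
THREAT_OBJECTS = ("Firewall", "Bad pkts", "Rate limit", "DoS attck", "ACL drop", "Conn limit", "ICMP attk", "SYN attck", "Inspect", "Interface")
# Assumed "%ASA-<severity>-<message id>: <text>" prefix of an ASA syslog message.
ASA_RE = re.compile(r"%ASA-\d-(?P<msgid>\d{6}):\s*(?P<text>.*)")

def classify(line):
    """Return (category, label) for an alert-worthy line, else None."""
    m = ASA_RE.search(line)
    if not m:
        return None
    msgid, text = m.group("msgid"), m.group("text")
    if msgid == "302014":  # conditional row: the teardown reason decides
        if "SYN Timeout" in text:
            return ("External Threats/Attacks", "SYN Attack")
        if "Unauth Deny" in text:
            return ("Traffic Denied events", "URL Filter Deny")
        return None  # ordinary connection teardown
    if msgid == "733100":  # conditional row: the named object decides
        for obj in THREAT_OBJECTS:
            if obj in text:
                return ("External Threats/Attacks", "733100 drop rate exceeded: " + obj)
        return None
    for category, ids in CATEGORIES.items():
        if msgid in ids:
            return (category, msgid)
    return None

def triage(lines):
    """Group alert-worthy lines by category; unlisted message IDs are dropped."""
    hits = {}
    for result in filter(None, map(classify, lines)):
        hits.setdefault(result[0], []).append(result[1])
    return hits

SAMPLE_LOG = [  # constructed sample lines (not real device output) exercising the conditional rows
    "fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.5/40000 dst inside:10.1.1.10/22 by access-group \"OUTSIDE_IN\"",
    "fw01 %ASA-6-302014: Teardown TCP connection 4711 for outside:203.0.113.5/443 to inside:10.1.1.10/51234 duration 0:00:30 bytes 0 SYN Timeout",
    "fw01 %ASA-6-302014: Teardown TCP connection 4712 for outside:203.0.113.6/443 to inside:10.1.1.11/51235 duration 0:01:02 bytes 1024 TCP FINs",
    "fw01 %ASA-4-733100: [ SYN attck] drop rate-1 exceeded. Current burst rate is 20 per second, max configured rate is 10",
]
```

Running `triage(SAMPLE_LOG)` keeps the deny, the SYN-timeout teardown and the threat-detection drop, and discards the normal teardown.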
botelastic[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

botelastic[bot] commented 2 years ago

This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.