Events of Interest to monitor in Cisco ASA Firewall/IPS
Every time I get a requirement to monitor critical events from a vendor, I have to go through multiple documents to understand and collate information about the vendor, the log schema and the types of events. This information is hard to Google and gather straightaway. So here I’m posting some Cisco ASA events of interest for your SIEM. These events are really important to monitor threats and anomalies and can be used to create reports and alert rules. I have added message IDs and the event description. Events categories include threats, bandwidth/protocol usage, authentication, user audit and traffic.
Cisco ASA Syslogs reference guide
External Threats/Attacks
| Message ID | Signature |
| 400007 | IP Fragment Attack |
| 400008 | IP Impossible Packet |
| 400009 | IP Fragments Overlap |
| 400023 | Fragmented ICMP Traffic |
| 400024 | Large ICMP Traffic |
| 400025 | Ping of Death Attack |
| 400026 | TCP NULL flags |
| 400027 | TCP SYN+FIN flags |
| 400028 | TCP FIN only flags |
| 400031 | UDP Bomb attack |
| 400032 | UDP Snork attack |
| 400033 | UDP Chargen DoS attack |
| 400041 | Proxied RPC Request |
| 400050 | statd Buffer Overflow |
| 106016 | IP Spoof |
| 106017 | Land Attack |
| 106021 | Revers Path |
| 106022 | Connection Spoof |
| 201003 | SYN Attack |
| 407002 | DoS |
| 209003 | DoS |
| 405001 | ARP Poisoning |
| 106023 | Foot-printing or port-scanning attempt. |
| 302014 (only with teardown reason as “SYN Timeout”) | SYN Attack |
| 733100 – Check the string – Object | Values for Object – Firewall – Bad pkts – Rate limit – DoS attck – ACL drop – Conn limit – ICMP attk – Scanning – SYN attck – Inspect – Interface |
| 733101 | Scanning threat detected |
| 733102 | Host has been shunned by the threat detection engine. |
| 733103 | Host is removed by threat detection engine |
Bandwidth and Protocol usage
| Event | Message ID |
| High CPU utilization (more than 100%) | 211003 |
| TCP Connection limit exceeded | 710004 |
| Embryonic limit exceeded | 201003 |
| Embryonic connection limit exceeded | 201010 |
| Connection limit exceeded for “static” command, or to those configured using Cisco Modular Policy Framework | 201011 |
| An attempt to establish a TCP connection failed because the per-client embryonic connection limit was exceeded. | 201012 |
| Per-client connection limit exceeded | 201013 |
| Connection limit exceeded econns | 202011 |
| Connection limit exceeded – Possible DoS attack | 210011 |
| IP routing table limit exceeded | 317005 |
| IP_address tunnel limit exceeded | 324006 |
| K8 SRTP crypto session of limit exceeded | 448001 |
User account Change
| Event | Message ID |
| User Added | 502101 |
| User Deleted | 502102 |
| User privilege changed | 502103 |
Authentication
| Event | Message ID |
| AAA Auth Success | 113004 |
| AAA Auth Rejected | 113005 |
| AAA Auth Success in IPSEC or WEBVPN connection to local user DB | 113012 |
| User locked out | 113006 |
| User Unlocked | 113006 |
| Login failed | 113021 |
Traffic Denied events
| Event | Message ID |
| IPSec proxy mismatches | 302302 |
| ICMP Deny traffic | 313001 |
| ICMP Deny traffic | 313004 |
| ICMPv6 Deny traffic | 313008 |
| received a packet from the offending MAC address | 322001 |
| Deny traffic due to host license limit exceeds | 407001,450001 |
| WebVPN access deny | 716004 |
| ICMP, TCP, or UDP | 106002 |
| Deny inbound UDP | 106006 |
| Inbound UDP packet containing a DNS query or response is denied | 106007 |
| inbound connection is denied by security policy. | 106010 |
| Packed integrity check. Deny due to bad IP | 106012 |
| Deny inbound ICMP | 106014 |
| Deny inbound TCP | 106015 |
| URL Filter Deny (valid only if the log contains the reason as “Unauth Deny”) | 302014 |
CyberSec Talk 
1 Comment »