Categories
Level-Advanced

Events of Interest to monitor in Cisco ASA Firewall/IPS

Every time I get a requirement to monitor critical events from a vendor, I have to go through multiple documents to understand and collate information about the vendor, the log schema and the types of events. This information is hard to Google and gather straightaway. So here I’m posting some Cisco ASA events of interest for your SIEM. These events are really important to monitor threats and anomalies and can be used to create reports and alert rules. I have added message IDs and the event description. Events categories include threats, bandwidth/protocol usage, authentication, user audit and traffic.

Cisco ASA Syslogs reference guide

External Threats/Attacks

Message IDSignature
400007IP Fragment Attack
400008IP Impossible Packet
400009IP Fragments Overlap
400023Fragmented ICMP Traffic
400024Large ICMP Traffic
400025Ping of Death Attack
400026TCP NULL flags
400027TCP SYN+FIN flags
400028TCP FIN only flags
400031UDP Bomb attack
400032UDP Snork attack
400033UDP Chargen DoS attack
400041Proxied RPC Request
400050statd Buffer Overflow
106016IP Spoof
106017Land Attack
106021Revers Path
106022Connection Spoof
201003SYN Attack
407002DoS
209003DoS
405001ARP Poisoning
106023Foot-printing or port-scanning attempt.
302014 (only with teardown reason as “SYN Timeout”)SYN Attack
733100 – Check the string – ObjectValues for Object
– Firewall 
– Bad pkts 
– Rate limit 
– DoS attck 
– ACL drop 
– Conn limit 
– ICMP attk 
– Scanning 
– SYN attck 
– Inspect 
– Interface
733101Scanning threat detected
733102Host has been shunned by the threat detection engine.
733103 Host is removed by threat detection engine

Bandwidth and Protocol usage

EventMessage ID
High CPU utilization (more than 100%)211003
TCP Connection limit exceeded710004
Embryonic limit exceeded201003
Embryonic connection limit exceeded201010
Connection limit exceeded for “static” command, or to those configured using Cisco Modular Policy Framework201011
An attempt to establish a TCP connection failed because the per-client embryonic connection limit was exceeded. 201012
Per-client connection limit exceeded201013
Connection limit exceeded econns202011
Connection limit exceeded  – Possible DoS attack210011
IP routing table limit exceeded317005
IP_address tunnel limit exceeded324006
K8 SRTP crypto session of limit exceeded448001


User account Change

EventMessage ID
User Added502101
User Deleted502102
User privilege changed502103

Authentication

EventMessage ID
AAA Auth Success113004
AAA Auth Rejected113005
AAA Auth Success in IPSEC or WEBVPN connection to local user DB113012
User locked out113006
User Unlocked113006
Login failed113021

Traffic Denied events

EventMessage ID
IPSec proxy mismatches302302
ICMP Deny traffic313001
ICMP Deny traffic313004
ICMPv6 Deny traffic313008
received a packet from the offending MAC address322001
Deny traffic due to host license limit exceeds407001,450001
WebVPN access deny716004
 ICMP, TCP, or UDP106002
Deny inbound UDP106006
Inbound UDP packet containing a DNS query or response is denied106007
inbound connection is denied by security policy.106010
Packed integrity check. Deny due to bad IP106012
Deny inbound ICMP106014
Deny inbound TCP106015
URL Filter Deny (valid only if the log contains the reason as “Unauth Deny”)302014

1 reply on “Events of Interest to monitor in Cisco ASA Firewall/IPS”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s