Events of Interest to monitor in Cisco ASA Firewall/IPS
When I receive a request to monitor critical events from a vendor, it becomes a cumbersome task to gather information about the vendor, log schema, and event types. This information is not readily available through a simple online search. To simplify the process, I am providing a consolidated list of Cisco ASA events that are crucial for your SIEM. These events play a vital role in monitoring threats, detecting anomalies, and generating reports and alert rules. The list includes message IDs and event descriptions, covering categories such as threats, bandwidth/protocol usage, authentication, user audit, and traffic.
Cisco ASA Syslogs reference guide
External Threats/Attacks
| Message ID | Signature |
| 400007 | IP Fragment Attack |
| 400008 | IP Impossible Packet |
| 400009 | IP Fragments Overlap |
| 400023 | Fragmented ICMP Traffic |
| 400024 | Large ICMP Traffic |
| 400025 | Ping of Death Attack |
| 400026 | TCP NULL flags |
| 400027 | TCP SYN+FIN flags |
| 400028 | TCP FIN only flags |
| 400031 | UDP Bomb attack |
| 400032 | UDP Snork attack |
| 400033 | UDP Chargen DoS attack |
| 400041 | Proxied RPC Request |
| 400050 | statd Buffer Overflow |
| 106016 | IP Spoof |
| 106017 | Land Attack |
| 106021 | Revers Path |
| 106022 | Connection Spoof |
| 201003 | SYN Attack |
| 407002 | DoS |
| 209003 | DoS |
| 405001 | ARP Poisoning |
| 106023 | Foot-printing or port-scanning attempt. |
| 302014 (only with teardown reason as “SYN Timeout”) | SYN Attack |
| 733100 – Check the string – Object | Values for Object – Firewall – Bad pkts – Rate limit – DoS attck – ACL drop – Conn limit – ICMP attk – Scanning – SYN attck – Inspect – Interface |
| 733101 | Scanning threat detected |
| 733102 | Host has been shunned by the threat detection engine. |
| 733103 | Host is removed by threat detection engine |
Bandwidth and Protocol usage
| Event | Message ID |
| High CPU utilization (more than 100%) | 211003 |
| TCP Connection limit exceeded | 710004 |
| Embryonic limit exceeded | 201003 |
| Embryonic connection limit exceeded | 201010 |
| Connection limit exceeded for “static” command, or to those configured using Cisco Modular Policy Framework | 201011 |
| An attempt to establish a TCP connection failed because the per-client embryonic connection limit was exceeded. | 201012 |
| Per-client connection limit exceeded | 201013 |
| Connection limit exceeded econns | 202011 |
| Connection limit exceeded – Possible DoS attack | 210011 |
| IP routing table limit exceeded | 317005 |
| IP_address tunnel limit exceeded | 324006 |
| K8 SRTP crypto session of limit exceeded | 448001 |
User account Change
| Event | Message ID |
| User Added | 502101 |
| User Deleted | 502102 |
| User privilege changed | 502103 |
Authentication
| Event | Message ID |
| AAA Auth Success | 113004 |
| AAA Auth Rejected | 113005 |
| AAA Auth Success in IPSEC or WEBVPN connection to local user DB | 113012 |
| User locked out | 113006 |
| User Unlocked | 113006 |
| Login failed | 113021 |
Traffic Denied events
| Event | Message ID |
| IPSec proxy mismatches | 302302 |
| ICMP Deny traffic | 313001 |
| ICMP Deny traffic | 313004 |
| ICMPv6 Deny traffic | 313008 |
| received a packet from the offending MAC address | 322001 |
| Deny traffic due to host license limit exceeds | 407001,450001 |
| WebVPN access deny | 716004 |
| ICMP, TCP, or UDP | 106002 |
| Deny inbound UDP | 106006 |
| Inbound UDP packet containing a DNS query or response is denied | 106007 |
| inbound connection is denied by security policy. | 106010 |
| Packed integrity check. Deny due to bad IP | 106012 |
| Deny inbound ICMP | 106014 |
| Deny inbound TCP | 106015 |
| URL Filter Deny (valid only if the log contains the reason as “Unauth Deny”) | 302014 |
CyberSec Talk 
1 Comment »