Events of Interest to monitor in Cisco ASA Firewall/IPS
When a request comes in to monitor critical events from a new vendor's product, gathering the vendor's log schema and the event types worth alerting on is a cumbersome task, and the information is rarely available through a simple online search. To simplify the process, here is a consolidated list of Cisco ASA syslog events that matter for a SIEM: the ones used for threat monitoring, anomaly detection, reporting, and alert rules. Each entry gives the message ID and a short description, grouped into external threats, bandwidth/protocol usage, user account changes, authentication, and denied traffic. Two entries (302014 and 733100) are only of interest for a particular value inside the message text, so for them a rule that matches on the message ID alone is not enough.
Cisco ASA Syslogs reference guide
External Threats/Attacks
| Message ID | Signature |
|---|---|
| 400007 | IP Fragment Attack |
| 400008 | IP Impossible Packet |
| 400009 | IP Fragments Overlap |
| 400023 | Fragmented ICMP Traffic |
| 400024 | Large ICMP Traffic |
| 400025 | Ping of Death Attack |
| 400026 | TCP NULL flags |
| 400027 | TCP SYN+FIN flags |
| 400028 | TCP FIN only flags |
| 400031 | UDP Bomb attack |
| 400032 | UDP Snork attack |
| 400033 | UDP Chargen DoS attack |
| 400041 | Proxied RPC Request |
| 400050 | statd Buffer Overflow |
| 106016 | IP Spoof |
| 106017 | Land Attack |
| 106021 | Reverse path check failure |
| 106022 | Connection Spoof |
| 201003 | SYN Attack (embryonic connection limit exceeded) |
| 407002 | DoS (embryonic limit for through connections exceeded) |
| 209003 | DoS (fragment database limit exceeded) |
| 405001 | ARP collision, possible ARP poisoning |
| 106023 | ACL deny; a burst of these from one source indicates a foot-printing or port-scanning attempt |
| 302014 (only with teardown reason "SYN Timeout") | SYN Attack |
| 733100 (check the Object string at the start of the message) | Drop rate exceeded for a threat-detection object. Values for Object: Firewall, Bad pkts, Rate limit, DoS attck, ACL drop, Conn limit, ICMP attk, Scanning, SYN attck, Inspect, Interface |
| 733101 | Scanning threat detected |
| 733102 | Host has been shunned by the threat detection engine |
| 733103 | Host removed from the shun list by the threat detection engine |
Bandwidth and Protocol usage
| Message ID | Event |
|---|---|
| 211003 | High CPU utilization (more than 100%) |
| 710004 | TCP connection limit exceeded |
| 201003 | Embryonic limit exceeded |
| 201010 | Embryonic connection limit exceeded |
| 201011 | Connection limit exceeded for the "static" command, or for connections configured using the Cisco Modular Policy Framework |
| 201012 | TCP connection attempt failed because the per-client embryonic connection limit was exceeded |
| 201013 | Per-client connection limit exceeded |
| 202011 | Connection limit exceeded (econns) |
| 210011 | Connection limit exceeded, possible DoS attack |
| 317005 | IP routing table limit exceeded |
| 324006 | Tunnel limit exceeded for IP_address |
| 448001 | K8 SRTP crypto session limit exceeded |
User account Change
| Message ID | Event |
|---|---|
| 502101 | User added |
| 502102 | User deleted |
| 502103 | User privilege changed |
Authentication
| Message ID | Event |
|---|---|
| 113004 | AAA authentication success |
| 113005 | AAA authentication rejected |
| 113012 | AAA authentication success for an IPsec or WebVPN connection against the local user database |
| 113006 | User locked out after successive failed authentication attempts |
| 113007 | User unlocked by administrator |
| 113021 | Console login failed (user lacked the required admin rights) |
Traffic Denied events
| Message ID | Event |
|---|---|
| 302302 | IPsec proxy mismatch (ACL = deny; no SA created) |
| 313001 | ICMP to the ASA's own interface denied |
| 313004 | ICMP denied (no matching session) |
| 313008 | ICMPv6 denied |
| 322001 | Packet received from the offending MAC address denied (possible spoof attempt) |
| 407001, 450001 | Traffic denied because the host license limit was exceeded |
| 716004 | WebVPN access denied |
| 106002 | Outbound ICMP, TCP, or UDP connection denied by outbound list |
| 106006 | Deny inbound UDP |
| 106007 | Inbound UDP packet containing a DNS query or response denied |
| 106010 | Inbound connection denied by security policy |
| 106012 | Packet integrity check: IP packet denied because it carries IP options |
| 106014 | Deny inbound ICMP |
| 106015 | Deny inbound TCP (no connection) |
| 302014 (only with teardown reason "Unauth Deny") | URL filter deny |
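The conditional entries (302014 with reason "SYN Timeout" in the threats table, 302014 with reason "Unauth Deny" here, and 733100 with its Object string) cannot be matched on the message ID alone, so a SIEM rule has to parse the message text. The following Python is an added example, not code from the original post or from Cisco: it extracts the six-digit message ID from the %ASA-severity-msgid header, classifies it against the tables on this page, resolves the two conditional IDs from the message body, and aggregates SYN-Timeout teardowns per source so that a burst from one host can be alerted on. The log lines are constructed for the example (RFC 5737 addresses, not captured from a device), the category names and the two-hit threshold are the example's own choices, and 113007 is used for the user-unlocked event.

```python
import re
from collections import Counter

# Message IDs from the tables on this page, keyed by the section they sit in.
# 302014 and 733100 are conditional and are resolved from the message text below;
# 201003 is listed once (threats) rather than in both sections.
# 113007 (user unlocked by administrator) is the ID used for the unlock event.
CATEGORIES = {
    "threat": {400007, 400008, 400009, 400023, 400024, 400025, 400026, 400027,
               400028, 400031, 400032, 400033, 400041, 400050, 106016, 106017,
               106021, 106022, 201003, 407002, 209003, 405001, 106023,
               733101, 733102, 733103},
    "resource": {211003, 710004, 201010, 201011, 201012, 201013, 202011,
                 210011, 317005, 324006, 448001},
    "account": {502101, 502102, 502103},
    "auth": {113004, 113005, 113012, 113006, 113007, 113021},
    "deny": {302302, 313001, 313004, 313008, 322001, 407001, 450001, 716004,
             106002, 106006, 106007, 106010, 106012, 106014, 106015},
}

# %ASA-<severity>-<msgid>: <text>; whatever precedes %ASA (timestamp, host) is ignored
HEADER_RE = re.compile(r"%ASA-(\d)-(\d{6}):\s*(.*)$")
# 733100 starts its text with the threat-detection object in brackets, e.g. "[ Scanning]"
OBJECT_RE = re.compile(r"^\[\s*([^\]]+?)\s*\]")
# 302014 ends with the teardown reason, which follows "bytes <n>"
TEARDOWN_RE = re.compile(r"\bbytes\s+\d+\s+(.+?)\s*$")
# connection source in a 302014 line: "for <ifname>:<ip>/<port> to"
SRC_RE = re.compile(r"\bfor\s+[\w-]+:(\d+\.\d+\.\d+\.\d+)/\d+\s+to\b")


def classify(line):
    """Return (msgid, category, qualifier) for one ASA syslog line.

    category is None when the message is not on the watch list; the whole
    result is None when the line does not carry an ASA message at all."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    msgid, text = int(m.group(2)), m.group(3)
    if msgid == 733100:
        obj = OBJECT_RE.match(text)
        return (msgid, "threat", obj.group(1) if obj else "unknown")
    if msgid == 302014:
        r = TEARDOWN_RE.search(text)
        reason = r.group(1) if r else "unknown"
        if reason == "SYN Timeout":
            return (msgid, "threat", reason)
        if reason == "Unauth Deny":
            return (msgid, "deny", reason)
        return (msgid, None, reason)  # ordinary teardown (TCP FINs etc.): not of interest
    for cat, ids in CATEGORIES.items():
        if msgid in ids:
            return (msgid, cat, None)
    return (msgid, None, None)


def events_of_interest(lines):
    """Count (msgid, category, qualifier) over a batch, dropping lines not on the list."""
    counts = Counter()
    for line in lines:
        res = classify(line)
        if res is not None and res[1] is not None:
            counts[res] += 1
    return counts


def syn_timeout_sources(lines, threshold=2):
    """Source IPs with at least `threshold` SYN-Timeout teardowns in the batch.

    One SYN timeout is noise; many from a single source in a short window is the
    SYN-attack signal the threats table points at. The window here is the batch;
    a production rule would bucket by time as well."""
    per_src = Counter()
    for line in lines:
        res = classify(line)
        if res is not None and res[0] == 302014 and res[2] == "SYN Timeout":
            s = SRC_RE.search(line)
            if s:
                per_src[s.group(1)] += 1
    return {ip: n for ip, n in per_src.items() if n >= threshold}


# Constructed sample lines in ASA syslog format (not captured from a real device).
SAMPLE_LOGS = [
    "Jan 10 12:00:01 fw01 %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 21 per second, max configured rate is 10; Current average rate is 14 per second, max configured rate is 5; Cumulative total count is 8651",
    "Jan 10 12:00:02 fw01 %ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.5/40000 to inside:10.0.0.5/443 duration 0:00:30 bytes 0 SYN Timeout",
    "Jan 10 12:00:02 fw01 %ASA-6-302014: Teardown TCP connection 1002 for outside:203.0.113.5/40001 to inside:10.0.0.5/443 duration 0:00:30 bytes 0 SYN Timeout",
    "Jan 10 12:00:03 fw01 %ASA-6-302014: Teardown TCP connection 1003 for inside:10.0.0.7/51000 to outside:198.51.100.9/80 duration 0:00:05 bytes 1234 TCP FINs",
    "Jan 10 12:00:04 fw01 %ASA-6-302014: Teardown TCP connection 1004 for inside:10.0.0.7/51001 to outside:198.51.100.9/80 duration 0:00:00 bytes 0 Unauth Deny",
    "Jan 10 12:00:05 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.20 : user = admin",
    'Jan 10 12:00:06 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.5/40002 dst inside:10.0.0.5/22 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    "Jan 10 12:00:07 fw01 %ASA-6-302013: Built inbound TCP connection 1005 for outside:198.51.100.9/443 (198.51.100.9/443) to inside:10.0.0.7/51002 (10.0.0.7/51002)",
]

if __name__ == "__main__":
    for key, n in sorted(events_of_interest(SAMPLE_LOGS).items(), key=str):
        print(key, n)
    print("SYN-timeout sources:", syn_timeout_sources(SAMPLE_LOGS))
```

On the sample batch the two "TCP FINs" and 302013 lines are dropped, the two "SYN Timeout" teardowns count against 203.0.113.5, and the 733100 line is reported with its Object value "Scanning" so that a rule can treat Scanning and SYN attck differently from the more benign Interface or Rate limit objects.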