302013 - built inbound connection
302014 - teardown TCP connection
725012 - Device chooses cipher for the SSL session with peer interface
725008 - ssl client propose cipher
725007 - teardown new ssl connection / terminated
725001 - starting ssl handshake
725002 - ssl handshake completed
725003 - request to resume
113005 - AAA user authentication rejected
http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4776913
Each connection that passes through the ASA generates 9 syslogs, so that adds up to a lot of logs
Old TAC security podcast
https://community.cisco.com/t5/security-knowledge-base/tac-security-podcast-show-information-and-episode-listing/ta-p/3126414
General syslog tips
Text zips up well, so zip the logs before sending them
Knowing the time frame of the issue helps, as does knowing any source / destination IPs
Notepad++ / sublime are good for working with big files
For really big files we really want a linux box
For windows users you can run a VM as well or install cygwin
Use grep to look for sev1 events
grep "ASA-1-" ASASYSLOG.txt
Look for sev 6 and pipe to head
grep "ASA-6" ASAlogs.txt | head -n 3
-v can be used to remove items from the log
grep "ASA-6" ASAlogs.txt | grep -v "ASA-6-302011" | grep -v "ASA-6-302015" | head -n 3
We can build up our command adding more -v items
grep "ASA-6" ASAlogs.txt | grep -v "ASA-6-302011" | grep -v "ASA-6-302015" | grep -v "ASA-6-305011" | head -n 3
Other linux CLI tools that are very useful
cut / sed / awk / uniq / sort / bc
To remove all the characters on the line leading up to "Mar 28", use the sed program to find and replace that text with "nothing":
cat ASAlogs.txt | sed 's/^.*Mar 28/Mar 28/g' | head -n 4
cut can be used to display something specific from each line:
grep "ASA-6-305011" ASAlogs.txt | cut -f 13 -d ' '
<166>Mar 28 2013 08:22:50: %ASA-6-305011: Built dynamic TCP translation from inside:10.10.103.38/63894 to outside:192.168.124.149/63894
becomes
outside:192.168.124.149/63894
Now let's say you wanted to get rid of the 'outside:' text at the start of each line. Use sed to replace that text with nothing:
grep "ASA-6-305011" ASAlogs.txt | cut -f 13 -d ' ' | sed 's/outside://g'
When a connection is torn down (teardown event) there is a byte count included
You could look for the initiator and the byte count
IP and how many bytes were transferred
Then sort that based on byte count
This would give you the top talkers
Sort by IP addresses
Use bc to sum the bytes per IP, then sort on the byte counts to see which IP was the top talker overall
You could also work on top number of connections. Look for usernames instead of IPs, etc. A DDoS may make a lot of connections but transfer only a small amount of data
You could look at denied connections
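The top-talker and top-connection-count steps above, worked through as an added example (not from the original notes or the podcast): the sample 302014 teardown lines are constructed, the inside-side address is assumed to be the initiator, and the per-IP sum is done in awk rather than bc.

```shell
#!/bin/sh
# Constructed sample of ASA syslogs (not real traffic); one 302011 line is
# mixed in to show that only 302014 teardown events are counted.
SAMPLE_LOGS='<166>Mar 28 2013 08:22:55: %ASA-6-302014: Teardown TCP connection 1001 for outside:192.0.2.10/443 to inside:10.10.103.38/63894 duration 0:00:05 bytes 5200 TCP FINs
<166>Mar 28 2013 08:23:01: %ASA-6-302014: Teardown TCP connection 1002 for outside:192.0.2.20/80 to inside:10.10.103.50/51000 duration 0:00:02 bytes 300 TCP Reset-O
<166>Mar 28 2013 08:23:09: %ASA-6-302014: Teardown TCP connection 1003 for outside:192.0.2.10/443 to inside:10.10.103.38/63895 duration 0:01:10 bytes 120000 TCP FINs
<166>Mar 28 2013 08:23:12: %ASA-6-302011: Built dynamic TCP translation from inside:10.10.103.50/51001 to outside:192.168.124.149/51001
<166>Mar 28 2013 08:23:20: %ASA-6-302014: Teardown TCP connection 1004 for outside:192.0.2.30/22 to inside:10.10.103.50/51002 duration 0:00:30 bytes 4700 TCP FINs
<166>Mar 28 2013 08:23:31: %ASA-6-302014: Teardown TCP connection 1005 for outside:192.0.2.20/80 to inside:10.10.103.38/63896 duration 0:00:01 bytes 800 TCP FINs'

# top_talkers: read syslog text on stdin, print "<total bytes> <inside ip>"
# per inside host, largest first. Fields are found by the keywords "to"
# and "bytes" so the result does not depend on a fixed column position.
top_talkers() {
    grep 'ASA-6-302014' |
    awk '{
        for (i = 1; i <= NF; i++) {
            # "to inside:10.10.103.38/63894" -> ip = 10.10.103.38
            if ($i == "to")    { split($(i+1), a, "[:/]"); ip = a[2] }
            if ($i == "bytes") { bytes = $(i+1) }
        }
        total[ip] += bytes
    }
    END { for (ip in total) print total[ip], ip }' |
    sort -k1,1nr
}

# top_connections: count teardown events per inside host instead of bytes
# (the "many connections, little data" pattern the notes mention).
top_connections() {
    grep 'ASA-6-302014' |
    sed 's/.* to [^:]*://; s/\/.*//' |   # keep only the inside address
    sort | uniq -c | sort -rn
}

echo "Top talkers by bytes:"
printf '%s\n' "$SAMPLE_LOGS" | top_talkers
echo "Top talkers by connection count:"
printf '%s\n' "$SAMPLE_LOGS" | top_connections
```

Replace the printf with `cat ASAlogs.txt` to run it over a real file; a host that leads the connection-count list but not the byte list is the pattern the notes describe for a DDoS.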