PIX/ASA false alarms
PIX/ASA false alarms - 28.Sep.2009 9:33:31 AM
g33kfu
Posts: 6
Score: 0
Joined: 28.Sep.2009
Status: offline
We have been receiving PIX/ASA Attack false alarms. It is due to the syslog message containing part of the error string within either the URL or connection number of the syslog message. For example, an IP Fragment attack has the filter string "%PIX%400007%,%ASA%400007%", so when a syslog message comes in and says "connection 11400000789" it triggers the event. Has anyone worked around this issue? I'm wondering if I can add a "-" in the filter string so it's similar to "%PIX%400007%,%ASA%-400007%", since that's how the original syslog message comes through. I'm not sure how the different variables affect the "Raw Message" field and I don't want to make it so it doesn't work when there actually is an attack. Thanks
RE: PIX/ASA false alarms - 28.Sep.2009 9:40:14 AM
g33kfu
Posts: 6
Score: 0
Joined: 28.Sep.2009
Status: offline
So what is the workaround for this issue? I've received 250 false alarm emails since 7:00 this morning.
RE: PIX/ASA false alarms - 28.Sep.2009 9:41:26 AM
DrewE
Posts: 1246
Score: 0
Joined: 28.Apr.2008
From: Cary, NC
Status: offline
Can you copy and paste the details of one of the false alarms? We need to see how they are different from the real errors you are seeing. You could create a Syslog processing rule ABOVE the existing one and filter these events out as noise if you can determine what the differentiating factors between the messages are.
_____________________________
Drew Easley GFI Software Talk Tech To Me (GFI Blog) – Follow Us (Twitter) - Watch Us (YouTube) - Join us (Facebook)
RE: PIX/ASA false alarms - 28.Sep.2009 9:48:15 AM
g33kfu
Posts: 6
Score: 0
Joined: 28.Sep.2009
Status: offline
Sure. Here are a couple. I xxx'd out the internal IPs.

Possible attack - Received MAC mismatch collision - 10.xxx.xxx.xxx - 20 - Local use 4 - 6 - Informational Teardown TCP connection 114050024 for outside:74.125.19.148/80 to inside:10.xxx.xxx.xxx/3605 duration 0:01:34 bytes 2069 TCP Reset-I

Possible attack - Received ARP collision - 10.xxx.xxx.xxx - 20 - Local use 4 - 6 - Informational Built outbound TCP connection 114050015 for outside:216.38.169.106/80 (216.38.169.106/80) to inside:10.xxx.xxx.xxx/3807

Attack - UDP Bomb attack - 10.xxx.xxx.xxx - 20 - Local use 4 - 6 - Informational Teardown TCP connection 114000312 for outside:216.246.122.50/80 to inside:10.xxx.xxx.xxx/4588 duration 0:01:05 bytes 11289 TCP Reset-I
RE: PIX/ASA false alarms - 28.Sep.2009 10:18:46 AM
g33kfu
Posts: 6
Score: 0
Joined: 28.Sep.2009
Status: offline
Here is another example:

TCP connection limit exceeded - 10.xxx.xxx.xxx - 20 - Local use 4 - 5 - Notice 10.xxx.xxx.xxx Accessed URL 206.190.52.34:/ws/mail/v2.0/formrpc?m=ListFolders&appid=YahooMailRC&resetMessengerUnseen=true&wssid=K/9F&r=0.7971000458321971
RE: PIX/ASA false alarms - 28.Sep.2009 11:04:45 AM
DrewE
Posts: 1246
Score: 0
Joined: 28.Apr.2008
From: Cary, NC
Status: offline
You could create some noise filtering rules that run above the existing Syslog rules to filter out phrases such as %ARP collision% or %MAC mismatch collision%. This would prevent this type of message from ever being archived / alerted on within GFI EventsManager. Just remember, the order in which the rules are applied is important. After creating this new rule, right click on it and select "Move Up" until it is above all other existing Syslog rules.
RE: PIX/ASA false alarms - 28.Sep.2009 11:33:57 AM
g33kfu
Posts: 6
Score: 0
Joined: 28.Sep.2009
Status: offline
Those phrases are the subject field of the email notifications that come out after EM has already run its filters. It's not that I don't want to be notified about those types of events; it's just that I only want to be when they are real. I would have to create a new rule at the top that is somehow able to decipher whether the ASA code is legit or if the string is just contained in another part of the message such as the URL or connection number. I can't believe that nobody else has come across this problem.
RE: PIX/ASA false alarms - 16.Oct.2009 11:45:57 AM
miniman
Posts: 4
Score: 0
Joined: 16.Oct.2009
Status: offline
I've just realised what's been happening thanks to your post. I'm getting 100s of false alerts due to the text contained in the raw message, like you suggested. Here is an example; this generated a critical TCP Connection Limit Exceeded, which is code 201009.

Message Origin Details:
Message: Teardown ICMP connection for faddr XXXXX/0 gaddr XXXXXX/0 laddr XXXXXX/3389 to inside:XXXXXXX/3708 (XXXXXX/3708) ) 65) 2110995loadScriptCbs.c0&a125569774243732248 107&cjsid=1255697703&cjvf=1&tid=9&cm_sp=Save_up_to_half_price_on_selected_Philips_shavers-_-230909_201009-_-C9094_Link1&cm_re=Product-_-230909_201009-_-C9094_Link1&tid=9&cm_sp=Half_price_Braun_Series_3_340_wet_dry_shaver-_-230909_201009-_-C9094_Link2&cm_re=Product-_-230909_201009-_-C9094_
Date: 10/16/2009
Time: 1:58:42 PM
Source computer: XXXXX
Source PID: -1
Source Process: ra-nth-rub-fw2 %ASA-6-302021
Facility: 20 - Local use 4
Severity: 6 - Informational
Rule Name: TCP connection limit exceeded
Internal Event ID: A5D62269D1D342BAACC208F1EEA0C239
In Work Hours: Yes
RE: PIX/ASA false alarms - 16.Oct.2009 12:05:13 PM
g33kfu
Posts: 6
Score: 0
Joined: 28.Sep.2009
Status: offline
I actually ended up turning down the syslog severity levels so I wasn't getting "informational" messages from the ASA, since there isn't any real easy solution.
RE: PIX/ASA false alarms - 19.Oct.2009 8:36:37 AM
miniman
Posts: 4
Score: 0
Joined: 16.Oct.2009
Status: offline
I'm not a Cisco expert, but it appears that Cisco codes do not vary in severity, so what if you were to modify the filter so that the severity code was also included in the text? E.g. the Inbound TCP connection denied filter would be %PIX-2-106001%,%ASA-2-106001%. Anyone from GFI wish to comment?
RE: PIX/ASA false alarms - 23.Nov.2009 12:26:59 AM
mvirgilio
Posts: 4
Score: 0
Joined: 15.Dec.2008
Status: offline
I have the exact same problems you are speaking about. See my old post: http://forums.gfi.com/m_900771944/mpage_1/key_/tm.htm#900771944 I never was given a good answer to resolve this issue. I remember the "fix" being something like tweaking each of the rules which are firing incorrectly. Not a good solution. When new updates come out and random new rules are added, I'd have to search for each of them and tweak so I don't get false alarms? yeeahh. Basically I disabled sending syslog to EventsManager. Now I don't get active alerting at this point and I'll probably come back to this at some point, but if you figure out anything, please post back to this forum. I am using an ASA 5520. Thanks.
RE: PIX/ASA false alarms - 24.Nov.2009 5:47:10 PM
miniman
Posts: 4
Score: 0
Joined: 16.Oct.2009
Status: offline
I had an update from a member of the support team and there is no fix. My workaround is working well: modifying the event processing rules for ASA/PIX devices to include the severity code in the filter eliminated all the false alarms. The severity codes can be extracted from this Cisco document: http://www.cisco.com/en/us/docs/security/asa/asa72/system/message/72_log.pdf
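To make the root cause and the workaround concrete, here is an added Python model of the filter behaviour discussed in this thread (the opening post's "%ASA%400007%" filter and the severity-qualified "%ASA-4-400007%" form from the later posts). It is example code written for this page, not GFI EventsManager's own matching engine or any code from the posters. It assumes, as the filters quoted above imply, that "%" is a match-anything wildcard and "," separates alternatives. The sample syslog lines are constructed to resemble the ones pasted in the thread, with documentation-range addresses; the message IDs 400007 and 201009 are the ones named above, and 302014 and 304001 are the standard ASA IDs for the "Teardown TCP connection" and "Accessed URL" messages.

```python
import re
from typing import Dict, List

# Constructed sample syslog lines in Cisco ASA header format: %ASA-<severity>-<message id>.
# Addresses are documentation ranges; the texts mimic the examples pasted in the thread.
SAMPLE_MESSAGES: List[str] = [
    # Genuine IP fragment attack warning (message ID 400007).
    "%ASA-4-400007: IDS:1100 IP fragment attack from 203.0.113.5 to 192.0.2.10 on interface outside",
    # Benign teardown whose connection number happens to contain the digits 400007.
    "%ASA-6-302014: Teardown TCP connection 114000078 for outside:198.51.100.7/80 "
    "to inside:192.0.2.20/3605 duration 0:01:34 bytes 2069 TCP Reset-I",
    # Benign URL access whose query string happens to contain the digits 201009.
    "%ASA-5-304001: 192.0.2.30 Accessed URL 198.51.100.9:/promo?cm_sp=offer-_-230909_201009-_-C9094_Link1",
    # Genuine connection limit exceeded error (message ID 201009).
    "%ASA-3-201009: TCP connection limit of 100 for host 192.0.2.40 on outside exceeded",
]

# Rule filters in the form quoted in the thread: '%' is a wildcard, ',' separates alternatives.
NAIVE_RULES: Dict[str, str] = {
    "IP Fragment attack": "%PIX%400007%,%ASA%400007%",
    "TCP connection limit exceeded": "%PIX%201009%,%ASA%201009%",
}

# The workaround from the thread: require the severity digit between the device tag and the ID.
QUALIFIED_RULES: Dict[str, str] = {
    "IP Fragment attack": "%PIX-4-400007%,%ASA-4-400007%",
    "TCP connection limit exceeded": "%PIX-3-201009%,%ASA-3-201009%",
}


def like_to_regex(filter_string: str) -> "re.Pattern[str]":
    """Translate a comma-separated list of %-wildcard filters into one anchored regex.

    Each alternative is split on '%'; the literal pieces are escaped and joined
    with '.*', so '%ASA%400007%' becomes '.*ASA.*400007.*'.
    """
    alternatives = []
    for alt in filter_string.split(","):
        pieces = [re.escape(p) for p in alt.strip().split("%")]
        alternatives.append(".*".join(pieces))
    return re.compile("^(?:" + "|".join(alternatives) + ")$", re.DOTALL)


def triggered_rules(rules: Dict[str, str], message: str) -> List[str]:
    """Return the names of all rules whose filter matches the message."""
    return sorted(name for name, flt in rules.items() if like_to_regex(flt).match(message))


def evaluate(rules: Dict[str, str], messages: List[str]) -> List[List[str]]:
    """Run every message through the rule set; one list of rule names per message."""
    return [triggered_rules(rules, msg) for msg in messages]


def false_alarm_count(rules: Dict[str, str], messages: List[str]) -> int:
    """Count rule hits on messages whose own header ID is not the ID the rule is for.

    The header '%ASA-<sev>-<id>' says what the message actually is; a hit from a rule
    whose filter does not name that ID is a false alarm caused by a substring match
    elsewhere in the line (connection number, URL, and so on).
    """
    header = re.compile(r"%(?:PIX|ASA)-\d-(\d{6})")
    count = 0
    for msg, hits in zip(messages, evaluate(rules, messages)):
        own_id = header.match(msg).group(1)
        for name in hits:
            if own_id not in rules[name]:
                count += 1
    return count


if __name__ == "__main__":
    for label, rules in (("naive", NAIVE_RULES), ("severity-qualified", QUALIFIED_RULES)):
        print(f"{label}: {false_alarm_count(rules, SAMPLE_MESSAGES)} false alarm(s)")
        for msg, hits in zip(SAMPLE_MESSAGES, evaluate(rules, SAMPLE_MESSAGES)):
            print(f"  {msg[:32]:<34} -> {hits}")
```

Run as-is, the naive rule set fires on all four lines (two of them false alarms), while the severity-qualified set fires only on the two genuine events. The qualified form works because the "-<severity>-<id>" token is part of the ASA header and is very unlikely to recur inside a connection number or URL; its one dependency is that the severity in the filter matches the severity the device actually emits for that ID, so if a message's logging level has been customised on the firewall the filter has to follow it.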