Identification of Malicious Traffic Using Cisco Security Manager

Introduction

The Cisco Security Manager can provide visibility into the effectiveness of security configurations on various devices through incidents, queries, and event reporting. This document provides identification techniques that administrators can deploy on Cisco network devices to identify whether the prevention methods are having the desired effect.

Cisco Security Manager Event Viewer

Beginning in software version 4.0, Cisco Security Manager can collect syslogs (system logs) from Cisco firewalls and Cisco Intrusion Prevention System (IPS) devices and provides the Event Viewer, which monitors the network for syslog events from ASA and FWSM devices and security contexts and Security Device Event Exchange (SDEE) events from IPS devices and virtual sensors. Event Viewer collects these events and provides an interface by which administrators can view them, group them, and examine their details.

Using the IPS Alert Events predefined view in the Event Viewer, the user can enter a search string in the format XXXX/X (signature ID/subsignature ID) in the event filter to return all captured events related to that Cisco IPS signature.

Using the following filters in the Firewall Denied Events predefined view in the Event Viewer provides all captured Cisco firewall access list deny syslog messages that could indicate potential attempts to exploit security vulnerabilities:

  • Use the Destination event filter to filter network objects that contain the IP address space that is used by the devices to be monitored (for example, the trusted IP version 4 [IPv4] address range 192.168.60.0/24 and IP version 6 [IPv6] address range 2001:DB8:1:60::/64)
  • Use the Destination Service event filter to filter objects that contain specific protocols and ports

An Event Type ID filter can be used with the Firewall Denied Events predefined view in the Event Viewer to restrict results to specific syslog IDs, which provides all captured Cisco firewall deny syslog messages that could indicate potential attempts to exploit vulnerabilities. The following list provides examples:

  • ASA-4-106021 (uRPF spoofing)
  • ASA-4-106023 (ACL deny)
  • ASA-4-415006 (HTTP inspection)
  • ASA-4-415007 (HTTP inspection)
  • ASA-4-410003 (DNS inspection)
  • ASA-4-416001 (SNMP inspection)

For more information about Cisco Security Manager Events, see the Filtering and Querying Events section of the Cisco Security Manager User Guide.

Cisco Security Manager Report Manager

Beginning in software version 4.1, Cisco Security Manager supports the Report Manager, the Cisco IPS event reporting feature. This feature allows an administrator to define reports based on Cisco IPS events of interest. Reports can be scheduled or users can run ad hoc reports as required.

Using the Report Manager, the user can define an IPS Top Signatures report for Cisco IPS devices of interest based on time-range and signature characteristics.

Cisco Security Manager generates a comprehensive report that ranks the signature of interest by the count of alerts it fired, compared to the total of all signature alerts shown in the report.

Also in the Report Manager, the Top Services report can be used with the following configuration to generate a report of events that indicate potential attempts to exploit security vulnerabilities:

  • Use the Destination IP network filter to filter network objects that contain the IP address space that is used by the affected devices (for example, IPv4 address range 192.168.60.0/24 and IPv6 address range 2001:DB8:1:60::/64)
  • Set an action of Deny on the Criteria settings page

For more information about Cisco Security Manager IPS Event Reporting see the Understanding IPS Top Reports section of the Cisco Security Manager User Guide.

Event Management System Partner Events

Cisco works with industry-leading Security Information and Event Management (SIEM) companies through the Cisco Developer Network. This partnership helps Cisco deliver validated and tested SIEM systems that address business concerns such as long-term log archiving and forensics, heterogeneous event correlation, and advanced compliance reporting.

SIEM partner products can collect events from Cisco devices. Administrators can then query the collected events for the incidents created by a Cisco IPS signature or for deny syslog messages from firewalls that could indicate potential attempts to exploit security vulnerabilities. The queries can be made by signature ID and syslog ID as shown in the following list:

  • XXXX/X (IPS Signature format XXXX/X)
  • ASA-4-106021 (uRPF spoofing)
  • ASA-4-106023 (ACL deny)
  • ASA-4-415006 (HTTP inspection)
  • ASA-4-415007 (HTTP inspection)
  • ASA-4-410003 (DNS inspection)
  • ASA-4-416001 (SNMP inspection)
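As an added illustration (not part of the original Cisco document and not Cisco Security Manager or SIEM partner code), the following Python script applies the same two filters described in the Event Viewer section and in the SIEM query list above: it parses constructed ASA syslog lines, keeps only the syslog IDs listed, checks whether the destination address falls inside the monitored 192.168.60.0/24 or 2001:DB8:1:60::/64 ranges, and tallies the hits by syslog ID in the way a Top Signatures or Top Services report ranks them. The sample lines are constructed; the message layouts follow the ASA 106023 (ACL deny) and 106021 (uRPF) formats, and the exact rendering of IPv6 addresses in the 106023 line is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Syslog IDs the document lists as possible exploit-attempt indicators.
EVENT_IDS_OF_INTEREST = {
    "ASA-4-106021": "uRPF spoofing",
    "ASA-4-106023": "ACL deny",
    "ASA-4-415006": "HTTP inspection",
    "ASA-4-415007": "HTTP inspection",
    "ASA-4-410003": "DNS inspection",
    "ASA-4-416001": "SNMP inspection",
}

# Monitored address space taken from the document's example ranges.
MONITORED_NETWORKS = [
    ipaddress.ip_network("192.168.60.0/24"),
    ipaddress.ip_network("2001:DB8:1:60::/64"),
]

# Constructed sample syslog lines (not real device output). Line 2 is a deny
# towards an unmonitored network, line 4 is an allowed connection (noise).
SAMPLE_SYSLOG = """\
<164>Jun 10 12:00:01 asa1 %ASA-4-106023: Deny tcp src outside:203.0.113.5/41022 dst inside:192.168.60.10/80 by access-group "outside_in" [0x0, 0x0]
<164>Jun 10 12:00:02 asa1 %ASA-4-106023: Deny udp src outside:198.51.100.7/5353 dst dmz:10.1.1.4/53 by access-group "outside_in" [0x0, 0x0]
<164>Jun 10 12:00:03 asa1 %ASA-4-106021: Deny tcp reverse path check from 192.168.60.99 to 192.168.60.20 on interface outside
<166>Jun 10 12:00:04 asa1 %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.5/41023 (203.0.113.5/41023) to inside:192.168.60.10/443 (192.168.60.10/443)
<164>Jun 10 12:00:05 asa1 %ASA-4-106023: Deny tcp src outside:2001:db8:ffff::9/50000 dst inside:2001:db8:1:60::25/22 by access-group "outside_in_v6" [0x0, 0x0]
"""

# "%ASA-<severity>-<6-digit message number>:" identifies the syslog ID.
MSGID_RE = re.compile(r"%(ASA-\d-\d{6}):")

# Destination extraction, one pattern per message layout. The address is the
# text between "<interface>:" and the last "/<port>", which also works for
# IPv6 addresses that contain colons themselves.
DST_PATTERNS = [
    re.compile(r"\bdst [\w-]+:(\S+)/\d+"),             # 106023: dst iface:addr/port
    re.compile(r"\bfrom \S+ to (\S+) on interface"),   # 106021: from src to dst on interface
]


def parse_event(line):
    """Return {'msg_id', 'dst', 'raw'} for an ASA syslog line, or None."""
    m = MSGID_RE.search(line)
    if not m:
        return None
    dst = None
    for pattern in DST_PATTERNS:
        d = pattern.search(line)
        if d:
            dst = d.group(1)
            break
    return {"msg_id": m.group(1), "dst": dst, "raw": line}


def in_monitored_space(addr, networks=MONITORED_NETWORKS):
    """True if addr (IPv4 or IPv6 text) lies inside one of the networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def filter_events(text, event_ids=EVENT_IDS_OF_INTEREST, networks=MONITORED_NETWORKS):
    """Apply the Event Type ID filter and the Destination filter to raw syslog text."""
    hits = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["msg_id"] not in event_ids:
            continue
        if ev["dst"] is None or not in_monitored_space(ev["dst"], networks):
            continue
        ev["description"] = event_ids[ev["msg_id"]]
        hits.append(ev)
    return hits


def count_by_event_id(hits):
    """Rank matching events by syslog ID, as a Top report would."""
    return Counter(ev["msg_id"] for ev in hits)


if __name__ == "__main__":
    matches = filter_events(SAMPLE_SYSLOG)
    for ev in matches:
        print(f"{ev['msg_id']} ({ev['description']}) -> {ev['dst']}")
    for msg_id, count in count_by_event_id(matches).most_common():
        print(f"{msg_id}: {count}")
```

The same two functions can be pointed at a syslog collector's export when the Event Viewer is not available; extending DST_PATTERNS is all that is needed for the inspection-engine messages (415006, 415007, 410003, 416001), whose layouts are not shown here.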

For more information about SIEM partners, see the Security Management Developer Center.

Conclusion

In summary, the vulnerability exploit attempt identification techniques presented in this document can be used by network administrators and security engineers to identify other vulnerability exploit attempts. These techniques can be leveraged by using the attack vector characteristics of the vulnerability investigated in place of the example attack vectors used in the document. These techniques help administrators ensure that the exploit attempts do not have any impact on the network.

Resources

This document is part of Cisco Security Intelligence Operations.

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
