Mar 2, 2016

Analyzing logs to filter traffic that hits an access list entry

If you have a generic access rule and you want to make it more specific, you can use logs to help you on filtering sources, destinations and/or services that hit the rule.

By default, ASA only logs denied packets (message %ASA-4-106023), but we can use the log option to enable logging for specific rules.

Log messages %ASA-6-106100 and access list entries hash codes are helpful to find out what traffic matches an specific rule. Let's use the following ACL as an example:

asa# sh access-list
access-list inside line 1 extended permit tcp any any eq www log informational interval 300 (hitcnt=1) 0xaa22f669
access-list inside line 2 extended permit object-group services any any log informational interval 300 0x3d0397cc
 access-list inside line 2 extended permit icmp any any log informational interval 300 (hitcnt=0) 0x55873f33
 access-list inside line 2 extended permit tcp any any eq telnet log informational interval 300 (hitcnt=1) 0x44b661f2


The ACL has two rules and log option is enabled on both. One is a single rule and the other one uses an object-group for service definition. Note that we have a hash code for each rule, but we also have one hash code for every group member (expanded rule elements).

If we want to filter logs that match the first rule, we use the following command:

!access-list inside line 1 extended permit tcp any any eq www:
asa# sh log | i 106100.*0xaa22f669
Mar 03 2016 01:11:21: %ASA-6-106100: access-list inside permitted tcp inside/10.0.0.10(48338) -> outside/192.0.2.2(80) hit-cnt 1 first hit [0xaa22f669, 0x0]


This is a single rule, thus only one hash code is present in the log message.

If we want to find out what traffic matches the second rule, we can filter for one specific object member or the group ACE:

!access-list inside line 2 extended permit tcp any any eq telnet:
asa(config)# sh log | i 106100.*0x44b661f2
Mar 03 2016 01:12:09: %ASA-6-106100: access-list inside permitted tcp inside/10.0.0.10(44036) -> outside/192.0.2.2(23) hit-cnt 1 first hit [0x3d0397cc, 0x44b661f2]


!access-list inside line 2 extended permit object-group services any any:
asa# sh log | i 106100.*0x3d0397cc
Mar 03 2016 01:32:04: %ASA-6-106100: access-list inside permitted tcp inside/10.0.0.10(37284) -> outside/192.0.2.2(23) hit-cnt 1 first hit [0x3d0397cc, 0x44b661f2]
Mar 03 2016 01:32:54: %ASA-6-106100: access-list inside permitted tcp inside/10.0.0.10(64900) -> outside/192.0.2.2(21) hit-cnt 1 first hit [0x3d0397cc, 0x7a45343d]


Based on these log messages, we could replace the existing generic ACEs with more specific rules.

No comments:

Post a Comment