Firewall - Cisco PIX ASA
| LP_CiscoPixAsa RIP Authentication Failed | |
|---|---|
| Description | Is triggered when the ASA receives Routing Information Protocol authentication failed messages (event id 107001). This message indicates a failed attempt to attack the ASA's routing table. |
| Log source | Cisco PixASA |
| Value | The ASA routing table should be monitored because an intruder can try to identify the existing keys. |
| Rationale | This alert detects failed Routing Information Protocol (RIP) authentication attempts, which could indicate active reconnaissance or an attempt to manipulate routing behavior. Monitoring such events helps detect early-stage network mapping or spoofing attempts. It supports NIST 800-53 SI-4 (System Monitoring), AC-4 (Information Flow Enforcement), ISO 27001 A.13.1.1 (Network Controls), and CIS Control 13.1 (Network Monitoring). |
| Query | |
| Comments | If the source IP address in the alarm message is not known, the RIP authentication key must be exchanged between two "trusted entities". |
| Type | Alert |
| MITRE ATT&CK | T1595.002 – Active Scanning: Network Service Scanning |
| LP_CiscoPixAsa Fragment Database Limit Exceeded | |
|---|---|
| Description | Triggered if the number of matching flows being cached on the ASA exceeds the configured limit - set with the 'access-list-deny-flow-max' command. |
| Log source | Firewall |
| Value | Can be used to detect Denial-of-Service (DoS) attacks. |
| Rationale | This alert identifies when the number of cached fragment flows exceeds configured limits, potentially indicating a Denial-of-Service (DoS) attack targeting the ASA firewall. Monitoring such conditions helps maintain availability and detect volumetric abuse. It supports NIST 800-53 SI-4 (System Monitoring), SC-5 (Denial of Service Protection), ISO 27001 A.12.1.3 (Capacity Management), and CIS Control 13.1 (Network Monitoring). |
| Query | |
| Comments | Use the 'access-list-deny-flow-max' command to set a max to minimize false-positives but still detect a DoS attack. |
| Type | Alert |
| MITRE ATT&CK | T1499 – Endpoint Denial of Service |
| LP_CiscoPixAsa Deny Flow Limit Reached | |
|---|---|
| Description | Is triggered if a user exceeds the 'user authentication proxy limit' and has opened too many connections to the proxy (Event ID: 109017). |
| Log source | Cisco PixASA |
| Value | Can be used to detect Denial-of-Service (DoS) attacks. |
| Rationale | This alert detects when a user exceeds the authentication proxy connection limit, which may indicate a Denial-of-Service (DoS) attempt to exhaust firewall or proxy resources. Such attacks can disrupt services and evade detection. Monitoring this supports NIST 800-53 SI-4 (System Monitoring), SC-5 (Denial of Service Protection), ISO 27001 A.12.1.3 (Capacity Management), and CIS Control 13.1 (Network Monitoring). |
| Query | |
| Comments | If this alarm is also triggered by normal user activity, it is recommended to increase the proxy limit. |
| Type | Alert |
| MITRE ATT&CK | T1499 – Endpoint Denial of Service |
| LP_CiscoPixAsa DoS Attack | |
|---|---|
| Description | Triggered when an attacker attempts to perform a Network Denial of Service (DoS) attack to reduce or block the availability of resources to users. |
| Log source | Cisco PixASA |
| Value | Can be used to detect Denial-of-Service (DoS) attacks. |
| Rationale | This alert identifies potential Denial-of-Service (DoS) attacks aimed at overwhelming network resources and reducing system availability. Early detection is critical to ensure continuity of operations, especially in public sector infrastructure. It supports NIST 800-53 SC-5 (Denial of Service Protection), SI-4 (System Monitoring), ISO 27001 A.12.1.3 (Capacity Management), and CIS Control 13.1 (Network Monitoring). |
| Query | |
| Comments | This can potentially generate several 'failed DoS attack' alerts, so it is worth considering whether the number of alerts needs to be reduced. |
| Type | Alert |
| MITRE ATT&CK | T1499 – Endpoint Denial of Service |
| LP_Cisco Mac Spoofing or Misconfiguration | |
|---|---|
| Description | Is triggered whenever a packet from an offending MAC address is received on a specified interface, but the source MAC address in the packet is statically bound to another interface in the configuration (event id 322001). |
| Log source | Firewall |
| Value | Threat actors can use MAC spoofing to position themselves between two or more network devices. |
| Rationale | This alert detects packets with MAC addresses appearing on unexpected interfaces, which may signal MAC spoofing attempts. Threat actors may use this technique to perform Man-in-the-Middle (MitM) attacks. Monitoring helps detect unauthorized network positioning. This supports NIST 800-53 AC-4 (Information Flow Enforcement), SI-4 (Monitoring), ISO 27001 A.13.1.1 (Network Controls), and CIS Control 13.8 (Detect Unusual Network Behavior). |
| Query | |
| Comments | Check the device configuration to conclude whether it is a misconfiguration or a potential case of MAC spoofing. |
| Type | Alert |
| MITRE ATT&CK | T1557.002 – Man-in-the-Middle: ARP Spoofing |
| LP_CiscoPixAsa Malicious Pattern in Email | |
|---|---|
| Description | Is triggered if the ASA detects a malicious pattern in an e-mail address (Event ID: 108003) and the connection is dropped. |
| Log source | Cisco PixASA |
| Value | Since the connection is already dropped, this is a good opportunity to investigate whether the e-mail was actually malicious and thus to monitor the accuracy of this alarm. |
| Rationale | This alert triggers when a malicious pattern is detected in an email address and the connection is dropped (Event ID: 108003). While the threat is blocked, it offers a chance to validate phishing detection capabilities and investigate targeting patterns. Supports NIST 800-53 SI-4 (Monitoring), IR-4 (Incident Handling), ISO 27001 A.12.2.1 (Malware Protection), and CIS Control 14.4 (Monitor Email and Web Content). |
| Query | |
| Comments | - |
| Type | Alert |
| MITRE ATT&CK | T1566.001 – Phishing: Spearphishing Attachment |
| LP_CiscoPixAsa Man in the Middle Attack | |
|---|---|
| Description | Triggered if the 'peer certificate' includes a subject name that does not match the output of the 'ca verifycertdn' command (Event ID: 320001). |
| Log source | Cisco PixASA |
| Value | Can help provide good insight into the network. |
| Rationale | This alert detects when a peer certificate subject name does not match the expected identity (ca verifycertdn mismatch), suggesting a possible Man-in-the-Middle (MitM) attack using spoofed certificates. This type of inspection helps protect against credential theft or traffic interception. It aligns with NIST 800-53 SC-12 (Cryptographic Protection), SC-23 (Session Authenticity), ISO 27001 A.10.1 (Cryptographic Controls), and CIS Control 13.8 (Detect Unusual Network Behavior). |
| Query | |
| Comments | - |
| Type | Alert |
| MITRE ATT&CK | T1566.001 – Phishing: Spearphishing Attachment |
| LP_CiscoPixAsa Per Client Embryonic Connection Limit was Exceeded | |
|---|---|
| Description | Triggered when a 'per client embryonic connection' (a connection in the process of being established) limit is exceeded (Event ID: 201012). |
| Log source | Cisco PixASA |
| Value | When the limit is reached, any new connection request will be proxied by the Secure Firewall ASA to avoid a SYN flood attack. It is possible to increase the number of allowed 'embryonic connections'. |
| Rationale | This alert detects when the number of embryonic (half-open) TCP connections from a single client exceeds the configured threshold, which is a common symptom of a SYN flood Denial-of-Service (DoS) attack. Monitoring and limiting such connections helps maintain network availability. It supports NIST 800-53 SC-5 (DoS Protection), SI-4 (Monitoring), ISO 27001 A.12.1.3 (Capacity Management), and CIS Control 13.1 (Network Monitoring). |
| Query | norm_id=CiscoPixAsaFirewall event_id=201012 |
| Comments | - |
| Type | Alert |
| MITRE ATT&CK | T1499 – Endpoint Denial of Service |
| LP_CiscoPixAsa Remote Access Denied | |
|---|---|
| Description | Triggered if a remote connection is denied. |
| Log source | Cisco PixASA |
| Value | This alarm can provide insight into the number of remote connections that are being rejected. In this way, it can be investigated whether someone is trying to log in from the outside, or whether there is a problem elsewhere. |
| Rationale | This alert tracks denied remote access attempts, which could indicate unauthorized access attempts or misconfigurations. Monitoring such activity helps detect early signs of intrusion and supports access control enforcement. It aligns with NIST 800-53 AC-17 (Remote Access), SI-4 (System Monitoring), ISO 27001 A.9.4.2 (Secure Log-on Procedures), and CIS Control 12.6 (Remote Access Monitoring). |
| Query | |
| Comments | - |
| Type | Alert |
| MITRE ATT&CK | T1021 – Remote Services |
| LP_CiscoPixAsa Rip Packet Failed | |
|---|---|
| Description | Triggered when a RIP packet fails. It may be an attempt to exploit the ASA's routing table (Event ID: 107002). |
| Log source | Firewall |
| Value | It makes it possible to detect if someone is trying to exploit the ASA's routing table (Event ID: 107002). |
| Rationale | This alert identifies failed RIP packets, which may indicate attempts to probe or manipulate the ASA’s routing table. Such reconnaissance activity could precede route injection or man-in-the-middle attacks. Monitoring this supports NIST 800-53 SI-4 (System Monitoring), AC-4 (Information Flow Enforcement), ISO 27001 A.13.1.1 (Network Controls), and CIS Control 13.1 (Network Monitoring). |
| Query | |
| Comments | This alert indicates a potential attack and should be monitored. |
| Type | Alert |
| MITRE ATT&CK | T1595.002 – Active Scanning: Network Service Scanning |
| LP_CiscoPixAsa Suspicious Network Activity | |
|---|---|
| Description | Is triggered if a 'RIP packet' fails, which may be an attempt to exploit the ASA's routing table (Event ID: 107002). |
| Log source | Cisco PixASA |
| Value | Can be instrumental in detecting suspicious network activity. |
| Rationale | This alert triggers on repeated denied connections, particularly failed RIP packets, which may indicate scanning or probing attempts against the firewall's routing table. Detecting such anomalous activity supports early threat identification. It aligns with NIST 800-53 SI-4 (System Monitoring), AC-4 (Information Flow Enforcement), ISO 27001 A.13.1.1 (Network Controls), and CIS Control 13.1 (Network Monitoring). |
| Query | |
| Comments | Consider how many events should be required before the alarm is triggered. The default is 10. |
| Type | Alert |
| MITRE ATT&CK | T1595.002 – Active Scanning: Network Service Scanning |
Cisco PIX/ASA Dashboards
| LP_CISCO: PIX ASA - Overview | |
|---|---|
| Description | Displays information from Cisco PIX ASA firewall logs. The majority of data is presented as top 10 lists. |
| Log source | Cisco PixASA |
| Value | Provides organizations a comprehensive overview of network activity, user behavior, and potential security threats, enabling proactive response and improved security posture. |
| Rationale | This dashboard aggregates a broad range of network and user activity from Cisco PIX ASA logs, such as authentication attempts, dropped packets, and protocol usage. It supports identifying misconfigurations, unauthorized access, and potential threat activity. This contributes to situational awareness per NIST 800-53 SI-4 (System Monitoring), ISO 27001 A.13.1.1 (Network Controls), and CIS Control 13.1 (Network Monitoring). |
| Widgets / Use cases | 1. Top 10 Successful User Authentication; 2. Top 10 Failed User Authentication; 3. Top 10 Blocked Ports; 4. Dropped Packets timeline; 5. Accepted Packet timeline; 6. Top 10 protocols by Action; 7. Top 10 outgoing sources; 8. Top 10 incoming sources; 9. Top 10 Dropped Packet source; 10. Top 10 Successful Remote User Login; 11. Top 10 Failed Remote Login; 12. Top 10 Successful Network Login; 13. Top 10 Failed Network Login; 14. Interface Status; 15. CPU Usage timeline; 16. Number of connections; 17. Top 10 ports in inbound connections; 18. Top 10 ports in outbound connections; 19. Top 10 outbound destinations by Geolocation; 20. Top 10 inbound sources by Geolocation; 21. Top 10 Data Transfer; 22. Top 10 outbound data transfer; 23. Top 10 inbound received data size |
| Comments | It is possible to configure the widgets, e.g. Top 20 instead of Top 10. |
| Type | Dashboard |
| MITRE ATT&CK | T1040 – Network Sniffing |