I have one ASA firewall that services 2000+ users spread out over dozens of small/remote offices. The inside-to-outside ruleset permits certain traffic (http/s, DNS, other 'normal' ports), but has a "deny any any" at the end. I think this is fairly normal in a corporate environment, otherwise you'd have all sorts of nastiness (p2p for example) transiting your firewall and internet circuits.
The problem is that the 'deny any any' syslogs that get forwarded to MARS generate a TON of events, all GREEN level (since the packets were denied), all based off of 'Deny packet due to security Policy'.
The rules that fire include:
System Rule: Network Errors - Likely Routing Related
System Rule: Configuration Issue - Firewall
System Rule: Network Activity - Excessive Denies - Host Compromise Likely
System Rule: Network Activity - P2P
Keeping up with the volume of MARS events was proving too difficult, so I created a report that runs every hour, aggregating the above events. I used Custom Columns, with Source IP/port, Destination IP/port/protocol, Reporting Device, and Time Range. This does a great job of showing me which devices are generating the most denies on the firewall, and therefore the most events/incidents in MARS.
I've been able to isolate some of the traffic to peer-to-peer apps running on corporate laptops (tcp port 6346 is a dead giveaway), which I solved with corporate policy and not technology per se.
However, I'm still left with a slew of events that clog up MARS. Sometimes it's a laptop that must have just come from a client/project site, and they were configured to use/print to one of their servers/printers. Other times I can research the destination ports and/or IP addresses and determine what the app was that created the traffic (e.g. although IM ports are not enabled by default, the IM apps (AOL, Yahoo, etc) always do their standard checks first before defaulting to 80 or 443 (sic).)
My question is: how does everyone else deal with this? I could literally spend all day researching why IP address ABC sent traffic XYZ to some random destination. There's definite value to this (again, p2p, plus I've caught a number of systems infected with viruses, and even some of my own servers that were doing funky (but not malicious) things, etc.)
Am I doomed to forever play MARS 'whack-a-mole', or is there a better way to reduce the volume of incidents that appear?
I'd be really interested to hear how others are keeping ahead of MARS when it floods them with events.
I should also note that, as a test, I disabled the aforementioned Rules that were creating all of the incidents. This just caused other (Red level) MARS rules to fire (Excessive denies, DoS attacks, etc.)
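The hourly "which host is generating the most denies" report described in the post can be reproduced outside MARS directly from the ASA syslog feed. The script below is an added example and is not the poster's report or any Cisco tooling; it assumes the standard ASA message-ID 106023 format for "Deny ... by access-group" lines (port absent and a "(type N, code N)" field present for ICMP), the sample log lines are constructed for illustration, and the only port it treats as a p2p indicator is tcp/udp 6346, the one the post names.

```python
import re
from collections import Counter

# Assumed ASA message-ID 106023 layout, e.g.
# %ASA-4-106023: Deny tcp src inside:10.1.2.3/54321 dst outside:203.0.113.9/6346 by access-group "inside_access_in" [0x0, 0x0]
# ICMP denies carry no port and insert "(type N, code N)" before "by access-group".
DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))? "
    r"(?:\(type \d+, code \d+\) )?"
    r'by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample syslog lines (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src inside:10.20.30.40/49152 dst outside:198.51.100.7/6346 by access-group "inside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.20.30.40/49153 dst outside:198.51.100.8/6346 by access-group "inside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:10.20.30.40/6346 dst outside:198.51.100.9/6346 by access-group "inside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.20.30.41/50001 dst outside:192.0.2.50/9100 by access-group "inside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.20.30.41/50002 dst outside:192.0.2.50/9100 by access-group "inside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny icmp src inside:10.20.30.42 dst outside:192.0.2.50 (type 8, code 0) by access-group "inside_access_in" [0x0, 0x0]
%ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.20.30.43/51000 (10.20.30.43/51000)
"""

# Destination ports the post identifies as a p2p giveaway (tcp 6346 = Gnutella).
P2P_PORTS = {"6346"}


def parse_denies(lines):
    """Yield one dict of fields per 106023 deny line; other message IDs are skipped."""
    for line in lines:
        m = DENY_RE.search(line)
        if m:
            yield m.groupdict()


def top_sources(log_text, n=10):
    """Inside hosts ranked by number of denies, like the report's Source IP column."""
    counts = Counter(d["src_ip"] for d in parse_denies(log_text.splitlines()))
    return counts.most_common(n)


def top_flows(log_text, n=10):
    """(src, proto, dst, dst_port) tuples ranked by deny count; dst_port is None for ICMP."""
    counts = Counter(
        (d["src_ip"], d["proto"], d["dst_ip"], d["dst_port"])
        for d in parse_denies(log_text.splitlines())
    )
    return counts.most_common(n)


def p2p_suspects(log_text, ports=P2P_PORTS):
    """Sorted list of inside hosts whose denied traffic targeted a known p2p port."""
    hosts = {
        d["src_ip"]
        for d in parse_denies(log_text.splitlines())
        if d["dst_port"] in ports
    }
    return sorted(hosts)


if __name__ == "__main__":
    for ip, count in top_sources(SAMPLE_LOG):
        print(f"{ip:15} {count} denies")
    for (src, proto, dst, port), count in top_flows(SAMPLE_LOG):
        print(f"{src:15} {proto:4} -> {dst}:{port}  x{count}")
    print("p2p suspects:", p2p_suspects(SAMPLE_LOG))
```

Pointing it at an hour of exported syslog gives the same triage view the MARS custom-column report does: the repeated flow to a single destination on tcp/9100 reads like the "laptop still configured for a client site's printer" case from the post, while a host spraying many destinations on 6346 is the p2p case, and both can be handled before the per-event incidents pile up.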