08-17-2010 11:42 AM - edited 03-10-2019 05:05 AM
I have an ASA 5510 with an SSM-10 module. I have global correlation turned on and updating. When I look at the dashboard's "Global Correlation Report" I see packets that have been denied by global correlation. Can someone tell me how global correlation events are logged? I'd like to be able to see the raw data associated with the global correlation.
Thanks.
08-17-2010 06:32 PM
Hi,
For starters, below is information regarding Global correlation (GC) on the IPS:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_collaboration.html
As can be seen, basically, the global correlation feature adjusts the risk ratings based on the level at which we configure the GC, that is, permissive/standard/aggressive, and also based on the GC score for the attacker IP address. After adjusting the risk ratings, the IPS denies packets based on the event action overrides that we may have configured.
Another method in which GC is used for filtering is "reputation filtering" (by default it's OFF in the IPS). What this feature does when ON is deny packets from certain known bad hosts, whose addresses are downloaded along with the manifests. Hope this helps.
All the best!
Regards,
Prapanch
08-19-2010 06:37 AM
This helps. However, I have one other question. I've got a Python script that someone wrote to pull SDEE events from the IPS module. In the code they are pulling the following fields related to global correlation:
Global Correlation Score
Global Correlation Risk Delta
Global Correlation Modified Risk Rating
Global Correlation Deny Packet
Global Correlation Deny Attacker
Also a field that specifies if the packet was dropped (isDropped)?
I've looked at the settings, including setting the Event action on rule0 for all risk levels to at least produce a verbose alert but I'm still not seeing these fields. Where do these fields come from and how can I get them?
Thanks.
08-19-2010 07:30 AM
Hi,
Take a look at this:
As can be seen, whenever "global correlation" causes any kind of action to be taken by the IPS it produces an alert unless the packet is being denied by "reputation filtering" which does not produce any kind of alert. Also, "This feature only applies to global correlation inspection where the traffic is allowed if no specific signature is matched".
I am not sure of all those fields in the alert, but I have seen at least some of them. If you are not seeing any alerts with those fields, then global correlation may not be seeing any instances where it has had to modify the risk ratings and take appropriate actions for it, that is, you may not be receiving any kind of such packets from malicious hosts at all in the first place.
Also, if you have "reputation filtering" on, you might want to turn it OFF to ensure it is not causing this behavior.
Regards,
Prapanch
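The question above pulls SDEE events with a Python script, and the answer turns on whether the global correlation fields are present in an alert at all. The block below is an added example (not the poster's script and not Cisco's code) of how such a script can extract those fields from an evIdsAlert and attribute a dropped packet either to global correlation or to the signature's own event action. The XML, its namespace URIs, the droppedPacket action element and the values are all constructed for this example; the element names for the global correlation block follow the field names listed in the question, and the parser matches on local element names only, so it does not depend on the exact namespace prefixes a sensor emits.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample SDEE response (not captured from a real sensor). The
# namespace URIs are placeholders; real CIDEE/SDEE namespaces differ, which is
# why every lookup below goes through local_name() instead of a fixed prefix.
SAMPLE_EVENTS = """<?xml version="1.0" encoding="UTF-8"?>
<sd:events xmlns:sd="urn:example:sdee" xmlns:cid="urn:example:cidee">
  <sd:evIdsAlert eventId="1001" severity="high" vendor="Cisco">
    <sd:signature description="TCP SYN Port Sweep" id="3002" version="S1"/>
    <sd:participants>
      <sd:attacker><sd:addr locality="OUT">203.0.113.7</sd:addr></sd:attacker>
      <sd:target><sd:addr locality="IN">192.0.2.10</sd:addr></sd:target>
    </sd:participants>
    <cid:riskRatingValue>95</cid:riskRatingValue>
    <sd:actions><cid:droppedPacket>true</cid:droppedPacket></sd:actions>
    <cid:globalCorrelation>
      <cid:globalCorrelationScore>-8</cid:globalCorrelationScore>
      <cid:globalCorrelationRiskDelta>30</cid:globalCorrelationRiskDelta>
      <cid:globalCorrelationModifiedRiskRating>true</cid:globalCorrelationModifiedRiskRating>
      <cid:globalCorrelationDenyPacket>true</cid:globalCorrelationDenyPacket>
      <cid:globalCorrelationDenyAttacker>false</cid:globalCorrelationDenyAttacker>
    </cid:globalCorrelation>
  </sd:evIdsAlert>
  <sd:evIdsAlert eventId="1002" severity="high" vendor="Cisco">
    <sd:signature description="SQL Query in HTTP Request" id="5474" version="S1"/>
    <sd:participants>
      <sd:attacker><sd:addr locality="OUT">198.51.100.23</sd:addr></sd:attacker>
      <sd:target><sd:addr locality="IN">192.0.2.20</sd:addr></sd:target>
    </sd:participants>
    <cid:riskRatingValue>90</cid:riskRatingValue>
    <sd:actions><cid:droppedPacket>true</cid:droppedPacket></sd:actions>
  </sd:evIdsAlert>
</sd:events>
"""

GC_FIELDS = {
    # local element name                     -> (key in result, converter)
    "globalCorrelationScore": ("score", int),
    "globalCorrelationRiskDelta": ("risk_delta", int),
    "globalCorrelationModifiedRiskRating": ("modified_risk_rating", None),
    "globalCorrelationDenyPacket": ("deny_packet", None),
    "globalCorrelationDenyAttacker": ("deny_attacker", None),
}


def local_name(tag):
    """Strip the '{uri}' prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def find_local(elem, name):
    """First descendant (or elem itself) whose local tag name is `name`."""
    for node in elem.iter():
        if local_name(node.tag) == name:
            return node
    return None


def as_bool(text):
    return (text or "").strip().lower() == "true"


def parse_alert(alert):
    """Flatten one evIdsAlert into a dict; global_correlation is None when
    the sensor did not emit the block (i.e. GC took no action on it)."""
    sig = find_local(alert, "signature")
    attacker = find_local(find_local(alert, "attacker"), "addr")
    rr = find_local(alert, "riskRatingValue")
    dropped = find_local(alert, "droppedPacket")
    rec = {
        "event_id": alert.get("eventId"),
        "sig_id": sig.get("id") if sig is not None else None,
        "attacker": attacker.text.strip() if attacker is not None else None,
        "risk_rating": int(rr.text) if rr is not None else None,
        "dropped": as_bool(dropped.text) if dropped is not None else False,
        "global_correlation": None,
    }
    gc = find_local(alert, "globalCorrelation")
    if gc is not None:
        fields = {}
        for elem_name, (key, conv) in GC_FIELDS.items():
            node = find_local(gc, elem_name)
            if node is None:
                continue
            fields[key] = conv(node.text) if conv else as_bool(node.text)
        rec["global_correlation"] = fields
    return rec


def parse_events(xml_text):
    root = ET.fromstring(xml_text)
    return [parse_alert(a) for a in root.iter() if local_name(a.tag) == "evIdsAlert"]


def classify_drop(rec):
    """Was the drop caused by global correlation, or by the signature's own
    event action (possibly via a risk-rating override)?"""
    if not rec["dropped"]:
        return "not-dropped"
    gc = rec["global_correlation"]
    if gc and gc.get("deny_packet"):
        return "dropped-by-global-correlation"
    return "dropped-by-signature-action"


def summarize(recs):
    """Count drops by cause, the same split the Global Correlation Report shows."""
    return dict(Counter(classify_drop(r) for r in recs))


if __name__ == "__main__":
    records = parse_events(SAMPLE_EVENTS)
    for r in records:
        print(r["event_id"], r["attacker"], r["risk_rating"], classify_drop(r), r["global_correlation"])
    print(summarize(records))
```

Event 1001 carries the globalCorrelation block with deny_packet true, so it is attributed to global correlation; event 1002 was dropped at risk rating 90 with no globalCorrelation block at all, which is the "dropped by the traditional IPS rules" case the original poster ends up describing. A script that only looks for the GC fields will see nothing for events like 1002 even though the packet was dropped, which is the behaviour the thread is chasing.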
08-19-2010 09:06 AM
I looked at the Global Correlation Report on my IPS and discovered that all of the traffic that was being dropped was being done by the traditional IPS rules. I think that when I looked at it last time I mis-read the report and thought that stuff had been dropped by global correlation. I'll have to monitor this and see if we get any drops from the global correlation. Once we have that maybe I'll see the fields I'm looking for.
Thanks.
08-19-2010 09:46 AM
Yeah, that was my thought. Anyway, let me know once you are able to see some global correlation events.
Regards,
Prapanch