Analyzing a high number of UDP teardown messages in a short interval?
I'm a security analyst tasked with running a SIEM; we are getting Cisco ASA 5585 traffic logs from two firewalls running in an active-active configuration. I'm detecting a suspicious pattern on which I need clarification/understanding from the community.
In less than 3 hours, between 7:00 am and 9:00 am, the Cisco ASA logs show an unprecedented increase in UDP teardown messages, going as far as 2 million in total. The number is odd for many reasons, some of which include:
- The ratio of UDP teardown messages didn't match UDP built connections. For that short period, these UDP teardown messages were almost 20 times more than built connections.
- A trend analysis was made to see if such a high occurrence of UDP teardown messages had been observed before. For this, a comparative analysis was made for the exact same time windows from previous months/weeks, and the following sub-patterns were deduced:
  - On Dec-22-2013, the ratio between the two was only 2%.
  - On Dec-29-2013, the ratio remained the same, i.e. 2%.
  - On Dec-29-2013, the ratio was 2.1%.
  - On Jan-5-2014, the ratio was 2%.
<166>Jan 20 2014 09:28:49: %ASA-6-302016: Teardown UDP connection 2542342834 for client:22.214.171.124/53 to inside:192.168.1.2/59270 duration 0:02:27 bytes 73
NOTE: Nearly every other teardown message comes from src port 53.
Is such a sporadic increase in any way considered an anomaly (i.e. a networking loop, perhaps)? Also, do these messages, esp. UDP teardown, relate to a drop action taken by the FW due to a security violation of some sort, or do the traffic logs just tell us that it has logged a UDP connection teardown / close request?
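An added example (not from the original post or from Cisco) of the teardown-to-built ratio check the question describes, run per hour over constructed sample lines in the same %ASA-6-302015 (Built) / %ASA-6-302016 (Teardown) format; the 2.0 alert threshold, the addresses and the connection ids are assumptions, and the port-53 share tracks the "src port 53" observation above.

```python
import re
from collections import defaultdict
from datetime import datetime

# %ASA-6-302015 = Built UDP connection, %ASA-6-302016 = Teardown UDP connection.
# The first endpoint after "for" is "<zone>:<ip>/<port>" (port 53 in the question's sample).
UDP_CONN_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-6-30201[56]: "
    r"(?P<action>Built|Teardown) (?:inbound |outbound )?UDP connection \d+ "
    r"for \w+:[\d.]+/(?P<sport>\d+)"
)

def parse_udp_event(line):
    """Return (hour_bucket, action, first_endpoint_port), or None for non-UDP-connection lines."""
    m = UDP_CONN_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %Y %H:%M:%S")
    return ts.strftime("%Y-%m-%d %H:00"), m.group("action"), int(m.group("sport"))

def teardown_stats(lines):
    """Per hour: built/teardown counts, teardown-to-built ratio, share of teardowns on port 53."""
    hours = defaultdict(lambda: {"built": 0, "teardown": 0, "teardown_port53": 0})
    for line in lines:
        ev = parse_udp_event(line)
        if ev is None:
            continue  # TCP, deny and other message ids are not part of this ratio
        hour, action, sport = ev
        key = "built" if action == "Built" else "teardown"
        hours[hour][key] += 1
        if key == "teardown" and sport == 53:
            hours[hour]["teardown_port53"] += 1
    for s in hours.values():
        s["ratio"] = s["teardown"] / s["built"] if s["built"] else float("inf")
        s["port53_share"] = s["teardown_port53"] / s["teardown"] if s["teardown"] else 0.0
    return dict(hours)

def anomalous_hours(stats, max_ratio=2.0):
    """Hours whose teardown/built ratio exceeds max_ratio (assumed baseline; tune from past weeks)."""
    return sorted(h for h, s in stats.items() if s["ratio"] > max_ratio)

# Constructed sample lines in the ASA syslog format quoted in the question (not real traffic).
SAMPLE_LOGS = [
    "<166>Jan 20 2014 08:05:10: %ASA-6-302015: Built outbound UDP connection 10 for outside:198.51.100.7/53 (198.51.100.7/53) to inside:192.168.1.2/59270 (192.168.1.2/59270)",
    "<166>Jan 20 2014 08:07:37: %ASA-6-302016: Teardown UDP connection 10 for outside:198.51.100.7/53 to inside:192.168.1.2/59270 duration 0:02:27 bytes 73",
    "<166>Jan 20 2014 09:01:00: %ASA-6-302015: Built outbound UDP connection 11 for outside:198.51.100.7/53 (198.51.100.7/53) to inside:192.168.1.3/40001 (192.168.1.3/40001)",
    "<166>Jan 20 2014 09:01:05: %ASA-6-302016: Teardown UDP connection 11 for outside:198.51.100.7/53 to inside:192.168.1.3/40001 duration 0:00:05 bytes 60",
    "<166>Jan 20 2014 09:01:06: %ASA-6-302016: Teardown UDP connection 12 for outside:198.51.100.7/53 to inside:192.168.1.3/40002 duration 0:00:05 bytes 60",
    "<166>Jan 20 2014 09:01:07: %ASA-6-302016: Teardown UDP connection 13 for outside:198.51.100.7/53 to inside:192.168.1.3/40003 duration 0:00:05 bytes 60",
    "<166>Jan 20 2014 09:02:00: %ASA-6-302014: Teardown TCP connection 14 for outside:203.0.113.9/443 to inside:192.168.1.3/50000 duration 0:00:10 bytes 900 TCP FINs",
]
```

A ratio far above the historical 2% baseline in one hour, with most teardowns sharing port 53, is what the SIEM should surface for review; the example flags the 09:00 hour on the sample.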