CISCO ASA IDS 7.3(5)E4, Need to save all kind of attacks response.

Ankush Kumar · ‎01-20-2018

Hi Gents,

I required your support in one of the query which is we are using CISCO ASA 5545 Firewall and its inbuilt AIP-SSM module in IDS fail-open mode.

Because its in IDS mode its detecting attacks but the requirement is to know we want packet capture and storage facility of those detecting attacks with server response so that we can correlate whether that particular attack based on http response was successful or not. How can I achieve that? Need your help guys.

Thanks.

Karsten Iwen · ‎01-21-2018

You need a management-Software for this. The free Cisco offering is the (near) EOL "IPS Manager Express (IME)" to manage the (near) EOL legacy IPS/IDS that you are running.

In my opinion it's not worth spending any time on this system. It's outdated, doesn't get any development any more and is soon end of life/support.

Better plan to migrate to Cisco Firepower managed by Cisco Firepower Management Center. That is the actual supported solution.

Marvin Rhoads · ‎01-21-2018

Karsten is giving good advice.

The old IPS type will only get signature updates (assuming a current subscription) until April 2018. It is well past its viable lifetime.

If your organization is serious about security, they won't continue to use it.

Ankush Kumar · ‎01-21-2018

Agree and thanks for response.

Ankush Kumar · ‎01-21-2018

Hi Karsten,

Thanks for your reply.

Quick query on this, in case we are going for Firepower series of ASAs with inbuilt module of IPS engine, then does that provide functionality of packet capture of detecting attacks including server replies? and can we configured that Firepower to send those packet captures to remote location for avoiding space limitation of physical device.

So basically a full requirement will be like typical IPS solution e.g McAfee NSM, Suricata.

Marvin Rhoads · ‎01-21-2018

Firepower NGIPS, when using Firepower Management Center (FMC), can capture the packets of attack attempts. It only saves them locally though. You can download a given one on an ad hoc basis.

If the server replied, it would mean that the attack wasn't detected blocked in the first place and we would thus have no criteria (on FMC) for selecting that particular conversation for capture among the many that are coming from the server.

If you wanted to monitor all server conversations to look for suspect flows, you would use something like Cisco Stealthwatch. It collects and analyzes Netflow data.

Ankush Kumar · ‎01-21-2018

Hi Marvin,

One doubt about the posted line
----------------------------------------------------------------------------
"If the server replied, it would mean that the attack wasn't detected blocked in the first place and we would thus have no criteria (on FMC) for selecting that particular conversation for capture among the many that are coming from the server."
-----------------------------------------------------------------------------
What if we are using NGIPS, in detection mode only. In that case attack should reach to the server but in the same time NGIPS should able to capture that communication too.

Kindly correct if I am wrong.

Marvin Rhoads · ‎01-21-2018

Ok, that makes sense.

If the flow from the server is identified as an intrusion event, FMC can capture it. However I'm not positive that it would correlate it with the incoming flow which was the initial indication of compromise.