Global correlation events

snowmizer
Level 1

I have an ASA 5510 with an SSM-10 module. I have global correlation turned on and updating. When I look at the dashboard's "Global Correlation Report" I see packets that have been denied by global correlation. Can someone tell me how global correlation events are logged? I'd like to be able to see the raw data associated with the global correlation.

Thanks.


5 Replies

praprama
Cisco Employee

Hi,

For starters, below is information regarding Global correlation (GC) on the IPS:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_collaboration.html

As can be seen, basically, the global correlation feature adjusts the risk ratings based on the level at which we configure the GC, that is, permissive/standard/aggressive, and also based on the GC score for the attacker IP address. After adjusting the risk ratings, the IPS denies packets based on the event action overrides that we may have configured.

Another method in which GC is used for filtering is "reputation filtering" (by default it's OFF in the IPS). What this feature does when ON is it denies packets from certain known bad hosts that are downloaded along with the manifests. Hope this helps.

All the best!

Regards,

Prapanch

This helps. However, I have one other question. I've got a Python script that someone wrote to pull SDEE events from the IPS module. In the code they are pulling the following fields related to global correlation:

Global Correlation Score

Global Correlation Risk Delta

Global Correlation Modified Risk Rating

Global Correlation Deny Packet

Global Correlation Deny Attacker

Also a field that specifies if the packet was dropped (isDropped)?

I've looked at the settings, including setting the Event action on rule0 for all risk levels to at least produce a verbose alert but I'm still not seeing these fields. Where do these fields come from and how can I get them?

Thanks.
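To show where fields like the ones listed above would surface in practice, here is an added example (not the script from the post and not Cisco's code) that parses a constructed SDEE-style alert feed and separates drops attributed to global correlation from drops caused by an ordinary signature's event action. The element names and namespace URIs are assumptions; check them against the real SDEE output of your sensor.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not real sensor output. GC element names are assumed to match the
# field names in the thread; namespace URIs are placeholders, so matching ignores namespaces.
SAMPLE_SDEE = """<sd:events xmlns:sd="urn:placeholder:sdee" xmlns:cid="urn:placeholder:cidee">
  <sd:evIdsAlert eventId="1001" severity="high">
    <cid:riskRatingValue>92</cid:riskRatingValue>
    <cid:globalCorrelation>
      <cid:globalCorrelationScore>-5.3</cid:globalCorrelationScore>
      <cid:globalCorrelationRiskDelta>27</cid:globalCorrelationRiskDelta>
      <cid:globalCorrelationModifiedRiskRating>true</cid:globalCorrelationModifiedRiskRating>
      <cid:globalCorrelationDenyPacket>true</cid:globalCorrelationDenyPacket>
      <cid:globalCorrelationDenyAttacker>false</cid:globalCorrelationDenyAttacker>
    </cid:globalCorrelation>
    <sd:actions><cid:droppedPacket>true</cid:droppedPacket></sd:actions>
  </sd:evIdsAlert>
  <sd:evIdsAlert eventId="1002" severity="medium">
    <cid:riskRatingValue>65</cid:riskRatingValue>
    <sd:actions><cid:droppedPacket>true</cid:droppedPacket></sd:actions>
  </sd:evIdsAlert>
</sd:events>"""

def _find_text(elem, name):
    """Text of the first descendant whose namespace-stripped tag name is `name`."""
    for node in elem.iter():
        if node.tag.rsplit("}", 1)[-1] == name:
            return (node.text or "").strip()
    return None

def classify_alerts(xml_text):
    """Per evIdsAlert: risk rating, GC risk delta (0 without a GC block) and who dropped the packet."""
    results = []
    for alert in ET.fromstring(xml_text).iter():
        if alert.tag.rsplit("}", 1)[-1] != "evIdsAlert":
            continue
        delta = _find_text(alert, "globalCorrelationRiskDelta")
        dropped = _find_text(alert, "droppedPacket") == "true"
        gc_deny = _find_text(alert, "globalCorrelationDenyPacket") == "true"
        if dropped and gc_deny:
            verdict = "dropped by global correlation"
        elif dropped:
            verdict = "dropped by signature event action (no GC involvement)"
        else:
            verdict = "alert only"
        results.append({"eventId": alert.get("eventId"),
                        "riskRating": int(_find_text(alert, "riskRatingValue")),
                        "gcRiskDelta": int(delta) if delta else 0,
                        "verdict": verdict})
    return results
```

Alerts without a globalCorrelation block, like the second one in the sample, are what a report full of signature-based drops looks like in the raw feed.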

Hi,

Take a look at this:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_collaboration.html#wp1065809

As can be seen, whenever "global correlation" causes any kind of action to be taken by the IPS it produces an alert unless the packet is being denied by "reputation filtering" which does not produce any kind of alert. Also, "This feature only applies to global correlation inspection where the traffic is allowed if no specific signature is matched".

I am not sure of all those fields in the alert but I have seen at least some of them. If you are not seeing any alerts with those fields, then global correlation may not be seeing any instances where it has had to modify the risk ratings and take appropriate actions for it, that is, you may not be receiving any kind of such packets from malicious hosts at all in the first place.

Also, if you have "reputation filtering" on, you might want to turn it OFF to ensure it is not causing this behavior.

Regards,

Prapanch

I looked at the Global Correlation Report on my IPS and discovered that all of the traffic that was being dropped was being done by the traditional IPS rules. I think that when I looked at it last time I misread the report and thought that stuff had been dropped by global correlation. I'll have to monitor this and see if we get any drops from the global correlation. Once we have that maybe I'll see the fields I'm looking for.

Thanks.

Yeah, that was my thought. Anyway, let me know once you are able to see some global correlation events.

Regards,

Prapanch
