New Member

Watching for Global Threat Correlation activity

I am in the process of upgrading all of our sensors to the 7.x code so that we can benefit from SenderBase/global threat correlation.  I have been going over the syslog document and don't see anything that I can use to alert me as to when Global Threat Correlation is influencing what is allowed through the ASA. Am I missing something, or is there another way to watch when it is active?  I have mine set to Aggressive to get max benefit from SenderBase.

Thanks,

Ron

3 REPLIES
Cisco Employee

Re: Watching for Global Threat Correlation activity

Ron;

  For global correlation inspection, you will know if global correlation has influenced the risk rating assigned to the signature event, as there will be details in the firing event.

  For reputation filtering, there will not be a signature event, as the filtering occurs prior to the packet being passed to the analysis engine for signature inspection.  You can check the output of 'show statistics analysis-engine'.  The last section of output from that command will display the global correlation histograms as well as IP addresses that have been dropped due to reputation filtering.

Scott

New Member

Re: Watching for Global Threat Correlation activity

Scott:

Thanks for the info.  Do you happen to know what will show up in the signature event?

Management is leaning on me to be able to 1) prove that this is working and 2) know when it is causing a problem to see about tuning it.  I already have IPSME sending me emails.  Didn't know if there was a syslog event for the 2nd part of your answer that I could watch for.

Hope that IPS will someday support syslog.  That would make my life easier.

Ron

Cisco Employee

Re: Watching for Global Threat Correlation activity

Ron;

  At the end of a signature event you should see details similar to:

globalCorrelation:
    globalCorrelationScore: 0
    globalCorrelationRiskDelta: 0
    globalCorrelationModifiedRiskRating: false
    globalCorrelationDenyPacket: false
    globalCorrelationDenyAttacker: false
    globalCorrelationOtherOverrides: false
    globalCorrelationAuditMode: false

  Of course, they will be non-zero/non-false when global correlation has impacted calculations within the signature event.


Scott
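
Added example (not from the thread or from Cisco): a small Python checker that parses the globalCorrelation block shown above out of an event's text and reports whether global correlation departed from the all-zero/all-false baseline, which is the signal Ron is after for proving it works and spotting when it needs tuning. The sample event text and its values are constructed for illustration; the field names are the ones listed in the reply.

```python
import re
# Constructed sample of the tail of a Cisco IPS 7.x signature event, laid out as
# the reply above shows it (values are made up for illustration).
SAMPLE_EVENT = """\
globalCorrelation:
    globalCorrelationScore: -4
    globalCorrelationRiskDelta: 35
    globalCorrelationModifiedRiskRating: true
    globalCorrelationDenyPacket: true
    globalCorrelationDenyAttacker: false
    globalCorrelationOtherOverrides: false
    globalCorrelationAuditMode: false
"""
# One "globalCorrelationXxx: value" line; the block header itself carries no value.
GC_FIELD = re.compile(r"^\s*(globalCorrelation\w+):\s*(\S+)\s*$", re.MULTILINE)
# Baseline is 0 for the numeric fields and false for the flags.
NUMERIC = ("globalCorrelationScore", "globalCorrelationRiskDelta")
FLAGS = ("globalCorrelationModifiedRiskRating", "globalCorrelationDenyPacket",
         "globalCorrelationDenyAttacker", "globalCorrelationOtherOverrides",
         "globalCorrelationAuditMode")

def parse_global_correlation(event_text):
    """Map each globalCorrelation* field to int, bool, or the raw string."""
    fields = {}
    for name, raw in GC_FIELD.findall(event_text):
        if raw.lower() in ("true", "false"):
            fields[name] = raw.lower() == "true"
        else:
            try:
                fields[name] = int(raw)
            except ValueError:
                fields[name] = raw  # unexpected token: keep it visible rather than guess
    return fields

def global_correlation_influenced(fields):
    """True when any field departs from the all-zero/all-false baseline."""
    return (any(fields.get(k, 0) != 0 for k in NUMERIC)
            or any(fields.get(k) is True for k in FLAGS))

def summarize(event_text):
    """One-line verdict for an alert e-mail or a tuning report."""
    fields = parse_global_correlation(event_text)
    if not fields:
        return "no globalCorrelation block"
    if not global_correlation_influenced(fields):
        return "global correlation: no influence"
    acted = [k[len("globalCorrelation"):] for k in FLAGS if fields.get(k) is True]
    return "global correlation acted: score=%s delta=%s flags=%s" % (
        fields.get("globalCorrelationScore"), fields.get("globalCorrelationRiskDelta"),
        ",".join(acted) or "none")
```

Run `summarize()` over each event body pulled from the sensor's event store (or from the IPSME mails Ron already receives) and forward only the "acted" results to get the alert the syslog document does not provide.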
