02-09-2014 10:40 PM - edited 03-11-2019 08:43 PM
I'm a security analyst tasked with running a SIEM; we are getting Cisco ASA 5585 traffic logs. Two firewalls are running in active-active configuration. I'm detecting a suspicious pattern which I need clarification/understanding on from the community.
In less than 3 hours, between 7:00 am and 9:00 am, the Cisco ASA logs show an unprecedented increase in UDP teardown messages, going as far as 2 million
in total. The number is odd for many reasons, some of which include:
Sample payload
<166>Jan 20 2014 09:28:49: %ASA-6-302016: Teardown UDP connection 2542342834 for client:202.12.27.33/53 to inside:192.168.1.2/59270 duration 0:02:27 bytes 73
NOTE: Nearly every other teardown message comes from src port 53.
Is such a sporadic increase in any way considered an anomaly (i.e. a networking loop, perhaps)? Also, do these messages, esp. UDP teardown, relate to a drop action taken by the FW due to a security violation of some sort, or do the traffic logs just tell us that it has logged a UDP connection teardown / close request?
Thanks.
02-10-2014 10:33 AM
Hello, Asad.
The message says that the connection is removed from the connection table.
So, no action is required.
But if you observe too high a number of such messages, you'd better investigate why.
So, try to analyze "show local-host conn udp 100" and find the primary host that generates such an amount of connections.
After you identify it, try to understand if it's normal (or malware) behavior.
If it's not normal, you might limit the number of connections per host.
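Added example (not code from either poster): a small Python parser that does on the syslog side what the answer suggests doing with "show local-host conn udp 100" on the box. It reads %ASA-6-302016 lines in the exact format of the sample payload quoted in the question, skips other message IDs, and aggregates teardowns per minute, per source port (to confirm the "nearly all from port 53" observation), and per host on each side of the connection, then flags minutes above a rate threshold. The log lines in SAMPLE_LOG are constructed for the example (the first is the one from the question; the others use RFC 5737 / RFC 1918 addresses), and the spike threshold of 3 is chosen only to fit that tiny sample; on real data you would baseline it against normal hours.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the first line is the one quoted in the question, the rest are
# made up in the same %ASA-6-302016 format. The 302015 "Built" line is there to show
# that non-teardown messages are ignored.
SAMPLE_LOG = """\
<166>Jan 20 2014 09:28:49: %ASA-6-302016: Teardown UDP connection 2542342834 for client:202.12.27.33/53 to inside:192.168.1.2/59270 duration 0:02:27 bytes 73
<166>Jan 20 2014 09:28:49: %ASA-6-302015: Built inbound UDP connection 2542342900 for client:202.12.27.33/53 (202.12.27.33/53) to inside:192.168.1.2/59271 (192.168.1.2/59271)
<166>Jan 20 2014 09:28:50: %ASA-6-302016: Teardown UDP connection 2542342835 for client:202.12.27.33/53 to inside:192.168.1.2/59271 duration 0:02:01 bytes 71
<166>Jan 20 2014 09:28:50: %ASA-6-302016: Teardown UDP connection 2542342836 for client:198.51.100.7/53 to inside:192.168.1.2/59272 duration 0:02:05 bytes 80
<166>Jan 20 2014 09:28:51: %ASA-6-302016: Teardown UDP connection 2542342837 for client:202.12.27.33/53 to inside:192.168.1.9/41002 duration 0:02:03 bytes 74
<166>Jan 20 2014 09:29:02: %ASA-6-302016: Teardown UDP connection 2542342838 for client:202.12.27.33/53 to inside:192.168.1.2/59273 duration 0:02:00 bytes 72
<166>Jan 20 2014 09:29:03: %ASA-6-302016: Teardown UDP connection 2542342839 for inside:192.168.1.50/51234 to outside:203.0.113.9/123 duration 0:02:02 bytes 96
"""

# Layout of a 302016 line as it appears in the question. Interface names such as
# "client" and "inside" are the ASA nameif values and are kept as logged.
TEARDOWN_RE = re.compile(
    r"^<\d+>(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-6-302016: "
    r"Teardown UDP connection (?P<conn>\d+) for "
    r"(?P<src_ifc>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_ifc>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<dur>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+)$"
)


def parse_teardowns(log_text):
    """Return one dict per %ASA-6-302016 line; lines with other message IDs are skipped."""
    records = []
    for line in log_text.splitlines():
        m = TEARDOWN_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%b %d %Y %H:%M:%S")
        hours, minutes, seconds = (int(x) for x in rec["dur"].split(":"))
        rec["dur_s"] = hours * 3600 + minutes * 60 + seconds
        for key in ("conn", "src_port", "dst_port", "bytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def summarize(records):
    """Aggregate teardowns the way you would read `show local-host` output:
    how many per minute, from which source ports, and which hosts on each side."""
    return {
        "total": len(records),
        "per_minute": Counter(r["ts"].strftime("%Y-%m-%d %H:%M") for r in records),
        "src_ports": Counter(r["src_port"] for r in records),
        "src_hosts": Counter(f'{r["src_ifc"]}:{r["src_ip"]}' for r in records),
        "dst_hosts": Counter(f'{r["dst_ifc"]}:{r["dst_ip"]}' for r in records),
    }


def find_spikes(per_minute, threshold):
    """Minutes whose teardown count exceeds `threshold`; tune it against a quiet-hour baseline."""
    return sorted(minute for minute, n in per_minute.items() if n > threshold)


if __name__ == "__main__":
    recs = parse_teardowns(SAMPLE_LOG)
    summary = summarize(recs)
    print("teardowns:", summary["total"])
    print("from src port 53:", summary["src_ports"][53])
    print("top source hosts:", summary["src_hosts"].most_common(3))
    print("top destination hosts:", summary["dst_hosts"].most_common(3))
    print("spike minutes (>3/min in this toy sample):", find_spikes(summary["per_minute"], 3))
```

Feed it the raw syslog export for the 7:00-9:00 window instead of SAMPLE_LOG and the `src_hosts` / `dst_hosts` counters tell you which host the answer's "show local-host" step would have pointed at, while `per_minute` shows whether the 2 million teardowns arrived as a steady stream or in bursts.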