lukel
Level 8
Message 1 of 9

Cisco Firepower Syslog Parsing

For those with Cisco Firepower firewalls, how are you parsing the data? We are receiving the logs via Syslog, but there are only 10 syslog parsers built into the ESM (all of which are basically useless). We are considering switching to the eStreamer, but we have heard that IPS events don't come through.

We have been pretty disappointed with the Firepower support so far. There were 1000+ parsers for ASA events, and there appears to be next-to-none support for Cisco's new(ish) flagship firewalls.

8 Replies
Leath
Level 7
Message 2 of 9

Re: Cisco Firepower Syslog Parsing

Welcome to ESM: the SIEM "supports" Data Sources in the supported list, but may not really.
We use eStreamer and Syslog and get quite a bit of info out.

You can also create correlation rules on Firepower which SIEM parses correctly. 
Basically each SFR module should send Syslog to ERC, and the FMS should use eStreamer and Syslog. 

Good luck!

jfi
Level 8
Message 3 of 9

Re: Cisco Firepower Syslog Parsing

We have the same problem. Running ESM 10.3.3 and Cisco FMC/FTD 6.2.3.

We also use syslog because eStreamer kills FMC performance, and the events are not correctly parsed with any of the available data source models.

I've opened a support case to check if there aren't any new data source models available, because I'm not looking forward to writing the parse rules myself 😞 

Joeri

brenta
Reliable Contributor
Message 4 of 9

Re: Cisco Firepower Syslog Parsing

@jfi: I don't have a Firepower-enabled device to test this with. Do you have some sample data you can provide?

Brent
jfi
Level 8
Message 5 of 9

Re: Cisco Firepower Syslog Parsing

[Normal Allowed Connection event (default FTD FW policy setting, log at end of connection)]:
<46>May 3 09:53:00 Firewall_Hostname SFIMS: Protocol: TCP, SrcIP: 10.11.12.13, OriginalClientIP: ::, DstIP: 10.4.3.2, SrcPort: 56079, DstPort: 50100, TCPFlags: 0x0, IngressInterface: DMZ, EgressInterface: INSIDE, EgressZone: Inside, DE: Primary Detection Engine (87103996-93a3-11e7-af93-a10250af3b71), Policy: MY_FW_POLICY, ConnectType: End, AccessControlRuleName: RULENAME_0001, AccessControlRuleAction: Allow, Prefilter Policy: Unknown, UserName: No Authentication Required, UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, Client: Internet Explorer, ClientVersion: rv:11.0, ApplicationProtocol: HTTP, InitiatorPackets: 8, ResponderPackets: 6, InitiatorBytes: 3007, ResponderBytes: 1046, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, HTTPResponse: 200, HTTPReferer: http://ourserver.internal.server:50100/somestuff, ReferencedHost: our.internal.server:50100, URLCategory: Unknown, URLReputation: Risk unknown, URL: http://our.internal.server:50100/gibberish/GUID:17098c68d4ea6c9647a2d36a02501c63/UR/baseLib/baseThem...

[DNS Connection Start Event]:
<46>May 3 09:53:25 Firewall_Hostname SFIMS: Protocol: UDP, SrcIP: 221.164.34.71, OriginalClientIP: ::, DstIP: 10.1.1.1, SrcPort: 52875, DstPort: 53, TCPFlags: 0x0, IngressInterface: OUTSIDE, EgressInterface: DMZ, IngressZone: Internet, DE: Primary Detection Engine (87103996-93a3-11e7-af93-a10250af3b71), Policy: MY_FW_POLICY, ConnectType: Start, AccessControlRuleName: RULENAME_0003, AccessControlRuleAction: Allow, Prefilter Policy: Unknown, UserName: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 110, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSQuery: someserver.mycompany.com, DNSRecordType: a host address, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown

[Security Intelligence Block event, Blacklisted IP address (IP Reputation=Malware)]:
<46>May 3 09:44:00 Firewall_Hostname SFIMS: Protocol: UDP, SrcIP: 1.1.1.1, OriginalClientIP: ::, DstIP: 10.2.3.4, SrcPort: 4498, DstPort: 53, TCPFlags: 0x0, IngressInterface: OUTSIDE, EgressInterface: DMZ, IngressZone: Internet, DE: Primary Detection Engine (87103996-93a3-11e7-af93-a10250af3b71), Policy: MYPOLICY, ConnectType: Start, AccessControlRuleName: Unknown, AccessControlRuleAction: Block, AccessControlRuleReason: IP Block, Prefilter Policy: Unknown, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 98, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, SecIntMatchingIP: Destination, IPReputationSICategory: Malware, URLCategory: Unknown, URLReputation: Risk unknown

[Security Intelligence Block event, Blacklisted IP address (IP Reputation=Attackers)]:
<46>May 3 02:01:32 Firewall_Hostname SFIMS: Protocol: TCP, SrcIP: 46.161.27.112, OriginalClientIP: ::, DstIP: 10.2.2.2, SrcPort: 62203, DstPort: 8214, TCPFlags: 0x0, IngressInterface: OUTSIDE, EgressInterface: INTERNAL_DMZ, IngressZone: Internet, DE: Primary Detection Engine (87103996-93a3-11e7-af93-a10250af3b71), Policy: MY_FW_POLICY, ConnectType: Start, AccessControlRuleName: Unknown, AccessControlRuleAction: Block, AccessControlRuleReason: IP Block, Prefilter Policy: Unknown, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 70, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, SecIntMatchingIP: Destination, IPReputationSICategory: Attackers, URLCategory: Unknown, URLReputation: Risk unknown

[Security Intelligence Block event, DNS Sinkhole]:
<46>May 3 09:49:22 Firewall_Hostname SFIMS: Protocol: UDP, SrcIP: 10.9.8.7, OriginalClientIP: ::, DstIP: 156.154.125.70, SrcPort: 63982, DstPort: 53, TCPFlags: 0x0, IngressInterface: INSIDE, EgressInterface: OUTSIDE, IngressZone: Inside, EgressZone: Internet, DE: Primary Detection Engine (87103996-93a3-11e7-af93-a10250af3b71), Policy: MY_FW_POLICY, ConnectType: Start, AccessControlRuleName: Unknown, AccessControlRuleAction: Sinkhole, AccessControlRuleReason: DNS Block, Prefilter Policy: Unknown, UserName: No Authentication Required, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 90, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSQuery: ns2.honeybot.us, DNSRecordType: a host address, DNSResponseType: No Error, Sinkhole: Unknown, DNSSICategory: DNS Phishing, URLCategory: Unknown, URLReputation: Risk unknown

[Intrusion Detection Block, IPS]:
<46>May 3 07:25:56 Firewall_Hostname SFIMS: Protocol: TCP, SrcIP: 212.113.67.180, OriginalClientIP: 208.118.237.43, DstIP: 10.11.11.11, SrcPort: 58252, DstPort: 80, TCPFlags: 0x0, IngressInterface: OUTSIDE, EgressInterface: INSIDE, IngressZone: Internet, EgressZone: Inside, DE: Primary Detection Engine (87103996-93a3-11e7-af93-a10250af3b71), Policy: MY_FW_POLICY, ConnectType: End, AccessControlRuleName: RULENAME_0002, AccessControlRuleAction: Block, AccessControlRuleReason: Intrusion Block, Prefilter Policy: Unknown, UserName: No Authentication Required, UserAgent: Jakarta Commons-HttpClient/3.1, Client: Eclipse, ClientVersion: 3.1, ApplicationProtocol: HTTP, IPSCount: 1, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 533, ResponderBytes: 78, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, ReferencedHost: 101.102.103.104, URLCategory: Unknown, URLReputation: Risk unknown, URL: http://101.102.103.104/CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/password.proper...

jfi
Level 8
Message 6 of 9

Re: Cisco Firepower Syslog Parsing

I've tried to reply and paste some sample data, however, it doesn't show up as a reply. I think it gets blocked by the forum system. I'll post it as a screenshot.

Joeri

jfi
Level 8
Message 7 of 9

Re: Cisco Firepower Syslog Parsing

Below are some sanitized examples. (If you know how to paste these as text, without the forum system blocking the message, please let me know 🙂 )

[Attached screenshots: example_01.JPG, example_02.JPG, example_03.JPG, example_04.JPG, example_05.JPG, example_06.JPG]

brenta
Reliable Contributor
Message 8 of 9

Re: Cisco Firepower Syslog Parsing

Oh ok, these have a lot of data in them. Building an efficient parser looks like it would be quite simple. However, from my experience, parsing all of this data will likely significantly impact your SIEM's general responsiveness, especially if you get a significant number of these packets.

For example, adding the entire URL to the ESM database for each hit is probably not reasonable.

This is so close to the CEF format, but I guess Cisco just needs to do their own thing (sigh).

It looks like the order of the fields is the same, but some fields may be omitted in different messages. Hopefully this is the case and it's possible to use a forward-looking-only parser. Could you verify this? If it is the case, a list of possible fields from all the events would be great, and I can get you started on the parser. What you map to the database is something you will need to manage and consider based on your environment and other factors.

Brent
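As an added illustration of the forward-looking approach Brent describes (not code from the thread or from McAfee/Cisco): the parser below walks the SFIMS body left to right, splitting only at ", " boundaries that are followed by a field name, so values containing spaces or parentheses (the DE field, user agents, URLs) stay intact and omitted fields are simply absent. The classify() helper and the field names in the sample are taken from the sanitized events posted in this thread; the sample line itself is a trimmed, constructed subset of the DNS-sinkhole event.

```python
import re
from typing import Dict

# Syslog header as in the samples: "<PRI>Mon D HH:MM:SS host SFIMS: body"
HEADER_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) SFIMS: (?P<body>.*)$"
)
# Field boundary: ", " followed by a key such as "SrcIP: " or "Prefilter Policy: ".
# Splitting on this lookahead rather than on every comma keeps values with
# embedded spaces/parentheses (e.g. "Primary Detection Engine (...)") whole.
FIELD_SPLIT_RE = re.compile(r", (?=[A-Z][A-Za-z]*(?: [A-Z][a-z]+)?: )")

def parse_sfims(line: str) -> Dict[str, str]:
    """Parse one Firepower SFIMS syslog line into a flat dict; absent fields are just missing."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an SFIMS syslog line")
    fields = {"_pri": m["pri"], "_timestamp": m["ts"], "_host": m["host"]}
    for chunk in FIELD_SPLIT_RE.split(m["body"]):
        key, sep, value = chunk.partition(": ")  # first ": " only; "::" survives as a value
        if sep:
            fields[key] = value
    return fields

def classify(fields: Dict[str, str]) -> str:
    """Map action/reason fields to the event classes seen in the thread's samples."""
    action = fields.get("AccessControlRuleAction", "")
    reason = fields.get("AccessControlRuleReason", "")
    if reason == "Intrusion Block":
        return "ips_block"
    if reason == "IP Block":
        return "si_ip_block:" + fields.get("IPReputationSICategory", "Unknown")
    if reason == "DNS Block":
        return "si_dns_block:" + fields.get("DNSSICategory", "Unknown")
    if action == "Allow":
        return "connection_" + fields.get("ConnectType", "unknown").lower()
    return "other"

# Constructed sample: a trimmed subset of the sanitized DNS-sinkhole event posted in this thread.
SAMPLE = ("<46>May 3 09:49:22 Firewall_Hostname SFIMS: Protocol: UDP, SrcIP: 10.9.8.7, "
          "OriginalClientIP: ::, DstIP: 156.154.125.70, SrcPort: 63982, DstPort: 53, "
          "DE: Primary Detection Engine (87103996-93a3-11e7-af93-a10250af3b71), "
          "Policy: MY_FW_POLICY, ConnectType: Start, AccessControlRuleName: Unknown, "
          "AccessControlRuleAction: Sinkhole, AccessControlRuleReason: DNS Block, "
          "Prefilter Policy: Unknown, DNSQuery: ns2.honeybot.us, DNSSICategory: DNS Phishing")

if __name__ == "__main__":
    parsed = parse_sfims(SAMPLE)
    print(classify(parsed), parsed["DstIP"], parsed["DNSQuery"])
```

Which of the parsed keys you forward to the ESM (and whether you keep URL and UserAgent at all) is the mapping decision Brent refers to; the parser itself does not need to change for that.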
jfi
Level 8
Message 9 of 9

Re: Cisco Firepower Syslog Parsing

Here are some (sanitized) examples:


[Normal Allowed Connection event (default FTD FW policy setting, log at end of connection)]:
<46>May 3 09:53:00 Firewall_Hostname SFIMS: Protocol: TCP, SrcIP: 10.11.12.13, OriginalClientIP: ::, DstIP: 10.4.3.2, SrcPort: 56079, DstPort: 50100, TCPFlags: 0x0, IngressInterface: DMZ, EgressInterface: INSIDE, EgressZone: Inside, DE: Primary Detection Engine (87103996-93a3-11e7-af93-a10250af3b71), Policy: MY_FW_POLICY, ConnectType: End, AccessControlRuleName: RULENAME_0001, AccessControlRuleAction: Allow, Prefilter Policy: Unknown, UserName: No Authentication Required, UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, Client: Internet Explorer, ClientVersion: rv:11.0, ApplicationProtocol: HTTP, InitiatorPackets: 8, ResponderPackets: 6, InitiatorBytes: 3007, ResponderBytes: 1046, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, HTTPResponse: 200, HTTPReferer: httpx://ourserver.internal.server:50100/somestuff, ReferencedHost: our.internal.server:50100, URLCategory: Unknown, URLReputation: Risk unknown, URL: httpx://our.internal.server:50100/gibberish/GUID:17098c68d4ea6c9647a2d36a02501c63/UR/baseLib/baseTheme/img/statusicons/msg/ico12_msg_success.gif

[DNS Connection Start Event]:
<46>May 3 09:53:25 Firewall_Hostname SFIMS: Protocol: UDP, SrcIP: 221.164.34.71, OriginalClientIP: ::, DstIP: 10.1.1.1, SrcPort: 52875, DstPort: 53, TCPFlags: 0x0, IngressInterface: OUTSIDE, EgressInterface: DMZ, IngressZone: Internet, DE: Primary Detection Engine (87103996-93a3-11e7-af93-a10250af3b71), Policy: MY_FW_POLICY, ConnectType: Start, AccessControlRuleName: RULENAME_0003, AccessControlRuleAction: Allow, Prefilter Policy: Unknown, UserName: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 110, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSQuery: someserver.mycompany.com, DNSRecordType: a host address, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown

[Security Intelligence Block event, Blacklisted IP address (IP Reputation=Malware)]:
<46>May 3 09:44:00 Firewall_Hostname SFIMS: Protocol: UDP, SrcIP: 1.1.1.1, OriginalClientIP: ::, DstIP: 10.2.3.4, SrcPort: 4498, DstPort: 53, TCPFlags: 0x0, IngressInterface: OUTSIDE, EgressInterface: DMZ, IngressZone: Internet, DE: Primary Detection Engine (87103996-93a3-11e7-af93-a10250af3b71), Policy: MYPOLICY, ConnectType: Start, AccessControlRuleName: Unknown, AccessControlRuleAction: Block, AccessControlRuleReason: IP Block, Prefilter Policy: Unknown, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 98, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, SecIntMatchingIP: Destination, IPReputationSICategory: Malware, URLCategory: Unknown, URLReputation: Risk unknown

[Security Intelligence Block event, Blacklisted IP address (IP Reputation=Attackers)]:
<46>May 3 02:01:32 Firewall_Hostname SFIMS: Protocol: TCP, SrcIP: 46.161.27.112, OriginalClientIP: ::, DstIP: 10.2.2.2, SrcPort: 62203, DstPort: 8214, TCPFlags: 0x0, IngressInterface: OUTSIDE, EgressInterface: INTERNAL_DMZ, IngressZone: Internet, DE: Primary Detection Engine (87103996-93a3-11e7-af93-a10250af3b71), Policy: MY_FW_POLICY, ConnectType: Start, AccessControlRuleName: Unknown, AccessControlRuleAction: Block, AccessControlRuleReason: IP Block, Prefilter Policy: Unknown, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 70, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, SecIntMatchingIP: Destination, IPReputationSICategory: Attackers, URLCategory: Unknown, URLReputation: Risk unknown

[Security Intelligence Block event, DNS Sinkhole]:
<46>May 3 09:49:22 Firewall_Hostname SFIMS: Protocol: UDP, SrcIP: 10.9.8.7, OriginalClientIP: ::, DstIP: 156.154.125.70, SrcPort: 63982, DstPort: 53, TCPFlags: 0x0, IngressInterface: INSIDE, EgressInterface: OUTSIDE, IngressZone: Inside, EgressZone: Internet, DE: Primary Detection Engine (87103996-93a3-11e7-af93-a10250af3b71), Policy: MY_FW_POLICY, ConnectType: Start, AccessControlRuleName: Unknown, AccessControlRuleAction: Sinkhole, AccessControlRuleReason: DNS Block, Prefilter Policy: Unknown, UserName: No Authentication Required, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 90, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSQuery: ns2.honeybot.us, DNSRecordType: a host address, DNSResponseType: No Error, Sinkhole: Unknown, DNSSICategory: DNS Phishing, URLCategory: Unknown, URLReputation: Risk unknown

[Intrusion Detection Block, IPS]:
<46>May 3 07:25:56 Firewall_Hostname SFIMS: Protocol: TCP, SrcIP: 212.113.67.180, OriginalClientIP: 208.118.237.43, DstIP: 10.11.11.11, SrcPort: 58252, DstPort: 80, TCPFlags: 0x0, IngressInterface: OUTSIDE, EgressInterface: INSIDE, IngressZone: Internet, EgressZone: Inside, DE: Primary Detection Engine (87103996-93a3-11e7-af93-a10250af3b71), Policy: MY_FW_POLICY, ConnectType: End, AccessControlRuleName: RULENAME_0002, AccessControlRuleAction: Block, AccessControlRuleReason: Intrusion Block, Prefilter Policy: Unknown, UserName: No Authentication Required, UserAgent: Jakarta Commons-HttpClient/3.1, Client: Eclipse, ClientVersion: 3.1, ApplicationProtocol: HTTP, IPSCount: 1, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 533, ResponderBytes: 78, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, ReferencedHost: 101.102.103.104, URLCategory: Unknown, URLReputation: Risk unknown, URL: httpx://101.102.103.104/CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/password.properties%00en
