topic Re: ASA SYN attacks report in Reporting

ASA SYN attacks report

lbogle — Mon, 10 Mar 2014 17:06:17 GMT

Hello,
I am seeing this repeatedly in our log file and wanted to try and tease out patterns in what IP is sourcing most of this traffic but the IP addresses don't appear to be getting recognized as I was hoping. I was using

firewall.company.com SYN from Inside* | stats sum(count)

on the following data:

Mar 10 09:49:05 firewall.Company.COM %ASA-4-419002: Duplicate TCP SYN from Inside:someipaddress/33641 to Inside:someipaddress/80 with different initial sequence number

No statistics or visualization are getting generated though.
Any suggestions?

Thanks!

Re: ASA SYN attacks report

martin_mueller — Mon, 10 Mar 2014 21:14:10 GMT

stats sum(count) would compute the sum of all values for the field count. I don't see such a field in your data, so that's likely why you're not getting any statistics.

What are you actually trying to compute?

If you're going for a total count, try stats count. To split that by a field, try stats count by field.

Re: ASA SYN attacks report

lbogle — Mon, 10 Mar 2014 21:41:03 GMT

Hi Martin,
What I'm trying to do is see which ip addresses are talking the most/participating in the 'Duplicate TCP SYN' traffic the most. Essentially a top talker report.
There are a ton of those log lines in the report and I'm trying to trace down those IP's to get them worked on.
Does that make sense?
Thanks,
Lindsay

Re: ASA SYN attacks report

martin_mueller — Mon, 10 Mar 2014 21:53:13 GMT

That sounds like you're looking for stats count by src_ip or top src_ip or timechart count by src_ip, each assuming the source ip address is extracted as field src_ip.

Re: ASA SYN attacks report

lbogle — Mon, 10 Mar 2014 22:43:59 GMT

So that sounds like that is correct. I went to the event actions on the left and src_ip does not appear to be getting extracted. How do I extract that field at search time?
Does this look close?
firewall.company.com SYN | rex "[Inside(?.+?)]" | top ip

Thanks!

Re: ASA SYN attacks report

martin_mueller — Thu, 13 Mar 2014 20:08:39 GMT

Close, but no cigar... Square brackets [] in regular expressions form a character group. Based on your one example event you'd need something like this:

base search | rex "Inside:(?<src_ip>[^/]+)/(?<src_port>\d+)\s+to\s+Inside:(?<dst_ip>[^/]+)/(?<dst_port>\d+)"

Look for the first Inside:, grab the src ip until the slash, grab the src port, look for the second Inside, grab the dest ip until the slash, grab the dest port.
Once you're happy with the regex you should configure that as a field extraction, so everyone can use the fields without having to add the rex call every time.

Re: ASA SYN attacks report

terrabit — Tue, 29 Sep 2020 07:38:03 GMT

419002

Error Message %ASA-4-419002: Received duplicate TCP SYN from
in_interface:src_address/src_port to out_interface:dest_address/dest_port with different
initial sequence number.
Explanation A duplicate TCP SYN was received during the three-way-handshake that has a different initial sequence number than the SYN that opened the embryonic connection. This could indicate that SYNs are being spoofed. This message occurs in Release 7.0.4.1 and later.
•in_interface—The input interface

•src_address—The source IP address of the packet

•src_port—The source port of the packet

•out_interface—The output interface

•dest_address—The destination IP address of the packet

•dest_port—The destination port of the packet

Recommended Action None required.