Solved: ASA SYN attacks report

lbogle · ‎03-10-2014

Hello,
I am seeing this repeatedly in our log file and wanted to try and tease out patterns in what IP is sourcing most of this traffic but the IP addresses don't appear to be getting recognized as I was hoping. I was using

firewall.company.com SYN from Inside* | stats sum(count)

on the following data:

Mar 10 09:49:05 firewall.Company.COM %ASA-4-419002: Duplicate TCP SYN from Inside:someipaddress/33641 to Inside:someipaddress/80 with different initial sequence number

No statistics or visualization are getting generated though.
Any suggestions?

Thanks!

martin_mueller · ‎03-10-2014

That sounds like you're looking for stats count by src_ip or top src_ip or timechart count by src_ip, each assuming the source ip address is extracted as field src_ip.

View solution in original post

terrabit · ‎10-19-2015

419002

Error Message %ASA-4-419002: Received duplicate TCP SYN from
in_interface:src_address/src_port to out_interface:dest_address/dest_port with different
initial sequence number.
Explanation A duplicate TCP SYN was received during the three-way-handshake that has a different initial sequence number than the SYN that opened the embryonic connection. This could indicate that SYNs are being spoofed. This message occurs in Release 7.0.4.1 and later.
•in_interface—The input interface

•src_address—The source IP address of the packet

•src_port—The source port of the packet

•out_interface—The output interface

•dest_address—The destination IP address of the packet

•dest_port—The destination port of the packet

Recommended Action None required.

martin_mueller · ‎03-10-2014

That sounds like you're looking for stats count by src_ip or top src_ip or timechart count by src_ip, each assuming the source ip address is extracted as field src_ip.

martin_mueller · ‎03-13-2014

Close, but no cigar... Square brackets [] in regular expressions form a character group. Based on your one example event you'd need something like this:

base search | rex "Inside:(?<src_ip>[^/]+)/(?<src_port>\d+)\s+to\s+Inside:(?<dst_ip>[^/]+)/(?<dst_port>\d+)"

Look for the first Inside:, grab the src ip until the slash, grab the src port, look for the second Inside, grab the dest ip until the slash, grab the dest port.
Once you're happy with the regex you should configure that as a field extraction, so everyone can use the fields without having to add the rex call every time.

lbogle · ‎03-10-2014

So that sounds like that is correct. I went to the event actions on the left and src_ip does not appear to be getting extracted. How do I extract that field at search time?
Does this look close?
firewall.company.com SYN | rex "[Inside(?.+?)]" | top ip

Thanks!

lbogle · ‎03-10-2014

Hi Martin,
What I'm trying to do is see which ip addresses are talking the most/participating in the 'Duplicate TCP SYN' traffic the most. Essentially a top talker report.
There are a ton of those log lines in the report and I'm trying to trace down those IP's to get them worked on.
Does that make sense?
Thanks,
Lindsay

martin_mueller · ‎03-10-2014

stats sum(count) would compute the sum of all values for the field count. I don't see such a field in your data, so that's likely why you're not getting any statistics.

What are you actually trying to compute?

If you're going for a total count, try stats count. To split that by a field, try stats count by field.

ASA SYN attacks report

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms