Hello,
I am seeing this repeatedly in our log file and wanted to try and tease out patterns in what IP is sourcing most of this traffic but the IP addresses don't appear to be getting recognized as I was hoping. I was using
firewall.company.com SYN from Inside* | stats sum(count)
on the following data:
Mar 10 09:49:05 firewall.Company.COM %ASA-4-419002: Duplicate TCP SYN from Inside:someipaddress/33641 to Inside:someipaddress/80 with different initial sequence number
No statistics or visualization are getting generated though.
Any suggestions?
Thanks!
That sounds like you're looking for stats count by src_ip, or top src_ip, or timechart count by src_ip, each assuming the source IP address is extracted as the field src_ip.
419002
Error Message %ASA-4-419002: Received duplicate TCP SYN from
in_interface:src_address/src_port to out_interface:dest_address/dest_port with different
initial sequence number.
Explanation A duplicate TCP SYN was received during the three-way-handshake that has a different initial sequence number than the SYN that opened the embryonic connection. This could indicate that SYNs are being spoofed. This message occurs in Release 7.0.4.1 and later.
• in_interface: the input interface
• src_address: the source IP address of the packet
• src_port: the source port of the packet
• out_interface: the output interface
• dest_address: the destination IP address of the packet
• dest_port: the destination port of the packet
Recommended Action None required.
Close, but no cigar... Square brackets [] in regular expressions form a character group. Based on your one example event you'd need something like this:
base search | rex "Inside:(?<src_ip>[^/]+)/(?<src_port>\d+)\s+to\s+Inside:(?<dst_ip>[^/]+)/(?<dst_port>\d+)"
Look for the first Inside:, grab the src ip until the slash, grab the src port, look for the second Inside, grab the dest ip until the slash, grab the dest port.
Once you're happy with the regex you should configure that as a field extraction, so everyone can use the fields without having to add the rex call every time.
So that sounds like that is correct. I went to the event actions on the left and src_ip does not appear to be getting extracted. How do I extract that field at search time?
Does this look close?
firewall.company.com SYN | rex "[Inside(?
Thanks!
Hi Martin,
What I'm trying to do is see which IP addresses are talking the most/participating in the 'Duplicate TCP SYN' traffic the most. Essentially a top-talker report.
There are a ton of those log lines in the report and I'm trying to trace down those IPs to get them worked on.
Does that make sense?
Thanks,
Lindsay
stats sum(count) would compute the sum of all values for the field count. I don't see such a field in your data, so that's likely why you're not getting any statistics.
What are you actually trying to compute?
If you're going for a total count, try stats count. To split that by a field, try stats count by field.