I have analysed the normalized rule "Teardown TCP connection" and observed that the event subtype 'STOP' is triggered every time from this alert. It means the TCP connection was dropped, as per expert advice.
Log Details:
E.g.
<166>May 03 2015 14:23:38: %ASA-6-302014: Teardown TCP connection 858001055 for DMZ:10.10.10.2/80 to Trust:190.76.49.144/36706 duration 0:00:00 bytes 526 TCP FINs
<166>May 03 2015 14:23:38: %ASA-6-302014: Teardown TCP connection 858001181 for DMZ:10.10.10.6/20411 to Trust:105.70.81.170/445 duration 0:00:00 bytes 1571 TCP Reset-O
Q. When does the alert trigger?
Whenever there is a request for a connection/communication at the firewall, it generates the event "Built inbound/outbound TCP connection" with event subtype 'START'. The firewall processes this request and proceeds as per the ACL/policy applied to it.
1. If the request is valid, it allows the request.
2. If the request is invalid, it denies/rejects/STOPs it.
2.1 Once it is STOPPED, refer to the TCP termination reason at the end of the teardown line (e.g. "TCP FINs" or "TCP Reset-O" in the sample logs above) to find out the issue.
Advantages:
1. From an SOC monitoring and analyst perspective, it is important to refer to the STOP event whenever a Built connection is observed.
At the initial stage, it gives an idea of whether the connection was allowed or not.
2. Helpful in creating correlation rules, e.g. for DoS attempts.
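An added example, not code from the original post: a small parser for the %ASA-6-302014 teardown line shown above, plus the kind of per-endpoint count a DoS-style correlation rule would be built on. The sample log lines are constructed from the format in the post, the threshold is an assumption, and the reason strings assumed in abnormal_teardowns ("TCP Reset-O", "TCP Reset-I", "SYN Timeout") are standard ASA termination reasons.

```python
import re
from collections import Counter

# Constructed sample lines in the %ASA-6-302014 format quoted in the post;
# the addresses are illustrative, not real traffic.
SAMPLE_LOGS = [
    "<166>May 03 2015 14:23:38: %ASA-6-302014: Teardown TCP connection 858001055 "
    "for DMZ:10.10.10.2/80 to Trust:190.76.49.144/36706 duration 0:00:00 bytes 526 TCP FINs",
    "<166>May 03 2015 14:23:38: %ASA-6-302014: Teardown TCP connection 858001181 "
    "for DMZ:10.10.10.6/20411 to Trust:105.70.81.170/445 duration 0:00:00 bytes 1571 TCP Reset-O",
    "<166>May 03 2015 14:23:39: %ASA-6-302014: Teardown TCP connection 858001190 "
    "for DMZ:10.10.10.6/20412 to Trust:105.70.81.170/445 duration 0:00:00 bytes 0 TCP Reset-O",
    "<166>May 03 2015 14:25:01: %ASA-6-302014: Teardown TCP connection 858001301 "
    "for DMZ:10.10.10.6/20500 to Trust:105.70.81.170/445 duration 0:01:22 bytes 9040 TCP FINs",
]

# Field layout of the 302014 message: connection id, two interface:ip/port
# endpoints (kept in the order the ASA printed them), duration h:mm:ss,
# byte count, and the free-text termination reason at the end of the line.
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<conn_id>\d+) for "
    r"(?P<if1>[\w-]+):(?P<ip1>[\d.]+)/(?P<port1>\d+) to "
    r"(?P<if2>[\w-]+):(?P<ip2>[\d.]+)/(?P<port2>\d+) "
    r"duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)

def parse_teardown(line):
    """Return a dict of the teardown fields, or None if the line is not a 302014 event."""
    m = TEARDOWN_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("conn_id", "port1", "port2", "bytes"):
        rec[key] = int(rec[key])
    h, mnt, s = (int(x) for x in rec["duration"].split(":"))
    rec["duration_s"] = h * 3600 + mnt * 60 + s
    return rec

def abnormal_teardowns(lines, reasons=("TCP Reset-O", "TCP Reset-I", "SYN Timeout"), max_duration_s=0):
    """Count teardowns per (ip1, ip2, port2) that ended with one of `reasons` within
    max_duration_s: a flood of instantly reset sessions to one service is what a
    DoS-attempt correlation rule keys on."""
    counts = Counter()
    for line in lines:
        rec = parse_teardown(line)
        if rec and rec["reason"] in reasons and rec["duration_s"] <= max_duration_s:
            counts[(rec["ip1"], rec["ip2"], rec["port2"])] += 1
    return counts

def flag_bursts(lines, threshold=2):
    """Return endpoint triples whose abnormal-teardown count reaches threshold (assumed value)."""
    return {k: v for k, v in abnormal_teardowns(lines).items() if v >= threshold}

if __name__ == "__main__":
    print(flag_bursts(SAMPLE_LOGS))
```

In a SIEM the same count would be taken over a sliding time window and joined with the matching 'START' (Built) event on the connection id.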
Firewall Event analysis : Teardown TCP connection