Tuesday 30 July 2019

Teardown TCP connection

I have analysed the normalized rule "Teardown TCP connection" and observed that every event from this alert carries the event subtype 'STOP'. It means the TCP connection was dropped, as per expert advice.

Log details, e.g.:
<166>May 03 2015 14:23:38: %ASA-6-302014: Teardown TCP connection 858001055 for DMZ:10.10.10.2/80 to Trust:190.76.49.144/36706 duration 0:00:00 bytes 526 TCP FINs
<166>May 03 2015 14:23:38: %ASA-6-302014: Teardown TCP connection 858001181 for DMZ:10.10.10.6/20411 to Trust:105.70.81.170/445 duration 0:00:00 bytes 1571 TCP Reset-O

Q. When does the alert trigger?

Whenever there is a request for a connection/communication at the firewall, it generates the event "Built inbound/outbound TCP connection" with event subtype 'START'. The firewall processes this request and proceeds as per the ACL/policy applied to it.
1.  If the request is valid, it allows the request.
2.  If the request is invalid, it denies/rejects/STOPs it.
2.1  Once it is STOPPED, refer to the TCP termination reasons below to find out the issue.

Advantages:

1. From an SOC monitoring and analyst perspective, it is important to refer to the STOP event whenever a Built connection event is observed.
        At the initial stage, it gives an idea of whether the connection was allowed or not.
2. Helpful in creating correlation rules, e.g. for DoS attempts.
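As an added example (not from the original post), the following Python parses %ASA-6-302014 teardown messages in the format shown above and applies the kind of correlation rule mentioned in point 2: it counts abnormal (non-"TCP FINs") STOP events per target inside a sliding time window. The server-side heuristic (the endpoint with the lower port number), the 3-event/60-second thresholds, and the extra log lines beyond the two quoted in the post are assumptions and constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Field layout of an ASA %ASA-6-302014 message, as in the two log lines quoted above.
TEARDOWN_RE = re.compile(
    r"^<\d+>(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-6-302014: "
    r"Teardown TCP connection (?P<conn_id>\d+) for (?P<a_if>\w+):(?P<a_ip>[\d.]+)/(?P<a_port>\d+) "
    r"to (?P<b_if>\w+):(?P<b_ip>[\d.]+)/(?P<b_port>\d+) "
    r"duration (?P<dur>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+) (?P<reason>.+)$")
NORMAL_CLOSE = "TCP FINs"  # graceful close; any other reason (e.g. TCP Reset-O) is an abnormal STOP

def parse_teardown(line):
    """Return the teardown fields as a dict, or None if the line is not a 302014 message."""
    m = TEARDOWN_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%b %d %Y %H:%M:%S")
    d["bytes"] = int(d["bytes"])
    # Heuristic (assumption): the endpoint with the lower port is the server, i.e. the likely DoS target.
    a, b = (d["a_ip"], int(d["a_port"])), (d["b_ip"], int(d["b_port"]))
    d["target"] = a if a[1] <= b[1] else b
    d["normal"] = d["reason"] == NORMAL_CLOSE
    return d

def abnormal_teardown_bursts(lines, threshold=3, window=timedelta(seconds=60)):
    """Correlation rule: targets seeing >= threshold abnormal teardowns within one sliding window."""
    events = [e for e in map(parse_teardown, lines) if e and not e["normal"]]
    by_target = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_target[e["target"]].append(e["ts"])
    hits = {}
    for (ip, port), stamps in by_target.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1  # slide the window start forward until it spans <= window
            if end - start + 1 >= threshold:
                hits[f"{ip}:{port}"] = max(hits.get(f"{ip}:{port}", 0), end - start + 1)
    return hits

# Constructed sample log: the two lines quoted in the post plus three made-up resets against 10.10.10.2/80.
SAMPLE_LOG = [
    "<166>May 03 2015 14:23:38: %ASA-6-302014: Teardown TCP connection 858001055 for DMZ:10.10.10.2/80 to Trust:190.76.49.144/36706 duration 0:00:00 bytes 526 TCP FINs",
    "<166>May 03 2015 14:23:38: %ASA-6-302014: Teardown TCP connection 858001181 for DMZ:10.10.10.6/20411 to Trust:105.70.81.170/445 duration 0:00:00 bytes 1571 TCP Reset-O",
    "<166>May 03 2015 14:23:40: %ASA-6-302014: Teardown TCP connection 858001201 for DMZ:10.10.10.2/80 to Trust:190.76.49.144/36710 duration 0:00:00 bytes 0 TCP Reset-O",
    "<166>May 03 2015 14:23:41: %ASA-6-302014: Teardown TCP connection 858001202 for DMZ:10.10.10.2/80 to Trust:190.76.49.144/36711 duration 0:00:00 bytes 0 TCP Reset-O",
    "<166>May 03 2015 14:23:42: %ASA-6-302014: Teardown TCP connection 858001203 for DMZ:10.10.10.2/80 to Trust:190.76.49.144/36712 duration 0:00:00 bytes 0 TCP Reset-O",
]
```

Running `abnormal_teardown_bursts(SAMPLE_LOG)` flags 10.10.10.2:80 with three reset teardowns within the window, while the single Reset-O against 105.70.81.170:445 stays below the threshold.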
