Detection rules for ASA data sources. Each rule includes its MITRE ATT&CK mapping, impact rating, and a description of what it detects.
This category contains 3 detection rules.
| Rule | Category | Technique | Impact (C/I/A) |
|---|---|---|---|
| Botnet Command and Control Traffic Detected | Command and Control | T1071 - Application Layer Protocol | C:3 / I:2 / A:1 |
| IPS Signature Match - Malicious Pattern Detected | Initial Access | T1190 - Exploit Public-Facing Application | C:3 / I:3 / A:2 |
| Multiple Failed VPN Authentication Attempts | Credential Access | T1110 - Brute Force | C:3 / I:2 / A:1 |
Rule Example
Below is an example of a rule definition for Botnet Command and Control Traffic Detected (view in repository):
```yaml
# Rule version v1.0.0
dataTypes:
  - firewall-cisco-asa
name: Botnet Command and Control Traffic Detected
impact:
  confidentiality: 3
  integrity: 2
  availability: 1
category: Command and Control
technique: "T1071 - Application Layer Protocol"
adversary: origin
references:
  - https://www.cisco.com/c/en/us/td/docs/security/asa/special/botnet/asa-botnet.pdf
  - https://attack.mitre.org/techniques/T1071/
description: |
  Detects botnet command and control traffic identified by Cisco ASA's dynamic filter/botnet database. Message IDs 338001-338002 indicate blacklisted traffic from/to malicious addresses. This could indicate compromised hosts communicating with known botnet infrastructure.
  Next Steps:
  1. Immediately isolate the affected host(s) to prevent further communication with C2 infrastructure
  2. Review the source IP address (origin.ip) to identify the compromised internal host
  3. Check the destination IP/domain against threat intelligence sources to confirm malicious nature
  4. Examine other logs from the affected host for signs of initial compromise or lateral movement
  5. Run full antivirus/anti-malware scans on the affected system
  6. Review DNS logs for additional suspicious queries from the same host
  7. Check for any data exfiltration attempts or unusual outbound traffic patterns
  8. Consider reimaging the affected system if compromise is confirmed
where: |
  oneOf("log.messageId", ["338001", "338002"])
  || regexMatch("log.message", "botnet.*(detected|blocked|dropped)")
  || contains("log.message", "dynamic filter blacklisted")
  || contains("log.message", "malicious address")
groupBy:
  - adversary.ip
  - target.ip
```
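To see what the `where` clause above actually fires on, here is an added Python walkthrough (not part of the rule set or its engine) that parses constructed ASA syslog lines into the flat fields the rule references, evaluates each clause with stand-ins for `oneOf`/`regexMatch`/`contains`, and groups hits by `adversary.ip`/`target.ip` as `groupBy` does. The field names, the case-insensitive string semantics and the exact message wording are assumptions.

```python
import re
from collections import Counter
# Constructed sample ASA syslog lines (not from the page); the 3380xx text
# approximates ASA dynamic filter wording and is not a verbatim vendor log.
SAMPLE_LOGS = [
    "%ASA-4-338001: Dynamic Filter monitored blacklisted TCP traffic from "
    "inside:10.0.0.25/51234 (203.0.113.7/51234) to outside:198.51.100.9/443 "
    "(198.51.100.9/443), threat-level: very-high, category: Malware",
    "%ASA-4-338002: Dynamic Filter monitored blacklisted UDP traffic from "
    "outside:198.51.100.9/53 (198.51.100.9/53) to inside:10.0.0.25/4100 "
    "(203.0.113.7/4100), threat-level: very-high, category: Malware",
    "%ASA-6-302013: Built outbound TCP connection 4711 for outside:"
    "192.0.2.10/80 (192.0.2.10/80) to inside:10.0.0.30/40001 (203.0.113.8/40001)",
]

HEADER = re.compile(r"^%ASA-\d-(?P<id>\d{6}):\s*(?P<msg>.*)$")
ENDPOINTS = re.compile(r"from [^:]+:(?P<src>[\d.]+)/\d+.*? to [^:]+:(?P<dst>[\d.]+)/\d+")

def parse(line):
    """Map a raw line onto the flat fields the rule references. The rule sets
    adversary: origin, so the 'from' address becomes adversary.ip."""
    m = HEADER.match(line)
    if not m:
        return None  # not ASA-formatted; the rule cannot evaluate it
    ep = ENDPOINTS.search(m["msg"])
    return {"log.messageId": m["id"], "log.message": m["msg"],
            "adversary.ip": ep["src"] if ep else None,
            "target.ip": ep["dst"] if ep else None}

# Stand-ins for the engine's oneOf/regexMatch/contains (assumed semantics:
# text comparisons are case-insensitive).
def one_of(value, options): return value in options
def regex_match(text, pattern): return re.search(pattern, text, re.I) is not None
def contains(text, needle): return needle.lower() in text.lower()

def rule_matches(ev):
    """The rule's `where` clause, clause for clause."""
    return (one_of(ev["log.messageId"], ["338001", "338002"])
            or regex_match(ev["log.message"], r"botnet.*(detected|blocked|dropped)")
            or contains(ev["log.message"], "dynamic filter blacklisted")
            or contains(ev["log.message"], "malicious address"))

def evaluate(lines):
    """Hit counts keyed by (adversary.ip, target.ip), mirroring the groupBy."""
    hits = Counter()
    for ev in filter(None, map(parse, lines)):
        if rule_matches(ev):
            hits[(ev["adversary.ip"], ev["target.ip"])] += 1
    return dict(hits)
```

On these lines only the message-ID clause fires (the dynamic filter text reads "monitored blacklisted", not "dynamic filter blacklisted"), and the 338001/338002 pair of one conversation lands in two separate groups because origin and target swap direction.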
Rule Details
Botnet Command and Control Traffic Detected
Detects botnet command and control traffic identified by Cisco ASA's dynamic filter/botnet database. Message IDs 338001-338002 indicate blacklisted traffic from/to malicious addresses. This could indicate compromised hosts communicating with known botnet infrastructure.
Category: Command and Control
Technique: T1071 - Application Layer Protocol
Impact: C:3 / I:2 / A:1
Rule file: botnet_traffic_detection.yml
Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/special/botnet/asa-botnet.pdf
Reference: https://attack.mitre.org/techniques/T1071/
IPS Signature Match - Malicious Pattern Detected
Detects when ASA IPS features identify malicious patterns in network traffic. Message ID 108003 indicates ESMTP/SMTP connections terminated due to malicious patterns. Also monitors for general IPS/IDS signature matches and threat intelligence hits.
Category: Initial Access
Technique: T1190 - Exploit Public-Facing Application
Impact: C:3 / I:3 / A:2
Rule file: ips_signature_matches.yml
Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog.html
Reference: https://attack.mitre.org/techniques/T1190/
Multiple Failed VPN Authentication Attempts
Detects multiple failed VPN authentication attempts from the same source IP address, which could indicate a brute force attack or password guessing attempt against VPN credentials.
Category: Credential Access
Technique: T1110 - Brute Force
Impact: C:3 / I:2 / A:1
Rule file: multiple_failed_vpn_attempts.yml
Reference: https://attack.mitre.org/techniques/T1110/
Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs1.html