CCNA CyberOps SECOPS – Objective 2.7

Map the provided events to these source technologies: NetFlow, IDS / IPS, Firewall, Network application control, Proxy logs, Antivirus

Implementing Cisco Cybersecurity Operations (210-255)


NetFlow (or its IETF standardisation, IPFIX) records summarise conversations rather than capturing packets. Every record carries the standard 5-tuple: source IP address, destination IP address, source port, destination port, and the IP protocol. NetFlow v5 additionally keys on the ingress interface and the IP ToS byte, and each record carries packet and byte counts, flow start and end times, and (for TCP) the union of TCP flags seen during the flow. There is no payload, so NetFlow tells you who talked to whom, when, and how much, but never what was said; that is also why it is cheap enough to retain for months.
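As an added example (this is not code from the page, from Cisco or from SecRepo), the following Python reads a constructed CSV export of flow records (the 5-tuple plus packet and byte counters, in the shape a collector would produce; the column names and all addresses are assumptions) and shows two things flow data answers with no payload at all: how much traffic passed between two hosts, and which source is sweeping ports on a target.

```python
import csv
import io
from collections import defaultdict

# Constructed NetFlow-style collector export (not from the page). Each row
# is one flow record: the 5-tuple plus the counters and timestamps a
# collector keeps. proto is the IP protocol number (6 = TCP, 17 = UDP).
SAMPLE_FLOWS = """\
start,src,dst,sport,dport,proto,packets,bytes
2023-05-30T19:09:10,10.0.0.5,203.0.113.10,51234,443,6,42,61234
2023-05-30T19:09:11,10.0.0.5,203.0.113.10,51235,443,6,12,8800
2023-05-30T19:09:12,10.0.0.9,192.168.1.20,40001,22,6,1,60
2023-05-30T19:09:12,10.0.0.9,192.168.1.20,40002,23,6,1,60
2023-05-30T19:09:12,10.0.0.9,192.168.1.20,40003,80,6,1,60
2023-05-30T19:09:12,10.0.0.9,192.168.1.20,40004,443,6,1,60
2023-05-30T19:09:12,10.0.0.9,192.168.1.20,40005,3389,6,1,60
2023-05-30T19:09:13,10.0.0.7,8.8.8.8,53210,53,17,1,78
"""


def parse_flows(text):
    """Parse the CSV export into dicts with numeric ports and counters."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        for key in ("sport", "dport", "proto", "packets", "bytes"):
            row[key] = int(row[key])
        flows.append(row)
    return flows


def bytes_by_pair(flows):
    """Total bytes per (src, dst) pair: the 'who talked to whom, and how
    much' question NetFlow answers without any payload."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["src"], f["dst"])] += f["bytes"]
    return dict(totals)


def find_port_scans(flows, min_ports=5, max_packets=3):
    """Return (src, dst) pairs where one source touched at least min_ports
    distinct destination ports using flows of at most max_packets packets:
    many tiny flows to many ports is what a port scan looks like in flow data."""
    ports = defaultdict(set)
    for f in flows:
        if f["packets"] <= max_packets:
            ports[(f["src"], f["dst"])].add(f["dport"])
    return sorted(pair for pair, seen in ports.items() if len(seen) >= min_ports)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("bytes per pair:", bytes_by_pair(flows))
    print("possible scans:", find_port_scans(flows))
```

The scan threshold is deliberately conservative: a single-packet flow to a closed port is exactly what NetFlow records for a SYN that got a RST, so a run of them from one source is a stronger signal than the byte counts alone.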


Intrusion Detection or Prevention Systems (IDS/IPS) produce alerts that describe the traffic and the rule that fired. Below are example alerts in Snort's fast-alert format from the open-source Snort IDS, provided by SecRepo. Each line carries a timestamp, the rule identifier as [generator:SID:revision] (1:527:8 is generator 1, the Snort rules engine, SID 527, revision 8; the ET prefix and SIDs in the 2000000 range mark Emerging Threats rules), the rule message, a classification, a priority (1 is the most severe) and the protocol in braces. In Snort's own output the source and destination address:port pair follows the arrow; those fields are not present in these samples.

05/30-19:09:10.918155  [**] [1:527:8] BAD-TRAFFIC same SRC/DST [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} ->
05/30-19:09:28.472094  [**] [1:2012811:2] ET DNS DNS Query to a .tk domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} ->
05/30-19:09:28.439113  [**] [1:2014665:2] ET CURRENT_EVENTS DRIVEBY Generic - Redirection to Kit - BrowserDetect with var stopit [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} ->
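As an added example (not code from the page, from Snort or from SecRepo), here is a parser for Snort's fast-alert format run over the three lines above plus one constructed line that still has its address fields (SID 1000001 is in the local-rule range and the hosts are documentation addresses; both are assumptions). It pulls out the rule identifier, priority and endpoints, then does the first triage step an analyst does: list the priority-1 alerts and count hits per SID.

```python
import re
from collections import Counter

# Snort fast-alert format:
#   timestamp [**] [gid:sid:rev] message [**] [Classification: ...]
#   [Priority: n] {PROTO} src:port -> dst:port
# The address fields are optional in this pattern only because the page's
# samples have them stripped; real Snort output always has them.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>[A-Za-z0-9]+)\}\s*"
    r"(?P<src>\S+)?\s*->\s*(?P<dst>\S+)?\s*$"
)

# The three lines quoted on this page plus one constructed line (last).
SAMPLE_ALERTS = [
    "05/30-19:09:10.918155  [**] [1:527:8] BAD-TRAFFIC same SRC/DST [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} ->",
    "05/30-19:09:28.472094  [**] [1:2012811:2] ET DNS DNS Query to a .tk domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} ->",
    "05/30-19:09:28.439113  [**] [1:2014665:2] ET CURRENT_EVENTS DRIVEBY Generic - Redirection to Kit - BrowserDetect with var stopit [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} ->",
    "05/30-19:10:02.000001  [**] [1:1000001:1] LOCAL test rule - constructed sample [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.7:80 -> 10.0.0.5:51344",
]


def _endpoint(field):
    """'10.0.0.5:51344' -> ('10.0.0.5', 51344); None stays None (IPv4 only)."""
    if not field:
        return None
    addr, _, port = field.rpartition(":")
    return (addr, int(port)) if port.isdigit() else (field, None)


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a fast alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "gid": int(m["gid"]), "sid": int(m["sid"]), "rev": int(m["rev"]),
        "msg": m["msg"],
        "classification": m["cls"],
        "priority": int(m["pri"]),
        "proto": m["proto"].upper(),
        "src": _endpoint(m["src"]),
        "dst": _endpoint(m["dst"]),
    }


def triage(lines, max_priority=1):
    """Alerts at or above max_priority (1 is most severe), plus a per-SID
    count so a single noisy rule stands out from a real incident."""
    parsed = [a for a in map(parse_alert, lines) if a]
    urgent = [a for a in parsed if a["priority"] <= max_priority]
    return urgent, Counter(a["sid"] for a in parsed)


if __name__ == "__main__":
    urgent, per_sid = triage(SAMPLE_ALERTS)
    for a in urgent:
        print(a["ts"], a["sid"], a["msg"], a["src"], "->", a["dst"])
    print(per_sid)
```

On the page's samples only the DRIVEBY alert comes back as priority 1, which is the line to pivot on first: the .tk DNS query just before it on the same timestamp second is the kind of context the proxy and firewall logs below then confirm.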


Firewall logs record which connections a firewall built, tore down, or denied. An example Cisco ASA syslog message is below. ASA messages are tagged %ASA-severity-id: here severity 6 is informational and message 302016 is the teardown of a UDP connection. In the full message each interface name is followed by address/port (outside:addr/port to inside:addr/port); those addresses have been removed from this sample. Denied packets appear under other IDs, for example 106023 (severity 4, packet denied by an access-group ACL), so filtering on the message ID is the quickest way to separate allowed from blocked traffic.

Tue Aug 15 23:30:09 %ASA-6-302016: Teardown UDP connection 40 for outside: to inside: duration 0:02:02 bytes 1416
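As an added example (not code from the page or from Cisco), the following Python splits an ASA syslog line into severity, message ID and text, looks the ID up in a small table of the connection and deny messages an analyst sees most, and decodes the teardown and deny texts. It runs on the page's line and on two constructed lines with documentation addresses (the constructed lines and the table's wording are assumptions; message IDs and severities come from Cisco's ASA syslog message reference).

```python
import re

# %ASA-severity-message_id: text
ASA_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msg_id>\d{6}):\s*(?P<text>.*)$")
TEARDOWN_RE = re.compile(
    r"Teardown (?P<proto>TCP|UDP) connection (?P<conn>\d+) for (?P<a>\S+) to (?P<b>\S+) "
    r"duration (?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d) bytes (?P<bytes>\d+)"
)
DENY_RE = re.compile(
    r"Deny (?P<proto>\w+) src (?P<src>\S+) dst (?P<dst>\S+) by access-group \"?(?P<acl>[^\" ]+)\"?"
)

SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# Message IDs an analyst meets constantly: id -> (verdict, meaning).
KNOWN_IDS = {
    "106023": ("deny", "packet denied by an access-group ACL"),
    "302013": ("built", "TCP connection built"),
    "302014": ("teardown", "TCP connection torn down"),
    "302015": ("built", "UDP connection built"),
    "302016": ("teardown", "UDP connection torn down"),
}

SAMPLE_LINES = [
    # the line quoted on this page (interface:address/port fields stripped)
    "Tue Aug 15 23:30:09 %ASA-6-302016: Teardown UDP connection 40 for outside: to inside: duration 0:02:02 bytes 1416",
    # constructed lines with documentation addresses
    "Tue Aug 15 23:30:10 %ASA-6-302015: Built outbound UDP connection 41 for outside:198.51.100.53/53 (198.51.100.53/53) to inside:10.0.0.5/51000 (10.0.0.5/51000)",
    'Tue Aug 15 23:30:11 %ASA-4-106023: Deny tcp src outside:198.51.100.9/41234 dst inside:10.0.0.5/3389 by access-group "outside_in" [0x0, 0x0]',
]


def parse_asa(line):
    """Return severity, message ID, verdict and any decoded fields, or None."""
    m = ASA_RE.search(line)
    if not m:
        return None
    sev = int(m["sev"])
    verdict, meaning = KNOWN_IDS.get(m["msg_id"], ("other", "not in table"))
    rec = {"severity": sev, "severity_name": SEVERITY[sev], "msg_id": m["msg_id"],
           "verdict": verdict, "meaning": meaning, "text": m["text"]}
    t = TEARDOWN_RE.match(m["text"])
    if t:
        rec.update(proto=t["proto"], conn_id=int(t["conn"]), endpoints=(t["a"], t["b"]),
                   duration_s=int(t["h"]) * 3600 + int(t["m"]) * 60 + int(t["s"]),
                   bytes=int(t["bytes"]))
    d = DENY_RE.match(m["text"])
    if d:
        rec.update(proto=d["proto"].upper(), src=d["src"], dst=d["dst"], acl=d["acl"])
    return rec


def denies(lines):
    """Only the records the firewall blocked."""
    return [r for r in map(parse_asa, lines) if r and r["verdict"] == "deny"]


if __name__ == "__main__":
    for rec in map(parse_asa, SAMPLE_LINES):
        print(rec["severity_name"], rec["msg_id"], rec["verdict"], rec.get("bytes"), rec.get("acl"))
```

Note that the page's teardown line still parses: the interface names survive as the endpoints ("outside:", "inside:") even though the addresses behind them are gone, which is often the state of exported samples.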

Network Application Control

In the Cisco world this is Application Visibility and Control (AVC), which is built on Network Based Application Recognition (NBAR, now NBAR2). Rather than trusting the port number, NBAR classifies a flow from its first packets against a library of protocol signatures, so it can tell that the traffic on TCP/443 is SSH rather than TLS, or that an application is tunnelling over port 80. The resulting application name can be exported with the flow record or used in QoS and filtering policy, and it is the field to look for when an event's port and application disagree.
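To show why port-based identification is not enough, here is an added example (not Cisco's code or signatures, and not from the page) that classifies a few constructed flows two ways: by destination port, and by a tiny first-packet signature set that stands in for NBAR2's protocol pack. The flows, ports and payload bytes are all assumptions; the point is the disagreement column.

```python
import re

# Port-based identification: what a plain firewall or NetFlow view assumes.
WELL_KNOWN_PORTS = {22: "ssh", 53: "dns", 80: "http", 443: "tls", 3389: "rdp"}

# A handful of first-packet signatures standing in for a protocol pack
# (constructed for this example, not Cisco's NBAR2 signatures).
HTTP_REQ = re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")


def identify_by_port(dport):
    return WELL_KNOWN_PORTS.get(dport, "unknown")


def identify_by_payload(payload):
    if payload.startswith(b"SSH-"):
        return "ssh"            # SSH version banner
    if payload[:1] == b"\x16" and payload[1:2] == b"\x03":
        return "tls"            # TLS record type 22 (handshake), major version 3
    if HTTP_REQ.match(payload):
        return "http"           # HTTP/1.x request line
    if payload[:2] == b"\x03\x00" and payload[5:6] == b"\xe0":
        return "rdp"            # TPKT header followed by an X.224 Connection Request
    return "unknown"


def classify_flows(flows):
    """flows: list of (dst_port, first_payload_bytes). Returns one row per
    flow with both verdicts; port_view_wrong is True when a port-only view
    would have labelled the flow wrongly or not at all, which is the case
    NBAR/AVC exists for."""
    rows = []
    for dport, payload in flows:
        by_port = identify_by_port(dport)
        by_payload = identify_by_payload(payload)
        rows.append({
            "dport": dport,
            "by_port": by_port,
            "by_payload": by_payload,
            "port_view_wrong": by_payload != "unknown" and by_port != by_payload,
        })
    return rows


# Constructed flows (destination port, first bytes the client sent).
SAMPLE_FLOWS = [
    (443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),          # TLS ClientHello on 443: consistent
    (443, b"SSH-2.0-OpenSSH_9.3\r\n"),                                 # SSH hidden on 443
    (8080, b"GET /update.bin HTTP/1.1\r\nHost: example.net\r\n\r\n"),  # HTTP on a port with no table entry
    (80, b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x03\x00\x00\x00"),  # RDP on 80
]

if __name__ == "__main__":
    for row in classify_flows(SAMPLE_FLOWS):
        print(row)
```

Three of the four constructed flows are mislabelled or invisible to the port table, which is the gap an application-control record closes for the analyst mapping events back to their source.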

Proxy Logs

Example proxy logs from SecRepo are below, in Squid's native access.log format. A line records the request time as a Unix timestamp, the elapsed time in milliseconds, the client address, the cache result and HTTP status (TCP_MISS/200 is a cache miss answered by the origin server with 200; TCP_REFRESH_HIT/304 is a stale cached object that the origin confirmed as unchanged), the size in bytes, the method, the URL, the ident field, the hierarchy code with the peer host, and the content type. Proxy logs therefore tie an internal host to the exact external resource it asked for, including CONNECT tunnels that carry TLS. In these samples the client address, the ident field and the peer host have been removed.

1157689312.049   5006 TCP_MISS/200 19763 CONNECT badeyek DIRECT/ -
1157689320.327   2864 TCP_MISS/200 10182 GET badeyek DIRECT/ text/html
1157689320.343   1357 TCP_REFRESH_HIT/304 214 GET badeyek DIRECT/ -
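As an added example (not code from the page, from Squid or from SecRepo), the following Python parses Squid native access.log lines and answers the question the paragraph above raises: which internal client reached which external host, and which requests the proxy refused. The sample lines are constructed with complete fields and documentation hostnames (an assumption; the page's samples have the client and peer fields stripped, and the parser reports those as unparseable rather than guessing).

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Squid native access.log:
#   time elapsed client result/status bytes method URL ident hierarchy/peer type
FIELDS = ("time", "elapsed_ms", "client", "result", "bytes",
          "method", "url", "ident", "hierarchy", "content_type")

# Constructed lines, not the page's samples.
SAMPLE_LINES = [
    "1157689312.049   5006 10.0.0.5 TCP_MISS/200 19763 CONNECT www.example.com:443 - DIRECT/203.0.113.10 -",
    "1157689320.327   2864 10.0.0.5 TCP_MISS/200 10182 GET http://www.example.com/index.html - DIRECT/203.0.113.10 text/html",
    "1157689320.343   1357 10.0.0.5 TCP_REFRESH_HIT/304 214 GET http://www.example.com/style.css - DIRECT/203.0.113.10 -",
    "1157689330.001     12 10.0.0.7 TCP_DENIED/403 3419 GET http://blocked.example/ - HIER_NONE/- text/html",
]


def parse_squid(line):
    """Split one native-format line into typed fields, or return None when
    the field count is wrong (a different log format, or stripped fields)."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["time"] = float(rec["time"])
    rec["elapsed_ms"] = int(rec["elapsed_ms"])
    rec["bytes"] = int(rec["bytes"])
    code, _, status = rec["result"].partition("/")
    rec["result"], rec["status"] = code, int(status)
    hier, _, peer = rec["hierarchy"].partition("/")
    rec["hierarchy"], rec["peer"] = hier, peer
    # CONNECT logs host:port (the tunnel target); other methods log a full URL.
    if rec["method"] == "CONNECT":
        rec["host"] = rec["url"].rsplit(":", 1)[0]
    else:
        rec["host"] = urlsplit(rec["url"]).hostname
    return rec


def clients_to_hosts(lines):
    """Map each internal client to the sorted set of external hosts it reached."""
    seen = defaultdict(set)
    for rec in filter(None, map(parse_squid, lines)):
        seen[rec["client"]].add(rec["host"])
    return {client: sorted(hosts) for client, hosts in seen.items()}


def denied(lines):
    """(client, URL) pairs the proxy refused; a blocked download attempt is
    still evidence of what the host tried to reach."""
    return [(r["client"], r["url"]) for r in filter(None, map(parse_squid, lines))
            if r["result"] == "TCP_DENIED"]


if __name__ == "__main__":
    print(clients_to_hosts(SAMPLE_LINES))
    print(denied(SAMPLE_LINES))
```

Squid pads the elapsed-time column with spaces (visible in the page's samples), so splitting on runs of whitespace rather than a single space is what makes the field count reliable.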


Antivirus logs and events describe what was found on a host or hosts: which file, under which path and user account, the detection name, and what the engine did about it (cleaned, quarantined, deleted, or only logged). They are the endpoint counterpart of the network sources above and answer the question those cannot: whether the file the proxy or IDS saw being fetched actually landed on disk, and whether it was stopped.
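Since the objective is to map an event to the technology that produced it, here is an added example (not code from the page or from any of the vendors named) that fingerprints a line by format and names its source. It uses the page's Snort, ASA and Squid lines as they appear, plus a constructed nfdump-style flow listing and a constructed clamscan result line (both assumptions). Application-control records have no text format of their own (they are flow records carrying an application name), so they are not fingerprinted here.

```python
import re

# Format fingerprints, one per source technology. Order matters only where
# two patterns could overlap; these do not.
FINGERPRINTS = [
    ("IDS/IPS (Snort fast alert)",
     re.compile(r"\[\*\*\]\s+\[\d+:\d+:\d+\]")),
    ("Firewall (Cisco ASA syslog)",
     re.compile(r"%ASA-[0-7]-\d{6}:")),
    # client field optional so the page's stripped samples still classify
    ("Proxy (Squid native access.log)",
     re.compile(r"^\d{9,10}\.\d{3}\s+\d+\s+(?:\S+\s+)?(?:TCP|UDP|NONE)_\w+/\d{3}\s")),
    ("NetFlow (nfdump-style flow listing)",
     re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}\s+\d+\.\d{3}\s+(?:TCP|UDP|ICMP)\s+"
                r"\S+\s+->\s+\S+\s+\d+\s+\d+\s+\d+$")),
    ("Antivirus (clamscan result)",
     re.compile(r"^\S.*: \S+ FOUND$")),
]

# Page-quoted lines (first three) and constructed lines (last two).
SAMPLE_EVENTS = [
    "05/30-19:09:10.918155  [**] [1:527:8] BAD-TRAFFIC same SRC/DST [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} ->",
    "Tue Aug 15 23:30:09 %ASA-6-302016: Teardown UDP connection 40 for outside: to inside: duration 0:02:02 bytes 1416",
    "1157689312.049   5006 TCP_MISS/200 19763 CONNECT badeyek DIRECT/ -",
    "2023-05-30 19:09:13.000     0.000 UDP    10.0.0.7:53210 ->  8.8.8.8:53         1       78     1",
    "/home/alice/Downloads/invoice.exe: Eicar-Test-Signature FOUND",
]


def classify(line):
    """Name the source technology for one event line, or 'unknown'."""
    text = line.strip()
    for name, pattern in FINGERPRINTS:
        if pattern.search(text):
            return name
    return "unknown"


def map_events(lines):
    """Pair every line with its source so a mixed export can be split."""
    return [(classify(line), line) for line in lines]


if __name__ == "__main__":
    for source, line in map_events(SAMPLE_EVENTS):
        print(f"{source:40s} {line[:60]}")
```

Fingerprinting on the fixed parts of a format (the [**] markers and [gid:sid:rev] triple, the %ASA-severity-id tag, the epoch.millis timestamp followed by a TCP_* result code) rather than on addresses or hostnames is what keeps this working on anonymised samples like the ones on this page.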