CCNA CyberOps SECOPS – Objective 2.7

Reading Time: 2 minutes

Map the provided events to these source technologies: NetFlow, IDS / IPS, Firewall, Network application control, Proxy logs, Antivirus

Implementing Cisco Cybersecurity Operations (210-255)

NetFlow

NetFlow (or IPFIX) data will contain the standard 5-tuple of information: source IP address, destination IP address, source port, destination port, and the protocol.

IDS/IPS

Intrusion Detection or Protection Systems will produce logs that include information about the traffic and the rule that was tripped. Below are example logs from the open-source Snort IDS provided by SecRepo.

05/30-19:09:10.918155  [**] [1:527:8] BAD-TRAFFIC same SRC/DST [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 0.0.0.0:68 -> 255.255.255.255:67
05/30-19:09:28.472094  [**] [1:2012811:2] ET DNS DNS Query to a .tk domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.88.10:1029 -> 4.2.2.3:53
05/30-19:09:28.439113  [**] [1:2014665:2] ET CURRENT_EVENTS DRIVEBY Generic - Redirection to Kit - BrowserDetect with var stopit [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 50.28.53.156:80 -> 192.168.88.10:1031

Firewall

Firewall logs will provide information about the traffic that was allowed or denied on a firewall. An example Cisco ASA log is below:

Tue Aug 15 23:30:09 %ASA-6-302016: Teardown UDP connection 40 for outside:44.44.4.4/500 to inside:44.44.2.2/500 duration 0:02:02 bytes 1416

Network Application Control

In the Cisco world, this would be what Cisco calls Cisco Application and Visibility Control (AVC) which is tied to Network Based Application Recognition (NBAR). These tools help to determine what application was being sent beyond using just port numbers for identification.

Proxy Logs

Example proxy logs from SecRepo are below. They can help identify which internal host used the proxy to access which resource externally.

1157689312.049   5006 10.105.21.199 TCP_MISS/200 19763 CONNECT login.yahoo.com:443 badeyek DIRECT/209.73.177.115 -
1157689320.327   2864 10.105.21.199 TCP_MISS/200 10182 GET http://www.goonernews.com/ badeyek DIRECT/207.58.145.61 text/html
1157689320.343   1357 10.105.21.199 TCP_REFRESH_HIT/304 214 GET http://www.goonernews.com/styles.css badeyek DIRECT/207.58.145.61 -

Antivirus

Antivirus logs and events can help determine what was found on a host or hosts.