This tidbit is a refresher on reading Cisco Firepower Intrusion Event logs and daily reports. Specifically, I wanted to review again with all of you the meaning of two key columns: Impact and Inline Result.
The Firepower Impact scale is designed to help the recipient understand where to focus scarce resources first. Think of them as priorities and work on understanding and resolving them in that order.
- Impact 1 – Target Host Likely Vulnerable to the attack
• Host is known to be running the attacked service
• The service on host is running a vulnerable version
• The attacker executed a known profiled attack on that service
• The host is showing “indications of compromise” (past attack)
This level of event deserves first priority for investigation and, if appropriate, remediation. At a minimum you want a complete understanding of what triggered the event and whether there are any actions you need to take today to prevent new or continuing compromise.
- Impact 2 – Target Host Not Likely Vulnerable to the attack
• Host is known to be running the attacked service
• The service on host is NOT running a vulnerable version
• The attacker executed a known profiled attack on that service
There is generally no action to take with this level of event. The IPS has done its job in sniffing out and terminating the traffic, but in this case the host was determined not to be vulnerable to the specific exploit attempted.
- Impact 3 – Target Not Vulnerable to the attack
• Host is NOT running the attacked service
• The attacker executed a known profiled attack on that service
• If the attacker is on the inside network, this should be investigated
Most of the action we see on this type of event comes from the third sub-bullet. The majority of these events have source hosts inside the protected network, and most of those are blocked outbound DNS requests. We generally just ignore those, since the system has done its job preventing the unwanted DNS lookup, but if you see other types of internally sourced Impact 3 events, again you want to make sure you understand what they are and confirm they are benign.
There are a couple of other possible event Impact levels that we rarely see on our daily event reviews:
- Impact 4 – Target Host Unknown
• Either Attacker or Target is on the internal network
• No Host profile for device yet – previously unseen host on network
- Impact 0 – Neither Attacker nor Target is located on the monitored (internal) network
• Possible network/host configuration issues
I can’t remember the last time I saw an Impact 4; generally these clear up on their own as the system learns the internal hosts. Persistent Impact 0 events need to be investigated, as they could indicate a misconfiguration somewhere on your network.
For Firepower event Inline Results, we have a few options that you will see for each event in the log or report:
- Dropped or black down arrow – fairly self-explanatory: the IPS dropped the traffic.
- “0” or blank – the IPS did not block or drop the traffic. This result occurs with IPS rules that are set to generate events only, without blocking the traffic. You might consider these events more informational in nature, but they still require review and understanding.
- “Would have dropped” or grey down arrow – this result shows up if a drop rule was hit but the “Drop when Inline” policy option is not enabled on your IPS. It can also occasionally show up if the IPS is overloaded. If you consistently see this Inline Result, something needs to be investigated on the IPS system.
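The following Python script is an added example, not part of the original tidbit and not a Cisco tool. It applies both the Impact guidance above (Impact 1 first; internally sourced Impact 3 reviewed unless it is the usual blocked DNS lookup; persistent Impact 0 reviewed; Impact 2 and Impact 4 left alone) and the Inline Result guidance (count the results, warn when “Would have dropped” keeps appearing) to a small constructed event export. The CSV column names, the rule names, the 10.0.0.0/8 internal range, the “persistent” threshold of two repeats and the “Would have dropped” warning threshold are all assumptions for illustration; a real Firepower export will have its own column headers.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample export in the shape of a Firepower intrusion-event CSV.
# The column names and every value below are assumptions for this example,
# not a real Firepower export; the rule names are placeholders.
SAMPLE_EVENTS = """\
time,impact,inline_result,src_ip,dst_ip,message
2024-01-09 08:01:12,1,Dropped,203.0.113.5,10.0.0.20,EXAMPLE-WEBAPP placeholder rule
2024-01-09 08:02:40,2,Dropped,203.0.113.9,10.0.0.21,EXAMPLE-OTHER placeholder rule
2024-01-09 08:03:01,3,Dropped,10.0.0.55,8.8.8.8,EXAMPLE-DNS placeholder blocked lookup
2024-01-09 08:03:15,3,Dropped,10.0.0.55,8.8.8.8,EXAMPLE-DNS placeholder blocked lookup
2024-01-09 08:04:22,3,Dropped,10.0.0.77,198.51.100.4,EXAMPLE-SCAN placeholder probe
2024-01-09 08:05:30,0,,198.51.100.8,198.51.100.9,EXAMPLE-CNC placeholder beacon
2024-01-09 08:05:31,0,,198.51.100.8,198.51.100.9,EXAMPLE-CNC placeholder beacon
2024-01-09 08:06:02,1,Would have dropped,203.0.113.5,10.0.0.22,EXAMPLE-WEBAPP placeholder rule
2024-01-09 08:07:10,4,Dropped,10.0.0.90,203.0.113.40,EXAMPLE-SCAN placeholder probe
"""

# Assumed protected (internal) address range for this example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal(ip):
    """True if the address falls inside the assumed protected network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_events(text):
    """Read the CSV export into a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(events, persistent_threshold=2):
    """Bucket events in the order the tidbit says to work them.

    investigate_first: Impact 1 (target likely vulnerable)
    review:            internally sourced Impact 3 that is not a blocked DNS
                       lookup, and Impact 0 repeated for the same src/dst pair
    routine:           the usual internal blocked-DNS Impact 3, Impact 4, and
                       one-off Impact 0
    no_action:         Impact 2 and externally sourced Impact 3
    """
    buckets = {"investigate_first": [], "review": [], "routine": [], "no_action": []}
    # "Persistent" Impact 0 is approximated here as the same src/dst pair
    # appearing at least persistent_threshold times (an assumption).
    impact0_pairs = Counter(
        (e["src_ip"], e["dst_ip"]) for e in events if e["impact"] == "0"
    )
    for e in events:
        imp = e["impact"]
        if imp == "1":
            buckets["investigate_first"].append(e)
        elif imp == "2":
            buckets["no_action"].append(e)
        elif imp == "3":
            if not is_internal(e["src_ip"]):
                buckets["no_action"].append(e)
            elif "DNS" in e["message"]:  # the common blocked outbound lookup
                buckets["routine"].append(e)
            else:
                buckets["review"].append(e)
        elif imp == "4":
            buckets["routine"].append(e)  # clears up as the host is profiled
        elif imp == "0":
            if impact0_pairs[(e["src_ip"], e["dst_ip"])] >= persistent_threshold:
                buckets["review"].append(e)  # possible misconfiguration
            else:
                buckets["routine"].append(e)
    return buckets


def inline_result_counts(events):
    """Tally Inline Results; a blank cell is reported as "0", as the reports show it."""
    return Counter(e["inline_result"] or "0" for e in events)


def ips_health_warning(events, threshold=3):
    """Return a warning string when 'Would have dropped' appears at least
    `threshold` times (the threshold is an assumption), otherwise None."""
    n = inline_result_counts(events)["Would have dropped"]
    if n >= threshold:
        return (f"{n} 'Would have dropped' results: check that 'Drop when Inline' "
                "is enabled and that the IPS is not overloaded")
    return None


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    for name, items in triage(evts).items():
        print(f"{name}: {len(items)}")
        for e in items:
            print(f"  impact {e['impact']} {e['inline_result'] or '0':<18} "
                  f"{e['src_ip']} -> {e['dst_ip']}  {e['message']}")
    print("inline results:", dict(inline_result_counts(evts)))
    print("warning:", ips_health_warning(evts, threshold=1))
```

The DNS check is a plain substring match on the rule message, which mirrors the tidbit's “blocked outbound DNS requests” convention; on a real export you would key on whatever the rule message or classification column actually contains, and tune the two thresholds to what “persistent” and “consistently” mean for your traffic volume.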
As always feel free to contact our office for help with understanding anything you see in your Firepower IPS Intrusion Event logs or your Daily IPS reports.