Cisco Firepower
LogZilla App Store application: Cisco Firepower
Overview
Cisco FirePOWER is a set of management services for Cisco routers. It provides application control, intrusion protection, anti-malware, and URL filtering. There is a management software application called FirePOWER Management Center. FirePOWER log messages can originate both from individual FirePOWER devices and from the FirePOWER Management Center software.
App Function
The Cisco Firepower app has three rules.
The purpose of the first rule is to read Cisco log messages and extract the data elements in the message as certain user tags. The first rule recognizes a large number of Cisco log messages.
The purpose of the second rule is to parse certain key-value pairs in the FMC application log message and convert them into corresponding user tags. It also identifies Cisco log message event types. Last, it detects torrent connections and sets an appropriate user tag.
The purpose of the third rule is to extract the User and Group information from the FirePOWER firewalls, according to the log message format relating to the particular Cisco mnemonic.
Note that the rule behavior is governed in part by the Cisco message code mnemonic. There is overlap between the FTD- and ASA- mnemonics, and for the purposes of the Cisco Firepower app, those mnemonics are considered identical.
Vendor Documentation
Log Source Details
| Item | Value |
|---|---|
| Vendor | Cisco |
| Device Type | Firepower |
| Collection Method | Syslog |
| Configurable Log Output? | yes |
| Log Source Type | key-value |
| Exceptions | N/A |
Incoming Log Format
The two rules deal with two different log message formats. The log message format for the first rule is a list of comma-separated key-value pairs; the key and value in each pair are separated by a colon (:). This type of log message is sent by the FMC application.
The log message for the second rule is a common Cisco format consisting of the Cisco mnemonic code followed by variable message text corresponding to the log event type. For the purposes of the second rule, the log event types parsed all contain User and Group information, as indicated below. This type of log message is sent by Cisco Firepower firewalls.
Parsed Metadata Fields
The first rule, which recognizes the largest set of Cisco log messages, parses the following user tags:
| Field | Tag Name | Example |
|---|---|---|
| Source IP | SrcIP | 8.8.8.8 |
| Source Port | SrcPort | dynamic |
| Destination IP | DstIP | 8.8.8.8 |
| Destination Port | DstPort | dynamic |
| Source Interface | SrcInterface | n/a |
| Destination Interface | DstInterface | n/a |
| Mapped Source IP | SrcIP Mapped | 8.8.8.8 |
| Mapped Source Port | SrcPort Mapped | dynamic |
| Mapped Destination IP | DstIP Mapped | 8.8.8.8 |
| Mapped Destination Port | DstPort Mapped | dynamic |
| User | User | n/a |
The second rule is restricted to a certain set of key-values to convert to user tags. Those log message keys and the corresponding user tags are:
| Key | Tag Name | Example |
|---|---|---|
| Protocol | Protocol | TCP |
| SrcIP | SrcIP | 8.8.8.8 |
| SrcPort | SrcPort | dynamic |
| EgressInterface | Egress Interface | outside |
| EgressZone | Egress Zone | Outside-ASA |
| IngressInterface | Ingress Interface | inside |
| IngressZone | Ingress Zone | Inside-ASA |
| AccessControlRuleAction | Access Control Rule Action | Allow |
| AccessControlRuleName | Access Control Rule Name | IPS_and_AMP_Catch_all |
| DstPort | DstPort | http |
| HTTPReferer | HTTP Referer | http://www.host.com |
| NAPPolicy | NAP Policy | Balanced Security and Connectivity |
| (based on mnemonic) | Security Alert | Intrusion |
| (based on connection details) | Torrent | 8.8.8.8 -> 1.2.3.4:6884 |
The third rule deals with a different set of mostly homogeneous log messages and a smaller set of user tags:
| Key | Tag Name | Example |
|---|---|---|
| User | User | TCP |
| Group | Group | TCP |
| TunnelGroup | TunnelGroup | TCP |
| GroupPolicy | GroupPolicy | TCP |
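As an added worked example (not LogZilla's own rule code), here is a Python sketch of the two parsers described in the Incoming Log Format section: the FMC comma-separated key-value parser with the Rule 2 key-to-tag mapping from the table above, and the Rule 3 extraction of the angle-bracketed User/Group fields from the mnemonic-style firewall messages. The BitTorrent port-range check and the Severity/MessageCode tags are my assumptions; the page does not say how the app detects torrents or what it records from the mnemonic.

```python
import re

# Rule 2: FMC key -> LogZilla user tag name, copied from the page's table.
FMC_KEY_TO_TAG = {
    "Protocol": "Protocol", "SrcIP": "SrcIP", "SrcPort": "SrcPort",
    "DstPort": "DstPort", "EgressInterface": "Egress Interface",
    "EgressZone": "Egress Zone", "IngressInterface": "Ingress Interface",
    "IngressZone": "Ingress Zone", "HTTPReferer": "HTTP Referer",
    "AccessControlRuleAction": "Access Control Rule Action",
    "AccessControlRuleName": "Access Control Rule Name",
    "NAPPolicy": "NAP Policy",
}
# Rule 3: the '<...>' fields the page lists for firewall (mnemonic) messages.
FW_FIELD_RE = re.compile(r"\b(User|Group|TunnelGroup|GroupPolicy) <([^>]*)>")
# FTD- and ASA- codes are treated alike, per the page; the optional middle
# token covers forms such as %FTD-svc-5-722034.
MNEMONIC_RE = re.compile(r"%(?:FTD|ASA)-(?:\w+-)?(\d)-(\d+):")
# BitTorrent port range as the torrent heuristic: my assumption, the page
# does not state the app's actual criterion.
TORRENT_PORTS = range(6881, 6890)


def parse_fmc(msg):
    """Split an FMC message ('Key: value, Key: value, ...') into a dict."""
    fields = {}
    for pair in msg.split(", "):
        key, sep, value = pair.partition(": ")
        if sep:  # skip fragments that are not 'Key: value'
            fields[key.strip()] = value.strip()
    return fields


def fmc_tags(msg):
    """Rule 2: keep only the listed keys as user tags and flag torrent traffic."""
    fields = parse_fmc(msg)
    tags = {tag: fields[key] for key, tag in FMC_KEY_TO_TAG.items() if key in fields}
    port = fields.get("DstPort", "")
    if fields.get("Protocol", "").lower() == "tcp" and port.isdigit() \
            and int(port) in TORRENT_PORTS:
        tags["Torrent"] = f"{fields.get('SrcIP', '?')} -> {fields.get('DstIP', '?')}:{port}"
    return tags


def firewall_tags(msg):
    """Rule 3: extract User/Group/TunnelGroup/GroupPolicy plus the message code."""
    tags = dict(FW_FIELD_RE.findall(msg))
    m = MNEMONIC_RE.search(msg)
    if m:  # severity digit and six-digit code from the %FTD-/%ASA- mnemonic
        tags["Severity"], tags["MessageCode"] = m.group(1), m.group(2)
    return tags
```

Feeding the page's two log examples through `fmc_tags` and `firewall_tags` yields only the tags listed in the tables; keys such as DeviceUUID or ACPolicy are dropped.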
High-Cardinality (HC) Tags
- SrcIP
- DstIP
- SrcIP Mapped
- DstIP Mapped
Log Examples
Log Examples Rule 1 (FMC application)
Intrusion Detected
```text
Protocol: UDP, SrcIP: 11.22.33.44, OriginalClientIP: ::, DstIP: 127.0.0.1, SrcPort: 42542, DstPort: 443, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside, IngressZone: Inside-ASA, EgressZone: Outside-ASA, DE: Primary Detection Engine (99ea7fcc-d26a-11e6-ab37-b0df04229f05), Policy: Corp-FirePower-Policy, ConnectType: End, AccessControlRuleName: Unknown, AccessControlRuleAction: Allow, Prefilter Policy: Unknown, UserName: No Authentication Required, InitiatorPackets: 3, ResponderPackets: 3, InitiatorBytes: 1226, ResponderBytes: 1247, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown
```
Connection End
```text
EventPriority: Low, DeviceUUID: cefd21fe-afd3-11e8-ac26-a1f3a00f1023, InstanceID: 2, FirstPacketSecond: 2021-07-20T13:30:45Z, ConnectionID: 60241, AccessControlRuleAction: Allow, SrcIP: 11.22.33.44, DstIP: 55.66.77.88, SrcPort: 57395, DstPort: 9080, Protocol: tcp, IngressInterface: vlan-91, EgressInterface: vlan-21, IngressZone: inside, EgressZone: inside, IngressVRF: Global, EgressVRF: Global, ACPolicy: 91-Cyber-ACP, AccessControlRuleName: Permit Any, Prefilter Policy: Default Prefilter Policy, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 128, ResponderBytes: 70, NAPPolicy: Balanced Security and Connectivity
```
Log Examples Rule 2 (Firepower firewall)
New TCP Connection
```text
%FTD-svc-5-722034: Group <GP_corpUSA_SplitTunnel> User <jdoe> IP <11.22.33.44> New TCP SVC connection, no existing connection.
```
No IP Address Available
```text
%FTD-4-722041: TunnelGroup <corpUSA> GroupPolicy <GP_corpUSA_SplitTunnel> User <jdoe> IP <11.22.33.44> No IPv6 address available for SVC connection
```