Cisco Firepower

Previously known as Sourcefire 3D, Cisco Firepower is an intrusion detection and response system that produces security data which enhances InsightIDR analysis. You can also send Web Proxy events from Cisco Firepower. InsightIDR automatically separates and parses the IDS and Web Proxy logs from this application.

Configuration Instructions work for Cisco Firepower, Sourcefire 3D, and Cisco FireSIGHT

The configuration instructions in this document work for Cisco Firepower, Sourcefire 3D, and Cisco FireSIGHT. Even if you have Cisco Firepower or Cisco FireSIGHT, you still must select Sourcefire 3D in the Event Source dropdown list when configuring in InsightIDR.

Learn more about Cisco Firepower here: https://supportforums.cisco.com/t5/intrusion-prevention-systems-ids/firepower-vs-ngips-vs-firesight-vs-firepower-management-center/td-p/2975375.

Configure Sourcefire 3D, Cisco Firepower, or Cisco FireSIGHT to Send Alerts to InsightIDR

  1. Go to the SourceFire admin panel.
  2. Select Policies > Actions > Alerts. A pop-up window appears.
  3. From the Create Alert drop-down menu, select Create Syslog Alert. A dialog box appears.
  4. In the Name field, type the name you want to use to identify the saved response.
  5. In the Host field, type the hostname or IP address of your syslog server.
    • Note that the system does not warn you if you enter an invalid IPv4 address in this field (such as 192.168.1.456). Instead, the invalid address is treated as a hostname.
  6. In the Port field, enter the port that you will configure your InsightIDR collector to use for this event source.
    • By default, this value is 514.
  7. Select ALERT as the facility.
  8. Select ALERT as the severity.
  9. In the Tag field, type the tag name that you want to appear with the syslog message. Use only alphanumeric characters in tag names. You cannot use spaces or underscores.
  10. Click Save.

When you create an alert response, it is automatically enabled. Only enabled alert responses can generate alerts. To stop alerts from being generated, you can temporarily disable alert responses rather than deleting your configurations.

Use these resources for detailed configuration instructions:

Syslog Example
<41>May 1 13:56:07 DefenseCenter SFAppliance: [119:2:1] http_inspect: DOUBLE DECODING ATTACK [Impact: Currently Not Vulnerable] From \"10.111.1.11\" at Fri May 1 19:56:07 2015 UTC [Classification: Not Suspicious Traffic] [Priority: 3] {tcp} 10.11.55.33:61163->50.11.222.55:80

How to Configure This Event Source in InsightIDR

  1. From your dashboard, select Data Collection on the left menu.
  2. When the Data Collection page appears, click Setup Event Source and select Add Event Source from the dropdown list.
  3. From the Security Data section, click the IDS icon. The Add Event Source panel appears.
  4. Choose your collector.
  5. In the Select Event Source Type field, choose the option that corresponds to your Cisco Security Solution as outlined in the following table:
Cisco Security Solution              | InsightIDR Event Source Type
-------------------------------------|----------------------------------------------
ASA                                  | Cisco ASA event-source
NGIPS                                | Cisco ASA event-source
NGFW                                 | Cisco ASA event-source
Any other Firepower service          | Cisco ASA event-source
Cisco ASA with FirePower services    | Cisco ASA event-source
Cisco FirePower Threat Defense (FTD) | Cisco FTD event-source
Sourcefire 3D                        | Cisco FirePower (Sourcefire 3D) event-source

You can also name your event source if you want.

  6. Choose the timezone that matches the location of your event source logs.
  7. Optionally choose to send unparsed logs.
  8. Select an attribution source.
  9. Select Listen on Network Port and specify the port you used earlier along with a protocol.
    • If you chose TCP, you can optionally encrypt the event source by downloading the Rapid7 Certificate.
  10. Click Save.

Attribution source options

Sourcefire 3D, Cisco Firepower, or Cisco FireSIGHT logs can contain information about hosts and accounts. When setting up Sourcefire 3D, Cisco Firepower, or Cisco FireSIGHT as an event source, you will have the ability to specify the following attribution options:

  1. Use IDR engine if possible; if not, use event log

By selecting this option, the InsightIDR attribution engine will perform attribution using the source address present in the log lines. If it's unable to resolve assets or accounts using the source address, it will use the assets or accounts present in the log lines, if any.

  2. Use event log if possible; if not, use IDR engine

By selecting this option, attribution will be done using the assets and accounts present in the log lines. If no assets or accounts are present in the log lines, the InsightIDR attribution engine will perform attribution using the source address present in the log lines.

  3. Use IDR engine only

By selecting this option, the InsightIDR attribution engine will perform the attribution using the source address present in the log lines, ignoring any assets and accounts present in the log lines.

  4. Use event log only

By selecting this option, attribution will be done using the assets and accounts present in the log lines, ignoring the source address.

Verify the Configuration

To see Cisco Firepower logs in InsightIDR, click Log Search in the left menu to confirm that events are being forwarded to the Collector. Select the applicable Log Sets and the Log Names within them. The Log Name is the event source name, or “Cisco Firepower” if you did not name the event source. Cisco Firepower logs flow into these Log Sets:

  • Web Proxy
  • Intrusion Detection System (IDS)

Please note that logs take at least 7 minutes to appear in Log Search after you set up the event source.

Example Input Logs

Your Cisco Firepower logs will look similar to the following:

<113>Mar 18 11:38:39 Sourcefire3D sfdc1500avc: [Primary Detection Engine (11727814-7b90-11e2-6666-888888888888)][MHPSA] Connection Type: Start, User: Unknown, Client: SSL client, Application Protocol: HTTPS, Web App: Unknown, Access Control Rule Name: CatchAll-Scan_for_Malware, Access Control Rule Action: Allow, Access Control Rule Reasons: Unknown, URL Category: Parked Domains, URL Reputation: Well known, URL: https://razor.com, Interface Ingress: s1p1, Interface Egress: s1p2, Security Zone Ingress: Internal, Security Zone Egress: External, Security Intelligence Matching IP: None, Security Intelligence Category: None, Client Version: (null), Number of File Events: 0, Number of IPS Events: 0, TCP Flags: 0x0, NetBIOS Domain: (null), Initiator Packets: 4, Responder Packets: 4, Initiator Bytes: 608, Responder Bytes: 4368, Context: Unknown, SSL Rule Name: N/A, SSL Flow Status: N/A, SSL Cipher Suite: N/A, SSL Certificate: 0000000000000000000000000000000000000000, SSL Subject CN: N/A, SSL Subject Country: N/A, SSL Subject OU: N/A, SSL Subject Org: N/A, SSL Issuer CN: N/A, SSL Issuer Country: N/A, SSL Issuer OU: N/A, SSL Issuer Org: N/A, SSL Valid Start Date: N/A, SSL Valid End Date: N/A, SSL Version: N/A, SSL Server Certificate Status: N/A, SSL Actual Action: N/A, SSL Expected Action: N/A, SSL Server Name: (null), SSL URL Category: N/A, SSL Session ID: 0000000000000000000000000000000000000000000000000000000000000000, SSL Ticket Id: 0000000000000000000000000000000000000000, {TCP} 10.7.33.22:53431 -> 66.55.11.77:443
<113>Mar 18 11:38:39 Razor: Protocol: TCP, SrcIP: 10.100.11.222, OriginalClientIP: ::, DstIP: 65.55.44.111, SrcPort: 63399, DstPort: 443, TCPFlags: 0x0, IngressInterface: insidepc, EgressInterface: outside, DE: Primary Detection Engine (ecfee06e-8a6f-11e7-6666-888888888888), Policy: MSSA-Access Control, ConnectType: Start, AccessControlRuleName: Allow-GoodApps, AccessControlRuleAction: Allow, Prefilter Policy: Unknown, UserName: No Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: Microsoft, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 386, ResponderBytes: 66, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown, URL: https://microsoft.com
<113>Mar 18 11:38:39 Razor: Protocol: TCP, SrcIP: 10.100.11.222, OriginalClientIP: ::, DstIP: 65.55.44.111, SrcPort: 63399, DstPort: 443, TCPFlags: 0x0, IngressInterface: insidepc, EgressInterface: outside, DE: Primary Detection Engine (ecfee06e-8a6f-11e7-6666-888888888888), Policy: MSSA-Access Control, ConnectType: Start, AccessControlRuleName: Allow-GoodApps, AccessControlRuleAction: Block, Prefilter Policy: Unknown, UserName: No Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: Microsoft, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 386, ResponderBytes: 66, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown, URL: https://microsoft.com
<113>Mar 18 11:38:39 Sourcefire3D sfdc1500avc: [Primary Detection Engine (11727814-7b90-11e2-6666-888888888888)][MHPSA] Connection Type: Start, User: Unknown, Client: DNS client, Application Protocol: DNS, Web App: Unknown, Access Control Rule Name: CatchAll-Scan_for_Malware, Access Control Rule Action: Block, Access Control Rule Reasons: Unknown, URL Category: Unknown, URL Reputation: Risk unknown, URL: https://razor.com, Interface Ingress: s1p1, Interface Egress: s1p2, Security Zone Ingress: Internal, Security Zone Egress: External, Security Intelligence Matching IP: None, Security Intelligence Category: None, Client Version: (null), Number of File Events: 0, Number of IPS Events: 0, TCP Flags: 0x0, NetBIOS Domain: (null), Initiator Packets: 1, Responder Packets: 1, Initiator Bytes: 91, Responder Bytes: 187, Context: Unknown, SSL Rule Name: N/A, SSL Flow Status: N/A, SSL Cipher Suite: Nhttps://razor.com/, SSL Certificate: 0000000000000000000000000000000000000000, SSL Subject CN: N/A, SSL Subject Country: N/A, SSL Subject OU: N/A, SSL Subject Org: N/A, SSL Issuer CN: N/A, SSL Issuer Country: N/A, SSL Issuer OU: N/A, SSL Issuer Org: N/A, SSL Valid Start Date: N/A, SSL Valid End Date: N/A, SSL Version: N/A, SSL Server Certificate Status: N/A, SSL Actual Action: N/A, SSL Expected Action: N/A, SSL Server Name: (null), SSL URL Category: N/A, SSL Session ID: 0000000000000000000000000000000000000000000000000000000000000000, SSL Ticket Id: 0000000000000000000000000000000000000000, {UDP} 192.168.44.88:58962 -> 8.8.8.8:53
<113>Mar 18 11:38:39 tulsa-firesight SFIMS: [1:32123:2] "MALWARE-CNC Win.Trojan.Zbot variant outbound connection" [Impact: Vulnerable] From \"10.3.22.111\" at Tue Feb 16 20:12:48 2016 UTC [Classification: A Network Trojan was Detected] [Priority: 1] {tcp} 208.111.222.222:59186 (united states)->10.3.22.11:9999 (unknown)
<113>Mar 18 11:38:39 cde2b SFIMS: Protocol: TCP, SrcIP: 10.5.5.55, DstIP: 145.30.44.22, SrcPort: 27097, DstPort: 80, IngressZone: R7_Inside_SZ, EgressZone: R7_DMZ_SZ, Priority: 1, DE: Primary Detection Engine (42e15562-35e7-11e7-6666-888888888888), Policy: CWF R7, GID: 1, SID: 25976, Revision: 2, Message: "POLICY-OTHER Adobe ColdFusion admin API access attempt", Classification: Potential Corporate Policy Violation, Client: Web browser, ApplicationProtocol: HTTP, ACPolicy: Razor, NAPPolicy: Balanced Security and Connectivity
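As an added example covering both the Syslog Example and the Example Input Logs above (my own code, not the InsightIDR parser or any Rapid7 project code), the following Python splits the two Firepower syslog shapes on this page, the bracketed intrusion alerts and the comma-separated connection events, into fields, and decodes the syslog PRI so you can check the ALERT facility and severity set in steps 7 and 8. The function and field names (parse_firepower, from_device, host_only) are my own, and the sample line is constructed from the Syslog Example.

```python
import re

# Header "<PRI>Mon dd hh:mm:ss host tag: body"; some events carry only "host:" (the "Razor:" lines).
HEADER_RE = re.compile(
    r'^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) '
    r'(?:(?P<host_only>\S+): |(?P<host>\S+) (?P<tag>\S+): )(?P<body>.*)$')
# Alert body: [GID:SID:REV] msg [Impact: ..] From "ip" .. [Classification: ..] [Priority: N] {proto} src:port->dst:port
IDS_RE = re.compile(
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"?(?P<msg>.*?)"?\s+'
    r'\[Impact: (?P<impact>[^\]]+)\].*?From \\?"(?P<from_device>[^"\\]+)\\?".*?'
    r'\[Classification: (?P<classification>[^\]]+)\]\s+'
    r'\[Priority: (?P<priority>\d+)\]\s+\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[\d.]+):(?P<sport>\d+)(?: \([^)]*\))?\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)')
# Trailing 5-tuple on connection events: "{TCP} 10.7.33.22:53431 -> 66.55.11.77:443"
TUPLE_RE = re.compile(
    r'\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)')

def parse_firepower(line):
    """Return a dict of fields for one Firepower syslog line, or None if unrecognised."""
    head = HEADER_RE.match(line)
    if not head:
        return None
    event = {"host": head["host"] or head["host_only"], "tag": head["tag"]}
    # PRI = facility * 8 + severity; the alert response above is configured ALERT/ALERT.
    event["facility"], event["severity"] = divmod(int(head["pri"]), 8)
    body = head["body"]
    ids = IDS_RE.search(body)
    if ids:
        event.update(ids.groupdict(), kind="ids")
        for k in ("gid", "sid", "rev", "priority"):
            event[k] = int(event[k])
        return event
    # Connection / web-proxy events are "Key: Value, Key: Value, ..." lists.
    event["kind"] = "connection"
    for field in body.split(", "):
        key, sep, value = field.partition(": ")
        if sep:  # drop "[Primary Detection Engine (...)][MHPSA]" prefixes from the key
            event[re.sub(r'^(\[[^\]]*\])+\s*', '', key)] = value
    tup = TUPLE_RE.search(body)
    if tup:
        event.update(tup.groupdict())
    return event

if __name__ == "__main__":
    # Constructed sample line, modelled on the "Syslog Example" above.
    sample = (r'<41>May 1 13:56:07 DefenseCenter SFAppliance: [119:2:1] http_inspect: '
              r'DOUBLE DECODING ATTACK [Impact: Currently Not Vulnerable] From \"10.111.1.11\" '
              r'at Fri May 1 19:56:07 2015 UTC [Classification: Not Suspicious Traffic] '
              r'[Priority: 3] {tcp} 10.11.55.33:61163->50.11.222.55:80')
    print(parse_firepower(sample))
```

Ports and connection-event values are left as strings; convert the counters (Initiator Bytes, Responder Bytes) yourself if you aggregate them.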