
Cisco Firepower

Cisco FirePOWER is a set of management services for Cisco routers. It provides application control, intrusion protection, anti-malware, and URL filtering. There is a management software application called FirePOWER Management Center. FirePOWER log messages can originate both from individual FirePOWER devices and from the FirePOWER Management Center software.

Rule Function

This app has three rules.

The purpose of the first rule is to read Cisco log messages and extract the data elements in the message as certain user tags. This rule recognizes a large number of Cisco log messages.

The purpose of the second rule is to parse certain key-value pairs in the FMC application log message and convert them into corresponding user tags. It also identifies Cisco log message event types. Last, it detects torrent connections and sets an appropriate user tag.

The purpose of the third rule is to extract the User and Group information from the FirePOWER firewalls, according to the log message format relating to the particular Cisco mnemonic.

Note that the rule behavior is governed in part by the Cisco message code mnemonic. There is overlap between the FTD- and ASA- mnemonics, and for the purposes of this app, those mnemonics are considered identical.

Vendor Documentation

Log Source Details

Item                     | Value
-------------------------|----------
Vendor                   | Cisco
Device Type              | Firepower
Collection Method        | Syslog
Configurable Log Output? | yes
Log Source Type          | key-value
Exceptions               | N/A

Currently Supported Log Types

The two rules deal with two different log message formats. The log message format for the first rule is a list of comma-separated key-value pairs; the key and value in each pair are separated by a colon (:). This type of log message is sent by the FMC application.

The log message format for the second rule is a common Cisco format consisting of the Cisco mnemonic code followed by variable message text corresponding to the log event type. For the purposes of this rule, all of the parsed log event types contain User and Group information, as shown below. This type of log message is sent by Cisco Firepower firewalls.

Parsed Metadata Fields

The first rule, which recognizes the largest set of Cisco log messages, parses the following user tags:

Field                   | Tag Name       | Example
------------------------|----------------|--------
Source IP               | SrcIP          | 8.8.8.8
Source Port             | SrcPort        | dynamic
Destination IP          | DstIP          | 8.8.8.8
Destination Port        | DstPort        | dynamic
Source Interface        | SrcInterface   | n/a
Destination Interface   | DstInterface   | n/a
Mapped Source IP        | SrcIP Mapped   | 8.8.8.8
Mapped Source Port      | SrcPort Mapped | dynamic
Mapped Destination IP   | DstIP Mapped   | 8.8.8.8
Mapped Destination Port | DstPort Mapped | dynamic
User                    | User           | n/a

The second rule is restricted to a certain set of key-values to convert to user tags. Those log message keys and the corresponding user tags are:

Key                           | Tag Name                   | Example
------------------------------|----------------------------|-----------------------------------
Protocol                      | Protocol                   | TCP
SrcIP                         | SrcIP                      | 8.8.8.8
SrcPort                       | SrcPort                    | dynamic
EgressInterface               | Egress Interface           | outside
EgressZone                    | Egress Zone                | Outside-ASA
IngressInterface              | Ingress Interface          | inside
IngressZone                   | Ingress Zone               | Inside-ASA
AccessControlRuleAction       | Access Control Rule Action | Allow
AccessControlRuleName         | Access Control Rule Name   | IPS_and_AMP_Catch_all
DstPort                       | DstPort                    | http
HTTPReferer                   | HTTP Referer               | http://www.host.com
NAPPolicy                     | NAP Policy                 | Balanced Security and Connectivity
(based on mnemonic)           | Security Alert             | Intrusion
(based on connection details) | Torrent                    | 8.8.8.8 -> 1.2.3.4:6884

The third rule deals with a different set of mostly-homogeneous log messages and a smaller set of user tags:

Key         | Tag Name    | Example
------------|-------------|--------
User        | User        | TCP
Group       | Group       | TCP
TunnelGroup | TunnelGroup | TCP
GroupPolicy | GroupPolicy | TCP

High-Cardinality (HC) Tags

  • SrcIP
  • DstIP
  • SrcIP Mapped
  • DstIP Mapped

Log Examples

Log Examples Rule 1 (FMC application)

Intrusion Detected

Protocol: UDP, SrcIP: 11.22.33.44, OriginalClientIP: ::, DstIP: 127.0.0.1,
SrcPort: 42542, DstPort: 443, TCPFlags: 0x0, IngressInterface: inside,
EgressInterface: outside, IngressZone: Inside-ASA, EgressZone:
Outside-ASA, DE: Primary Detection Engine (99ea7fcc-d26a-11e6-ab37-b0df04229f05),
Policy: Corp-FirePower-Policy, ConnectType: End, AccessControlRuleName: Unknown,
AccessControlRuleAction: Allow, Prefilter Policy: Unknown,
UserName: No Authentication Required, InitiatorPackets: 3, ResponderPackets: 3,
InitiatorBytes: 1226, ResponderBytes: 1247, NAPPolicy: Balanced Security and Connectivity,
DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown,
URLReputation: Risk unknown

Connection End

EventPriority: Low, DeviceUUID: cefd21fe-afd3-11e8-ac26-a1f3a00f1023,
InstanceID: 2, FirstPacketSecond: 2021-07-20T13:30:45Z, ConnectionID: 60241,
AccessControlRuleAction: Allow, SrcIP: 11.22.33.44, DstIP: 55.66.77.88,
SrcPort: 57395, DstPort: 9080, Protocol: tcp, IngressInterface: vlan-91,
EgressInterface: vlan-21, IngressZone: inside, EgressZone: inside,
IngressVRF: Global, EgressVRF: Global, ACPolicy: 91-Cyber-ACP,
AccessControlRuleName: Permit Any, Prefilter Policy: Default Prefilter Policy,
InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 128,
ResponderBytes: 70, NAPPolicy: Balanced Security and Connectivity
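Added example (not code from this app or page): a Python parser for the FMC key-value format shown above. It cuts each pair at its first ": " so a value that itself contains colons (the IPv6 "::" in OriginalClientIP) survives, maps the second rule's keys to their user tags per the table earlier on the page, and raises the Torrent tag. The torrent test is an assumed port-range heuristic, since the page does not describe how the rule actually detects torrents.

```python
import re

# Rule-2 key -> user-tag mapping, taken from the table on this page.
KEY_TO_TAG = {
    "Protocol": "Protocol", "SrcIP": "SrcIP", "SrcPort": "SrcPort", "DstPort": "DstPort",
    "EgressInterface": "Egress Interface", "EgressZone": "Egress Zone",
    "IngressInterface": "Ingress Interface", "IngressZone": "Ingress Zone",
    "AccessControlRuleAction": "Access Control Rule Action",
    "AccessControlRuleName": "Access Control Rule Name",
    "HTTPReferer": "HTTP Referer", "NAPPolicy": "NAP Policy",
}
# Assumed heuristic: the page does not say how the rule spots torrents, so this
# flags only the well-known BitTorrent listener range 6881-6889.
TORRENT_PORTS = range(6881, 6890)
# Split on ", " only where a new "Key: " follows, so commas inside values survive.
PAIR_SPLIT = re.compile(r", (?=[A-Za-z][\w ]*: )")

def parse_fmc_kv(msg):
    """Return the message's key-value pairs. Each pair is cut at its first ': '
    only, so values containing colons (IPv6 '::', URLs) come through intact."""
    pairs = {}
    for chunk in PAIR_SPLIT.split(msg.strip()):
        key, sep, value = chunk.partition(": ")
        if sep:
            pairs[key.strip()] = value.strip()
    return pairs

def to_user_tags(msg):
    """Map the rule-2 keys to their user tags and add the Torrent tag."""
    kv = parse_fmc_kv(msg)
    tags = {KEY_TO_TAG[k]: v for k, v in kv.items() if k in KEY_TO_TAG}
    dst = kv.get("DstPort", "")  # may be a service name such as "http"
    if dst.isdigit() and int(dst) in TORRENT_PORTS and "SrcIP" in kv and "DstIP" in kv:
        tags["Torrent"] = f"{kv['SrcIP']} -> {kv['DstIP']}:{dst}"
    return tags

# Sample input: the page's "Connection End" message, joined onto one line.
CONNECTION_END = (
    "EventPriority: Low, DeviceUUID: cefd21fe-afd3-11e8-ac26-a1f3a00f1023, "
    "AccessControlRuleAction: Allow, SrcIP: 11.22.33.44, DstIP: 55.66.77.88, "
    "SrcPort: 57395, DstPort: 9080, Protocol: tcp, IngressInterface: vlan-91, "
    "EgressInterface: vlan-21, AccessControlRuleName: Permit Any, "
    "Prefilter Policy: Default Prefilter Policy, NAPPolicy: Balanced Security and Connectivity"
)
# Constructed sample (not from the page) that should raise the Torrent tag.
TORRENT_SAMPLE = ("Protocol: tcp, SrcIP: 8.8.8.8, DstIP: 1.2.3.4, "
                  "SrcPort: 51000, DstPort: 6884, AccessControlRuleAction: Allow")
```

Keys the table does not list (DeviceUUID, Prefilter Policy) are parsed but not promoted to user tags, which mirrors the "restricted to a certain set of key-values" behaviour described above.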

Log Examples Rule 2 (Firepower firewall)

New TCP Connection

%FTD-svc-5-722034: Group <GP_corpUSA_SplitTunnel> User <jdoe> IP
<11.22.33.44> New TCP SVC connection, no existing connection.

No IP Address Available

%FTD-4-722041: TunnelGroup <corpUSA> GroupPolicy <GP_corpUSA_SplitTunnel>
User <jdoe> IP <11.22.33.44> No IPv6 address available for SVC connection
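Added example (not code from this app or page): a Python parser for the mnemonic-style firewall messages above. It splits the "%FTD-..." header into prefix, severity and message ID, treats FTD- and ASA- prefixes as the same mnemonic as the page states, and pulls the third rule's User, Group, TunnelGroup and GroupPolicy fields out of the "Name <value>" pattern in the message text; a real syslog line usually carries a timestamp and hostname before the "%" prefix, so the header is searched for rather than anchored at the start.

```python
import re

# Cisco message header: "%FTD-4-722041:" or "%FTD-svc-5-722034:" (an optional
# class such as "svc" may sit between the prefix and the severity). FTD- and
# ASA- prefixes are treated as the same mnemonic, as the page notes.
HEADER_RE = re.compile(r"%(FTD|ASA)-(?:[a-z]+-)?(\d)-(\d+):\s*(.*)$")
# The third rule's fields each appear as "Name <value>" in the message text.
FIELD_RE = re.compile(r"\b(User|Group|TunnelGroup|GroupPolicy) <([^>]*)>")

def parse_mnemonic(line):
    """Split a firewall syslog line into prefix, severity, message ID and text.
    Returns None for lines that carry no Cisco mnemonic header."""
    m = HEADER_RE.search(line.strip())
    if not m:
        return None
    prefix, severity, msg_id, text = m.groups()
    return {"prefix": prefix, "severity": int(severity), "id": msg_id, "text": text}

def extract_user_group(line):
    """Return the rule-3 user tags (User, Group, TunnelGroup, GroupPolicy) found
    in the message text; {} when the line is not a Cisco mnemonic message."""
    parsed = parse_mnemonic(line)
    if parsed is None:
        return {}
    # findall yields (name, value) pairs; "IP <...>" is deliberately not a tag here.
    return dict(FIELD_RE.findall(parsed["text"]))

# Sample input: the page's two firewall examples, each joined onto one line.
NEW_CONNECTION = ("%FTD-svc-5-722034: Group <GP_corpUSA_SplitTunnel> User <jdoe> "
                  "IP <11.22.33.44> New TCP SVC connection, no existing connection.")
NO_IPV6 = ("%FTD-4-722041: TunnelGroup <corpUSA> GroupPolicy <GP_corpUSA_SplitTunnel> "
           "User <jdoe> IP <11.22.33.44> No IPv6 address available for SVC connection")
```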