Enable Logging for Sourcefire Security Intelligence Feeds

Last week I had a situation where an external client was reporting a complete inability to access any of our internet-accessible resources. If they changed IPs, though, they were fine. Considering it was over the Labor Day weekend, that we hadn’t changed *anything*, and that only this one client was having the problem, it seemed clear that the cause wasn’t on my side. They were small with outsourced IT, though, so pointing the finger back didn’t help much.

The fly in the ointment even for pointing at a cause was also that I didn’t have any logs of their traffic getting dropped. Normally I can search for initiating IPs or zoom into a small time window and find connections. Not this time. That left me with my own mental loophole of doubt about whether I actually did have an issue on my end.

So I opened a case with Cisco TAC, gave them the troubleshoot file dumps and asked for analysis. They struggled somewhat because I wasn’t able to reproduce the problem on demand, since I didn’t have access to the client’s network to try things. TAC tried disabling some completely unrelated Snort rules, which did nothing (as expected). Eventually, I added a temporary explicit trust rule for their traffic so that they could regain access while we dug deeper. Once allowed, the connections were visible in FireSight Management Center (Defense Center) > Analysis > Connections > Events.

A couple days later, TAC returned with the root cause. The Sourcefire Security Intelligence Feed for Malware was blocking the client’s IP. That would have been really great to know on day 1, so I could have asked the client’s IT to address it. Of course, when I did give that root cause back to their IT, they responded that they knew about being blacklisted two days before reporting access issues to our network. Did they mention that at all? Nope. Where’s the love, people?

While the Googlesphere seems devoid of any ability to search/query Sourcefire’s blacklist feeds, it did render some Cisco documentation on enabling logging for blacklist traffic. This also would have saved me the entire TAC case, had I known it was disabled by default.

[Image: Example of Blacklist Events]

To enable logging for blacklists, follow these steps (based on version 5.4.1):

  1. Log in to FireSight Management Center (formerly Defense Center)
  2. Go to Policies > Access Control
  3. Edit your active access control policy

  4. Select the third tab, Security Intelligence

  5. In the far-right (fourth) column, just above the small Delete trashcan icons, click the Logging (paper) icon

  6. Check Log Connections and Defense Center (optionally other destinations)

  7. Click OK and then Save and Apply in the top right of the Access Control page
  8. Blacklist connections will now be logged

2 Comments

  1. Saad said:

    Hey Chris,

    Thank you for the article. I had already configured logging for the security intelligence logs, but I would like to know if there’s a way to capture the packets of these events. I would not want all the events’ packets, just a few based on a particular blacklist.

    Thanks!

    March 31, 2016
    • Chris said:

      I’m afraid I don’t have the answer to that. I’ve transitioned out of the role that works with Sourcefire, so I’m unable to explore and figure it out with you. Feel free to post back here when you figure it out, though! Thanks.

      March 31, 2016