Splunk

Cisco ASA - Packet Capture Activity

Last updated 2 days ago on 2026-07-17

About

This analytic detects execution of packet capture commands on Cisco ASA devices via CLI or ASDM. Adversaries may abuse the built-in packet capture functionality to perform network sniffing, intercept credentials transmitted over the network, capture sensitive data in transit, or gather intelligence about network traffic patterns and internal communications. Packet captures can reveal usernames, passwords, session tokens, and confidential business data. The detection monitors for command execution events (message ID 111008 or 111010) containing "capture" commands, which are used to initiate packet capture sessions on specific interfaces or for specific traffic patterns on the ASA device. Investigate unauthorized packet capture activities, especially captures targeting sensitive interfaces (internal network segments, DMZ), captures configured to capture large volumes of traffic, captures with suspicious filter criteria, captures initiated by non-administrative accounts, or captures during unusual hours.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
References
https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/A-H/asa-command-ref-A-H/ca-cld-commands.html(external, opens in a new tab or window)https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118097-configure-asa-00.html(external, opens in a new tab or window)https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/RayInitiator-LINE-VIPER/ncsc-mar-rayinitiator-line-viper.pdf(external, opens in a new tab or window)
False Positives
Admins use packet captures for troubleshooting, performance monitoring, or security investigations. Verify against change management. Filter known admin accounts during maintenance windows.
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`cisco_asa` message_id IN (111008, 111010) command IN ("capture *") | fillnull | stats count earliest(_time) as firstTime latest(_time) as lastTime values(user) as user values(action) as action values(message_id) as message_id values(command) as command values(src_ip) as src_ip values(process_name) as process_name by host | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_asa___packet_capture_activity_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).