
[SIEM] Fix Cisco ASA and FTD message 106001 producing bad network.direction #13903

Merged
merged 3 commits into from
Oct 4, 2019

Conversation

adriansr
Contributor

@adriansr adriansr commented Oct 3, 2019

In some cases network.direction can be Inbound instead of inbound
as expected. This happens only with message 106001 in the ASA and FTD.

Fixes #13891

In some cases network.direction can be `Inbound` instead of `inbound`
as expected. This happens with message 106001 in the ASA and FTD.

Fixes elastic#13891
@adriansr adriansr requested a review from a team as a code owner October 3, 2019 17:56
@adriansr adriansr requested a review from a team October 3, 2019 17:58
@@ -960,6 +960,9 @@ processors:
- lowercase:
field: "file.type"
ignore_failure: true
- lowercase:
field: "network.direction"
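Review bot: the `file.type` processor in the surrounding context carries `ignore_failure: true`, but no such line is visible for the new `network.direction` processor at the end of this hunk as extracted; if the new `lowercase` step has no `ignore_failure` (or `ignore_missing`) setting, every ASA/FTD message that carries no direction word at all will fail the pipeline instead of just skipping the step, so mirror the `file.type` entry. Lowercasing also only repairs case, so it is worth confirming, as the reviewer asks, that every hardcoded direction word the module extracts is already an ECS value once lowercased, ideally with a 106001 line in the module's test fixtures.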
Contributor

@adriansr Make sure the possible values are actually one of those listed for network.direction in ECS https://www.elastic.co/guide/en/ecs/current/ecs-network.html

E.g. If Cisco has "Inbound", then just lowercasing that is fine. But if instead of "unknown" they have "Unavailable", then just the lowercasing doesn't get you there completely :-)

Contributor Author

Yes, in these logs the direction is not a variable but a hardcoded part of the message, like "Deny inbound {protocol} for {ip}", and then there is another similar message with a different code for "Deny outbound {protocol} for {ip}". Just with message 106001, the direction was at the beginning of the message so it started with an uppercase character.
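The normalisation this exchange describes, as an added example that is not code from the Beats Cisco module: a small Python parser pulls the hardcoded direction word out of constructed ASA/FTD lines, shows the capitalised token message 106001 produces, and applies the lowercase-plus-ECS-vocabulary check the reviewer asked for. The regexes, the sample lines and the ECS value list are assumptions.

```python
import re
from typing import List, Optional, Tuple

# ECS network.direction values relevant here (assumption: from the ECS reference the reviewer linked).
ECS_DIRECTIONS = frozenset({"inbound", "outbound", "internal", "external", "unknown"})

# Constructed sample lines (not from the page), modelled on the shapes the thread describes:
# 106001 opens with the direction word, so it is capitalised; the others carry it mid-sentence.
SAMPLE_LINES = [
    "%ASA-2-106001: Inbound TCP connection denied from 203.0.113.7/40022 to 192.0.2.10/443 flags SYN on interface outside",
    "%ASA-2-106006: Deny inbound UDP from 203.0.113.7/53 to 192.0.2.10/33333 on interface outside",
    "%FTD-2-106001: Inbound TCP connection denied from 198.51.100.9/1234 to 192.0.2.20/22 flags SYN on interface outside",
    "%ASA-6-302013: Built outbound TCP connection 12 for outside:198.51.100.9/443 to inside:192.0.2.30/51000",
]

HEADER_RE = re.compile(r"^%(?P<product>ASA|FTD)-\d-(?P<msg_id>\d{6}): (?P<text>.*)$")
DIRECTION_RE = re.compile(r"\b(inbound|outbound)\b", re.IGNORECASE)


def raw_direction(text: str) -> Optional[str]:
    """Direction word exactly as it appears in the message: the pre-fix behaviour."""
    m = DIRECTION_RE.search(text)
    return m.group(1) if m else None


def normalize_direction(raw: Optional[str]) -> Optional[str]:
    """Lowercase the token, then accept it only if it is an ECS value; anything else
    (a vendor word such as "Unavailable") becomes "unknown", which plain lowercasing misses."""
    if raw is None:
        return None
    value = raw.lower()
    return value if value in ECS_DIRECTIONS else "unknown"


def parse_event(line: str) -> dict:
    """Return the ECS fields this fix touches, plus the raw token for auditing."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not a Cisco ASA/FTD syslog line: {line!r}")
    raw = raw_direction(m.group("text"))
    return {"event.code": m.group("msg_id"), "observer.product": m.group("product"),
            "_raw_direction": raw, "network.direction": normalize_direction(raw)}


def non_ecs_directions(lines: List[str]) -> List[Tuple[str, str]]:
    """Audit helper: (message id, raw token) for lines whose raw token is not an ECS value."""
    events = (parse_event(line) for line in lines)
    return [(e["event.code"], e["_raw_direction"]) for e in events
            if e["_raw_direction"] is not None and e["_raw_direction"] not in ECS_DIRECTIONS]
```

Running `non_ecs_directions(SAMPLE_LINES)` over the constructed lines flags only the two 106001 events, which is exactly the set the pipeline change corrects.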

@adriansr adriansr merged commit e40fbdd into elastic:master Oct 4, 2019
adriansr added a commit to adriansr/beats that referenced this pull request Oct 4, 2019
…ection (elastic#13903)

In some cases network.direction can be `Inbound` instead of `inbound`
as expected. This happens with message 106001 in the ASA and FTD.

Fixes elastic#13891

(cherry picked from commit e40fbdd)
@adriansr adriansr added the v7.4.1 label Oct 4, 2019
adriansr added a commit that referenced this pull request Oct 4, 2019
…1 producing bad network.direction (#13912)

In some cases network.direction can be `Inbound` instead of `inbound`
as expected. This happens with message 106001 in the ASA and FTD.

Fixes #13891
leweafan pushed a commit to leweafan/beats that referenced this pull request Apr 28, 2023
…e 106001 producing bad network.direction (elastic#13912)

In some cases network.direction can be `Inbound` instead of `inbound`
as expected. This happens with message 106001 in the ASA and FTD.

Fixes elastic#13891
Successfully merging this pull request may close these issues.

[SIEM] Bad network.direction ingested by Cisco module
3 participants