From 2a47c3c1472c38d19d969a3499c8f6536064ab14 Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Mon, 27 Jul 2020 16:45:54 +0200 Subject: [PATCH] Cisco ASA: Fix message 106100 This updates the parser for Cisco ASA message 106100 so that it doesn't fail when extra information is appended after the port numbers. Fixes #19350 --- CHANGELOG.next.asciidoc | 1 + .../module/cisco/asa/test/asa-fix.log | 2 + .../cisco/asa/test/asa-fix.log-expected.json | 86 +++++++++++++++++++ .../cisco/shared/ingest/asa-ftd-pipeline.yml | 2 +- 4 files changed, 90 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 306dc5f96a3..ee4109ca5b0 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -223,6 +223,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix Filebeat OOMs on very long lines {issue}19500[19500], {pull}19552[19552] - Fix s3 input parsing json file without expand_event_list_from_field. {issue}19902[19902] {pull}19962[19962] - Fix millisecond timestamp normalization issues in CrowdStrike module {issue}20035[20035], {pull}20138[20138] +- Fix support for message code 106100 in Cisco ASA and FTD. {issue}19350[19350] {pull}20245[20245] *Heartbeat* diff --git a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log index 19509b9f9ef..d33c318fb6d 100644 --- a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log +++ b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log @@ -5,3 +5,5 @@ Apr 17 2020 14:16:20 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny udp src Inside:10.123 Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123 Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-3-313008: Denied IPv6-ICMP type=134, code=0 from fe80::1ff:fe23:4567:890a on interface ISP1 Jun 08 2020 12:59:57: %ASA-4-313009: Denied invalid ICMP code 9, for Inside:10.255.0.206/8795 (10.255.0.206/8795) to identity:10.12.31.51/0 (10.12.31.51/0), ICMP id 295, ICMP type 8 +Oct 20 2019 15:42:53: %ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575) -> inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f] +Oct 20 2019 15:42:54: %ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575)(LOCAL\\username) -> inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f] diff --git a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json index 9fb6401ea55..66bf1812769 100644 --- a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json @@ -299,5 +299,91 @@ "cisco-asa", "forwarded" ] + }, + { + "cisco.asa.destination_interface": "inside", + "cisco.asa.message_id": "106100", + "cisco.asa.rule_name": "incoming", + "cisco.asa.source_interface": "dmz2", + "destination.address": "127.3.4.5", + "destination.ip": "127.3.4.5", + "destination.port": 53, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106100, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575) -> inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]", + "event.outcome": "allow", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 1171, + "network.iana_number": 17, + "network.transport": "udp", + "related.ip": [ + "127.2.3.4", + "127.3.4.5" + ], + "service.type": "cisco", + "source.address": "127.2.3.4", + "source.ip": "127.2.3.4", + "source.port": 56575, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "inside", + "cisco.asa.message_id": "106100", + "cisco.asa.rule_name": "incoming", + "cisco.asa.source_interface": "dmz2", + "destination.address": "127.3.4.5", + "destination.ip": "127.3.4.5", + "destination.port": 53, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106100, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575)(LOCAL\\\\username) -> inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]", + "event.outcome": "allow", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 1334, + "network.iana_number": 17, + "network.transport": "udp", + "related.ip": [ + "127.2.3.4", + "127.3.4.5" + ], + "service.type": "cisco", + "source.address": "127.2.3.4", + "source.ip": "127.2.3.4", + "source.port": 56575, + "tags": [ + "cisco-asa", + "forwarded" + ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml index 8f14c7df3c0..d34f3562e68 100644 --- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml +++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml @@ -253,7 +253,7 @@ processors: - dissect: if: "ctx._temp_.cisco.message_id == '106100'" field: "message" - pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port}) -> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port}) %{}" + pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}" - dissect: if: "ctx._temp_.cisco.message_id == '106102'" field: "message"