diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 1f73195e510..e468debf28b 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -45,6 +45,7 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff] *Filebeat* +- cisco/asa: fix handling of user names when there are Security Group Tags present. {issue}32009[32009] {pull}32196[32196] *Heartbeat* diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 20be3e0ac27..a75f574429a 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -21459,6 +21459,16 @@ type: keyword -- +*`cisco.asa.source_user_security_group_tag`*:: ++ +-- +The Security Group Tag for the source user. Security Group Tag are 16-bit identifiers used to represent logical group privilege. + + +type: long + +-- + *`cisco.asa.destination_username`*:: + -- @@ -21469,6 +21479,16 @@ type: keyword -- +*`cisco.asa.destination_user_security_group_tag`*:: ++ +-- +The Security Group Tag for the destination user. Security Group Tag are 16-bit identifiers used to represent logical group privilege. + + +type: long + +-- + *`cisco.asa.mapped_source_ip`*:: + -- diff --git a/x-pack/filebeat/module/cisco/asa/_meta/fields.yml b/x-pack/filebeat/module/cisco/asa/_meta/fields.yml index 342bea8b4e9..cc4f603560c 100644 --- a/x-pack/filebeat/module/cisco/asa/_meta/fields.yml +++ b/x-pack/filebeat/module/cisco/asa/_meta/fields.yml @@ -34,11 +34,21 @@ description: > Name of the user that is the source for this event. + - name: source_user_security_group_tag + type: long + description: > + The Security Group Tag for the source user. Security Group Tag are 16-bit identifiers used to represent logical group privilege. + - name: destination_username type: keyword description: > Name of the user that is the destination for this event. + - name: destination_user_security_group_tag + type: long + description: > + The Security Group Tag for the destination user. Security Group Tag are 16-bit identifiers used to represent logical group privilege. + - name: mapped_source_ip type: ip description: > diff --git a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log index 80efe8a5553..7f13d09fa3b 100644 --- a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log +++ b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log @@ -9,3 +9,6 @@ Oct 20 2019 15:42:53: %ASA-6-106100: access-list incoming permitted udp dmz2/127 Oct 20 2019 15:42:54: %ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575)(LOCAL\\username) -> inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f] Aug 6 2020 11:01:37: %ASA-session-3-106102: access-list dev_inward_client permitted udp for user redacted outside/10.123.123.20(49721) -> inside/10.223.223.40(53) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3] Aug 6 2020 11:01:38: %ASA-1-106103: access-list filter denied icmp for user joe inside/10.1.2.3(64321) -> outside/1.2.33.40(8080) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3] +Jun 21 2022 11:47:08: %ASA-6-302015: Built inbound UDP connection 7 for outside:81.2.69.142/3424 (81.2.69.142/3424)(LOCAL\alice, 123) to inside:89.160.20.112/9803 (89.160.20.112/9803) (bob) +Jun 21 2022 11:47:08: %ASA-6-302015: Built inbound UDP connection 7 for outside:81.2.69.142/3424 (81.2.69.142/3424)(LOCAL\alice) to inside:89.160.20.112/9803 (89.160.20.112/9803) (bob) +Jun 21 2022 11:47:09: %ASA-6-302015: Built inbound UDP connection 7 for outside:81.2.69.142/3424 (81.2.69.142/3424)(LOCAL\alice, 123) to inside:89.160.20.112/9803 (89.160.20.112/9803)(LOCAL\dave, 246) (bob) diff --git a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json index a8e799341b3..6caa04996e5 100644 --- a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json @@ -566,5 +566,240 @@ "forwarded" ], "user.name": "joe" + }, + { + "cisco.asa.connection_id": "7", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "89.160.20.112", + "cisco.asa.mapped_destination_port": 9803, + "cisco.asa.mapped_source_ip": "81.2.69.142", + "cisco.asa.mapped_source_port": 3424, + "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "cisco.asa.source_user_security_group_tag": 123, + "cisco.asa.source_username": "LOCAL\\alice", + "cisco.asa.termination_user": "bob", + "destination.address": "89.160.20.112", + "destination.as.number": 29518, + "destination.as.organization.name": "Bredband2 AB", + "destination.geo.city_name": "Link\u00f6ping", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "SE", + "destination.geo.country_name": "Sweden", + "destination.geo.location.lat": 58.4167, + "destination.geo.location.lon": 15.6167, + "destination.geo.region_iso_code": "SE-E", + "destination.geo.region_name": "\u00d6sterg\u00f6tland County", + "destination.ip": "89.160.20.112", + "destination.port": 9803, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302015, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302015: Built inbound UDP connection 7 for outside:81.2.69.142/3424 (81.2.69.142/3424)(LOCAL\\alice, 123) to inside:89.160.20.112/9803 (89.160.20.112/9803) (bob)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 1899, + "network.community_id": "1:797FALeb94mYDqvQDgC+6NRdALQ=", + "network.direction": "inbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "81.2.69.142", + "89.160.20.112" + ], + "related.user": [ + "alice" + ], + "service.type": "cisco", + "source.address": "81.2.69.142", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.142", + "source.port": 3424, + "source.user.name": "alice", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.connection_id": "7", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "89.160.20.112", + "cisco.asa.mapped_destination_port": 9803, + "cisco.asa.mapped_source_ip": "81.2.69.142", + "cisco.asa.mapped_source_port": 3424, + "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "cisco.asa.source_username": "LOCAL\\alice", + "cisco.asa.termination_user": "bob", + "destination.address": "89.160.20.112", + "destination.as.number": 29518, + "destination.as.organization.name": "Bredband2 AB", + "destination.geo.city_name": "Link\u00f6ping", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "SE", + "destination.geo.country_name": "Sweden", + "destination.geo.location.lat": 58.4167, + "destination.geo.location.lon": 15.6167, + "destination.geo.region_iso_code": "SE-E", + "destination.geo.region_name": "\u00d6sterg\u00f6tland County", + "destination.ip": "89.160.20.112", + "destination.port": 9803, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302015, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302015: Built inbound UDP connection 7 for outside:81.2.69.142/3424 (81.2.69.142/3424)(LOCAL\\alice) to inside:89.160.20.112/9803 (89.160.20.112/9803) (bob)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 2089, + "network.community_id": "1:797FALeb94mYDqvQDgC+6NRdALQ=", + "network.direction": "inbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "81.2.69.142", + "89.160.20.112" + ], + "related.user": [ + "alice" + ], + "service.type": "cisco", + "source.address": "81.2.69.142", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.142", + "source.port": 3424, + "source.user.name": "alice", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.connection_id": "7", + "cisco.asa.destination_interface": "inside", + "cisco.asa.destination_user_security_group_tag": 246, + "cisco.asa.destination_username": "LOCAL\\dave", + "cisco.asa.mapped_destination_ip": "89.160.20.112", + "cisco.asa.mapped_destination_port": 9803, + "cisco.asa.mapped_source_ip": "81.2.69.142", + "cisco.asa.mapped_source_port": 3424, + "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "cisco.asa.source_user_security_group_tag": 123, + "cisco.asa.source_username": "LOCAL\\alice", + "cisco.asa.termination_user": "bob", + "destination.address": "89.160.20.112", + "destination.as.number": 29518, + "destination.as.organization.name": "Bredband2 AB", + "destination.geo.city_name": "Link\u00f6ping", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "SE", + "destination.geo.country_name": "Sweden", + "destination.geo.location.lat": 58.4167, + "destination.geo.location.lon": 15.6167, + "destination.geo.region_iso_code": "SE-E", + "destination.geo.region_name": "\u00d6sterg\u00f6tland County", + "destination.ip": "89.160.20.112", + "destination.port": 9803, + "destination.user.name": "dave", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302015, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302015: Built inbound UDP connection 7 for outside:81.2.69.142/3424 (81.2.69.142/3424)(LOCAL\\alice, 123) to inside:89.160.20.112/9803 (89.160.20.112/9803)(LOCAL\\dave, 246) (bob)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 2274, + "network.community_id": "1:797FALeb94mYDqvQDgC+6NRdALQ=", + "network.direction": "inbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "81.2.69.142", + "89.160.20.112" + ], + "related.user": [ + "alice", + "dave" + ], + "service.type": "cisco", + "source.address": "81.2.69.142", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.142", + "source.port": 3424, + "source.user.name": "alice", + "tags": [ + "cisco-asa", + "forwarded" + ], + "user.name": "dave" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json index 26374ec1ba1..8777ae5bd9e 100644 --- a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json @@ -3933,7 +3933,7 @@ "89.160.20.156" ], "related.user": [ - "user@domain.tld" + "user" ], "service.type": "cisco", "source.address": "1.128.3.4", @@ -3944,7 +3944,7 @@ "source.nat.port": "34534", "source.port": 12312, "source.user.domain": "domain.tld", - "source.user.name": "user@domain.tld", + "source.user.name": "user", "tags": [ "cisco-asa", "forwarded" @@ -4028,7 +4028,7 @@ "destination.as.organization.name": "Telstra Pty Ltd", "destination.ip": "1.128.3.4", "destination.user.domain": "domain.tld", - "destination.user.name": "user@domain.tld", + "destination.user.name": "user", "event.action": "flow-expiration", "event.category": [ "network" @@ -4062,7 +4062,7 @@ "89.160.20.156" ], "related.user": [ - "user@domain.tld" + "user" ], "service.type": "cisco", "source.address": "89.160.20.156", @@ -4078,12 +4078,12 @@ "source.geo.region_name": "\u00d6sterg\u00f6tland County", "source.ip": "89.160.20.156", "source.user.domain": "domain.tld", - "source.user.name": "user@domain.tld", + "source.user.name": "user", "tags": [ "cisco-asa", "forwarded" ], - "user.name": "user@domain.tld" + "user.name": "user" }, { "@timestamp": "2021-01-13T19:12:37.000-02:00", diff --git a/x-pack/filebeat/module/cisco/fields.go b/x-pack/filebeat/module/cisco/fields.go index 3e0eb729289..40d2eb18562 100644 --- a/x-pack/filebeat/module/cisco/fields.go +++ b/x-pack/filebeat/module/cisco/fields.go @@ -19,5 +19,5 @@ func init() { // AssetCisco returns asset data. // This is the base64 encoded zlib format compressed contents of module/cisco. func AssetCisco() string { - return "" + return "" } diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml index 99a5782d57c..460db388419 100644 --- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml +++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml @@ -282,7 +282,7 @@ processors: - ^%{NOTSPACE:event.outcome} ((protocol %{POSINT:network.iana_number})|%{NOTSPACE:network.transport}) src %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{POSINT:source.port})?\s*(\(%{CISCO_USER:_temp_.cisco.source_username}\) )?dst %{NOTCOLON:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{POSINT:destination.port})?%{DATA}by access-group "%{NOTSPACE:_temp_.cisco.list_id}" pattern_definitions: NOTCOLON: "[^:]*" - CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?) + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?) - dissect: if: "ctx._temp_.cisco.message_id == '106027'" field: "message" @@ -343,10 +343,10 @@ processors: field: "message" description: "302013, 302015" patterns: - - Built %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} connection %{NUMBER:_temp_.cisco.connection_id} for %{NOTCOLON:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port} \(%{IP:_temp_.natsrcip}/%{NUMBER:_temp_.cisco.mapped_source_port}\)(\(%{CISCO_USER:_temp_.cisco.source_username}\))? to %{NOTCOLON:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{NUMBER:destination.port} \(%{NOTSPACE:_temp_.natdstip}/%{NUMBER:_temp_.cisco.mapped_destination_port}\)(\(%{CISCO_USER:destination.user.name}\))?( \(%{CISCO_USER:_temp_.cisco.termination_user}\))?%{GREEDYDATA} + - Built %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} connection %{NUMBER:_temp_.cisco.connection_id} for %{NOTCOLON:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port} \(%{IP:_temp_.natsrcip}/%{NUMBER:_temp_.cisco.mapped_source_port}\)(\(%{CISCO_USER:_temp_.cisco.source_username}\))? to %{NOTCOLON:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{NUMBER:destination.port} \(%{NOTSPACE:_temp_.natdstip}/%{NUMBER:_temp_.cisco.mapped_destination_port}\)(\(%{CISCO_USER:_temp_.cisco.destination_username}\))?( \(%{CISCO_USER:_temp_.cisco.termination_user}\))?%{GREEDYDATA} pattern_definitions: NOTCOLON: "[^:]*" - CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?) + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?) - dissect: if: "ctx._temp_.cisco.message_id == '303002'" field: "message" @@ -360,7 +360,7 @@ processors: - Teardown %{DATA} %{NOTSPACE:network.transport} translation from %{NOTCOLON:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port}(\s*\(%{CISCO_USER:_temp_.cisco.source_username}\))? to %{NOTCOLON:_temp_.cisco.destination_interface}:%{IP:destination.address}/%{NUMBER:destination.port} duration %{DURATION:_temp_.duration_hms} pattern_definitions: NOTCOLON: "[^:]*" - CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?) + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?) DURATION: "%{INT}:%{MINUTE}:%{SECOND}" - grok: if: "ctx._temp_.cisco.message_id == '302020'" @@ -373,7 +373,7 @@ processors: ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})" MAPPEDSRC: "(?:%{DATA:_temp_.natsrcip}|%{HOSTNAME})" - CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?) + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?) - dissect: if: "ctx._temp_.cisco.message_id == '302022'" field: "message" @@ -827,7 +827,7 @@ processors: ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})" MAPPEDSRC: "(?:%{IPORHOST:_temp_.natsrcip}|%{HOSTNAME})" DURATION: "%{INT}:%{MINUTE}:%{SECOND}" - CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?) + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?) # # Decode FTD's Security Event Syslog Messages # @@ -1367,6 +1367,36 @@ processors: # # Parse Source/Dest Username/Domain # + - grok: + field: "_temp_.cisco.source_username" + if: 'ctx?._temp_?.cisco?.source_username != null' + ignore_failure: true + patterns: + - '%{CISCO_DOMAIN_USER:_temp_.cisco.source_username}%{CISCO_SGT}' + pattern_definitions: + CISCO_DOMAIN_USER: (%{CISCO_DOMAIN})?%{CISCO_USER} + CISCO_SGT: (, *%{NUMBER:_temp_.cisco.source_user_security_group_tag})? + CISCO_USER: "%{USERNAME}(@%{HOSTNAME})?" + CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME}\\)? + - convert: + field: _temp_.cisco.source_user_security_group_tag + type: long + ignore_missing: true + - grok: + field: "_temp_.cisco.destination_username" + if: 'ctx?._temp_?.cisco?.destination_username != null' + ignore_failure: true + patterns: + - '%{CISCO_DOMAIN_USER:_temp_.cisco.destination_username}%{CISCO_SGT}' + pattern_definitions: + CISCO_DOMAIN_USER: (%{CISCO_DOMAIN})?%{CISCO_USER} + CISCO_SGT: (, *%{NUMBER:_temp_.cisco.destination_user_security_group_tag})? + CISCO_USER: "%{USERNAME}(@%{HOSTNAME})?" + CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME}\\)? + - convert: + field: _temp_.cisco.destination_user_security_group_tag + type: long + ignore_missing: true - set: field: source.user.name value: "{{{ _temp_.cisco.source_username }}}" @@ -1380,18 +1410,18 @@ processors: if: 'ctx?.source?.user?.name != null' ignore_failure: true patterns: - - (%{CISCO_DOMAIN})?%{CISCO_USER:source.user.name} + - (%{CISCO_DOMAIN})?%{CISCO_USER} pattern_definitions: - CISCO_USER: "%{USERNAME}(@%{HOSTNAME:source.user.domain})?" + CISCO_USER: "%{USERNAME:source.user.name}(@%{HOSTNAME:source.user.domain})?" CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME:source.user.domain}\\)? - grok: field: "destination.user.name" if: 'ctx?.destination?.user?.name != null' ignore_failure: true patterns: - - (%{CISCO_DOMAIN})?%{CISCO_USER:destination.user.name} + - (%{CISCO_DOMAIN})?%{CISCO_USER} pattern_definitions: - CISCO_USER: "%{USERNAME}(@%{HOSTNAME:destination.user.domain})?" + CISCO_USER: "%{USERNAME:destination.user.name}(@%{HOSTNAME:destination.user.domain})?" CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME:destination.user.domain}\\)? # # Normalize protocol names