Commit

Fix Cisco ASA/FTD msgs that use a host name as NAT address (elastic#18376)

Sometimes the mapped source/destination IP field of an event is a hostname
instead of an IP address. This caused ingestion of the event to fail.

This patch makes the asa-ftd-pipeline only populate those fields when
a valid IP address is found.

In the future we may want to revisit this if .nat.domain or
.nat.address fields become available.

(cherry picked from commit b24ed97)
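An added illustration of the rule the message describes, not code from the beats project or from this commit: a NAT address goes to the ECS `nat.ip` field only when it parses as an IP literal, and to the new `mapped_*_host` keyword field otherwise, while non-NAT endpoints split between `.ip` and `.domain` the way the 106100 fixture event does. The regular expression, `parse_teardown` and the second sample line are constructed for this example.

```python
import ipaddress
import re

# Constructed samples shaped like the 302021 line in this commit's not-ip.log
# fixture; the second swaps the hostname for an IP to exercise both paths.
SAMPLES = [
    "%ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 "
    "gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233",
    "%ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 "
    "gaddr 198.51.100.7/17233 laddr 192.168.132.46/17233",
]
TEARDOWN_RE = re.compile(r"faddr (\S+)/(\d+) gaddr (\S+)/(\d+) laddr (\S+)/(\d+)")


def is_ip(value):
    """True only for a valid IPv4/IPv6 literal, i.e. what an Elasticsearch
    `ip` typed field accepts; anything else would fail ingestion."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def set_endpoint(event, side, value):
    """Non-NAT endpoint: keep the raw value in <side>.address and route it to
    <side>.ip or <side>.domain, as the 106100 fixture event already does."""
    event[f"{side}.address"] = value
    event[f"{side}.ip" if is_ip(value) else f"{side}.domain"] = value

def set_mapped(event, prefix, side, value):
    """The commit's rule for NAT endpoints (prefix is "cisco.asa" or "cisco.ftd"):
    nat.ip / mapped_<side>_ip only for a real IP, else mapped_<side>_host."""
    if is_ip(value):
        event[f"{side}.nat.ip"] = value
        event[f"{prefix}.mapped_{side}_ip"] = value
    else:
        event[f"{prefix}.mapped_{side}_host"] = value

def parse_teardown(message, prefix="cisco.asa"):
    """Hypothetical parser mapping a 302021 message the way the fixture does:
    laddr -> source, faddr -> destination, gaddr -> mapped (NAT) source."""
    m = TEARDOWN_RE.search(message)
    if not m:
        return None
    faddr, _, gaddr, _, laddr, _ = m.groups()
    event = {}
    set_endpoint(event, "source", laddr)
    set_endpoint(event, "destination", faddr)
    set_mapped(event, prefix, "source", gaddr)
    return event
```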
adriansr committed May 14, 2020
1 parent 00536b0 commit 5e71708
Showing 10 changed files with 277 additions and 20 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
@@ -128,6 +128,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Fixed typo in log message. {pull}17897[17897]
- Unescape file name from SQS message. {pull}18370[18370]
- Improve cisco asa and ftd pipelines' failure handler to avoid mapping temporary fields. {issue}18391[18391] {pull}18392[18392]
- Fixed ingestion of some Cisco ASA and FTD messages when a hostname was used instead of an IP for NAT fields. {issue}14034[14034] {pull}18376[18376]

*Heartbeat*

40 changes: 40 additions & 0 deletions filebeat/docs/fields.asciidoc
@@ -5469,6 +5469,16 @@ type: ip
--
*`cisco.asa.mapped_source_host`*::
+
--
The translated source host.
type: keyword
--
*`cisco.asa.mapped_source_port`*::
+
--
@@ -5489,6 +5499,16 @@ type: ip
--
*`cisco.asa.mapped_destination_host`*::
+
--
The translated destination host.
type: keyword
--
*`cisco.asa.mapped_destination_port`*::
+
--
@@ -5658,6 +5678,16 @@ type: ip
--
*`cisco.ftd.mapped_source_host`*::
+
--
The translated source host.
type: keyword
--
*`cisco.ftd.mapped_source_port`*::
+
--
@@ -5678,6 +5708,16 @@ type: ip
--
*`cisco.ftd.mapped_destination_host`*::
+
--
The translated destination host.
type: keyword
--
*`cisco.ftd.mapped_destination_port`*::
+
--
12 changes: 12 additions & 0 deletions x-pack/filebeat/module/cisco/asa/_meta/fields.yml
@@ -44,6 +44,12 @@
description: >
The translated source IP address.
- name: mapped_source_host
type: keyword
default_field: false
description: >
The translated source host.
- name: mapped_source_port
type: long
description: >
@@ -54,6 +60,12 @@
description: >
The translated destination IP address.
- name: mapped_destination_host
type: keyword
default_field: false
description: >
The translated destination host.
- name: mapped_destination_port
type: long
description: >
2 changes: 2 additions & 0 deletions x-pack/filebeat/module/cisco/asa/test/not-ip.log
@@ -1 +1,3 @@
<165>Oct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.0.2.244(27218) -> OUTSIDE/203.0.113.42(53) hit-cnt 1 first hit [0x16847359, 0x00000000]
Jan 1 2020 10:42:53 localhost : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233
Jan 2 2020 11:33:20 localhost : %ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware
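Review bot: both added lines only exercise the hostname branch (gaddr on the 302021 line and the parenthesised mapped addresses on the 338204 line are never IP literals), so this fixture cannot catch a regression where a valid mapped IP stops reaching source.nat.ip/destination.nat.ip after the pipeline change; a third line with the same 338204 shape but IP literals in the parentheses would cover that path, unless an existing fixture already does. The mix of formats (the `<165>` priority-prefixed first line versus the `Jan 1 2020 10:42:53 localhost :` form on the new ones) is fine for coverage.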
71 changes: 71 additions & 0 deletions x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json
@@ -31,5 +31,76 @@
"tags": [
"cisco-asa"
]
},
{
"@timestamp": "2020-01-01T10:42:53.000-02:00",
"cisco.asa.mapped_source_host": "mydomain.example.net",
"cisco.asa.message_id": "302021",
"destination.address": "172.24.177.29",
"destination.ip": "172.24.177.29",
"event.action": "flow-expiration",
"event.code": 302021,
"event.dataset": "cisco.asa",
"event.module": "cisco",
"event.original": "%ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233",
"event.severity": 6,
"event.timezone": "-02:00",
"fileset.name": "asa",
"host.hostname": "localhost",
"input.type": "log",
"log.file.path": "not-ip.log",
"log.level": "informational",
"log.offset": 201,
"network.iana_number": 1,
"network.transport": "icmp",
"service.type": "cisco",
"source.address": "192.168.132.46",
"source.ip": "192.168.132.46",
"tags": [
"cisco-asa"
]
},
{
"@timestamp": "2020-01-02T11:33:20.000-02:00",
"cisco.asa.destination_interface": "wan",
"cisco.asa.mapped_destination_host": "www.example.org",
"cisco.asa.mapped_destination_port": 80,
"cisco.asa.mapped_source_host": "source.example.net",
"cisco.asa.mapped_source_port": 11234,
"cisco.asa.message_id": "338204",
"cisco.asa.rule_name": "dynamic",
"cisco.asa.source_interface": "eth0",
"cisco.asa.threat_category": "malware",
"cisco.asa.threat_level": "high",
"destination.address": "172.24.177.3",
"destination.domain": "example.org",
"destination.ip": "172.24.177.3",
"destination.nat.port": "80",
"destination.port": 80,
"event.action": "firewall-rule",
"event.code": 338204,
"event.dataset": "cisco.asa",
"event.module": "cisco",
"event.original": "%ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware",
"event.outcome": "deny",
"event.severity": 4,
"event.timezone": "-02:00",
"fileset.name": "asa",
"host.hostname": "localhost",
"input.type": "log",
"log.file.path": "not-ip.log",
"log.level": "warning",
"log.offset": 360,
"network.iana_number": 6,
"network.transport": "tcp",
"server.domain": "example.org",
"service.type": "cisco",
"source.address": "10.10.10.1",
"source.ip": "10.10.10.1",
"source.nat.port": "11234",
"source.port": 1234,
"tags": [
"cisco-asa"
]
}
]
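Review bot: in the 338204 event `destination.nat.port` is emitted as the string "80" and `source.nat.port` as "11234", while `cisco.asa.mapped_destination_port` / `cisco.asa.mapped_source_port` and `destination.port` / `source.port` are numbers; ECS defines *.nat.port as long, so the pipeline should convert these the same way it converts the other port fields, otherwise this expected file locks a type mismatch into the test suite. Also worth confirming that the 302021 event intentionally drops the gaddr port 17233 (no `mapped_source_port` next to `mapped_source_host`), given that for ICMP that number is an identifier rather than a port.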
2 changes: 1 addition & 1 deletion x-pack/filebeat/module/cisco/fields.go (generated file; diff not rendered)

14 changes: 13 additions & 1 deletion x-pack/filebeat/module/cisco/ftd/_meta/fields.yml
@@ -44,6 +44,12 @@
description: >
The translated source IP address. Use ECS source.nat.ip.
- name: mapped_source_host
type: keyword
default_field: false
description: >
The translated source host.
- name: mapped_source_port
type: long
description: >
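Review bot: the new `mapped_source_host` description ("The translated source host.") should say when the field is populated, namely only when the NAT address in the message is a hostname rather than an IP, with `mapped_source_ip` / `source.nat.ip` left empty in that case; the neighbouring `mapped_source_ip` entry points readers at ECS (`Use ECS source.nat.ip.`), and since the commit message notes that no `.nat.domain` equivalent exists yet, a sentence saying so here would spare users looking for one. The same applies to `mapped_destination_host` in the next hunk.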
@@ -54,6 +60,12 @@
description: >
The translated destination IP address. Use ECS destination.nat.ip.
- name: mapped_destination_host
type: keyword
default_field: false
description: >
The translated destination host.
- name: mapped_destination_port
type: long
description: >
@@ -90,7 +102,7 @@
type: object
description:
Raw fields for Security Events.

- name: connection_type
type: keyword
default_field: false
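Review bot: the change in this hunk appears to be whitespace only (the blank line after `Raw fields for Security Events.`, which accounts for the file's single deletion); whitespace churn unrelated to the NAT fix is better left out of a bug-fix commit, or at least mentioned in the message so a later `git blame` does not attribute that line to this change.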
3 changes: 3 additions & 0 deletions x-pack/filebeat/module/cisco/ftd/test/not-ip.log
@@ -0,0 +1,3 @@
<165>Oct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.0.2.244(27218) -> OUTSIDE/203.0.113.42(53) hit-cnt 1 first hit [0x16847359, 0x00000000]
Jan 1 2020 10:42:53 localhost : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233
Jan 2 2020 11:33:20 localhost : %ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware
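Review bot: this new FTD fixture is a verbatim copy of the ASA one, `%ASA-` message prefixes included; FTD devices normally emit `%FTD-` prefixed messages, so at least one line here should use that prefix so the test exercises the FTD-specific message handling rather than only the NAT logic the two pipelines share.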
103 changes: 103 additions & 0 deletions x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json
@@ -0,0 +1,103 @@
[
{
"@timestamp": "2019-10-04T15:27:55.000-02:00",
"cisco.ftd.destination_interface": "OUTSIDE",
"cisco.ftd.message_id": "106100",
"cisco.ftd.rule_name": "AL-DMZ-LB-IN",
"cisco.ftd.source_interface": "LB-DMZ",
"destination.address": "203.0.113.42",
"destination.ip": "203.0.113.42",
"destination.port": 53,
"event.action": "firewall-rule",
"event.code": 106100,
"event.dataset": "cisco.ftd",
"event.module": "cisco",
"event.original": "%ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.0.2.244(27218) -> OUTSIDE/203.0.113.42(53) hit-cnt 1 first hit [0x16847359, 0x00000000]",
"event.outcome": "deny",
"event.severity": 5,
"event.timezone": "-02:00",
"fileset.name": "ftd",
"input.type": "log",
"log.level": "notification",
"log.offset": 0,
"network.iana_number": 6,
"network.transport": "tcp",
"service.type": "cisco",
"source.address": "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244",
"source.domain": "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244",
"source.port": 27218,
"syslog.facility": 165,
"tags": [
"cisco-ftd"
]
},
{
"@timestamp": "2020-01-01T10:42:53.000-02:00",
"cisco.ftd.mapped_source_host": "mydomain.example.net",
"cisco.ftd.message_id": "302021",
"destination.address": "172.24.177.29",
"destination.ip": "172.24.177.29",
"event.action": "flow-expiration",
"event.code": 302021,
"event.dataset": "cisco.ftd",
"event.module": "cisco",
"event.original": "%ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233",
"event.severity": 6,
"event.timezone": "-02:00",
"fileset.name": "ftd",
"host.hostname": "localhost",
"input.type": "log",
"log.level": "informational",
"log.offset": 201,
"network.iana_number": 1,
"network.transport": "icmp",
"service.type": "cisco",
"source.address": "192.168.132.46",
"source.ip": "192.168.132.46",
"tags": [
"cisco-ftd"
]
},
{
"@timestamp": "2020-01-02T11:33:20.000-02:00",
"cisco.ftd.destination_interface": "wan",
"cisco.ftd.mapped_destination_host": "www.example.org",
"cisco.ftd.mapped_destination_port": 80,
"cisco.ftd.mapped_source_host": "source.example.net",
"cisco.ftd.mapped_source_port": 11234,
"cisco.ftd.message_id": "338204",
"cisco.ftd.rule_name": "dynamic",
"cisco.ftd.source_interface": "eth0",
"cisco.ftd.threat_category": "malware",
"cisco.ftd.threat_level": "high",
"destination.address": "172.24.177.3",
"destination.domain": "example.org",
"destination.ip": "172.24.177.3",
"destination.nat.port": "80",
"destination.port": 80,
"event.action": "firewall-rule",
"event.code": 338204,
"event.dataset": "cisco.ftd",
"event.module": "cisco",
"event.original": "%ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware",
"event.outcome": "deny",
"event.severity": 4,
"event.timezone": "-02:00",
"fileset.name": "ftd",
"host.hostname": "localhost",
"input.type": "log",
"log.level": "warning",
"log.offset": 360,
"network.iana_number": 6,
"network.transport": "tcp",
"server.domain": "example.org",
"service.type": "cisco",
"source.address": "10.10.10.1",
"source.ip": "10.10.10.1",
"source.nat.port": "11234",
"source.port": 1234,
"tags": [
"cisco-ftd"
]
}
]
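Review bot: the same port typing issue as in the ASA expected file appears in the 338204 event, where `destination.nat.port` is "80" and `source.nat.port` is "11234" (strings) while `cisco.ftd.mapped_destination_port` and `cisco.ftd.mapped_source_port` are numbers; ECS defines nat.port as long, so the conversion should match the other port fields before these expectations are committed. The 106100 event is a useful reference point for the fix: the hostname lands in `source.address` and `source.domain` with no `source.ip`, which is the same keep-the-value-but-skip-the-ip-field pattern the new `mapped_*_host` fields follow.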