

Cherry-pick #17964 to 7.8: [Filebeat] Fix Cisco ASA 3020** and 106023…
… messages (#19236)
sayden authored Jun 18, 2020
1 parent 08f8a70 commit d3bf31f
Showing 6 changed files with 326 additions and 4 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -116,6 +116,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Fix `o365.audit` failing to ingest events when ip address is surrounded by square brackets. {issue}18587[18587] {pull}18591[18591]
- Fix `o365` module ignoring `var.api` settings. {pull}18948[18948]
- Fix `netflow` module to support 7 bytepad for IPFIX template. {issue}18098[18098]
- Fix Cisco ASA ASA 3020** and 106023 messages {pull}17964[17964]

*Heartbeat*

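--- /dev/null
+++ b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log
@@ -0,0 +1,5 @@
+Apr 17 2020 14:08:08 SNL-ASA-VPN-A01 : %ASA-6-302016: Teardown UDP connection 110577675 for Outside:10.123.123.123/53723(LOCAL\Elastic) to Inside:10.233.123.123/53 duration 0:00:00 bytes 148 (zzzzzz)
+Apr 17 2020 14:00:31 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group "Inside_access_in" [0x0, 0x0]
+Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group "acl_dmz" [0xe3afb522, 0x0]
+Apr 17 2020 14:16:20 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\Elastic) dst Outside:10.123.123.123/57621 by access-group "Inside_access_in" [0x0, 0x0]
+Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123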
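--- /dev/null
+++ b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json
@@ -0,0 +1,152 @@
+[
+{
+"cisco.asa.connection_id": "110577675",
+"cisco.asa.destination_interface": "Inside",
+"cisco.asa.message_id": "302016",
+"cisco.asa.source_interface": "Outside",
+"cisco.asa.source_username": "(LOCAL\\Elastic)",
+"destination.address": "10.233.123.123",
+"destination.ip": "10.233.123.123",
+"destination.port": 53,
+"event.action": "flow-expiration",
+"event.code": 302016,
+"event.dataset": "cisco.asa",
+"event.duration": 0,
+"event.end": "2020-04-17T14:08:08.000-02:00",
+"event.module": "cisco",
+"event.original": "%ASA-6-302016: Teardown UDP connection 110577675 for Outside:10.123.123.123/53723(LOCAL\\Elastic) to Inside:10.233.123.123/53 duration 0:00:00 bytes 148 (zzzzzz)",
+"event.severity": 6,
+"event.start": "2020-04-17T16:08:08.000Z",
+"event.timezone": "-02:00",
+"fileset.name": "asa",
+"host.hostname": "SNL-ASA-VPN-A01",
+"input.type": "log",
+"log.level": "informational",
+"log.offset": 0,
+"network.bytes": 148,
+"network.iana_number": 17,
+"network.transport": "udp",
+"service.type": "cisco",
+"source.address": "10.123.123.123",
+"source.ip": "10.123.123.123",
+"source.port": 53723,
+"tags": [
+"cisco-asa"
+]
+},
+{
+"cisco.asa.destination_interface": "Outside",
+"cisco.asa.message_id": "106023",
+"cisco.asa.rule_name": "Inside_access_in",
+"cisco.asa.source_interface": "Inside",
+"destination.address": "10.123.123.123",
+"destination.ip": "10.123.123.123",
+"event.action": "firewall-rule",
+"event.code": 106023,
+"event.dataset": "cisco.asa",
+"event.module": "cisco",
+"event.original": "%ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group \"Inside_access_in\" [0x0, 0x0]",
+"event.outcome": "deny",
+"event.severity": 4,
+"event.timezone": "-02:00",
+"fileset.name": "asa",
+"host.hostname": "SNL-ASA-VPN-A01",
+"input.type": "log",
+"log.level": "warning",
+"log.offset": 200,
+"network.iana_number": 1,
+"network.transport": "icmp",
+"service.type": "cisco",
+"source.address": "10.123.123.123",
+"source.ip": "10.123.123.123",
+"tags": [
+"cisco-asa"
+]
+},
+{
+"cisco.asa.destination_interface": "outside",
+"cisco.asa.message_id": "106023",
+"cisco.asa.rule_name": "acl_dmz",
+"cisco.asa.source_interface": "dmz",
+"destination.address": "10.123.123.123",
+"destination.ip": "10.123.123.123",
+"destination.port": 53,
+"event.action": "firewall-rule",
+"event.code": 106023,
+"event.dataset": "cisco.asa",
+"event.module": "cisco",
+"event.original": "%ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3afb522, 0x0]",
+"event.outcome": "deny",
+"event.severity": 4,
+"event.timezone": "-02:00",
+"fileset.name": "asa",
+"input.type": "log",
+"log.level": "warning",
+"log.offset": 381,
+"network.iana_number": 6,
+"network.transport": "tcp",
+"service.type": "cisco",
+"source.address": "10.123.123.123",
+"source.ip": "10.123.123.123",
+"source.port": 6316,
+"tags": [
+"cisco-asa"
+]
+},
+{
+"cisco.asa.destination_interface": "Outside",
+"cisco.asa.message_id": "106023",
+"cisco.asa.rule_name": "Inside_access_in",
+"cisco.asa.source_interface": "Inside",
+"cisco.asa.source_username": "(LOCAL\\Elastic)",
+"destination.address": "10.123.123.123",
+"destination.ip": "10.123.123.123",
+"destination.port": 57621,
+"event.action": "firewall-rule",
+"event.code": 106023,
+"event.dataset": "cisco.asa",
+"event.module": "cisco",
+"event.original": "%ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\\Elastic) dst Outside:10.123.123.123/57621 by access-group \"Inside_access_in\" [0x0, 0x0]",
+"event.outcome": "deny",
+"event.severity": 4,
+"event.timezone": "-02:00",
+"fileset.name": "asa",
+"host.hostname": "SNL-ASA-VPN-A01",
+"input.type": "log",
+"log.level": "warning",
+"log.offset": 545,
+"network.iana_number": 17,
+"network.transport": "udp",
+"service.type": "cisco",
+"source.address": "10.123.123.123",
+"source.ip": "10.123.123.123",
+"source.port": 57621,
+"tags": [
+"cisco-asa"
+]
+},
+{
+"cisco.asa.message_id": "106017",
+"destination.address": "10.123.123.123",
+"destination.ip": "10.123.123.123",
+"event.action": "firewall-rule",
+"event.code": 106017,
+"event.dataset": "cisco.asa",
+"event.module": "cisco",
+"event.original": "%ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123",
+"event.outcome": "deny",
+"event.severity": 2,
+"event.timezone": "-02:00",
+"fileset.name": "asa",
+"host.hostname": "SNL-ASA-VPN-A01",
+"input.type": "log",
+"log.level": "critical",
+"log.offset": 734,
+"service.type": "cisco",
+"source.address": "10.123.123.123",
+"source.ip": "10.123.123.123",
+"tags": [
+"cisco-asa"
+]
+}
+]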
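Review bot: `cisco.asa.source_username` on the first and fourth events is pinned as `(LOCAL\\Elastic)`, with the parentheses that delimit the user in the ASA message kept as part of the value, so any search or correlation on the user name has to strip them first. The parentheses read as the ASA delimiters around an identity-firewall user rather than part of the name, so the patterns in asa-ftd-pipeline.yml would do better to capture inside them, e.g. `(?:\(%{NOTSPACE:_temp_.cisco.source_username}\) )?` in the Teardown pattern and the same shape around the 106023 username group. The same value is pinned as `cisco.ftd.source_username` in ftd/test/asa-fix.log-expected.json, so both fixtures would change together. If the literal form is intentional for compatibility with already-indexed data, a comment in the pipeline saying so would save the next reader the question.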
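--- /dev/null
+++ b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log
@@ -0,0 +1,5 @@
+Apr 17 2020 14:08:08 SNL-ASA-VPN-A01 : %ASA-6-302016: Teardown UDP connection 110577675 for Outside:10.123.123.123/53723(LOCAL\Elastic) to Inside:10.233.123.123/53 duration 0:00:00 bytes 148 (zzzzzz)
+Apr 17 2020 14:00:31 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group "Inside_access_in" [0x0, 0x0]
+Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group "acl_dmz" [0xe3afb522, 0x0]
+Apr 17 2020 14:16:20 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\Elastic) dst Outside:10.123.123.123/57621 by access-group "Inside_access_in" [0x0, 0x0]
+Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123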
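--- /dev/null
+++ b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json
@@ -0,0 +1,157 @@
+[
+{
+"@timestamp": "2020-04-17T14:08:08.000-02:00",
+"cisco.ftd.connection_id": "110577675",
+"cisco.ftd.destination_interface": "Inside",
+"cisco.ftd.message_id": "302016",
+"cisco.ftd.source_interface": "Outside",
+"cisco.ftd.source_username": "(LOCAL\\Elastic)",
+"destination.address": "10.233.123.123",
+"destination.ip": "10.233.123.123",
+"destination.port": 53,
+"event.action": "flow-expiration",
+"event.code": 302016,
+"event.dataset": "cisco.ftd",
+"event.duration": 0,
+"event.end": "2020-04-17T14:08:08.000-02:00",
+"event.module": "cisco",
+"event.original": "%ASA-6-302016: Teardown UDP connection 110577675 for Outside:10.123.123.123/53723(LOCAL\\Elastic) to Inside:10.233.123.123/53 duration 0:00:00 bytes 148 (zzzzzz)",
+"event.severity": 6,
+"event.start": "2020-04-17T16:08:08.000Z",
+"event.timezone": "-02:00",
+"fileset.name": "ftd",
+"host.hostname": "SNL-ASA-VPN-A01",
+"input.type": "log",
+"log.level": "informational",
+"log.offset": 0,
+"network.bytes": 148,
+"network.iana_number": 17,
+"network.transport": "udp",
+"service.type": "cisco",
+"source.address": "10.123.123.123",
+"source.ip": "10.123.123.123",
+"source.port": 53723,
+"tags": [
+"cisco-ftd"
+]
+},
+{
+"@timestamp": "2020-04-17T14:00:31.000-02:00",
+"cisco.ftd.destination_interface": "Outside",
+"cisco.ftd.message_id": "106023",
+"cisco.ftd.rule_name": "Inside_access_in",
+"cisco.ftd.source_interface": "Inside",
+"destination.address": "10.123.123.123",
+"destination.ip": "10.123.123.123",
+"event.action": "firewall-rule",
+"event.code": 106023,
+"event.dataset": "cisco.ftd",
+"event.module": "cisco",
+"event.original": "%ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group \"Inside_access_in\" [0x0, 0x0]",
+"event.outcome": "deny",
+"event.severity": 4,
+"event.timezone": "-02:00",
+"fileset.name": "ftd",
+"host.hostname": "SNL-ASA-VPN-A01",
+"input.type": "log",
+"log.level": "warning",
+"log.offset": 200,
+"network.iana_number": 1,
+"network.transport": "icmp",
+"service.type": "cisco",
+"source.address": "10.123.123.123",
+"source.ip": "10.123.123.123",
+"tags": [
+"cisco-ftd"
+]
+},
+{
+"@timestamp": "2013-04-15T09:36:50.000-02:00",
+"cisco.ftd.destination_interface": "outside",
+"cisco.ftd.message_id": "106023",
+"cisco.ftd.rule_name": "acl_dmz",
+"cisco.ftd.source_interface": "dmz",
+"destination.address": "10.123.123.123",
+"destination.ip": "10.123.123.123",
+"destination.port": 53,
+"event.action": "firewall-rule",
+"event.code": 106023,
+"event.dataset": "cisco.ftd",
+"event.module": "cisco",
+"event.original": "%ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3afb522, 0x0]",
+"event.outcome": "deny",
+"event.severity": 4,
+"event.timezone": "-02:00",
+"fileset.name": "ftd",
+"input.type": "log",
+"log.level": "warning",
+"log.offset": 381,
+"network.iana_number": 6,
+"network.transport": "tcp",
+"service.type": "cisco",
+"source.address": "10.123.123.123",
+"source.ip": "10.123.123.123",
+"source.port": 6316,
+"tags": [
+"cisco-ftd"
+]
+},
+{
+"@timestamp": "2020-04-17T14:16:20.000-02:00",
+"cisco.ftd.destination_interface": "Outside",
+"cisco.ftd.message_id": "106023",
+"cisco.ftd.rule_name": "Inside_access_in",
+"cisco.ftd.source_interface": "Inside",
+"cisco.ftd.source_username": "(LOCAL\\Elastic)",
+"destination.address": "10.123.123.123",
+"destination.ip": "10.123.123.123",
+"destination.port": 57621,
+"event.action": "firewall-rule",
+"event.code": 106023,
+"event.dataset": "cisco.ftd",
+"event.module": "cisco",
+"event.original": "%ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\\Elastic) dst Outside:10.123.123.123/57621 by access-group \"Inside_access_in\" [0x0, 0x0]",
+"event.outcome": "deny",
+"event.severity": 4,
+"event.timezone": "-02:00",
+"fileset.name": "ftd",
+"host.hostname": "SNL-ASA-VPN-A01",
+"input.type": "log",
+"log.level": "warning",
+"log.offset": 545,
+"network.iana_number": 17,
+"network.transport": "udp",
+"service.type": "cisco",
+"source.address": "10.123.123.123",
+"source.ip": "10.123.123.123",
+"source.port": 57621,
+"tags": [
+"cisco-ftd"
+]
+},
+{
+"@timestamp": "2020-04-17T14:15:07.000-02:00",
+"cisco.ftd.message_id": "106017",
+"destination.address": "10.123.123.123",
+"destination.ip": "10.123.123.123",
+"event.action": "firewall-rule",
+"event.code": 106017,
+"event.dataset": "cisco.ftd",
+"event.module": "cisco",
+"event.original": "%ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123",
+"event.outcome": "deny",
+"event.severity": 2,
+"event.timezone": "-02:00",
+"fileset.name": "ftd",
+"host.hostname": "SNL-ASA-VPN-A01",
+"input.type": "log",
+"log.level": "critical",
+"log.offset": 734,
+"service.type": "cisco",
+"source.address": "10.123.123.123",
+"source.ip": "10.123.123.123",
+"tags": [
+"cisco-ftd"
+]
+}
+]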
10 changes: 6 additions & 4 deletions x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
@@ -1,3 +1,4 @@
---
description: "Pipeline for Cisco {< .internal_PREFIX >} logs"
processors:
#
Expand Down Expand Up @@ -240,10 +241,11 @@ processors:
if: "ctx._temp_.cisco.message_id == '106022'"
field: "message"
pattern: "%{event.outcome} %{network.transport} connection spoof from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}"
- dissect:
- grok:
if: "ctx._temp_.cisco.message_id == '106023'"
field: "message"
pattern: '%{event.outcome} %{network.transport} src %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} dst %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{} access%{}group "%{_temp_.cisco.list_id}"%{}'
patterns:
- ^%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{POSINT:source.port})?\s*(%{GREEDYDATA:_temp_.cisco.source_username} )?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{POSINT:destination.port})?%{DATA}by access.group "%{NOTSPACE:_temp_.cisco.list_id}"
- dissect:
if: "ctx._temp_.cisco.message_id == '106027'"
field: "message"
Expand Down Expand Up @@ -440,8 +442,8 @@ processors:
field: "message"
if: '["302014", "302016", "302018", "302021", "302036", "302304", "302306"].contains(ctx._temp_.cisco.message_id)'
patterns:
- "Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int} (?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int} (?:%{NOTSPACE:_temp_.cisco.destination_username} )?(?:duration %{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes:int})%{GREEDYDATA}"
- "Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER} (?:%{NOTSPACE:_temp_.cisco.destination_username} )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}(?: %{NOTSPACE:_temp_.cisco.source_username})?%{GREEDYDATA}"
- Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?(?:duration %{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes:int})%{GREEDYDATA}
- Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\s*(?:%{NOTSPACE:_temp_.cisco.source_username})?%{GREEDYDATA}
pattern_definitions:
NOTCOLON: "[^:]*"
ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})"
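Review bot: The new 106023 grok pattern captures the user with `%{GREEDYDATA:_temp_.cisco.source_username}` where the Teardown patterns in the later hunk use `%{NOTSPACE:_temp_.cisco.source_username}`; GREEDYDATA can swallow everything up to the last ` dst ` in the message and relies on backtracking to give it up, so `NOTSPACE` is the tighter and consistent choice. In the same pattern `access.group` has an unescaped `.`, which if it is meant to cover both `access-group` and `access group` is clearer as `access[- ]group`, and `%{POSINT:source.port}` lacks the `:int` suffix the Teardown patterns use (the fixtures show integer ports, so a later processor presumably converts, but typing at the grok keeps the two patterns alike). The `%{DATA}` between the destination and `by access.group` also discards the ICMP `(type 11, code 0)` and TCP `type 3, code 0` detail present in the test log, which deserves a `# icmp/tcp type and code are not captured` comment if that is deliberate. Separately, the CHANGELOG entry reads `Fix Cisco ASA ASA 3020** and 106023 messages`, one `ASA` too many. The processors list continues outside both hunks.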
