
Cisco module ingest processor for ASA 106100 events doesn't account for all possibilities #19350

Closed
makeitthingsbetter opened this issue Jun 24, 2020 · 1 comment · Fixed by #20245

makeitthingsbetter commented Jun 24, 2020

Version: 7.8.0
Steps to Reproduce:

The ASA 106100 log event can produce log lines similar to both of the following:

%ASA-6-106100: access-list blabla_incoming_list permitted udp dmz2/1.2.3.4(56575) -> inside/2.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]

%ASA-6-106100: access-list blabla_incoming_list permitted udp dmz2/1.2.3.4(56575)(LOCAL\\username) -> inside/2.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]

Currently the second log event (with the username) cannot be indexed because the dissect pattern crashes.

Dissect Pattern in beats/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml:

- dissect:
      if: "ctx._temp_.cisco.message_id == '106100'"
      field: "message"
      pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port}) -> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port}) %{}"

Cisco Syslog Reference for Event 106100:
https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs1.html#con_4769049
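As an added example (not code from the Beats project or from the reporter), the following Python re-implements the core dissect rule, each %{key} captures up to the next literal delimiter, and runs both sample lines from the report through the quoted pattern and through an assumed tolerant pattern. The tolerant pattern, the `_temp_.*_suffix` field names, the mapping of the suffix onto `source.user.name` / `destination.user.name`, and the integer conversion of the ports are assumptions made for illustration, not the project's pipeline. The sample lines are constructed from the two shapes shown above.

```python
import re
from typing import Dict, Optional

# Added example (not Beats or Elasticsearch code): a minimal re-implementation of the
# dissect algorithm. Each %{key} captures everything up to the next literal delimiter
# in the pattern; %{} is a skip field. Key modifiers (->, +, ?, *, &) of the real
# processor are deliberately not implemented.
TOKEN_RE = re.compile(r"%\{([^}]*)\}")


def dissect(pattern: str, text: str) -> Optional[Dict[str, str]]:
    """Return the captured fields, or None if a delimiter cannot be found
    (the situation the real processor reports as a dissect failure)."""
    parts = TOKEN_RE.split(pattern)  # [literal, key, literal, key, ..., literal]
    if not text.startswith(parts[0]):
        return None
    pos = len(parts[0])
    fields: Dict[str, str] = {}
    for i in range(1, len(parts), 2):
        key, delim = parts[i], parts[i + 1]
        if i + 1 == len(parts) - 1 and delim == "":
            value, pos = text[pos:], len(text)   # last key takes the remainder
        else:
            idx = text.find(delim, pos)           # first occurrence, as in dissect
            if idx < 0:
                return None
            value, pos = text[pos:idx], idx + len(delim)
        if key:                                   # %{} discards its match
            fields[key] = value
    return fields if pos == len(text) else None


# The pattern from asa-ftd-pipeline.yml as quoted in the issue.
ORIGINAL_PATTERN = (
    "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} "
    "%{_temp_.cisco.source_interface}/%{source.address}(%{source.port}) -> "
    "%{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port}) %{}"
)

# Assumed fix (illustrative, not the pattern the project merged): close the port field
# at ")" and capture whatever follows it, possibly nothing, into a suffix field.
TOLERANT_PATTERN = (
    "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} "
    "%{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{_temp_.source_suffix} -> "
    "%{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{_temp_.destination_suffix} %{}"
)

# Constructed sample lines, copied from the two shapes shown in the issue.
SAMPLE_LINES = [
    "%ASA-6-106100: access-list blabla_incoming_list permitted udp dmz2/1.2.3.4(56575) -> inside/2.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]",
    r"%ASA-6-106100: access-list blabla_incoming_list permitted udp dmz2/1.2.3.4(56575)(LOCAL\\username) -> inside/2.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]",
]

HEADER_RE = re.compile(r"%ASA-\d-(\d{6}): (.*)$")
# Hypothetical ECS mapping for the suffix fields (an assumption of this example).
SUFFIX_TO_USER = {
    "_temp_.source_suffix": "source.user.name",
    "_temp_.destination_suffix": "destination.user.name",
}


def parse_106100(line: str, pattern: str) -> Optional[dict]:
    """Dissect a 106100 line with the given pattern, then apply the integer conversion
    that ports receive later in the pipeline. Other message IDs return None; a dissect
    or conversion failure returns a dict with an "error" key."""
    m = HEADER_RE.match(line)
    if not m or m.group(1) != "106100":
        return None
    fields = dissect(pattern, m.group(2))
    if fields is None:
        return {"error": "dissect pattern did not match"}
    for port_key in ("source.port", "destination.port"):
        try:
            fields[port_key] = int(fields[port_key])
        except ValueError:
            # The original pattern lands here: source.port holds "56575)(LOCAL\\username",
            # because ") -> " is first found after the appended username.
            return {"error": f"{port_key} is not an integer: {fields[port_key]!r}"}
    for suffix_key, user_key in SUFFIX_TO_USER.items():
        suffix = fields.pop(suffix_key, "")
        if suffix.startswith("(") and suffix.endswith(")"):
            fields[user_key] = suffix[1:-1]
    return fields


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("original:", parse_106100(line, ORIGINAL_PATTERN))
        print("tolerant:", parse_106100(line, TOLERANT_PATTERN))
```

The same check against the real processor is the Elasticsearch simulate API (`POST _ingest/pipeline/_simulate` with the pipeline and both sample documents), which shows whether the port fields come out numeric before the pattern is committed.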

@botelastic botelastic bot added the needs_team label (Indicates that the issue/PR needs a Team:* label) Jun 24, 2020
@elasticmachine (Collaborator) commented:

Pinging @elastic/siem (Team:SIEM)

@botelastic botelastic bot removed the needs_team label (Indicates that the issue/PR needs a Team:* label) Jun 24, 2020
adriansr added a commit to adriansr/beats that referenced this issue Jul 27, 2020
This updates the parser for Cisco ASA message 106100 so that it doesn't
fail when extra information is appended after the port numbers.

Fixes elastic#19350
adriansr added a commit that referenced this issue Jul 28, 2020
This updates the parser for Cisco ASA message 106100 so that it doesn't
fail when extra information is appended after the port numbers.

Fixes #19350
adriansr added a commit to adriansr/beats that referenced this issue Jul 28, 2020
This updates the parser for Cisco ASA message 106100 so that it doesn't
fail when extra information is appended after the port numbers.

Fixes elastic#19350

(cherry picked from commit ac688ca)
adriansr added a commit that referenced this issue Jul 29, 2020
This updates the parser for Cisco ASA message 106100 so that it doesn't
fail when extra information is appended after the port numbers.

Fixes #19350

(cherry picked from commit ac688ca)
melchiormoulin pushed a commit to melchiormoulin/beats that referenced this issue Oct 14, 2020
This updates the parser for Cisco ASA message 106100 so that it doesn't
fail when extra information is appended after the port numbers.

Fixes elastic#19350
leweafan pushed a commit to leweafan/beats that referenced this issue Apr 28, 2023
This updates the parser for Cisco ASA message 106100 so that it doesn't
fail when extra information is appended after the port numbers.

Fixes elastic#19350

(cherry picked from commit 170f9c2)
leweafan pushed a commit to leweafan/beats that referenced this issue Apr 28, 2023
…tic#20279)

This updates the parser for Cisco ASA message 106100 so that it doesn't
fail when extra information is appended after the port numbers.

Fixes elastic#19350

(cherry picked from commit 170f9c2)