diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 9c2943d5f43..014da906806 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -212,6 +212,7 @@ field. You can revert this change by configuring tags for the module and omittin - Okta module now sets the Elasticsearch `_id` field to the Okta UUID value contained in each system log to minimize the possibility of duplicating events. {pull}18953[18953] - Fix `netflow` module to support 7 bytepad for IPFIX template. {issue}18098[18098] - Fix improper nesting of session_issuer object in aws cloudtrail fileset. {issue}18894[18894] {pull}18915[18915] +- Fix Cisco ASA ASA 3020** and 106023 messages {pull}17964[17964] *Heartbeat* diff --git a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log new file mode 100644 index 00000000000..00819e8eec1 --- /dev/null +++ b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log @@ -0,0 +1,5 @@ +Apr 17 2020 14:08:08 SNL-ASA-VPN-A01 : %ASA-6-302016: Teardown UDP connection 110577675 for Outside:10.123.123.123/53723(LOCAL\Elastic) to Inside:10.233.123.123/53 duration 0:00:00 bytes 148 (zzzzzz) +Apr 17 2020 14:00:31 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group "Inside_access_in" [0x0, 0x0] +Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group "acl_dmz" [0xe3afb522, 0x0] +Apr 17 2020 14:16:20 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\Elastic) dst Outside:10.123.123.123/57621 by access-group "Inside_access_in" [0x0, 0x0] +Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123 diff --git a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json new file mode 100644 index 00000000000..de470786f66 --- /dev/null +++ b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json @@ -0,0 +1,152 @@ +[ + { + "cisco.asa.connection_id": "110577675", + "cisco.asa.destination_interface": "Inside", + "cisco.asa.message_id": "302016", + "cisco.asa.source_interface": "Outside", + "cisco.asa.source_username": "(LOCAL\\Elastic)", + "destination.address": "10.233.123.123", + "destination.ip": "10.233.123.123", + "destination.port": 53, + "event.action": "flow-expiration", + "event.code": 302016, + "event.dataset": "cisco.asa", + "event.duration": 0, + "event.end": "2020-04-17T14:08:08.000-02:00", + "event.module": "cisco", + "event.original": "%ASA-6-302016: Teardown UDP connection 110577675 for Outside:10.123.123.123/53723(LOCAL\\Elastic) to Inside:10.233.123.123/53 duration 0:00:00 bytes 148 (zzzzzz)", + "event.severity": 6, + "event.start": "2020-04-17T16:08:08.000Z", + "event.timezone": "-02:00", + "fileset.name": "asa", + "host.hostname": "SNL-ASA-VPN-A01", + "input.type": "log", + "log.level": "informational", + "log.offset": 0, + "network.bytes": 148, + "network.iana_number": 17, + "network.transport": "udp", + "service.type": "cisco", + "source.address": "10.123.123.123", + "source.ip": "10.123.123.123", + "source.port": 53723, + "tags": [ + "cisco-asa" + ] + }, + { + "cisco.asa.destination_interface": "Outside", + "cisco.asa.message_id": "106023", + "cisco.asa.rule_name": "Inside_access_in", + "cisco.asa.source_interface": "Inside", + "destination.address": "10.123.123.123", + "destination.ip": "10.123.123.123", + "event.action": "firewall-rule", + "event.code": 106023, + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group \"Inside_access_in\" [0x0, 0x0]", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "-02:00", + "fileset.name": "asa", + "host.hostname": "SNL-ASA-VPN-A01", + "input.type": "log", + "log.level": "warning", + "log.offset": 200, + "network.iana_number": 1, + "network.transport": "icmp", + "service.type": "cisco", + "source.address": "10.123.123.123", + "source.ip": "10.123.123.123", + "tags": [ + "cisco-asa" + ] + }, + { + "cisco.asa.destination_interface": "outside", + "cisco.asa.message_id": "106023", + "cisco.asa.rule_name": "acl_dmz", + "cisco.asa.source_interface": "dmz", + "destination.address": "10.123.123.123", + "destination.ip": "10.123.123.123", + "destination.port": 53, + "event.action": "firewall-rule", + "event.code": 106023, + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3afb522, 0x0]", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "-02:00", + "fileset.name": "asa", + "input.type": "log", + "log.level": "warning", + "log.offset": 381, + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.address": "10.123.123.123", + "source.ip": "10.123.123.123", + "source.port": 6316, + "tags": [ + "cisco-asa" + ] + }, + { + "cisco.asa.destination_interface": "Outside", + "cisco.asa.message_id": "106023", + "cisco.asa.rule_name": "Inside_access_in", + "cisco.asa.source_interface": "Inside", + "cisco.asa.source_username": "(LOCAL\\Elastic)", + "destination.address": "10.123.123.123", + "destination.ip": "10.123.123.123", + "destination.port": 57621, + "event.action": "firewall-rule", + "event.code": 106023, + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\\Elastic) dst Outside:10.123.123.123/57621 by access-group \"Inside_access_in\" [0x0, 0x0]", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "-02:00", + "fileset.name": "asa", + "host.hostname": "SNL-ASA-VPN-A01", + "input.type": "log", + "log.level": "warning", + "log.offset": 545, + "network.iana_number": 17, + "network.transport": "udp", + "service.type": "cisco", + "source.address": "10.123.123.123", + "source.ip": "10.123.123.123", + "source.port": 57621, + "tags": [ + "cisco-asa" + ] + }, + { + "cisco.asa.message_id": "106017", + "destination.address": "10.123.123.123", + "destination.ip": "10.123.123.123", + "event.action": "firewall-rule", + "event.code": 106017, + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.original": "%ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123", + "event.outcome": "deny", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "asa", + "host.hostname": "SNL-ASA-VPN-A01", + "input.type": "log", + "log.level": "critical", + "log.offset": 734, + "service.type": "cisco", + "source.address": "10.123.123.123", + "source.ip": "10.123.123.123", + "tags": [ + "cisco-asa" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log new file mode 100644 index 00000000000..00819e8eec1 --- /dev/null +++ b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log @@ -0,0 +1,5 @@ +Apr 17 2020 14:08:08 SNL-ASA-VPN-A01 : %ASA-6-302016: Teardown UDP connection 110577675 for Outside:10.123.123.123/53723(LOCAL\Elastic) to Inside:10.233.123.123/53 duration 0:00:00 bytes 148 (zzzzzz) +Apr 17 2020 14:00:31 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group "Inside_access_in" [0x0, 0x0] +Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group "acl_dmz" [0xe3afb522, 0x0] +Apr 17 2020 14:16:20 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\Elastic) dst Outside:10.123.123.123/57621 by access-group "Inside_access_in" [0x0, 0x0] +Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123 diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json new file mode 100644 index 00000000000..bf6c6b521da --- /dev/null +++ b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json @@ -0,0 +1,157 @@ +[ + { + "@timestamp": "2020-04-17T14:08:08.000-02:00", + "cisco.ftd.connection_id": "110577675", + "cisco.ftd.destination_interface": "Inside", + "cisco.ftd.message_id": "302016", + "cisco.ftd.source_interface": "Outside", + "cisco.ftd.source_username": "(LOCAL\\Elastic)", + "destination.address": "10.233.123.123", + "destination.ip": "10.233.123.123", + "destination.port": 53, + "event.action": "flow-expiration", + "event.code": 302016, + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2020-04-17T14:08:08.000-02:00", + "event.module": "cisco", + "event.original": "%ASA-6-302016: Teardown UDP connection 110577675 for Outside:10.123.123.123/53723(LOCAL\\Elastic) to Inside:10.233.123.123/53 duration 0:00:00 bytes 148 (zzzzzz)", + "event.severity": 6, + "event.start": "2020-04-17T16:08:08.000Z", + "event.timezone": "-02:00", + "fileset.name": "ftd", + "host.hostname": "SNL-ASA-VPN-A01", + "input.type": "log", + "log.level": "informational", + "log.offset": 0, + "network.bytes": 148, + "network.iana_number": 17, + "network.transport": "udp", + "service.type": "cisco", + "source.address": "10.123.123.123", + "source.ip": "10.123.123.123", + "source.port": 53723, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2020-04-17T14:00:31.000-02:00", + "cisco.ftd.destination_interface": "Outside", + "cisco.ftd.message_id": "106023", + "cisco.ftd.rule_name": "Inside_access_in", + "cisco.ftd.source_interface": "Inside", + "destination.address": "10.123.123.123", + "destination.ip": "10.123.123.123", + "event.action": "firewall-rule", + "event.code": 106023, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group \"Inside_access_in\" [0x0, 0x0]", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "-02:00", + "fileset.name": "ftd", + "host.hostname": "SNL-ASA-VPN-A01", + "input.type": "log", + "log.level": "warning", + "log.offset": 200, + "network.iana_number": 1, + "network.transport": "icmp", + "service.type": "cisco", + "source.address": "10.123.123.123", + "source.ip": "10.123.123.123", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-15T09:36:50.000-02:00", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "106023", + "cisco.ftd.rule_name": "acl_dmz", + "cisco.ftd.source_interface": "dmz", + "destination.address": "10.123.123.123", + "destination.ip": "10.123.123.123", + "destination.port": 53, + "event.action": "firewall-rule", + "event.code": 106023, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3afb522, 0x0]", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "-02:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "warning", + "log.offset": 381, + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.address": "10.123.123.123", + "source.ip": "10.123.123.123", + "source.port": 6316, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2020-04-17T14:16:20.000-02:00", + "cisco.ftd.destination_interface": "Outside", + "cisco.ftd.message_id": "106023", + "cisco.ftd.rule_name": "Inside_access_in", + "cisco.ftd.source_interface": "Inside", + "cisco.ftd.source_username": "(LOCAL\\Elastic)", + "destination.address": "10.123.123.123", + "destination.ip": "10.123.123.123", + "destination.port": 57621, + "event.action": "firewall-rule", + "event.code": 106023, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\\Elastic) dst Outside:10.123.123.123/57621 by access-group \"Inside_access_in\" [0x0, 0x0]", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "-02:00", + "fileset.name": "ftd", + "host.hostname": "SNL-ASA-VPN-A01", + "input.type": "log", + "log.level": "warning", + "log.offset": 545, + "network.iana_number": 17, + "network.transport": "udp", + "service.type": "cisco", + "source.address": "10.123.123.123", + "source.ip": "10.123.123.123", + "source.port": 57621, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2020-04-17T14:15:07.000-02:00", + "cisco.ftd.message_id": "106017", + "destination.address": "10.123.123.123", + "destination.ip": "10.123.123.123", + "event.action": "firewall-rule", + "event.code": 106017, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123", + "event.outcome": "deny", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "ftd", + "host.hostname": "SNL-ASA-VPN-A01", + "input.type": "log", + "log.level": "critical", + "log.offset": 734, + "service.type": "cisco", + "source.address": "10.123.123.123", + "source.ip": "10.123.123.123", + "tags": [ + "cisco-ftd" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml index afb8bd1b71d..cc37b6493c4 100644 --- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml +++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml @@ -1,3 +1,4 @@ +--- description: "Pipeline for Cisco {< .internal_PREFIX >} logs" processors: # @@ -240,10 +241,11 @@ processors: if: "ctx._temp_.cisco.message_id == '106022'" field: "message" pattern: "%{event.outcome} %{network.transport} connection spoof from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}" - - dissect: + - grok: if: "ctx._temp_.cisco.message_id == '106023'" field: "message" - pattern: '%{event.outcome} %{network.transport} src %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} dst %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{} access%{}group "%{_temp_.cisco.list_id}"%{}' + patterns: + - ^%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{POSINT:source.port})?\s*(%{GREEDYDATA:_temp_.cisco.source_username} )?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{POSINT:destination.port})?%{DATA}by access.group "%{NOTSPACE:_temp_.cisco.list_id}" - dissect: if: "ctx._temp_.cisco.message_id == '106027'" field: "message" @@ -440,8 +442,8 @@ processors: field: "message" if: '["302014", "302016", "302018", "302021", "302036", "302304", "302306"].contains(ctx._temp_.cisco.message_id)' patterns: - - "Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int} (?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int} (?:%{NOTSPACE:_temp_.cisco.destination_username} )?(?:duration %{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes:int})%{GREEDYDATA}" - - "Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER} (?:%{NOTSPACE:_temp_.cisco.destination_username} )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}(?: %{NOTSPACE:_temp_.cisco.source_username})?%{GREEDYDATA}" + - Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?(?:duration %{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes:int})%{GREEDYDATA} + - Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\s*(?:%{NOTSPACE:_temp_.cisco.source_username})?%{GREEDYDATA} pattern_definitions: NOTCOLON: "[^:]*" ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})"