From b492c1682b1a2b5fa56b7f2efe539c233934a6c3 Mon Sep 17 00:00:00 2001
From: Andrew Kroh <andrew.kroh@elastic.co>
Date: Mon, 25 Jan 2021 12:20:13 -0500
Subject: [PATCH] [Filebeat] Add Cisco ASA message '302023' parsing (#23092) (#23660)

Enhance message parsing to Cisco ASA message 302023.

Signed-off-by: Kevin Klopfenstein <kk@sudo-i.net>
Signed-off-by: kevin <kk@sudo-i.net>
(cherry picked from commit 47889ebdcb2f427d16b4b35f0414f8ffb662ea11)

Co-authored-by: Kevin Klopfenstein <kk@sudo-i.net>
---
 .../additional_messages.log-expected.json | 42 +++++++++++++++++++
 .../cisco/shared/ingest/asa-ftd-pipeline.yml | 4 ++
 2 files changed, 46 insertions(+)

diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json
index 8b07b91acb4..1d225c42add 100644
--- a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json
@@ -1604,17 +1604,26 @@
 ]
 },
 {
+ "cisco.asa.destination_interface": "net",
 "cisco.asa.message_id": "302023",
+ "cisco.asa.source_interface": "fw111",
+ "destination.address": "192.168.2.2",
+ "destination.ip": "192.168.2.2",
+ "destination.port": 10051,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
 ],
 "event.code": 302023,
 "event.dataset": "cisco.asa",
+ "event.duration": 0,
+ "event.end": "2021-05-05T19:02:58.000-02:00",
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-302023: Teardown stub TCP connection for fw111:10.10.10.10/39210 to net:192.168.2.2/10051 duration 0:00:00 forwarded bytes 0 Cluster flow with CLU closed on owner",
+ "event.reason": "Cluster flow with CLU closed on owner",
 "event.severity": 6,
+ "event.start": "2021-05-05T21:02:58.000Z",
 "event.timezone": "-02:00",
 "event.type": [
 "info"
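Review bot: The two new timestamps pinned on this record encode the same instant in two different offsets, `"event.end": "2021-05-05T19:02:58.000-02:00"` next to `"event.start": "2021-05-05T21:02:58.000Z"`, which Elasticsearch treats as equal but which reads as a discrepancy to anyone comparing fixture values by eye; the second 302023 record in the next hunk pins the same pair. The formatting presumably comes from the shared start/end/duration handling outside this hunk rather than from this commit. If both fields can be emitted in one representation, regenerate this expected file from the pipeline instead of hand-editing it, so the fixture keeps matching real output.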
@@ -1624,31 +1633,52 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 4949,
+ "network.bytes": "0",
+ "network.iana_number": 6,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "fw111",
 "observer.hostname": "dev01",
+ "observer.ingress.interface.name": "net",
 "observer.product": "asa",
 "observer.type": "firewall",
 "observer.vendor": "Cisco",
 "related.hosts": [
 "dev01"
 ],
+ "related.ip": [
+ "10.10.10.10",
+ "192.168.2.2"
+ ],
 "service.type": "cisco",
+ "source.address": "10.10.10.10",
+ "source.ip": "10.10.10.10",
+ "source.port": 39210,
 "tags": [
 "cisco-asa",
 "forwarded"
 ]
 },
 {
+ "cisco.asa.destination_interface": "unknown",
 "cisco.asa.message_id": "302023",
+ "cisco.asa.source_interface": "net",
+ "destination.address": "192.168.2.2",
+ "destination.ip": "192.168.2.2",
+ "destination.port": 39222,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
 ],
 "event.code": 302023,
 "event.dataset": "cisco.asa",
+ "event.duration": 0,
+ "event.end": "2021-05-05T19:02:58.000-02:00",
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-302023: Teardown stub TCP connection for net:10.10.10.10/10051 to unknown:192.168.2.2/39222 duration 0:00:00 forwarded bytes 0 Forwarding or redirect flow removed to create director or backup flow",
+ "event.reason": "Forwarding or redirect flow removed to create director or backup flow",
 "event.severity": 6,
+ "event.start": "2021-05-05T21:02:58.000Z",
 "event.timezone": "-02:00",
 "event.type": [
 "info"
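Review bot: The interface-direction mapping these expected values pin looks inverted relative to the message text: the original says the connection runs `for fw111:10.10.10.10/39210 to net:192.168.2.2/10051`, yet the fixture expects `"observer.egress.interface.name": "fw111"` and `"observer.ingress.interface.name": "net"`, and the second record in the next hunk has the same shape (`net` as egress, `unknown` as ingress). The source-interface-to-egress and destination-interface-to-ingress assignment is made in the shared pipeline outside this hunk, so the fixture is only recording existing behaviour, but once merged these lines become the regression baseline for 302023. Ingress/egress interface names are what detection logic relies on to separate inbound from outbound flows on the firewall, so the intended semantics are worth confirming before this baseline is accepted.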
@@ -1658,14 +1688,26 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 5142,
+ "network.bytes": "0",
+ "network.iana_number": 6,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "net",
 "observer.hostname": "dev01",
+ "observer.ingress.interface.name": "unknown",
 "observer.product": "asa",
 "observer.type": "firewall",
 "observer.vendor": "Cisco",
 "related.hosts": [
 "dev01"
 ],
+ "related.ip": [
+ "10.10.10.10",
+ "192.168.2.2"
+ ],
 "service.type": "cisco",
+ "source.address": "10.10.10.10",
+ "source.ip": "10.10.10.10",
+ "source.port": 10051,
 "tags": [
 "cisco-asa",
 "forwarded"
diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
index 72920d75a0e..c46227b79a1 100644
--- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
+++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
@@ -318,6 +318,10 @@ processors:
 if: "ctx._temp_.cisco.message_id == '302022'"
 field: "message"
 pattern: "Built %{} stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '302023'"
+ field: "message"
+ pattern: "Teardown stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms} forwarded bytes %{network.bytes} %{event.reason}"
 - grok:
 if: "ctx._temp_.cisco.message_id == '304001'"
 field: "message"
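Review bot: The new dissect pattern captures `%{network.bytes}` as a string and nothing in this hunk converts it, which the fixture hunks above confirm by expecting `"network.bytes": "0"` while `source.port` and `network.iana_number` on the same records are numbers and so are presumably converted by an existing step elsewhere. ECS defines `network.bytes` as a long, so sums or threshold comparisons over this field only work where the index mapping happens to coerce the string on ingest, and the document source still carries a string. Add a conversion after the dissect, in the surrounding style, e.g. `- convert: { field: "network.bytes", type: "long", ignore_missing: true }`. Two further observations: `%{event.reason}` captures everything after the byte count, which is right for both samples but will absorb any trailing fields a future ASA release appends, and `_temp_.duration_hms` appears to be turned into `event.duration` by an existing step outside this hunk, consistent with the fixtures' `"event.duration": 0`.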