From b492c1682b1a2b5fa56b7f2efe539c233934a6c3 Mon Sep 17 00:00:00 2001
From: Andrew Kroh <andrew.kroh@elastic.co>
Date: Mon, 25 Jan 2021 12:20:13 -0500
Subject: [PATCH] [Filebeat] Add Cisco ASA message '302023' parsing (#23092)
 (#23660)

Enhance message parsing for Cisco ASA message 302023.

Signed-off-by: Kevin  Klopfenstein <kk@sudo-i.net>
Signed-off-by: kevin <kk@sudo-i.net>
(cherry picked from commit 47889ebdcb2f427d16b4b35f0414f8ffb662ea11)

Co-authored-by: Kevin Klopfenstein <kk@sudo-i.net>
---
 .../additional_messages.log-expected.json     | 42 +++++++++++++++++++
 .../cisco/shared/ingest/asa-ftd-pipeline.yml  |  4 ++
 2 files changed, 46 insertions(+)

diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json
index 8b07b91acb4..1d225c42add 100644
--- a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json
@@ -1604,17 +1604,26 @@
         ]
     },
     {
+        "cisco.asa.destination_interface": "net",
         "cisco.asa.message_id": "302023",
+        "cisco.asa.source_interface": "fw111",
+        "destination.address": "192.168.2.2",
+        "destination.ip": "192.168.2.2",
+        "destination.port": 10051,
         "event.action": "firewall-rule",
         "event.category": [
             "network"
         ],
         "event.code": 302023,
         "event.dataset": "cisco.asa",
+        "event.duration": 0,
+        "event.end": "2021-05-05T19:02:58.000-02:00",
         "event.kind": "event",
         "event.module": "cisco",
         "event.original": "%ASA-6-302023: Teardown stub TCP connection for fw111:10.10.10.10/39210 to net:192.168.2.2/10051 duration 0:00:00 forwarded bytes 0 Cluster flow with CLU closed on owner",
+        "event.reason": "Cluster flow with CLU closed on owner",
         "event.severity": 6,
+        "event.start": "2021-05-05T21:02:58.000Z",
         "event.timezone": "-02:00",
         "event.type": [
             "info"
@@ -1624,31 +1633,52 @@
         "input.type": "log",
         "log.level": "informational",
         "log.offset": 4949,
+        "network.bytes": "0",
+        "network.iana_number": 6,
+        "network.transport": "tcp",
+        "observer.egress.interface.name": "fw111",
         "observer.hostname": "dev01",
+        "observer.ingress.interface.name": "net",
         "observer.product": "asa",
         "observer.type": "firewall",
         "observer.vendor": "Cisco",
         "related.hosts": [
             "dev01"
         ],
+        "related.ip": [
+            "10.10.10.10",
+            "192.168.2.2"
+        ],
         "service.type": "cisco",
+        "source.address": "10.10.10.10",
+        "source.ip": "10.10.10.10",
+        "source.port": 39210,
         "tags": [
             "cisco-asa",
             "forwarded"
         ]
     },
     {
+        "cisco.asa.destination_interface": "unknown",
         "cisco.asa.message_id": "302023",
+        "cisco.asa.source_interface": "net",
+        "destination.address": "192.168.2.2",
+        "destination.ip": "192.168.2.2",
+        "destination.port": 39222,
         "event.action": "firewall-rule",
         "event.category": [
             "network"
         ],
         "event.code": 302023,
         "event.dataset": "cisco.asa",
+        "event.duration": 0,
+        "event.end": "2021-05-05T19:02:58.000-02:00",
         "event.kind": "event",
         "event.module": "cisco",
         "event.original": "%ASA-6-302023: Teardown stub TCP connection for net:10.10.10.10/10051 to unknown:192.168.2.2/39222 duration 0:00:00 forwarded bytes 0 Forwarding or redirect flow removed to create director or backup flow",
+        "event.reason": "Forwarding or redirect flow removed to create director or backup flow",
         "event.severity": 6,
+        "event.start": "2021-05-05T21:02:58.000Z",
         "event.timezone": "-02:00",
         "event.type": [
             "info"
@@ -1658,14 +1688,26 @@
         "input.type": "log",
         "log.level": "informational",
         "log.offset": 5142,
+        "network.bytes": "0",
+        "network.iana_number": 6,
+        "network.transport": "tcp",
+        "observer.egress.interface.name": "net",
         "observer.hostname": "dev01",
+        "observer.ingress.interface.name": "unknown",
         "observer.product": "asa",
         "observer.type": "firewall",
         "observer.vendor": "Cisco",
         "related.hosts": [
             "dev01"
         ],
+        "related.ip": [
+            "10.10.10.10",
+            "192.168.2.2"
+        ],
         "service.type": "cisco",
+        "source.address": "10.10.10.10",
+        "source.ip": "10.10.10.10",
+        "source.port": 10051,
         "tags": [
             "cisco-asa",
             "forwarded"
diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
index 72920d75a0e..c46227b79a1 100644
--- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
+++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
@@ -318,6 +318,10 @@ processors:
       if: "ctx._temp_.cisco.message_id == '302022'"
       field: "message"
       pattern: "Built %{} stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}"
+  - dissect:
+      if: "ctx._temp_.cisco.message_id == '302023'"
+      field: "message"
+      pattern: "Teardown stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms} forwarded bytes %{network.bytes} %{event.reason}"
   - grok:
       if: "ctx._temp_.cisco.message_id == '304001'"
       field: "message"
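Review bot: The new dissect for message 302023 captures `%{network.bytes}` as a string and nothing in the hunk converts it, which the expected output in the first file confirms (`"network.bytes": "0"` at two events, while `source.port`/`destination.port` in the same events are numeric); ECS `network.bytes` is a long, so range queries and sum aggregations on this field will not behave as expected for these events. Add a conversion step after the dissect, e.g. `- convert: {if: "ctx._temp_.cisco.message_id == '302023'", field: "network.bytes", type: "long", ignore_missing: true}`, or route the field through whatever numeric conversion the pipeline already applies to the port fields. The `%{_temp_.duration_hms}` capture is presumably turned into `event.duration` by existing processors outside this hunk, since the expected output shows `"event.duration": 0`; worth confirming that step handles the `0:00:00` form. The expected output also maps `_temp_.cisco.source_interface` to `observer.egress.interface.name` and the destination interface to `observer.ingress.interface.name`; that inversion comes from pre-existing processors outside the hunk, but it deserves a comment on this pattern noting that the source/destination interface semantics for teardown messages follow the 302022 handling so the two stay in step.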