From 1b822056a35329823678ca6a9944a0b2f7d63833 Mon Sep 17 00:00:00 2001 From: Angelo Oliveira Date: Thu, 11 Jun 2020 18:02:26 -0400 Subject: [PATCH 1/5] Fix dissect pattern for 313008 & 313009 Extra space after column causes 'Unable to find match for dissect pattern' error. --- .../filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml index cc37b6493c4..91f1bf38fed 100644 --- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml +++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml @@ -289,11 +289,11 @@ processors: - dissect: if: "ctx._temp_.cisco.message_id == '313008'" field: "message" - pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type} , code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}" + pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}" - dissect: if: "ctx._temp_.cisco.message_id == '313009'" field: "message" - pattern: "%{event.outcome} invalid %{network.transport} code %{_temp_.cisco.icmp_code} , for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}" + pattern: "%{event.outcome} invalid %{network.transport} code %{_temp_.cisco.icmp_code}, for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}" - dissect: if: "ctx._temp_.cisco.message_id == '322001'" field: "message" From d6d305ac101df6fce94e18a5315d94e933e554f2 Mon Sep 17 00:00:00 2001 From: Angelo Oliveira Date: Thu, 11 Jun 2020 20:33:04 -0400 Subject: [PATCH 2/5] Update CHANGELOG.next.asciidoc --- CHANGELOG.next.asciidoc | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 7f1df7c0d85..980de33d952 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -183,6 +183,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Okta module now sets the Elasticsearch `_id` field to the Okta UUID value contained in each system log to minimize the possibility of duplicating events. {pull}18953[18953] - Fix improper nesting of session_issuer object in aws cloudtrail fileset. {issue}18894[18894] {pull}18915[18915] - Fix `o365` module ignoring `var.api` settings. {pull}18948[18948] +- Fix Cisco ASA dissect pattern for 313008 & 313009 messages. {pull}19149[19149] *Heartbeat* From 3ef9f7dafa61ef52c384867170946df9fe9356a4 Mon Sep 17 00:00:00 2001 From: Angelo Oliveira Date: Sun, 14 Jun 2020 23:03:28 -0400 Subject: [PATCH 3/5] Example 313008 line for testing. --- x-pack/filebeat/module/cisco/asa/test/asa-fix.log | 1 + 1 file changed, 1 insertion(+) diff --git a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log index 00819e8eec1..5ecb790777f 100644 --- a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log +++ b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log @@ -3,3 +3,4 @@ Apr 17 2020 14:00:31 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny icmp src Inside:10.12 Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group "acl_dmz" [0xe3afb522, 0x0] Apr 17 2020 14:16:20 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\Elastic) dst Outside:10.123.123.123/57621 by access-group "Inside_access_in" [0x0, 0x0] Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123 +Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-3-313008: Denied IPv6-ICMP type=134, code=0 from fe80::1ff:fe23:4567:890a on interface ISP1 From b0b061f1514b79c130b3cffdb624ab14c756a67d Mon Sep 17 00:00:00 2001 From: Angelo Oliveira Date: Sun, 14 Jun 2020 23:33:12 -0400 Subject: [PATCH 4/5] Example 313009 line for testing. --- x-pack/filebeat/module/cisco/asa/test/asa-fix.log | 1 + 1 file changed, 1 insertion(+) diff --git a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log index 5ecb790777f..19509b9f9ef 100644 --- a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log +++ b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log @@ -4,3 +4,4 @@ Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst ou Apr 17 2020 14:16:20 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\Elastic) dst Outside:10.123.123.123/57621 by access-group "Inside_access_in" [0x0, 0x0] Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123 Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-3-313008: Denied IPv6-ICMP type=134, code=0 from fe80::1ff:fe23:4567:890a on interface ISP1 +Jun 08 2020 12:59:57: %ASA-4-313009: Denied invalid ICMP code 9, for Inside:10.255.0.206/8795 (10.255.0.206/8795) to identity:10.12.31.51/0 (10.12.31.51/0), ICMP id 295, ICMP type 8 From 67f806206ec49924ce9f2a120afa1be4d783f31c Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Mon, 15 Jun 2020 14:59:56 +0200 Subject: [PATCH 5/5] Update generated test files --- .../cisco/asa/test/asa-fix.log-expected.json | 86 +++++++++++++++++++ 1 file changed, 86 insertions(+) diff --git a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json index 72e5c6a96a1..9fb6401ea55 100644 --- a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json @@ -213,5 +213,91 @@ "cisco-asa", "forwarded" ] + }, + { + "cisco.asa.icmp_code": 0, + "cisco.asa.icmp_type": 134, + "cisco.asa.message_id": "313008", + "cisco.asa.source_interface": "ISP1", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 313008, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-3-313008: Denied IPv6-ICMP type=134, code=0 from fe80::1ff:fe23:4567:890a on interface ISP1", + "event.outcome": "deny", + "event.severity": 3, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "SNL-ASA-VPN-A01", + "input.type": "log", + "log.level": "error", + "log.offset": 853, + "network.iana_number": 58, + "network.transport": "ipv6-icmp", + "related.ip": [ + "fe80::1ff:fe23:4567:890a" + ], + "service.type": "cisco", + "source.address": "fe80::1ff:fe23:4567:890a", + "source.ip": "fe80::1ff:fe23:4567:890a", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "identity", + "cisco.asa.icmp_code": 9, + "cisco.asa.mapped_destination_ip": "10.12.31.51", + "cisco.asa.mapped_destination_port": 0, + "cisco.asa.mapped_source_ip": "10.255.0.206", + "cisco.asa.mapped_source_port": 8795, + "cisco.asa.message_id": "313009", + "cisco.asa.source_interface": "Inside", + "destination.address": "10.12.31.51", + "destination.ip": "10.12.31.51", + "destination.port": 0, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 313009, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-313009: Denied invalid ICMP code 9, for Inside:10.255.0.206/8795 (10.255.0.206/8795) to identity:10.12.31.51/0 (10.12.31.51/0), ICMP id 295, ICMP type 8", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "input.type": "log", + "log.level": "warning", + "log.offset": 989, + "network.iana_number": 1, + "network.transport": "icmp", + "related.ip": [ + "10.255.0.206", + "10.12.31.51" + ], + "service.type": "cisco", + "source.address": "10.255.0.206", + "source.ip": "10.255.0.206", + "source.port": 8795, + "tags": [ + "cisco-asa", + "forwarded" + ] } ] \ No newline at end of file