[Filebeat] Fix Cisco ASA dissect pattern for 313008 & 313009 #19149

merged 6 commits into from
Jun 16, 2020
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -189,6 +189,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Fix improper nesting of session_issuer object in aws cloudtrail fileset. {issue}18894[18894] {pull}18915[18915]
- Fix `o365` module ignoring `var.api` settings. {pull}18948[18948]
- Fix `netflow` module to support 7 bytepad for IPFIX template. {issue}18098[18098]
- Fix Cisco ASA dissect pattern for 313008 & 313009 messages. {pull}19149[19149]

*Heartbeat*

2 changes: 2 additions & 0 deletions x-pack/filebeat/module/cisco/asa/test/asa-fix.log
Expand Up @@ -3,3 +3,5 @@ Apr 17 2020 14:00:31 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny icmp src Inside:10.12
Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group "acl_dmz" [0xe3afb522, 0x0]
Apr 17 2020 14:16:20 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\Elastic) dst Outside:10.123.123.123/57621 by access-group "Inside_access_in" [0x0, 0x0]
Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123
Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-3-313008: Denied IPv6-ICMP type=134, code=0 from fe80::1ff:fe23:4567:890a on interface ISP1
Jun 08 2020 12:59:57: %ASA-4-313009: Denied invalid ICMP code 9, for Inside:10.255.0.206/8795 (10.255.0.206/8795) to identity:10.12.31.51/0 (10.12.31.51/0), ICMP id 295, ICMP type 8
86 changes: 86 additions & 0 deletions x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json
Expand Up @@ -213,5 +213,91 @@
"cisco-asa",
"forwarded"
]
},
{
"cisco.asa.icmp_code": 0,
"cisco.asa.icmp_type": 134,
"cisco.asa.message_id": "313008",
"cisco.asa.source_interface": "ISP1",
"event.action": "firewall-rule",
"event.category": [
"network"
],
"event.code": 313008,
"event.dataset": "cisco.asa",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-3-313008: Denied IPv6-ICMP type=134, code=0 from fe80::1ff:fe23:4567:890a on interface ISP1",
"event.outcome": "deny",
"event.severity": 3,
"event.timezone": "-02:00",
"event.type": [
"info",
"denied"
],
"fileset.name": "asa",
"host.hostname": "SNL-ASA-VPN-A01",
"input.type": "log",
"log.level": "error",
"log.offset": 853,
"network.iana_number": 58,
"network.transport": "ipv6-icmp",
"related.ip": [
"fe80::1ff:fe23:4567:890a"
],
"service.type": "cisco",
"source.address": "fe80::1ff:fe23:4567:890a",
"source.ip": "fe80::1ff:fe23:4567:890a",
"tags": [
"cisco-asa",
"forwarded"
]
},
{
"cisco.asa.destination_interface": "identity",
"cisco.asa.icmp_code": 9,
"cisco.asa.mapped_destination_ip": "10.12.31.51",
"cisco.asa.mapped_destination_port": 0,
"cisco.asa.mapped_source_ip": "10.255.0.206",
"cisco.asa.mapped_source_port": 8795,
"cisco.asa.message_id": "313009",
"cisco.asa.source_interface": "Inside",
"destination.address": "10.12.31.51",
"destination.ip": "10.12.31.51",
"destination.port": 0,
"event.action": "firewall-rule",
"event.category": [
"network"
],
"event.code": 313009,
"event.dataset": "cisco.asa",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-4-313009: Denied invalid ICMP code 9, for Inside:10.255.0.206/8795 (10.255.0.206/8795) to identity:10.12.31.51/0 (10.12.31.51/0), ICMP id 295, ICMP type 8",
"event.outcome": "deny",
"event.severity": 4,
"event.timezone": "-02:00",
"event.type": [
"info",
"denied"
],
"fileset.name": "asa",
"input.type": "log",
"log.level": "warning",
"log.offset": 989,
"network.iana_number": 1,
"network.transport": "icmp",
"related.ip": [
"10.255.0.206",
"10.12.31.51"
],
"service.type": "cisco",
"source.address": "10.255.0.206",
"source.ip": "10.255.0.206",
"source.port": 8795,
"tags": [
"cisco-asa",
"forwarded"
]
}
]
Expand Up @@ -289,11 +289,11 @@ processors:
- dissect:
if: "ctx._temp_.cisco.message_id == '313008'"
field: "message"
pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type} , code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}"
pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}"
- dissect:
if: "ctx._temp_.cisco.message_id == '313009'"
field: "message"
pattern: "%{event.outcome} invalid %{network.transport} code %{_temp_.cisco.icmp_code} , for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}"
pattern: "%{event.outcome} invalid %{network.transport} code %{_temp_.cisco.icmp_code}, for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}"
- dissect:
if: "ctx._temp_.cisco.message_id == '322001'"
field: "message"
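Review bot: The corrected 313009 pattern still ends in a bare `%{}`, which throws away the `ICMP id 295, ICMP type 8` suffix, so the event that records a denied ICMP packet never carries the ICMP type — the expected fixture for 313009 in this PR has `cisco.asa.icmp_code` but no `cisco.asa.icmp_type`, while the 313008 event does. The type is the field an analyst would pivot on (echo request vs. redirect vs. unreachable), so I would capture it instead of discarding it, replacing the trailing `%{}` with `, ICMP id %{_temp_.cisco.icmp_id}, ICMP type %{_temp_.cisco.icmp_type}` and adding the new `_temp_` key to whatever later step converts and copies `icmp_type` for 313008 (that step is outside this hunk). This assumes every 313009 variant emitted by ASA carries that suffix; if some do not, the dissect would fail for them, so it should be confirmed against the ASA message reference or a second sample before tightening the pattern. The processors list this hunk belongs to starts and ends outside the hunk.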