From c6eea919dd6a59c9596d2ab1bf8ce9c2b1e9b97a Mon Sep 17 00:00:00 2001
From: Angelo Oliveira
Date: Tue, 16 Jun 2020 05:25:00 -0400
Subject: [PATCH] [Filebeat] Fix Cisco ASA dissect pattern for 313008 & 313009 (#19149)

Extra space after column causes 'Unable to find match for dissect pattern' error.
---
 CHANGELOG.next.asciidoc | 1 +
 .../module/cisco/asa/test/asa-fix.log | 2 +
 .../cisco/asa/test/asa-fix.log-expected.json | 86 +++++++++++++++++++
 .../cisco/shared/ingest/asa-ftd-pipeline.yml | 4 +-
 4 files changed, 91 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 356a067fb67..b587467fcd6 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -189,6 +189,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix improper nesting of session_issuer object in aws cloudtrail fileset. {issue}18894[18894] {pull}18915[18915]
 - Fix `o365` module ignoring `var.api` settings. {pull}18948[18948]
 - Fix `netflow` module to support 7 bytepad for IPFIX template. {issue}18098[18098]
+- Fix Cisco ASA dissect pattern for 313008 & 313009 messages. {pull}19149[19149]
 
 *Heartbeat*
 
diff --git a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log
index 00819e8eec1..19509b9f9ef 100644
--- a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log
+++ b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log
@@ -3,3 +3,5 @@ Apr 17 2020 14:00:31 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny icmp src Inside:10.12
 Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group "acl_dmz" [0xe3afb522, 0x0]
 Apr 17 2020 14:16:20 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\Elastic) dst Outside:10.123.123.123/57621 by access-group "Inside_access_in" [0x0, 0x0]
 Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123
+Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-3-313008: Denied IPv6-ICMP type=134, code=0 from fe80::1ff:fe23:4567:890a on interface ISP1
+Jun 08 2020 12:59:57: %ASA-4-313009: Denied invalid ICMP code 9, for Inside:10.255.0.206/8795 (10.255.0.206/8795) to identity:10.12.31.51/0 (10.12.31.51/0), ICMP id 295, ICMP type 8
diff --git a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json
index 72e5c6a96a1..9fb6401ea55 100644
--- a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json
@@ -213,5 +213,91 @@
 "cisco-asa",
 "forwarded"
 ]
+ },
+ {
+ "cisco.asa.icmp_code": 0,
+ "cisco.asa.icmp_type": 134,
+ "cisco.asa.message_id": "313008",
+ "cisco.asa.source_interface": "ISP1",
+ "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
+ "event.code": 313008,
+ "event.dataset": "cisco.asa",
+ "event.kind": "event",
+ "event.module": "cisco",
+ "event.original": "%ASA-3-313008: Denied IPv6-ICMP type=134, code=0 from fe80::1ff:fe23:4567:890a on interface ISP1",
+ "event.outcome": "deny",
+ "event.severity": 3,
+ "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
+ "fileset.name": "asa",
+ "host.hostname": "SNL-ASA-VPN-A01",
+ "input.type": "log",
+ "log.level": "error",
+ "log.offset": 853,
+ "network.iana_number": 58,
+ "network.transport": "ipv6-icmp",
+ "related.ip": [
+ "fe80::1ff:fe23:4567:890a"
+ ],
+ "service.type": "cisco",
+ "source.address": "fe80::1ff:fe23:4567:890a",
+ "source.ip": "fe80::1ff:fe23:4567:890a",
+ "tags": [
+ "cisco-asa",
+ "forwarded"
+ ]
+ },
+ {
+ "cisco.asa.destination_interface": "identity",
+ "cisco.asa.icmp_code": 9,
+ "cisco.asa.mapped_destination_ip": "10.12.31.51",
+ "cisco.asa.mapped_destination_port": 0,
+ "cisco.asa.mapped_source_ip": "10.255.0.206",
+ "cisco.asa.mapped_source_port": 8795,
+ "cisco.asa.message_id": "313009",
+ "cisco.asa.source_interface": "Inside",
+ "destination.address": "10.12.31.51",
+ "destination.ip": "10.12.31.51",
+ "destination.port": 0,
+ "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
+ "event.code": 313009,
+ "event.dataset": "cisco.asa",
+ "event.kind": "event",
+ "event.module": "cisco",
+ "event.original": "%ASA-4-313009: Denied invalid ICMP code 9, for Inside:10.255.0.206/8795 (10.255.0.206/8795) to identity:10.12.31.51/0 (10.12.31.51/0), ICMP id 295, ICMP type 8",
+ "event.outcome": "deny",
+ "event.severity": 4,
+ "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
+ "fileset.name": "asa",
+ "input.type": "log",
+ "log.level": "warning",
+ "log.offset": 989,
+ "network.iana_number": 1,
+ "network.transport": "icmp",
+ "related.ip": [
+ "10.255.0.206",
+ "10.12.31.51"
+ ],
+ "service.type": "cisco",
+ "source.address": "10.255.0.206",
+ "source.ip": "10.255.0.206",
+ "source.port": 8795,
+ "tags": [
+ "cisco-asa",
+ "forwarded"
+ ]
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
index cc37b6493c4..91f1bf38fed 100644
--- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
+++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
@@ -289,11 +289,11 @@ processors:
 - dissect:
 if: "ctx._temp_.cisco.message_id == '313008'"
 field: "message"
- pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type} , code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}"
+ pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}"
 - dissect:
 if: "ctx._temp_.cisco.message_id == '313009'"
 field: "message"
- pattern: "%{event.outcome} invalid %{network.transport} code %{_temp_.cisco.icmp_code} , for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}"
+ pattern: "%{event.outcome} invalid %{network.transport} code %{_temp_.cisco.icmp_code}, for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}"
 - dissect:
 if: "ctx._temp_.cisco.message_id == '322001'"
 field: "message"
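Review bot: Neither corrected `pattern:` line records the ASA message layout it is matching, and the defect fixed here was a single stray space before a comma, which nobody can spot without a sample next to the pattern; add a comment above each of the two `- dissect:` entries quoting the shape, e.g. `# 313008: Denied IPv6-ICMP type=134, code=0 from <addr> on interface <ifname>` and `# 313009: Denied invalid ICMP code N, for <if>:<ip>/<port> (<natip>/<port>) to <if>:<ip>/<port> (<natip>/<port>), ICMP id N, ICMP type N`. The 313009 pattern still ends in a bare `%{}`, which swallows the trailing `, ICMP id …, ICMP type …` of the sample in asa-fix.log, so the ICMP type that 313008 captures into `_temp_.cisco.icmp_type` is discarded for 313009 even though it is the more useful field when triaging a denied-ICMP event. If every 313009 message carries that suffix (only one sample is on the page) and the later rename to `cisco.asa.icmp_type` is generic rather than per-message (not visible here), replacing the final `%{}` with `, ICMP id %{}, ICMP type %{_temp_.cisco.icmp_type}` would keep it, with the expected JSON updated to match. The `processors:` list these three entries belong to starts before the hunk and continues after it.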