ASA VPN-SESSIONDB: Bug Fixes with new data (#323)

BREAKING CHANGES:
  * Fix spelling of `received`
    - `BYTES_RECEIVED`
    - `PACKETS_RECEIVED`

  * Distinguish between total byte counts and individual tunnel byte counts
    - total bytes becomes `TOTAL_BYTES_TRANSMITTED` and `TOTAL_BYTES_RECEIVED`
    - tunnel bytes stays `BYTES_TRANSMITTED` and `BYTEC_RECEIVED`

  * Change capturing the connection type from using unique named capture groups, to using the same capture group:
    - `IKE_CONNECTION_TYPE becomes `CONNECTION_TYPE`
    - `IPSEC_CONNECTION_TYPE becomes `CONNECTION_TYPE`
    - Support added for NAC connections will also be recorded as `CONNECTION_TYPE`

BUG FIXES:
  * Update opening lines to allow for, but not require, spaces (`^\s+` -> `^\s*`)

  * Add support for multiple Connections under the same `Session Type` header

  * Update IKE matches to account for IKE or IKE with version number

  * `PROTOCOL` - change capture to support for Protocol fields with multiple protocols

  * `ENCRYPTION` - Change capture to support for Encryption fields with multiple encryption types

  * `DURATION` - Change capture to support any datetime format:

  * `TOTAL_*_SESSIONS` - Add support for IKE/IPSEC tunnel counts on separate lines (TOTAL_IKE_SESSIONS, TOTAL_IPSEC_SESSIONS):

  * `SESSION_ID` - Add support for output that uses `Tunnel ID` format that is Index + Session ID:
     - Index of `1000`
     - Session ID of `1`
     - Tunnel ID would be `1000.1`
     - Thus the regex looks for anything after `(?:\d+\.)` for Session ID

NEW CAPTURE GROUPS:
  * `FILTER_NAME` - Add support for capturing Filter Name

  * `HASHING` - Add support for capturing Hashing algorithms

  * `IPV6_FILTER_NAME` - Add support for capturing IPv6 Filters

  * `PRF` - Add support for capturing Pseudo Random Function

  * `IDLE_TIMEOUT_*` - Add support for captureing Idle Timeout data:
    - `IDLE_TIMEOUT_INTERVAL`
    - `IDLE_TIMEOUT_INTERVAL_UNIT`
    - `IDLE_TIMEOUT_REMAINING`
    - `IDLE_TIMEOUT_REMAINING_UNI`

  * `REKEY_DATA_*` - Add support for Rekey data intervals and timeouts:
    - Distinguish between time and data rekey values (`\(\w\)` -> `\([Tt]\)` and `\([Dd]\)`
    - `REKEY_DATA_INTERVAL`
    - `REKEY_DATA_INTERVAL_UNIT`
    - `REKEY_DATA_REMAINING`
    - `REKEY_DATA_REMAINING_UNIT`

  * NAC - Add support for NAC connections:
    - `REVAL_TIMEOUT`
    - `REVAL_TIMOUT_UNIT`
    - `REVAL_TIMEOUT_REMAINING`
    - `REVAL_TIMEOUT_REMAINING_UNIT`
    - `STATUS_QUERY_INTERVAL`
    - `STATUS_QUERY_INTERVAL_UNIT`
    - `EAP_OVER_UDP_TIMER`
    - `EAP_OVER_UDP_TIMER_UNIT`
    - `POSTURE_HOLDTIME_REMAINING`
    - `POSTURE_HOLDTIME_REMAINING_UNIT`
    - `POSTURE_TOKEN`
    - `REDIRECT_URL`

GENERAL ENHANCEMENTS:
  * Add end-of-line to each expression (`\s*$$`)

  * Add catch-all error to ensure parser integrity (`.* -> Error`)

  * Change Record to take place on Session/Protocol Header

TEST UPDATES:
  * Update existing test parsed file to account for updates

  * Add new test files with additional output formats

templates/cisco_asa_show_vpn-sessiondb_detail_l2l.template

@@ -2,76 +2,163 @@ Value Filldown,Required SESSION_TYPE (\S+)
 Value Filldown CONNECTION (\d+\.\d+\.\d+\.\d+)
 Value Filldown INDEX (\d+)
 Value Filldown IP_ADDRESS (\d+\.\d+\.\d+\.\d+)
-Value Filldown PROTOCOL (\w+)
-Value Filldown ENCRYPTION (\w+)
-Value Filldown BYTES_TRANSMITTED (\d+)
-Value Filldown BYTES_RECIEVED (\d+)
+Value Filldown PROTOCOL (.+?)
+Value Filldown ENCRYPTION (.+?)
+Value Filldown HASHING (.+?)
+Value Filldown TOTAL_BYTES_TRANSMITTED (\d+)
+Value Filldown TOTAL_BYTES_RECEIVED (\d+)
 Value Filldown LOGIN_TIME (\d+:\d+:\d+)
 Value Filldown LOGIN_TIME_ZONE (\w+)
 Value Filldown LOGIN_WEEKDAY (\w+)
 Value Filldown LOGIN_MONTH (\w+)
 Value Filldown LOGIN_DAY (\d+)
 Value Filldown LOGIN_YEAR (\d+)
-Value Filldown DURATION (\d+:\d+:\d+)
+Value Filldown DURATION (.+?)
+Value Filldown FILTER_NAME (.*?)
 Value Filldown TOTAL_IKE_SESSIONS (\d+)
 Value Filldown TOTAL_IPSEC_SESSIONS (\d+)
-Value IKE_CONNECTION_TYPE (IKE)
-Value IPSEC_CONNECTION_TYPE (IPSec)
+Value CONNECTION_TYPE (\S+)
 Value SESSION_ID (\d+)
 Value UDP_SRC_PORT (\d+)
 Value UDP_DST_PORT (\d+)
 Value NEGOTIAION_MODE (\w+)
 Value AUTHENTICATION_MODE (\w+)
+Value REMOTE_AUTHENTICATION_MODE (\S+|)
+Value LOCAL_AUTHENTICATION_MODE (\S+|)
 Value ENCRYPTION_METHOD (\w+)
 Value HASH_METHOD (\w+)
 Value REKEY_INTERVAL (\d+)
-Value REKEY_INTERVAL_UNIT (\w+)
+Value REKEY_INTERVAL_UNIT (\S+)
 Value REKEY_TIME_LEFT (\d+)
-Value REKEY_TIME_LEFT_UNIT (\w+)
+Value REKEY_TIME_LEFT_UNIT (\S+)
+Value REKEY_DATA_INTERVAL (\d+)
+Value REKEY_DATA_INTERVAL_UNIT (\S+)
+Value REKEY_DATA_REMAINING (\d+)
+Value REKEY_DATA_REMAINING_UNIT (\S+)
+Value IDLE_TIMEOUT_INTERVAL (\d+)
+Value IDLE_TIMEOUT_INTERVAL_UNIT (\S+)
+Value IDLE_TIMEOUT_REMAINING (\d+)
+Value IDLE_TIMEOUT_REMAINING_UNIT (\S+)
+Value PRF (\S+)
 Value DH_GROUP (\d+)
+Value IPV6_FILTER_NAME (.*?)
 Value LOCAL_ADDRESS_NETWORK (\d+\.\d+\.\d+\.\d+)
 Value LOCAL_ADDRESS_MASK (\d+\.\d+\.\d+\.\d+)
 Value REMOTE_ADDRESS_NETWORK (\d+\.\d+\.\d+\.\d+)
 Value REMOTE_ADDRESS_MASK (\d+\.\d+\.\d+\.\d+)
 Value ENCAPSULATION (\w+)
 Value PFS_GROUP (\d+)
+Value BYTES_TRANSMITTED (\d+)
+Value BYTES_RECEIVED (\d+)
 Value PACKETS_TRANSMITTED (\d+)
-Value PACKETS_RECIEVED (\d+)
+Value PACKETS_RECEIVED (\d+)
+Value REVAL_TIMEOUT (\d+)
+Value REVAL_TIMOUT_UNIT (\S+)
+Value REVAL_TIMEOUT_REMAINING (\d+)
+Value REVAL_TIMEOUT_REMAINING_UNIT (\S+)
+Value STATUS_QUERY_INTERVAL (\S+)
+Value STATUS_QUERY_INTERVAL_UNIT (\S+)
+Value EAP_OVER_UDP_TIMER (\d+)
+Value EAP_OVER_UDP_TIMER_UNIT (\S+)
+Value POSTURE_HOLDTIME_REMAINING (\d+)
+Value POSTURE_HOLDTIME_REMAINING_UNIT (\S+)
+Value POSTURE_TOKEN (.*?)
+Value REDIRECT_URL (.*?)
+
 
 Start
+  ^Session\s+Type:\s+${SESSION_TYPE}\s+Detailed\s*$$ -> Connection
+
+Connection
+  ^\s*Connection\s*:\s+${CONNECTION}\s*$$
+  ^\s*Index\s*:\s+${INDEX}\s+IP\s+Addr\s*:\s+${IP_ADDRESS}\s*$$
+  ^\s*Protocol\s*:\s+${PROTOCOL}(?:\s+Encryption\s*:\s+${ENCRYPTION}|)\s*$$
+  ^\s*Encryption\s*:\s+${ENCRYPTION}\s+Hashing\s*:\s+${HASHING}\s*$$
+  ^\s*Encryption\s*:\s+${ENCRYPTION}\s*$$
+  ^\s*Hashing\s*:\s+${HASHING}\s*$$
+  ^\s*Bytes\s+Tx\s*:\s+${TOTAL_BYTES_TRANSMITTED}\s+Bytes\s+Rx\s*:\s+${TOTAL_BYTES_RECEIVED}\s*$$
+  ^\s*Login\s+Time\s*:\s+${LOGIN_TIME}\s+${LOGIN_TIME_ZONE}\s+${LOGIN_WEEKDAY}\s+${LOGIN_MONTH}\s+${LOGIN_DAY}\s+${LOGIN_YEAR}\s*$$
+  ^\s*Duration\s*:\s+${DURATION}\s*$$
+  ^\s*Filter\s+Name\s*:\s*${FILTER_NAME}\s*$$
+  ^\s*IKE(?:[Vv]\d|)\s+Sessions:\s+${TOTAL_IKE_SESSIONS}\s+IPSec\s+Sessions:\s+${TOTAL_IPSEC_SESSIONS}\s*$$
+  ^\s*IKE(?:[Vv]\d|)\s+Tunnels:\s*${TOTAL_IKE_SESSIONS}\s*$$
+  ^\s*IP[Ss]ec\s+Tunnels:\s*${TOTAL_IPSEC_SESSIONS}\s*$$
+  ^\s*${CONNECTION_TYPE}:\s*$$ -> Continue
+  ^\s*IKE(?:[Vv]\d|): -> IKE
+  ^\s*IP[Ss]ec: -> IPSec
+  ^\s*NAC: -> NAC
+  ^\s*Connection\s*: -> Continue.Record
+  ^\s*Connection\s*:\s+${CONNECTION}\s*$$
+  ^Session\s+Type -> Continue.Record
   ^Session\s+Type -> Continue.Clearall
-  ^Session\s+Type:\s+${SESSION_TYPE}\s+Detailed\s*
-  ^\s+Connection\s*:\s+${CONNECTION}\s*
-  ^\s+Index\s*:\s+${INDEX}\s+IP\s+Addr\s*:\s+${IP_ADDRESS}\s*
-  ^\s+Protocol\s*:\s+${PROTOCOL}\s+Encryption\s*:\s+${ENCRYPTION}\s*
-  ^\s+Bytes\s+Tx\s*:\s+${BYTES_TRANSMITTED}\s+Bytes\s+Rx\s*:\s+${BYTES_RECIEVED}\s*
-  ^\s+Login\s+Time\s*:\s+${LOGIN_TIME}\s+${LOGIN_TIME_ZONE}\s+${LOGIN_WEEKDAY}\s+${LOGIN_MONTH}\s+${LOGIN_DAY}\s+${LOGIN_YEAR}\s*
-  ^\s+Duration\s*:\s+${DURATION}\s*
-  ^\s+Filter\s+Name\s*:\s+\S*\s*
-  # IKE and IPSEC Session Counts will capture and continue on the first iteration. This data will be recorded on the second iteration if both IKE and IPSec have 0 Sessions
-  ^\s+IKE\s+Sessions:\s+${TOTAL_IKE_SESSIONS}\s+IPSec\s+Sessions:\s+${TOTAL_IPSEC_SESSIONS}\s* -> Continue
-  ^\s+IKE\s+Sessions:\s+0\s+IPSec\s+Sessions:\s+0\s* -> Record
-  ^\s+${IKE_CONNECTION_TYPE}:\s* -> IKE
-  ^\s+${IPSEC_CONNECTION_TYPE}:\s* -> IPSec
+  ^Session\s+Type:\s+${SESSION_TYPE}\s+Detailed\s*$$
+  ^\s*$$
+  ^. -> Error
 
 IKE
-  ^\s+Session\s+ID\s*:\s+${SESSION_ID}
-  ^\s+UDP\s+Src\s+Port\s*:\s+${UDP_SRC_PORT}\s+UDP\s+Dst\s+Port\s*:\s+${UDP_DST_PORT}\s*
-  ^\s+IKE\s+Neg\s+Mode\s*:\s+${NEGOTIAION_MODE}\s+Auth\s+Mode\s*:\s+${AUTHENTICATION_MODE}\s*
-  ^\s+Encryption\s*:\s+${ENCRYPTION_METHOD}\s+Hashing\s*:\s+${HASH_METHOD}
-  ^\s+Rekey\s+Int\s+\(\w\):\s+${REKEY_INTERVAL}\s+${REKEY_INTERVAL_UNIT}\s+Rekey\s+Left\(\w+\):\s+${REKEY_TIME_LEFT}\s+${REKEY_TIME_LEFT_UNIT}\s*
-  ^\s+D\/H\s+Group\s*:\s+${DH_GROUP}\s*
-  ^\s*$$ -> Record Start
+  ^\s*(Session|Tunnel)\s+ID\s*:\s+(?:\d+\.|)${SESSION_ID}\s*$$
+  ^\s*UDP\s+Src\s+Port\s*:\s+${UDP_SRC_PORT}\s+UDP\s+Dst\s+Port\s*:\s+${UDP_DST_PORT}\s*$$
+  ^\s*Rem\s+Auth\s+Mode\s*:\s*${REMOTE_AUTHENTICATION_MODE}\s*$$
+  ^\s*Loc\s+Auth\s+Mode\s*:\s*${LOCAL_AUTHENTICATION_MODE}\s*$$
+  ^\s*IKE\s+Neg\s+Mode\s*:\s+${NEGOTIAION_MODE}\s+Auth\s+Mode\s*:\s+${AUTHENTICATION_MODE}\s*$$
+  ^\s*Encryption\s*:\s+${ENCRYPTION_METHOD}\s+Hashing\s*:\s+${HASH_METHOD}\s*$$
+  ^\s*Encapsulation\s+:\s*${ENCAPSULATION}\s*$$
+  ^\s*Rekey\s+Int\s+\([Tt]\):\s+${REKEY_INTERVAL}\s+${REKEY_INTERVAL_UNIT}\s+Rekey\s+Left\([Tt]\):\s+${REKEY_TIME_LEFT}\s+${REKEY_TIME_LEFT_UNIT}\s*$$
+  ^\s*Rekey\s+Int\s+\([Dd]\):\s+${REKEY_DATA_INTERVAL}\s+${REKEY_DATA_INTERVAL_UNIT}\s+Rekey\s+Left\([Dd]+\):\s+${REKEY_DATA_REMAINING}\s+${REKEY_DATA_REMAINING_UNIT}\s*$$
+  ^\s*(?:PRF\s*:\s+${PRF}\s+|)D\/H\s+Group\s*:\s+${DH_GROUP}\s*$$
+  ^\s*Filter\s+Name\s+:\s*${FILTER_NAME}\s*$$
+  ^\s*IPv6\s+Filter\s+:\s*${IPV6_FILTER_NAME}\s*$$
+  ^\s*\S+:\s*$$ -> Continue.Record
+  ^\s*${CONNECTION_TYPE}:\s*$$ -> Continue
+  ^\s*IKE(?:[Vv]\d|): -> IKE
+  ^\s*IP[Ss]ec: -> IPSec
+  ^\s*NAC: -> NAC
+  ^\s*Connection\s*: -> Continue.Record
+  ^\s*Connection\s*:\s+${CONNECTION}\s*$$ -> Connection
+  ^Session\s+Type -> Continue.Record
+  ^Session\s+Type -> Continue.Clearall
+  ^Session\s+Type:\s+${SESSION_TYPE}\s+Detailed\s*$$ -> Connection
+  ^\s*$$
+  ^. -> Error
 
 IPSec
-  ^\s+Session\s+ID\s*:\s+${SESSION_ID}
-  ^\s+Local\s+Addr\s*:\s+${LOCAL_ADDRESS_NETWORK}\/${LOCAL_ADDRESS_MASK}\s*
-  ^\s+Remote\s+Addr\s*:\s+${REMOTE_ADDRESS_NETWORK}\/${REMOTE_ADDRESS_MASK}\s*
-  ^\s+Encryption\s*:\s+${ENCRYPTION_METHOD}\s+Hashing\s*:\s+${HASH_METHOD}\s*
-  ^\s+Encapsulation\s*:\s+${ENCAPSULATION}\s+PFS\s+Group\s*:\s+${PFS_GROUP}\s*
-  ^\s+Rekey\s+Int\s+\(\w\)\s*:\s+${REKEY_INTERVAL}\s+${REKEY_INTERVAL_UNIT}\s+Rekey\s+Left\(\w+\)\s*:\s+${REKEY_TIME_LEFT}\s+${REKEY_TIME_LEFT_UNIT}\s*
-  ^\s+Bytes\s+Tx\s*:\s+${BYTES_TRANSMITTED}\s+Bytes\s+Rx\s*:\s+${BYTES_RECIEVED}\s*
-  ^\s+Pkts\s+Tx\s*:\s+${PACKETS_TRANSMITTED}\s+Pkts\s+Rx\s*:\s+${PACKETS_RECIEVED}\s*
-  ^\s*$$ -> Record Start
+  ^\s*(Session|Tunnel)\s+ID\s*:\s+(?:\d+\.|)${SESSION_ID}\s*$$
+  ^\s*Local\s+Addr\s*:\s+${LOCAL_ADDRESS_NETWORK}\/${LOCAL_ADDRESS_MASK}
+  ^\s*Remote\s+Addr\s*:\s+${REMOTE_ADDRESS_NETWORK}\/${REMOTE_ADDRESS_MASK}
+  ^\s*Encryption\s*:\s+${ENCRYPTION_METHOD}\s+Hashing\s*:\s+${HASH_METHOD}\s*$$
+  ^\s*Encapsulation\s*:\s+${ENCAPSULATION}(?:\s+PFS\s+Group\s*:\s+${PFS_GROUP}|)\s*$$
+  ^\s*Rekey\s+Int\s+\([Tt]\):\s+${REKEY_INTERVAL}\s+${REKEY_INTERVAL_UNIT}\s+Rekey\s+Left\([Tt]\):\s+${REKEY_TIME_LEFT}\s+${REKEY_TIME_LEFT_UNIT}\s*$$
+  ^\s*Rekey\s+Int\s+\([Dd]\):\s+${REKEY_DATA_INTERVAL}\s+${REKEY_DATA_INTERVAL_UNIT}\s+Rekey\s+Left\([Dd]+\):\s+${REKEY_DATA_REMAINING}\s+${REKEY_DATA_REMAINING_UNIT}\s*$$
+  ^\s*Idle\s+Time\s+Out\s*:\s+${IDLE_TIMEOUT_INTERVAL}\s+${IDLE_TIMEOUT_INTERVAL_UNIT}\s+Idle\s+TO\s+Left\s*:\s+${IDLE_TIMEOUT_REMAINING}\s+${IDLE_TIMEOUT_REMAINING_UNIT}\s*$$             
+  ^\s*Bytes\s+Tx\s*:\s+${BYTES_TRANSMITTED}\s+Bytes\s+Rx\s*:\s+${BYTES_RECEIVED}\s*$$
+  ^\s*Pkts\s+Tx\s*:\s+${PACKETS_TRANSMITTED}\s+Pkts\s+Rx\s*:\s+${PACKETS_RECEIVED}\s*$$
+  ^\s*\S+:\s*$$ -> Continue.Record
+  ^\s*${CONNECTION_TYPE}:\s*$$ -> Continue
+  ^\s*IKE(?:[Vv]\d|): -> IKE
+  ^\s*IP[Ss]ec: -> IPSec
+  ^\s*NAC: -> NAC
+  ^\s*Connection\s*: -> Continue.Record
+  ^\s*Connection\s*:\s+${CONNECTION}\s*$$ -> Connection
+  ^Session\s+Type -> Continue.Record
+  ^Session\s+Type -> Continue.Clearall
+  ^Session\s+Type:\s+${SESSION_TYPE}\s+Detailed\s*$$ -> Connection
+  ^\s*$$
+  ^. -> Error
 
-EOF
+NAC
+  ^\s*Reval\s+Int\s+\(\w\)\s*:\s+${REVAL_TIMEOUT}\s+${REVAL_TIMOUT_UNIT}\s+Reval\s+Left\s*\(\w\)\s*:\s+${REVAL_TIMEOUT_REMAINING}\s+${REVAL_TIMEOUT_REMAINING_UNIT}\s*$$
+  ^\s*SQ\s+Int\s+\(\w\)\s*:\s+${STATUS_QUERY_INTERVAL}\s+${STATUS_QUERY_INTERVAL_UNIT}\s+EoU\s+Age\(\w\)\s*:\s+${EAP_OVER_UDP_TIMER}\s+${EAP_OVER_UDP_TIMER_UNIT}\s*$$
+  ^\s*Hold\s+Left\s+\(\w\)\s*:\s+${POSTURE_HOLDTIME_REMAINING}\s+${POSTURE_HOLDTIME_REMAINING_UNIT}\s+Posture\s+Token\s*:\s*${POSTURE_TOKEN}\s*$$
+  ^\s*Redirect\s+URL\s*:\s*${REDIRECT_URL}\s*$$
+  ^\s*\S+:\s*$$ -> Continue.Record
+  ^\s*${CONNECTION_TYPE}:\s*$$ -> Continue
+  ^\s*IKE(?:[Vv]\d|): -> IKE
+  ^\s*IP[Ss]ec: -> IPSec
+  ^\s*NAC: -> NAC
+  ^\s*Connection\s*: -> Continue.Record
+  ^\s*Connection\s*:\s+${CONNECTION}\s*$$ -> Connection
+  ^Session\s+Type -> Continue.Record
+  ^Session\s+Type -> Continue.Clearall
+  ^Session\s+Type:\s+${SESSION_TYPE}\s+Detailed\s*$$ -> Connection
+  ^\s*$$
+  ^. -> Error