
ASA VPN-SESSIONDB: Bug Fixes with new data #323

Merged
merged 1 commit into from
Jan 3, 2019

Conversation

jmcgill298
Contributor

@jmcgill298 jmcgill298 commented Dec 30, 2018

BREAKING CHANGES:

  • Fix spelling of received
    • BYTES_RECEIVED
    • PACKETS_RECEIVED
  • Distinguish between total byte counts and individual tunnel byte counts
    • total bytes becomes TOTAL_BYTES_TRANSMITTED and TOTAL_BYTES_RECEIVED
    • tunnel bytes stays BYTES_TRANSMITTED and BYTEC_RECEIVED
  • Change capturing the connection type from using unique named capture groups, to using the same capture group:
    • IKE_CONNECTION_TYPE becomes CONNECTION_TYPE
    • IPSEC_CONNECTION_TYPE becomes CONNECTION_TYPE
    • Support added for NAC connections will also be recorded as CONNECTION_TYPE

BUG FIXES:

  • Update opening lines to allow for, but not require, spaces (^\s+ -> ^\s*)
  • Add support for multiple Connections under the same Session Type header
  • Update IKE matches to account for IKE or IKE with version number
  • PROTOCOL - Change capture to support Protocol fields with multiple protocols
  • ENCRYPTION - Change capture to support Encryption fields with multiple encryption types
  • DURATION - Change capture to support any datetime format
  • TOTAL_*_SESSIONS - Add support for IKE/IPSEC tunnel counts on separate lines:
    • TOTAL_IKE_SESSIONS
    • TOTAL_IPSEC_SESSIONS
  • SESSION_ID - Add support for output that uses Tunnel ID format that is Index + Session ID:
    • Index of 1000
    • Session ID of 1
    • Tunnel ID would be 1000.1
    • Thus the regex looks for anything after (?:\d+\.) for Session ID

NEW CAPTURE GROUPS:

  • FILTER_NAME - Add support for capturing Filter Name
  • HASHING - Add support for capturing Hashing algorithms
  • IPV6_FILTER_NAME - Add support for capturing IPv6 Filters
  • PRF - Add support for capturing Pseudo Random Function
  • IDLE_TIMEOUT_* - Add support for capturing Idle Timeout data:
    • IDLE_TIMEOUT_INTERVAL
    • IDLE_TIMEOUT_INTERVAL_UNIT
    • IDLE_TIMEOUT_REMAINING
    • IDLE_TIMEOUT_REMAINING_UNI
  • REKEY_DATA_* - Add support for Rekey data intervals and timeouts:
    • Distinguish between time and data rekey values (\(\w\) -> \([Tt]\) and \([Dd]\)
    • REKEY_DATA_INTERVAL
    • REKEY_DATA_INTERVAL_UNIT
    • REKEY_DATA_REMAINING
    • REKEY_DATA_REMAINING_UNIT
  • NAC - Add support for NAC connections:
    • REVAL_TIMEOUT
    • REVAL_TIMOUT_UNIT
    • REVAL_TIMEOUT_REMAINING
    • REVAL_TIMEOUT_REMAINING_UNIT
    • STATUS_QUERY_INTERVAL
    • STATUS_QUERY_INTERVAL_UNIT
    • EAP_OVER_UDP_TIMER
    • EAP_OVER_UDP_TIMER_UNIT
    • POSTURE_HOLDTIME_REMAINING
    • POSTURE_HOLDTIME_REMAINING_UNIT
    • POSTURE_TOKEN
    • REDIRECT_URL

GENERAL ENHANCEMENTS:

  • Add end-of-line to each expression (\s*$$)
  • Add catch-all error to ensure parser integrity (.* -> Error)
  • Change Record to take place on Session/Protocol Header

TEST UPDATES:

  • Update existing test parsed file to account for updates
  • Add new test files with additional output formats

ISSUE TYPE

  • Bugfix Pull Request

COMPONENT

cisco_asa_show_vpn-sessiondb_detail_l2l

SUMMARY

New data collected for command output; this updates the template to account for this info.

Fixes #231
Alternate solution to #237

@FragmentedPacket
Contributor

FragmentedPacket commented Jan 1, 2019

@jmcgill298 Thanks for all the work on this!

Would it be worthwhile to set the authentication_mode to filldown?

Also, I'm not sure if it'd be worth it to change encryption and hashing to lists or separate them out to each phase as they were in #237 and possibly rename them to encryption_avail_methods and hashing_avail_methods. My thoughts on that is if we were using this data to determine if say MD5/3DES was still an available option when building the tunnel, that we'd want to act on that and make changes or use that for reporting (phase 1 still has weak methods available for negotiation and needs to be updated)

@jmcgill298
Contributor Author

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s14.html

ENCRYPTION and HASHING are strings, and, per the documentation above, are the algorithms being used.

I think all of your concerns stem back to including IKE as part of the overall session data, but I don't think that it would necessarily represent all possible options.

  1. Why include the IKE Sessions field if it is always 1?
  2. The above documentation says this: Number of IKE (IPsec Phase 1) sessions; **usually** 1. These sessions establish the tunnel for IPsec traffic.

I think it would be better to record each section individually, and handle assembling data in post-processing.
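Recording each protocol section as its own record and leaving the assembly and the weak-algorithm report to post-processing, as an added example that is not part of this PR or the ntc-templates project: it uses Python `re` rather than TextFSM, a constructed sample of the output, an assumed weak-algorithm list (MD5/3DES are the ones raised above, DES is added), and my own `REKEY_TIME_*` names and helper names.

```python
import re
# Constructed sample of `show vpn-sessiondb detail l2l` output (not a real capture), trimmed to
# the lines this example parses: an IKEv1 and an IPsec tunnel both under Index 1000.
SAMPLE = """\
Session Type: LAN-to-LAN Detailed
Encryption   : IKEv1: (1)3DES  IPsec: (1)AES256
IKEv1:
  Tunnel ID    : 1000.1
  Encryption   : 3DES                   Hashing      : MD5
  Rekey Int (T): 86400 Seconds          Rekey Left(T): 86100 Seconds
IPsec:
  Tunnel ID    : 1000.2
  Encryption   : AES256                 Hashing      : SHA1
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28500 Seconds
  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607990 K-Bytes
"""
# Python `re` versions of the PR's regex choices: optional leading whitespace (^\s*), IKE with or
# without a version number, Tunnel ID = Index.SessionID via (?:\d+\.), and (T)/(D) rekey kept apart.
HEADER = re.compile(r"^\s*(?P<proto>IKEv?\d*|IPsec|NAC):\s*$")
TUNNEL = re.compile(r"^\s*Tunnel ID\s*:\s*(?:\d+\.)?(?P<SESSION_ID>\d+)\s*$")
ALGS = re.compile(r"^\s*Encryption\s*:\s*(?P<ENCRYPTION>\S+)\s+Hashing\s*:\s*(?P<HASHING>\S+)\s*$")
REKEY = re.compile(r"^\s*Rekey Int\s*\((?P<kind>[TtDd])\):\s*(?P<interval>\d+)\s+(?P<unit>\S+)"
                   r"\s+Rekey Left\s*\((?P=kind)\):\s*(?P<remaining>\d+)\s+\S+\s*$")

def parse(text):
    """Start a new record at each protocol header and fill it from the lines beneath it."""
    records, current = [], None
    for line in text.splitlines():
        if (m := HEADER.match(line)):
            current = {"CONNECTION_TYPE": m.group("proto")}
            records.append(current)
            continue
        if current is None:          # session-level lines are left for post-processing here
            continue
        for rx in (TUNNEL, ALGS):
            if (m := rx.match(line)):
                current.update(m.groupdict())
        if (m := REKEY.match(line)):
            kind = "DATA" if m.group("kind").upper() == "D" else "TIME"   # TIME prefix is my naming
            current[f"REKEY_{kind}_INTERVAL"] = m.group("interval")
            current[f"REKEY_{kind}_INTERVAL_UNIT"] = m.group("unit")
            current[f"REKEY_{kind}_REMAINING"] = m.group("remaining")
    return records

WEAK = {"MD5", "3DES", "DES"}   # assumed reporting policy; MD5/3DES are the ones raised in review
def weak_tunnels(records):
    """Post-processing over the per-section records: tunnels negotiated with a weak cipher or hash."""
    return [(r["CONNECTION_TYPE"], r.get("SESSION_ID"), r.get("ENCRYPTION"), r.get("HASHING"))
            for r in records if {r.get("ENCRYPTION"), r.get("HASHING")} & WEAK]
```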

@jmcgill298
Contributor Author

@FragmentedPacket based on our conversation yesterday, are you good with this solution?

@FragmentedPacket
Contributor

@jmcgill298 Yup. Everything makes sense!

@jmcgill298 jmcgill298 merged commit 1fc4892 into networktocode:master Jan 3, 2019
jvanderaa pushed a commit that referenced this pull request Nov 10, 2021
Successfully merging this pull request may close these issues.

cisco_asa_show_vpn-sessiondb_detail_l2l.template not parsing