Cherry-pick #19149 to 7.x: [Filebeat] Fix Cisco ASA dissect pattern f…
…or 313008 & 313009 (#19235)

An extra space after the column causes an 'Unable to find match for dissect pattern' error.

(cherry picked from commit 155013a)
adriansr authored Jul 13, 2020
1 parent 03b4227 commit 3382f55
Showing 6 changed files with 232 additions and 13 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -232,6 +232,7 @@ field. You can revert this change by configuring tags for the module and omittin
- Add missing `default_field: false` to aws filesets fields.yml. {pull}19568[19568]
- Fix tls mapping in suricata module {issue}19492[19492] {pull}19494[19494]
- Fix memory leak in tcp and unix input sources. {pull}19459[19459]
- Fix Cisco ASA dissect pattern for 313008 & 313009 messages. {pull}19149[19149]

*Heartbeat*

2 changes: 2 additions & 0 deletions x-pack/filebeat/module/cisco/asa/test/asa-fix.log
Expand Up @@ -3,3 +3,5 @@ Apr 17 2020 14:00:31 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny icmp src Inside:10.12
Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group "acl_dmz" [0xe3afb522, 0x0]
Apr 17 2020 14:16:20 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\Elastic) dst Outside:10.123.123.123/57621 by access-group "Inside_access_in" [0x0, 0x0]
Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123
Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-3-313008: Denied IPv6-ICMP type=134, code=0 from fe80::1ff:fe23:4567:890a on interface ISP1
Jun 08 2020 12:59:57: %ASA-4-313009: Denied invalid ICMP code 9, for Inside:10.255.0.206/8795 (10.255.0.206/8795) to identity:10.12.31.51/0 (10.12.31.51/0), ICMP id 295, ICMP type 8
161 changes: 156 additions & 5 deletions x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json
Expand Up @@ -9,15 +9,23 @@
"destination.ip": "10.233.123.123",
"destination.port": 53,
"event.action": "flow-expiration",
"event.category": [
"network"
],
"event.code": 302016,
"event.dataset": "cisco.asa",
"event.duration": 0,
"event.end": "2020-04-17T14:08:08.000-02:00",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-6-302016: Teardown UDP connection 110577675 for Outside:10.123.123.123/53723(LOCAL\\Elastic) to Inside:10.233.123.123/53 duration 0:00:00 bytes 148 (zzzzzz)",
"event.severity": 6,
"event.start": "2020-04-17T16:08:08.000Z",
"event.timezone": "-02:00",
"event.type": [
"connection",
"end"
],
"fileset.name": "asa",
"host.hostname": "SNL-ASA-VPN-A01",
"input.type": "log",
Expand All @@ -26,12 +34,17 @@
"network.bytes": 148,
"network.iana_number": 17,
"network.transport": "udp",
"related.ip": [
"10.123.123.123",
"10.233.123.123"
],
"service.type": "cisco",
"source.address": "10.123.123.123",
"source.ip": "10.123.123.123",
"source.port": 53723,
"tags": [
"cisco-asa"
"cisco-asa",
"forwarded"
]
},
{
Expand All @@ -42,25 +55,38 @@
"destination.address": "10.123.123.123",
"destination.ip": "10.123.123.123",
"event.action": "firewall-rule",
"event.category": [
"network"
],
"event.code": 106023,
"event.dataset": "cisco.asa",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group \"Inside_access_in\" [0x0, 0x0]",
"event.outcome": "deny",
"event.severity": 4,
"event.timezone": "-02:00",
"event.type": [
"info",
"denied"
],
"fileset.name": "asa",
"host.hostname": "SNL-ASA-VPN-A01",
"input.type": "log",
"log.level": "warning",
"log.offset": 200,
"network.iana_number": 1,
"network.transport": "icmp",
"related.ip": [
"10.123.123.123",
"10.123.123.123"
],
"service.type": "cisco",
"source.address": "10.123.123.123",
"source.ip": "10.123.123.123",
"tags": [
"cisco-asa"
"cisco-asa",
"forwarded"
]
},
{
Expand All @@ -72,25 +98,38 @@
"destination.ip": "10.123.123.123",
"destination.port": 53,
"event.action": "firewall-rule",
"event.category": [
"network"
],
"event.code": 106023,
"event.dataset": "cisco.asa",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3afb522, 0x0]",
"event.outcome": "deny",
"event.severity": 4,
"event.timezone": "-02:00",
"event.type": [
"info",
"denied"
],
"fileset.name": "asa",
"input.type": "log",
"log.level": "warning",
"log.offset": 381,
"network.iana_number": 6,
"network.transport": "tcp",
"related.ip": [
"10.123.123.123",
"10.123.123.123"
],
"service.type": "cisco",
"source.address": "10.123.123.123",
"source.ip": "10.123.123.123",
"source.port": 6316,
"tags": [
"cisco-asa"
"cisco-asa",
"forwarded"
]
},
{
Expand All @@ -103,50 +142,162 @@
"destination.ip": "10.123.123.123",
"destination.port": 57621,
"event.action": "firewall-rule",
"event.category": [
"network"
],
"event.code": 106023,
"event.dataset": "cisco.asa",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\\Elastic) dst Outside:10.123.123.123/57621 by access-group \"Inside_access_in\" [0x0, 0x0]",
"event.outcome": "deny",
"event.severity": 4,
"event.timezone": "-02:00",
"event.type": [
"info",
"denied"
],
"fileset.name": "asa",
"host.hostname": "SNL-ASA-VPN-A01",
"input.type": "log",
"log.level": "warning",
"log.offset": 545,
"network.iana_number": 17,
"network.transport": "udp",
"related.ip": [
"10.123.123.123",
"10.123.123.123"
],
"service.type": "cisco",
"source.address": "10.123.123.123",
"source.ip": "10.123.123.123",
"source.port": 57621,
"tags": [
"cisco-asa"
"cisco-asa",
"forwarded"
]
},
{
"cisco.asa.message_id": "106017",
"destination.address": "10.123.123.123",
"destination.ip": "10.123.123.123",
"event.action": "firewall-rule",
"event.category": [
"network"
],
"event.code": 106017,
"event.dataset": "cisco.asa",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123",
"event.outcome": "deny",
"event.severity": 2,
"event.timezone": "-02:00",
"event.type": [
"info",
"denied"
],
"fileset.name": "asa",
"host.hostname": "SNL-ASA-VPN-A01",
"input.type": "log",
"log.level": "critical",
"log.offset": 734,
"related.ip": [
"10.123.123.123",
"10.123.123.123"
],
"service.type": "cisco",
"source.address": "10.123.123.123",
"source.ip": "10.123.123.123",
"tags": [
"cisco-asa"
"cisco-asa",
"forwarded"
]
},
{
"cisco.asa.icmp_code": 0,
"cisco.asa.icmp_type": 134,
"cisco.asa.message_id": "313008",
"cisco.asa.source_interface": "ISP1",
"event.action": "firewall-rule",
"event.category": [
"network"
],
"event.code": 313008,
"event.dataset": "cisco.asa",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-3-313008: Denied IPv6-ICMP type=134, code=0 from fe80::1ff:fe23:4567:890a on interface ISP1",
"event.outcome": "deny",
"event.severity": 3,
"event.timezone": "-02:00",
"event.type": [
"info",
"denied"
],
"fileset.name": "asa",
"host.hostname": "SNL-ASA-VPN-A01",
"input.type": "log",
"log.level": "error",
"log.offset": 853,
"network.iana_number": 58,
"network.transport": "ipv6-icmp",
"related.ip": [
"fe80::1ff:fe23:4567:890a"
],
"service.type": "cisco",
"source.address": "fe80::1ff:fe23:4567:890a",
"source.ip": "fe80::1ff:fe23:4567:890a",
"tags": [
"cisco-asa",
"forwarded"
]
},
{
"cisco.asa.destination_interface": "identity",
"cisco.asa.icmp_code": 9,
"cisco.asa.mapped_destination_ip": "10.12.31.51",
"cisco.asa.mapped_destination_port": 0,
"cisco.asa.mapped_source_ip": "10.255.0.206",
"cisco.asa.mapped_source_port": 8795,
"cisco.asa.message_id": "313009",
"cisco.asa.source_interface": "Inside",
"destination.address": "10.12.31.51",
"destination.ip": "10.12.31.51",
"destination.port": 0,
"event.action": "firewall-rule",
"event.category": [
"network"
],
"event.code": 313009,
"event.dataset": "cisco.asa",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-4-313009: Denied invalid ICMP code 9, for Inside:10.255.0.206/8795 (10.255.0.206/8795) to identity:10.12.31.51/0 (10.12.31.51/0), ICMP id 295, ICMP type 8",
"event.outcome": "deny",
"event.severity": 4,
"event.timezone": "-02:00",
"event.type": [
"info",
"denied"
],
"fileset.name": "asa",
"input.type": "log",
"log.level": "warning",
"log.offset": 989,
"network.iana_number": 1,
"network.transport": "icmp",
"related.ip": [
"10.255.0.206",
"10.12.31.51"
],
"service.type": "cisco",
"source.address": "10.255.0.206",
"source.ip": "10.255.0.206",
"source.port": 8795,
"tags": [
"cisco-asa",
"forwarded"
]
}
]
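Review bot: The new 313009 expected event (the object beginning at `"cisco.asa.destination_interface": "identity"`) records `"cisco.asa.icmp_code": 9` but no `cisco.asa.icmp_type`, even though its `event.original` ends with `ICMP id 295, ICMP type 8` and the 313008 event directly above populates both `cisco.asa.icmp_type` and `cisco.asa.icmp_code`. If the updated dissect pattern in the pipeline (not part of this page) captures the trailing ICMP type, this golden file should show `"cisco.asa.icmp_type": 8`; if it does not, the two messages model the same concept inconsistently and the pattern would need extending so the field appears here. Since this is a generated expected-output file, the change belongs in the pipeline definition, with this file regenerated afterwards rather than edited by hand.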
