From 3382f5584ef60f41a10308f1556efaa971c2cfbe Mon Sep 17 00:00:00 2001
From: Adrian Serrano
Date: Mon, 13 Jul 2020 23:03:38 +0200
Subject: [PATCH] Cherry-pick #19149 to 7.x: [Filebeat] Fix Cisco ASA dissect pattern for 313008 & 313009 (#19235)

Extra space after column causes 'Unable to find match for dissect pattern' error.

(cherry picked from commit 155013a076aab3114360927320685c7294ddf1c9)
---
 CHANGELOG.next.asciidoc | 1 +
 .../module/cisco/asa/test/asa-fix.log | 2 +
 .../cisco/asa/test/asa-fix.log-expected.json | 161 +++++++++++++++++-
 .../cisco/ftd/test/asa-fix.log-expected.json | 75 +++++++-
 .../security-connection.log-expected.json | 2 +-
 .../cisco/shared/ingest/asa-ftd-pipeline.yml | 4 +-
 6 files changed, 232 insertions(+), 13 deletions(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 506b91151ba..6cd24ae5354 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -232,6 +232,7 @@ field. You can revert this change by configuring tags for the module and omittin
 - Add missing `default_field: false` to aws filesets fields.yml. {pull}19568[19568]
 - Fix tls mapping in suricata module {issue}19492[19492] {pull}19494[19494]
 - Fix memory leak in tcp and unix input sources. {pull}19459[19459]
+- Fix Cisco ASA dissect pattern for 313008 & 313009 messages. {pull}19149[19149]
 
 *Heartbeat*
 
diff --git a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log
index 00819e8eec1..19509b9f9ef 100644
--- a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log
+++ b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log
@@ -3,3 +3,5 @@ Apr 17 2020 14:00:31 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny icmp src Inside:10.12
 Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group "acl_dmz" [0xe3afb522, 0x0]
 Apr 17 2020 14:16:20 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\Elastic) dst Outside:10.123.123.123/57621 by access-group "Inside_access_in" [0x0, 0x0]
 Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123
+Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-3-313008: Denied IPv6-ICMP type=134, code=0 from fe80::1ff:fe23:4567:890a on interface ISP1
+Jun 08 2020 12:59:57: %ASA-4-313009: Denied invalid ICMP code 9, for Inside:10.255.0.206/8795 (10.255.0.206/8795) to identity:10.12.31.51/0 (10.12.31.51/0), ICMP id 295, ICMP type 8
diff --git a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json
index de470786f66..9fb6401ea55 100644
--- a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json
@@ -9,15 +9,23 @@
 "destination.ip": "10.233.123.123",
 "destination.port": 53,
 "event.action": "flow-expiration",
+ "event.category": [
+ "network"
+ ],
 "event.code": 302016,
 "event.dataset": "cisco.asa",
 "event.duration": 0,
 "event.end": "2020-04-17T14:08:08.000-02:00",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-302016: Teardown UDP connection 110577675 for Outside:10.123.123.123/53723(LOCAL\\Elastic) to Inside:10.233.123.123/53 duration 0:00:00 bytes 148 (zzzzzz)",
 "event.severity": 6,
 "event.start": "2020-04-17T16:08:08.000Z",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "end"
+ ],
 "fileset.name": "asa",
 "host.hostname": "SNL-ASA-VPN-A01",
 "input.type": "log",
@@ -26,12 +34,17 @@
 "network.bytes": 148,
 "network.iana_number": 17,
 "network.transport": "udp",
+ "related.ip": [
+ "10.123.123.123",
+ "10.233.123.123"
+ ],
 "service.type": "cisco",
 "source.address": "10.123.123.123",
 "source.ip": "10.123.123.123",
 "source.port": 53723,
 "tags": [
- "cisco-asa"
+ "cisco-asa",
+ "forwarded"
 ]
 },
 {
@@ -42,13 +55,21 @@
 "destination.address": "10.123.123.123",
 "destination.ip": "10.123.123.123",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 106023,
 "event.dataset": "cisco.asa",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group \"Inside_access_in\" [0x0, 0x0]",
 "event.outcome": "deny",
 "event.severity": 4,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
 "fileset.name": "asa",
 "host.hostname": "SNL-ASA-VPN-A01",
 "input.type": "log",
@@ -56,11 +77,16 @@
 "log.offset": 200,
 "network.iana_number": 1,
 "network.transport": "icmp",
+ "related.ip": [
+ "10.123.123.123",
+ "10.123.123.123"
+ ],
 "service.type": "cisco",
 "source.address": "10.123.123.123",
 "source.ip": "10.123.123.123",
 "tags": [
- "cisco-asa"
+ "cisco-asa",
+ "forwarded"
 ]
 },
 {
@@ -72,25 +98,38 @@
 "destination.ip": "10.123.123.123",
 "destination.port": 53,
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 106023,
 "event.dataset": "cisco.asa",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3afb522, 0x0]",
 "event.outcome": "deny",
 "event.severity": 4,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
 "fileset.name": "asa",
 "input.type": "log",
 "log.level": "warning",
 "log.offset": 381,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "related.ip": [
+ "10.123.123.123",
+ "10.123.123.123"
+ ],
 "service.type": "cisco",
 "source.address": "10.123.123.123",
 "source.ip": "10.123.123.123",
 "source.port": 6316,
 "tags": [
- "cisco-asa"
+ "cisco-asa",
+ "forwarded"
 ]
 },
 {
@@ -103,13 +142,21 @@
 "destination.ip": "10.123.123.123",
 "destination.port": 57621,
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 106023,
 "event.dataset": "cisco.asa",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\\Elastic) dst Outside:10.123.123.123/57621 by access-group \"Inside_access_in\" [0x0, 0x0]",
 "event.outcome": "deny",
 "event.severity": 4,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
 "fileset.name": "asa",
 "host.hostname": "SNL-ASA-VPN-A01",
 "input.type": "log",
@@ -117,12 +164,17 @@
 "log.offset": 545,
 "network.iana_number": 17,
 "network.transport": "udp",
+ "related.ip": [
+ "10.123.123.123",
+ "10.123.123.123"
+ ],
 "service.type": "cisco",
 "source.address": "10.123.123.123",
 "source.ip": "10.123.123.123",
 "source.port": 57621,
 "tags": [
- "cisco-asa"
+ "cisco-asa",
+ "forwarded"
 ]
 },
 {
@@ -130,23 +182,122 @@
 "destination.address": "10.123.123.123",
 "destination.ip": "10.123.123.123",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 106017,
 "event.dataset": "cisco.asa",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123",
 "event.outcome": "deny",
 "event.severity": 2,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
 "fileset.name": "asa",
 "host.hostname": "SNL-ASA-VPN-A01",
 "input.type": "log",
 "log.level": "critical",
 "log.offset": 734,
+ "related.ip": [
+ "10.123.123.123",
+ "10.123.123.123"
+ ],
 "service.type": "cisco",
 "source.address": "10.123.123.123",
 "source.ip": "10.123.123.123",
 "tags": [
- "cisco-asa"
+ "cisco-asa",
+ "forwarded"
+ ]
+ },
+ {
+ "cisco.asa.icmp_code": 0,
+ "cisco.asa.icmp_type": 134,
+ "cisco.asa.message_id": "313008",
+ "cisco.asa.source_interface": "ISP1",
+ "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
+ "event.code": 313008,
+ "event.dataset": "cisco.asa",
+ "event.kind": "event",
+ "event.module": "cisco",
+ "event.original": "%ASA-3-313008: Denied IPv6-ICMP type=134, code=0 from fe80::1ff:fe23:4567:890a on interface ISP1",
+ "event.outcome": "deny",
+ "event.severity": 3,
+ "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
+ "fileset.name": "asa",
+ "host.hostname": "SNL-ASA-VPN-A01",
+ "input.type": "log",
+ "log.level": "error",
+ "log.offset": 853,
+ "network.iana_number": 58,
+ "network.transport": "ipv6-icmp",
+ "related.ip": [
+ "fe80::1ff:fe23:4567:890a"
+ ],
+ "service.type": "cisco",
+ "source.address": "fe80::1ff:fe23:4567:890a",
+ "source.ip": "fe80::1ff:fe23:4567:890a",
+ "tags": [
+ "cisco-asa",
+ "forwarded"
+ ]
+ },
+ {
+ "cisco.asa.destination_interface": "identity",
+ "cisco.asa.icmp_code": 9,
+ "cisco.asa.mapped_destination_ip": "10.12.31.51",
+ "cisco.asa.mapped_destination_port": 0,
+ "cisco.asa.mapped_source_ip": "10.255.0.206",
+ "cisco.asa.mapped_source_port": 8795,
+ "cisco.asa.message_id": "313009",
+ "cisco.asa.source_interface": "Inside",
+ "destination.address": "10.12.31.51",
+ "destination.ip": "10.12.31.51",
+ "destination.port": 0,
+ "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
+ "event.code": 313009,
+ "event.dataset": "cisco.asa",
+ "event.kind": "event",
+ "event.module": "cisco",
+ "event.original": "%ASA-4-313009: Denied invalid ICMP code 9, for Inside:10.255.0.206/8795 (10.255.0.206/8795) to identity:10.12.31.51/0 (10.12.31.51/0), ICMP id 295, ICMP type 8",
+ "event.outcome": "deny",
+ "event.severity": 4,
+ "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
+ "fileset.name": "asa",
+ "input.type": "log",
+ "log.level": "warning",
+ "log.offset": 989,
+ "network.iana_number": 1,
+ "network.transport": "icmp",
+ "related.ip": [
+ "10.255.0.206",
+ "10.12.31.51"
+ ],
+ "service.type": "cisco",
+ "source.address": "10.255.0.206",
+ "source.ip": "10.255.0.206",
+ "source.port": 8795,
+ "tags": [
+ "cisco-asa",
+ "forwarded"
 ]
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json
index bf6c6b521da..94cd0b8b7bd 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json
@@ -10,15 +10,23 @@
 "destination.ip": "10.233.123.123",
 "destination.port": 53,
 "event.action": "flow-expiration",
+ "event.category": [
+ "network"
+ ],
 "event.code": 302016,
 "event.dataset": "cisco.ftd",
 "event.duration": 0,
 "event.end": "2020-04-17T14:08:08.000-02:00",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-302016: Teardown UDP connection 110577675 for Outside:10.123.123.123/53723(LOCAL\\Elastic) to Inside:10.233.123.123/53 duration 0:00:00 bytes 148 (zzzzzz)",
 "event.severity": 6,
 "event.start": "2020-04-17T16:08:08.000Z",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "end"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "SNL-ASA-VPN-A01",
 "input.type": "log",
@@ -27,12 +35,17 @@
 "network.bytes": 148,
 "network.iana_number": 17,
 "network.transport": "udp",
+ "related.ip": [
+ "10.123.123.123",
+ "10.233.123.123"
+ ],
 "service.type": "cisco",
 "source.address": "10.123.123.123",
 "source.ip": "10.123.123.123",
 "source.port": 53723,
 "tags": [
- "cisco-ftd"
+ "cisco-ftd",
+ "forwarded"
 ]
 },
 {
@@ -44,13 +57,21 @@
 "destination.address": "10.123.123.123",
 "destination.ip": "10.123.123.123",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 106023,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group \"Inside_access_in\" [0x0, 0x0]",
 "event.outcome": "deny",
 "event.severity": 4,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "SNL-ASA-VPN-A01",
 "input.type": "log",
@@ -58,11 +79,16 @@
 "log.offset": 200,
 "network.iana_number": 1,
 "network.transport": "icmp",
+ "related.ip": [
+ "10.123.123.123",
+ "10.123.123.123"
+ ],
 "service.type": "cisco",
 "source.address": "10.123.123.123",
 "source.ip": "10.123.123.123",
 "tags": [
- "cisco-ftd"
+ "cisco-ftd",
+ "forwarded"
 ]
 },
 {
@@ -75,25 +101,38 @@
 "destination.ip": "10.123.123.123",
 "destination.port": 53,
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 106023,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3afb522, 0x0]",
 "event.outcome": "deny",
 "event.severity": 4,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
 "fileset.name": "ftd",
 "input.type": "log",
 "log.level": "warning",
 "log.offset": 381,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "related.ip": [
+ "10.123.123.123",
+ "10.123.123.123"
+ ],
 "service.type": "cisco",
 "source.address": "10.123.123.123",
 "source.ip": "10.123.123.123",
 "source.port": 6316,
 "tags": [
- "cisco-ftd"
+ "cisco-ftd",
+ "forwarded"
 ]
 },
 {
@@ -107,13 +146,21 @@
 "destination.ip": "10.123.123.123",
 "destination.port": 57621,
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 106023,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\\Elastic) dst Outside:10.123.123.123/57621 by access-group \"Inside_access_in\" [0x0, 0x0]",
 "event.outcome": "deny",
 "event.severity": 4,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "SNL-ASA-VPN-A01",
 "input.type": "log",
@@ -121,12 +168,17 @@
 "log.offset": 545,
 "network.iana_number": 17,
 "network.transport": "udp",
+ "related.ip": [
+ "10.123.123.123",
+ "10.123.123.123"
+ ],
 "service.type": "cisco",
 "source.address": "10.123.123.123",
 "source.ip": "10.123.123.123",
 "source.port": 57621,
 "tags": [
- "cisco-ftd"
+ "cisco-ftd",
+ "forwarded"
 ]
 },
 {
@@ -135,23 +187,36 @@
 "destination.address": "10.123.123.123",
 "destination.ip": "10.123.123.123",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 106017,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123",
 "event.outcome": "deny",
 "event.severity": 2,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "SNL-ASA-VPN-A01",
 "input.type": "log",
 "log.level": "critical",
 "log.offset": 734,
+ "related.ip": [
+ "10.123.123.123",
+ "10.123.123.123"
+ ],
 "service.type": "cisco",
 "source.address": "10.123.123.123",
 "source.ip": "10.123.123.123",
 "tags": [
- "cisco-ftd"
+ "cisco-ftd",
+ "forwarded"
 ]
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json
index 51da7aa889f..89bd797ebff 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json
@@ -904,4 +904,4 @@
 "user.name": "No Authentication Required",
 "user_agent.original": "curl/7.58.0"
 }
-]
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
index 1dd00c9b4cf..8f14c7df3c0 100644
--- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
+++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
@@ -289,11 +289,11 @@ processors:
 - dissect:
 if: "ctx._temp_.cisco.message_id == '313008'"
 field: "message"
- pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type} , code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}"
+ pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}"
 - dissect:
 if: "ctx._temp_.cisco.message_id == '313009'"
 field: "message"
- pattern: "%{event.outcome} invalid %{network.transport} code %{_temp_.cisco.icmp_code} , for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}"
+ pattern: "%{event.outcome} invalid %{network.transport} code %{_temp_.cisco.icmp_code}, for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}"
 - dissect:
 if: "ctx._temp_.cisco.message_id == '322001'"
 field: "message"
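Review bot: The corrected 313009 pattern still sends the trailing `, ICMP id N, ICMP type T` of the message into the catch-all `%{}`, so `cisco.asa.icmp_type` is populated for 313008 but not for 313009 (the expected fixture added for the new sample carries `icmp_code` only). If that trailer is a fixed part of the message format, which the sample suggests but this hunk does not prove, ending the pattern with `, ICMP id %{}, ICMP type %{_temp_.cisco.icmp_type}` in place of the final `%{}` would give both denied-ICMP messages the same fields for triage. Neither dissect processor carries an `ignore_failure` or `on_failure`, so an unmatched pattern drops the whole event to the pipeline failure path, which is exactly what the stray space fixed here caused; a tighter pattern should therefore be backed by a second fixture line with a different id/type before it is adopted, and the loose `%{}` remains the safer choice if the trailer can vary. A one-line comment above each pattern quoting the documented message shape, e.g. `# Denied invalid ICMP code <code>, for <ifc>:<ip>/<port> (<nat ip>/<nat port>) to <ifc>:<ip>/<port> (<nat ip>/<nat port>), ICMP id <id>, ICMP type <type>`, would make the next whitespace-level mismatch easier to spot in review. The `processors` list continues outside the hunk.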