diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 6be3fb0cfa44..793c94615b11 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -316,6 +316,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Added categorization fields for SSH login events in the system/auth fileset. {pull}11334[11334] - Add support for MySQL 8.0 slow logs and tests also for Percona 8.0 and MariaDB 10.3. {pull}11417[11417] - New Filebeat coredns module to ingest coredns logs. It supports both native coredns deployment and coredns deployment in kubernetes. {pull}11200[11200] +- New module for Cisco ASA logs. {issue}9200[9200] {pull}11171[11171] *Heartbeat* diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 266270e4d194..84463b69ab3f 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -15,6 +15,7 @@ grouped in the following categories: * <> * <> * <> +* <> * <> * <> * <> 
@@ -1047,6 +1048,189 @@ type: alias alias to: agent.hostname +-- + +[[exported-fields-cisco]] +== Cisco fields + +Module for handling Cisco network device logs. + + + +[float] +== cisco fields + +Fields from Cisco logs. + + + +[float] +== asa fields + +Fields for Cisco ASA Firewall. + + + +*`cisco.asa.message_id`*:: ++ +-- +type: keyword + +The Cisco ASA message identifier. + + +-- + +*`cisco.asa.suffix`*:: ++ +-- +type: keyword + +example: session + +Optional suffix after %ASA identifier. + + +-- + +*`cisco.asa.source_interface`*:: ++ +-- +type: keyword + +Source interface for the flow or event. + + +-- + +*`cisco.asa.destination_interface`*:: ++ +-- +type: keyword + +Destination interface for the flow or event. + + +-- + +*`cisco.asa.list_id`*:: ++ +-- +type: keyword + +Name of the Access Control List that matched this event. + + +-- + +*`cisco.asa.source_username`*:: ++ +-- +type: keyword + +Name of the user that is the source for this event. + + +-- + +*`cisco.asa.destination_username`*:: ++ +-- +type: keyword + +Name of the user that is the destination for this event. + + +-- + +*`cisco.asa.mapped_source_ip`*:: ++ +-- +type: ip + +The translated source IP address. + + +-- + +*`cisco.asa.mapped_source_port`*:: ++ +-- +type: long + +The translated source port. + + +-- + +*`cisco.asa.mapped_destination_ip`*:: ++ +-- +type: ip + +The translated destination IP address. + + +-- + +*`cisco.asa.mapped_destination_port`*:: ++ +-- +type: long + +The translated destination port. + + +-- + +*`cisco.asa.threat_level`*:: ++ +-- +type: keyword + +Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. + + +-- + +*`cisco.asa.threat_category`*:: ++ +-- +type: keyword + +Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. + + +-- + +*`cisco.asa.connection_id`*:: ++ +-- +type: keyword + +Unique identifier for a flow. + + +-- + +*`cisco.asa.icmp_type`*:: ++ +-- +type: short + +ICMP type. 
+ + +-- + +*`cisco.asa.icmp_code`*:: ++ +-- +type: short + +ICMP code. + + -- [[exported-fields-cloud]] diff --git a/filebeat/docs/modules/cisco.asciidoc b/filebeat/docs/modules/cisco.asciidoc new file mode 100644 index 000000000000..ce4036e7fa51 --- /dev/null +++ b/filebeat/docs/modules/cisco.asciidoc 
@@ -0,0 +1,103 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-cisco]] +[role="xpack"] + +:modulename: cisco +:has-dashboards: true + +== Cisco module + +This is a module for Cisco network device's logs. Currently supports the `asa` +fileset for Cisco ASA firewall logs received over syslog or read from a file. + +Cisco ASA devices also support exporting flow records using NetFlow, which is +supported by the {filebeat-ref}/filebeat-module-netflow.html[netflow module] in +{beatname_uc}. + +include::../include/what-happens.asciidoc[] + +[float] +=== Compatibility + +This module requires the {plugins}/ingest-geoip.html[ingest-geoip] +Elasticsearch plugin. + +include::../include/running-modules.asciidoc[] + +[float] +=== Example dashboard + +This module comes with a sample dashboard: + +[role="screenshot"] +image::./images/kibana-cisco-asa.png[] + +include::../include/configuring-intro.asciidoc[] + +The module is by default configured to run via syslog on port 9001. However +it can also be configured to read from a file path. See the following example. + +["source","yaml",subs="attributes"] +----- +- module: cisco + asa: + enabled: true + var.paths: ["/var/log/cisco-asa.log"] + var.input: "file" +----- + +:fileset_ex: asa + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `asa` fileset settings + +Example config: + +[source,yaml] +---- + asa: + var.log_level: 5 +---- + +include::../include/var-paths.asciidoc[] + +*`var.log_level`*:: + +An integer between 1 and 7 that allows to filter messages based on the +severity level. The different severity levels supported by the Cisco ASA are: + +[width="30%",cols="^1,2",options="header"] +|=========================== +| log_level | severity +| 1 | Alert +| 2 | Critical +| 3 | Error +| 4 | Warning +| 5 | Notification +| 6 | Informational +| 7 | Debugging +|=========================== + +A value of 7 (default) will not filter any messages. 
A lower value will drop +any messages with a severity level higher than the specified value. For +example, `var.log_level: 3` will allow messages of level 1 (Alert), 2 (Critical) +and 3 (Error). All other messages will be dropped. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index f7e808fddab0..79320965fd29 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc @@ -5,6 +5,7 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> + * <> * <> * <> * <> @@ -34,6 +35,7 @@ This file is generated! See scripts/docs_collector.py include::modules-overview.asciidoc[] include::modules/apache.asciidoc[] include::modules/auditd.asciidoc[] +include::modules/cisco.asciidoc[] include::modules/coredns.asciidoc[] include::modules/elasticsearch.asciidoc[] include::modules/haproxy.asciidoc[] diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 28cafb25cd2b..484c46b2b7a8 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml 
@@ -82,6 +82,23 @@ filebeat.modules: # can be added under this section. #input: +#-------------------------------- Cisco Module -------------------------------- +- module: cisco + asa: + enabled: true + + # Set which input to use between syslog (default) or file. + #var.input: + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + + # Set the log level from 1 (alerts only) to 7 (include all messages). + # Messages with a log level higher than the specified will be dropped. + # See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html + #var.log_level: 7 + #------------------------------- Coredns Module ------------------------------- - module: coredns # Fileset for native deployment diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go index b3df5fd15193..2541405ea0d5 100644 --- a/x-pack/filebeat/include/list.go +++ b/x-pack/filebeat/include/list.go @@ -9,6 +9,7 @@ package include import ( // Import packages that need to register themselves. _ "github.com/elastic/beats/x-pack/filebeat/input/netflow" + _ "github.com/elastic/beats/x-pack/filebeat/module/cisco" _ "github.com/elastic/beats/x-pack/filebeat/module/coredns" _ "github.com/elastic/beats/x-pack/filebeat/module/iptables" _ "github.com/elastic/beats/x-pack/filebeat/module/netflow" diff --git a/x-pack/filebeat/module/cisco/README.md b/x-pack/filebeat/module/cisco/README.md new file mode 100644 index 000000000000..47f420f83ec1 --- /dev/null +++ b/x-pack/filebeat/module/cisco/README.md @@ -0,0 +1,6 @@ +# Cisco module + +## Caveats + +* Module is to be considered _beta_. + diff --git a/x-pack/filebeat/module/cisco/_meta/config.yml b/x-pack/filebeat/module/cisco/_meta/config.yml new file mode 100644 index 000000000000..f6e53cb0d64f --- /dev/null +++ b/x-pack/filebeat/module/cisco/_meta/config.yml 
@@ -0,0 +1,15 @@ +- module: cisco + asa: + enabled: true + + # Set which input to use between syslog (default) or file. + #var.input: + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + + # Set the log level from 1 (alerts only) to 7 (include all messages). + # Messages with a log level higher than the specified will be dropped. + # See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html + #var.log_level: 7 diff --git a/x-pack/filebeat/module/cisco/_meta/docs.asciidoc b/x-pack/filebeat/module/cisco/_meta/docs.asciidoc new file mode 100644 index 000000000000..2c04b0c3a462 --- /dev/null +++ b/x-pack/filebeat/module/cisco/_meta/docs.asciidoc 
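Review bot: The commented template documents `var.input`, `var.paths` and `var.log_level`, but not the `syslog_host` and `syslog_port` variables that asa/config/input.yml interpolates into `host: "{{.syslog_host}}:{{.syslog_port}}"`, so an operator reading this file (or the identical block mirrored into x-pack/filebeat/filebeat.reference.yml) cannot discover how to change the listening address or move off the port 9001 the docs mention. Add two commented entries next to `#var.input:`, e.g. `# Address and port the syslog (UDP) input listens on; see the fileset manifest for the defaults.` followed by `#var.syslog_host:` and `#var.syslog_port:`. Being able to bind to a specific interface matters here because a UDP syslog listener accepts events from any host that can reach the port. The `Filebeat will choose the paths depending on your OS` comment also reads as copied from other modules; if the fileset manifest (not in this diff) declares no default paths for the file input, the comment should instead say that `var.paths` is required when `var.input: file`.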
@@ -0,0 +1,90 @@ +[role="xpack"] + +:modulename: cisco +:has-dashboards: true + +== Cisco module + +This is a module for Cisco network device's logs. Currently supports the `asa` +fileset for Cisco ASA firewall logs received over syslog or read from a file. + +Cisco ASA devices also support exporting flow records using NetFlow, which is +supported by the {filebeat-ref}/filebeat-module-netflow.html[netflow module] in +{beatname_uc}. + +include::../include/what-happens.asciidoc[] + +[float] +=== Compatibility + +This module requires the {plugins}/ingest-geoip.html[ingest-geoip] +Elasticsearch plugin. + +include::../include/running-modules.asciidoc[] + +[float] +=== Example dashboard + +This module comes with a sample dashboard: + +[role="screenshot"] +image::./images/kibana-cisco-asa.png[] + +include::../include/configuring-intro.asciidoc[] + +The module is by default configured to run via syslog on port 9001. However +it can also be configured to read from a file path. See the following example. + +["source","yaml",subs="attributes"] +----- +- module: cisco + asa: + enabled: true + var.paths: ["/var/log/cisco-asa.log"] + var.input: "file" +----- + +:fileset_ex: asa + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `asa` fileset settings + +Example config: + +[source,yaml] +---- + asa: + var.log_level: 5 +---- + +include::../include/var-paths.asciidoc[] + +*`var.log_level`*:: + +An integer between 1 and 7 that allows to filter messages based on the +severity level. The different severity levels supported by the Cisco ASA are: + +[width="30%",cols="^1,2",options="header"] +|=========================== +| log_level | severity +| 1 | Alert +| 2 | Critical +| 3 | Error +| 4 | Warning +| 5 | Notification +| 6 | Informational +| 7 | Debugging +|=========================== + +A value of 7 (default) will not filter any messages. A lower value will drop +any messages with a severity level higher than the specified value. 
For +example, `var.log_level: 3` will allow messages of level 1 (Alert), 2 (Critical) +and 3 (Error). All other messages will be dropped. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: diff --git a/x-pack/filebeat/module/cisco/_meta/fields.yml b/x-pack/filebeat/module/cisco/_meta/fields.yml new file mode 100644 index 000000000000..8209de0cd6f6 --- /dev/null +++ b/x-pack/filebeat/module/cisco/_meta/fields.yml @@ -0,0 +1,10 @@ +- key: cisco + title: Cisco + description: > + Module for handling Cisco network device logs. + fields: + - name: cisco + type: group + description: > + Fields from Cisco logs. + fields: diff --git a/x-pack/filebeat/module/cisco/_meta/images/kibana-cisco-asa.png b/x-pack/filebeat/module/cisco/_meta/images/kibana-cisco-asa.png new file mode 100644 index 000000000000..ad51be22046c Binary files /dev/null and b/x-pack/filebeat/module/cisco/_meta/images/kibana-cisco-asa.png differ diff --git a/x-pack/filebeat/module/cisco/_meta/kibana/7/dashboard/Filebeat-Cisco-ASA.json b/x-pack/filebeat/module/cisco/_meta/kibana/7/dashboard/Filebeat-Cisco-ASA.json new file mode 100644 index 000000000000..beb78cc1f50a --- /dev/null +++ b/x-pack/filebeat/module/cisco/_meta/kibana/7/dashboard/Filebeat-Cisco-ASA.json 
@@ -0,0 +1,1045 @@ +{ + "objects": [ + { + "attributes": { + "description": "Sample dashboard for Cisco ASA Firewall devices", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "vis": { + "legendOpen": false + } + }, + "gridData": { + "h": 15, + "i": "1", + "w": 12, + "x": 12, + "y": 15 + }, + "panelIndex": "1", + "panelRefName": "panel_0", + "title": "Destination Port and Transport", + "version": "7.0.0-SNAPSHOT" + }, + { + "embeddableConfig": { + "vis": { + "legendOpen": false + } + }, + "gridData": { + "h": 15, + "i": "2", + "w": 12, + "x": 0, + "y": 15 + }, + "panelIndex": "2", + "panelRefName": "panel_1", + "title": "Source Port and Transport", + "version": "7.0.0-SNAPSHOT" + }, + { + "embeddableConfig": { + "vis": { + "legendOpen": false + } + }, + "gridData": { + "h": 15, + "i": "3", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "3", + "panelRefName": "panel_2", + "title": "ASA Firewall Events Over Time", + "version": "7.0.0-SNAPSHOT" + }, + { + "embeddableConfig": { + "vis": { + "legendOpen": false + } + }, + "gridData": { + "h": 15, + "i": "4", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "4", + "panelRefName": "panel_3", + "title": "ASA Flows by Network Bytes", + "version": "7.0.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 15, + "i": "5", + "w": 12, + "x": 24, + "y": 15 + }, + "panelIndex": "5", + "panelRefName": "panel_4", + "title": "Blocked by Source", + "version": "7.0.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 15, + "i": "8", + "w": 12, + "x": 36, + "y": 15 + }, + "panelIndex": "8", + "panelRefName": "panel_5", + "title": "Top ACL by Blocked", + "version": "7.0.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 12, + "i": "9", + "w": 48, + "x": 0, + "y": 30 
+ }, + "panelIndex": "9", + "panelRefName": "panel_6", + "version": "7.0.0-SNAPSHOT" + } + ], + "timeRestore": false, + "title": " [Filebeat Cisco] ASA Firewall", + "version": 1 + }, + "id": "a555b160-4987-11e9-b8ce-ed898b5ef295", + "migrationVersion": { + "dashboard": "7.0.0" + }, + "references": [ + { + "id": "118da960-4987-11e9-b8ce-ed898b5ef295", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "5d0322d0-4987-11e9-b8ce-ed898b5ef295", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "a3b5ab10-4989-11e9-b8ce-ed898b5ef295", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "80d0c1b0-498a-11e9-b8ce-ed898b5ef295", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "d05cdf60-498b-11e9-b8ce-ed898b5ef295", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "08ef4d90-499b-11e9-b8ce-ed898b5ef295", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "fd89b1e0-49a2-11e9-b8ce-ed898b5ef295", + "name": "panel_6", + "type": "visualization" + } + ], + "type": "dashboard", + "updated_at": "2019-03-18T18:39:06.844Z", + "version": "WzI2MiwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Destination Port and Transport [Filebeat Cisco]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "network.transport", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "destination.port", + "missingBucket": false, + "missingBucketLabel": 
"Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Destination Port and Transport [Filebeat Cisco]", + "type": "pie" + } + }, + "id": "118da960-4987-11e9-b8ce-ed898b5ef295", + "migrationVersion": { + "visualization": "7.0.0" + }, + "references": [ + { + "id": "753406e0-4986-11e9-b8ce-ed898b5ef295", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-03-18T14:07:22.932Z", + "version": "WzI0NiwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Source Port and Transport [Filebeat Cisco]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "network.transport", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "source.port", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, 
+ "legendPosition": "right", + "type": "pie" + }, + "title": "Source Port and Transport [Filebeat Cisco]", + "type": "pie" + } + }, + "id": "5d0322d0-4987-11e9-b8ce-ed898b5ef295", + "migrationVersion": { + "visualization": "7.0.0" + }, + "references": [ + { + "id": "753406e0-4986-11e9-b8ce-ed898b5ef295", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-03-18T14:08:54.141Z", + "version": "WzI0NywxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "ASA Events Over Time [Filebeat Cisco]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "event.outcome", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "group", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customInterval": "2h", + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "timeRange": { + "from": "now-15y", + "to": "now+1y" + }, + "time_zone": "Europe/Madrid", + "useNormalizedEsInterval": true + }, + "schema": "segment", + "type": "date_histogram" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "grid": { + "categoryLines": false + }, + "legendPosition": "right", + "seriesParams": [ + { + "data": { + 
"id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "mode": "stacked", + "show": "true", + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "times": [], + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "ASA Events Over Time [Filebeat Cisco]", + "type": "histogram" + } + }, + "id": "a3b5ab10-4989-11e9-b8ce-ed898b5ef295", + "migrationVersion": { + "visualization": "7.0.0" + }, + "references": [ + { + "id": "96c6ff60-4986-11e9-b8ce-ed898b5ef295", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-03-18T14:27:16.950Z", + "version": "WzI1MSwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "ASA Flows by Network Bytes [Filebeat Cisco]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "2", + "params": { + "customInterval": "2h", + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "timeRange": { + "from": "now-15y", + "to": "now+1y" + }, + "time_zone": "Europe/Madrid", + "useNormalizedEsInterval": true + }, + "schema": "segment", + "type": "date_histogram" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Total bytes", + "field": "network.bytes" + }, + "schema": "metric", + "type": "sum" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + 
"show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "grid": { + "categoryLines": false + }, + "legendPosition": "right", + "seriesParams": [ + { + "data": { + "id": "3", + "label": "Total bytes" + }, + "drawLinesBetweenPoints": true, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "times": [], + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Total bytes" + }, + "type": "value" + } + ] + }, + "title": "ASA Flows by Network Bytes [Filebeat Cisco]", + "type": "histogram" + } + }, + "id": "80d0c1b0-498a-11e9-b8ce-ed898b5ef295", + "migrationVersion": { + "visualization": "7.0.0" + }, + "references": [ + { + "id": "753406e0-4986-11e9-b8ce-ed898b5ef295", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-03-18T14:31:22.699Z", + "version": "WzI1MiwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "ASA Firewall Blocked by Source [Filebeat Cisco]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "source.ip", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + 
"otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "ASA Firewall Blocked by Source [Filebeat Cisco]", + "type": "table" + } + }, + "id": "d05cdf60-498b-11e9-b8ce-ed898b5ef295", + "migrationVersion": { + "visualization": "7.0.0" + }, + "references": [ + { + "id": "96c6ff60-4986-11e9-b8ce-ed898b5ef295", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-03-18T14:42:05.159Z", + "version": "WzI1NCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "event.outcome:\"deny\"" + } + } + }, + "savedSearchRefName": "search_0", + "title": "ASA Top ACL by Blocked [Filebeat Cisco]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "ACL ID", + "field": "cisco.asa.list_id", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "ASA Top ACL by Blocked [Filebeat Cisco]", + "type": "table" + } + }, + "id": "08ef4d90-499b-11e9-b8ce-ed898b5ef295", + "migrationVersion": { + 
"visualization": "7.0.0" + }, + "references": [ + { + "id": "96c6ff60-4986-11e9-b8ce-ed898b5ef295", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-03-18T16:29:43.017Z", + "version": "WzI1NywxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Top ASA Messages [Filebeat Cisco]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": 1, + "direction": "desc" + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "ID", + "field": "cisco.asa.message_id", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "_key", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 15 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "4", + "params": { + "aggregate": "concat", + "customLabel": "Severity", + "field": "log.level", + "size": 1, + "sortField": "@timestamp", + "sortOrder": "desc" + }, + "schema": "metric", + "type": "top_hits" + }, + { + "enabled": true, + "id": "1", + "params": { + "aggregate": "concat", + "customLabel": "Sample message", + "field": "log.original", + "size": 1, + "sortField": "@timestamp", + "sortOrder": "desc" + }, + "schema": "metric", + "type": "top_hits" + } + ], + "params": { + "perPage": 10, + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": true, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Top ASA Messages [Filebeat Cisco]", + "type": "table" + } + }, + "id": "fd89b1e0-49a2-11e9-b8ce-ed898b5ef295", + "migrationVersion": { + "visualization": "7.0.0" + }, + "references": [ + 
{ + "id": "14fce5e0-498f-11e9-b8ce-ed898b5ef295", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-03-18T17:26:39.870Z", + "version": "WzI1OSwxXQ==" + }, + { + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "cisco.asa.message_id:* and event.action:\"flow-expiration\"" + }, + "version": true + } + }, + "sort": [ + "@timestamp", + "desc" + ], + "title": "ASA Firewall flows [Filebeat Cisco]", + "version": 1 + }, + "id": "753406e0-4986-11e9-b8ce-ed898b5ef295", + "migrationVersion": { + "search": "7.0.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2019-03-18T14:02:44.176Z", + "version": "WzI0MywxXQ==" + }, + { + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "cisco.asa.message_id:* and event.action:\"firewall-rule\"" + }, + "version": true + } + }, + "sort": [ + "@timestamp", + "desc" + ], + "title": "ASA Firewall Events [Filebeat Cisco]", + "version": 1 + }, + "id": "96c6ff60-4986-11e9-b8ce-ed898b5ef295", + "migrationVersion": { + "search": "7.0.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2019-03-18T14:03:21.558Z", + "version": "WzI0NCwxXQ==" + }, + { + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + 
"searchSourceJSON": { + "filter": [], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "cisco.asa.message_id :*" + }, + "version": true + } + }, + "sort": [ + "@timestamp", + "desc" + ], + "title": "All ASA Logs [Filebeat Cisco]", + "version": 1 + }, + "id": "14fce5e0-498f-11e9-b8ce-ed898b5ef295", + "migrationVersion": { + "search": "7.0.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2019-03-18T15:04:09.277Z", + "version": "WzI1NiwxXQ==" + } + ], + "version": "7.0.0-SNAPSHOT" +} diff --git a/x-pack/filebeat/module/cisco/asa/_meta/fields.yml b/x-pack/filebeat/module/cisco/asa/_meta/fields.yml new file mode 100644 index 000000000000..4c1f51000072 --- /dev/null +++ b/x-pack/filebeat/module/cisco/asa/_meta/fields.yml 
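Review bot: The `ASA Firewall Blocked by Source [Filebeat Cisco]` visualization (id d05cdf60-498b-11e9-b8ce-ed898b5ef295) has an empty `query` and is backed by the `ASA Firewall Events` saved search, whose query is `cisco.asa.message_id:* and event.action:"firewall-rule"` with no outcome filter, so the table counts permitted connections as well as denied ones despite its title. The sibling `ASA Top ACL by Blocked` panel narrows itself with `"query": "event.outcome:\"deny\""` in its own searchSourceJSON; the same line belongs in the Blocked by Source visualization (or the filter should move into the saved search both panels use), otherwise an analyst reading the dashboard will see top talkers, not top blocked sources. Separately, both `date_histogram` aggregations carry `"time_zone": "Europe/Madrid"` from the exporting browser; dropping that key lets Kibana bucket by the viewer's timezone.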
@@ -0,0 +1,87 @@
+- name: asa
+ type: group
+ description: >
+ Fields for Cisco ASA Firewall.
+ fields:
+ - name: message_id
+ type: keyword
+ description: >
+ The Cisco ASA message identifier.
+
+ - name: suffix
+ type: keyword
+ example: session
+ description: >
+ Optional suffix after %ASA identifier.
+
+ - name: source_interface
+ type: keyword
+ description: >
+ Source interface for the flow or event.
+
+ - name: destination_interface
+ type: keyword
+ description: >
+ Destination interface for the flow or event.
+
+ - name: list_id
+ type: keyword
+ description: >
+ Name of the Access Control List that matched this event.
+
+ - name: source_username
+ type: keyword
+ description: >
+ Name of the user that is the source for this event.
+
+ - name: destination_username
+ type: keyword
+ description: >
+ Name of the user that is the destination for this event.
+
+ - name: mapped_source_ip
+ type: ip
+ description: >
+ The translated source IP address.
+
+ - name: mapped_source_port
+ type: long
+ description: >
+ The translated source port.
+
+ - name: mapped_destination_ip
+ type: ip
+ description: >
+ The translated destination IP address.
+
+ - name: mapped_destination_port
+ type: long
+ description: >
+ The translated destination port.
+
+ - name: threat_level
+ type: keyword
+ description: >
+ Threat level for malware / botnet traffic. One of very-low, low,
+ moderate, high or very-high.
+
+ - name: threat_category
+ type: keyword
+ description: >
+ Category for the malware / botnet traffic. For example: virus, botnet,
+ trojan, etc.
+
+ - name: connection_id
+ type: keyword
+ description: >
+ Unique identifier for a flow.
+
+ - name: icmp_type
+ type: short
+ description: >
+ ICMP type.
+
+ - name: icmp_code
+ type: short
+ description: >
+ ICMP code.
diff --git a/x-pack/filebeat/module/cisco/asa/config/input.yml b/x-pack/filebeat/module/cisco/asa/config/input.yml
new file mode 100644
index 000000000000..18098200fc3e
--- /dev/null
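Review bot: No `username` field is declared here, yet the pipeline's dissect patterns for message IDs 106102 and 106103 write to `cisco.asa.username`, so for those events the value would be indexed outside the module's declared mapping while the `source_username`/`destination_username` entries declared here stay empty. Either add `- name: username` with `type: keyword` and a one-line description to this list, or change those two patterns to `%{cisco.asa.source_username}`, which is the name the flow-teardown grok already uses for the same concept. The fields.yml hunk is complete in this chunk; the pipeline hunk that references the field follows it.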
+++ b/x-pack/filebeat/module/cisco/asa/config/input.yml
@@ -0,0 +1,23 @@
+{{ if eq .input "syslog" }}
+
+type: syslog
+protocol.udp:
+ host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ else if eq .input "file" }}
+
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+
+{{ end }}
+
+tags: {{.tags}}
+
+processors:
+{{ if .convert_timezone }}
+ - add_locale: ~
+{{ end }}
diff --git a/x-pack/filebeat/module/cisco/asa/ingest/pipeline.yml b/x-pack/filebeat/module/cisco/asa/ingest/pipeline.yml
new file mode 100644
index 000000000000..ca86ed594a84
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/asa/ingest/pipeline.yml
@@ -0,0 +1,472 @@
+description: "Pipeline for Cisco ASA"
+processors:
+
+ - grok:
+ field: message
+ patterns:
+ - "(:?%{ASA_DATE:_temp_.raw_date})?%{ASA_PREFIX}-(:?%{ASA_SUFFIX:cisco.asa.suffix}-)?%{POSINT:event.severity:int}-%{POSINT:cisco.asa.message_id}:?\\s*%{GREEDYDATA:log.original}"
+ pattern_definitions:
+ ASA_PREFIX: "%{DATA}%ASA"
+ ASA_SUFFIX: "[^0-9-]+"
+ ASA_DATE: "(:?%{DAY} )?%{MONTH} *%{MONTHDAY}(:? %{YEAR})? %{TIME}(:? %{TZ})?"
+
+#
+# Drop messages above configured log_level
+#
+ - drop:
+ if: "ctx.event.severity > {< .log_level >}"
+
+#
+# Parse the date included in ASA logs
+#
+ - date:
+ field: "_temp_.raw_date"
+ ignore_failure: true
+ {< if .convert_timezone >}
+ timezone: "{{ event.timezone }}"
+ {< end >}
+ formats:
+ - "MMM d HH:mm:ss"
+ - "MMM dd HH:mm:ss"
+ - "EEE MMM d HH:mm:ss"
+ - "EEE MMM dd HH:mm:ss"
+ - "MMM d HH:mm:ss z"
+ - "MMM dd HH:mm:ss z"
+ - "EEE MMM d HH:mm:ss z"
+ - "EEE MMM dd HH:mm:ss z"
+ - "MMM d yyyy HH:mm:ss"
+ - "MMM dd yyyy HH:mm:ss"
+ - "EEE MMM d yyyy HH:mm:ss"
+ - "EEE MMM dd yyyy HH:mm:ss"
+ - "MMM d yyyy HH:mm:ss z"
+ - "MMM dd yyyy HH:mm:ss z"
+ - "EEE MMM d yyyy HH:mm:ss z"
+ - "EEE MMM dd yyyy HH:mm:ss z"
+
+#
+# Set log.level
+#
+ - set:
+ field: "log.level"
+ if: "ctx.event.severity == 1"
+ value: alert
+ - set:
+ field: "log.level"
+ if: "ctx.event.severity == 2"
+ value: critical
+ - set:
+ field: "log.level"
+ if: "ctx.event.severity == 3"
+ value: error
+ - set:
+ field: "log.level"
+ if: "ctx.event.severity == 4"
+ value: warning
+ - set:
+ field: "log.level"
+ if: "ctx.event.severity == 5"
+ value: notification
+ - set:
+ field: "log.level"
+ if: "ctx.event.severity == 6"
+ value: informational
+ - set:
+ field: "log.level"
+ if: "ctx.event.severity == 7"
+ value: debug
+
+#
+# Firewall messages
+#
+ - set:
+ field: "event.action"
+ value: "firewall-rule"
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '106001'"
+ field: "log.original"
+ pattern: "%{network.direction} %{network.transport} connection %{event.outcome} from %{source.ip}/%{source.port} to %{destination.ip}/%{destination.port} flags %{} on interface %{cisco.asa.source_interface}"
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '106002'"
+ field: "log.original"
+ pattern: "%{network.transport} Connection %{event.outcome} by %{network.direction} list %{cisco.asa.list_id} src %{source.ip} dest %{destination.ip}"
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '106006'"
+ field: "log.original"
+ pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.ip}/%{source.port} to %{destination.ip}/%{destination.port} on interface %{cisco.asa.source_interface}"
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '106007'"
+ field: "log.original"
+ pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.ip}/%{source.port} to %{destination.ip}/%{destination.port} due to %{network.protocol} %{}"
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '106010'"
+ field: "log.original"
+ pattern: "%{event.outcome} %{network.direction} %{network.transport} src %{cisco.asa.source_interface}:%{source.ip}/%{source.port} %{} dst %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} %{}"
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '106013'"
+ field: "log.original"
+ pattern: "Dropping echo request from %{source.ip} to PAT address %{destination.ip}"
+ - set:
+ if: "ctx.cisco.asa.message_id == '106013'"
+ field: "network.transport"
+ value: icmp
+ - set:
+ if: "ctx.cisco.asa.message_id == '106013'"
+ field: "network.direction"
+ value: inbound
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '106014'"
+ field: "log.original"
+ pattern: "%{event.outcome} %{network.direction} %{network.transport} src %{cisco.asa.source_interface}:%{source.ip} %{}dst %{cisco.asa.destination_interface}:%{destination.ip} %{}"
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '106015'"
+ field: "log.original"
+ pattern: "%{event.outcome} %{network.transport} (no connection) from %{source.ip}/%{source.port} to %{destination.ip}/%{destination.port} flags %{} on interface %{cisco.asa.source_interface}"
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '106016'"
+ field: "log.original"
+ pattern: "%{event.outcome} IP spoof from (%{source.ip}) to %{destination.ip} on interface %{cisco.asa.source_interface}"
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '106017'"
+ field: "log.original"
+ pattern: "%{event.outcome} IP due to Land Attack from %{source.ip} to %{destination.ip}"
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '106018'"
+ field: "log.original"
+ pattern: "%{network.transport} packet type %{cisco.asa.icmp_type} %{event.outcome} by %{network.direction} list %{cisco.asa.list_id} src %{source.ip} dest %{destination.ip}"
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '106020'"
+ field: "log.original"
+ pattern: "%{event.outcome} IP teardrop fragment (size = %{}, offset = %{}) from %{source.ip} to %{destination.ip}"
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '106021'"
+ field: "log.original"
+ pattern: "%{event.outcome} %{network.transport} reverse path check from %{source.ip} to %{destination.ip} on interface %{cisco.asa.source_interface}"
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '106022'"
+ field: "log.original"
+ pattern: "%{event.outcome} %{network.transport} connection spoof from %{source.ip} to %{destination.ip} on interface %{cisco.asa.source_interface}"
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '106023'"
+ field: "log.original"
+ pattern: "%{event.outcome} %{network.transport} src %{cisco.asa.source_interface}:%{source.ip}/%{source.port} dst %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} %{} access%{}group \"%{cisco.asa.list_id}\"%{}"
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '106027'"
+ field: "log.original"
+ pattern: "%{} %{event.outcome} src %{source.ip} dst %{destination.ip} by access-group \"%{cisco.asa.list_id}\""
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '106100'"
+ field: "log.original"
+ pattern: "access-list %{cisco.asa.list_id} %{event.outcome} %{network.transport} %{cisco.asa.source_interface}/%{source.ip}(%{source.port}) -> %{cisco.asa.destination_interface}/%{destination.ip}(%{destination.port}) %{}"
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '106102'"
+ field: "log.original"
+ pattern: "access-list %{cisco.asa.list_id} %{event.outcome} %{network.transport} for user %{cisco.asa.username} %{cisco.asa.source_interface}/%{source.ip} %{source.port} %{cisco.asa.destination_interface}/%{destination.ip} %{destination.port} %{}"
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '106103'"
+ field: "log.original"
+ pattern: "access-list %{cisco.asa.list_id} %{event.outcome} %{network.transport} for user %{cisco.asa.username} %{cisco.asa.source_interface}/%{source.ip} %{source.port} %{cisco.asa.destination_interface}/%{destination.ip} %{destination.port} %{}"
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '304001'"
+ field: "log.original"
+ pattern: "%{source.ip} %{}ccessed URL %{destination.ip}:%{url.original}"
+ - set:
+ if: "ctx.cisco.asa.message_id == '304001'"
+ field: "event.outcome"
+ value: allow
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '304002'"
+ field: "log.original"
+ pattern: "Access %{event.outcome} URL %{url.original} SRC %{source.ip} %{}EST %{destination.ip} on interface %{cisco.asa.source_interface}"
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '313001'"
+ field: "log.original"
+ pattern: "%{event.outcome} %{network.transport} type=%{cisco.asa.icmp_type}, code=%{cisco.asa.icmp_code} from %{source.ip} on interface %{cisco.asa.source_interface}"
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '313004'"
+ field: "log.original"
+ pattern: "%{event.outcome} %{network.transport} type=%{cisco.asa.icmp_type}, from%{}addr %{source.ip} on interface %{cisco.asa.source_interface} to %{destination.ip}: no matching session"
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '313005'"
+ field: "log.original"
+ pattern: "No matching connection for %{network.transport} error message: %{} on %{cisco.asa.source_interface} interface.%{}riginal IP payload: %{}"
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '313008'"
+ field: "log.original"
+ pattern: "%{event.outcome} %{network.transport} type=%{cisco.asa.icmp_type} , code=%{cisco.asa.icmp_code} from %{source.ip} on interface %{cisco.asa.source_interface}"
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '313009'"
+ field: "log.original"
+ pattern: "%{event.outcome} invalid %{network.transport} code %{cisco.asa.icmp_code} , for %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}"
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '322001'"
+ field: "log.original"
+ pattern: "%{event.outcome} MAC address %{source.mac}, possible spoof attempt on interface %{cisco.asa.source_interface}"
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '338001'"
+ field: "log.original"
+ pattern: "Dynamic filter %{event.outcome} black%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}source %{} resolved from %{cisco.asa.list_id} list: %{source.domain}, threat-level: %{cisco.asa.threat_level}, category: %{cisco.asa.threat_category}"
+ - set:
+ if: "ctx.cisco.asa.message_id == '338001'"
+ field: "server.domain"
+ value: "{{source.domain}}"
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '338002'"
+ field: "log.original"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}destination %{} resolved from %{cisco.asa.list_id} list: %{destination.domain}"
+ - set:
+ if: "ctx.cisco.asa.message_id == '338002'"
+ field: "server.domain"
+ value: "{{destination.domain}}"
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '338003'"
+ field: "log.original"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}source %{} resolved from %{cisco.asa.list_id} list: %{}, threat-level: %{cisco.asa.threat_level}, category: %{cisco.asa.threat_category}"
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '338004'"
+ field: "log.original"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}destination %{} resolved from %{cisco.asa.list_id} list: %{}, threat-level: %{cisco.asa.threat_level}, category: %{cisco.asa.threat_category}"
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '338005'"
+ field: "log.original"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}source %{} resolved from %{cisco.asa.list_id} list: %{source.domain}, threat-level: %{cisco.asa.threat_level}, category: %{cisco.asa.threat_category}"
+ - set:
+ if: "ctx.cisco.asa.message_id == '338005'"
+ field: "server.domain"
+ value: "{{source.domain}}"
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '338006'"
+ field: "log.original"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}destination %{} resolved from %{cisco.asa.list_id} list: %{destination.domain}, threat-level: %{cisco.asa.threat_level}, category: %{cisco.asa.threat_category}"
+ - set:
+ if: "ctx.cisco.asa.message_id == '338006'"
+ field: "server.domain"
+ value: "{{destination.domain}}"
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '338007'"
+ field: "log.original"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}source %{} resolved from %{cisco.asa.list_id} list: %{}, threat-level: %{cisco.asa.threat_level}, category: %{cisco.asa.threat_category}"
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '338008'"
+ field: "log.original"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}destination %{} resolved from %{cisco.asa.list_id} list: %{}, threat-level: %{cisco.asa.threat_level}, category: %{cisco.asa.threat_category}"
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '338101'"
+ field: "log.original"
+ pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}source %{} resolved from %{cisco.asa.list_id} list: %{source.domain}"
+ - set:
+ if: "ctx.cisco.asa.message_id == '338101'"
+ field: "server.domain"
+ value: "{{source.domain}}"
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '338102'"
+ field: "log.original"
+ pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}destination %{} resolved from %{cisco.asa.list_id} list: %{destination.domain}"
+ - set:
+ if: "ctx.cisco.asa.message_id == '338102'"
+ field: "server.domain"
+ value: "{{destination.domain}}"
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '338103'"
+ field: "log.original"
+ pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}source %{} resolved from %{cisco.asa.list_id} list: %{}"
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '338104'"
+ field: "log.original"
+ pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}destination %{} resolved from %{cisco.asa.list_id} list: %{}"
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '338201'"
+ field: "log.original"
+ pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}source %{} resolved from %{cisco.asa.list_id} list: %{source.domain}, threat-level: %{cisco.asa.threat_level}, category: %{cisco.asa.threat_category}"
+ - set:
+ if: "ctx.cisco.asa.message_id == '338201'"
+ field: "server.domain"
+ value: "{{source.domain}}"
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '338202'"
+ field: "log.original"
+ pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}destination %{} resolved from %{cisco.asa.list_id} list: %{destination.domain}, threat-level: %{cisco.asa.threat_level}, category: %{cisco.asa.threat_category}"
+ - set:
+ if: "ctx.cisco.asa.message_id == '338202'"
+ field: "server.domain"
+ value: "{{destination.domain}}"
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '338203'"
+ field: "log.original"
+ pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}source %{} resolved from %{cisco.asa.list_id} list: %{source.domain}, threat-level: %{cisco.asa.threat_level}, category: %{cisco.asa.threat_category}"
+ - set:
+ if: "ctx.cisco.asa.message_id == '338203'"
+ field: "server.domain"
+ value: "{{source.domain}}"
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '338204'"
+ field: "log.original"
+ pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}destination %{} resolved from %{cisco.asa.list_id} list: %{destination.domain}, threat-level: %{cisco.asa.threat_level}, category: %{cisco.asa.threat_category}"
+ - set:
+ if: "ctx.cisco.asa.message_id == '338204'"
+ field: "server.domain"
+ value: "{{destination.domain}}"
+ - dissect:
+ if: "ctx.cisco.asa.message_id == '338301'"
+ field: "log.original"
+ pattern: "Intercepted DNS reply for domain %{source.domain} from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port}, matched %{cisco.asa.list_id}"
+ - set:
+ if: "ctx.cisco.asa.message_id == '338301'"
+ field: "client.ip"
+ value: "{{destination.ip}}"
+ - set:
+ if: "ctx.cisco.asa.message_id == '338301'"
+ field: "client.port"
+ value: "{{destination.port}}"
+ - set:
+ if: "ctx.cisco.asa.message_id == '338301'"
+ field: "server.ip"
+ value: "{{source.ip}}"
+ - set:
+ if: "ctx.cisco.asa.message_id == '338301'"
+ field: "server.port"
+ value: "{{source.port}}"
+
+#
+# Handle 302xxx messages (Flow expiration a.k.a "Teardown")
+#
+ - set:
+ if: "[\"302014\", \"302016\", \"302018\", \"302021\", \"302036\", \"302304\", \"302306\"].contains(ctx.cisco.asa.message_id)"
+ field: "event.action"
+ value: "flow-expiration"
+ - grok:
+ field: "log.original"
+ if: "[\"302014\", \"302016\", \"302018\", \"302021\", \"302036\", \"302304\", \"302306\"].contains(ctx.cisco.asa.message_id)"
+ patterns:
+ - "Teardown %{NOTSPACE:network.transport} (:?state-bypass )?connection %{NOTSPACE:cisco.asa.connection_id} (:?for|from) %{NOTCOLON:cisco.asa.source_interface}:%{IP:source.ip}/%{NUMBER:source.port:int} (:?%{NOTSPACE:cisco.asa.source_username} )?to %{NOTCOLON:cisco.asa.destination_interface}:%{IP:destination.ip}/%{NUMBER:destination.port:int} (:?%{NOTSPACE:cisco.asa.destination_username} )?(:?duration %{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes:int})%{GREEDYDATA}"
+ - "Teardown %{NOTSPACE:network.transport} connection for faddr (:?%{NOTCOLON:cisco.asa.source_interface}:)?%{IP:source.ip}/%{NUMBER:source.port:int} (:?%{NOTSPACE:cisco.asa.source_username} )?gaddr (:?%{NOTCOLON}:)?%{IP}/%{NUMBER} laddr (:?%{NOTCOLON:cisco.asa.destination_interface}:)?%{IP:destination.ip}/%{NUMBER:destination.port:int}(:? %{NOTSPACE:cisco.asa.destination_username})?%{GREEDYDATA}"
+ pattern_definitions:
+ NOTCOLON: "[^:]*"
+
+#
+# Process the flow duration "hh:mm:ss" present in some messages
+# This will fill event.start, event.end and event.duration
+#
+ - script:
+ lang: painless
+ if: "ctx?._temp_?.duration_hms != null"
+ source: >
+ long parse_hms(String s) {
+ long cur = 0, total = 0;
+ for (char c: s.toCharArray()) {
+ if (c >= (char)'0' && c <= (char)'9') {
+ cur = (cur*10) + (long)c - (char)'0';
+ } else if (c == (char)':') {
+ total = (total + cur) * 60;
+ cur = 0;
+ } else {
+ return 0;
+ }
+ }
+ return total + cur;
+ }
+ if (ctx?.event == null) {
+ ctx['event'] = new HashMap();
+ }
+ String end = ctx['@timestamp'];
+ ctx.event['end'] = end;
+ long nanos = parse_hms(ctx._temp_.duration_hms) * 1000000000L;
+ ctx.event['duration'] = nanos;
+ ctx.event['start'] = ZonedDateTime.ofInstant(
+ Instant.parse(end).minusNanos(nanos),
+ ZoneOffset.UTC);
+
+#
+# Normalize protocol names
+#
+ - lowercase:
+ field: "network.transport"
+ ignore_missing: true
+ - lowercase:
+ field: "network.protocol"
+ ignore_missing: true
+
+#
+# Normalize event.outcome
+#
+ - lowercase:
+ field: "event.outcome"
+ ignore_missing: true
+ - set:
+ field: "event.outcome"
+ if: "ctx.event?.outcome == \"est-allowed\""
+ value: allow
+ - set:
+ field: "event.outcome"
+ if: "ctx.event?.outcome == \"permitted\""
+ value: allow
+ - set:
+ field: "event.outcome"
+ if: "ctx.event?.outcome == \"denied\""
+ value: deny
+ - set:
+ field: "event.outcome"
+ if: "ctx.event?.outcome == \"dropped\""
+ value: deny
+
+ - set:
+ field: "network.transport"
+ if: "ctx.network?.transport == \"icmpv6\""
+ value: "ipv6-icmp"
+
+#
+# Convert integer fields, as output of dissect processor is always a string
+#
+ - convert:
+ field: "source.port"
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: "destination.port"
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: "cisco.asa.mapped_source_port"
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: "cisco.asa.mapped_destination_port"
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: "cisco.asa.icmp_code"
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: "cisco.asa.icmp_type"
+ type: integer
+ ignore_failure: true
+
+#
+# Geolocation for source and destination addresses
+#
+ - geoip:
+ field: "source.ip"
+ target_field: "source.geo"
+ ignore_missing: true
+ - geoip:
+ field: "destination.ip"
+ target_field: "destination.geo"
+ ignore_missing: true
+
+#
+# Remove temporary fields
+#
+ - remove:
+ field:
+ - message
+ - _temp_
+ ignore_missing: true
+
+on_failure:
+ - set:
+ field: "error.message"
+ value: "{{ _ingest.on_failure_message }}"
+ - remove:
+ field:
+ - _temp_
+ ignore_missing: true
diff --git a/x-pack/filebeat/module/cisco/asa/manifest.yml b/x-pack/filebeat/module/cisco/asa/manifest.yml
new file mode 100644
index 000000000000..b92607f91688
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/asa/manifest.yml
@@ -0,0 +1,30 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ default:
+ - /var/log/cisco-asa.log
+ - name: tags
+ default: [cisco-asa]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9001
+ - name: input
+ default: syslog
+ - name: convert_timezone
+ default: false
+ - name: log_level
+ default: 7
+ # if ES < 6.1.0, this flag switches to false automatically when evaluating the
+ # pipeline
+ min_elasticsearch_version:
+ version: 6.1.0
+ value: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
diff --git a/x-pack/filebeat/module/cisco/asa/test/asa.log b/x-pack/filebeat/module/cisco/asa/test/asa.log
new file mode 100644
index 000000000000..9f0a0b8b5984
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/asa/test/asa.log
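Review bot: Every group meant to be non-capturing in the grok patterns is written `(:?` instead of `(?:` — in the first grok's pattern and its `ASA_DATE` definition at the top of the hunk, and in both Teardown patterns further down. As written, `(:?state-bypass )?` is a capturing group that matches an optional literal colon followed by `state-bypass `, which only behaves as intended because the trailing `?` makes the whole group optional, and `(:?for|from)` likewise accepts `:for`. Replace each `(:?` with `(?:` so the groups are genuinely non-capturing and stop silently tolerating a stray colon. Separately, the 338301 `set` steps copy `{{destination.port}}`/`{{source.port}}` into `client.port`/`server.port` as strings, and the convert block near the end only converts `source.port`, `destination.port` and the `cisco.asa.*` ports, so those two fields are left as strings unless the index mapping coerces them.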
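Review bot: The `min_elasticsearch_version` block with `value: false` follows `log_level` (default 7) rather than `convert_timezone`, yet its comment describes a flag that "switches to false". With the diff's whitespace collapsed here the nesting cannot be confirmed, but if the block is attached to `log_level`, an Elasticsearch below 6.1.0 would evaluate the pipeline's `drop` condition with `false` in place of a severity threshold. Move the two comment lines and the `min_elasticsearch_version` block under `convert_timezone`, which is the variable the pipeline actually guards with `{< if .convert_timezone >}`.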
@@ -0,0 +1,268 @@ +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:100.66.98.44/8256 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11757 for outside:100.66.205.104/80 (100.66.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11749 for outside:100.66.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11748 for outside:100.66.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11745 for outside:100.66.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11744 for outside:100.66.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11742 for outside:100.66.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11738 for outside:100.66.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11739 for outside:100.66.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11731 for outside:100.66.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11723 for 
outside:100.66.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11715 for outside:100.66.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11711 for outside:100.66.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11712 for outside:100.66.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11708 for outside:100.66.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11746 for outside:100.66.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11706 for outside:100.66.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11702 for outside:100.66.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11753 for outside:100.66.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1188 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11758 for outside:100.66.80.32/53 (100.66.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost 
CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11758 for outside:100.66.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11759 for outside:100.66.252.6/53 (100.66.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11759 for outside:100.66.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:100.66.98.44/8257 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11760 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:100.66.98.44/8258 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11761 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11762 for outside:100.66.238.126/53 (100.66.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11763 for outside:100.66.93.51/53 (100.66.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11762 for outside:100.66.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11763 for outside:100.66.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237 +Oct 10 2018 12:34:56 localhost 
CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:100.66.98.44/8259 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11764 for outside:100.66.225.103/443 (100.66.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1189 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11772 for outside:100.66.240.126/53 (100.66.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11773 for outside:100.66.44.45/53 (100.66.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11772 for outside:100.66.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11773 for outside:100.66.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:100.66.98.44/8265 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11774 for outside:100.66.179.219/80 (100.66.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11775 for outside:100.66.157.232/53 (100.66.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11776 for outside:100.66.178.133/53 (100.66.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost 
CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11775 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11776 for outside:100.66.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:100.66.98.44/8266 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11777 for outside:100.66.133.112/80 (100.66.133.112/80) to inside:172.31.98.44/1453 (172.31.98.44/1453) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11777 for outside:100.66.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11779 for outside:100.66.204.197/53 (100.66.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11778 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11779 for outside:100.66.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11780 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 
11781 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11782 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11783 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11783 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11784 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11785 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11786 for outside:100.66.1.107/53 (100.66.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11784 for outside:100.66.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from 
inside:172.31.98.44/1459 to outside:100.66.98.44/8272 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11787 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11786 for outside:100.66.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11788 for outside:100.66.192.44/80 (100.66.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:100.66.98.44/8277 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11797 for outside:100.66.19.254/80 (100.66.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271 duration 0:00:30 +Oct 10 2018 12:34:56 
localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11564 for outside:100.66.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11797 for outside:100.66.19.254/80 to inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:100.66.98.44/8278 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11798 for outside:100.66.115.46/80 (100.66.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst 
inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:100.66.98.44/8279 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11799 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1190 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11800 for outside:100.66.14.30/53 (100.66.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP 
connection 11800 for outside:100.66.14.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 373 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11801 for outside:100.66.252.210/53 (100.66.252.210/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11801 for outside:100.66.252.210/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 207 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1276 to outside:100.66.98.44/8280 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11802 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1276 (172.31.98.44/1276) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1277 to outside:100.66.98.44/8281 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11803 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1277 (172.31.98.44/1277) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11802 for outside:100.66.98.165/80 to inside:172.31.98.44/1276 duration 0:00:00 bytes 12853 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1278 to outside:100.66.98.44/8282 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11804 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1278 (172.31.98.44/1278) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11803 for outside:100.66.98.165/80 to inside:172.31.98.44/1277 duration 0:00:00 bytes 5291 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from 
inside:172.31.98.44/1279 to outside:100.66.98.44/8283 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11805 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1279 (172.31.98.44/1279) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11804 for outside:100.66.98.165/80 to inside:172.31.98.44/1278 duration 0:00:00 bytes 965 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11805 for outside:100.66.98.165/80 to inside:172.31.98.44/1279 duration 0:00:00 bytes 8605 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1280 to outside:100.66.98.44/8284 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11806 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1280 (172.31.98.44/1280) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11806 for outside:100.66.98.165/80 to inside:172.31.98.44/1280 duration 0:00:00 bytes 3428 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1281 to outside:100.66.98.44/8285 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11807 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1281 (172.31.98.44/1281) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1282 to outside:100.66.98.44/8286 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11808 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1282 (172.31.98.44/1282) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1283 to outside:100.66.98.44/8287 +Oct 10 
2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11809 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1283 (172.31.98.44/1283) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1284 to outside:100.66.98.44/8288 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11810 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1284 (172.31.98.44/1284) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11807 for outside:100.66.98.165/80 to inside:172.31.98.44/1281 duration 0:00:00 bytes 2028 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11808 for outside:100.66.98.165/80 to inside:172.31.98.44/1282 duration 0:00:00 bytes 1085 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11809 for outside:100.66.98.165/80 to inside:172.31.98.44/1283 duration 0:00:00 bytes 868 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1285 to outside:100.66.98.44/8289 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11811 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1285 (172.31.98.44/1285) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1286 to outside:100.66.98.44/8290 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11812 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1286 (172.31.98.44/1286) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11810 for outside:100.66.98.165/80 to inside:172.31.98.44/1284 duration 0:00:00 bytes 4439 TCP FINs +Oct 10 2018 12:34:56 localhost 
CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1287 to outside:100.66.98.44/8291 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11813 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1287 (172.31.98.44/1287) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11811 for outside:100.66.98.165/80 to inside:172.31.98.44/1285 duration 0:00:00 bytes 914 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11812 for outside:100.66.98.165/80 to inside:172.31.98.44/1286 duration 0:00:00 bytes 871 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11814 for outside:100.66.100.107/53 (100.66.100.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1288 to outside:100.66.98.44/8292 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11815 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1288 (172.31.98.44/1288) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11814 for outside:100.66.100.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 384 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11816 for outside:100.66.104.8/53 (100.66.104.8/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11816 for outside:100.66.104.8/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 94 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1289 to outside:100.66.98.44/8293 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built 
outbound TCP connection 11817 for outside:100.66.123.191/80 (100.66.123.191/80) to inside:172.31.98.44/1289 (172.31.98.44/1289) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11815 for outside:100.66.98.165/80 to inside:172.31.98.44/1288 duration 0:00:00 bytes 945 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11813 for outside:100.66.98.165/80 to inside:172.31.98.44/1287 duration 0:00:00 bytes 13284 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11818 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11818 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1290 to outside:100.66.98.44/8294 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11819 for outside:100.66.198.25/80 (100.66.198.25/80) to inside:172.31.98.44/1290 (172.31.98.44/1290) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 9828 for outside:100.66.48.1/67 to NP Identity Ifc:255.255.255.255/68 duration 0:58:46 bytes 58512 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1272 to outside:100.66.98.44/8276 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11820 for outside:100.66.3.39/53 (100.66.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11821 for outside:100.66.162.30/53 (100.66.162.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost 
CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11820 for outside:100.66.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 168 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11822 for outside:100.66.3.39/53 (100.66.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11821 for outside:100.66.162.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 198 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11822 for outside:100.66.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11823 for outside:100.66.48.186/53 (100.66.48.186/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11823 for outside:100.66.48.186/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 84 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1291 to outside:100.66.98.44/8295 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11824 for outside:100.66.54.190/80 (100.66.54.190/80) to inside:172.31.98.44/1291 (172.31.98.44/1291) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11825 for outside:100.66.254.94/53 (100.66.254.94/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11825 for outside:100.66.254.94/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 188 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1292 to outside:100.66.98.44/8296 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built 
outbound TCP connection 11826 for outside:100.66.54.190/80 (100.66.54.190/80) to inside:172.31.98.44/1292 (172.31.98.44/1292) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1293 to outside:100.66.98.44/8297 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11827 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1293 (172.31.98.44/1293) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1294 to outside:100.66.98.44/8298 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11828 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1294 (172.31.98.44/1294) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11827 for outside:100.66.98.165/80 to inside:172.31.98.44/1293 duration 0:00:00 bytes 5964 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1295 to outside:100.66.98.44/8299 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11829 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1295 (172.31.98.44/1295) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1296 to outside:100.66.98.44/8300 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11830 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1296 (172.31.98.44/1296) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11828 for outside:100.66.98.165/80 to inside:172.31.98.44/1294 duration 0:00:00 bytes 6694 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11829 for outside:100.66.98.165/80 
to inside:172.31.98.44/1295 duration 0:00:00 bytes 1493 TCP FINs
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11830 for outside:100.66.98.165/80 to inside:172.31.98.44/1296 duration 0:00:00 bytes 893 TCP FINs
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1297 to outside:100.66.98.44/8301
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11831 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1297 (172.31.98.44/1297)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1298 to outside:100.66.98.44/8302
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11832 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1298 (172.31.98.44/1298)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11833 for outside:100.66.179.9/53 (100.66.179.9/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11833 for outside:100.66.179.9/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11831 for outside:100.66.98.165/80 to inside:172.31.98.44/1297 duration 0:00:00 bytes 2750 TCP FINs
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1299 to outside:100.66.98.44/8303
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11834 for outside:100.66.247.99/80 (100.66.247.99/80) to inside:172.31.98.44/1299 (172.31.98.44/1299)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1300 to outside:100.66.98.44/8304
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11835 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1300 (172.31.98.44/1300)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11832 for outside:100.66.98.165/80 to inside:172.31.98.44/1298 duration 0:00:00 bytes 881 TCP FINs
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11835 for outside:100.66.98.165/80 to inside:172.31.98.44/1300 duration 0:00:00 bytes 2202 TCP FINs
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1301 to outside:100.66.98.44/8305
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11836 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1301 (172.31.98.44/1301)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1302 to outside:100.66.98.44/8306
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11837 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1302 (172.31.98.44/1302)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1276 to outside:100.66.98.44/8280 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1277 to outside:100.66.98.44/8281 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1278 to outside:100.66.98.44/8282 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1279 to outside:100.66.98.44/8283 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1280 to outside:100.66.98.44/8284 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1281 to outside:100.66.98.44/8285 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1282 to outside:100.66.98.44/8286 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1283 to outside:100.66.98.44/8287 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1284 to outside:100.66.98.44/8288 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1285 to outside:100.66.98.44/8289 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1286 to outside:100.66.98.44/8290 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1287 to outside:100.66.98.44/8291 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1288 to outside:100.66.98.44/8292 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1293 to outside:100.66.98.44/8297 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1294 to outside:100.66.98.44/8298 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1304 to outside:100.66.98.44/8308
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11840 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1304 (172.31.98.44/1304)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1295 to outside:100.66.98.44/8299 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1296 to outside:100.66.98.44/8300 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11841 for outside:100.66.0.124/53 (100.66.0.124/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11842 for outside:100.66.160.2/53 (100.66.160.2/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11841 for outside:100.66.0.124/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 318
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11842 for outside:100.66.160.2/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1305 to outside:100.66.98.44/8309
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11843 for outside:100.66.124.24/80 (100.66.124.24/80) to inside:172.31.98.44/1305 (172.31.98.44/1305)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1297 to outside:100.66.98.44/8301 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1298 to outside:100.66.98.44/8302 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1299 to outside:100.66.98.44/8303 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1300 to outside:100.66.98.44/8304 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1301 to outside:100.66.98.44/8305 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1302 to outside:100.66.98.44/8306 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1303 to outside:100.66.98.44/8307 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11843 for outside:100.66.124.24/80 to inside:172.31.98.44/1305 duration 0:00:04 bytes 410333 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1306 to outside:100.66.98.44/8310
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11844 for outside:100.66.124.24/80 (100.66.124.24/80) to inside:172.31.98.44/1306 (172.31.98.44/1306)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
diff --git a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json
new file mode 100644
index 000000000000..79e23f88b0b4
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json
@@ -0,0 +1,2315 @@
+[
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco.asa.message_id": "305011",
+ "ecs.version": "1.0.0",
+ "event.action": "firewall-rule",
+ "event.dataset": "cisco.asa",
+ "event.module": "cisco",
+ "event.severity": 6,
+ "fileset.name": "asa",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 0,
+ "log.original": "Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:100.66.98.44/8256",
+ "service.type": "cisco",
+ "tags": [
+ "cisco-asa"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco.asa.message_id": "302013",
+ "ecs.version": "1.0.0",
+ "event.action": "firewall-rule",
+ "event.dataset": "cisco.asa",
+ "event.module": "cisco",
+ "event.severity": 6,
+ "fileset.name": "asa",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 150,
+ "log.original": "Built outbound TCP connection 11757 for outside:100.66.205.104/80 (100.66.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)",
+ "service.type": "cisco",
+ "tags": [
+ "cisco-asa"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco.asa.connection_id": "11749",
+ "cisco.asa.destination_interface": "inside",
+ "cisco.asa.message_id": "302014",
+ "cisco.asa.source_interface": "outside",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 1758,
+ "ecs.version": "1.0.0",
+ "event.action": "flow-expiration",
+ "event.dataset": "cisco.asa",
+ "event.duration": 67000000000,
+ "event.end": "2018-10-10T12:34:56.000Z",
+ "event.module": "cisco",
+ "event.severity": 6,
+ "event.start": "2018-10-10T12:33:49.000Z",
+ "fileset.name": "asa",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 345,
+ "log.original": "Teardown TCP connection 11749 for outside:100.66.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I",
+ "network.bytes": 38110,
+ "network.transport": "tcp",
+ "service.type": "cisco",
+ "source.ip": "100.66.211.242",
+ "source.port": 80,
+ "tags": [
+ "cisco-asa"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco.asa.connection_id": "11748",
+ "cisco.asa.destination_interface": "inside",
+ "cisco.asa.message_id": "302014",
+ "cisco.asa.source_interface": "outside",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 1757,
+ "ecs.version": "1.0.0",
+ "event.action": "flow-expiration",
+ "event.dataset": "cisco.asa",
+ "event.duration": 67000000000,
+ "event.end": "2018-10-10T12:34:56.000Z",
+ "event.module": "cisco",
+ "event.severity": 6,
+ "event.start": "2018-10-10T12:33:49.000Z",
+ "fileset.name": "asa",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 535,
+ "log.original": "Teardown TCP connection 11748 for outside:100.66.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I",
+ "network.bytes": 44010,
+ "network.transport": "tcp",
+ "service.type": "cisco",
+ "source.ip": "100.66.211.242",
+ "source.port": 80,
+ "tags": [
+ "cisco-asa"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco.asa.connection_id": "11745",
+ "cisco.asa.destination_interface": "inside",
+ "cisco.asa.message_id": "302014",
+ "cisco.asa.source_interface": "outside",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 1755,
+ "ecs.version": "1.0.0",
+ "event.action": "flow-expiration",
+ "event.dataset": "cisco.asa",
+ "event.duration": 67000000000,
+ "event.end": "2018-10-10T12:34:56.000Z",
+ "event.module": "cisco",
+ "event.severity": 6,
+ "event.start": "2018-10-10T12:33:49.000Z",
+ "fileset.name": "asa",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 725,
+ "log.original": "Teardown TCP connection 11745 for outside:100.66.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I",
+ "network.bytes": 7652,
+ "network.transport": "tcp",
+ "service.type": "cisco",
+ "source.ip": "100.66.185.90",
+ "source.port": 80,
+ "tags": [
+ "cisco-asa"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco.asa.connection_id": "11744",
+ "cisco.asa.destination_interface": "inside",
+ "cisco.asa.message_id": "302014",
+ "cisco.asa.source_interface": "outside",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 1754,
+ "ecs.version": "1.0.0",
+ "event.action": "flow-expiration",
+ "event.dataset": "cisco.asa",
+ "event.duration": 67000000000,
+ "event.end": "2018-10-10T12:34:56.000Z",
+ "event.module": "cisco",
+ "event.severity": 6,
+ "event.start": "2018-10-10T12:33:49.000Z",
+ "fileset.name": "asa",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 913,
+ "log.original": "Teardown TCP connection 11744 for outside:100.66.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I",
+ "network.bytes": 7062,
+ "network.transport": "tcp",
+ "service.type": "cisco",
+ "source.ip": "100.66.185.90",
+ "source.port": 80,
+ "tags": [
+ "cisco-asa"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco.asa.connection_id": "11742",
+ "cisco.asa.destination_interface": "inside",
+ "cisco.asa.message_id": "302014",
+ "cisco.asa.source_interface": "outside",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 1752,
+ "ecs.version": "1.0.0",
+ "event.action": "flow-expiration",
+ "event.dataset": "cisco.asa",
+ "event.duration": 68000000000,
+ "event.end": "2018-10-10T12:34:56.000Z",
+ "event.module": "cisco",
+ "event.severity": 6,
+ "event.start": "2018-10-10T12:33:48.000Z",
+ "fileset.name": "asa",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 1101,
+ "log.original": "Teardown TCP connection 11742 for outside:100.66.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I",
+ "network.bytes": 5738,
+ "network.transport": "tcp",
+ "service.type": "cisco",
+ "source.ip": "100.66.160.197",
+ "source.port": 80,
+ "tags": [
+ "cisco-asa"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco.asa.connection_id": "11738",
+ "cisco.asa.destination_interface": "inside",
+ "cisco.asa.message_id": "302014",
+ "cisco.asa.source_interface": "outside",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 1749,
+ "ecs.version": "1.0.0",
+ "event.action": "flow-expiration",
+ "event.dataset": "cisco.asa",
+ "event.duration": 68000000000,
+ "event.end": "2018-10-10T12:34:56.000Z",
+ "event.module": "cisco",
+ "event.severity": 6,
+ "event.start": "2018-10-10T12:33:48.000Z",
+ "fileset.name": "asa",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 1290,
+ "log.original": "Teardown TCP connection 11738 for outside:100.66.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I",
+ "network.bytes": 4176,
+ "network.transport": "tcp",
+ "service.type": "cisco",
+ "source.ip": "100.66.205.14",
+ "source.port": 80,
+ "tags": [
+ "cisco-asa"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco.asa.connection_id": "11739",
+ "cisco.asa.destination_interface": "inside",
+ "cisco.asa.message_id": "302014",
+ "cisco.asa.source_interface": "outside",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 1750,
+ "ecs.version": "1.0.0",
+ "event.action": "flow-expiration",
+ "event.dataset": "cisco.asa",
+ "event.duration": 68000000000,
+ "event.end": "2018-10-10T12:34:56.000Z",
+ "event.module": "cisco",
+ "event.severity": 6,
+ "event.start": "2018-10-10T12:33:48.000Z",
+ "fileset.name": "asa",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 1478,
+ "log.original": "Teardown TCP connection 11739 for outside:100.66.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I",
+ "network.bytes": 1715,
+ "network.transport": "tcp",
+ "service.type": "cisco",
+ "source.ip": "100.66.124.33",
+ "source.port": 80,
+ "tags": [
+ "cisco-asa"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco.asa.connection_id": "11731",
+ "cisco.asa.destination_interface": "inside",
+ "cisco.asa.message_id": "302014",
+ "cisco.asa.source_interface": "outside",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 1747,
+ "ecs.version": "1.0.0",
+ "event.action": "flow-expiration",
+ "event.dataset": "cisco.asa",
+ "event.duration": 69000000000,
+ "event.end": "2018-10-10T12:34:56.000Z",
+ "event.module": "cisco",
+ "event.severity": 6,
+ "event.start": "2018-10-10T12:33:47.000Z",
+ "fileset.name": "asa",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 1666,
+ "log.original": "Teardown TCP connection 11731 for outside:100.66.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I",
+ "network.bytes": 45595,
+ "network.transport": "tcp",
+ "service.type": "cisco",
+ "source.ip": "100.66.35.9",
+ "source.port": 80,
+ "tags": [
+ "cisco-asa"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco.asa.connection_id": "11723",
+ "cisco.asa.destination_interface": "inside",
+ "cisco.asa.message_id": "302014",
+ "cisco.asa.source_interface": "outside",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 1742,
+ "ecs.version": "1.0.0",
+ "event.action": "flow-expiration",
+ "event.dataset": "cisco.asa",
+ "event.duration": 69000000000,
+ "event.end": "2018-10-10T12:34:56.000Z",
+ "event.module": "cisco",
+ "event.severity": 6,
+ "event.start": "2018-10-10T12:33:47.000Z",
+ "fileset.name": "asa",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 1853,
+ "log.original": "Teardown TCP connection 11723 for outside:100.66.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I",
+ "network.bytes": 27359,
+ "network.transport": "tcp",
+ "service.type": "cisco",
+ "source.ip": "100.66.211.242",
+ "source.port": 80,
+ "tags": [
+ "cisco-asa"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco.asa.connection_id": "11715",
+ "cisco.asa.destination_interface": "inside",
+ "cisco.asa.message_id": "302014",
+ "cisco.asa.source_interface": "outside",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 1741,
+ "ecs.version": "1.0.0",
+ "event.action": "flow-expiration",
+ "event.dataset": "cisco.asa",
+ "event.duration": 69000000000,
+ "event.end": "2018-10-10T12:34:56.000Z",
+ "event.module": "cisco",
+ "event.severity": 6,
+ "event.start": "2018-10-10T12:33:47.000Z",
+ "fileset.name": "asa",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 2043,
+ "log.original": "Teardown TCP connection 11715 for outside:100.66.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I",
+ "network.bytes": 4457,
+ "network.transport": "tcp",
+ "service.type": "cisco",
+ "source.ip": "100.66.218.21",
+ "source.port": 80,
+ "tags": [
+ "cisco-asa"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco.asa.connection_id": "11711",
+ "cisco.asa.destination_interface": "inside",
+ "cisco.asa.message_id": "302014",
+ "cisco.asa.source_interface": "outside",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 1739,
+ "ecs.version": "1.0.0",
+ "event.action": "flow-expiration",
+ "event.dataset": "cisco.asa",
+ "event.duration": 69000000000,
+ "event.end": "2018-10-10T12:34:56.000Z",
+ "event.module": "cisco",
+ "event.severity": 6,
+ "event.start": "2018-10-10T12:33:47.000Z",
+ "fileset.name": "asa",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 2231,
+ "log.original": "Teardown TCP connection 11711 for outside:100.66.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I",
+ "network.bytes": 26709,
+ "network.transport": "tcp",
+ "service.type": "cisco",
+ "source.ip": "100.66.198.27",
+ "source.port": 80,
+ "tags": [
+ "cisco-asa"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco.asa.connection_id": "11712",
+ "cisco.asa.destination_interface": "inside",
+ "cisco.asa.message_id": "302014",
+ "cisco.asa.source_interface": "outside",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 1740,
+ "ecs.version": "1.0.0",
+ "event.action": "flow-expiration",
+ "event.dataset": "cisco.asa",
+ "event.duration": 69000000000,
+ "event.end": "2018-10-10T12:34:56.000Z",
+ "event.module": "cisco",
+ "event.severity": 6,
+ "event.start": "2018-10-10T12:33:47.000Z",
+ "fileset.name": "asa",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 2420,
+ "log.original": "Teardown TCP connection 11712 for outside:100.66.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I",
+ "network.bytes": 22097,
+ "network.transport": "tcp",
+ "service.type": "cisco",
+ "source.ip": "100.66.198.27",
+ "source.port": 80,
+ "tags": [
+ "cisco-asa"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco.asa.connection_id": "11708",
+ "cisco.asa.destination_interface": "inside",
+ "cisco.asa.message_id": "302014",
+ "cisco.asa.source_interface": "outside",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 1738,
+ "ecs.version": "1.0.0",
+ "event.action": "flow-expiration",
+ "event.dataset": "cisco.asa",
+ "event.duration": 70000000000,
+ "event.end": "2018-10-10T12:34:56.000Z",
+ "event.module": "cisco",
+ "event.severity": 6,
+ "event.start": "2018-10-10T12:33:46.000Z",
+ "fileset.name": "asa",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 2609,
+ "log.original": "Teardown TCP connection 11708 for outside:100.66.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I",
+ "network.bytes": 2209,
+ "network.transport": "tcp",
+ "service.type": "cisco",
+ "source.ip": "100.66.202.211",
+ "source.port": 80,
+ "tags": [
+ "cisco-asa"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco.asa.connection_id": "11746",
+ "cisco.asa.destination_interface": "inside",
+ "cisco.asa.message_id": "302014",
+ "cisco.asa.source_interface": "outside",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 1756,
+ "ecs.version": "1.0.0",
+ "event.action": "flow-expiration",
+ "event.dataset": "cisco.asa",
+ "event.duration": 67000000000,
+ "event.end": "2018-10-10T12:34:56.000Z",
+ "event.module": "cisco",
+ "event.severity": 6,
+ "event.start": "2018-10-10T12:33:49.000Z",
+ "fileset.name": "asa",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 2798,
+ "log.original": "Teardown TCP connection 11746 for outside:100.66.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I",
+ "network.bytes": 10404,
+ "network.transport": "tcp",
+ "service.type": "cisco",
+ "source.ip": "100.66.124.15",
+ "source.port": 80,
+ "tags": [
+ "cisco-asa"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco.asa.connection_id": "11706",
+ "cisco.asa.destination_interface": "inside",
+ "cisco.asa.message_id": "302014",
+ "cisco.asa.source_interface": "outside",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 1737,
+ "ecs.version": "1.0.0",
+ "event.action": "flow-expiration",
+ "event.dataset": "cisco.asa",
+ "event.duration": 70000000000,
+ "event.end": "2018-10-10T12:34:56.000Z",
+ "event.module": "cisco",
+ "event.severity": 6,
+ "event.start": "2018-10-10T12:33:46.000Z",
+ "fileset.name": "asa",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 2987,
+ "log.original": "Teardown TCP connection 11706 for outside:100.66.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I",
+ "network.bytes": 123694,
+ "network.transport": "tcp",
+ "service.type": "cisco",
+ "source.ip": "100.66.124.15",
+ "source.port": 80,
+ "tags": [
+ "cisco-asa"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco.asa.connection_id": "11702",
+ "cisco.asa.destination_interface": "inside",
+ "cisco.asa.message_id": "302014",
+ "cisco.asa.source_interface": "outside",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 1736,
+ "ecs.version": "1.0.0",
+ "event.action": "flow-expiration",
+ "event.dataset": "cisco.asa",
+ "event.duration": 71000000000,
+ "event.end": "2018-10-10T12:34:56.000Z",
+ "event.module": "cisco",
+ "event.severity": 6,
+ "event.start": "2018-10-10T12:33:45.000Z",
+ "fileset.name": "asa",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 3177,
+ "log.original": "Teardown TCP connection 11702 for outside:100.66.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I",
+ "network.bytes": 35835,
+ "network.transport": "tcp",
+ "service.type": "cisco",
+ "source.ip": "100.66.209.247",
+ "source.port": 80,
+ "tags": [
+ "cisco-asa"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco.asa.connection_id": "11753",
+ "cisco.asa.destination_interface": "inside",
+ "cisco.asa.message_id": "302014",
+ "cisco.asa.source_interface": "outside",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 1765,
+ "ecs.version": "1.0.0",
+ "event.action": "flow-expiration",
+ "event.dataset": "cisco.asa",
+ "event.duration": 30000000000,
+ "event.end": "2018-10-10T12:34:56.000Z",
+ "event.module": "cisco",
+ "event.severity": 6,
+ "event.start": "2018-10-10T12:34:26.000Z",
+ "fileset.name": "asa",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 3367,
+ "log.original": "Teardown TCP connection 11753 for outside:100.66.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout",
+ "network.bytes": 0,
+ "network.transport": "tcp",
+ "service.type": "cisco",
+ "source.ip": "100.66.35.162",
+ "source.port": 80,
+ "tags": [
+ "cisco-asa"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco.asa.message_id": "305011",
+ "ecs.version": "1.0.0",
+ "event.action": "firewall-rule",
+ "event.dataset": "cisco.asa",
+ "event.module": "cisco",
+ "event.severity": 6,
+ "fileset.name": "asa",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 3552,
+ "log.original": "Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1188",
+ "service.type": "cisco",
+ "tags": [
+ "cisco-asa"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco.asa.message_id": "302015",
+ "ecs.version": "1.0.0",
+ "event.action": "firewall-rule",
+ "event.dataset": "cisco.asa",
+ "event.module": "cisco",
+ "event.severity": 6,
+ "fileset.name": "asa",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 3703,
+ "log.original": "Built outbound UDP connection 11758 for outside:100.66.80.32/53 (100.66.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "service.type": "cisco",
+ "tags": [
+ "cisco-asa"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco.asa.connection_id": "11758",
+ "cisco.asa.destination_interface": "inside",
+ "cisco.asa.message_id": "302016",
+ "cisco.asa.source_interface": "outside",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 56132,
+ "ecs.version": "1.0.0",
+ "event.action": "flow-expiration",
+ "event.dataset": "cisco.asa",
+ "event.duration": 0,
+ "event.end": "2018-10-10T12:34:56.000Z",
+ "event.module": "cisco",
+ "event.severity": 6,
+ "event.start": "2018-10-10T12:34:56.000Z",
+ "fileset.name": "asa",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 3896,
+ "log.original": "Teardown UDP connection 11758 for outside:100.66.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148",
+ "network.bytes": 148,
+ "network.transport": "udp",
+ "service.type": "cisco",
+ "source.ip": "100.66.80.32",
+ "source.port": 53,
+ "tags": [
+ "cisco-asa"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco.asa.message_id": "302015",
+ "ecs.version": "1.0.0",
+ "event.action": "firewall-rule",
+ "event.dataset": "cisco.asa",
+ "event.module": "cisco",
+ "event.severity": 6,
+ "fileset.name": "asa",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 4071,
+ "log.original": "Built outbound UDP connection 11759 for outside:100.66.252.6/53 (100.66.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "service.type": "cisco",
+ "tags": [
+ "cisco-asa"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco.asa.connection_id": "11759",
+ "cisco.asa.destination_interface": "inside",
+ "cisco.asa.message_id": "302016",
+ "cisco.asa.source_interface": "outside",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 56132,
+ "ecs.version": "1.0.0",
+ "event.action": "flow-expiration",
+ "event.dataset": "cisco.asa",
+ "event.duration": 0,
+ "event.end": "2018-10-10T12:34:56.000Z",
+ "event.module": "cisco",
+ "event.severity": 6,
+ "event.start": "2018-10-10T12:34:56.000Z",
+ "fileset.name": "asa",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 4264,
+ "log.original": "Teardown UDP connection 11759 for outside:100.66.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164",
+ "network.bytes": 164,
+ "network.transport": "udp",
+ "service.type": "cisco",
+ "source.ip": "100.66.252.6",
+ "source.port": 53,
+ "tags": [
+ "cisco-asa"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco.asa.message_id": "305011",
+ "ecs.version": "1.0.0",
+ "event.action": "firewall-rule",
+ "event.dataset": "cisco.asa",
+ "event.module": "cisco",
+ "event.severity": 6,
+ "fileset.name": "asa",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 4439,
+ "log.original": "Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:100.66.98.44/8257",
+ "service.type": "cisco",
+ "tags": [
+ "cisco-asa"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco.asa.message_id": "302013",
+ "ecs.version": "1.0.0",
+ "event.action": "firewall-rule",
+ "event.dataset": "cisco.asa",
+ "event.module": "cisco",
+ "event.severity": 6,
+ "fileset.name": "asa",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 4589,
+ "log.original": "Built outbound TCP connection 11760 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773)",
+ "service.type": "cisco",
+ "tags": [
+ "cisco-asa"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco.asa.message_id": "305011",
+ "ecs.version": "1.0.0",
+ "event.action": "firewall-rule",
+ "event.dataset": "cisco.asa",
+ "event.module": "cisco",
+ "event.severity": 6,
+ "fileset.name": "asa",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 4784,
+ "log.original": "Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:100.66.98.44/8258",
+ "service.type": "cisco",
+ "tags": [
+ "cisco-asa"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco.asa.message_id": "302013",
+ "ecs.version": "1.0.0",
+ "event.action": "firewall-rule",
+ "event.dataset": "cisco.asa",
+ "event.module": "cisco",
+ "event.severity": 6,
+ "fileset.name": "asa",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 4934,
+ "log.original": "Built outbound TCP connection 11761 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774)",
+ "service.type": "cisco",
+ "tags": [
+ "cisco-asa"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco.asa.message_id": "302015",
+ "ecs.version": "1.0.0",
+ "event.action": "firewall-rule",
+ "event.dataset": "cisco.asa",
+ "event.module": "cisco",
+ "event.severity": 6,
+ "fileset.name": "asa",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 5129,
+ "log.original": "Built outbound UDP connection 11762 for outside:100.66.238.126/53 (100.66.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "service.type": "cisco",
+ "tags": [
+ "cisco-asa"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco.asa.message_id": "302015",
+ "ecs.version": "1.0.0",
+ "event.action": "firewall-rule",
+ "event.dataset": "cisco.asa",
+ "event.module": "cisco",
+ "event.severity": 6,
+ "fileset.name": "asa",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 5326,
+ "log.original": "Built outbound UDP connection 11763 
for outside:100.66.93.51/53 (100.66.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.connection_id": "11762", + "cisco.asa.destination_interface": "inside", + "cisco.asa.message_id": "302016", + "cisco.asa.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 56132, + "ecs.version": "1.0.0", + "event.action": "flow-expiration", + "event.dataset": "cisco.asa", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 5519, + "log.original": "Teardown UDP connection 11762 for outside:100.66.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111", + "network.bytes": 111, + "network.transport": "udp", + "service.type": "cisco", + "source.ip": "100.66.238.126", + "source.port": 53, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.connection_id": "11763", + "cisco.asa.destination_interface": "inside", + "cisco.asa.message_id": "302016", + "cisco.asa.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 56132, + "ecs.version": "1.0.0", + "event.action": "flow-expiration", + "event.dataset": "cisco.asa", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 5696, + "log.original": "Teardown UDP connection 11763 for outside:100.66.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237", + "network.bytes": 237, + "network.transport": "udp", + "service.type": "cisco", + "source.ip": "100.66.93.51", + 
"source.port": 53, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "305011", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 5871, + "log.original": "Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:100.66.98.44/8259", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "302013", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 6021, + "log.original": "Built outbound TCP connection 11764 for outside:100.66.225.103/443 (100.66.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775)", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "305011", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 6218, + "log.original": "Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1189", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "302015", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 6369, + "log.original": "Built outbound UDP connection 11772 for 
outside:100.66.240.126/53 (100.66.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "302015", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 6566, + "log.original": "Built outbound UDP connection 11773 for outside:100.66.44.45/53 (100.66.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.connection_id": "11772", + "cisco.asa.destination_interface": "inside", + "cisco.asa.message_id": "302016", + "cisco.asa.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 56132, + "ecs.version": "1.0.0", + "event.action": "flow-expiration", + "event.dataset": "cisco.asa", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 6759, + "log.original": "Teardown UDP connection 11772 for outside:100.66.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87", + "network.bytes": 87, + "network.transport": "udp", + "service.type": "cisco", + "source.ip": "100.66.240.126", + "source.port": 53, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.connection_id": "11773", + "cisco.asa.destination_interface": "inside", + "cisco.asa.message_id": "302016", + "cisco.asa.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 56132, + "ecs.version": "1.0.0", + "event.action": "flow-expiration", + 
"event.dataset": "cisco.asa", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 6935, + "log.original": "Teardown UDP connection 11773 for outside:100.66.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221", + "network.bytes": 221, + "network.transport": "udp", + "service.type": "cisco", + "source.ip": "100.66.44.45", + "source.port": 53, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "305011", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 7110, + "log.original": "Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:100.66.98.44/8265", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "302013", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 7260, + "log.original": "Built outbound TCP connection 11774 for outside:100.66.179.219/80 (100.66.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452)", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "302015", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 7455, + "log.original": "Built 
outbound UDP connection 11775 for outside:100.66.157.232/53 (100.66.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "302015", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 7652, + "log.original": "Built outbound UDP connection 11776 for outside:100.66.178.133/53 (100.66.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.connection_id": "11775", + "cisco.asa.destination_interface": "inside", + "cisco.asa.message_id": "302016", + "cisco.asa.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 56132, + "ecs.version": "1.0.0", + "event.action": "flow-expiration", + "event.dataset": "cisco.asa", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 7849, + "log.original": "Teardown UDP connection 11775 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101", + "network.bytes": 101, + "network.transport": "udp", + "service.type": "cisco", + "source.ip": "100.66.157.232", + "source.port": 53, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.connection_id": "11776", + "cisco.asa.destination_interface": "inside", + "cisco.asa.message_id": "302016", + "cisco.asa.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 56132, + "ecs.version": "1.0.0", + 
"event.action": "flow-expiration", + "event.dataset": "cisco.asa", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 8026, + "log.original": "Teardown UDP connection 11776 for outside:100.66.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126", + "network.bytes": 126, + "network.transport": "udp", + "service.type": "cisco", + "source.ip": "100.66.178.133", + "source.port": 53, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "305011", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 8203, + "log.original": "Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:100.66.98.44/8266", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "302013", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 8353, + "log.original": "Built outbound TCP connection 11777 for outside:100.66.133.112/80 (100.66.133.112/80) to inside:172.31.98.44/1453 (172.31.98.44/1453)", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.connection_id": "11777", + "cisco.asa.destination_interface": "inside", + "cisco.asa.message_id": "302014", + "cisco.asa.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 1453, + "ecs.version": "1.0.0", + 
"event.action": "flow-expiration", + "event.dataset": "cisco.asa", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 8548, + "log.original": "Teardown TCP connection 11777 for outside:100.66.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs", + "network.bytes": 862, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "100.66.133.112", + "source.port": 80, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "302015", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 8733, + "log.original": "Built outbound UDP connection 11779 for outside:100.66.204.197/53 (100.66.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.connection_id": "11778", + "cisco.asa.destination_interface": "inside", + "cisco.asa.message_id": "302016", + "cisco.asa.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 56132, + "ecs.version": "1.0.0", + "event.action": "flow-expiration", + "event.dataset": "cisco.asa", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 8930, + "log.original": "Teardown UDP connection 11778 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", + "network.bytes": 104, + 
"network.transport": "udp", + "service.type": "cisco", + "source.ip": "100.66.157.232", + "source.port": 53, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.connection_id": "11779", + "cisco.asa.destination_interface": "inside", + "cisco.asa.message_id": "302016", + "cisco.asa.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 56132, + "ecs.version": "1.0.0", + "event.action": "flow-expiration", + "event.dataset": "cisco.asa", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 9107, + "log.original": "Teardown UDP connection 11779 for outside:100.66.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176", + "network.bytes": 176, + "network.transport": "udp", + "service.type": "cisco", + "source.ip": "100.66.204.197", + "source.port": 53, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "305011", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 9284, + "log.original": "Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "302013", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 9434, + "log.original": "Built outbound TCP connection 11780 for outside:100.66.128.3/80 
(100.66.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454)", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "305011", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 9625, + "log.original": "Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "302013", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 9775, + "log.original": "Built outbound TCP connection 11781 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455)", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "305011", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 9966, + "log.original": "Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "302013", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 
10116, + "log.original": "Built outbound TCP connection 11782 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456)", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "302015", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 10307, + "log.original": "Built outbound UDP connection 11783 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.connection_id": "11783", + "cisco.asa.destination_interface": "inside", + "cisco.asa.message_id": "302016", + "cisco.asa.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 56132, + "ecs.version": "1.0.0", + "event.action": "flow-expiration", + "event.dataset": "cisco.asa", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 10500, + "log.original": "Teardown UDP connection 11783 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", + "network.bytes": 104, + "network.transport": "udp", + "service.type": "cisco", + "source.ip": "100.66.100.4", + "source.port": 53, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "305011", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": 
"informational", + "log.offset": 10675, + "log.original": "Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "302013", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 10825, + "log.original": "Built outbound TCP connection 11784 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457)", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "305011", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 11018, + "log.original": "Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "302013", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 11168, + "log.original": "Built outbound TCP connection 11785 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458)", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "302015", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": 
"cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 11361, + "log.original": "Built outbound UDP connection 11786 for outside:100.66.1.107/53 (100.66.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.connection_id": "11784", + "cisco.asa.destination_interface": "inside", + "cisco.asa.message_id": "302014", + "cisco.asa.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 1457, + "ecs.version": "1.0.0", + "event.action": "flow-expiration", + "event.dataset": "cisco.asa", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 11554, + "log.original": "Teardown TCP connection 11784 for outside:100.66.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs", + "network.bytes": 593, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "100.66.198.40", + "source.port": 80, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "305011", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 11738, + "log.original": "Built dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "302013", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": 
"cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 11888, + "log.original": "Built outbound TCP connection 11787 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459)", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.connection_id": "11786", + "cisco.asa.destination_interface": "inside", + "cisco.asa.message_id": "302016", + "cisco.asa.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 56132, + "ecs.version": "1.0.0", + "event.action": "flow-expiration", + "event.dataset": "cisco.asa", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 12081, + "log.original": "Teardown UDP connection 11786 for outside:100.66.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375", + "network.bytes": 375, + "network.transport": "udp", + "service.type": "cisco", + "source.ip": "100.66.1.107", + "source.port": 53, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "305011", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 12256, + "log.original": "Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "302013", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + 
"event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 12406, + "log.original": "Built outbound TCP connection 11788 for outside:100.66.192.44/80 (100.66.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460)", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "305012", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 12599, + "log.original": "Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267 duration 0:00:30", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "305011", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 12769, + "log.original": "Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:100.66.98.44/8277", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "302013", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 12920, + "log.original": "Built outbound TCP connection 11797 for outside:100.66.19.254/80 (100.66.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385)", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "305012", + 
"ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 13115, + "log.original": "Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268 duration 0:00:30", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "305012", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 13285, + "log.original": "Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269 duration 0:00:30", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "305012", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 13455, + "log.original": "Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270 duration 0:00:30", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "305012", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 13625, + "log.original": "Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271 duration 0:00:30", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + 
}, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "305012", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 13795, + "log.original": "Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272 duration 0:00:30", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "305012", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 13965, + "log.original": "Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273 duration 0:00:30", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.connection_id": "11564", + "cisco.asa.destination_interface": "inside", + "cisco.asa.message_id": "302014", + "cisco.asa.source_interface": "outside", + "destination.ip": "172.31.156.80", + "destination.port": 1382, + "ecs.version": "1.0.0", + "event.action": "flow-expiration", + "event.dataset": "cisco.asa", + "event.duration": 325000000000, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:29:31.000Z", + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 14135, + "log.original": "Teardown TCP connection 11564 for outside:100.66.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs", + "network.bytes": 575, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "100.66.115.46", + "source.port": 80, + "tags": [ + "cisco-asa" 
+ ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.connection_id": "11797", + "cisco.asa.destination_interface": "inside", + "cisco.asa.message_id": "302014", + "cisco.asa.source_interface": "outside", + "destination.ip": "172.31.156.80", + "destination.port": 1385, + "ecs.version": "1.0.0", + "event.action": "flow-expiration", + "event.dataset": "cisco.asa", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 14320, + "log.original": "Teardown TCP connection 11797 for outside:100.66.19.254/80 to inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I", + "network.bytes": 5391, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "100.66.19.254", + "source.port": 80, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "305011", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 14509, + "log.original": "Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:100.66.98.44/8278", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "302013", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 14660, + "log.original": "Built outbound TCP connection 11798 for outside:100.66.115.46/80 (100.66.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386)", + "service.type": "cisco", + "tags": [ + 
"cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.destination_interface": "inside", + "cisco.asa.list_id": "inbound", + "cisco.asa.message_id": "106023", + "cisco.asa.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 8277, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "fileset.name": "asa", + "input.type": "log", + "log.level": "warning", + "log.offset": 14855, + "log.original": "Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "100.66.19.254", + "source.port": 80, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.destination_interface": "inside", + "cisco.asa.list_id": "inbound", + "cisco.asa.message_id": "106023", + "cisco.asa.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 8277, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "fileset.name": "asa", + "input.type": "log", + "log.level": "warning", + "log.offset": 15020, + "log.original": "Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "100.66.19.254", + "source.port": 80, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.destination_interface": "inside", + "cisco.asa.list_id": "inbound", + "cisco.asa.message_id": "106023", + "cisco.asa.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 8277, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": 
"cisco.asa", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "fileset.name": "asa", + "input.type": "log", + "log.level": "warning", + "log.offset": 15185, + "log.original": "Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "100.66.19.254", + "source.port": 80, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.destination_interface": "inside", + "cisco.asa.list_id": "inbound", + "cisco.asa.message_id": "106023", + "cisco.asa.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 8277, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "fileset.name": "asa", + "input.type": "log", + "log.level": "warning", + "log.offset": 15350, + "log.original": "Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "100.66.19.254", + "source.port": 80, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.destination_interface": "inside", + "cisco.asa.list_id": "inbound", + "cisco.asa.message_id": "106023", + "cisco.asa.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 8277, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "fileset.name": "asa", + "input.type": "log", + "log.level": "warning", + "log.offset": 15515, + "log.original": "Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.transport": "tcp", + "service.type": "cisco", + 
"source.ip": "100.66.19.254", + "source.port": 80, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.destination_interface": "inside", + "cisco.asa.list_id": "inbound", + "cisco.asa.message_id": "106023", + "cisco.asa.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 8277, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "fileset.name": "asa", + "input.type": "log", + "log.level": "warning", + "log.offset": 15680, + "log.original": "Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "100.66.19.254", + "source.port": 80, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.destination_interface": "inside", + "cisco.asa.list_id": "inbound", + "cisco.asa.message_id": "106023", + "cisco.asa.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 8277, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "fileset.name": "asa", + "input.type": "log", + "log.level": "warning", + "log.offset": 15845, + "log.original": "Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "100.66.19.254", + "source.port": 80, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.destination_interface": "inside", + "cisco.asa.list_id": "inbound", + "cisco.asa.message_id": "106023", + "cisco.asa.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 8277, + "ecs.version": 
"1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "fileset.name": "asa", + "input.type": "log", + "log.level": "warning", + "log.offset": 16010, + "log.original": "Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "100.66.19.254", + "source.port": 80, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.destination_interface": "inside", + "cisco.asa.list_id": "inbound", + "cisco.asa.message_id": "106023", + "cisco.asa.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 8277, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "fileset.name": "asa", + "input.type": "log", + "log.level": "warning", + "log.offset": 16175, + "log.original": "Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "100.66.19.254", + "source.port": 80, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.destination_interface": "inside", + "cisco.asa.list_id": "inbound", + "cisco.asa.message_id": "106023", + "cisco.asa.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 8277, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "fileset.name": "asa", + "input.type": "log", + "log.level": "warning", + "log.offset": 16340, + "log.original": "Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", 
+ "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "100.66.19.254", + "source.port": 80, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.destination_interface": "inside", + "cisco.asa.list_id": "inbound", + "cisco.asa.message_id": "106023", + "cisco.asa.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 8277, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "fileset.name": "asa", + "input.type": "log", + "log.level": "warning", + "log.offset": 16505, + "log.original": "Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "100.66.19.254", + "source.port": 80, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.destination_interface": "inside", + "cisco.asa.list_id": "inbound", + "cisco.asa.message_id": "106023", + "cisco.asa.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 8277, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "fileset.name": "asa", + "input.type": "log", + "log.level": "warning", + "log.offset": 16670, + "log.original": "Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "100.66.19.254", + "source.port": 80, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.destination_interface": "inside", + "cisco.asa.list_id": "inbound", + "cisco.asa.message_id": "106023", + "cisco.asa.source_interface": "outside", + "destination.ip": 
"172.31.98.44", + "destination.port": 8277, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "fileset.name": "asa", + "input.type": "log", + "log.level": "warning", + "log.offset": 16835, + "log.original": "Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "100.66.19.254", + "source.port": 80, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "305011", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 17000, + "log.original": "Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:100.66.98.44/8279", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "302013", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 17150, + "log.original": "Built outbound TCP connection 11799 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275)", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "305011", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 17343, + "log.original": "Built dynamic UDP 
translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1190", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.asa.message_id": "302015", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 17494, + "log.original": "Built outbound UDP connection 11800 for outside:100.66.14.30/53 (100.66.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/asa/test/filtered.log b/x-pack/filebeat/module/cisco/asa/test/filtered.log new file mode 100644 index 000000000000..5a6cd918d77a --- /dev/null +++ b/x-pack/filebeat/module/cisco/asa/test/filtered.log @@ -0,0 +1,2 @@ +Jan 1 01:00:27 beats asa[1234]: %ASA-7-999999: This message is not filtered. +Jan 1 01:00:30 beats asa[1234]: %ASA-8-999999: This phony message is dropped due to log level. diff --git a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json new file mode 100644 index 000000000000..43eb4509a387 --- /dev/null +++ b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json @@ -0,0 +1,20 @@ +[ + { + "@timestamp": "2019-01-01T01:00:27.000Z", + "cisco.asa.message_id": "999999", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 7, + "fileset.name": "asa", + "input.type": "log", + "log.level": "debug", + "log.offset": 0, + "log.original": "This message is not filtered.", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + } +] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log
new file mode 100644
index 000000000000..2f3e126bb9ad
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/asa/test/sample.log
@@ -0,0 +1,72 @@
+Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 by access-group "acl_dmz" [0xe3aab522, 0x0]
+Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 type 3, code 0, by access-group "acl_dmz" [0xe3aab522, 0x0]
+Apr 15 2014 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 24 2013 16:00:28 INT-FW01 : %ASA-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -> outside/192.0.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]
+Apr 24 2013 16:00:27 INT-FW01 : %ASA-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -> outside/192.0.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]
+Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.0.2.130/12834
+Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743274 for outside:192.0.2.43/443 (192.0.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42.130/12834)
+Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.0.2.130/25882
+Apr 29 2013 12:59:50: %ASA-6-302015: Built outbound UDP connection 89743275 for outside:192.0.2.222/53 (192.0.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882)
+Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.0.2.130/45392
+Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743276 for outside:192.0.2.1/80 (192.0.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392)
+Apr 29 2013 12:59:50: %ASA-6-302016: Teardown UDP connection 89743275 for outside:192.0.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140
+Apr 29 2013 12:59:50: %ASA-6-302016: Teardown UDP connection 666 for outside:192.0.2.222/53 user1 to 
inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999
+Jun 04 2011 21:59:52 FJSG2NRFW01 : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr 192.168.132.46/17233 laddr 192.168.132.46/17233
+Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.0.0.130/10879
+Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743277 for outside:192.0.0.17/80 (192.0.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879)
+Apr 30 2013 09:22:33: %ASA-2-106007: Deny inbound UDP from 192.0.0.66/12981 to 10.1.2.60/53 due to DNS Query
+Apr 30 2013 09:22:38: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:22:38: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:22:40: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:22:41: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:22:47: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:22:48: %ASA-5-106100: access-list acl_in permitted tcp 
inside/10.0.0.13(43013) -> dmz/192.168.33.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:22:56: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:23:02: %ASA-2-106006: Deny inbound UDP from 192.0.2.66/137 to 10.1.2.42/137 on interface inside
+Apr 30 2013 09:23:03: %ASA-2-106007: Deny inbound UDP from 192.0.2.66/12981 to 10.1.5.60/53 due to DNS Query
+Apr 30 2013 09:23:06: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:23:08: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:23:15: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:23:24: %ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:23:34: %ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:23:40: %ASA-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group "acl_out" [0x71761f18, 0x0]
+Apr 30 2013 09:23:41: %ASA-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group "acl_out" [0x71761f18, 0x0]
+Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 15 2018 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -> 
outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Dec 11 2018 08:01:24 %ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80)
+Dec 11 2018 08:01:24 %ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80port> (10.0.13.13/80)
+Dec 11 2018 08:01:24 %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613]
+Dec 11 2018 08:01:24 %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613]
+Dec 11 2018 08:01:31 %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)
+Dec 11 2018 08:01:31 %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)
+Dec 11 2018 08:01:31 %ASA-6-302014: Teardown TCP connection 447236 for outside:192.0.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs
+Dec 11 2018 08:01:38 %ASA-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs
+Dec 11 2018 08:01:38 %ASA-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs
+Dec 11 2018 08:01:38 %ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside
+Dec 11 2018 08:01:38 %ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside
+Dec 11 2018 08:01:39 %ASA-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.0.0.12/5000 by access-group "dmz" [0x123a465e, 0x8c20f21]
+Dec 11 2018 08:01:53 %ASA-6-302013: Built outbound TCP connection 
447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)
+Dec 11 2018 08:01:53 %ASA-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)
+Dec 11 2018 08:01:53 %ASA-6-302014: Teardown TCP connection 447237 for outside:192.0.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs
+Aug 15 2012 23:30:09 %ASA-6-302016: Teardown UDP connection 40 for outside:10.44.4.4/500 to inside:10.44.2.2/500 duration 0:02:02 bytes 1416
+Sep 12 2014 06:50:53 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic
+Sep 12 2014 06:51:01 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic
+Sep 12 2014 06:51:05 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic
+Sep 12 2014 06:51:05 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic
+Sep 12 2014 06:51:06 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic
+Sep 12 2014 06:51:17 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic
+Sep 12 2014 06:52:48 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic
+Sep 12 2014 06:53:00 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic
+Sep 12 2014 06:53:01 GIFRCHN01 : %ASA-4-106023: Deny tcp src outside:192.0.2.95/24069 dst inside:10.32.112.125/25 by access-group "PERMIT_IN" [0x0, 0x0]"
+Sep 12 2014 06:53:02 GIFRCHN01 : %ASA-3-313001: Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside
+Jan 14 2015 13:16:13: %ASA-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session
+Jan 14 2015 13:16:14: %ASA-4-338002: Dynamic 
Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.88.99.1/7890) to outside:192.88.99.129/80 (192.88.99.129/80), destination 192.88.99.129 resolved from dynamic list: bad.example.com
+Jan 14 2015 13:16:14: %ASA-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware
+Jan 14 2015 13:16:14: %ASA-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware
+Nov 16 2009 14:12:35: %ASA-5-304001: 10.30.30.30 Accessed URL 192.0.2.1:/app
+Nov 16 2009 14:12:36: %ASA-5-304001: 10.5.111.32 Accessed URL 192.0.2.32:http://example.com
+Nov 16 2009 14:12:37: %ASA-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside
diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json
new file mode 100644
index 000000000000..d56e1e0879d2
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json
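Review bot: Several sample.log lines carry malformed input — the five-octet `(10.123.3.42.130/12834)` and `(10.123.3.130/45392)` in the 302013 lines, `identity:10.0.13.13/80port>` in the second 302015 line, the stray trailing `"` on the GIFRCHN01 106023 line, and `outsidet:` in the 338004/338008 lines — and nothing marks them as deliberate parser-robustness probes rather than copy errors. Since a .log fixture has no comment syntax, a short list of the intentionally broken lines in the module README or a comment in the test driver would stop a future maintainer from "fixing" them and silently losing that coverage; it would also make it clear which fields are expected to be absent (rather than mis-parsed) for those lines. The matching expectations live in sample.log-expected.json, whose hunk starts after this one but continues beyond this view.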
@@ -0,0 +1,1792 @@ +[ + { + "@timestamp": "2013-04-15T09:36:50.000Z", + "cisco.asa.destination_interface": "outside", + "cisco.asa.list_id": "acl_dmz", + "cisco.asa.message_id": "106023", + "cisco.asa.source_interface": "dmz", + "destination.ip": "192.0.0.8", + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "fileset.name": "asa", + "input.type": "log", + "log.level": "warning", + "log.offset": 0, + "log.original": "Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 by access-group \"acl_dmz\" [0xe3aab522, 0x0]", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.1.2.30", + "source.port": 63016, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2013-04-15T09:36:50.000Z", + "cisco.asa.destination_interface": "outside", + "cisco.asa.list_id": "acl_dmz", + "cisco.asa.message_id": "106023", + "cisco.asa.source_interface": "dmz", + "destination.ip": "192.0.0.8", + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "fileset.name": "asa", + "input.type": "log", + "log.level": "warning", + "log.offset": 139, + "log.original": "Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3aab522, 0x0]", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.1.2.30", + "source.port": 63016, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2014-04-15T13:34:34.000Z", + "cisco.asa.destination_interface": "outside", + "cisco.asa.list_id": "acl_in", + "cisco.asa.message_id": "106100", + "cisco.asa.source_interface": "inside", + "cisco.asa.suffix": "session", + "destination.ip": "192.0.0.89", + "destination.port": 2000, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + 
"event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 5, + "fileset.name": "asa", + "input.type": "log", + "log.level": "notification", + "log.offset": 294, + "log.original": "access-list acl_in permitted tcp inside/10.1.2.16(2241) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.1.2.16", + "source.port": 2241, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2013-04-24T16:00:28.000Z", + "cisco.asa.destination_interface": "outside", + "cisco.asa.list_id": "inside", + "cisco.asa.message_id": "106100", + "cisco.asa.source_interface": "inside", + "destination.ip": "192.0.2.10", + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 465, + "log.original": "access-list inside denied udp inside/172.29.2.101(1039) -> outside/192.0.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]", + "network.transport": "udp", + "service.type": "cisco", + "source.ip": "172.29.2.101", + "source.port": 1039, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2013-04-24T16:00:27.000Z", + "cisco.asa.destination_interface": "outside", + "cisco.asa.list_id": "inside", + "cisco.asa.message_id": "106100", + "cisco.asa.source_interface": "inside", + "destination.ip": "192.0.2.57", + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 632, + "log.original": "access-list inside permitted udp inside/172.29.2.3(1065) -> outside/192.0.2.57(53) hit-cnt 144 300-second interval 
[0xe982c7a4, 0x0]", + "network.transport": "udp", + "service.type": "cisco", + "source.ip": "172.29.2.3", + "source.port": 1065, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", + "cisco.asa.message_id": "305011", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 812, + "log.original": "Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.0.2.130/12834", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", + "cisco.asa.message_id": "302013", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 938, + "log.original": "Built outbound TCP connection 89743274 for outside:192.0.2.43/443 (192.0.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42.130/12834)", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", + "cisco.asa.message_id": "305011", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 1110, + "log.original": "Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.0.2.130/25882", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", + "cisco.asa.message_id": "302015", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + 
"log.level": "informational", + "log.offset": 1237, + "log.original": "Built outbound UDP connection 89743275 for outside:192.0.2.222/53 (192.0.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882)", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", + "cisco.asa.message_id": "305011", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 1405, + "log.original": "Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.0.2.130/45392", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", + "cisco.asa.message_id": "302013", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 1531, + "log.original": "Built outbound TCP connection 89743276 for outside:192.0.2.1/80 (192.0.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392)", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", + "cisco.asa.connection_id": "89743275", + "cisco.asa.destination_interface": "inside", + "cisco.asa.message_id": "302016", + "cisco.asa.source_interface": "outside", + "destination.ip": "10.123.1.35", + "destination.port": 52925, + "ecs.version": "1.0.0", + "event.action": "flow-expiration", + "event.dataset": "cisco.asa", + "event.duration": 5025000000000, + "event.end": "2013-04-29T12:59:50.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2013-04-29T11:36:05.000Z", + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 1696, + "log.original": "Teardown UDP connection 
89743275 for outside:192.0.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140", + "network.bytes": 140, + "network.transport": "udp", + "service.type": "cisco", + "source.ip": "192.0.2.222", + "source.port": 53, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", + "cisco.asa.connection_id": "666", + "cisco.asa.destination_interface": "inside", + "cisco.asa.destination_username": "user2", + "cisco.asa.message_id": "302016", + "cisco.asa.source_interface": "outside", + "cisco.asa.source_username": "user1", + "destination.ip": "10.123.1.35", + "destination.port": 52925, + "ecs.version": "1.0.0", + "event.action": "flow-expiration", + "event.dataset": "cisco.asa", + "event.duration": 36000000000000, + "event.end": "2013-04-29T12:59:50.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2013-04-29T02:59:50.000Z", + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 1848, + "log.original": "Teardown UDP connection 666 for outside:192.0.2.222/53 user1 to inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999", + "network.bytes": 9999999, + "network.transport": "udp", + "service.type": "cisco", + "source.ip": "192.0.2.222", + "source.port": 53, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2011-06-04T21:59:52.000Z", + "cisco.asa.message_id": "302021", + "destination.ip": "192.168.132.46", + "destination.port": 17233, + "ecs.version": "1.0.0", + "event.action": "flow-expiration", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 2012, + "log.original": "Teardown ICMP connection for faddr 172.24.177.29/0 gaddr 192.168.132.46/17233 laddr 192.168.132.46/17233", + "network.transport": "icmp", + "service.type": "cisco", + "source.ip": "172.24.177.29", + "source.port": 0, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": 
"2013-04-29T12:59:50.000Z", + "cisco.asa.message_id": "305011", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 2167, + "log.original": "Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.0.0.130/10879", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", + "cisco.asa.message_id": "302013", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 2293, + "log.original": "Built outbound TCP connection 89743277 for outside:192.0.0.17/80 (192.0.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879)", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2013-04-30T09:22:33.000Z", + "cisco.asa.message_id": "106007", + "destination.ip": "10.1.2.60", + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 2, + "fileset.name": "asa", + "input.type": "log", + "log.level": "critical", + "log.offset": 2458, + "log.original": "Deny inbound UDP from 192.0.0.66/12981 to 10.1.2.60/53 due to DNS Query", + "network.direction": "inbound", + "network.protocol": "dns", + "network.transport": "udp", + "service.type": "cisco", + "source.ip": "192.0.0.66", + "source.port": 12981, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2013-04-30T09:22:38.000Z", + "cisco.asa.destination_interface": "outside", + "cisco.asa.list_id": "acl_in", + "cisco.asa.message_id": "106100", + "cisco.asa.source_interface": "inside", + "destination.ip": "192.0.0.89", + "destination.port": 
2000, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 5, + "fileset.name": "asa", + "input.type": "log", + "log.level": "notification", + "log.offset": 2567, + "log.original": "access-list acl_in permitted tcp inside/10.0.0.16(2006) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.16", + "source.port": 2006, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2013-04-30T09:22:38.000Z", + "cisco.asa.destination_interface": "outside", + "cisco.asa.list_id": "acl_in", + "cisco.asa.message_id": "106100", + "cisco.asa.source_interface": "inside", + "destination.ip": "192.0.0.88", + "destination.port": 40443, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 5, + "fileset.name": "asa", + "input.type": "log", + "log.level": "notification", + "log.offset": 2726, + "log.original": "access-list acl_in permitted tcp inside/10.0.0.46(49734) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.46", + "source.port": 49734, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2013-04-30T09:22:39.000Z", + "cisco.asa.destination_interface": "outside", + "cisco.asa.list_id": "acl_in", + "cisco.asa.message_id": "106100", + "cisco.asa.source_interface": "inside", + "destination.ip": "192.0.0.88", + "destination.port": 40443, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 5, + "fileset.name": "asa", + "input.type": "log", + "log.level": "notification", + "log.offset": 2887, + "log.original": "access-list acl_in permitted tcp 
inside/10.0.0.46(49735) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.46", + "source.port": 49735, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2013-04-30T09:22:39.000Z", + "cisco.asa.destination_interface": "outside", + "cisco.asa.list_id": "acl_in", + "cisco.asa.message_id": "106100", + "cisco.asa.source_interface": "inside", + "destination.ip": "192.0.0.88", + "destination.port": 40443, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 5, + "fileset.name": "asa", + "input.type": "log", + "log.level": "notification", + "log.offset": 3048, + "log.original": "access-list acl_in permitted tcp inside/10.0.0.46(49736) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.46", + "source.port": 49736, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2013-04-30T09:22:39.000Z", + "cisco.asa.destination_interface": "outside", + "cisco.asa.list_id": "acl_in", + "cisco.asa.message_id": "106100", + "cisco.asa.source_interface": "inside", + "destination.ip": "192.0.0.88", + "destination.port": 40443, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 5, + "fileset.name": "asa", + "input.type": "log", + "log.level": "notification", + "log.offset": 3209, + "log.original": "access-list acl_in permitted tcp inside/10.0.0.46(49737) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.46", + "source.port": 49737, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2013-04-30T09:22:40.000Z", + "cisco.asa.destination_interface": "outside", + 
"cisco.asa.list_id": "acl_in", + "cisco.asa.message_id": "106100", + "cisco.asa.source_interface": "inside", + "destination.ip": "192.0.0.88", + "destination.port": 40443, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 5, + "fileset.name": "asa", + "input.type": "log", + "log.level": "notification", + "log.offset": 3370, + "log.original": "access-list acl_in permitted tcp inside/10.0.0.46(49738) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.46", + "source.port": 49738, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2013-04-30T09:22:41.000Z", + "cisco.asa.destination_interface": "outside", + "cisco.asa.list_id": "acl_in", + "cisco.asa.message_id": "106100", + "cisco.asa.source_interface": "inside", + "destination.ip": "192.0.0.88", + "destination.port": 40443, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 5, + "fileset.name": "asa", + "input.type": "log", + "log.level": "notification", + "log.offset": 3531, + "log.original": "access-list acl_in permitted tcp inside/10.0.0.46(49746) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.46", + "source.port": 49746, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2013-04-30T09:22:47.000Z", + "cisco.asa.destination_interface": "outside", + "cisco.asa.list_id": "acl_in", + "cisco.asa.message_id": "106100", + "cisco.asa.source_interface": "inside", + "destination.ip": "192.0.0.89", + "destination.port": 2000, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "allow", + 
"event.severity": 5, + "fileset.name": "asa", + "input.type": "log", + "log.level": "notification", + "log.offset": 3692, + "log.original": "access-list acl_in permitted tcp inside/10.0.0.16(2007) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.16", + "source.port": 2007, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2013-04-30T09:22:48.000Z", + "cisco.asa.destination_interface": "dmz", + "cisco.asa.list_id": "acl_in", + "cisco.asa.message_id": "106100", + "cisco.asa.source_interface": "inside", + "destination.ip": "192.168.33.31", + "destination.port": 25, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 5, + "fileset.name": "asa", + "input.type": "log", + "log.level": "notification", + "log.offset": 3851, + "log.original": "access-list acl_in permitted tcp inside/10.0.0.13(43013) -> dmz/192.168.33.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.13", + "source.port": 43013, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2013-04-30T09:22:56.000Z", + "cisco.asa.destination_interface": "outside", + "cisco.asa.list_id": "acl_in", + "cisco.asa.message_id": "106100", + "cisco.asa.source_interface": "inside", + "destination.ip": "192.0.0.89", + "destination.port": 2000, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 5, + "fileset.name": "asa", + "input.type": "log", + "log.level": "notification", + "log.offset": 4008, + "log.original": "access-list acl_in permitted tcp inside/10.0.0.16(2008) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.16", 
+ "source.port": 2008, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2013-04-30T09:23:02.000Z", + "cisco.asa.message_id": "106006", + "cisco.asa.source_interface": "inside", + "destination.ip": "10.1.2.42", + "destination.port": 137, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 2, + "fileset.name": "asa", + "input.type": "log", + "log.level": "critical", + "log.offset": 4167, + "log.original": "Deny inbound UDP from 192.0.2.66/137 to 10.1.2.42/137 on interface inside", + "network.direction": "inbound", + "network.transport": "udp", + "service.type": "cisco", + "source.ip": "192.0.2.66", + "source.port": 137, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2013-04-30T09:23:03.000Z", + "cisco.asa.message_id": "106007", + "destination.ip": "10.1.5.60", + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 2, + "fileset.name": "asa", + "input.type": "log", + "log.level": "critical", + "log.offset": 4278, + "log.original": "Deny inbound UDP from 192.0.2.66/12981 to 10.1.5.60/53 due to DNS Query", + "network.direction": "inbound", + "network.protocol": "dns", + "network.transport": "udp", + "service.type": "cisco", + "source.ip": "192.0.2.66", + "source.port": 12981, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2013-04-30T09:23:06.000Z", + "cisco.asa.destination_interface": "outside", + "cisco.asa.list_id": "acl_in", + "cisco.asa.message_id": "106100", + "cisco.asa.source_interface": "inside", + "destination.ip": "192.0.0.89", + "destination.port": 2000, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 5, + "fileset.name": "asa", + "input.type": "log", + "log.level": 
"notification", + "log.offset": 4387, + "log.original": "access-list acl_in permitted tcp inside/10.0.0.16(2009) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.16", + "source.port": 2009, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2013-04-30T09:23:08.000Z", + "cisco.asa.destination_interface": "outside", + "cisco.asa.list_id": "acl_in", + "cisco.asa.message_id": "106100", + "cisco.asa.source_interface": "inside", + "destination.ip": "192.0.0.88", + "destination.port": 40443, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 5, + "fileset.name": "asa", + "input.type": "log", + "log.level": "notification", + "log.offset": 4546, + "log.original": "access-list acl_in permitted tcp inside/10.0.0.46(49776) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.46", + "source.port": 49776, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2013-04-30T09:23:15.000Z", + "cisco.asa.destination_interface": "outside", + "cisco.asa.list_id": "acl_in", + "cisco.asa.message_id": "106100", + "cisco.asa.source_interface": "inside", + "destination.ip": "192.0.0.89", + "destination.port": 2000, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 5, + "fileset.name": "asa", + "input.type": "log", + "log.level": "notification", + "log.offset": 4707, + "log.original": "access-list acl_in permitted tcp inside/10.0.0.16(2010) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.16", + "source.port": 2010, + "tags": [ + "cisco-asa" + ] + }, + { + 
"@timestamp": "2013-04-30T09:23:24.000Z", + "cisco.asa.destination_interface": "outside", + "cisco.asa.list_id": "acl_in", + "cisco.asa.message_id": "106100", + "cisco.asa.source_interface": "inside", + "destination.ip": "192.0.0.89", + "destination.port": 2000, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 5, + "fileset.name": "asa", + "input.type": "log", + "log.level": "notification", + "log.offset": 4866, + "log.original": "access-list acl_in denied tcp inside/10.0.0.16(2011) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.16", + "source.port": 2011, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2013-04-30T09:23:34.000Z", + "cisco.asa.destination_interface": "outside", + "cisco.asa.list_id": "acl_in", + "cisco.asa.message_id": "106100", + "cisco.asa.source_interface": "inside", + "destination.ip": "192.0.0.89", + "destination.port": 2000, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 5, + "fileset.name": "asa", + "input.type": "log", + "log.level": "notification", + "log.offset": 5022, + "log.original": "access-list acl_in denied tcp inside/10.0.0.16(2012) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.16", + "source.port": 2012, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2013-04-30T09:23:40.000Z", + "cisco.asa.destination_interface": "inside", + "cisco.asa.list_id": "acl_out", + "cisco.asa.message_id": "106023", + "cisco.asa.source_interface": "outside", + "destination.ip": "10.0.0.132", + "destination.port": 8111, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": 
"cisco.asa", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "fileset.name": "asa", + "input.type": "log", + "log.level": "warning", + "log.offset": 5178, + "log.original": "Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "192.0.2.126", + "source.port": 53638, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2013-04-30T09:23:41.000Z", + "cisco.asa.destination_interface": "inside", + "cisco.asa.list_id": "acl_out", + "cisco.asa.message_id": "106023", + "cisco.asa.source_interface": "outside", + "destination.ip": "10.0.0.132", + "destination.port": 8111, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "fileset.name": "asa", + "input.type": "log", + "log.level": "warning", + "log.offset": 5325, + "log.original": "Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "192.0.2.126", + "source.port": 53638, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2013-04-30T09:23:43.000Z", + "cisco.asa.destination_interface": "outside", + "cisco.asa.list_id": "acl_in", + "cisco.asa.message_id": "106100", + "cisco.asa.source_interface": "inside", + "destination.ip": "192.0.0.88", + "destination.port": 40443, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 5, + "fileset.name": "asa", + "input.type": "log", + "log.level": "notification", + "log.offset": 5472, + "log.original": "access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.transport": "tcp", 
+ "service.type": "cisco", + "source.ip": "10.0.0.46", + "source.port": 49840, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2013-04-30T09:23:43.000Z", + "cisco.asa.destination_interface": "outside", + "cisco.asa.list_id": "acl_in", + "cisco.asa.message_id": "106100", + "cisco.asa.source_interface": "inside", + "destination.ip": "192.0.0.89", + "destination.port": 2000, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 5, + "fileset.name": "asa", + "input.type": "log", + "log.level": "notification", + "log.offset": 5635, + "log.original": "access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.16", + "source.port": 2013, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-04-15T13:34:34.000Z", + "cisco.asa.destination_interface": "outside", + "cisco.asa.list_id": "acl_in", + "cisco.asa.message_id": "106100", + "cisco.asa.source_interface": "inside", + "cisco.asa.suffix": "session", + "destination.ip": "192.0.0.99", + "destination.port": 2000, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 5, + "fileset.name": "asa", + "input.type": "log", + "log.level": "notification", + "log.offset": 5796, + "log.original": "access-list acl_in permitted tcp inside/10.0.0.16(2241) -> outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.16", + "source.port": 2241, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-12-11T08:01:24.000Z", + "cisco.asa.message_id": "302015", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": 
"cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 5967, + "log.original": "Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80)", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-12-11T08:01:24.000Z", + "cisco.asa.message_id": "302015", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 6141, + "log.original": "Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80port> (10.0.13.13/80)", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-12-11T08:01:24.000Z", + "cisco.asa.destination_interface": "outside", + "cisco.asa.list_id": "dmz", + "cisco.asa.message_id": "106023", + "cisco.asa.source_interface": "dmz", + "destination.ip": "192.0.0.12", + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "fileset.name": "asa", + "input.type": "log", + "log.level": "warning", + "log.offset": 6320, + "log.original": "Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", + "network.transport": "udp", + "service.type": "cisco", + "source.ip": "192.168.1.33", + "source.port": 5555, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-12-11T08:01:24.000Z", + "cisco.asa.destination_interface": "outside", + "cisco.asa.list_id": "dmz", + "cisco.asa.message_id": "106023", + "cisco.asa.source_interface": "dmz", + "destination.ip": "192.0.0.12", + "destination.port": 53, + "ecs.version": "1.0.0", + 
"event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "fileset.name": "asa", + "input.type": "log", + "log.level": "warning", + "log.offset": 6469, + "log.original": "Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", + "network.transport": "udp", + "service.type": "cisco", + "source.ip": "192.168.1.33", + "source.port": 5555, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-12-11T08:01:31.000Z", + "cisco.asa.message_id": "302013", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 6618, + "log.original": "Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-12-11T08:01:31.000Z", + "cisco.asa.message_id": "302013", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 6787, + "log.original": "Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-12-11T08:01:31.000Z", + "cisco.asa.connection_id": "447236", + "cisco.asa.destination_interface": "dmz", + "cisco.asa.message_id": "302014", + "cisco.asa.source_interface": "outside", + "destination.ip": "192.168.1.34", + "destination.port": 5678, + "ecs.version": "1.0.0", + "event.action": "flow-expiration", + "event.dataset": "cisco.asa", + "event.duration": 0, + 
"event.end": "2018-12-11T08:01:31.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-12-11T08:01:31.000Z", + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 6956, + "log.original": "Teardown TCP connection 447236 for outside:192.0.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs", + "network.bytes": 14804, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "192.0.2.222", + "source.port": 1234, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-12-11T08:01:38.000Z", + "cisco.asa.connection_id": "447234", + "cisco.asa.destination_interface": "dmz", + "cisco.asa.message_id": "302014", + "cisco.asa.source_interface": "outside", + "destination.ip": "192.168.1.35", + "destination.port": 5678, + "ecs.version": "1.0.0", + "event.action": "flow-expiration", + "event.dataset": "cisco.asa", + "event.duration": 68000000000, + "event.end": "2018-12-11T08:01:38.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-12-11T08:00:30.000Z", + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 7120, + "log.original": "Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", + "network.bytes": 134781, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "192.0.2.222", + "source.port": 1234, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-12-11T08:01:38.000Z", + "cisco.asa.connection_id": "447234", + "cisco.asa.destination_interface": "dmz", + "cisco.asa.message_id": "302014", + "cisco.asa.source_interface": "outside", + "destination.ip": "192.168.1.35", + "destination.port": 5678, + "ecs.version": "1.0.0", + "event.action": "flow-expiration", + "event.dataset": "cisco.asa", + "event.duration": 68000000000, + "event.end": "2018-12-11T08:01:38.000Z", + "event.module": "cisco", + 
"event.severity": 6, + "event.start": "2018-12-11T08:00:30.000Z", + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 7285, + "log.original": "Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", + "network.bytes": 134781, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "192.0.2.222", + "source.port": 1234, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-12-11T08:01:38.000Z", + "cisco.asa.message_id": "106015", + "cisco.asa.source_interface": "outside", + "destination.ip": "192.168.1.34", + "destination.port": 5679, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 7450, + "log.original": "Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "192.0.2.222", + "source.port": 1234, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-12-11T08:01:38.000Z", + "cisco.asa.message_id": "106015", + "cisco.asa.source_interface": "outside", + "destination.ip": "192.168.1.34", + "destination.port": 5679, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 7591, + "log.original": "Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "192.0.2.222", + "source.port": 1234, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-12-11T08:01:39.000Z", + 
"cisco.asa.destination_interface": "outside", + "cisco.asa.list_id": "dmz", + "cisco.asa.message_id": "106023", + "cisco.asa.source_interface": "dmz", + "destination.ip": "192.0.0.12", + "destination.port": 5000, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "fileset.name": "asa", + "input.type": "log", + "log.level": "warning", + "log.offset": 7732, + "log.original": "Deny udp src dmz:192.168.1.34/5679 dst outside:192.0.0.12/5000 by access-group \"dmz\" [0x123a465e, 0x8c20f21]", + "network.transport": "udp", + "service.type": "cisco", + "source.ip": "192.168.1.34", + "source.port": 5679, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-12-11T08:01:53.000Z", + "cisco.asa.message_id": "302013", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 7882, + "log.original": "Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-12-11T08:01:53.000Z", + "cisco.asa.message_id": "302013", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.severity": 6, + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 8055, + "log.original": "Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", + "service.type": "cisco", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2018-12-11T08:01:53.000Z", + "cisco.asa.connection_id": "447237", + "cisco.asa.destination_interface": "dmz", + 
"cisco.asa.message_id": "302014", + "cisco.asa.source_interface": "outside", + "destination.ip": "10.10.10.10", + "destination.port": 1235, + "ecs.version": "1.0.0", + "event.action": "flow-expiration", + "event.dataset": "cisco.asa", + "event.duration": 86399000000000, + "event.end": "2018-12-11T08:01:53.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-12-10T08:01:54.000Z", + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 8228, + "log.original": "Teardown TCP connection 447237 for outside:192.0.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs", + "network.bytes": 11420, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "192.0.2.222", + "source.port": 1234, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2012-08-15T23:30:09.000Z", + "cisco.asa.connection_id": "40", + "cisco.asa.destination_interface": "inside", + "cisco.asa.message_id": "302016", + "cisco.asa.source_interface": "outside", + "destination.ip": "10.44.2.2", + "destination.port": 500, + "ecs.version": "1.0.0", + "event.action": "flow-expiration", + "event.dataset": "cisco.asa", + "event.duration": 122000000000, + "event.end": "2012-08-15T23:30:09.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2012-08-15T23:28:07.000Z", + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 8392, + "log.original": "Teardown UDP connection 40 for outside:10.44.4.4/500 to inside:10.44.2.2/500 duration 0:02:02 bytes 1416", + "network.bytes": 1416, + "network.transport": "udp", + "service.type": "cisco", + "source.ip": "10.44.4.4", + "source.port": 500, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2014-09-12T06:50:53.000Z", + "cisco.asa.message_id": "106016", + "cisco.asa.source_interface": "Mobile_Traffic", + "destination.ip": "192.88.99.47", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + 
"event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 2, + "fileset.name": "asa", + "input.type": "log", + "log.level": "critical", + "log.offset": 8533, + "log.original": "Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", + "service.type": "cisco", + "source.ip": "0.0.0.0", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2014-09-12T06:51:01.000Z", + "cisco.asa.message_id": "106016", + "cisco.asa.source_interface": "Mobile_Traffic", + "destination.ip": "192.88.99.57", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 2, + "fileset.name": "asa", + "input.type": "log", + "log.level": "critical", + "log.offset": 8654, + "log.original": "Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", + "service.type": "cisco", + "source.ip": "0.0.0.0", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2014-09-12T06:51:05.000Z", + "cisco.asa.message_id": "106016", + "cisco.asa.source_interface": "Mobile_Traffic", + "destination.ip": "192.88.99.47", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 2, + "fileset.name": "asa", + "input.type": "log", + "log.level": "critical", + "log.offset": 8775, + "log.original": "Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", + "service.type": "cisco", + "source.ip": "0.0.0.0", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2014-09-12T06:51:05.000Z", + "cisco.asa.message_id": "106016", + "cisco.asa.source_interface": "Mobile_Traffic", + "destination.ip": "192.88.99.47", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 2, + "fileset.name": "asa", + 
"input.type": "log", + "log.level": "critical", + "log.offset": 8896, + "log.original": "Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", + "service.type": "cisco", + "source.ip": "0.0.0.0", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2014-09-12T06:51:06.000Z", + "cisco.asa.message_id": "106016", + "cisco.asa.source_interface": "Mobile_Traffic", + "destination.ip": "192.88.99.57", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 2, + "fileset.name": "asa", + "input.type": "log", + "log.level": "critical", + "log.offset": 9017, + "log.original": "Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", + "service.type": "cisco", + "source.ip": "0.0.0.0", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2014-09-12T06:51:17.000Z", + "cisco.asa.message_id": "106016", + "cisco.asa.source_interface": "Mobile_Traffic", + "destination.ip": "192.88.99.57", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 2, + "fileset.name": "asa", + "input.type": "log", + "log.level": "critical", + "log.offset": 9138, + "log.original": "Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", + "service.type": "cisco", + "source.ip": "0.0.0.0", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2014-09-12T06:52:48.000Z", + "cisco.asa.message_id": "106016", + "cisco.asa.source_interface": "Mobile_Traffic", + "destination.ip": "192.168.1.255", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 2, + "fileset.name": "asa", + "input.type": "log", + "log.level": "critical", + "log.offset": 9259, + "log.original": "Deny IP spoof from (0.0.0.0) to 192.168.1.255 on 
interface Mobile_Traffic", + "service.type": "cisco", + "source.ip": "0.0.0.0", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2014-09-12T06:53:00.000Z", + "cisco.asa.message_id": "106016", + "cisco.asa.source_interface": "Mobile_Traffic", + "destination.ip": "192.168.1.255", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 2, + "fileset.name": "asa", + "input.type": "log", + "log.level": "critical", + "log.offset": 9381, + "log.original": "Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", + "service.type": "cisco", + "source.ip": "0.0.0.0", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2014-09-12T06:53:01.000Z", + "cisco.asa.destination_interface": "inside", + "cisco.asa.list_id": "PERMIT_IN", + "cisco.asa.message_id": "106023", + "cisco.asa.source_interface": "outside", + "destination.ip": "10.32.112.125", + "destination.port": 25, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "fileset.name": "asa", + "input.type": "log", + "log.level": "warning", + "log.offset": 9503, + "log.original": "Deny tcp src outside:192.0.2.95/24069 dst inside:10.32.112.125/25 by access-group \"PERMIT_IN\" [0x0, 0x0]\"", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "192.0.2.95", + "source.port": 24069, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2014-09-12T06:53:02.000Z", + "cisco.asa.icmp_code": 3, + "cisco.asa.icmp_type": 3, + "cisco.asa.message_id": "313001", + "cisco.asa.source_interface": "Outside", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 3, + "fileset.name": "asa", + "input.type": "log", + "log.level": "error", + "log.offset": 9657, + 
"log.original": "Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside", + "network.transport": "icmp", + "service.type": "cisco", + "source.ip": "10.2.3.5", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2015-01-14T13:16:13.000Z", + "cisco.asa.icmp_type": 0, + "cisco.asa.message_id": "313004", + "cisco.asa.source_interface": "inside", + "destination.ip": "172.16.1.10", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "fileset.name": "asa", + "input.type": "log", + "log.level": "warning", + "log.offset": 9767, + "log.original": "Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session", + "network.transport": "icmp", + "service.type": "cisco", + "source.ip": "172.16.30.2", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2015-01-14T13:16:14.000Z", + "cisco.asa.destination_interface": "outside", + "cisco.asa.list_id": "dynamic", + "cisco.asa.mapped_destination_ip": "192.88.99.129", + "cisco.asa.mapped_destination_port": 80, + "cisco.asa.mapped_source_ip": "192.88.99.1", + "cisco.asa.mapped_source_port": 7890, + "cisco.asa.message_id": "338002", + "cisco.asa.source_interface": "inside", + "destination.domain": "bad.example.com", + "destination.ip": "192.88.99.129", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 4, + "fileset.name": "asa", + "input.type": "log", + "log.level": "warning", + "log.offset": 9903, + "log.original": "Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.88.99.1/7890) to outside:192.88.99.129/80 (192.88.99.129/80), destination 192.88.99.129 resolved from dynamic list: bad.example.com", + "network.transport": "tcp", + "server.domain": "bad.example.com", + "service.type": "cisco", + 
"source.ip": "10.1.1.45", + "source.port": 6798, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2015-01-14T13:16:14.000Z", + "cisco.asa.destination_interface": "outsidet", + "cisco.asa.list_id": "dynamic", + "cisco.asa.mapped_destination_ip": "192.0.2.223", + "cisco.asa.mapped_destination_port": 80, + "cisco.asa.mapped_source_ip": "10.2.1.1", + "cisco.asa.mapped_source_port": 33340, + "cisco.asa.message_id": "338004", + "cisco.asa.source_interface": "inside", + "cisco.asa.threat_category": "Malware", + "cisco.asa.threat_level": "very-high", + "destination.ip": "192.0.2.223", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "monitored", + "event.severity": 4, + "fileset.name": "asa", + "input.type": "log", + "log.level": "warning", + "log.offset": 10154, + "log.original": "Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.1.1.1", + "source.port": 33340, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2015-01-14T13:16:14.000Z", + "cisco.asa.destination_interface": "outsidet", + "cisco.asa.list_id": "dynamic", + "cisco.asa.mapped_destination_ip": "192.0.2.223", + "cisco.asa.mapped_destination_port": 80, + "cisco.asa.mapped_source_ip": "10.2.1.1", + "cisco.asa.mapped_source_port": 33340, + "cisco.asa.message_id": "338008", + "cisco.asa.source_interface": "inside", + "cisco.asa.threat_category": "Malware", + "cisco.asa.threat_level": "very-high", + "destination.ip": "192.0.2.223", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "deny", + 
"event.severity": 4, + "fileset.name": "asa", + "input.type": "log", + "log.level": "warning", + "log.offset": 10453, + "log.original": "Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.1.1.1", + "source.port": 33340, + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2009-11-16T14:12:35.000Z", + "cisco.asa.message_id": "304001", + "destination.ip": "192.0.2.1", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 5, + "fileset.name": "asa", + "input.type": "log", + "log.level": "notification", + "log.offset": 10750, + "log.original": "10.30.30.30 Accessed URL 192.0.2.1:/app", + "service.type": "cisco", + "source.ip": "10.30.30.30", + "tags": [ + "cisco-asa" + ], + "url.original": "/app" + }, + { + "@timestamp": "2009-11-16T14:12:36.000Z", + "cisco.asa.message_id": "304001", + "destination.ip": "192.0.2.32", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 5, + "fileset.name": "asa", + "input.type": "log", + "log.level": "notification", + "log.offset": 10827, + "log.original": "10.5.111.32 Accessed URL 192.0.2.32:http://example.com", + "service.type": "cisco", + "source.ip": "10.5.111.32", + "tags": [ + "cisco-asa" + ], + "url.original": "http://example.com" + }, + { + "@timestamp": "2009-11-16T14:12:37.000Z", + "cisco.asa.message_id": "304002", + "cisco.asa.source_interface": "inside", + "destination.ip": "192.0.0.19", + "ecs.version": "1.0.0", + "event.action": "firewall-rule", + "event.dataset": "cisco.asa", + "event.module": "cisco", + 
"event.outcome": "deny",
+ "event.severity": 5,
+ "fileset.name": "asa",
+ "input.type": "log",
+ "log.level": "notification",
+ "log.offset": 10919,
+ "log.original": "Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside",
+ "service.type": "cisco",
+ "source.ip": "10.69.6.39",
+ "tags": [
+ "cisco-asa"
+ ],
+ "url.original": "http://www.example.net/images/favicon.ico"
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cisco/fields.go b/x-pack/filebeat/module/cisco/fields.go
new file mode 100644
index 000000000000..fa1a83ef6b37
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/fields.go
@@ -0,0 +1,23 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT.
+
+package cisco
+
+import (
+ "github.com/elastic/beats/libbeat/asset"
+)
+
+func init() {
+ if err := asset.SetFields("filebeat", "cisco", asset.ModuleFieldsPri, AssetCisco); err != nil {
+ panic(err)
+ }
+}
+
+// AssetCisco returns asset data.
+// This is the base64 encoded gzipped contents of module/cisco.
+func AssetCisco() string {
+ return "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"
+}
diff --git a/x-pack/filebeat/module/cisco/module.yml b/x-pack/filebeat/module/cisco/module.yml
new file mode 100644
index 000000000000..b3a9249a617d
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/module.yml
@@ -0,0 +1,3 @@
+dashboards:
+- id: a555b160-4987-11e9-b8ce-ed898b5ef295
+ file: Filebeat-Cisco-ASA.json