-
Notifications
You must be signed in to change notification settings - Fork 4.9k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fix Cisco ASA/FTD msgs that use a host name as NAT address (#18376)
Sometimes the mapped source/destination IP field of an event is a hostname instead of an IP address. This caused ingestion of the event to fail. This patch makes the asa-ftd-pipeline to only populate those fields when a valid IP address is found. In the future we may want to revisit this if .nat.domain or .nat.address fields become available.
- Loading branch information
Showing
10 changed files
with
277 additions
and
20 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1,3 @@ | ||
<165>Oct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.0.2.244(27218) -> OUTSIDE/203.0.113.42(53) hit-cnt 1 first hit [0x16847359, 0x00000000] | ||
Jan 1 2020 10:42:53 localhost : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233 | ||
Jan 2 2020 11:33:20 localhost : %ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
<165>Oct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.0.2.244(27218) -> OUTSIDE/203.0.113.42(53) hit-cnt 1 first hit [0x16847359, 0x00000000] | ||
Jan 1 2020 10:42:53 localhost : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233 | ||
Jan 2 2020 11:33:20 localhost : %ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware |
103 changes: 103 additions & 0 deletions
103
x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,103 @@ | ||
[ | ||
{ | ||
"@timestamp": "2019-10-04T15:27:55.000-02:00", | ||
"cisco.ftd.destination_interface": "OUTSIDE", | ||
"cisco.ftd.message_id": "106100", | ||
"cisco.ftd.rule_name": "AL-DMZ-LB-IN", | ||
"cisco.ftd.source_interface": "LB-DMZ", | ||
"destination.address": "203.0.113.42", | ||
"destination.ip": "203.0.113.42", | ||
"destination.port": 53, | ||
"event.action": "firewall-rule", | ||
"event.code": 106100, | ||
"event.dataset": "cisco.ftd", | ||
"event.module": "cisco", | ||
"event.original": "%ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.0.2.244(27218) -> OUTSIDE/203.0.113.42(53) hit-cnt 1 first hit [0x16847359, 0x00000000]", | ||
"event.outcome": "deny", | ||
"event.severity": 5, | ||
"event.timezone": "-02:00", | ||
"fileset.name": "ftd", | ||
"input.type": "log", | ||
"log.level": "notification", | ||
"log.offset": 0, | ||
"network.iana_number": 6, | ||
"network.transport": "tcp", | ||
"service.type": "cisco", | ||
"source.address": "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244", | ||
"source.domain": "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244", | ||
"source.port": 27218, | ||
"syslog.facility": 165, | ||
"tags": [ | ||
"cisco-ftd" | ||
] | ||
}, | ||
{ | ||
"@timestamp": "2020-01-01T10:42:53.000-02:00", | ||
"cisco.ftd.mapped_source_host": "mydomain.example.net", | ||
"cisco.ftd.message_id": "302021", | ||
"destination.address": "172.24.177.29", | ||
"destination.ip": "172.24.177.29", | ||
"event.action": "flow-expiration", | ||
"event.code": 302021, | ||
"event.dataset": "cisco.ftd", | ||
"event.module": "cisco", | ||
"event.original": "%ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233", | ||
"event.severity": 6, | ||
"event.timezone": "-02:00", | ||
"fileset.name": "ftd", | ||
"host.hostname": "localhost", | ||
"input.type": "log", | ||
"log.level": "informational", | ||
"log.offset": 201, | ||
"network.iana_number": 1, | ||
"network.transport": "icmp", | ||
"service.type": "cisco", | ||
"source.address": "192.168.132.46", | ||
"source.ip": "192.168.132.46", | ||
"tags": [ | ||
"cisco-ftd" | ||
] | ||
}, | ||
{ | ||
"@timestamp": "2020-01-02T11:33:20.000-02:00", | ||
"cisco.ftd.destination_interface": "wan", | ||
"cisco.ftd.mapped_destination_host": "www.example.org", | ||
"cisco.ftd.mapped_destination_port": 80, | ||
"cisco.ftd.mapped_source_host": "source.example.net", | ||
"cisco.ftd.mapped_source_port": 11234, | ||
"cisco.ftd.message_id": "338204", | ||
"cisco.ftd.rule_name": "dynamic", | ||
"cisco.ftd.source_interface": "eth0", | ||
"cisco.ftd.threat_category": "malware", | ||
"cisco.ftd.threat_level": "high", | ||
"destination.address": "172.24.177.3", | ||
"destination.domain": "example.org", | ||
"destination.ip": "172.24.177.3", | ||
"destination.nat.port": "80", | ||
"destination.port": 80, | ||
"event.action": "firewall-rule", | ||
"event.code": 338204, | ||
"event.dataset": "cisco.ftd", | ||
"event.module": "cisco", | ||
"event.original": "%ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware", | ||
"event.outcome": "deny", | ||
"event.severity": 4, | ||
"event.timezone": "-02:00", | ||
"fileset.name": "ftd", | ||
"host.hostname": "localhost", | ||
"input.type": "log", | ||
"log.level": "warning", | ||
"log.offset": 360, | ||
"network.iana_number": 6, | ||
"network.transport": "tcp", | ||
"server.domain": "example.org", | ||
"service.type": "cisco", | ||
"source.address": "10.10.10.1", | ||
"source.ip": "10.10.10.1", | ||
"source.nat.port": "11234", | ||
"source.port": 1234, | ||
"tags": [ | ||
"cisco-ftd" | ||
] | ||
} | ||
] |
Oops, something went wrong.