Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cherry-pick #18376 to 7.7: Fix Cisco ASA/FTD msgs that use a host name as NAT address #18546

Merged
merged 2 commits into from
May 15, 2020
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -130,6 +130,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Improve cisco asa and ftd pipelines' failure handler to avoid mapping temporary fields. {issue}18391[18391] {pull}18392[18392]
- Fix `googlecloud.audit` pipeline to only take in fields that are explicitly defined by the dataset. {issue}18465[18465] {pull}18472[18472]
- Fix a rate limit related issue in httpjson input for Okta module. {issue}18530[18530] {pull}18534[18534]
- Fixed ingestion of some Cisco ASA and FTD messages when a hostname was used instead of an IP for NAT fields. {issue}14034[14034] {pull}18376[18376]

*Heartbeat*

Expand Down
40 changes: 40 additions & 0 deletions filebeat/docs/fields.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -5469,6 +5469,16 @@ type: ip

--

*`cisco.asa.mapped_source_host`*::
+
--
The translated source host.


type: keyword

--

*`cisco.asa.mapped_source_port`*::
+
--
Expand All @@ -5489,6 +5499,16 @@ type: ip

--

*`cisco.asa.mapped_destination_host`*::
+
--
The translated destination host.


type: keyword

--

*`cisco.asa.mapped_destination_port`*::
+
--
Expand Down Expand Up @@ -5658,6 +5678,16 @@ type: ip

--

*`cisco.ftd.mapped_source_host`*::
+
--
The translated source host.


type: keyword

--

*`cisco.ftd.mapped_source_port`*::
+
--
Expand All @@ -5678,6 +5708,16 @@ type: ip

--

*`cisco.ftd.mapped_destination_host`*::
+
--
The translated destination host.


type: keyword

--

*`cisco.ftd.mapped_destination_port`*::
+
--
Expand Down
12 changes: 12 additions & 0 deletions x-pack/filebeat/module/cisco/asa/_meta/fields.yml
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,12 @@
description: >
The translated source IP address.

- name: mapped_source_host
type: keyword
default_field: false
description: >
The translated source host.

- name: mapped_source_port
type: long
description: >
Expand All @@ -54,6 +60,12 @@
description: >
The translated destination IP address.

- name: mapped_destination_host
type: keyword
default_field: false
description: >
The translated destination host.

- name: mapped_destination_port
type: long
description: >
Expand Down
2 changes: 2 additions & 0 deletions x-pack/filebeat/module/cisco/asa/test/not-ip.log
Original file line number Diff line number Diff line change
@@ -1 +1,3 @@
<165>Oct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.0.2.244(27218) -> OUTSIDE/203.0.113.42(53) hit-cnt 1 first hit [0x16847359, 0x00000000]
Jan 1 2020 10:42:53 localhost : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233
Jan 2 2020 11:33:20 localhost : %ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware
71 changes: 71 additions & 0 deletions x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json
Original file line number Diff line number Diff line change
Expand Up @@ -31,5 +31,76 @@
"tags": [
"cisco-asa"
]
},
{
"@timestamp": "2020-01-01T10:42:53.000-02:00",
"cisco.asa.mapped_source_host": "mydomain.example.net",
"cisco.asa.message_id": "302021",
"destination.address": "172.24.177.29",
"destination.ip": "172.24.177.29",
"event.action": "flow-expiration",
"event.code": 302021,
"event.dataset": "cisco.asa",
"event.module": "cisco",
"event.original": "%ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233",
"event.severity": 6,
"event.timezone": "-02:00",
"fileset.name": "asa",
"host.hostname": "localhost",
"input.type": "log",
"log.file.path": "not-ip.log",
"log.level": "informational",
"log.offset": 201,
"network.iana_number": 1,
"network.transport": "icmp",
"service.type": "cisco",
"source.address": "192.168.132.46",
"source.ip": "192.168.132.46",
"tags": [
"cisco-asa"
]
},
{
"@timestamp": "2020-01-02T11:33:20.000-02:00",
"cisco.asa.destination_interface": "wan",
"cisco.asa.mapped_destination_host": "www.example.org",
"cisco.asa.mapped_destination_port": 80,
"cisco.asa.mapped_source_host": "source.example.net",
"cisco.asa.mapped_source_port": 11234,
"cisco.asa.message_id": "338204",
"cisco.asa.rule_name": "dynamic",
"cisco.asa.source_interface": "eth0",
"cisco.asa.threat_category": "malware",
"cisco.asa.threat_level": "high",
"destination.address": "172.24.177.3",
"destination.domain": "example.org",
"destination.ip": "172.24.177.3",
"destination.nat.port": "80",
"destination.port": 80,
"event.action": "firewall-rule",
"event.code": 338204,
"event.dataset": "cisco.asa",
"event.module": "cisco",
"event.original": "%ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware",
"event.outcome": "deny",
"event.severity": 4,
"event.timezone": "-02:00",
"fileset.name": "asa",
"host.hostname": "localhost",
"input.type": "log",
"log.file.path": "not-ip.log",
"log.level": "warning",
"log.offset": 360,
"network.iana_number": 6,
"network.transport": "tcp",
"server.domain": "example.org",
"service.type": "cisco",
"source.address": "10.10.10.1",
"source.ip": "10.10.10.1",
"source.nat.port": "11234",
"source.port": 1234,
"tags": [
"cisco-asa"
]
}
]
2 changes: 1 addition & 1 deletion x-pack/filebeat/module/cisco/fields.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

14 changes: 13 additions & 1 deletion x-pack/filebeat/module/cisco/ftd/_meta/fields.yml
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,12 @@
description: >
The translated source IP address. Use ECS source.nat.ip.

- name: mapped_source_host
type: keyword
default_field: false
description: >
The translated source host.

- name: mapped_source_port
type: long
description: >
Expand All @@ -54,6 +60,12 @@
description: >
The translated destination IP address. Use ECS destination.nat.ip.

- name: mapped_destination_host
type: keyword
default_field: false
description: >
The translated destination host.

- name: mapped_destination_port
type: long
description: >
Expand Down Expand Up @@ -90,7 +102,7 @@
type: object
description:
Raw fields for Security Events.

- name: connection_type
type: keyword
default_field: false
Expand Down
3 changes: 3 additions & 0 deletions x-pack/filebeat/module/cisco/ftd/test/not-ip.log
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
<165>Oct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.0.2.244(27218) -> OUTSIDE/203.0.113.42(53) hit-cnt 1 first hit [0x16847359, 0x00000000]
Jan 1 2020 10:42:53 localhost : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233
Jan 2 2020 11:33:20 localhost : %ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware
103 changes: 103 additions & 0 deletions x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,103 @@
[
{
"@timestamp": "2019-10-04T15:27:55.000-02:00",
"cisco.ftd.destination_interface": "OUTSIDE",
"cisco.ftd.message_id": "106100",
"cisco.ftd.rule_name": "AL-DMZ-LB-IN",
"cisco.ftd.source_interface": "LB-DMZ",
"destination.address": "203.0.113.42",
"destination.ip": "203.0.113.42",
"destination.port": 53,
"event.action": "firewall-rule",
"event.code": 106100,
"event.dataset": "cisco.ftd",
"event.module": "cisco",
"event.original": "%ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.0.2.244(27218) -> OUTSIDE/203.0.113.42(53) hit-cnt 1 first hit [0x16847359, 0x00000000]",
"event.outcome": "deny",
"event.severity": 5,
"event.timezone": "-02:00",
"fileset.name": "ftd",
"input.type": "log",
"log.level": "notification",
"log.offset": 0,
"network.iana_number": 6,
"network.transport": "tcp",
"service.type": "cisco",
"source.address": "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244",
"source.domain": "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244",
"source.port": 27218,
"syslog.facility": 165,
"tags": [
"cisco-ftd"
]
},
{
"@timestamp": "2020-01-01T10:42:53.000-02:00",
"cisco.ftd.mapped_source_host": "mydomain.example.net",
"cisco.ftd.message_id": "302021",
"destination.address": "172.24.177.29",
"destination.ip": "172.24.177.29",
"event.action": "flow-expiration",
"event.code": 302021,
"event.dataset": "cisco.ftd",
"event.module": "cisco",
"event.original": "%ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233",
"event.severity": 6,
"event.timezone": "-02:00",
"fileset.name": "ftd",
"host.hostname": "localhost",
"input.type": "log",
"log.level": "informational",
"log.offset": 201,
"network.iana_number": 1,
"network.transport": "icmp",
"service.type": "cisco",
"source.address": "192.168.132.46",
"source.ip": "192.168.132.46",
"tags": [
"cisco-ftd"
]
},
{
"@timestamp": "2020-01-02T11:33:20.000-02:00",
"cisco.ftd.destination_interface": "wan",
"cisco.ftd.mapped_destination_host": "www.example.org",
"cisco.ftd.mapped_destination_port": 80,
"cisco.ftd.mapped_source_host": "source.example.net",
"cisco.ftd.mapped_source_port": 11234,
"cisco.ftd.message_id": "338204",
"cisco.ftd.rule_name": "dynamic",
"cisco.ftd.source_interface": "eth0",
"cisco.ftd.threat_category": "malware",
"cisco.ftd.threat_level": "high",
"destination.address": "172.24.177.3",
"destination.domain": "example.org",
"destination.ip": "172.24.177.3",
"destination.nat.port": "80",
"destination.port": 80,
"event.action": "firewall-rule",
"event.code": 338204,
"event.dataset": "cisco.ftd",
"event.module": "cisco",
"event.original": "%ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware",
"event.outcome": "deny",
"event.severity": 4,
"event.timezone": "-02:00",
"fileset.name": "ftd",
"host.hostname": "localhost",
"input.type": "log",
"log.level": "warning",
"log.offset": 360,
"network.iana_number": 6,
"network.transport": "tcp",
"server.domain": "example.org",
"service.type": "cisco",
"source.address": "10.10.10.1",
"source.ip": "10.10.10.1",
"source.nat.port": "11234",
"source.port": 1234,
"tags": [
"cisco-ftd"
]
}
]
Loading