Cherry-pick #18376 to 7.7: Fix Cisco ASA/FTD msgs that use a host name as NAT address

CHANGELOG.next.asciidoc

@@ -128,6 +128,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fixed typo in log message. {pull}17897[17897]
 - Unescape file name from SQS message. {pull}18370[18370]
 - Improve cisco asa and ftd pipelines' failure handler to avoid mapping temporary fields. {issue}18391[18391] {pull}18392[18392]
+- Fixed ingestion of some Cisco ASA and FTD messages when a hostname was used instead of an IP for NAT fields. {issue}14034[14034] {pull}18376[18376]
 
 *Heartbeat*
 

filebeat/docs/fields.asciidoc

@@ -5469,6 +5469,16 @@ type: ip
 
 --
 
+*`cisco.asa.mapped_source_host`*::
++
+--
+The translated source host.
+
+
+type: keyword
+
+--
+
 *`cisco.asa.mapped_source_port`*::
 +
 --
@@ -5489,6 +5499,16 @@ type: ip
 
 --
 
+*`cisco.asa.mapped_destination_host`*::
++
+--
+The translated destination host.
+
+
+type: keyword
+
+--
+
 *`cisco.asa.mapped_destination_port`*::
 +
 --
@@ -5658,6 +5678,16 @@ type: ip
 
 --
 
+*`cisco.ftd.mapped_source_host`*::
++
+--
+The translated source host.
+
+
+type: keyword
+
+--
+
 *`cisco.ftd.mapped_source_port`*::
 +
 --
@@ -5678,6 +5708,16 @@ type: ip
 
 --
 
+*`cisco.ftd.mapped_destination_host`*::
++
+--
+The translated destination host.
+
+
+type: keyword
+
+--
+
 *`cisco.ftd.mapped_destination_port`*::
 +
 --

x-pack/filebeat/module/cisco/asa/_meta/fields.yml

@@ -44,6 +44,12 @@
     description: >
       The translated source IP address.
 
+  - name: mapped_source_host
+    type: keyword
+    default_field: false
+    description: >
+      The translated source host.
+
   - name: mapped_source_port
     type: long
     description: >
@@ -54,6 +60,12 @@
     description: >
       The translated destination IP address.
 
+  - name: mapped_destination_host
+    type: keyword
+    default_field: false
+    description: >
+      The translated destination host.
+
   - name: mapped_destination_port
     type: long
     description: >

x-pack/filebeat/module/cisco/asa/test/not-ip.log

@@ -1 +1,3 @@
 <165>Oct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.0.2.244(27218) -> OUTSIDE/203.0.113.42(53) hit-cnt 1 first hit [0x16847359, 0x00000000]
+Jan  1 2020 10:42:53 localhost : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233
+Jan  2 2020 11:33:20 localhost : %ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware

x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json

@@ -31,5 +31,76 @@
         "tags": [
             "cisco-asa"
         ]
+    },
+    {
+        "@timestamp": "2020-01-01T10:42:53.000-02:00",
+        "cisco.asa.mapped_source_host": "mydomain.example.net",
+        "cisco.asa.message_id": "302021",
+        "destination.address": "172.24.177.29",
+        "destination.ip": "172.24.177.29",
+        "event.action": "flow-expiration",
+        "event.code": 302021,
+        "event.dataset": "cisco.asa",
+        "event.module": "cisco",
+        "event.original": "%ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233",
+        "event.severity": 6,
+        "event.timezone": "-02:00",
+        "fileset.name": "asa",
+        "host.hostname": "localhost",
+        "input.type": "log",
+        "log.file.path": "not-ip.log",
+        "log.level": "informational",
+        "log.offset": 201,
+        "network.iana_number": 1,
+        "network.transport": "icmp",
+        "service.type": "cisco",
+        "source.address": "192.168.132.46",
+        "source.ip": "192.168.132.46",
+        "tags": [
+            "cisco-asa"
+        ]
+    },
+    {
+        "@timestamp": "2020-01-02T11:33:20.000-02:00",
+        "cisco.asa.destination_interface": "wan",
+        "cisco.asa.mapped_destination_host": "www.example.org",
+        "cisco.asa.mapped_destination_port": 80,
+        "cisco.asa.mapped_source_host": "source.example.net",
+        "cisco.asa.mapped_source_port": 11234,
+        "cisco.asa.message_id": "338204",
+        "cisco.asa.rule_name": "dynamic",
+        "cisco.asa.source_interface": "eth0",
+        "cisco.asa.threat_category": "malware",
+        "cisco.asa.threat_level": "high",
+        "destination.address": "172.24.177.3",
+        "destination.domain": "example.org",
+        "destination.ip": "172.24.177.3",
+        "destination.nat.port": "80",
+        "destination.port": 80,
+        "event.action": "firewall-rule",
+        "event.code": 338204,
+        "event.dataset": "cisco.asa",
+        "event.module": "cisco",
+        "event.original": "%ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware",
+        "event.outcome": "deny",
+        "event.severity": 4,
+        "event.timezone": "-02:00",
+        "fileset.name": "asa",
+        "host.hostname": "localhost",
+        "input.type": "log",
+        "log.file.path": "not-ip.log",
+        "log.level": "warning",
+        "log.offset": 360,
+        "network.iana_number": 6,
+        "network.transport": "tcp",
+        "server.domain": "example.org",
+        "service.type": "cisco",
+        "source.address": "10.10.10.1",
+        "source.ip": "10.10.10.1",
+        "source.nat.port": "11234",
+        "source.port": 1234,
+        "tags": [
+            "cisco-asa"
+        ]
     }
 ]

x-pack/filebeat/module/cisco/ftd/_meta/fields.yml

@@ -44,6 +44,12 @@
     description: >
       The translated source IP address. Use ECS source.nat.ip.
 
+  - name: mapped_source_host
+    type: keyword
+    default_field: false
+    description: >
+      The translated source host.
+
   - name: mapped_source_port
     type: long
     description: >
@@ -54,6 +60,12 @@
     description: >
       The translated destination IP address. Use ECS destination.nat.ip.
 
+  - name: mapped_destination_host
+    type: keyword
+    default_field: false
+    description: >
+      The translated destination host.
+
   - name: mapped_destination_port
     type: long
     description: >
@@ -90,7 +102,7 @@
     type: object
     description:
       Raw fields for Security Events.
-  
+
   - name: connection_type
     type: keyword
     default_field: false

x-pack/filebeat/module/cisco/ftd/test/not-ip.log

@@ -0,0 +1,3 @@
+<165>Oct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.0.2.244(27218) -> OUTSIDE/203.0.113.42(53) hit-cnt 1 first hit [0x16847359, 0x00000000]
+Jan  1 2020 10:42:53 localhost : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233
+Jan  2 2020 11:33:20 localhost : %ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware

x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json

@@ -0,0 +1,103 @@
+[
+    {
+        "@timestamp": "2019-10-04T15:27:55.000-02:00",
+        "cisco.ftd.destination_interface": "OUTSIDE",
+        "cisco.ftd.message_id": "106100",
+        "cisco.ftd.rule_name": "AL-DMZ-LB-IN",
+        "cisco.ftd.source_interface": "LB-DMZ",
+        "destination.address": "203.0.113.42",
+        "destination.ip": "203.0.113.42",
+        "destination.port": 53,
+        "event.action": "firewall-rule",
+        "event.code": 106100,
+        "event.dataset": "cisco.ftd",
+        "event.module": "cisco",
+        "event.original": "%ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.0.2.244(27218) -> OUTSIDE/203.0.113.42(53) hit-cnt 1 first hit [0x16847359, 0x00000000]",
+        "event.outcome": "deny",
+        "event.severity": 5,
+        "event.timezone": "-02:00",
+        "fileset.name": "ftd",
+        "input.type": "log",
+        "log.level": "notification",
+        "log.offset": 0,
+        "network.iana_number": 6,
+        "network.transport": "tcp",
+        "service.type": "cisco",
+        "source.address": "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244",
+        "source.domain": "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244",
+        "source.port": 27218,
+        "syslog.facility": 165,
+        "tags": [
+            "cisco-ftd"
+        ]
+    },
+    {
+        "@timestamp": "2020-01-01T10:42:53.000-02:00",
+        "cisco.ftd.mapped_source_host": "mydomain.example.net",
+        "cisco.ftd.message_id": "302021",
+        "destination.address": "172.24.177.29",
+        "destination.ip": "172.24.177.29",
+        "event.action": "flow-expiration",
+        "event.code": 302021,
+        "event.dataset": "cisco.ftd",
+        "event.module": "cisco",
+        "event.original": "%ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233",
+        "event.severity": 6,
+        "event.timezone": "-02:00",
+        "fileset.name": "ftd",
+        "host.hostname": "localhost",
+        "input.type": "log",
+        "log.level": "informational",
+        "log.offset": 201,
+        "network.iana_number": 1,
+        "network.transport": "icmp",
+        "service.type": "cisco",
+        "source.address": "192.168.132.46",
+        "source.ip": "192.168.132.46",
+        "tags": [
+            "cisco-ftd"
+        ]
+    },
+    {
+        "@timestamp": "2020-01-02T11:33:20.000-02:00",
+        "cisco.ftd.destination_interface": "wan",
+        "cisco.ftd.mapped_destination_host": "www.example.org",
+        "cisco.ftd.mapped_destination_port": 80,
+        "cisco.ftd.mapped_source_host": "source.example.net",
+        "cisco.ftd.mapped_source_port": 11234,
+        "cisco.ftd.message_id": "338204",
+        "cisco.ftd.rule_name": "dynamic",
+        "cisco.ftd.source_interface": "eth0",
+        "cisco.ftd.threat_category": "malware",
+        "cisco.ftd.threat_level": "high",
+        "destination.address": "172.24.177.3",
+        "destination.domain": "example.org",
+        "destination.ip": "172.24.177.3",
+        "destination.nat.port": "80",
+        "destination.port": 80,
+        "event.action": "firewall-rule",
+        "event.code": 338204,
+        "event.dataset": "cisco.ftd",
+        "event.module": "cisco",
+        "event.original": "%ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware",
+        "event.outcome": "deny",
+        "event.severity": 4,
+        "event.timezone": "-02:00",
+        "fileset.name": "ftd",
+        "host.hostname": "localhost",
+        "input.type": "log",
+        "log.level": "warning",
+        "log.offset": 360,
+        "network.iana_number": 6,
+        "network.transport": "tcp",
+        "server.domain": "example.org",
+        "service.type": "cisco",
+        "source.address": "10.10.10.1",
+        "source.ip": "10.10.10.1",
+        "source.nat.port": "11234",
+        "source.port": 1234,
+        "tags": [
+            "cisco-ftd"
+        ]
+    }
+]