-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix: Dissect Cisco ASA 302013 message usernames #21196
Conversation
Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually? |
1 similar comment
Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually? |
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
💚 Flaky test reportTests succeeded. Expand to view the summary
Test stats 🧪
|
Pinging @elastic/siem (Team:SIEM) |
Hi! We're labeling this issue as |
We are using this change for our ASA logs, would be nice if it gets pulled into the official releases. Let me know if you need anything else. |
Hi! We're labeling this issue as |
+1 |
jenkins run tests |
@C0FFEEC0FFEE thanks for contributing, could you please update your branch with master? it seems to be outdated |
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
I updated my branch with master. |
jenkins run tests |
This is failing the test suite because it cannot parse the log sample at
The error is
|
This allows logs like this to parse %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)
17f17ec
to
f70b89a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I pushed two updates to this PR:
- Add a test case with a 302013 log that has the AAA user name.
- Change the grok
IP
fields toNOTSPACE
because there was a test case that hadOCSP_server
as the address value. I'm not sure of the origin of this log sample to know if it is valid. - Removed a test log that had the port value as
80port>
. That looked like some kind of developer error when creating sample logs.
My only question is where client.user.name
is the correct place for the user name to go.
"cisco.asa.message_id": "302013", | ||
"cisco.asa.source_interface": "internet", | ||
"cisco.asa.source_username": "LOCAL\\username", | ||
"client.user.name": "username", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Perhaps this should go to user.name
instead?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure. Maybe this should go to both client.user.name and user.name, as well as related.user?
In my interpretation of the ECS it fits best to client.user.name since the user initiates a TCP connection:
For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s).
ECS docs
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
According to https://www.elastic.co/guide/en/ecs/1.x/ecs-user-usage.html:
In order to align with ECS' design of having user at the root of the event as the user performing the action, all source.user fields should be copied to user at the root.
I guess it should be copied to user.name and also kept in client.user.name if we understand client is equivalent to source in here.
PS: what @C0FFEEC0FFEE said, was writing it while you posted it also 😄
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, I pushed an update. I think the new user name that is being parsed from this message is actually associated with the destination so I set destination.user.name
. Then I set the user.name
with that value if it wasn't already set. Then I setup related.user with user.name
+ destination.user.name
(no duplicates).
Copy destination.user.name to user.name. Set related.user to user.name + destination.user.name.
run tests |
- Add test log containing the AAA user field - Set destination.user.name - Copy destination.user.name to user.name. - Set related.user to user.name + destination.user.name. This allows logs like this to parse %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678) Co-authored-by: Andrew Kroh <[email protected]> (cherry picked from commit d6a5f17)
…pack-when-oss-changes * upstream/master: [DOCS] Add setup content to Kubernetes and Cloud Foundry docs (elastic#23580) [CI] Mandatory windows support for all the versions (elastic#23615) Add check when retrieving the worker process id using performance counters (elastic#23647) Remove 4912 evtx from testing (elastic#23669) Add missing SSL settings (elastic#23632) Update X-Pack Packetbeat config (elastic#23666) Use hostname check from verify.go to handle patterns in TLS certs (elastic#23661) Fix: Dissect Cisco ASA 302013 message usernames (elastic#21196) Add FAQ entry for MADV settings in older versions (elastic#23429) Sync fixes from Integration Package Testing (elastic#23424) [Filebeat] Add Cisco ASA message '302023' parsing (elastic#23092) [Elastic Log Driver] Change hosts config flag (elastic#23628) Audit and Authentication Policy Change Events (elastic#20684)
- Add test log containing the AAA user field - Set destination.user.name - Copy destination.user.name to user.name. - Set related.user to user.name + destination.user.name. This allows logs like this to parse %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678) Co-authored-by: Andrew Kroh <[email protected]> (cherry picked from commit d6a5f17) Co-authored-by: Michael Koch <[email protected]>
Fixes ingest pipeline filebeat-7.9.1-cisco-asa-asa-ftd-pipeline to dissect messages of the following format (optional usernames):
Built inbound TCP connection 27215708 for internet:10.2.3.4/49926 (1.2.3.4/49926)(LOCAL\username) to vlan-42:1.2.3.4/80 (1.2.3.4/80) (username)\n
Currently one can only dissect this format:
Built inbound TCP connection 27215708 for internet:10.2.3.4/49926 (1.2.3.4/49926) to vlan-42:1.2.3.4/80 (1.2.3.4/80)\n