
Fix: Dissect Cisco ASA 302013 message usernames #21196

Merged: 6 commits, Jan 25, 2021

Conversation

@C0FFEEC0FFEE (Contributor)

Fixes ingest pipeline filebeat-7.9.1-cisco-asa-asa-ftd-pipeline to dissect messages of the following format (optional usernames):

    Built inbound TCP connection 27215708 for internet:10.2.3.4/49926 (1.2.3.4/49926)(LOCAL\username) to vlan-42:1.2.3.4/80 (1.2.3.4/80) (username)\n

Currently one can only dissect this format:

    Built inbound TCP connection 27215708 for internet:10.2.3.4/49926 (1.2.3.4/49926) to vlan-42:1.2.3.4/80 (1.2.3.4/80)\n

@elasticmachine (Collaborator)

Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually?


@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Sep 21, 2020
@elasticmachine (Collaborator) commented Sep 21, 2020

💚 Build Succeeded


Build stats

  • Build Cause: andrewkroh commented: run tests
  • Start Time: 2021-01-25T15:54:16.540+0000
  • Duration: 46 min 13 sec
  • Commit: 7d53226

Test stats 🧪

  • Failed: 0
  • Passed: 5135
  • Skipped: 574
  • Total: 5709

💚 Flaky test report: tests succeeded.

@elasticmachine (Collaborator)

Pinging @elastic/siem (Team:SIEM)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Sep 21, 2020
@botelastic bot commented Oct 21, 2020

Hi!
We just realized that we haven't looked into this PR in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it in as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Oct 21, 2020
@C0FFEEC0FFEE (Contributor, Author)

We are using this change for our ASA logs, would be nice if it gets pulled into the official releases. Let me know if you need anything else.

@botelastic bot commented Nov 20, 2020

Hi!
We just realized that we haven't looked into this PR in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it in as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Nov 20, 2020
@C0FFEEC0FFEE (Contributor, Author)

+1

@botelastic botelastic bot removed the Stalled label Nov 20, 2020
@marc-gr (Contributor) commented Dec 16, 2020

jenkins run tests

@marc-gr marc-gr self-assigned this Dec 16, 2020
@marc-gr (Contributor) commented Dec 16, 2020

@C0FFEEC0FFEE thanks for contributing, could you please update your branch with master? It seems to be outdated.

@elasticmachine (Collaborator)

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@C0FFEEC0FFEE (Contributor, Author)

> @C0FFEEC0FFEE thanks for contributing, could you please update your branch with master? It seems to be outdated.

I updated my branch with master.

@andrewkroh (Member)

jenkins run tests

@andrewkroh (Member)

This is failing the test suite because it cannot parse the log sample at

    module/cisco/asa/test/sample.log:43:Dec 11 2018 08:01:31 <IP>: %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)

The error is

    The related error message is: ['Provided Grok expressions do not match field value: [Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)]']

@C0FFEEC0FFEE C0FFEEC0FFEE requested review from a team as code owners January 13, 2021 23:52
@botelastic botelastic bot added the Team:Automation Label for the Observability productivity team label Jan 13, 2021
This allows logs like this to parse

    %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)
@andrewkroh andrewkroh force-pushed the C0FFEEC0FFEE-patch-1 branch from 17f17ec to f70b89a Compare January 13, 2021 23:53
@andrewkroh (Member) left a comment

I pushed two updates to this PR:

  • Add a test case with a 302013 log that has the AAA user name.
  • Change the grok IP fields to NOTSPACE because there was a test case that had OCSP_server as the address value. I'm not sure of the origin of this log sample to know if it is valid.
  • Removed a test log that had the port value as 80port>. That looked like some kind of developer error when creating sample logs.

My only question is whether client.user.name is the correct place for the user name to go.

    "cisco.asa.message_id": "302013",
    "cisco.asa.source_interface": "internet",
    "cisco.asa.source_username": "LOCAL\\username",
    "client.user.name": "username",
Member

Perhaps this should go to user.name instead?

Contributor, Author

I'm not sure. Maybe this should go to both client.user.name and user.name, as well as related.user?

In my interpretation of the ECS it fits best to client.user.name since the user initiates a TCP connection:

> For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). (ECS docs)

@marc-gr (Contributor) Jan 14, 2021

According to https://www.elastic.co/guide/en/ecs/1.x/ecs-user-usage.html:

> In order to align with ECS' design of having user at the root of the event as the user performing the action, all source.user fields should be copied to user at the root.

I guess it should be copied to user.name and also kept in client.user.name if we understand client is equivalent to source in here.

PS: what @C0FFEEC0FFEE said, was writing it while you posted it also 😄

Member

Ok, I pushed an update. I think the new user name that is being parsed from this message is actually associated with the destination so I set destination.user.name. Then I set the user.name with that value if it wasn't already set. Then I setup related.user with user.name + destination.user.name (no duplicates).
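As an added illustration of the parsing and field mapping discussed in this thread (not code from the PR or from the Filebeat cisco module), here is a Python equivalent of the grok change: addresses are matched as NOTSPACE so a hostname like OCSP_Server parses, both "(user)" groups are optional, and the user.name / related.user rules from the comment above are applied. Field names beyond those quoted in the thread (source.address, destination.port, cisco.asa.connection_id, network.transport) are my assumption, not the module's documented output.

```python
import re
from typing import Dict, Optional

# Pattern for the body of %ASA-6-302013. Addresses use \S+ (grok NOTSPACE) instead of an
# IP pattern so hostnames such as OCSP_Server match, and both "(user)" groups are optional,
# so messages with and without AAA user names parse. Written for this thread; it is not
# the module's actual grok expression.
ASA_302013 = re.compile(
    r"^Built (?P<direction>inbound|outbound) (?P<protocol>\S+) connection (?P<conn_id>\d+) "
    r"for (?P<src_if>[^:\s]+):(?P<src_addr>\S+)/(?P<src_port>\d+) "
    r"\((?P<src_mapped>\S+)/(?P<src_mapped_port>\d+)\)(?:\s?\((?P<src_user>[^)]+)\))? "
    r"to (?P<dst_if>[^:\s]+):(?P<dst_addr>\S+)/(?P<dst_port>\d+) "
    r"\((?P<dst_mapped>\S+)/(?P<dst_mapped_port>\d+)\)(?:\s?\((?P<dst_user>[^)]+)\))?$"
)

# Constructed samples, taken from the messages quoted in this thread.
SAMPLE_WITH_USERS = ("Built inbound TCP connection 27215708 for internet:10.2.3.4/49926 "
                     "(1.2.3.4/49926)(LOCAL\\username) to vlan-42:1.2.3.4/80 (1.2.3.4/80) (username)")
SAMPLE_OCSP = ("Built outbound TCP connection 447236 for outside:192.0.2.222/1234 "
               "(192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)")


def parse_asa_302013(message: str) -> Optional[Dict[str, object]]:
    """Return flattened ECS-style fields for one 302013 message body, or None on no match."""
    m = ASA_302013.match(message.strip())
    if m is None:
        return None
    f = m.groupdict()
    event: Dict[str, object] = {
        "cisco.asa.message_id": "302013",
        "cisco.asa.connection_id": f["conn_id"],
        "cisco.asa.source_interface": f["src_if"],
        "cisco.asa.destination_interface": f["dst_if"],
        "network.transport": f["protocol"].lower(),
        "source.address": f["src_addr"],
        "source.port": int(f["src_port"]),
        "destination.address": f["dst_addr"],
        "destination.port": int(f["dst_port"]),
    }
    if f["src_user"]:
        event["cisco.asa.source_username"] = f["src_user"]
    if f["dst_user"]:
        event["destination.user.name"] = f["dst_user"]
        # Copy to user.name only if nothing else already set it, then build related.user
        # from user.name + destination.user.name without duplicates (the merged behaviour).
        event.setdefault("user.name", f["dst_user"])
        related = []
        for name in (event["user.name"], f["dst_user"]):
            if name not in related:
                related.append(name)
        event["related.user"] = related
    return event
```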

@andrewkroh andrewkroh added enhancement Filebeat Filebeat and removed Team:Automation Label for the Observability productivity team labels Jan 14, 2021
Copy destination.user.name to user.name.
Set related.user to user.name + destination.user.name.
@andrewkroh (Member)

run tests

@andrewkroh andrewkroh merged commit d6a5f17 into elastic:master Jan 25, 2021
andrewkroh pushed a commit to andrewkroh/beats that referenced this pull request Jan 25, 2021
- Add test log containing the AAA user field
- Set destination.user.name
- Copy destination.user.name to user.name.
- Set related.user to user.name + destination.user.name.

This allows logs like this to parse

    %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)

Co-authored-by: Andrew Kroh <[email protected]>
(cherry picked from commit d6a5f17)
v1v added a commit to v1v/beats that referenced this pull request Jan 26, 2021
@C0FFEEC0FFEE C0FFEEC0FFEE deleted the C0FFEEC0FFEE-patch-1 branch January 27, 2021 08:02
andrewkroh added a commit that referenced this pull request Feb 1, 2021
Co-authored-by: Michael Koch <[email protected]>