Add Cisco ASA messages to firewalls patterns. #226
Conversation
Fix issue with ASA-3-313004. Add Cisco ASA message patterns to firewalls patterns file: - ASA-2-106017 - ASA-1-106101 - ASA-6-303002 - ASA-3-303006 - ASA-5-305013 - ASA-5-713257 - ASA-4-713903 - ASA-6-725001 - ASA-6-725002 - ASA-6-725007 - ASA-6-725016 - ASA-3-746016
|
I have now signed the CLA. |
| # ASA-6-305011 | ||
| CISCOFW305011 %{CISCO_ACTION:action} %{CISCO_XLATE_TYPE:xlate_type} %{WORD:protocol} translation from %{DATA:src_interface}:%{IP:src_ip}(/%{INT:src_port})?(\(%{DATA:src_fwuser}\))? to %{DATA:src_xlated_interface}:%{IP:src_xlated_ip}/%{DATA:src_xlated_port} | ||
| # ASA-3-313001, ASA-3-313004, ASA-3-313008 |
There was a problem hiding this comment.
I'm unfamiliar with the asa firewalls, but I'd like to avoid removing patterns as that can create troubles for folks already using this CISCOFW313001_313004_313008 pattern.
|
We could leave the name as is, but that pattern does not match ASA-3-313004 properly. |
| @@ -79,8 +93,22 @@ CISCOFW602303_602304 %{WORD:protocol}: An %{CISCO_DIRECTION:direction} %{GREEDYD | |||
| CISCOFW710001_710002_710003_710005_710006 %{WORD:protocol} (?:request|access) %{CISCO_ACTION:action} from %{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port} | |||
| # ASA-6-713172 | |||
| CISCOFW713172 Group = %{GREEDYDATA:group}, IP = %{IP:src_ip}, Automatic NAT Detection Status:\s+Remote end\s*%{DATA:is_remote_natted}\s*behind a NAT device\s+This\s+end\s*%{DATA:is_local_natted}\s*behind a NAT device | |||
| # ASA-5-713257 | |||
| CISCOFW713257 Phase %{INT:phase} failure: Mismatched attribute types for class %{DATA:class}: Rcv'd: %{DATA:received_attribute} Cfg'd: %{GREEDYDATA:configured_attribute} | |||
There was a problem hiding this comment.
This pattern has a few double spaces, is this intended?
There was a problem hiding this comment.
Yes.
Here is a sample log message:
Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
There was a problem hiding this comment.
I see, my question came from doing a quick search online and finding references to that log entry with only 1 space: https://supportforums.cisco.com/t5/remote-access/ipsec-vpn-to-asa-5520/td-p/1528993
Maybe we can be safe here and replace these potential "more than one" spaces with %{SPACE} ?
There was a problem hiding this comment.
We could use '\s+' (1 or more spaces) but not %{SPACE} because it is defined as '\s*' (zero or more spaces).
Using %{SPACE} could break the pattern.
There was a problem hiding this comment.
BTW, if it sheds more light on the subject, all the ASA-5-713257 messages I have ever seen (I have been parsing Cisco ASA logs for 3 years now) have always had the 2 spaces in those places.
|
@fchouina to continue the discussion on the |
|
No there is no conflict with the new ASA-3-313004 pattern. The original CISCOFW313001_313004_313008 pattern simply does not match any ASA-3-313004 logs. |
|
Ok @fchouina thanks for confirming. So for the sake of keeping separate concerns into separate issues, could you please revert the |
|
This is great! Thanks for contributing the additional filters @fchouina! I have several more to contribute myself for these message patterns: Maybe I'll wait for this PR to be merged into master until I contribute? I don't want to submit another PR and cause anything to get lost. |
Fix issue with ASA-3-313004.
Add Cisco ASA message patterns to firewalls patterns file:
Thanks for contributing to Logstash! If you haven't already signed our CLA, here's a handy link: https://www.elastic.co/contributor-agreement/