
Commit fc9de39

authored
[cisco_asa] Add support for IPv6 parsing in 302xxx messages (elastic#15606)
In 302xxx messages, properly parse IPv6 addresses. Previously, the address could be improperly parsed into the interface field, as both use colon separators. This reorders the parsing to do IPv6 first, so that these addresses are correctly parsed, while still parsing the interface if the field isn't IPv6.
1 parent ffc8802 commit fc9de39


5 files changed

+350
-14
lines changed

5 files changed

+350
-14
lines changed

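--- a/packages/cisco_asa/changelog.yml
+++ b/packages/cisco_asa/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.43.10"
+changes:
+- description: Parse IPv6 addresses correctly in 302020/302021 messages
+type: bugfix
+link: https://github.com/elastic/integrations/pull/15606
 - version: "2.43.9"
 changes:
 - description: Allow empty access-group in message id 106023.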

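--- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa.log
+++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa.log
@@ -277,3 +277,6 @@ Feb 12 11:37:00 myhost.example.com : Feb 12 11:37:00 EST: %ASA-auth-4-113011: AA
 Feb 12 11:48:23 myhost.example.com : Feb 12 11:48:23 EST: %ASA-svc-4-722041: TunnelGroup <MY_TUNGROUP> GroupPolicy <GroupPolicy_USER_SET> User <[email protected]> IP <10.2.3.4> No IPv6 address available for SVC connection
 Feb 3 10:07:37 myhost.example.com : Feb 03 10:07:37 EST: %ASA-svc-3-722035: Group <GroupPolicy_USER_SET> User <[email protected]> IP <10.1.2.3> Received large packet 1224 (threshold 1200).
 Feb 3 10:07:51 myhost.example.com : Feb 03 10:07:50 EST: %ASA-4-733100: [ LOCAL\[email protected]#012 ] drop rate-1 exceeded. Current burst rate is 40 per second, max configured rate is 40; Current average rate is 2 per second, max configured rate is 20; Cumulative total count is 1486
+<166>10.1.1.1 %ASA-6-302021: Teardown ICMP connection for faddr 2001:db8:85a3::8a2e:370:7334/9 gaddr 2001:db8:85a3::8a2e:370:7335/0 laddr 2001:db8:85a3::8a2e:370:7335/0 type 128 code 0 \n
+<166>10.1.1.1 %ASA-6-302020: Built outbound ICMP connection for faddr 2001:db8:85a3::8a2e:370:7334/0 gaddr ::ffff:10.10.4.4/0 laddr ::ffff:10.10.10.4/0 type 3 code 0 Internal-Data0/0:RX[29]
+<166>10.1.1.1 %ASA-6-302018: Teardown GRE connection 472592149 from Outside:81.2.69.142 to Inside:89.160.20.156/0 duration 0:02:01 bytes 1344 0 26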
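Review bot: The first added fixture line (the 302021 teardown) ends with the two literal characters `\n` after `type 128 code 0`, and the expected output in test-asa.log-expected.json confirms they are carried verbatim into event.original as `\\n`; that trailing token is a paste artifact rather than anything an ASA emits, so the regression case does not match the message shape the fix is meant to cover. Ending the line at `... laddr 2001:db8:85a3::8a2e:370:7335/0 type 128 code 0` and regenerating the expected file would keep the fixture representative. Presumably the grok pattern simply tolerates the extra token today; worth confirming that the IPv6 path is still exercised once it is removed. Only the three new lines are visible here; the fixture file continues outside the hunk.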

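--- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json
+++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json
@@ -23275,6 +23275,329 @@
 "tags": [
 "preserve_original_event"
 ]
+},
+{
+"cisco": {
+"asa": {
+"icmp_code": 0,
+"icmp_type": 128,
+"mapped_source_ip": "2001:db8:85a3::8a2e:370:7335"
+}
+},
+"destination": {
+"address": "2001:db8:85a3::8a2e:370:7334",
+"as": {
+"number": 65551,
+"organization": {
+"name": "Documentation ASN"
+}
+},
+"geo": {
+"city_name": "Greenwich",
+"continent_name": "Europe",
+"country_iso_code": "GB",
+"country_name": "United Kingdom",
+"location": {
+"lat": 51.47687,
+"lon": -4.1E-4
+},
+"region_iso_code": "GB-ENG",
+"region_name": "England"
+},
+"ip": "2001:db8:85a3::8a2e:370:7334"
+},
+"ecs": {
+"version": "8.17.0"
+},
+"event": {
+"action": "flow-expiration",
+"category": [
+"network"
+],
+"code": "302021",
+"kind": "event",
+"original": "<166>10.1.1.1 %ASA-6-302021: Teardown ICMP connection for faddr 2001:db8:85a3::8a2e:370:7334/9 gaddr 2001:db8:85a3::8a2e:370:7335/0 laddr 2001:db8:85a3::8a2e:370:7335/0 type 128 code 0 \\n",
+"outcome": "success",
+"severity": 6,
+"timezone": "UTC",
+"type": [
+"connection",
+"end"
+]
+},
+"host": {
+"hostname": "10.1.1.1"
+},
+"log": {
+"level": "informational",
+"syslog": {
+"facility": {
+"code": 20
+},
+"priority": 166,
+"severity": {
+"code": 6
+}
+}
+},
+"network": {
+"community_id": "1:YLPCdXv9CS+jZQhvBiW9dK/G6IM=",
+"iana_number": "1",
+"transport": "icmp"
+},
+"observer": {
+"hostname": "10.1.1.1",
+"product": "asa",
+"type": "firewall",
+"vendor": "Cisco"
+},
+"related": {
+"hosts": [
+"10.1.1.1"
+],
+"ip": [
+"2001:db8:85a3::8a2e:370:7335",
+"2001:db8:85a3::8a2e:370:7334"
+]
+},
+"source": {
+"address": "2001:db8:85a3::8a2e:370:7335",
+"as": {
+"number": 65551,
+"organization": {
+"name": "Documentation ASN"
+}
+},
+"geo": {
+"city_name": "Greenwich",
+"continent_name": "Europe",
+"country_iso_code": "GB",
+"country_name": "United Kingdom",
+"location": {
+"lat": 51.47687,
+"lon": -4.1E-4
+},
+"region_iso_code": "GB-ENG",
+"region_name": "England"
+},
+"ip": "2001:db8:85a3::8a2e:370:7335"
+},
+"tags": [
+"preserve_original_event"
+]
+},
+{
+"cisco": {
+"asa": {
+"icmp_code": 0,
+"icmp_type": 3,
+"mapped_source_ip": "::ffff:10.10.4.4"
+}
+},
+"destination": {
+"address": "2001:db8:85a3::8a2e:370:7334",
+"as": {
+"number": 65551,
+"organization": {
+"name": "Documentation ASN"
+}
+},
+"geo": {
+"city_name": "Greenwich",
+"continent_name": "Europe",
+"country_iso_code": "GB",
+"country_name": "United Kingdom",
+"location": {
+"lat": 51.47687,
+"lon": -4.1E-4
+},
+"region_iso_code": "GB-ENG",
+"region_name": "England"
+},
+"ip": "2001:db8:85a3::8a2e:370:7334"
+},
+"ecs": {
+"version": "8.17.0"
+},
+"event": {
+"action": "flow-creation",
+"category": [
+"network"
+],
+"code": "302020",
+"kind": "event",
+"original": "<166>10.1.1.1 %ASA-6-302020: Built outbound ICMP connection for faddr 2001:db8:85a3::8a2e:370:7334/0 gaddr ::ffff:10.10.4.4/0 laddr ::ffff:10.10.10.4/0 type 3 code 0 Internal-Data0/0:RX[29]",
+"outcome": "success",
+"severity": 6,
+"timezone": "UTC",
+"type": [
+"connection",
+"start"
+]
+},
+"host": {
+"hostname": "10.1.1.1"
+},
+"log": {
+"level": "informational",
+"syslog": {
+"facility": {
+"code": 20
+},
+"priority": 166,
+"severity": {
+"code": 6
+}
+}
+},
+"network": {
+"direction": "outbound",
+"type": "icmp"
+},
+"observer": {
+"hostname": "10.1.1.1",
+"product": "asa",
+"type": "firewall",
+"vendor": "Cisco"
+},
+"related": {
+"hosts": [
+"10.1.1.1"
+],
+"ip": [
+"::ffff:10.10.10.4",
+"::ffff:10.10.4.4",
+"2001:db8:85a3::8a2e:370:7334"
+]
+},
+"source": {
+"address": "::ffff:10.10.10.4",
+"ip": "::ffff:10.10.10.4",
+"nat": {
+"ip": "::ffff:10.10.4.4"
+}
+},
+"tags": [
+"preserve_original_event"
+]
+},
+{
+"@timestamp": "2025-01-01T12:00:00.000Z",
+"cisco": {
+"asa": {
+"connection_id": "472592149",
+"destination_interface": "Inside",
+"source_interface": "Outside"
+}
+},
+"destination": {
+"address": "89.160.20.156",
+"as": {
+"number": 29518,
+"organization": {
+"name": "Bredband2 AB"
+}
+},
+"geo": {
+"city_name": "Linköping",
+"continent_name": "Europe",
+"country_iso_code": "SE",
+"country_name": "Sweden",
+"location": {
+"lat": 58.4167,
+"lon": 15.6167
+},
+"region_iso_code": "SE-E",
+"region_name": "Östergötland County"
+},
+"ip": "89.160.20.156",
+"port": 0
+},
+"ecs": {
+"version": "8.17.0"
+},
+"event": {
+"action": "flow-expiration",
+"category": [
+"network"
+],
+"code": "302018",
+"duration": 121000000000,
+"kind": "event",
+"original": "<166>10.1.1.1 %ASA-6-302018: Teardown GRE connection 472592149 from Outside:81.2.69.142 to Inside:89.160.20.156/0 duration 0:02:01 bytes 1344 0 26",
+"outcome": "success",
+"severity": 6,
+"timezone": "UTC",
+"type": [
+"connection",
+"end"
+]
+},
+"host": {
+"hostname": "10.1.1.1"
+},
+"log": {
+"level": "informational",
+"syslog": {
+"facility": {
+"code": 20
+},
+"priority": 166,
+"severity": {
+"code": 6
+}
+}
+},
+"network": {
+"bytes": 1344,
+"community_id": "1:G+7NhVep/VU/WFsZ87fgaCpx6Ks=",
+"iana_number": "47",
+"transport": "gre"
+},
+"observer": {
+"egress": {
+"interface": {
+"name": "Inside"
+}
+},
+"hostname": "10.1.1.1",
+"ingress": {
+"interface": {
+"name": "Outside"
+}
+},
+"product": "asa",
+"type": "firewall",
+"vendor": "Cisco"
+},
+"related": {
+"hosts": [
+"10.1.1.1"
+],
+"ip": [
+"81.2.69.142",
+"89.160.20.156"
+]
+},
+"source": {
+"address": "81.2.69.142",
+"geo": {
+"city_name": "London",
+"continent_name": "Europe",
+"country_iso_code": "GB",
+"country_name": "United Kingdom",
+"location": {
+"lat": 51.5142,
+"lon": -0.0931
+},
+"region_iso_code": "GB-ENG",
+"region_name": "England"
+},
+"ip": "81.2.69.142"
+},
+"tags": [
+"preserve_original_event"
+]
 }
 ]
 }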
