[Filebeat] Fix cisco asa parser for message 302022 (#24697) (#24712)

* Fix cisco asa parser for message 302022 - fix parser to include mapped address and ports - add NAT addresses to related.ip Closes #24695 Closes #24405 (cherry picked from commit c685997)
elastic · Mar 23, 2021 · eb6959d · eb6959d
1 parent dbdc5aa
commit eb6959d
Show file tree

Hide file tree

Showing 6 changed files with 204 additions and 11 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -200,6 +200,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix Cisco ASA parser for message 722051. {pull}24410[24410]
 - Fix `google_workspace` pagination. {pull}24668[24668]
 - Fix netflow module ignoring detect_sequence_reset flag. {issue}24268[24268] {pull}24270[24270]
+- Fix Cisco ASA parser for message 302022. {issue}24405[24405] {pull}24697[24697]
 
 *Heartbeat*
 

diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json
@@ -45,7 +45,9 @@
         ],
         "related.ip": [
             "10.10.10.10",
-            "192.168.2.2"
+            "8.8.8.8",
+            "192.168.2.2",
+            "8.8.5.4"
         ],
         "service.type": "cisco",
         "source.address": "10.10.10.10",
@@ -103,7 +105,9 @@
         ],
         "related.ip": [
             "10.10.10.10",
-            "192.168.2.2"
+            "8.8.8.8",
+            "192.168.2.2",
+            "8.8.5.4"
         ],
         "service.type": "cisco",
         "source.address": "10.10.10.10",
@@ -151,6 +155,7 @@
         ],
         "related.ip": [
             "192.168.2.2",
+            "8.8.8.8",
             "10.10.10.10"
         ],
         "service.type": "cisco",
@@ -285,6 +290,7 @@
         ],
         "related.ip": [
             "192.168.2.2",
+            "8.8.8.8",
             "10.10.10.10"
         ],
         "service.type": "cisco",
@@ -340,7 +346,9 @@
         ],
         "related.ip": [
             "10.10.10.10",
-            "192.168.2.2"
+            "8.8.8.8",
+            "192.168.2.2",
+            "8.8.5.4"
         ],
         "service.type": "cisco",
         "source.address": "10.10.10.10",
@@ -615,6 +623,7 @@
         ],
         "related.ip": [
             "10.10.10.10",
+            "8.8.8.8",
             "192.168.2.2"
         ],
         "service.type": "cisco",
@@ -749,6 +758,7 @@
         ],
         "related.ip": [
             "10.192.46.90",
+            "8.8.8.8",
             "10.10.10.10"
         ],
         "service.type": "cisco",
@@ -796,6 +806,7 @@
         ],
         "related.ip": [
             "192.168.2.2",
+            "8.8.8.8",
             "10.10.10.10"
         ],
         "service.type": "cisco",
@@ -909,6 +920,7 @@
         ],
         "related.ip": [
             "192.168.2.2",
+            "8.8.8.8",
             "10.10.10.10"
         ],
         "service.type": "cisco",
@@ -1237,7 +1249,9 @@
         ],
         "related.ip": [
             "10.10.10.10",
-            "192.168.2.2"
+            "8.8.8.4",
+            "192.168.2.2",
+            "8.8.8.8"
         ],
         "service.type": "cisco",
         "source.address": "10.10.10.10",
@@ -1295,7 +1309,9 @@
         ],
         "related.ip": [
             "10.10.10.10",
-            "192.168.2.2"
+            "8.8.8.4",
+            "192.168.2.2",
+            "8.8.8.8"
         ],
         "service.type": "cisco",
         "source.address": "10.10.10.10",
@@ -1603,6 +1619,156 @@
             "forwarded"
         ]
     },
+    {
+        "cisco.asa.destination_interface": "net",
+        "cisco.asa.message_id": "302022",
+        "cisco.asa.source_interface": "fw1111",
+        "destination.address": "192.168.2.2",
+        "destination.ip": "192.168.2.2",
+        "destination.port": 10051,
+        "event.action": "firewall-rule",
+        "event.category": [
+            "network"
+        ],
+        "event.code": 302022,
+        "event.dataset": "cisco.asa",
+        "event.kind": "event",
+        "event.module": "cisco",
+        "event.original": "%ASA-6-302022: Built director stub TCP connection for fw1111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (8.8.8.8/10051)",
+        "event.severity": 6,
+        "event.timezone": "-02:00",
+        "event.type": [
+            "info"
+        ],
+        "fileset.name": "asa",
+        "host.hostname": "dev01",
+        "input.type": "log",
+        "log.level": "informational",
+        "log.offset": 4472,
+        "network.iana_number": 6,
+        "network.transport": "tcp",
+        "observer.egress.interface.name": "fw1111",
+        "observer.hostname": "dev01",
+        "observer.ingress.interface.name": "net",
+        "observer.product": "asa",
+        "observer.type": "firewall",
+        "observer.vendor": "Cisco",
+        "related.hosts": [
+            "dev01"
+        ],
+        "related.ip": [
+            "10.10.10.10",
+            "192.168.2.2"
+        ],
+        "service.type": "cisco",
+        "source.address": "10.10.10.10",
+        "source.ip": "10.10.10.10",
+        "source.port": 38540,
+        "tags": [
+            "cisco-asa",
+            "forwarded"
+        ]
+    },
+    {
+        "cisco.asa.destination_interface": "net",
+        "cisco.asa.message_id": "302022",
+        "cisco.asa.source_interface": "fw111",
+        "destination.address": "192.168.2.2",
+        "destination.ip": "192.168.2.2",
+        "destination.port": 10051,
+        "event.action": "firewall-rule",
+        "event.category": [
+            "network"
+        ],
+        "event.code": 302022,
+        "event.dataset": "cisco.asa",
+        "event.kind": "event",
+        "event.module": "cisco",
+        "event.original": "%ASA-6-302022: Built forwarder  stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (8.8.8.8/10051)",
+        "event.severity": 6,
+        "event.timezone": "-02:00",
+        "event.type": [
+            "info"
+        ],
+        "fileset.name": "asa",
+        "host.hostname": "dev01",
+        "input.type": "log",
+        "log.level": "informational",
+        "log.offset": 4631,
+        "network.iana_number": 6,
+        "network.transport": "tcp",
+        "observer.egress.interface.name": "fw111",
+        "observer.hostname": "dev01",
+        "observer.ingress.interface.name": "net",
+        "observer.product": "asa",
+        "observer.type": "firewall",
+        "observer.vendor": "Cisco",
+        "related.hosts": [
+            "dev01"
+        ],
+        "related.ip": [
+            "10.10.10.10",
+            "192.168.2.2"
+        ],
+        "service.type": "cisco",
+        "source.address": "10.10.10.10",
+        "source.ip": "10.10.10.10",
+        "source.port": 38540,
+        "tags": [
+            "cisco-asa",
+            "forwarded"
+        ]
+    },
+    {
+        "cisco.asa.destination_interface": "net",
+        "cisco.asa.message_id": "302022",
+        "cisco.asa.source_interface": "fw111",
+        "destination.address": "192.1682.2.2",
+        "destination.domain": "192.1682.2.2",
+        "destination.port": 10051,
+        "event.action": "firewall-rule",
+        "event.category": [
+            "network"
+        ],
+        "event.code": 302022,
+        "event.dataset": "cisco.asa",
+        "event.kind": "event",
+        "event.module": "cisco",
+        "event.original": "%ASA-6-302022: Built backup  stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.1682.2.2/10051 (8.8.8.8/10051)",
+        "event.severity": 6,
+        "event.timezone": "-02:00",
+        "event.type": [
+            "info"
+        ],
+        "fileset.name": "asa",
+        "host.hostname": "dev01",
+        "input.type": "log",
+        "log.level": "informational",
+        "log.offset": 4791,
+        "network.iana_number": 6,
+        "network.transport": "tcp",
+        "observer.egress.interface.name": "fw111",
+        "observer.hostname": "dev01",
+        "observer.ingress.interface.name": "net",
+        "observer.product": "asa",
+        "observer.type": "firewall",
+        "observer.vendor": "Cisco",
+        "related.hosts": [
+            "dev01",
+            "192.1682.2.2"
+        ],
+        "related.ip": [
+            "10.10.10.10"
+        ],
+        "service.type": "cisco",
+        "source.address": "10.10.10.10",
+        "source.ip": "10.10.10.10",
+        "source.port": 38540,
+        "tags": [
+            "cisco-asa",
+            "forwarded"
+        ]
+    },
     {
         "cisco.asa.destination_interface": "net",
         "cisco.asa.message_id": "302023",

diff --git a/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json
@@ -36,6 +36,9 @@
             "target.destination.hostname.local",
             "Prod-host.name.addr"
         ],
+        "related.ip": [
+            "10.0.55.66"
+        ],
         "service.type": "cisco",
         "source.domain": "Prod-host.name.addr",
         "source.nat.ip": "10.0.55.66",

diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json
@@ -451,6 +451,7 @@
         "observer.vendor": "Cisco",
         "related.ip": [
             "192.0.2.222",
+            "192.0.2.43",
             "10.123.1.35"
         ],
         "service.type": "cisco",
@@ -554,7 +555,8 @@
         "observer.vendor": "Cisco",
         "related.ip": [
             "192.0.2.1",
-            "10.123.3.42"
+            "10.123.3.42",
+            "10.123.3.130"
         ],
         "service.type": "cisco",
         "source.address": "192.0.2.1",
@@ -812,7 +814,8 @@
         "observer.vendor": "Cisco",
         "related.ip": [
             "192.0.0.17",
-            "192.168.3.42"
+            "192.168.3.42",
+            "10.0.0.130"
         ],
         "service.type": "cisco",
         "source.address": "192.0.0.17",
@@ -3335,6 +3338,7 @@
         ],
         "related.ip": [
             "10.1.1.45",
+            "192.88.99.1",
             "192.88.99.129"
         ],
         "server.domain": "bad.example.com",
@@ -3393,6 +3397,7 @@
         "observer.vendor": "Cisco",
         "related.ip": [
             "10.1.1.1",
+            "10.2.1.1",
             "192.0.2.223"
         ],
         "service.type": "cisco",
@@ -3450,6 +3455,7 @@
         "observer.vendor": "Cisco",
         "related.ip": [
             "10.1.1.1",
+            "10.2.1.1",
             "192.0.2.223"
         ],
         "service.type": "cisco",

diff --git a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json
@@ -442,6 +442,7 @@
         "observer.vendor": "Cisco",
         "related.ip": [
             "192.0.2.222",
+            "192.0.2.43",
             "10.123.1.35"
         ],
         "service.type": "cisco",
@@ -543,7 +544,8 @@
         "observer.vendor": "Cisco",
         "related.ip": [
             "192.0.2.1",
-            "10.123.3.42"
+            "10.123.3.42",
+            "10.123.3.130"
         ],
         "service.type": "cisco",
         "source.address": "192.0.2.1",
@@ -796,7 +798,8 @@
         "observer.vendor": "Cisco",
         "related.ip": [
             "192.0.0.17",
-            "192.168.3.42"
+            "192.168.3.42",
+            "10.0.0.130"
         ],
         "service.type": "cisco",
         "source.address": "192.0.0.17",
@@ -3321,6 +3324,7 @@
         ],
         "related.ip": [
             "10.1.1.45",
+            "192.88.99.1",
             "192.88.99.129"
         ],
         "server.domain": "bad.example.com",
@@ -3379,7 +3383,9 @@
         "observer.vendor": "Cisco",
         "related.ip": [
             "10.1.1.1",
-            "192.0.2.223"
+            "10.2.1.1",
+            "192.0.2.223",
+            "192.0.2.225"
         ],
         "service.type": "cisco",
         "source.address": "10.1.1.1",
@@ -3436,6 +3442,7 @@
         "observer.vendor": "Cisco",
         "related.ip": [
             "10.1.1.1",
+            "10.2.1.1",
             "192.0.2.223"
         ],
         "service.type": "cisco",