
[Filebeat] Module to Cisco ASA Firewall Logs #9200

Closed
andrewkroh opened this issue Nov 21, 2018 · 4 comments
Comments

@andrewkroh
Member

andrewkroh commented Nov 21, 2018

As a user I'd like to easily be able to ingest syslog data coming from a Cisco ASA device. In particular I'm interested in log messages related to firewall activity (access-list deny/allow, spoofing detected, etc.).

Cisco publishes the format of their syslog messages on their website.

We should define a list of message IDs that we want included in the first version of the module.

  • 106001 - %ASA-2-106001: Inbound TCP connection denied from IP_address/port to IP_address/port flags tcp_flags on interface interface_name
  • 106006 - %ASA-2-106006: Deny inbound UDP from outside_address/outside_port to inside_address/inside_port on interface interface_name.
  • 106007 - %ASA-2-106007: Deny inbound UDP from outside_address/outside_port to inside_address/inside_port due to DNS {Response|Query}.
  • 106010 - %ASA-3-106010: Deny inbound protocol src [interface_name : source_address/source_port ] [([idfw_user | FQDN_string ], sg_info )] dst [interface_name : dest_address /dest_port }[([idfw_user | FQDN_string ], sg_info )]
  • 106013 - %ASA-2-106013: Dropping echo request from IP_address to PAT address IP_address
  • 106014 - %ASA-3-106014: Deny inbound icmp src interface_name : IP_address [([idfw_user | FQDN_string ], sg_info )] dst interface_name : IP_address [([idfw_user | FQDN_string ], sg_info )] (type dec , code dec )
  • 106015 - %ASA-6-106015: Deny TCP (no connection) from IP_address /port to IP_address /port flags tcp_flags on interface interface_name.
  • 106021 - %ASA-1-106021: Deny protocol reverse path check from source_address to dest_address on interface interface_name
  • And more... Please feel free to edit this list and add additional ones.

Added a few more. I tried to keep it to basic L3 stuff; there are a lot of obscure kinds of traffic and tunneling features, and most of them are warnings about blocked traffic. Too bad there is not a lot of information about allowed traffic.

It's still pending a second review and I have yet to compare it with some log files I found.

- %ASA-2-106002: {protocol} Connection denied by outbound list acl_ID src inside_address dest outside_address
- %ASA-2-106016: Deny IP spoof from ({IP_address} ) to {IP_address} on interface interface_name.
- %ASA-2-106017: Deny IP due to Land Attack from {IP_address} to {IP_address}
- %ASA-2-106018: ICMP packet type ICMP_type denied by outbound list acl_ID src inside_address dest outside_address
- %ASA-2-106020: Deny IP teardrop fragment (size = number, offset = number) from {IP_address} to {IP_address}
- %ASA-1-106022: Deny protocol connection spoof from source_address to dest_address on interface interface_name
- %ASA-4-106023: Deny protocol src [{interface_name} :{source_address} /{source_port} ] [([{idfw_user} |{FQDN_string} ], {sg_info} )] dst {interface_name} :{dest_address} /{dest_port} [([{idfw_user} |{FQDN_string} ], {sg_info} )] [type {{string} }, code {{code} }] by {access_group acl_ID} [0x8ed66b60, 0xf8852875]
- %ASA-4-106027: acl_ID: Deny src [source address] dst [destination address] by access-group "access-list name"
- %ASA-6-106100: access-list {acl_ID} {permitted | denied | est-allowed} {protocol} {interface_name} /{source_address} ({source_port} ) ({idfw_user} , {sg_info} ) {interface_name} /{dest_address} ({dest_port} ) ({idfw_user} , {sg_info} ) hit-cnt {number} ({first hit | {number} -second interval}) hash codes
- %ASA-6-106102: access-list {acl_ID} {permitted|denied} protocol for user {username} {interface_name} /{source_address} {source_port} {interface_name} /{dest_address dest_port} hit-cnt {number} {first hit|{number} -second interval} hash codes
- %ASA-4-106103: access-list {acl_ID} denied protocol for user {username} {interface_name} /{source_address} {source_port interface_name} /{dest_address dest_port} hit-cnt {number} first hit hash codes
- %ASA-3-313001: Denied ICMP type={number} , code={code} from {IP_address} on interface {interface_name}
- %ASA-4-313004: Denied ICMP type={icmp_type} , from {source_address} on interface {interface_name} to {dest_address} :no matching session
- %ASA-4-313005: No matching connection for ICMP error message: {icmp_msg_info} on {interface_name} interface. Original IP payload: {embedded_frame_info icmp_msg_info =} icmp{src src_interface_name} :{src_address} [([{idfw_user} | {FQDN_string} ],{sg_info} )] {dst dest_interface_name} :{dest_address} [([{idfw_user} |{FQDN_string} ],{sg_info} )]{} (type{icmp_type,} code{icmp_code} ){embedded_frame_info =} prot{src source_address} /{source_port} [([{idfw_user} | {FQDN_string} ], {sg_info} )] {dst dest_address} /{dest_port} [({idfw_user} |{FQDN_string} ),{sg_info} ]
- %ASA-3-313008: Denied ICMPv6 type={number} , code={code} from {IP_address} on interface {interface_name}
- %ASA-4-313009: Denied invalid ICMP code {icmp-code} , for {src-ifc} :{src-address} /{src-port} (mapped-src-address/mapped-src-port) to {dest-ifc} :{dest-address} /{dest-port} (mapped-dest-address/mapped-dest-port) [{user} ], ICMP id {icmp-id} , ICMP type {icmp-type}
- %ASA-3-322001: Deny MAC address MAC_address, possible spoof attempt on interface {interface}
- %ASA-3-322002: ARP inspection check failed for arp {request|response} received from host MAC_address on interface {interface} . This host is advertising MAC Address {MAC_address_1} for IP Address {IP_address} , which is {statically|dynamically} bound to MAC Address {MAC_address_2} .
- %ASA-3-322003: ARP inspection check failed for arp {request|response} received from host MAC_address on interface {interface} . This host is advertising MAC Address {MAC_address_1} for IP Address {IP_address} , which is not bound to any MAC Address.

These ones report flow termination, including duration:

%ASA-6-302014: Teardown TCP connection id for interface :real-address /real-port [(idfw_user )] to interface :real-address /real-port [(idfw_user )] duration hh:mm:ss bytes bytes [reason [from teardown-initiator]] [(user )]
%ASA-6-302016: Teardown UDP connection {number} for {interface} :{real-address} /{real-port} [({idfw_user} )] to {interface} :{real-address} /{real-port} [({idfw_user} )] duration {hh} :{mm} :{ss} bytes {bytes} [({user} )]
%ASA-6-302018: Teardown GRE connection {id} from {interface} :{real_address} ({translated_address} ) [({idfw_user} )] to {interface} :{real_address} /{real_cid} ({translated_address} /{translated_cid} ) [({idfw_user} )] duration {hh} :{mm} :{ss} bytes {bytes} [({user} )]
%ASA-6-302021: Teardown ICMP connection for faddr {{faddr} | {icmp_seq_num} } [({idfw_user} )] gaddr {{gaddr} | {cmp_type} } laddr {laddr} [({idfw_user} )] (981) type {{type} } code {{code} }
%ASA-6-302036: Teardown SCTP connection {conn_id} for {outside_interface} :{outside_ip} /{outside_port} [([{outside_idfw_user} ],[{outside_sg_info} ])] to {inside_interface} :{inside_ip} /{inside_port} [([{inside_idfw_user} ],[{inside_sg_info} ])] duration {time} bytes {bytes} {reason} [({user} )]
%ASA-6-302304: Teardown TCP state-bypass connection {conn_id} from {initiator_interface} :ip/port to {responder_interface} :ip/port {duration} , {bytes} , {teardown reason}
%ASA-6-302306: Teardown SCTP state-bypass connection {conn_id} for {outside_interface} :{outside_ip} /{outside_port} [([{outside_idfw_user} ],[{outside_sg_info} ])] to {inside_interface} :{inside_ip} /{inside_port} [([{inside_idfw_user} ],[{inside_sg_info} ])] duration {time} bytes {bytes} {reason}
@elasticmachine
Collaborator

Pinging @elastic/secops
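
The ACL-deny and teardown formats listed in the issue description above, turned into a small parser, as an added example that is not part of the issue, of the Filebeat module or of any Cisco tooling. It models 106023 (TCP/UDP and ICMP variants) and the 302014/302016 teardowns, maps them onto flat ECS-style fields, and runs a crude deny-burst check over a batch. The cisco.asa.* field names are assumptions modelled on the mapping posted later in this thread, event.duration follows ECS in being nanoseconds, and every line in SAMPLES is constructed from the documented templates rather than captured from a device (including the syslog PRI/timestamp prefix on one of them, which is why the header is located with search rather than match).

```python
"""Parse Cisco ASA ACL-deny (106023) and teardown (302014/302016) messages into
ECS-style fields and flag sources with repeated denies.

Added example for this thread; not Filebeat/Beats code. The cisco.asa.* field
names are assumptions; SAMPLES are constructed from the documented formats.
"""
import re
from typing import Optional

# %ASA-<severity>-<message id>: <body>. A syslog PRI/timestamp/hostname may
# precede the tag depending on device config, so search instead of match.
HEADER_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<body>.*)$")

# 106023: Deny <proto> src <ifc>:<addr>[/<port>] [(idfw_user, sg_info)]
#         dst <ifc>:<addr>[/<port>] [(idfw_user, sg_info)] [(type N, code N)]
#         by access-group "<acl>" [hash, hash]
# ICMP carries type/code instead of ports, so ports are optional. The negative
# lookahead keeps the optional user/sg group from swallowing "(type 8, code 0)".
DENY_106023_RE = re.compile(
    r'Deny (?P<proto>\w+) src (?P<sifc>[^:\s]+):(?P<sip>[^/\s]+)(?:/(?P<sport>\d+))?'
    r'(?: \((?!type )[^)]*\))?'
    r' dst (?P<difc>[^:\s]+):(?P<dip>[^/\s]+)(?:/(?P<dport>\d+))?'
    r'(?: \((?!type )[^)]*\))?'
    r'(?: \(type (?P<itype>\d+), code (?P<icode>\d+)\))?'
    r' by access-group "(?P<acl>[^"]+)"'
)

# 302014/302016: Teardown <TCP|UDP> connection <id> for <ifc>:<addr>/<port>
#   [(idfw_user)] to <ifc>:<addr>/<port> [(idfw_user)] duration h:mm:ss
#   bytes <n> [reason [from initiator]] [(user)]
# Everything after the byte count is kept verbatim as the teardown reason.
TEARDOWN_RE = re.compile(
    r'Teardown (?P<proto>TCP|UDP) connection (?P<id>\d+) for '
    r'(?P<sifc>[^:\s]+):(?P<sip>[^/\s]+)/(?P<sport>\d+)(?: \([^)]*\))? to '
    r'(?P<difc>[^:\s]+):(?P<dip>[^/\s]+)/(?P<dport>\d+)(?: \([^)]*\))? '
    r'duration (?P<h>\d+):(?P<m>\d{2}):(?P<s>\d{2}) bytes (?P<bytes>\d+)'
    r'(?: (?P<reason>.+))?$'
)


def _endpoints(m: re.Match) -> dict:
    """Source/destination fields shared by both message families."""
    return {
        "cisco.asa.source_interface": m["sifc"],          # assumed field name
        "source.ip": m["sip"],
        "source.port": int(m["sport"]) if m["sport"] else None,
        "cisco.asa.destination_interface": m["difc"],     # assumed field name
        "destination.ip": m["dip"],
        "destination.port": int(m["dport"]) if m["dport"] else None,
        "network.transport": m["proto"].lower(),
    }


def parse_asa(line: str) -> Optional[dict]:
    """Return an ECS-style dict for a modelled message, None if unparsable."""
    h = HEADER_RE.search(line)
    if not h:
        return None
    ev = {"event.severity": int(h["sev"]), "cisco.asa.message_id": h["id"]}
    body = h["body"]
    if h["id"] == "106023":
        m = DENY_106023_RE.match(body)
        if not m:
            return None
        ev.update(_endpoints(m))
        ev["event.action"] = "deny"
        ev["cisco.asa.rule_name"] = m["acl"]              # the access-group name
        if m["itype"] is not None:
            ev["cisco.asa.icmp_type"] = int(m["itype"])
            ev["cisco.asa.icmp_code"] = int(m["icode"])
    elif h["id"] in ("302014", "302016"):
        m = TEARDOWN_RE.match(body)
        if not m:
            return None
        ev.update(_endpoints(m))
        ev["event.action"] = "teardown"
        ev["cisco.asa.connection_id"] = int(m["id"])
        seconds = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        ev["event.duration"] = seconds * 1_000_000_000    # ECS duration is in ns
        ev["network.bytes"] = int(m["bytes"])
        ev["cisco.asa.teardown_reason"] = m["reason"]     # None when absent
    else:
        ev["message"] = body  # listed in the issue but not modelled here
    return ev


def deny_burst_sources(lines, threshold: int = 2) -> list:
    """Source IPs with at least `threshold` ACL denies in the batch: a crude
    port-scan indicator built on 106023 events."""
    counts: dict = {}
    for line in lines:
        ev = parse_asa(line)
        if ev and ev.get("event.action") == "deny":
            counts[ev["source.ip"]] = counts.get(ev["source.ip"], 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


# Constructed from the documented formats above; not real device output.
SAMPLES = [
    '%ASA-4-106023: Deny tcp src outside:192.0.2.10/54321 dst inside:10.0.0.5/22 by access-group "outside_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny icmp src outside:192.0.2.10 dst inside:10.0.0.5 (type 8, code 0) by access-group "outside_in" [0x0, 0x0]',
    '<164>Nov 21 2018 10:00:00 fw01 : %ASA-4-106023: Deny tcp src outside:192.0.2.10/54322 dst inside:10.0.0.5/23 by access-group "outside_in" [0x0, 0x0]',
    '%ASA-6-302014: Teardown TCP connection 12345 for outside:192.0.2.10/443 to inside:10.0.0.5/51000 duration 0:02:13 bytes 4096 TCP FINs',
    '%ASA-6-302016: Teardown UDP connection 67 for outside:192.0.2.53/53 to inside:10.0.0.5/51001 duration 0:00:05 bytes 120',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(parse_asa(s))
    print("repeated denies from:", deny_burst_sources(SAMPLES))
```

The point worth taking from the thread into a real pipeline: the optional bracketed groups in Cisco's templates (identity user, security-group, ICMP type/code) sit between the fields you care about, so a pattern that greedily eats "anything in parentheses" will silently drop the ICMP type/code, and a pattern written only for the TCP/UDP form will reject every ICMP deny. Test both variants, and test a line with the syslog prefix the device actually sends.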

@adriansr adriansr self-assigned this Feb 6, 2019
@adriansr
Contributor

Here's a CSV file with the messages extracted from the web docs using a custom scraper. I've also tried to extract the parameters in the hope of creating a pipeline generator out of it, but the format on Cisco's website is inconsistent at best.

cisco-asa.zip

@adriansr
Contributor

I forgot to link these ones (already partially mapped to ECS fields):

338001,4,"%ASA-4-338001: Dynamic filter {action} blacklisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) source {} resolved from {cisco.asa.list_id} list: {source.domain}, threat-level:{level_value,} category:{category_name}"
338002,4,"%ASA-4-338002: Dynamic filter {action} blacklisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) destination {} resolved from {cisco.asa.list_id} list: {destination.domain}, threat-level:{level_value,} category:{category_name}"
338003,4,"%ASA-4-338003: Dynamic filter {action} blacklisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) source {} resolved from {cisco.asa.list_id} list: {ip address/netmask,} threat-level:{level_value,} category:{category_name}"
338004,4,"%ASA-4-338004: Dynamic filter {action} blacklisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) destination {} resolved from {cisco.asa.list_id} list: {ip address/netmask,} threat-level:{level_value,} category:{category_name}"
338005,4,"%ASA-4-338005: Dynamic filter {action} blacklisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) source {} resolved from {cisco.asa.list_id} list: {source.domain}, threat-level:{level_value,} category:{category_name}"
338006,4,"%ASA-4-338006: Dynamic filter {action} blacklisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) destination {} resolved from {cisco.asa.list_id} list: {destination.domain}, threat-level:{level_value,} category:{category_name}"
338007,4,"%ASA-4-338007: Dynamic filter {action} blacklisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) source {} resolved from {cisco.asa.list_id} list: {ip address/netmask,} threat-level:{level_value,} category:{category_name}"
338008,4,"%ASA-4-338008: Dynamic filter {action} blacklisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) destination {} resolved from {cisco.asa.list_id} list: {ip address/netmask,} threat-level:{level_value,} category:{category_name}"
338101,4,"%ASA-4-338101: Dynamic filter {action} whitelisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) source {} resolved from {cisco.asa.list_id} list: {source.domain}"
338102,4,"%ASA-4-338102: Dynamic filter {action} whitelisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) destination {} resolved from {cisco.asa.list_id} list: {destination.domain}"
338103,4,"%ASA-4-338103: Dynamic filter {action} whitelisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) source {} resolved from {cisco.asa.list_id} list: {ip address/netmask}"
338104,4,"%ASA-4-338104: Dynamic filter {action} whitelisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) destination {} resolved from {cisco.asa.list_id} list: {ip address/netmask}"
338201,4,"%ASA-4-338201: Dynamic filter {action} greylisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) source {} resolved from {cisco.asa.list_id} list: {source.domain}, threat-level:{cisco.asa.threat_level}, category:{cisco.asa.threat_category}"
338202,4,"%ASA-4-338202: Dynamic filter {action} greylisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) destination {} resolved from {cisco.asa.list_id} list: {destination.domain}, threat-level:{cisco.asa.threat_level}, category:{cisco.asa.threat_category}"
338203,4,"%ASA-4-338203: Dynamic filter {action} greylisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) source {} resolved from {cisco.asa.list_id} list: {source.domain}, threat-level:{cisco.asa.threat_level}, category:{cisco.asa.threat_category}"
338204,4,"%ASA-4-338204: Dynamic filter {action} greylisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) destination {} resolved from {cisco.asa.list_id} list: {destination.domain}, threat-level:{cisco.asa.threat_level}, category:{cisco.asa.threat_category}"

@andrewkroh
Member Author

I found samples for a few of these.

%ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (209.165.201.1/7890) to outside:209.165.202.129/80 (209.165.202.129/80), destination 209.165.202.129 resolved from dynamic list: bad.example.com
https://www.cisco.com/c/en/us/td/docs/security/asa/special/botnet/guide/asa-botnet.html

%ASA-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/0 (10.2.1.1/0) to outsidet:x.x.x.x/0 (x.x.x.x/0), destination x.x.x.x resolved from dynamic list: x.x.x.x/255.255.255.255, threat-level: very-high, category: Malware
https://quickview.cloudapps.cisco.com/quickview/bug/CSCtg14750

%ASA-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/0 (10.2.1.1/0) to outsidet:x.x.x.x/0 (x.x.x.x/0), destination x.x.x.x resolved from dynamic list: x.x.x.x/255.255.255.255, threat-level: very-high, category: Malware
https://quickview.cloudapps.cisco.com/quickview/bug/CSCtg14750
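
The Dynamic Filter samples quoted above differ from Cisco's documented 338xxx templates (the CSV posted earlier in this thread) in small ways that break a template-derived pattern: "Dynamic Filter" is capitalised, 338002 writes "black listed" with a space, a comma precedes "destination", and there is a space after "threat-level:". The following parser, added here as an example that is not part of the issue, of the Filebeat module or of Cisco's tooling, is written against the samples rather than the templates and tolerates both. It maps onto the ECS-style field names from the CSV (the cisco.asa.* names are that draft's assumptions, and cisco.asa.list_type and cisco.asa.resolved_network are assumed here), keeps the raw address in source.address/destination.address and only fills source.ip/destination.ip when the value parses, so the redacted x.x.x.x addresses from the bug report survive as-is rather than being dropped or mis-typed.

```python
"""Parse Cisco ASA Dynamic Filter (botnet traffic filter) messages 338001-338204
into ECS-style fields.

Added example for this thread; not Filebeat/Beats code. SAMPLES are the three
lines quoted in the issue comment above; cisco.asa.* names are assumptions.
"""
import ipaddress
import re
from collections import Counter
from typing import Optional

HEADER_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<body>.*)$")

# Tolerant of the documented-vs-observed differences: "Filter"/"filter",
# "black listed"/"blacklisted", optional comma before source/destination, and
# whitespace after "threat-level:". The trailing threat group is absent on the
# whitelist (3381xx) forms, so it is optional.
DYNFILTER_RE = re.compile(
    r"Dynamic [Ff]ilter (?P<action>\w+) (?P<list>black|white|grey) ?listed "
    r"(?P<proto>\w+) traffic "
    r"from (?P<sifc>[^:\s]+):(?P<sip>[^/\s]+)/(?P<sport>\d+) "
    r"\((?P<msip>[^/]+)/(?P<msport>\d+)\) "
    r"to (?P<difc>[^:\s]+):(?P<dip>[^/\s]+)/(?P<dport>\d+) "
    r"\((?P<mdip>[^/]+)/(?P<mdport>\d+)\),? "
    r"(?P<side>source|destination) (?P<resolved_addr>\S+) resolved from "
    r"(?P<list_id>\S+) list: (?P<resolved>[^,]+)"
    r"(?:,\s*threat-level:\s*(?P<level>[\w-]+),\s*category:\s*(?P<category>.+))?$"
)


def _ip_or_none(raw: str) -> Optional[str]:
    """The address if it is a valid IPv4/IPv6 literal, else None (keeps
    redacted or malformed values out of ip-typed fields)."""
    try:
        return str(ipaddress.ip_address(raw))
    except ValueError:
        return None


def parse_dynamic_filter(line: str) -> Optional[dict]:
    """Return an ECS-style dict for a 338xxx message, None for anything else."""
    h = HEADER_RE.search(line)
    if not h or not h["id"].startswith("338"):
        return None
    m = DYNFILTER_RE.match(h["body"])
    if not m:
        return None
    ev = {
        "event.severity": int(h["sev"]),
        "cisco.asa.message_id": h["id"],
        "event.action": m["action"],                 # permitted / monitored / dropped
        "cisco.asa.list_type": m["list"] + "list",   # blacklist / whitelist / greylist (assumed name)
        "network.transport": m["proto"].lower(),
        "cisco.asa.source_interface": m["sifc"],
        "source.address": m["sip"],                  # raw, always present
        "source.ip": _ip_or_none(m["sip"]),          # typed, only when valid
        "source.port": int(m["sport"]),
        "cisco.asa.mapped_source_ip": m["msip"],
        "cisco.asa.mapped_source_port": int(m["msport"]),
        "cisco.asa.destination_interface": m["difc"],
        "destination.address": m["dip"],
        "destination.ip": _ip_or_none(m["dip"]),
        "destination.port": int(m["dport"]),
        "cisco.asa.mapped_destination_ip": m["mdip"],
        "cisco.asa.mapped_destination_port": int(m["mdport"]),
        "cisco.asa.list_id": m["list_id"],           # e.g. "dynamic"
        "cisco.asa.threat_level": m["level"],        # None on whitelist forms
        "cisco.asa.threat_category": m["category"],
    }
    # Odd message numbers resolve the source, even ones the destination. The
    # resolved value is a domain on 33800[1256]/33820x and an address/netmask
    # on 33800[3478]/33810[34]; a slash tells the two apart.
    resolved = m["resolved"].strip()
    if "/" in resolved:
        ev["cisco.asa.resolved_network"] = resolved   # assumed field name
    else:
        ev[m["side"] + ".domain"] = resolved          # source.domain / destination.domain
    return ev


def verdict_counts(lines) -> Counter:
    """How many flows the filter permitted, monitored or dropped in a batch."""
    return Counter(ev["event.action"] for ev in map(parse_dynamic_filter, lines) if ev)


# The three samples quoted in the issue comment above (x.x.x.x is redacted there).
SAMPLES = [
    "%ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (209.165.201.1/7890) to outside:209.165.202.129/80 (209.165.202.129/80), destination 209.165.202.129 resolved from dynamic list: bad.example.com",
    "%ASA-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/0 (10.2.1.1/0) to outsidet:x.x.x.x/0 (x.x.x.x/0), destination x.x.x.x resolved from dynamic list: x.x.x.x/255.255.255.255, threat-level: very-high, category: Malware",
    "%ASA-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/0 (10.2.1.1/0) to outsidet:x.x.x.x/0 (x.x.x.x/0), destination x.x.x.x resolved from dynamic list: x.x.x.x/255.255.255.255, threat-level: very-high, category: Malware",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(parse_dynamic_filter(s))
    print(verdict_counts(SAMPLES))
```

Note that "permitted" on a blacklisted flow (the 338002 sample) is a monitor-only verdict, not a benign one: the filter saw traffic to a listed destination and let it through. Anything built on these events should treat the action value as the device's verdict and the list type as the threat signal, rather than filtering on action == "dropped" alone.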

adriansr added a commit to adriansr/beats that referenced this issue Mar 26, 2019
This is a draft.

Documentation and dashboards are missing.

Closes elastic#9200
adriansr added a commit that referenced this issue Mar 28, 2019
This adds a cisco module to x-pack/filebeat. The only fileset currently, asa, will ingest Cisco ASA logs received over syslog.

Closes #9200