Sync changes from elastic/beats#26879
legoguy1000 committed Sep 18, 2021
1 parent 973a429 commit 93cf0d0
Showing 36 changed files with 9,090 additions and 1,699 deletions.
5 changes: 5 additions & 0 deletions packages/cisco_asa/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "1.0.2"
changes:
- description: sync package with module changes (Beats PR 26879)
type: enhancement
link: https://github.com/elastic/integrations/pull/1740
- version: "1.0.1"
changes:
- description: Adding missing ECS fields
Expand Up @@ -17,7 +17,7 @@ May 5 18:29:32 dev01: %ASA-6-302020: Built inbound ICMP connection for faddr 10
May 5 18:29:32 dev01: %ASA-6-302020: Built outbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3
May 5 18:29:32 dev01: %ASA-6-302014: Teardown TCP connection 2960892904 for out111:10.10.10.10/443 to fw111:192.168.2.2/55225 duration 0:00:00 bytes 0 TCP Reset-I
May 5 18:29:32 dev01: %ASA-6-302013: Built outbound TCP connection 1588662 for intfacename:192.168.2.2/80 (8.8.8.8/80) to net:10.10.10.10/54839 (8.8.8.8/54839)
May 5 18:29:32 dev01: %ASA-6-302012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00
May 5 18:29:32 dev01: %ASA-6-305012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00
May 5 18:40:50 dev01: %ASA-4-313004: Denied ICMP type=0, from laddr 10.10.10.10 on interface fw502 to 192.168.2.2: no matching session
May 5 18:40:50 dev01: %ASA-6-305011: Built dynamic TCP translation from fw111:10.10.10.10/57006 to out111:192.168.2.2/57006
May 5 18:40:50 dev01: %ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/43803 to 10.10.10.10/14322 flags SYN on interface out111
Expand Down Expand Up @@ -83,3 +83,10 @@ Apr 27 2020 02:03:03 dev01: %ASA-6-713904: All IPSec SA proposals found unaccept
Apr 27 2020 02:03:03 dev01: %ASA-6-713903: IP = 192.128.1.1, All IPSec SA proposals found unacceptable!
Apr 27 2020 02:03:03 dev01: %ASA-6-713902: Group = 100.60.140.10, All IPSec SA proposals found unacceptable!
Apr 27 2020 02:03:03 dev01: %ASA-6-713901: Group = 100.60.140.10, IP = 192.128.1.1, All IPSec SA proposals found unacceptable!
Apr 27 2020 02:03:03 dev01: %ASA-4-106023: Deny protocol 47 src outside:100.66.124.24 dst inside:172.31.98.44 by access-group "inbound"
Apr 27 2020 02:03:03 dev01: %ASA-4-106023: Deny icmp src OUTSIDE:2a05:d016:add:4002:91f2:a9b2:e09a:6fc6 dst OUTSIDE:fe00:afa0::1 (type 128, code 0) by access-group "OUTSIDE_in"
Apr 27 2020 02:03:03 dev01: %ASA-4-302016: Teardown UDP connection 123364823 for OUTSIDE:82.0.0.1/500 to identity:85.0.0.1/500 duration 92:24:20 bytes 4671944
May 5 19:02:25 dev01: %ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 0 per second, max configured rate is 8; Current average rate is 5 per second, max configured rate is 4; Cumulative total count is 19269
May 5 19:02:25 dev01: %ASA-4-733100: [ 192.168.0.1] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 6018
May 5 19:02:25 dev01: %ASA-4-733100: [ Port-5432 5432] drop rate-1 exceeded. Current burst rate is 8 per second, max configured rate is 10; Current average rate is 20 per second, max configured rate is 5; Cumulative total count is 12466
May 5 19:02:25 dev01: %ASA-4-733100: [ RDP 3389] drop rate-1 exceeded. Current burst rate is 63 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 3054
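Review bot: The added samples for 106023 (protocol 47 and the IPv6 deny) and 302016 in the second hunk use routable addresses (100.66.124.24, 82.0.0.1, 85.0.0.1 and a 2a05:d016: prefix), and the context above already carries 8.8.8.8; shared test logs are better written with the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 2001:db8::/32) so neither this file nor the expected-output fixture derived from it points at real hosts. The 302016 line could read `Apr 27 2020 02:03:03 dev01: %ASA-4-302016: Teardown UDP connection 123364823 for OUTSIDE:203.0.113.1/500 to identity:198.51.100.1/500 duration 92:24:20 bytes 4671944`, and the two 106023 lines can be rewritten the same way. The 302012 to 305012 correction in the first hunk looks right, since it matches the 305011 "Built dynamic TCP translation" sample in the same hunk. The file header for this section is not rendered, so I am assuming this is the pipeline test log for the cisco_asa data stream.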


Expand Up @@ -10,17 +10,21 @@
"ip": "10.233.123.123"
},
"source": {
"port": 53723,
"address": "10.123.123.123",
"port": 53723,
"user": {
"name": "Elastic"
},
"ip": "10.123.123.123"
},
"tags": [
"preserve_original_event"
],
"network": {
"community_id": "1:9aBQ+NznvYals1agEGRVJm37dvQ=",
"transport": "udp",
"bytes": 148,
"iana_number": "17",
"transport": "udp"
"iana_number": "17"
},
"observer": {
"ingress": {
Expand All @@ -43,6 +47,9 @@
"version": "1.11.0"
},
"related": {
"user": [
"Elastic"
],
"hosts": [
"SNL-ASA-VPN-A01"
],
Expand All @@ -57,7 +64,7 @@
"event": {
"severity": 6,
"duration": 0,
"ingested": "2021-09-07T09:05:53.884473600Z",
"ingested": "2021-09-18T20:35:45.721879282Z",
"original": "Apr 17 2020 14:08:08 SNL-ASA-VPN-A01 : %ASA-6-302016: Teardown UDP connection 110577675 for Outside:10.123.123.123/53723(LOCAL\\Elastic) to Inside:10.233.123.123/53 duration 0:00:00 bytes 148 (zzzzzz)",
"code": "302016",
"kind": "event",
Expand All @@ -74,7 +81,7 @@
},
"cisco": {
"asa": {
"source_username": "(LOCAL\\Elastic)",
"source_username": "LOCAL\\Elastic",
"destination_interface": "Inside",
"termination_user": "zzzzzz",
"connection_id": "110577675",
Expand All @@ -98,6 +105,7 @@
"preserve_original_event"
],
"network": {
"community_id": "1:kV/6Jt4iMhVyUT1AW+UO0itOhqU=",
"iana_number": "1",
"transport": "icmp"
},
Expand Down Expand Up @@ -134,7 +142,7 @@
},
"event": {
"severity": 4,
"ingested": "2021-09-07T09:05:53.884491300Z",
"ingested": "2021-09-18T20:35:45.721884195Z",
"original": "Apr 17 2020 14:00:31 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group \"Inside_access_in\" [0x0, 0x0]",
"code": "106023",
"kind": "event",
Expand Down Expand Up @@ -174,6 +182,7 @@
"preserve_original_event"
],
"network": {
"community_id": "1:7nrIUULEgk5A+nhbh4kNmEkwL3o=",
"iana_number": "6",
"transport": "tcp"
},
Expand Down Expand Up @@ -203,7 +212,7 @@
},
"event": {
"severity": 4,
"ingested": "2021-09-07T09:05:53.884495600Z",
"ingested": "2021-09-18T20:35:45.721886186Z",
"original": "Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3afb522, 0x0]",
"code": "106023",
"kind": "event",
Expand Down Expand Up @@ -235,14 +244,18 @@
"ip": "10.123.123.123"
},
"source": {
"port": 57621,
"address": "10.123.123.123",
"port": 57621,
"user": {
"name": "Elastic"
},
"ip": "10.123.123.123"
},
"tags": [
"preserve_original_event"
],
"network": {
"community_id": "1:LM0R4Wi8tEf+1pe2ukofXQKxfMc=",
"iana_number": "17",
"transport": "udp"
},
Expand All @@ -267,6 +280,9 @@
"version": "1.11.0"
},
"related": {
"user": [
"Elastic"
],
"hosts": [
"SNL-ASA-VPN-A01"
],
Expand All @@ -279,7 +295,7 @@
},
"event": {
"severity": 4,
"ingested": "2021-09-07T09:05:53.884499200Z",
"ingested": "2021-09-18T20:35:45.721888057Z",
"original": "Apr 17 2020 14:16:20 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\\Elastic) dst Outside:10.123.123.123/57621 by access-group \"Inside_access_in\" [0x0, 0x0]",
"code": "106023",
"kind": "event",
Expand All @@ -295,7 +311,7 @@
},
"cisco": {
"asa": {
"source_username": "(LOCAL\\Elastic)",
"source_username": "LOCAL\\Elastic",
"destination_interface": "Outside",
"rule_name": "Inside_access_in",
"source_interface": "Inside"
Expand Down Expand Up @@ -340,7 +356,7 @@
},
"event": {
"severity": 2,
"ingested": "2021-09-07T09:05:53.884502500Z",
"ingested": "2021-09-18T20:35:45.721889891Z",
"original": "Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123",
"code": "106017",
"kind": "event",
Expand Down Expand Up @@ -401,7 +417,7 @@
},
"event": {
"severity": 3,
"ingested": "2021-09-07T09:05:53.884505500Z",
"ingested": "2021-09-18T20:35:45.721891708Z",
"original": "Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-3-313008: Denied IPv6-ICMP type=134, code=0 from fe80::1ff:fe23:4567:890a on interface ISP1",
"code": "313008",
"kind": "event",
Expand Down Expand Up @@ -441,6 +457,7 @@
"preserve_original_event"
],
"network": {
"community_id": "1:/zjqku0IM1BTHL37aH0DvJSecYY=",
"iana_number": "1",
"transport": "icmp"
},
Expand Down Expand Up @@ -471,7 +488,7 @@
},
"event": {
"severity": 4,
"ingested": "2021-09-07T09:05:53.884508200Z",
"ingested": "2021-09-18T20:35:45.721893488Z",
"original": "Jun 08 2020 12:59:57: %ASA-4-313009: Denied invalid ICMP code 9, for Inside:10.255.0.206/8795 (10.255.0.206/8795) to identity:10.12.31.51/0 (10.12.31.51/0), ICMP id 295, ICMP type 8",
"code": "313009",
"kind": "event",
Expand Down Expand Up @@ -515,6 +532,7 @@
"preserve_original_event"
],
"network": {
"community_id": "1:F0lY+M777B6QL2SDSKa9RfuUJ7s=",
"iana_number": "17",
"transport": "udp"
},
Expand Down Expand Up @@ -545,7 +563,7 @@
},
"event": {
"severity": 6,
"ingested": "2021-09-07T09:05:53.884511200Z",
"ingested": "2021-09-18T20:35:45.721895270Z",
"original": "Oct 20 2019 15:42:53: %ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575) -\u003e inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]",
"code": "106100",
"kind": "event",
Expand Down Expand Up @@ -585,6 +603,7 @@
"preserve_original_event"
],
"network": {
"community_id": "1:F0lY+M777B6QL2SDSKa9RfuUJ7s=",
"iana_number": "17",
"transport": "udp"
},
Expand Down Expand Up @@ -615,7 +634,7 @@
},
"event": {
"severity": 6,
"ingested": "2021-09-07T09:05:53.884514Z",
"ingested": "2021-09-18T20:35:45.721897074Z",
"original": "Oct 20 2019 15:42:54: %ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575)(LOCAL\\\\username) -\u003e inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]",
"code": "106100",
"kind": "event",
Expand Down Expand Up @@ -655,6 +674,7 @@
"preserve_original_event"
],
"network": {
"community_id": "1:kRCfRJ9T/IeRNAhAhzOsF6EjIV4=",
"iana_number": "17",
"transport": "udp"
},
Expand Down Expand Up @@ -688,7 +708,7 @@
},
"event": {
"severity": 3,
"ingested": "2021-09-07T09:05:53.884516800Z",
"ingested": "2021-09-18T20:35:45.721898861Z",
"original": "Aug 6 2020 11:01:37: %ASA-session-3-106102: access-list dev_inward_client permitted udp for user redacted outside/10.123.123.20(49721) -\u003e inside/10.223.223.40(53) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]",
"code": "106102",
"kind": "event",
Expand Down Expand Up @@ -743,6 +763,7 @@
"preserve_original_event"
],
"network": {
"community_id": "1:cJpy7sqGDQbchRUXDtR8k10HinM=",
"iana_number": "1",
"transport": "icmp"
},
Expand Down Expand Up @@ -776,7 +797,7 @@
},
"event": {
"severity": 1,
"ingested": "2021-09-07T09:05:53.884519600Z",
"ingested": "2021-09-18T20:35:45.721900666Z",
"original": "Aug 6 2020 11:01:38: %ASA-1-106103: access-list filter denied icmp for user joe inside/10.1.2.3(64321) -\u003e outside/1.2.33.40(8080) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]",
"code": "106103",
"kind": "event",
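Review bot: In the first hunk the new `source.user` object holds only `"name": "Elastic"`, while the raw event and the normalized `cisco.asa.source_username` value `LOCAL\\Elastic` still carry the `LOCAL` domain, so the domain is dropped instead of landing in `source.user.domain`; keeping it lets a consumer tell a local account apart from a directory account of the same name, and the fixture would then show `"domain": "LOCAL"` beside `"name": "Elastic"` (the same applies to the second `source.user` hunk further down). Separately, every `event.ingested` pair in this file changes only because the fixture was regenerated; excluding that wall-clock field from the expected output would keep future regeneration diffs limited to parser changes. The file header for this section is not rendered, so I am assuming this is the expected-output fixture paired with the log samples above.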
