Sync changes from elastic/beats#26879 #1740

Closed. Wants to merge 2 commits.
5 changes: 5 additions & 0 deletions packages/cisco_asa/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "1.0.2"
changes:
- description: sync package with module changes (Beats PR 26879)
type: enhancement
link: https://github.com/elastic/integrations/pull/1740
- version: "1.0.1"
changes:
- description: Adding missing ECS fields
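Review bot: the new 1.0.2 entry needs the same version bump in packages/cisco_asa/manifest.json, and that file is not among the rendered hunks in this view, so confirm it is part of the two commits. Style point on the description line: the neighbouring entry starts with a capital ("Adding missing ECS fields"), so "Sync package with module changes (Beats PR 26879)" keeps the changelog consistent.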
@@ -17,7 +17,7 @@ May 5 18:29:32 dev01: %ASA-6-302020: Built inbound ICMP connection for faddr 10
May 5 18:29:32 dev01: %ASA-6-302020: Built outbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3
May 5 18:29:32 dev01: %ASA-6-302014: Teardown TCP connection 2960892904 for out111:10.10.10.10/443 to fw111:192.168.2.2/55225 duration 0:00:00 bytes 0 TCP Reset-I
May 5 18:29:32 dev01: %ASA-6-302013: Built outbound TCP connection 1588662 for intfacename:192.168.2.2/80 (8.8.8.8/80) to net:10.10.10.10/54839 (8.8.8.8/54839)
May 5 18:29:32 dev01: %ASA-6-302012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00
May 5 18:29:32 dev01: %ASA-6-305012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00
May 5 18:40:50 dev01: %ASA-4-313004: Denied ICMP type=0, from laddr 10.10.10.10 on interface fw502 to 192.168.2.2: no matching session
May 5 18:40:50 dev01: %ASA-6-305011: Built dynamic TCP translation from fw111:10.10.10.10/57006 to out111:192.168.2.2/57006
May 5 18:40:50 dev01: %ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/43803 to 10.10.10.10/14322 flags SYN on interface out111
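Review bot: the expected-output fixture for the "Teardown dynamic UDP translation" sample needs event.code "305012" after this one-line ID correction (305012 is the teardown counterpart of the 305011 "Built dynamic TCP translation" line in the same hunk); that expected file is collapsed as a large diff in this view, so check the change landed there too.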
@@ -83,3 +83,10 @@ Apr 27 2020 02:03:03 dev01: %ASA-6-713904: All IPSec SA proposals found unaccept
Apr 27 2020 02:03:03 dev01: %ASA-6-713903: IP = 192.128.1.1, All IPSec SA proposals found unacceptable!
Apr 27 2020 02:03:03 dev01: %ASA-6-713902: Group = 100.60.140.10, All IPSec SA proposals found unacceptable!
Apr 27 2020 02:03:03 dev01: %ASA-6-713901: Group = 100.60.140.10, IP = 192.128.1.1, All IPSec SA proposals found unacceptable!
Apr 27 2020 02:03:03 dev01: %ASA-4-106023: Deny protocol 47 src outside:100.66.124.24 dst inside:172.31.98.44 by access-group "inbound"
Apr 27 2020 02:03:03 dev01: %ASA-4-106023: Deny icmp src OUTSIDE:2a05:d016:add:4002:91f2:a9b2:e09a:6fc6 dst OUTSIDE:fe00:afa0::1 (type 128, code 0) by access-group "OUTSIDE_in"
Apr 27 2020 02:03:03 dev01: %ASA-4-302016: Teardown UDP connection 123364823 for OUTSIDE:82.0.0.1/500 to identity:85.0.0.1/500 duration 92:24:20 bytes 4671944
May 5 19:02:25 dev01: %ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 0 per second, max configured rate is 8; Current average rate is 5 per second, max configured rate is 4; Cumulative total count is 19269
May 5 19:02:25 dev01: %ASA-4-733100: [ 192.168.0.1] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 6018
May 5 19:02:25 dev01: %ASA-4-733100: [ Port-5432 5432] drop rate-1 exceeded. Current burst rate is 8 per second, max configured rate is 10; Current average rate is 20 per second, max configured rate is 5; Cumulative total count is 12466
May 5 19:02:25 dev01: %ASA-4-733100: [ RDP 3389] drop rate-1 exceeded. Current burst rate is 63 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 3054
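Review bot: the added 302016 line has "duration 92:24:20", so the event.duration conversion must not assume hours stay below 24; the four 733100 lines deliberately vary the bracketed token ("[ Scanning]", "[ 192.168.0.1]", "[ Port-5432 5432]", "[ RDP 3389]", each with a leading space), and the "Deny protocol 47" 106023 line carries no ports at all. The expected output for all seven new samples lives in the collapsed expected file, so confirm those entries were regenerated and that the leading space inside the brackets is trimmed.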

@@ -10,17 +10,21 @@
"ip": "10.233.123.123"
},
"source": {
"port": 53723,
"address": "10.123.123.123",
"port": 53723,
"user": {
"name": "Elastic"
},
"ip": "10.123.123.123"
},
"tags": [
"preserve_original_event"
],
"network": {
"community_id": "1:9aBQ+NznvYals1agEGRVJm37dvQ=",
"transport": "udp",
"bytes": 148,
"iana_number": "17",
"transport": "udp"
"iana_number": "17"
},
"observer": {
"ingress": {
@@ -43,6 +47,9 @@
"version": "1.11.0"
},
"related": {
"user": [
"Elastic"
],
"hosts": [
"SNL-ASA-VPN-A01"
],
@@ -57,7 +64,7 @@
"event": {
"severity": 6,
"duration": 0,
"ingested": "2021-09-07T09:05:53.884473600Z",
"ingested": "2021-09-18T20:35:45.721879282Z",
"original": "Apr 17 2020 14:08:08 SNL-ASA-VPN-A01 : %ASA-6-302016: Teardown UDP connection 110577675 for Outside:10.123.123.123/53723(LOCAL\\Elastic) to Inside:10.233.123.123/53 duration 0:00:00 bytes 148 (zzzzzz)",
"code": "302016",
"kind": "event",
@@ -74,7 +81,7 @@
},
"cisco": {
"asa": {
"source_username": "(LOCAL\\Elastic)",
"source_username": "LOCAL\\Elastic",
"destination_interface": "Inside",
"termination_user": "zzzzzz",
"connection_id": "110577675",
@@ -98,6 +105,7 @@
"preserve_original_event"
],
"network": {
"community_id": "1:kV/6Jt4iMhVyUT1AW+UO0itOhqU=",
"iana_number": "1",
"transport": "icmp"
},
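Review bot: for this ICMP event ("Deny icmp ... (type 11, code 0)") the community ID has to be derived from the ICMP type and code rather than from ports; the community_id ingest processor takes icmp_type and icmp_code for this, so confirm the pipeline passes them here, otherwise the stored hash will not match what packet-level tools compute for the same flow.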
@@ -134,7 +142,7 @@
},
"event": {
"severity": 4,
"ingested": "2021-09-07T09:05:53.884491300Z",
"ingested": "2021-09-18T20:35:45.721884195Z",
"original": "Apr 17 2020 14:00:31 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group \"Inside_access_in\" [0x0, 0x0]",
"code": "106023",
"kind": "event",
@@ -174,6 +182,7 @@
"preserve_original_event"
],
"network": {
"community_id": "1:7nrIUULEgk5A+nhbh4kNmEkwL3o=",
"iana_number": "6",
"transport": "tcp"
},
@@ -203,7 +212,7 @@
},
"event": {
"severity": 4,
"ingested": "2021-09-07T09:05:53.884495600Z",
"ingested": "2021-09-18T20:35:45.721886186Z",
"original": "Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3afb522, 0x0]",
"code": "106023",
"kind": "event",
@@ -235,14 +244,18 @@
"ip": "10.123.123.123"
},
"source": {
"port": 57621,
"address": "10.123.123.123",
"port": 57621,
"user": {
"name": "Elastic"
},
"ip": "10.123.123.123"
},
"tags": [
"preserve_original_event"
],
"network": {
"community_id": "1:LM0R4Wi8tEf+1pe2ukofXQKxfMc=",
"iana_number": "17",
"transport": "udp"
},
@@ -267,6 +280,9 @@
"version": "1.11.0"
},
"related": {
"user": [
"Elastic"
],
"hosts": [
"SNL-ASA-VPN-A01"
],
@@ -279,7 +295,7 @@
},
"event": {
"severity": 4,
"ingested": "2021-09-07T09:05:53.884499200Z",
"ingested": "2021-09-18T20:35:45.721888057Z",
"original": "Apr 17 2020 14:16:20 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\\Elastic) dst Outside:10.123.123.123/57621 by access-group \"Inside_access_in\" [0x0, 0x0]",
"code": "106023",
"kind": "event",
@@ -295,7 +311,7 @@
},
"cisco": {
"asa": {
"source_username": "(LOCAL\\Elastic)",
"source_username": "LOCAL\\Elastic",
"destination_interface": "Outside",
"rule_name": "Inside_access_in",
"source_interface": "Inside"
@@ -340,7 +356,7 @@
},
"event": {
"severity": 2,
"ingested": "2021-09-07T09:05:53.884502500Z",
"ingested": "2021-09-18T20:35:45.721889891Z",
"original": "Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123",
"code": "106017",
"kind": "event",
@@ -401,7 +417,7 @@
},
"event": {
"severity": 3,
"ingested": "2021-09-07T09:05:53.884505500Z",
"ingested": "2021-09-18T20:35:45.721891708Z",
"original": "Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-3-313008: Denied IPv6-ICMP type=134, code=0 from fe80::1ff:fe23:4567:890a on interface ISP1",
"code": "313008",
"kind": "event",
@@ -441,6 +457,7 @@
"preserve_original_event"
],
"network": {
"community_id": "1:/zjqku0IM1BTHL37aH0DvJSecYY=",
"iana_number": "1",
"transport": "icmp"
},
@@ -471,7 +488,7 @@
},
"event": {
"severity": 4,
"ingested": "2021-09-07T09:05:53.884508200Z",
"ingested": "2021-09-18T20:35:45.721893488Z",
"original": "Jun 08 2020 12:59:57: %ASA-4-313009: Denied invalid ICMP code 9, for Inside:10.255.0.206/8795 (10.255.0.206/8795) to identity:10.12.31.51/0 (10.12.31.51/0), ICMP id 295, ICMP type 8",
"code": "313009",
"kind": "event",
@@ -515,6 +532,7 @@
"preserve_original_event"
],
"network": {
"community_id": "1:F0lY+M777B6QL2SDSKa9RfuUJ7s=",
"iana_number": "17",
"transport": "udp"
},
@@ -545,7 +563,7 @@
},
"event": {
"severity": 6,
"ingested": "2021-09-07T09:05:53.884511200Z",
"ingested": "2021-09-18T20:35:45.721895270Z",
"original": "Oct 20 2019 15:42:53: %ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575) -\u003e inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]",
"code": "106100",
"kind": "event",
@@ -585,6 +603,7 @@
"preserve_original_event"
],
"network": {
"community_id": "1:F0lY+M777B6QL2SDSKa9RfuUJ7s=",
"iana_number": "17",
"transport": "udp"
},
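Review bot: the community_id here is identical to the one in the preceding 106100 sample, and that is expected rather than a copy-paste error: both originals share the same udp 5-tuple dmz2/127.2.3.4(56575) -> inside/127.3.4.5(53) and differ only in the "(LOCAL\\\\username)" suffix, so the matching hashes are a useful check that the user suffix is not leaking into the port value.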
@@ -615,7 +634,7 @@
},
"event": {
"severity": 6,
"ingested": "2021-09-07T09:05:53.884514Z",
"ingested": "2021-09-18T20:35:45.721897074Z",
"original": "Oct 20 2019 15:42:54: %ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575)(LOCAL\\\\username) -\u003e inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]",
"code": "106100",
"kind": "event",
@@ -655,6 +674,7 @@
"preserve_original_event"
],
"network": {
"community_id": "1:kRCfRJ9T/IeRNAhAhzOsF6EjIV4=",
"iana_number": "17",
"transport": "udp"
},
@@ -688,7 +708,7 @@
},
"event": {
"severity": 3,
"ingested": "2021-09-07T09:05:53.884516800Z",
"ingested": "2021-09-18T20:35:45.721898861Z",
"original": "Aug 6 2020 11:01:37: %ASA-session-3-106102: access-list dev_inward_client permitted udp for user redacted outside/10.123.123.20(49721) -\u003e inside/10.223.223.40(53) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]",
"code": "106102",
"kind": "event",
@@ -743,6 +763,7 @@
"preserve_original_event"
],
"network": {
"community_id": "1:cJpy7sqGDQbchRUXDtR8k10HinM=",
"iana_number": "1",
"transport": "icmp"
},
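Review bot: the 106103 original below is icmp yet still carries bracketed numbers "(64321)" and "(8080)" after the addresses; with transport icmp those must not be fed to the community_id calculation as ports (and arguably should not land in source.port/destination.port either), so confirm this expected hash was produced with ICMP type/code handling rather than with 64321 and 8080 treated as a port pair.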
@@ -776,7 +797,7 @@
},
"event": {
"severity": 1,
"ingested": "2021-09-07T09:05:53.884519600Z",
"ingested": "2021-09-18T20:35:45.721900666Z",
"original": "Aug 6 2020 11:01:38: %ASA-1-106103: access-list filter denied icmp for user joe inside/10.1.2.3(64321) -\u003e outside/1.2.33.40(8080) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]",
"code": "106103",
"kind": "event",