From ee973682a056122dc454efcc5074ab7f0968de22 Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Fri, 15 May 2020 11:56:15 +0200 Subject: [PATCH] Fix Cisco ASA/FTD msgs that use a host name as NAT address (#18376) (#18544) Sometimes the mapped source/destination IP field of an event is a hostname instead of an IP address. This caused ingestion of the event to fail. This patch makes the asa-ftd-pipeline to only populate those fields when a valid IP address is found. In the future we may want to revisit this if .nat.domain or .nat.address fields become available. (cherry picked from commit b24ed9715cbf5078f22ca3f7954f44f3ccbdae01) --- CHANGELOG.next.asciidoc | 1 + filebeat/docs/fields.asciidoc | 40 +++++++ .../module/cisco/asa/_meta/fields.yml | 12 ++ .../filebeat/module/cisco/asa/test/not-ip.log | 2 + .../cisco/asa/test/not-ip.log-expected.json | 71 ++++++++++++ x-pack/filebeat/module/cisco/fields.go | 2 +- .../module/cisco/ftd/_meta/fields.yml | 14 ++- .../filebeat/module/cisco/ftd/test/not-ip.log | 3 + .../cisco/ftd/test/not-ip.log-expected.json | 103 ++++++++++++++++++ .../cisco/shared/ingest/asa-ftd-pipeline.yml | 49 ++++++--- 10 files changed, 277 insertions(+), 20 deletions(-) create mode 100644 x-pack/filebeat/module/cisco/ftd/test/not-ip.log create mode 100644 x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index e89af5e5225..a534e10cf74 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc 
@@ -167,6 +167,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix PANW module wrong mappings for bytes and packets counters. {issue}18522[18522] {pull}18525[18525] - Fix `googlecloud.audit` pipeline to only take in fields that are explicitly defined by the dataset. {issue}18465[18465] {pull}18472[18472] - Fix a rate limit related issue in httpjson input for Okta module. {issue}18530[18530] {pull}18534[18534] +- Fixed ingestion of some Cisco ASA and FTD messages when a hostname was used instead of an IP for NAT fields. {issue}14034[14034] {pull}18376[18376] *Heartbeat* diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 17abe87eed5..5817b2807e0 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -9519,6 +9519,16 @@ type: ip -- +*`cisco.asa.mapped_source_host`*:: ++ +-- +The translated source host. + + +type: keyword + +-- + *`cisco.asa.mapped_source_port`*:: + -- @@ -9539,6 +9549,16 @@ type: ip -- +*`cisco.asa.mapped_destination_host`*:: ++ +-- +The translated destination host. + + +type: keyword + +-- + *`cisco.asa.mapped_destination_port`*:: + -- @@ -9708,6 +9728,16 @@ type: ip -- +*`cisco.ftd.mapped_source_host`*:: ++ +-- +The translated source host. + + +type: keyword + +-- + *`cisco.ftd.mapped_source_port`*:: + -- @@ -9728,6 +9758,16 @@ type: ip -- +*`cisco.ftd.mapped_destination_host`*:: ++ +-- +The translated destination host. + + +type: keyword + +-- + *`cisco.ftd.mapped_destination_port`*:: + -- diff --git a/x-pack/filebeat/module/cisco/asa/_meta/fields.yml b/x-pack/filebeat/module/cisco/asa/_meta/fields.yml index 2cf9a5a5afd..5915c246ff5 100644 --- a/x-pack/filebeat/module/cisco/asa/_meta/fields.yml +++ b/x-pack/filebeat/module/cisco/asa/_meta/fields.yml 
@@ -44,6 +44,12 @@ description: > The translated source IP address. + - name: mapped_source_host + type: keyword + default_field: false + description: > + The translated source host. + - name: mapped_source_port type: long description: > @@ -54,6 +60,12 @@ description: > The translated destination IP address. + - name: mapped_destination_host + type: keyword + default_field: false + description: > + The translated destination host. + - name: mapped_destination_port type: long description: > diff --git a/x-pack/filebeat/module/cisco/asa/test/not-ip.log b/x-pack/filebeat/module/cisco/asa/test/not-ip.log index bf8f114e6c3..2742be4b533 100644 --- a/x-pack/filebeat/module/cisco/asa/test/not-ip.log +++ b/x-pack/filebeat/module/cisco/asa/test/not-ip.log @@ -1 +1,3 @@ <165>Oct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.0.2.244(27218) -> OUTSIDE/203.0.113.42(53) hit-cnt 1 first hit [0x16847359, 0x00000000] +Jan 1 2020 10:42:53 localhost : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233 +Jan 2 2020 11:33:20 localhost : %ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware diff --git a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json index 2d23dd21421..3ffb837b3ae 100644 --- a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json 
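Review bot: The description `The translated source host.` does not say when the field is set, which matters because it is mutually exclusive with `mapped_source_ip`: the new grok step in the pipeline fills the host field only when the NAT address reported by the device is not a valid IP address. I would make that explicit, e.g. `The translated source host. Set only when the device reported a name rather than an IP address as the mapped source; in that case mapped_source_ip is not set. No ECS equivalent exists yet.` The same wording applies to `mapped_destination_host` and to the ftd definitions.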
@@ -31,5 +31,76 @@ "tags": [ "cisco-asa" ] + }, + { + "@timestamp": "2020-01-01T10:42:53.000-02:00", + "cisco.asa.mapped_source_host": "mydomain.example.net", + "cisco.asa.message_id": "302021", + "destination.address": "172.24.177.29", + "destination.ip": "172.24.177.29", + "event.action": "flow-expiration", + "event.code": 302021, + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.original": "%ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233", + "event.severity": 6, + "event.timezone": "-02:00", + "fileset.name": "asa", + "host.hostname": "localhost", + "input.type": "log", + "log.file.path": "not-ip.log", + "log.level": "informational", + "log.offset": 201, + "network.iana_number": 1, + "network.transport": "icmp", + "service.type": "cisco", + "source.address": "192.168.132.46", + "source.ip": "192.168.132.46", + "tags": [ + "cisco-asa" + ] + }, + { + "@timestamp": "2020-01-02T11:33:20.000-02:00", + "cisco.asa.destination_interface": "wan", + "cisco.asa.mapped_destination_host": "www.example.org", + "cisco.asa.mapped_destination_port": 80, + "cisco.asa.mapped_source_host": "source.example.net", + "cisco.asa.mapped_source_port": 11234, + "cisco.asa.message_id": "338204", + "cisco.asa.rule_name": "dynamic", + "cisco.asa.source_interface": "eth0", + "cisco.asa.threat_category": "malware", + "cisco.asa.threat_level": "high", + "destination.address": "172.24.177.3", + "destination.domain": "example.org", + "destination.ip": "172.24.177.3", + "destination.nat.port": "80", + "destination.port": 80, + "event.action": "firewall-rule", + "event.code": 338204, + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.original": "%ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: 
high, category: malware", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "-02:00", + "fileset.name": "asa", + "host.hostname": "localhost", + "input.type": "log", + "log.file.path": "not-ip.log", + "log.level": "warning", + "log.offset": 360, + "network.iana_number": 6, + "network.transport": "tcp", + "server.domain": "example.org", + "service.type": "cisco", + "source.address": "10.10.10.1", + "source.ip": "10.10.10.1", + "source.nat.port": "11234", + "source.port": 1234, + "tags": [ + "cisco-asa" + ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/fields.go b/x-pack/filebeat/module/cisco/fields.go index cee10776bcc..58624e92659 100644 --- a/x-pack/filebeat/module/cisco/fields.go +++ b/x-pack/filebeat/module/cisco/fields.go @@ -19,5 +19,5 @@ func init() { // AssetCisco returns asset data. // This is the base64 encoded gzipped contents of module/cisco. func AssetCisco() string { - return "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" + return "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" } diff --git a/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml b/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml index e1356d78886..e6db84b9385 100644 --- a/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml +++ b/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml @@ -44,6 +44,12 @@ description: > The translated source IP address. Use ECS source.nat.ip. + - name: mapped_source_host + type: keyword + default_field: false + description: > + The translated source host. + - name: mapped_source_port type: long description: > @@ -54,6 +60,12 @@ description: > The translated destination IP address. Use ECS destination.nat.ip. + - name: mapped_destination_host + type: keyword + default_field: false + description: > + The translated destination host. + - name: mapped_destination_port type: long description: 
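Review bot: The new fixture pins `source.nat.port` as the string `"11234"` and `destination.nat.port` as `"80"`, while the same values appear as numbers in `cisco.asa.mapped_source_port`/`mapped_destination_port` and `source.port`/`destination.port`; ECS defines the `*.nat.port` fields as `long`, so the pipeline is emitting the wrong type there. The cause is presumably in the NAT section of the pipeline that this patch does not touch (the copy from the mapped port happening before, or without, a `convert`), so it predates this change, but committing the string here makes the inconsistency part of the expected contract. Converting before the copy and updating the fixture to `"source.nat.port": 11234` would keep the ECS mapping honest.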
> @@ -90,7 +102,7 @@ type: object description: Raw fields for Security Events. - + - name: connection_type type: keyword default_field: false diff --git a/x-pack/filebeat/module/cisco/ftd/test/not-ip.log b/x-pack/filebeat/module/cisco/ftd/test/not-ip.log new file mode 100644 index 00000000000..2742be4b533 --- /dev/null +++ b/x-pack/filebeat/module/cisco/ftd/test/not-ip.log @@ -0,0 +1,3 @@ +<165>Oct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.0.2.244(27218) -> OUTSIDE/203.0.113.42(53) hit-cnt 1 first hit [0x16847359, 0x00000000] +Jan 1 2020 10:42:53 localhost : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233 +Jan 2 2020 11:33:20 localhost : %ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware diff --git a/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json new file mode 100644 index 00000000000..c5a4c9a8bf9 --- /dev/null +++ b/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json 
@@ -0,0 +1,103 @@ +[ + { + "@timestamp": "2019-10-04T15:27:55.000-02:00", + "cisco.ftd.destination_interface": "OUTSIDE", + "cisco.ftd.message_id": "106100", + "cisco.ftd.rule_name": "AL-DMZ-LB-IN", + "cisco.ftd.source_interface": "LB-DMZ", + "destination.address": "203.0.113.42", + "destination.ip": "203.0.113.42", + "destination.port": 53, + "event.action": "firewall-rule", + "event.code": 106100, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.0.2.244(27218) -> OUTSIDE/203.0.113.42(53) hit-cnt 1 first hit [0x16847359, 0x00000000]", + "event.outcome": "deny", + "event.severity": 5, + "event.timezone": "-02:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 0, + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.address": "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244", + "source.domain": "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244", + "source.port": 27218, + "syslog.facility": 165, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2020-01-01T10:42:53.000-02:00", + "cisco.ftd.mapped_source_host": "mydomain.example.net", + "cisco.ftd.message_id": "302021", + "destination.address": "172.24.177.29", + "destination.ip": "172.24.177.29", + "event.action": "flow-expiration", + "event.code": 302021, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233", + "event.severity": 6, + "event.timezone": "-02:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 201, + "network.iana_number": 1, + "network.transport": "icmp", + "service.type": "cisco", + "source.address": "192.168.132.46", + "source.ip": "192.168.132.46", + "tags": [ + "cisco-ftd" + ] + }, + 
{ + "@timestamp": "2020-01-02T11:33:20.000-02:00", + "cisco.ftd.destination_interface": "wan", + "cisco.ftd.mapped_destination_host": "www.example.org", + "cisco.ftd.mapped_destination_port": 80, + "cisco.ftd.mapped_source_host": "source.example.net", + "cisco.ftd.mapped_source_port": 11234, + "cisco.ftd.message_id": "338204", + "cisco.ftd.rule_name": "dynamic", + "cisco.ftd.source_interface": "eth0", + "cisco.ftd.threat_category": "malware", + "cisco.ftd.threat_level": "high", + "destination.address": "172.24.177.3", + "destination.domain": "example.org", + "destination.ip": "172.24.177.3", + "destination.nat.port": "80", + "destination.port": 80, + "event.action": "firewall-rule", + "event.code": 338204, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "-02:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "warning", + "log.offset": 360, + "network.iana_number": 6, + "network.transport": "tcp", + "server.domain": "example.org", + "service.type": "cisco", + "source.address": "10.10.10.1", + "source.ip": "10.10.10.1", + "source.nat.port": "11234", + "source.port": 1234, + "tags": [ + "cisco-ftd" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml index f09c5673577..732f21a4d1a 100644 --- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml +++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml 
@@ -291,7 +291,7 @@ processors: - dissect: if: "ctx._temp_.cisco.message_id == '313009'" field: "message" - pattern: "%{event.outcome} invalid %{network.transport} code %{_temp_.cisco.icmp_code} , for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}" + pattern: "%{event.outcome} invalid %{network.transport} code %{_temp_.cisco.icmp_code} , for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}" - dissect: if: "ctx._temp_.cisco.message_id == '322001'" field: "message" 
@@ -299,7 +299,7 @@ processors: - dissect: if: "ctx._temp_.cisco.message_id == '338001'" field: "message" - pattern: "Dynamic filter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + pattern: "Dynamic filter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - set: if: "ctx._temp_.cisco.message_id == '338001'" field: "server.domain" 
@@ -307,7 +307,7 @@ processors: - dissect: if: "ctx._temp_.cisco.message_id == '338002'" field: "message" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}" - set: if: "ctx._temp_.cisco.message_id == '338002'" field: "server.domain" 
@@ -315,15 +315,15 @@ processors: - dissect: if: "ctx._temp_.cisco.message_id == '338003'" field: "message" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - dissect: if: "ctx._temp_.cisco.message_id == '338004'" field: "message" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to 
%{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - dissect: if: "ctx._temp_.cisco.message_id == '338005'" field: "message" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - set: if: "ctx._temp_.cisco.message_id == '338005'" field: "server.domain" 
@@ -331,7 +331,7 @@ processors: - dissect: if: "ctx._temp_.cisco.message_id == '338006'" field: "message" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - set: if: "ctx._temp_.cisco.message_id == '338006'" field: "server.domain" 
@@ -339,15 +339,15 @@ processors: - dissect: if: "ctx._temp_.cisco.message_id == '338007'" field: "message" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - dissect: if: "ctx._temp_.cisco.message_id == '338008'" field: "message" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to 
%{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - dissect: if: "ctx._temp_.cisco.message_id == '338101'" field: "message" - pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}" + pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}" - set: if: "ctx._temp_.cisco.message_id == '338101'" field: "server.domain" 
@@ -355,7 +355,7 @@ processors: - dissect: if: "ctx._temp_.cisco.message_id == '338102'" field: "message" - pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}" + pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}" - set: if: "ctx._temp_.cisco.message_id == '338102'" field: "server.domain" 
@@ -363,15 +363,15 @@ processors: - dissect: if: "ctx._temp_.cisco.message_id == '338103'" field: "message" - pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}" + pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}" - dissect: if: "ctx._temp_.cisco.message_id == '338104'" field: "message" - pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}" + pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}" - dissect: if: "ctx._temp_.cisco.message_id == '338201'" field: 
"message" - pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - set: if: "ctx._temp_.cisco.message_id == '338201'" field: "server.domain" 
@@ -379,7 +379,7 @@ processors: - dissect: if: "ctx._temp_.cisco.message_id == '338202'" field: "message" - pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - set: if: "ctx._temp_.cisco.message_id == '338202'" field: "server.domain" 
@@ -387,7 +387,7 @@ processors: - dissect: if: "ctx._temp_.cisco.message_id == '338203'" field: "message" - pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - set: if: "ctx._temp_.cisco.message_id == '338203'" field: "server.domain" 
@@ -395,7 +395,7 @@ processors: - dissect: if: "ctx._temp_.cisco.message_id == '338204'" field: "message" - pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - set: if: "ctx._temp_.cisco.message_id == '338204'" field: "server.domain" @@ -446,7 +446,7 @@ processors: NOTCOLON: "[^:]*" ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})" - MAPPEDSRC: "(?:%{DATA:_temp_.cisco.mapped_source_ip}|%{HOSTNAME})" + MAPPEDSRC: "(?:%{DATA:_temp_.natsrcip}|%{HOSTNAME})" # # Decode FTD's Security Event Syslog Messages 
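Review bot: The `%{HOSTNAME}` alternative in the renamed `MAPPEDSRC` is unreachable, because `%{DATA}` (`.*?`) matches any string the hostname branch could, so the regex engine never falls through to it; now that IP-versus-host classification is done by the later grok on `_temp_.natsrcip`, the pattern would read more honestly as `MAPPEDSRC: "%{DATA:_temp_.natsrcip}"` with a comment pointing at that step. No destination-side counterpart that captures `_temp_.natdstip` is visible in this hunk; if one exists elsewhere in the pattern definitions it needs the same rename, and any pattern outside these hunks that still writes `_temp_.cisco.mapped_source_ip` or `_temp_.cisco.mapped_destination_ip` directly bypasses the new check and keeps the original failure on hostnames. A small naming point: `natsrcip`/`natdstip` now routinely hold a hostname, so `natsrc`/`natdst` would describe them better.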
@@ -1209,6 +1209,19 @@ processors: ignore_missing: true # + # Set mapped_{src|dst}_ip fields only if they consist of a valid IP address. + # + - grok: + field: _temp_.natsrcip + patterns: + - "(?:%{IP:_temp_.cisco.mapped_source_ip}|%{GREEDYDATA:_temp_.cisco.mapped_source_host})" + ignore_failure: true + - grok: + field: _temp_.natdstip + patterns: + - "(?:%{IP:_temp_.cisco.mapped_destination_ip}|%{GREEDYDATA:_temp_.cisco.mapped_destination_host})" + ignore_failure: true + # # NAT fields # # The firewall always populates mapped ip and port even if there was no NAT.
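Review bot: Both grok patterns are unanchored, so a NAT value that merely begins with an IP-like token (say `192.0.2.244.example.net`; the fixture's own `…-192.0.2.244` name shows that device names do embed addresses) satisfies the `%{IP}` alternative and lands in `mapped_source_ip` with the rest of the name silently dropped, assuming the ingest grok processor searches rather than full-matches, which is my reading of it. Anchoring makes the IP branch mean "the whole value is an IP": `- "^(?:%{IP:_temp_.cisco.mapped_source_ip}|%{GREEDYDATA:_temp_.cisco.mapped_source_host})$"`, and the same for the destination pattern. `ignore_failure: true` is broader than the case it is there for (events with no NAT field): it also hides a genuinely broken pattern, whereas `ignore_missing: true` covers only the absent field. The fixtures in this patch exercise plain hostnames only; a line whose NAT address is an IP-prefixed name would pin the anchored behaviour.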