
[SIEM] [Filebeat] Fix Cisco FTD/ASA parsing of msg 302021 #13476

Merged
merged 1 commit into from
Sep 9, 2019

Conversation

adriansr
Contributor

@adriansr adriansr commented Sep 3, 2019

The pattern for ASA message 302021 contained a few errors:

  • source and destination swapped.
  • storing ICMP codes as port numbers.
  • didn't support hostnames in place of IPs.

Fixes #13259
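To make the three defects concrete, here is a small parser for the 302021 message written for this page (it is not Beats code and does not reproduce the PR's dissect/grok pattern). It accepts either an IP or a hostname in each address slot, keeps the ICMP type and code under ICMP-specific keys instead of `source.port`/`destination.port`, and maps the ASA "foreign" address (`faddr`) to the destination and the "local" address (`laddr`) to the source; that source/destination mapping, the `nat.address` key for `gaddr`, and the sample lines are this example's assumptions.

```python
import re
from typing import Optional

# Constructed sample lines in the shape of an ASA 302021 teardown message
# (not taken from the Beats test suite). The second uses hostnames.
SAMPLE_LINES = [
    "%ASA-6-302021: Teardown ICMP connection for faddr 203.0.113.7/0 "
    "gaddr 198.51.100.2/0 laddr 10.0.0.5/0 type 8 code 0",
    "%ASA-6-302021: Teardown ICMP connection for faddr dns.example.net/0 "
    "gaddr 198.51.100.2/0 laddr host42.corp.example/0 type 3 code 3",
]

# An address slot may hold an IPv4/IPv6 literal or a hostname; a pattern
# that only matched IPs is the third defect described in the PR.
ADDR = r"[A-Za-z0-9][A-Za-z0-9.\-:]*"
PATTERN = re.compile(
    r"%ASA-\d-302021: Teardown ICMP connection for "
    rf"faddr (?P<faddr>{ADDR})/(?P<faddr_num>\d+) "
    rf"gaddr (?P<gaddr>{ADDR})/(?P<gaddr_num>\d+) "
    rf"laddr (?P<laddr>{ADDR})/(?P<laddr_num>\d+) "
    r"type (?P<icmp_type>\d+) code (?P<icmp_code>\d+)$"
)


def parse_302021(line: str) -> Optional[dict]:
    """Return an ECS-like dict for a 302021 line, or None if it does not match."""
    m = PATTERN.match(line)
    if not m:
        return None
    return {
        "event.code": 302021,
        "network.transport": "icmp",
        # faddr is the foreign end, laddr the local end of the connection.
        # Mapping foreign->destination and local->source is an assumption of
        # this example; the PR only states the original pattern had them swapped.
        "source.address": m["laddr"],
        "destination.address": m["faddr"],
        # gaddr is the global (translated) address; key name is an assumption.
        "nat.address": m["gaddr"],
        # ICMP has no ports: type and code must not land in *.port fields.
        # ECS had no ICMP fields at the time, so a custom key is used here.
        "icmp.type": int(m["icmp_type"]),
        "icmp.code": int(m["icmp_code"]),
    }


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_302021(line))
```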

@elasticmachine
Collaborator

Pinging @elastic/siem

The pattern for ASA message 302021 contained a few errors:
- source and destination swapped.
- storing ICMP codes as port numbers.
- didn't support hostnames in place of IPs.

Fixes elastic#13259
@adriansr adriansr added the needs_backport PR is waiting to be backported to other branches. label Sep 4, 2019
Member

@andrewkroh andrewkroh left a comment


LGTM. For ECS I think we should add a field for icmp type and code.

@adriansr adriansr merged commit e0c705c into elastic:master Sep 9, 2019
adriansr added a commit to adriansr/beats that referenced this pull request Sep 9, 2019
)

(cherry picked from commit e0c705c)
@adriansr adriansr added v7.4.0 and removed needs_backport PR is waiting to be backported to other branches. labels Sep 9, 2019
adriansr added a commit that referenced this pull request Sep 10, 2019
…13557)

(cherry picked from commit e0c705c)
leweafan pushed a commit to leweafan/beats that referenced this pull request Apr 28, 2023
) (elastic#13557)

(cherry picked from commit b5d8842)
Development

Successfully merging this pull request may close these issues.

Cisco incomplete patterns
3 participants