
[cisco_asa] Fix Event code 106023 - Source/Destination IP not being parsed into respective source.ip or destination.ip field when interface nameif has a full colon (:) #10917

Merged
merged 1 commit into from
Nov 4, 2024

Conversation

aleksmaus
Member

[cisco_asa] Fix Event code 106023 - Source/Destination IP not being parsed into respective source.ip or destination.ip field when interface nameif has a full colon (:)

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Related issues

@aleksmaus aleksmaus added Integration:cisco_asa Cisco ASA bugfix Pull request that fixes a bug issue Team:Security-Deployment and Devices Deployment and Devices Security team [elastic/sec-deployment-and-devices] labels Aug 28, 2024
@aleksmaus aleksmaus self-assigned this Aug 28, 2024
@aleksmaus aleksmaus requested a review from a team as a code owner August 28, 2024 14:08
@elasticmachine

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

@@ -0,0 +1,3 @@
Apr 17 2020 14:00:31 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group "Inside_access_in" [0x0, 0x0]
LOCAL4.WARNING: fw-1 %ASA-4-106023: Deny udp src v1:outside:10.8.1.9/54864 dst inside:172.16.1.3/53 by access-group "outside_acl" [0x0, 0x0]
LOCAL4.WARNING: fw-1 %ASA-4-106023: Deny udp src v1:outside:10.8.1.9/54864 dst v2:inside:172.16.1.3/53 by access-group "outside_acl" [0x0, 0x0]
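Review bot: the two new samples that exercise the colon-in-nameif path (the `v1:outside` / `v2:inside` lines) are both UDP with a port on each side, while the only sample without a port is the first line, whose nameifs have no colon. Since the port group is optional in the grok pattern, add one colon-prefixed sample where nothing but a space follows the address (an icmp line, or a UDP line with the port omitted on the dst side) so the nameif/address boundary is also tested in that shape. The IPv6-with-prefixed-nameif case asked for in review is not in this file; if that is by design (IPv4 only, as discussed further down), a sentence in the PR description saying so would stop the next reader from assuming it is covered.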
Contributor

@pkoutsovasilis pkoutsovasilis Aug 28, 2024


Can you also add an example with IPv6 IPs, which are full of colons (please include the port as well)? Just to make sure that nothing breaks in the former case.

Member Author


There is already one, search for:

Apr 27 2020 02:03:03 dev01: %ASA-4-106023: Deny icmp src OUTSIDE:2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 dst OUTSIDE:2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 (type 128, code 0) by access-group "OUTSIDE_in"

Contributor

@pkoutsovasilis pkoutsovasilis Aug 28, 2024


Yes, one already exists with an iface without a colon, but you are fixing support for ifaces with colons in them, right?! So can we add one that covers this case: iface with colon + IPv6 + port?

Member Author


Hmmm. Found another case (assuming IPv6 was customized with a prefix containing ':'); it works in the grok dev tool:

[screenshot: grok dev tool output, 2024-08-28]

but it breaks when regenerating with elastic-package... ughhh

Apr 27 2020 02:03:03 dev01: %ASA-4-106023: Deny icmp src v2:OUTSIDE:2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 dst v3:OUTSIDE:2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 (type 128, code 0) by access-group "OUTSIDE_in"
            "cisco": {
                "asa": {
                    "destination_interface": "v3:OUTSIDE:2a02:cf40:add:4002:91f2:a9b2:e09a",
                    "rule_name": "OUTSIDE_in",
                    "source_interface": "v2:OUTSIDE:2a02:cf40:add:4002:91f2:a9b2:e09a"
                }
            },

@elasticmachine

🚀 Benchmarks report

To see the full report, comment with /test benchmark fullreport

@aleksmaus
Member Author

After doing some digging around, it doesn't look like we have robust support for parsing the IPv6 case if the hostname has a prefix that contains ":".
The problem is distinguishing the ":" of the IPv6 address from a possible ":" in the hostname. At the moment we don't have immediate cases where the hostname contains ":" in the name together with IPv6. So I will attempt to cover the immediate case with IPv4 and then see if the IPv6 case ever materializes.

Currently having an issue with Grok. The expression works fine in the "Grok" debugger.
Sample Data:

Deny udp src outside:10.8.1.9 dst v3:inside:172.16.1.3/53 by access-group "outside_acl" [0x0, 0x0]

Grok pattern:

^Deny ((protocol %{POSINT:network.iana_number})|%{NOTSPACE:network.transport}) src %{IFACENAME:_temp_.cisco.source_interface}:%{IPV4ORHOST:source.address}(/%{NUMBER:source.port})?\s*(\(%{CISCO_USER_OR_SGT_SRC}\) )?dst %{IFACENAME:_temp_.cisco.destination_interface}:%{IPV4ORHOST:destination.address}(/%{NUMBER:destination.port})?%{DATA}by access-group "%{NOTSPACE:_temp_.cisco.list_id}"

Custom Patterns:

HOSTNAME \b(?:[0-9A-Za-z][0-9A-Za-z\-_]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z\-_]{0,62}))*(\.?|\b)
IPORHOST (?:%{IP}|%{HOSTNAME})
IPV4ORHOST (?:%{IPV4}|%{HOSTNAME})
NOTCOLON [^:]*
IFACENAME (.*:)?[^:]*
USERNAME [a-zA-Z0-9._'-]+
CISCO_USER_OR_SGT_SRC (?:%{CISCO_USER:_temp_.cisco.source_user_or_sgt}|%{CISCO_SGT:_temp_.cisco.source_user_or_sgt}|\((?:%{CISCO_USER:_temp_.cisco.source_user_or_sgt}|%{CISCO_SGT:_temp_.cisco.source_user_or_sgt})\))
CISCO_USER (?:\*\*\*\*\*|(?:(?:LOCAL\\)?(?:%{HOSTNAME}\\)?%{USERNAME}\$?(?:@%{HOSTNAME})?%{CISCO_SGT}?)|[^$]+)
CISCO_SGT (?:, *)?%{NUMBER}(?::%{WORD})?

Returns:

{
  "destination": {
    "port": "53",
    "address": "172.16.1.3"
  },
  "_temp_": {
    "cisco": {
      "destination_interface": "v3:inside",
      "list_id": "outside_acl",
      "source_interface": "outside"
    }
  },
  "source": {
    "address": "10.8.1.9"
  },
  "network": {
    "transport": "udp"
  }
}

But the same thing doesn't work in the ingest pipeline, clipping the destination_interface:

            "cisco": {
                "asa": {
                    "destination_interface": "v3",
                    "rule_name": "outside_acl",
                    "source_interface": "outside"
                }
            },

Interestingly, if I add prefixes to both src and dst, or only to src, the pipeline works fine.
It's not helpful that the same processor in the ingest pipeline returns a different result than the grok debugger output.

Will get back to this later.

@aleksmaus
Member Author

KK. Figured out the problem with my previous attempt. The original regex

^Deny ((protocol %{POSINT:network.iana_number})|%{NOTSPACE:network.transport}) src %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{NUMBER:source.port})?\s*(\(%{CISCO_USER_OR_SGT_SRC}\) )?dst %{NOTCOLON:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{NUMBER:destination.port})?%{DATA}by access-group "%{NOTSPACE:_temp_.cisco.list_id}"

actually matches when the dst has a prefix:

Deny udp src outside:10.8.1.9 dst v3:inside:172.16.1.3/53 by access-group \"outside_acl\" [0x0, 0x0]

and doesn't match any other permutation of src or dst prefixes.

That's why I saw the different result in the pipeline simulator.
Example playground

POST /_ingest/pipeline/_simulate
{
  "pipeline": {
    "description": "_description",
    "processors": [
      {
        "grok": {
          "field": "message",
          "patterns": [
            "^Deny ((protocol %{POSINT:network.iana_number})|%{NOTSPACE:network.transport}) src %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{NUMBER:source.port})?\\s*(\\(%{CISCO_USER_OR_SGT_SRC}\\) )?dst %{NOTCOLON:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{NUMBER:destination.port})?%{DATA}by access-group \"%{NOTSPACE:_temp_.cisco.list_id}\""
          ],
          "pattern_definitions": {
            "HOSTNAME": "\\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62}))*(\\.?|\\b)",
            "IPORHOST": "(?:%{IP}|%{HOSTNAME})",
            "NOTCOLON": "[^:]*",
            "IFACENAME": "(.*)?%{NOTCOLON}",
            "USERNAME": "[a-zA-Z0-9._'-]+",
            "CISCO_USER_OR_SGT_SRC": "(?:%{CISCO_USER:_temp_.cisco.source_user_or_sgt}|%{CISCO_SGT:_temp_.cisco.source_user_or_sgt}|\\((?:%{CISCO_USER:_temp_.cisco.source_user_or_sgt}|%{CISCO_SGT:_temp_.cisco.source_user_or_sgt})\\))",
            "CISCO_USER": "(?:\\*\\*\\*\\*\\*|(?:(?:LOCAL\\\\)?(?:%{HOSTNAME}\\\\)?%{USERNAME}\\$?(?:@%{HOSTNAME})?%{CISCO_SGT}?)|[^$]+)",
            "CISCO_SGT": "(?:, *)?%{NUMBER}(?::%{WORD})?"
          }
        }
      }
    ]
  },
  "docs": [
    {
      "_index": "index",
      "_id": "id",
      "_source": {
        "message0": "Deny udp src outside:10.8.1.9 dst inside:172.16.1.3/53 by access-group \"outside_acl\" [0x0, 0x0]",
        "message1": "Deny udp src v2:outside:10.8.1.9 dst inside:172.16.1.3/53 by access-group \"outside_acl\" [0x0, 0x0]",
        "message": "Deny udp src outside:10.8.1.9 dst v3:inside:172.16.1.3/53 by access-group \"outside_acl\" [0x0, 0x0]",
        "message3": "Deny udp src v2:outside:10.8.1.9 dst v3:inside:172.16.1.3/53 by access-group \"outside_acl\" [0x0, 0x0]"
      }
    }
  ]
}

Output:

{
  "docs": [
    {
      "doc": {
        "_index": "index",
        "_version": "-3",
        "_id": "id",
        "_source": {
          "_temp_": {
            "cisco": {
              "destination_interface": "v3",
              "list_id": "outside_acl",
              "source_interface": "outside"
            }
          },
          "destination": {
            "address": "inside"
          },
          "message3": """Deny udp src v2:outside:10.8.1.9 dst v3:inside:172.16.1.3/53 by access-group "outside_acl" [0x0, 0x0]""",
          "source": {
            "address": "10.8.1.9"
          },
          "message0": """Deny udp src outside:10.8.1.9 dst inside:172.16.1.3/53 by access-group "outside_acl" [0x0, 0x0]""",
          "message": """Deny udp src outside:10.8.1.9 dst v3:inside:172.16.1.3/53 by access-group "outside_acl" [0x0, 0x0]""",
          "message1": """Deny udp src v2:outside:10.8.1.9 dst inside:172.16.1.3/53 by access-group "outside_acl" [0x0, 0x0]""",
          "network": {
            "transport": "udp"
          }
        },
        "_ingest": {
          "timestamp": "2024-08-30T01:20:09.769757584Z"
        }
      }
    }
  ]
}

Will update PR shortly
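Worked example, added by the editor and not part of this PR or the cisco_asa integration: the grok patterns from the two comments above translated to Python `re`, so the behaviour can be reproduced offline. It shows (1) why the original NOTCOLON pattern "matched" only the dst-prefixed line, filling destination.address with the nameif `inside` and letting %{DATA} swallow the real address, (2) an IPv4-anchored variant in which the interface keeps its colons, and (3) the IPv6 ambiguity raised in the earlier comment: once the address itself is colon-delimited, neither a greedy nor a lazy interface match is right for every nameif. Assumptions: the CISCO_USER_OR_SGT group is dropped, IPV6 is a simplified pattern, `IFACE_GREEDY`/`IFACE_LAZY` are the editor's alternatives and not the regex merged in the PR, and the `dc1` log line is constructed.

```python
"""Emulate the Cisco ASA 106023 grok patterns from the PR thread with Python's re.

Added example (not code from the PR or the cisco_asa integration). Assumptions:
the CISCO_USER_OR_SGT group is left out, IPV6 is simplified, IFACE_GREEDY and
IFACE_LAZY are the editor's alternatives (not what was merged), and
CONSTRUCTED_IPV6 is a made-up log line.
"""
import re

HEX = "[0-9a-fA-F]"
IPV4 = r"(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)"
IPV6 = rf"(?:{HEX}{{0,4}}:){{2,7}}{HEX}{{1,4}}"  # simplified; also accepts '::' compression
HOSTNAME = r"\b[0-9A-Za-z][0-9A-Za-z\-_]{0,62}(?:\.[0-9A-Za-z][0-9A-Za-z\-_]{0,62})*(?:\.?|\b)"
IP = rf"(?:{IPV6}|{IPV4})"
IPORHOST = rf"(?:{IP}|{HOSTNAME})"

# Interface-name alternatives, as Python regex:
NOTCOLON = r"[^:]*"                     # grok NOTCOLON, used by the original pattern
IFACE_GREEDY = r"[^\s:]+(?::[^\s:]+)*"  # keep as many ':'-separated segments as possible
IFACE_LAZY = r"[^\s:]+(?::[^\s:]+)*?"   # keep as few as possible


def build(iface: str, addr: str) -> re.Pattern:
    """Compile: Deny <proto> src <iface>:<addr>[/port] dst <iface>:<addr>[/port] ... by access-group <acl>."""
    def side(name: str) -> str:
        return (rf"(?P<{name}_interface>{iface}):(?P<{name}_address>{addr})"
                rf"(?:/(?P<{name}_port>\d+))?")
    return re.compile(
        r"^Deny (?:protocol (?P<iana_number>\d+)|(?P<transport>\S+)) src "
        + side("source") + r"\s+dst " + side("destination")
        + r'.*?by access-group "(?P<list_id>[^"]+)"'  # .*? plays the role of %{DATA}
    )


BEFORE = build(NOTCOLON, IPORHOST)  # the pattern the PR started from
AFTER = build(IFACE_GREEDY, IPV4)   # an IPv4 literal anchors the boundary, so the nameif may keep ':'


def parse(pattern: re.Pattern, message: str):
    """Return the populated named groups, or None when the pattern does not match."""
    m = pattern.match(message)
    return None if m is None else {k: v for k, v in m.groupdict().items() if v is not None}


# The four IPv4 permutations from the _simulate call in the thread (syslog header stripped).
PR_IPV4 = {
    "message0": 'Deny udp src outside:10.8.1.9 dst inside:172.16.1.3/53 by access-group "outside_acl" [0x0, 0x0]',
    "message1": 'Deny udp src v2:outside:10.8.1.9 dst inside:172.16.1.3/53 by access-group "outside_acl" [0x0, 0x0]',
    "message": 'Deny udp src outside:10.8.1.9 dst v3:inside:172.16.1.3/53 by access-group "outside_acl" [0x0, 0x0]',
    "message3": 'Deny udp src v2:outside:10.8.1.9 dst v3:inside:172.16.1.3/53 by access-group "outside_acl" [0x0, 0x0]',
}
# The IPv6 line with prefixed nameifs quoted in the thread.
PR_IPV6 = ('Deny icmp src v2:OUTSIDE:2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 '
           'dst v3:OUTSIDE:2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 (type 128, code 0) by access-group "OUTSIDE_in"')
# Constructed (not from the PR): a hex-looking nameif segment next to a compressed IPv6 address.
CONSTRUCTED_IPV6 = 'Deny tcp src v2:dc1:2a02:cf40::1/443 dst inside:10.0.0.5/443 by access-group "dc1_in" [0x0, 0x0]'


def before_vs_after() -> dict:
    """Map each PR sample to (BEFORE result, AFTER result)."""
    return {k: (parse(BEFORE, v), parse(AFTER, v)) for k, v in PR_IPV4.items()}


def ipv6_splits(message: str) -> dict:
    """Where greedy vs lazy interface matching puts the ':' boundary when the address is IPv6."""
    out = {}
    for label, iface in (("greedy", IFACE_GREEDY), ("lazy", IFACE_LAZY)):
        r = parse(build(iface, IP), message)
        out[label] = None if r is None else (r["source_interface"], r["source_address"])
    return out


if __name__ == "__main__":
    for key, (old, new) in before_vs_after().items():
        print(f"{key}:\n  before: {old}\n  after:  {new}")
    for msg in (PR_IPV6, CONSTRUCTED_IPV6):
        print(msg.split(" dst ")[0], "->", ipv6_splits(msg))
```

Running it reproduces the simulate output above for BEFORE (only `message` matches, with `destination_interface` = `v3` and `destination_address` = `inside`), while AFTER yields `v2:outside` / `v3:inside` with the real addresses for every permutation. For the IPv6 lines the greedy interface steals trailing address groups on the PR's own sample, the lazy one gets that sample right but hands `dc1:2a02:cf40::1` to the address on the constructed line, and the greedy one splits that line as `v2:dc1:2a02` / `cf40::1`; the boundary is only decidable if the parser knows the configured nameifs.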

@aleksmaus
Member Author

Hold off on reviewing this one. I'm not too happy that there is an additional, fairly complex grok/regex for that special case, which is now checked for a match first. I'll see if there is anything that can be done.

@andrewkroh andrewkroh marked this pull request as draft September 26, 2024 03:38
@aleksmaus aleksmaus requested a review from a team October 1, 2024 19:47
…arsed into respective source.ip or destination.ip field when interface nameif has a full colon (:)
@aleksmaus
Member Author

Refined the existing regex to better match the existing data as well as the new logs when the interface name contains ':'.

@aleksmaus aleksmaus marked this pull request as ready for review October 1, 2024 19:51
@elasticmachine

💚 Build Succeeded

History

  • 💚 Build #15212 succeeded 771b94c249eb5d42cb1e883bb358ff532e8379f3
  • 💚 Build #15137 succeeded 4ef14996c63a0fce6208887e332d96ef3982e4f5
  • 💔 Build #15130 failed dc0f88974ffb6bcbac76abdf519b0ec8862d0f3e

cc @aleksmaus

@aleksmaus aleksmaus merged commit ca1a85c into elastic:main Nov 4, 2024
5 checks passed