wazuh alert fields for cisco-asa logs


YNWA

Jan 5, 2021, 7:48:52 AM
to Wazuh mailing list
Hi! As you can see in the suricata and cisco-asa alerts below, there are fields like src_ip|srcip and dest_ip|dstip in the suricata alerts, but there are no such fields in the cisco-asa alerts.
 
{"timestamp":"2021-01-05T08:52:34.695+0000","rule":{"level":3,"description":"Suricata: Alert - GPL NETBIOS SMB-DS Session Setup NTMLSSP asn1 overflow attempt","id":"86601","firedtimes":1789,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"002","name":"elk-server","ip":"x.x.x.x"},"manager":{"name":"Nisir1"},"id":"1609836754.29061343","decoder":{"name":"json"},"data":{"timestamp":"2021-01-05T08:52:27.038957+0000","flow_id":"252351487905997.000000","in_iface":"ens33","event_type":"alert","src_ip":"x.x.x.x","src_port":"50121","dest_ip":"x.x.x.x","dest_port":"445","proto":"TCP","alert":{"action":"allowed","gid":"1","signature_id":"2102383","rev":"21","signature":"GPL NETBIOS SMB-DS Session Setup NTMLSSP asn1 overflow attempt","category":"Generic Protocol Command Decode","severity":"3"}},"location":"/var/log/suricata/eve.json"}

{"timestamp":"2021-01-05T11:49:07.097+0300","rule":{"level":3,"description":"ASA warning message.","id":"64004","firedtimes":7,"mail":false,"groups":["syslog","cisco","cisco-asa"]},"agent":{"id":"000","name":"wazuh"},"manager":{"name":"wazuh"},"id":"1609836547.3446","full_log":"Jan 05 2021 11:44:50 172.20.3.2 : %ASA-4-106023: Deny icmp src outsid:162.255.170.138 dst Inside:x.x.x.x (type 3, code 1) by access-group \"outsid_access_in\" [0x0, 0x0]","decoder":{"name":"cisco-asa"},"location":"x.x.x.x"}

Can anyone help me add src_ip|srcip and dst_ip|dstip to the cisco-asa alert fields?
Thank you!!!

mauro.e...@wazuh.com

Jan 5, 2021, 10:11:06 AM
to Wazuh mailing list
Hi YNWA,

I've been playing around with your log message and found that we already have a decoder that gathers the fields you require, but unfortunately it requires the IPs to have the format 'A.B.C.D/port'. Here is the default decoder for reference:

<decoder name="cisco-asa-fw3">
  <parent>cisco-asa</parent>
  <prematch offset="after_parent">4-106023</prematch>
  <regex offset="after_parent">(\S+): (\w+) (\w+) src \w+:</regex>
  <regex>(\S+)/(\S+) dst \w+:(\S+)/(\S+)</regex>
  <order>id, action, protocol, srcip, srcport, dstip, dstport</order>
</decoder>


You have a couple of options here:
- If you can configure your Cisco devices to add the port number in the log messages, the default decoder should kick in and start adding IP and port numbers to your alerts.
- If all your Cisco log messages show up without the port portion, you can modify the decoder to exclude them and the IPs should show up (I will explain how to do this in a second).
- A third option would be to exclude the decoder file and write your own using sibling decoders to get the most out of it (this is by far the most complex and time consuming option).

In order to modify the decoder so it starts adding the IP information to your alerts, you would need to remove 'srcport' and 'dstport' from the '<order>' tag as well as the corresponding capture groups from the regex expressions. It should look something like this:

<decoder name="cisco-asa-fw3">
  <parent>cisco-asa</parent>
  <prematch offset="after_parent">4-106023</prematch>
  <regex offset="after_parent">(\S+): (\w+) (\w+) src \w+:</regex>
  <regex>(\S+) dst \w+:(\S+)</regex>
  <order>id, action, protocol, srcip, dstip</order>
</decoder>


You can find this decoder under '$WAZUH_INSTALL_DIR/ruleset/decoders/0064-cisco-asa_decoders.xml'. In order for this change not to be lost when upgrading your manager, I heavily suggest that you read the following section in the documentation:

If you want to learn more on how to create and modify decoders and rules, you can do so by reading the following blogpost:

Best regards,
Mauro.

mauro.e...@wazuh.com

Jan 5, 2021, 11:07:39 AM
to Wazuh mailing list
Hi again YNWA,

As a side note, would you be willing to share some other log messages from your cisco device? It would greatly help us to improve our decoders and rules. Feel free to censor any sensitive information such as IPs as you've done on your previous message.

YNWA

Jan 6, 2021, 8:18:12 AM
to Wazuh mailing list
Hi Mauro,
Thank you for your response. As you can see below, my cisco log contains IPs with the A.B.C.D/port format:
%ASA-4-106023: Deny tcp src outsid:x.x.x.x/2439 dst Inside:x.x.x.x/55736 by access-group "outsid_access_in" [0x0, 0x0]
and the ossec-logtest output for the above log is:
**Phase 1: Completed pre-decoding.
       full event: '%ASA-4-106023: Deny tcp src outsid:x.x.x.x/2439 dst Inside:x.x.x.x/55736 by access-group "outsid_access_in" [0x0, 0x0]'
       timestamp: '(null)'
       hostname: 'nisir'
       program_name: '(null)'
       log: '%ASA-4-106023: Deny tcp src outsid:x.x.x.x/2439 dst Inside:x.x.x.x/55736 by access-group "outsid_access_in" [0x0, 0x0]'

**Phase 2: Completed decoding.
       decoder: 'cisco-asa'
       id: '4-106023'
       action: 'Deny'
       protocol: 'tcp'
       srcip: 'x.x.x.x'
       srcport: '2439'
       dstip: 'x.x.x.x'
       dstport: '55736'

**Phase 3: Completed filtering (rules).
       Rule id: '64004'
       Level: '3'
       Description: 'ASA warning message.'
**Alert to be generated.
But the Wazuh alerts.json is as follows; there is no srcip and dstip:
{"timestamp":"2021-01-06T00:00:06.653+0300","rule":{"level":3,"description":"ASA warning message.","id":"64004","firedtimes":621,"mail":false,"groups":["syslog","cisco","cisco-asa"]},"agent":{"id":"000","name":"wazuh"},"manager":{"name":"wazuh"},"id":"1609880406.368470","full_log":"Jan 05 2021 23:55:45 x.x.x.x : %ASA-4-106023: Deny tcp src outsid:x.x.x.x/2439 dst Inside:x.x.x.x/55736 by access-group \"outsid_access_in\" [0x0, 0x0]","decoder":{"name":"cisco-asa"},"location":"x.x.x.x"}

The following are some of my cisco logs:
%ASA-4-106023: Deny icmp src outsid:x.x.x.x dst Inside:x.x.x.x (type 3, code 13) by access-group "outsid_access_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src outsid:x.x.x.x/4364 dst Inside:x.x.x.x/48916 by access-group "outsid_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outsid:x.x.x.x/19895 dst Inside:x.x.x.x/55736 by access-group "outsid_access_in" [0x0, 0x0]
%ASA-2-106017: Deny IP due to Land Attack from x.x.x.x to x.x.x.x

Best regards,
YNWA.

mauro.e...@wazuh.com

Jan 7, 2021, 5:03:36 AM
to Wazuh mailing list
Hi YNWA,

First of all, thanks for sharing your log messages, it's a great help for us!

With regards to your alerts, I just tested the same log on a 3.12.3 manager and got the alert with the expected fields:
{"timestamp":"2021-01-07T09:54:05.324+0000","rule":{"level":3,"description":"ASA warning message.","id":"64004","firedtimes":1,"mail":false,"groups":["syslog","cisco","cisco-asa"]},"agent":{"id":"000","name":"server"},"manager":{"name":"server"},"id":"1610013245.61921","cluster":{"name":"wazuh","node":"master"},"full_log":"%ASA-4-106023: Deny tcp src outsid:x.x.x.x/2439 dst Inside:x.x.x.x/55736 by access-group \"outsid_access_in\" [0x0, 0x0]","decoder":{"parent":"cisco-asa","name":"cisco-asa"},"data":{"protocol":"tcp","action":"Deny","srcip":"x.x.x.x","srcport":"2439","dstip":"x.x.x.x","dstport":"55736","id":"4-106023"},"location":"/home/vagrant/logcollector/test.log"}

As far as I see, your alert does not have a 'data' field, which should have the required dstip and srcip, but the decoder is being properly grabbed as 'cisco-asa'. This situation would happen if the base decoder for cisco-asa events matches but the further decoders in charge of getting information fail. It is also really weird that logcollector gets all fields correctly. Let me ask a couple of questions so we can narrow down the problem:

- What version is the Wazuh manager running?
- Have you changed your decoders in any way? If so, remember that the manager needs to be restarted afterwards for those to take effect, it might be that logcollector is working with a change that has not been applied to the manager.
- How are you forwarding the log messages for analysis? Are you using the syslog functionality of the manager to ingest logs directly, or are you forwarding into an auxiliary log locally and using <localfile> to analyse that file instead?

Best regards,
Mauro.

YNWA

Jan 11, 2021, 1:29:42 AM
to Wazuh mailing list
Hi Mauro,
First of all, thanks for your support!

- It's 3.11.1
- I haven't changed any decoder
- I'm using the syslog functionality of the manager to ingest logs directly

 Thanks,
 YNWA.

mauro.e...@wazuh.com

Jan 18, 2021, 8:51:53 AM
to Wazuh mailing list
Sorry for the delay in the response,

I've been trying to use rsyslog to forward a message as similar as possible to the one your device might be sending, and I ran into some trouble until I found this page on how to configure a cisco asa device and got the idea to modify the format of the message sent so it doesn't include any header whatsoever. The forwarded message looks as follows:

%ASA-4-106023: Deny tcp src outsid:x.x.x.x/2439 dst Inside:x.x.x.x/55736 by access-group "outsid_access_in" [0x00x0]

And the generated alert has all the required fields:
{"timestamp":"2021-01-18T13:45:46.104+0000","rule":{"level":3,"description":"ASA warning message.","id":"64004","firedtimes":2,"mail":false,"groups":["syslog","cisco","cisco-asa"]},"agent":{"id":"000","name":"server"},"manager":{"name":"server"},"id":"1610977546.742322","cluster":{"name":"wazuh","node":"master"},"full_log":"%ASA-4-106023: Deny tcp src outsid:x.x.x.x/2439 dst Inside:x.x.x.x/55736 by access-group \"outsid_access_in\" [0x0, 0x0]\n","decoder":{"parent":"cisco-asa","name":"cisco-asa"},"data":{"protocol":"tcp","action":"Deny","srcip":"x.x.x.x","srcport":"2439","dstip":"x.x.x.x","dstport":"55736","id":"4-106023"},"location":"192.168.50.21"}

Notice how the full_log field does not have any timestamp or host information at the start of it. Could you try to reconfigure your device's syslog functionality so that the forwarded message is as raw as it can be?

Best regards,
Mauro.
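The following is an added illustration, not code from the thread or from Wazuh's ruleset. It models in Python `re` syntax the two capture steps of the `cisco-asa-fw3` decoder quoted in the Jan 5 reply (the real decoder uses OSSEC regex syntax, so this is an approximation of its behaviour, not the decoder itself) and the "raw message" point from the Jan 18 reply. It goes a step beyond the thread in one respect: instead of choosing between the port and port-less variants of the decoder, it tries the port form first and falls back to the port-less form, so ICMP and TCP/UDP messages both yield `srcip`/`dstip`. The sample lines, addresses (RFC 5737 documentation ranges) and the helper names `strip_syslog_header` and `decode_asa` are all constructed here.

```python
import re

# Constructed sample lines modelled on the messages quoted in this thread.
# Addresses are RFC 5737 documentation ranges, not the poster's real IPs.
SAMPLES = {
    "tcp_with_ports": (
        '%ASA-4-106023: Deny tcp src outsid:203.0.113.7/2439 '
        'dst Inside:192.0.2.10/55736 by access-group "outsid_access_in" [0x0, 0x0]'
    ),
    "icmp_no_ports": (
        '%ASA-4-106023: Deny icmp src outsid:203.0.113.7 '
        'dst Inside:192.0.2.10 (type 3, code 13) by access-group "outsid_access_in" [0x0, 0x0]'
    ),
    # Same TCP message, but with the syslog timestamp/host header seen in the
    # poster's full_log field in front of it.
    "with_syslog_header": (
        'Jan 05 2021 11:44:50 198.51.100.1 : %ASA-4-106023: Deny tcp src outsid:203.0.113.7/2439 '
        'dst Inside:192.0.2.10/55736 by access-group "outsid_access_in" [0x0, 0x0]'
    ),
}

# Step 1 (parent-level fields): the line must start with '%ASA-', i.e. be "raw".
ASA_HEAD = re.compile(r'^%ASA-(\S+): (\w+) (\w+) src \w+:(.*)$')
# Step 2a, default decoder: both endpoints written as ip/port.
WITH_PORTS = re.compile(r'^(\S+)/(\S+) dst \w+:(\S+)/(\S+)')
# Step 2b, the modified decoder from the reply above: no port on either side.
NO_PORTS = re.compile(r'^(\S+) dst \w+:(\S+)')


def strip_syslog_header(line):
    """Drop anything in front of '%ASA-' (timestamp, host, ' : ' separator)."""
    idx = line.find('%ASA-')
    return line if idx < 0 else line[idx:]


def decode_asa(line, accept_portless=True):
    """Return the fields a decoder modelled on cisco-asa-fw3 would extract.

    None means the parent pattern did not match at all. When the parent matches
    but no endpoint form matches, only id/action/protocol are returned, which is
    the 'alert without srcip/dstip' situation described in the thread.
    """
    m = ASA_HEAD.match(line)
    if not m:
        return None
    fields = {"id": m.group(1), "action": m.group(2), "protocol": m.group(3)}
    rest = m.group(4)

    m = WITH_PORTS.match(rest)
    if m:
        fields.update(srcip=m.group(1), srcport=m.group(2),
                      dstip=m.group(3), dstport=m.group(4))
        return fields

    if accept_portless:
        m = NO_PORTS.match(rest)
        if m:
            fields.update(srcip=m.group(1), dstip=m.group(2))
    return fields


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, "raw   ->", decode_asa(line))
        print(name, "strip ->", decode_asa(strip_syslog_header(line)))
```

Two things the output makes visible: with `accept_portless=False` (the default decoder as shipped) the ICMP line keeps only `id`, `action` and `protocol`, which is exactly the alert shape the original question complained about; and the header-prefixed line decodes only after `strip_syslog_header`, which is the reason for asking the device to send the message without a syslog header rather than patching the regex to tolerate one. Note that simply dropping the port groups, as in the modified decoder, would put `203.0.113.7/2439` into `srcip` for messages that do carry ports; trying the port form first avoids that.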