cisco decoder


G Gao

Nov 1, 2023, 5:44:17 PM11/1/23
to Wazuh | Mailing List
Hi,

I am using the 0064-cisco-asa_decoders.xml for my Cisco ASA. Today I just realized that one specific sibling decoder is not working as expected. This is what is in the original cisco-asa decoder:

<decoder name="cisco-asa">
    <prematch>%ASA-|\w\w\w \d\d \d\d\d\d \d\d:\d\d:\d\d: %ASA-</prematch>
</decoder>

<!--
%ASA-6-106015: Deny TCP (no connection) from 192.168.0.1/11 to 192.168.0.2/22 flags tcp_flags on interface interface_name
-->
<decoder name="cisco-asa-fw6">
  <parent>cisco-asa</parent>
  <prematch offset="after_parent">6-106015</prematch>
  <regex offset="after_parent">(\w+): (\w+) (\w+) \.+ from (\S+)/(\S+) to (\S+)/(\S+) flags (\S+) on interface (\S+)</regex>
  <order>id, action, protocol, srcip, srcport, dstip, dstport, flags, interface</order>
</decoder>

my log file from cisco asa is:
Nov 01 2023 15:50:23: %ASA-6-106015: Deny TCP (no connection) from 10.50.20.XX/39204 to 8.XX.XX.1/443 flags RST  on interface inside

the decoder result is:

**Messages:
WARNING: (7003): '89b81e6f' token expires
INFO: (7202): Session initialized with token 'c2481d76'

**Phase 1: Completed pre-decoding.
full event: 'Nov 01 2023 15:50:23: %ASA-6-106015: Deny TCP (no connection) from 10.50.20.XX/39204 to 8.XX.XX.1/443 flags RST on interface inside'

**Phase 2: Completed decoding.
name: 'cisco-asa'
parent: 'cisco-asa'

**Phase 3: Completed filtering (rules).
id: '100002'
level: '3'
description: 'Raw JSON event Cisco - '
groups: '["local"]'
firedtimes: '1'
mail: 'false'

**Alert to be generated.

So the decoder is not decoding %ASA-6-106015 properly, but it seems "most" of the other sibling decoders are working fine.

What am I missing here?


Fabian Ruiz

Nov 1, 2023, 8:20:47 PM11/1/23
to Wazuh | Mailing List
Hi G Gao

In your case the log you sent has a problem: there is an extra space between the RST flag and "on interface inside", which causes the regex that parses the log not to match in the decoder:

Incorrect:

Nov 01 2023 15:50:23: %ASA-6-106015: Deny TCP (no connection) from 10.50.20.XX/39204 to 8.XX.XX.1/443 flags RST  on interface inside

Correct:

Nov 01 2023 15:50:23: %ASA-6-106015: Deny TCP (no connection) from 10.50.20.XX/39204 to 8.XX.XX.1/443 flags RST on interface inside

After making this change, the ruleset test generates a good match with the log:

**Phase 1: Completed pre-decoding.
full event: 'Nov 01 2023 15:50:23: %ASA-6-106015: Deny TCP (no connection) from 10.50.20.XX/39204 to 8.XX.XX.1/443 flags RST on interface inside'

**Phase 2: Completed decoding.
name: 'cisco-asa'
parent: 'cisco-asa'
action: 'Deny'
dstip: '8.XX.XX.1'
dstport: '443'
flags: 'RST'
id: '6-106015'
interface: 'inside'
protocol: 'TCP'
srcip: '10.50.20.XX'
srcport: '39204'


**Phase 3: Completed filtering (rules).
id: '64005'
level: '0'
description: 'ASA notification/informational message.'
groups: '["syslog","cisco","cisco-asa"]'
firedtimes: '6'
mail: 'false'

Thanks for using Wazuh,
Regards.

G Gao

Nov 2, 2023, 12:01:15 PM11/2/23
to Wazuh | Mailing List
Thank you very much for the quick response. It is indeed something simple I missed.

G Gao

Nov 2, 2023, 12:45:18 PM11/2/23
to Wazuh | Mailing List
Actually, I have another question. Today I found that there appears to be another log format under the same ID from the Cisco ASA, like the following:

Nov 02 2023 12:03:45: %ASA-6-302015: Built inbound UDP connection 388058449 for outside:10.50.100.40/55287 (XXX.XXX.XXX.98/55287)(LOCAL\LLLL.g) to outside:75.75.76.76/53 (75.75.76.76/53) (LLLL.g)

So this format is different from the first one I had. How do I capture two different log formats that have the same prematch condition?

Thank you.

G Gao

Nov 2, 2023, 2:50:16 PM11/2/23
to Wazuh | Mailing List
My apologies, I meant to say that for a different ASA log ID, 6-302015, I have two different formats:

Nov 02 2023 14:37:00: %ASA-6-302015: Built outbound UDP connection 388261780 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.50.0.72/56498 ( XXX.XXX.XXX  .98/56498)

and

Nov 02 2023 12:03:45: %ASA-6-302015: Built inbound UDP connection 388058449 for outside:10.50.100.40/55287 (XXX.XXX.XXX.98/55287)(LOCAL\LLLL.g) to outside:75.75.76.76/53 (75.75.76.76/53) (LLLL.g) 

I modified the following in the cisco-asa decoder for the first example, but how do I do another one for the second example? They have the same prematch condition, 6-302015.

<decoder name="cisco-asa-built-connection">
  <parent>cisco-asa</parent>
  <prematch offset="after_parent">6-302015</prematch>
  <regex offset="after_parent">(\w+): (\.+) (\d+) for (\S+):(\S+)/(\S+) \p(\S+)/(\S+)\p to (\S+):(\S+)/(\S+) \p(\S+)/(\S+)\p</regex>
  <order>id, description, connection, src, src_ip, src_port, mapped_src_ip, mapped_src_port, dst, dst_ip, dst_port, mapped_dst_ip, mapped_dst_port</order>
</decoder>

thank you.

G Gao

Nov 3, 2023, 7:11:27 PM11/3/23
to Wazuh | Mailing List
Just an update.

I've solved my problem by making the prematch more specific to the entire log structure and adjusting the child decoder to fit each of the scenarios.

Fabian Ruiz

Nov 4, 2023, 9:31:48 PM11/4/23
to Wazuh | Mailing List
Hi G Gao,

I am sorry for my late reply. I understand that you solved your problem; if you have any more questions, let me know.

Regards.
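Added example, not code from this thread or from the Wazuh ruleset: a small Python harness that approximates how the cisco-asa child decoders are applied, so both problems discussed above can be reproduced offline without an ASA or a Wazuh manager. It reproduces the double-space failure of cisco-asa-fw6 (and a whitespace-tolerant variant using `\s+`), and it shows how a prematch that pins the whole 6-302015 structure lets a second sibling decoder pick up the format that carries an identity suffix, while the generic decoder keeps the plain one. Assumptions: the OSSEC-to-Python translation only covers the character classes used in the thread; Python's backtracking regex engine stands in for Wazuh's simpler engine; sibling selection is modelled as "first prematch hit wins, and a failed regex leaves only the parent's fields"; the decoder name `cisco-asa-built-connection-user`, the user `jdoe` and the 203.0.113.0/24 addresses in the sample events are constructed. Confirm any real decoder with `wazuh-logtest`.

```python
"""Offline approximation of how Wazuh applies the cisco-asa child decoders."""
import re

# os_regex character classes (Wazuh/OSSEC dialect) mapped to Python re.
OSSEC_CLASSES = {
    "w": r"[A-Za-z0-9_@-]",                       # \w letters, digits, - @ _
    "d": r"[0-9]",                                # \d
    "s": r" ",                                    # \s one space
    "t": r"\t",                                   # \t
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""",   # \p punctuation
    ".": r".",                                    # \. any character
    "W": r"[^A-Za-z0-9_@-]",
    "D": r"[^0-9]",
    "S": r"[^ ]",
}
PASSTHROUGH = set("()+*^$|")   # grouping, quantifiers, anchors, alternation


def ossec_to_python(pattern):
    """Translate the subset of OSSEC regex syntax used in the thread to Python re."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern):
            out.append(OSSEC_CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        else:
            out.append(pattern[i] if pattern[i] in PASSTHROUGH else re.escape(pattern[i]))
            i += 1
    return "".join(out)


PARENT_PREMATCH = r"%ASA-|\w\w\w \d\d \d\d\d\d \d\d:\d\d:\d\d: %ASA-"   # cisco-asa parent


def decode(children, log):
    """children: list of (name, prematch, regex, order), all offset="after_parent".
    Simplification used here: the first sibling whose prematch matches is chosen; if
    its regex then fails, only the parent's fields survive and no later sibling is
    tried. Verify the real behaviour with wazuh-logtest."""
    parent = re.search(ossec_to_python(PARENT_PREMATCH), log)
    if parent is None:
        return None
    rest = log[parent.end():]                      # text after the parent prematch
    fields = {"decoder": "cisco-asa"}
    for name, prematch, regex, order in children:
        if re.search(ossec_to_python(prematch), rest) is None:
            continue
        m = re.search(ossec_to_python(regex), rest)
        if m is not None:
            fields["child"] = name
            fields.update(zip(order, m.groups()))
        return fields
    return fields


# 106015: the stock regex from the thread, and a variant whose \s+ absorbs extra spaces.
FW6_ORDER = ["id", "action", "protocol", "srcip", "srcport", "dstip", "dstport", "flags", "interface"]
FW6_STOCK = [("cisco-asa-fw6", "6-106015",
              r"(\w+): (\w+) (\w+) \.+ from (\S+)/(\S+) to (\S+)/(\S+) flags (\S+) on interface (\S+)", FW6_ORDER)]
FW6_TOLERANT = [("cisco-asa-fw6", "6-106015",
                 r"(\w+): (\w+) (\w+) \.+ from (\S+)/(\S+) to (\S+)/(\S+) flags (\S+)\s+on interface (\S+)", FW6_ORDER)]

# 302015: two formats, told apart by a prematch that pins the whole structure.
CONN_ORDER = ["id", "description", "connection", "src", "src_ip", "src_port",
              "mapped_src_ip", "mapped_src_port", "dst", "dst_ip", "dst_port",
              "mapped_dst_ip", "mapped_dst_port"]
CONN_GENERIC = ("cisco-asa-built-connection", "6-302015",        # as posted in the thread
                r"(\w+): (\.+) (\d+) for (\S+):(\S+)/(\S+) \p(\S+)/(\S+)\p to (\S+):(\S+)/(\S+) \p(\S+)/(\S+)\p",
                CONN_ORDER)
CONN_WITH_USER = ("cisco-asa-built-connection-user",              # hypothetical sibling
                  # prematch demands ")(" right after the mapped source, i.e. an identity suffix
                  r"6-302015: Built \w+ \w+ connection \d+ for \S+:\S+/\S+ \p\S+/\S+\p\p",
                  r"(\w+): (\.+) (\d+) for (\S+):(\S+)/(\S+) \p(\S+)/(\S+)\p\p(\S+)\p to "
                  r"(\S+):(\S+)/(\S+) \p(\S+)/(\S+)\p \p(\S+)\p",
                  CONN_ORDER[:8] + ["src_user"] + CONN_ORDER[8:] + ["dst_user"])

# Constructed sample events modelled on the thread (placeholder hosts, user "jdoe").
LOG_FW6_DOUBLE_SPACE = ("Nov 01 2023 15:50:23: %ASA-6-106015: Deny TCP (no connection) "
                        "from 10.50.20.11/39204 to 203.0.113.1/443 flags RST  on interface inside")
LOG_FW6_SINGLE_SPACE = LOG_FW6_DOUBLE_SPACE.replace("RST  on", "RST on")
LOG_CONN_PLAIN = ("Nov 02 2023 14:37:00: %ASA-6-302015: Built outbound UDP connection 388261780 "
                  "for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.50.0.72/56498 (203.0.113.98/56498)")
LOG_CONN_USER = ("Nov 02 2023 12:03:45: %ASA-6-302015: Built inbound UDP connection 388058449 "
                 "for outside:10.50.100.40/55287 (203.0.113.98/55287)(LOCAL\\jdoe) "
                 "to outside:75.75.76.76/53 (75.75.76.76/53) (jdoe)")

if __name__ == "__main__":
    print("stock fw6, double space :", decode(FW6_STOCK, LOG_FW6_DOUBLE_SPACE))
    print("stock fw6, single space :", decode(FW6_STOCK, LOG_FW6_SINGLE_SPACE))
    print("tolerant fw6, double    :", decode(FW6_TOLERANT, LOG_FW6_DOUBLE_SPACE))
    print("specific first, user    :", decode([CONN_WITH_USER, CONN_GENERIC], LOG_CONN_USER))
    print("specific first, plain   :", decode([CONN_WITH_USER, CONN_GENERIC], LOG_CONN_PLAIN))
    print("generic first, user     :", decode([CONN_GENERIC, CONN_WITH_USER], LOG_CONN_USER)["mapped_src_port"])
```

The last line of the demo is the one to pay attention to: if the generic 6-302015 decoder is listed before the more specific one, its prematch also hits the identity format and the `(\S+)` for `mapped_src_port` swallows `)(LOCAL\jdoe`, so the event decodes "successfully" with a polluted field rather than failing. Order the siblings most specific first, and test every format you expect with `wazuh-logtest`.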