Cisco Asa custom decoder


Mark Rafa

Mar 31, 2021, 3:06:46 PM
to Wazuh mailing list
Hi everybody,

I hope someone can help me; I cannot come up with a solution.
I am trying to decode %ASA-5-722033 syslog ID logs.
I have created a custom decoder, which is below:

<decoder name="cisco-asa-vpn">
  <parent>cisco-asa</parent>
  <prematch offset="after_parent">5-722033</prematch>
  <regex offset="after_parent">(\w+): Group (\S+) User (\S+) IP (\S+) (\.+)</regex>
  <order>id,group,username,src_ip,description</order>
</decoder>

When I test my decoder, the log is decoded as cisco-asa. I want it to be decoded as cisco-asa-vpn, which I have created.

A sample log is:

Mar 31 2021 17:39:05: %ASA-5-722033: Group <xxx_xxx> User <xxx-xxxxx> IP <x.x.x.x> First TCP SVC connection established for SVC session.

My rule is:

<group name="syslog, cisco, cisco-asa">
  <rule id="100005" level="3">
    <if_sid>64005</if_sid>
    <id>^5-722033</id>
    <description>ASA: First SVC connection established for SVC session.</description>
  </rule>
</group>

The purpose is to decode the username and then create an alert where username is a field, so I can create a dashboard based on the VPN users.

I really appreciate any support!
Regards,

Miguel Angel Cazajous

Mar 31, 2021, 10:31:31 PM
to Wazuh mailing list
Hello Mark! Apologies for the late response.

I was able to reproduce your issue, and it seems that your decoder is not matching the log you are providing. You can see that after "Group" there's no match.

**Phase 1: Completed pre-decoding.
    full event: 'Mar 31 2021 17:39:05: %ASA-5-722033: Group <xxx_xxx> User <xxx-xxxxx> IP <x.x.x.x> First TCP SVC connection established for SVC session.'

**Phase 2: Completed decoding.
    name: 'cisco-asa'
    parent: 'cisco-asa'
    id: '5-722033'

**Phase 3: Completed filtering (rules).
    id: '64005'
    level: '0'
    description: 'ASA notification/informational message.'
    groups: '['syslog', 'cisco', 'cisco-asa']'
    firedtimes: '1'
    mail: 'False'

I will keep looking into this and discuss with the team in case something is causing it beyond your configuration. I found that the decoders below are not responding as I expected.

https://github.com/wazuh/wazuh/blob/master/ruleset/decoders/0064-cisco-asa_decoders.xml

Thank you for contacting us and letting us know about your concerns.

Mark Rafa

Apr 1, 2021, 4:32:51 AM
to Wazuh mailing list
Hello Miguel,

Thanks a lot.
Waiting for your response.

Regards,

On Thursday, 1 April 2021 at 05:31:31 UTC+3, miguel....@wazuh.com wrote:

Miguel Angel Cazajous

Apr 5, 2021, 3:37:16 PM
to Wazuh mailing list
Hello Mark! Hope you're doing well.

I have good news.

As I commented before, I was noticing the same issue with other log examples.

The solution to that is to add this option, so you can see the child decoder name.

https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html#use-own-name

But also, there was something about the regex that was not capturing anything after "Group". I thought there was something else beyond your configuration in that case.

And, in fact, that's because, in the default decoder file I mentioned before,

https://github.com/wazuh/wazuh/blob/master/ruleset/decoders/0064-cisco-asa_decoders.xml

the generic decoder was capturing your log. And there was nothing left to be captured by your decoder.

The solution

From this section of the documentation.

https://documentation.wazuh.com/current/user-manual/ruleset/custom.html#changing-an-existing-decoder

we can exclude the default decoders. Basically, you must include this line in the ossec.conf file:

<decoder_exclude>ruleset/decoders/0064-cisco-asa_decoders.xml</decoder_exclude>

inside <ruleset></ruleset>.

Now, copy the /var/ossec/ruleset/decoders/0064-cisco-asa_decoders.xml file into the /var/ossec/etc/decoders directory.

And right before the generic decoder, add yours, so the log will be captured first by your decoder.

The motivation for doing this is that any modification to the files in the /var/ossec/ruleset/decoders/ directory will be lost after an update.

Complete configuration:

<decoder name="cisco-asa-vpn">
  <parent>cisco-asa</parent>
  <prematch offset="after_parent">5-722033</prematch>
  <regex offset="after_parent">(\w+): Group (\S+) User (\S+) IP (\S+) (\.+)</regex>
  <order>id,group,username,src_ip,description</order>
  <use_own_name>true</use_own_name>
</decoder>

<decoder name="cisco-asa-generic">
  <parent>cisco-asa</parent>
  <prematch>%ASA-\d-\d+</prematch>
  <regex>%ASA-(\d-\d+):</regex>
  <order>id</order>
</decoder>

Notice your configuration before cisco-asa-generic and the addition of the option <use_own_name>true</use_own_name>.

The result:

Mar 31 2021 17:39:05: %ASA-5-722033: Group <xxx_xxx> User <xxx-xxxxx> IP <x.x.x.x> First TCP SVC connection established for SVC session.

**Phase 1: Completed pre-decoding.
    full event: 'Mar 31 2021 17:39:05: %ASA-5-722033: Group <xxx_xxx> User <xxx-xxxxx> IP <x.x.x.x> First TCP SVC connection established for SVC session.'

**Phase 2: Completed decoding.
    name: 'cisco-asa-vpn'
    parent: 'cisco-asa'
    description: 'First TCP SVC connection established for SVC session.'
    group: '<xxx_xxx>'
    id: '5-722033'
    src_ip: '<x.x.x.x>'
    username: '<xxx-xxxxx>'


**Phase 3: Completed filtering (rules).
    id: '100010'
    level: '0'
    description: 'User logged'
    groups: '['local', 'syslog', 'sshd']'
    firedtimes: '1'
    mail: 'False'

Special thanks to Julian Morales for helping with this. I hope this was useful for you, have a great day!
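To make the ordering point concrete, the following is an added example, not code from the thread or from Wazuh itself. It is a simplified Python model of how sibling child decoders are tried (assumption: the first sibling whose prematch matches wins, and offset="after_parent" means matching starts where the parent's prematch ended; the parent cisco-asa decoder is assumed to key on the "%ASA-" prefix). It also translates the small subset of Wazuh OS_Regex syntax used here, where \w also matches '-', '@' and '_' (which is why (\w+): captures 5-722033) and \. means any character.

```python
import re

# Constructed copy of the sample log from the thread (placeholder values, not real data).
SAMPLE_LOG = ("Mar 31 2021 17:39:05: %ASA-5-722033: Group <xxx_xxx> User <xxx-xxxxx> "
              "IP <x.x.x.x> First TCP SVC connection established for SVC session.")

def os_regex_to_py(pattern):
    """Translate the subset of Wazuh OS_Regex syntax used in this thread to Python re.
    OS_Regex '\\w' also matches '-', '@', '_'; '\\.' means any character."""
    return pattern.replace(r"\w", r"[A-Za-z0-9@_\-]").replace(r"\.", ".")

def run_decoder(dec, log, parent_end):
    """Apply one child decoder. Returns the captured fields, or None if the
    prematch fails. Assumption: offset="after_parent" starts matching at
    the position where the parent's prematch ended."""
    start = parent_end if dec.get("prematch_offset") == "after_parent" else 0
    if not re.search(os_regex_to_py(dec["prematch"]), log[start:]):
        return None
    start = parent_end if dec.get("regex_offset") == "after_parent" else 0
    m = re.search(os_regex_to_py(dec["regex"]), log[start:])
    return dict(zip(dec["order"], m.groups())) if m else {}

def decode(log, parent, children):
    """Simplified Wazuh behaviour: the first sibling whose prematch matches wins.
    The reported decoder name is the parent's unless use_own_name is set."""
    pm = re.search(os_regex_to_py(parent["prematch"]), log)
    if not pm:
        return None, {}
    for dec in children:
        fields = run_decoder(dec, log, pm.end())
        if fields is not None:
            name = dec["name"] if dec.get("use_own_name") else parent["name"]
            return name, fields
    return parent["name"], {}

# Assumed parent decoder: keys on the "%ASA-" prefix of every ASA message.
CISCO_ASA = {"name": "cisco-asa", "prematch": r"%ASA-"}
# The two child decoders from the thread, expressed as dicts.
VPN = {"name": "cisco-asa-vpn", "prematch": "5-722033", "prematch_offset": "after_parent",
       "regex": r"(\w+): Group (\S+) User (\S+) IP (\S+) (\.+)", "regex_offset": "after_parent",
       "order": ["id", "group", "username", "src_ip", "description"], "use_own_name": True}
GENERIC = {"name": "cisco-asa-generic", "prematch": r"%ASA-\d-\d+",
           "regex": r"%ASA-(\d-\d+):", "order": ["id"]}

if __name__ == "__main__":
    # Generic first (stock order): only 'id' is extracted and the name stays 'cisco-asa'.
    print(decode(SAMPLE_LOG, CISCO_ASA, [GENERIC, VPN]))
    # Custom decoder first (the fix): all fields are extracted under 'cisco-asa-vpn'.
    print(decode(SAMPLE_LOG, CISCO_ASA, [VPN, GENERIC]))
```

Note that \S+ keeps the angle brackets around the values, exactly as in the decoder test output above; a rule matching on username must account for them.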

Mark Rafa

Apr 8, 2021, 4:52:36 AM
to Wazuh mailing list
Hello Miguel,

It works!
Thanks a lot for your effort.
Special thanks to Julian Morales!

Regards,

On Monday, 5 April 2021 at 22:37:16 UTC+3, miguel....@wazuh.com wrote:

Miguel Angel Cazajous

Apr 8, 2021, 4:44:55 PM
to Wazuh mailing list
Glad to know that!

Regards, have a great day!