ASA Decoder
214 views
Skip to first unread message
TUKARAM GAONKAR
Aug 4, 2021, 1:03:16 PM8/4/21
to Wazuh mailing list
Dear Team,
I have created the below decoder for the ASA log but it won't work. Please help me to decode.
<decoder name="cisco-Custom_asa">
<prematch>^%FTD-session</prematch>
</decoder>
<decoder name="cisco-asa-filter">
<parent>cisco-Custom_asa</parent>
<prematch offset="after_parent">-2-4545613</prematch>
<regex offset="after_parent">(\w+): (\.+) (\d+) for (\S+):(\S+)/(\S+) \p(\S+)/(\S+)\p to (\S+):(\S+)/(\S+) \p(\S+)/(\S+)\p</regex>
<order>id, description, connection, src, srcip, srcport, mapped_srcip, mapped_srcport, dst, dstip, dstport, mapped_dstip, mapped_dstport</order>
</decoder>
Log To test ::
:jan 04 15:18:10 UTC: %FTD-session-2-4545613: Built inbound TCP connection 34566777 for outside:1.2.3.4/23456 (2.2.2.2/123) to inside:4.4.4.4/768 (5.6.7.8/778)
<decoder name="cisco-Custom_asa">
<prematch>^%FTD-session</prematch>
</decoder>
<decoder name="cisco-asa-filter">
<parent>cisco-Custom_asa</parent>
<prematch offset="after_parent">-2-4545613</prematch>
<regex offset="after_parent">(\w+): (\.+) (\d+) for (\S+):(\S+)/(\S+) \p(\S+)/(\S+)\p to (\S+):(\S+)/(\S+) \p(\S+)/(\S+)\p</regex>
<order>id, description, connection, src, srcip, srcport, mapped_srcip, mapped_srcport, dst, dstip, dstport, mapped_dstip, mapped_dstport</order>
</decoder>
Log To test ::
:jan 04 15:18:10 UTC: %FTD-session-2-4545613: Built inbound TCP connection 34566777 for outside:1.2.3.4/23456 (2.2.2.2/123) to inside:4.4.4.4/768 (5.6.7.8/778)
Warm Regards,
Tukaram Gaonkar
Bin Do Tuan Anh
Aug 4, 2021, 1:56:29 PM8/4/21
to Wazuh mailing list
Hi,
</decoder>
<decoder name="cisco-asa-filter">
<parent>cisco-Custom_asa</parent>
<prematch offset="after_parent">-2-4545613</prematch>
<regex offset="after_parent">(\w+): (\.+) (\d+) for (\S+):(\S+)/(\S+) \p(\S+)/(\S+)\p to (\S+):(\S+)/(\S+) \p(\S+)/(\S+)\p</regex>
<order>id, description, connection, src, srcip, srcport, mapped_srcip, mapped_srcport, dst, dstip, dstport, mapped_dstip, mapped_dstport</order>
</decoder>
Please let me know what is the log that you have? Is start with the symbol - ": "? Or it suppose to start with "jan". If it is started with "jan" the log can be catch by our default decoder.
In case it starts with ":" you will need to make some changes in your decoder. In the parent decoder please in the <prematch> section please remove the symbol "^" since the log will not start with "%FTD-session". The full decoder will look like this:
<decoder name="cisco-Custom_asa">
<prematch>%FTD-session</prematch>
<prematch>%FTD-session</prematch>
</decoder>
<decoder name="cisco-asa-filter">
<parent>cisco-Custom_asa</parent>
<prematch offset="after_parent">-2-4545613</prematch>
<regex offset="after_parent">(\w+): (\.+) (\d+) for (\S+):(\S+)/(\S+) \p(\S+)/(\S+)\p to (\S+):(\S+)/(\S+) \p(\S+)/(\S+)\p</regex>
<order>id, description, connection, src, srcip, srcport, mapped_srcip, mapped_srcport, dst, dstip, dstport, mapped_dstip, mapped_dstport</order>
</decoder>
Please let me know if you have any questions or if the issue persists.
Best regards,
Bin.
TUKARAM GAONKAR
Aug 5, 2021, 5:32:29 AM8/5/21
to Bin Do Tuan Anh, Wazuh mailing list
Hi Ben .
Logs start with
":" . I have done changes mentioned by you and its works.
For the below log I have done changes in the trail mail ASA decoder. But it not works. Can you help me to resolve this?
Logs to Test -
:Aug 05 06:17:31 UTC: %FTD--4-419002: Duplicate TCP SYN from outside:1.1.1.1/2 to inside:2.2.2.2/2 with different initial sequence number
<decoder name="cisco-Custom_asa">
<prematch>%FTD-session-|%FTD--</prematch>
</decoder>
<decoder name="cisco-asa-filter2">
<parent>cisco-Custom_asa</parent>
<prematch offset="after_parent">4-419002</prematch>
<regex offset="after_parent">(\w+): (\.+) from (\S+):(\S+)/(\S+) to (\S+):(\S+)/(\S+) with different initial sequence number</regex>
<order>id, description, src, src_ip, src_port, dst, dst_ip, dst_port</order>
</decoder>
<prematch>%FTD-session-|%FTD--</prematch>
</decoder>
<decoder name="cisco-asa-filter2">
<parent>cisco-Custom_asa</parent>
<prematch offset="after_parent">4-419002</prematch>
<regex offset="after_parent">(\w+): (\.+) from (\S+):(\S+)/(\S+) to (\S+):(\S+)/(\S+) with different initial sequence number</regex>
<order>id, description, src, src_ip, src_port, dst, dst_ip, dst_port</order>
</decoder>
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/1fc94b53-e37f-489d-be5f-4a80603d8747n%40googlegroups.com.
Bin Do Tuan Anh
Aug 5, 2021, 10:07:00 AM8/5/21
to Wazuh mailing list
Hi,
Can you please let me know what does not work in your case? I made a test on my environment and everything works well. I copy and paste your logs without any changes, and run the test with the logs you have shared with me - all the fields got decoded.
Best regards,
Bin.
TUKARAM GAONKAR
Aug 6, 2021, 8:29:17 AM8/6/21
to Bin Do Tuan Anh, Wazuh mailing list
child decoder "
cisco-asa-filter2 "does not work correctly . I am not getting filed as per order. Only showing it decoded under " cisco-Custom_asa ".
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/10783f5a-cb5f-4721-8579-6d5f487a8f6an%40googlegroups.com.
Bin Do Tuan Anh
Aug 6, 2021, 9:30:05 AM8/6/21
to Wazuh mailing list
Hi,
I have it decoded this way:
decoder: 'cisco-Custom_asa'
id: '4-419002'
description: 'Duplicate TCP SYN'
src: 'outside'
src_ip: '1.1.1.1'
src_port: '2'
dst: 'inside'
dst_ip: '2.2.2.2'
dst_port: '2'
As I can see all the fields are the same as you have here: <order>id, description, src, src_ip, src_port, dst, dst_ip, dst_port</order> (from cisco-asa-filter2). The parent decoder will always that one that is displayed as the decoded one but not the child one.
Please let me know if I have answered your question.
Best regards,
Bin.
Reply all
Reply to author
Forward
0 new messages