Closed andrewkroh closed 5 years ago
Pinging @elastic/secops
Here's a CSV file with the messages extracted from the web docs using a custom scraper. I've tried to also extract the parameters in the hopes of creating a pipeline generator out of it, but the format on Cisco's website is inconsistent at best.
I forgot to link these ones (already partially mapped to ECS fields):
338001,4,"%ASA-4-338001: Dynamic filter {action} blacklisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) source {} resolved from {cisco.asa.list_id} list: {source.domain}, threat-level:{level_value,} category:{category_name}"
338002,4,"%ASA-4-338002: Dynamic filter {action} blacklisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) destination {} resolved from {cisco.asa.list_id} list: {destination.domain}, threat-level:{level_value,} category:{category_name}"
338003,4,"%ASA-4-338003: Dynamic filter {action} blacklisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) source {} resolved from {cisco.asa.list_id} list: {ip address/netmask,} threat-level:{level_value,} category:{category_name}"
338004,4,"%ASA-4-338004: Dynamic filter {action} blacklisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) destination {} resolved from {cisco.asa.list_id} list: {ip address/netmask,} threat-level:{level_value,} category:{category_name}"
338005,4,"%ASA-4-338005: Dynamic filter {action} blacklisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) source {} resolved from {cisco.asa.list_id} list: {source.domain}, threat-level:{level_value,} category:{category_name}"
338006,4,"%ASA-4-338006: Dynamic filter {action} blacklisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) destination {} resolved from {cisco.asa.list_id} list: {destination.domain}, threat-level:{level_value,} category:{category_name}"
338007,4,"%ASA-4-338007: Dynamic filter {action} blacklisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) source {} resolved from {cisco.asa.list_id} list: {ip address/netmask,} threat-level:{level_value,} category:{category_name}"
338008,4,"%ASA-4-338008: Dynamic filter {action} blacklisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) destination {} resolved from {cisco.asa.list_id} list: {ip address/netmask,} threat-level:{level_value,} category:{category_name}"
338101,4,"%ASA-4-338101: Dynamic filter {action} whitelisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) source {} resolved from {cisco.asa.list_id} list: {source.domain}"
338102,4,"%ASA-4-338102: Dynamic filter {action} whitelisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) destination {} resolved from {cisco.asa.list_id} list: {destination.domain}"
338103,4,"%ASA-4-338103: Dynamic filter {action} whitelisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) source {} resolved from {cisco.asa.list_id} list: {ip address/netmask}"
338104,4,"%ASA-4-338104: Dynamic filter {action} whitelisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) destination {} resolved from {cisco.asa.list_id} list: {ip address/netmask}"
338201,4,"%ASA-4-338201: Dynamic filter {action} greylisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) source {} resolved from {cisco.asa.list_id} list: {source.domain}, threat-level:{cisco.asa.threat_level}, category:{cisco.asa.threat_category}"
338202,4,"%ASA-4-338202: Dynamic filter {action} greylisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) destination {} resolved from {cisco.asa.list_id} list: {destination.domain}, threat-level:{cisco.asa.threat_level}, category:{cisco.asa.threat_category}"
338203,4,"%ASA-4-338203: Dynamic filter {action} greylisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) source {} resolved from {cisco.asa.list_id} list: {source.domain}, threat-level:{cisco.asa.threat_level}, category:{cisco.asa.threat_category}"
338204,4,"%ASA-4-338204: Dynamic filter {action} greylisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) destination {} resolved from {cisco.asa.list_id} list: {destination.domain}, threat-level:{cisco.asa.threat_level}, category:{cisco.asa.threat_category}"
I found samples for a few of these.
%ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (209.165.201.1/7890) to outside:209.165.202.129/80 (209.165.202.129/80), destination 209.165.202.129 resolved from dynamic list: bad.example.com
https://www.cisco.com/c/en/us/td/docs/security/asa/special/botnet/guide/asa-botnet.html
%ASA-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/0 (10.2.1.1/0) to outsidet:x.x.x.x/0 (x.x.x.x/0), destination x.x.x.x resolved from dynamic list: x.x.x.x/255.255.255.255, threat-level: very-high, category: Malware
https://quickview.cloudapps.cisco.com/quickview/bug/CSCtg14750
%ASA-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/0 (10.2.1.1/0) to outsidet:x.x.x.x/0 (x.x.x.x/0), destination x.x.x.x resolved from dynamic list: x.x.x.x/255.255.255.255, threat-level: very-high, category: Malware
https://quickview.cloudapps.cisco.com/quickview/bug/CSCtg14750
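As an added example (not code from the Beats module or from anyone in this thread), a Python parser for the %ASA-4-338xxx Dynamic Filter family, built from the templates and the samples quoted above: it maps a line to the cisco.asa.* and source/destination field names used in the templates, handles the domain versus ip/netmask list entries and the optional threat-level tail. The event.code and event.action names and the cisco.asa.list_entry field are assumptions, not names from the page.

```python
import re

# Added example, not Beats code. Regex for the %ASA-4-338xxx "Dynamic Filter" family,
# written from the templates and samples in this thread. The threat-level/category tail is
# optional (whitelisted 3381xx omit it); the comma after the mapped destination is optional too.
DYNAMIC_FILTER_RE = re.compile(
    r"^%ASA-(?P<severity>\d)-(?P<id>338\d{3}): Dynamic Filter (?P<action>\w+) "
    r"(?P<list_type>black ?listed|white ?listed|grey ?listed) (?P<transport>\w+) "
    r"traffic from (?P<src_if>[^:\s]+):(?P<src_ip>\S+)/(?P<src_port>\d+) "
    r"\((?P<msrc_ip>\S+)/(?P<msrc_port>\d+)\) to "
    r"(?P<dst_if>[^:\s]+):(?P<dst_ip>\S+)/(?P<dst_port>\d+) "
    r"\((?P<mdst_ip>\S+)/(?P<mdst_port>\d+)\),? "
    r"(?P<side>source|destination) (?P<resolved_ip>\S+) resolved from "
    r"(?P<list_id>\S+) list: (?P<entry>[^,]+)"
    r"(?:, threat-level: ?(?P<level>[\w-]+), category: ?(?P<category>.+))?$"
)
# Sample line quoted from the thread (the Cisco botnet guide example).
SAMPLE = "%ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (209.165.201.1/7890) to outside:209.165.202.129/80 (209.165.202.129/80), destination 209.165.202.129 resolved from dynamic list: bad.example.com"


def parse_dynamic_filter(line):
    m = DYNAMIC_FILTER_RE.match(line.strip())
    if not m:
        return None  # not in this family; leave it to other patterns
    g = m.groupdict()
    event = {
        "event.code": g["id"],        # assumption: ECS names not used on the page
        "event.action": g["action"],  # permitted / monitored / dropped
        "network.transport": g["transport"].lower(),
        "cisco.asa.source_interface": g["src_if"],
        "source.ip": g["src_ip"],
        "source.port": int(g["src_port"]),
        "cisco.asa.mapped_source_ip": g["msrc_ip"],
        "cisco.asa.mapped_source_port": int(g["msrc_port"]),
        "cisco.asa.destination_interface": g["dst_if"],
        "destination.ip": g["dst_ip"],
        "destination.port": int(g["dst_port"]),
        "cisco.asa.mapped_destination_ip": g["mdst_ip"],
        "cisco.asa.mapped_destination_port": int(g["mdst_port"]),
        "cisco.asa.list_id": g["list_id"],
    }
    entry = g["entry"].strip()
    if "/" in entry:  # "ip address/netmask" list entry (e.g. 338003/338004)
        event["cisco.asa.list_entry"] = entry  # assumption: no field on the page for this
    else:             # domain entry: {source.domain} or {destination.domain}
        event[g["side"] + ".domain"] = entry
    if g["level"]:    # only blacklisted/greylisted messages carry these
        event["cisco.asa.threat_level"] = g["level"]
        event["cisco.asa.threat_category"] = g["category"].strip()
    return event
```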
As a user I'd like to be able to easily ingest syslog data coming from a Cisco ASA device. In particular I'm interested in log messages related to firewall activity (access-list deny/allow, spoofing detected, etc.).
Cisco publishes the format of their syslog messages on their website.
We should define a list of message IDs that we want included in the first version of the module.
%ASA-2-106001: Inbound TCP connection denied from IP_address/port to IP_address/port flags tcp_flags on interface interface_name
%ASA-2-106006: Deny inbound UDP from outside_address/outside_port to inside_address/inside_port on interface interface_name.
%ASA-2-106007: Deny inbound UDP from outside_address/outside_port to inside_address/inside_port due to DNS {Response|Query}.
%ASA-3-106010: Deny inbound protocol src [interface_name : source_address/source_port ] [([idfw_user | FQDN_string ], sg_info )] dst [interface_name : dest_address /dest_port }[([idfw_user | FQDN_string ], sg_info )]
%ASA-2-106013: Dropping echo request from IP_address to PAT address IP_address
%ASA-3-106014: Deny inbound icmp src interface_name : IP_address [([idfw_user | FQDN_string ], sg_info )] dst interface_name : IP_address [([idfw_user | FQDN_string ], sg_info )] (type dec , code dec )
%ASA-6-106015: Deny TCP (no connection) from IP_address /port to IP_address /port flags tcp_flags on interface interface_name.
%ASA-1-106021: Deny protocol reverse path check from source_address to dest_address on interface interface_name
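An added example (not the module's code) of the "list of message IDs" approach for three of the 106xxx deny formats listed above: a per-ID pattern table acts as the allowlist, and a line with a known ID but an unexpected layout is returned as unparsed instead of being guessed at. The sample lines are constructed from those formats, not real device output; event.code, event.action, cisco.asa.source_interface and cisco.asa.tcp_flags are assumed field names.

```python
import re

# Added example, not Beats code. Patterns for a few of the 106xxx deny messages whose
# formats are listed in the issue, keyed by message ID so the ID table doubles as the
# allowlist of messages the module takes. Field names beyond source.*/destination.*
# and network.transport are assumptions.
ENDPOINT = r"(?P<src_ip>\S+)/(?P<src_port>\d+) to (?P<dst_ip>\S+)/(?P<dst_port>\d+)"
MESSAGE_PATTERNS = {
    "106001": re.compile(r"Inbound (?P<transport>TCP) connection denied from " + ENDPOINT +
                         r" flags (?P<flags>.+?) on interface (?P<iface>\S+)$"),
    "106006": re.compile(r"Deny inbound (?P<transport>UDP) from " + ENDPOINT +
                         r" on interface (?P<iface>\S+?)\.?$"),
    "106015": re.compile(r"Deny (?P<transport>TCP) \(no connection\) from " + ENDPOINT +
                         r" flags (?P<flags>.+?) on interface (?P<iface>\S+?)\.?$"),
}
HEADER = re.compile(r"^%ASA-(?P<severity>\d)-(?P<id>\d{6}): (?P<body>.*)$")


def parse_deny(line):
    h = HEADER.match(line.strip())
    if not h:
        return None
    pattern = MESSAGE_PATTERNS.get(h["id"])
    if pattern is None:
        return None  # ID not on the allowlist: leave the line unparsed
    m = pattern.match(h["body"])
    if not m:
        return None  # known ID but unexpected layout: surface it rather than guess
    ev = {
        "event.code": h["id"],      # assumption: ECS names not used on the page
        "event.action": "denied",   # assumption
        "network.transport": m["transport"].lower(),
        "source.ip": m["src_ip"], "source.port": int(m["src_port"]),
        "destination.ip": m["dst_ip"], "destination.port": int(m["dst_port"]),
        "cisco.asa.source_interface": m["iface"],  # assumption: "on interface" is ingress
    }
    if "flags" in m.groupdict() and m["flags"]:
        ev["cisco.asa.tcp_flags"] = m["flags"]  # assumption: field name
    return ev


# Constructed sample lines filled in from the formats quoted in the issue (not real output).
SAMPLES = [
    "%ASA-2-106001: Inbound TCP connection denied from 203.0.113.5/40212 to 192.0.2.10/22 flags SYN on interface outside",
    "%ASA-2-106006: Deny inbound UDP from 203.0.113.5/53 to 192.0.2.10/1024 on interface outside.",
    "%ASA-6-106015: Deny TCP (no connection) from 203.0.113.5/443 to 192.0.2.10/51000 flags RST on interface outside.",
    "%ASA-2-106013: Dropping echo request from 203.0.113.5 to PAT address 192.0.2.1",
]
```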
Added a few more. I tried to keep it to basic L3 stuff; there are a lot of obscure kinds of traffic and tunneling features, and most of them are warnings about blocked traffic.
Too bad there is not a lot of information about allowed traffic. It's still pending a second review and I have yet to compare with some log files I found.
These ones report flow termination, including duration: