elastic / beats

:tropical_fish: Beats - Lightweight shippers for Elasticsearch & Logstash
https://www.elastic.co/products/beats

[Filebeat] Module to Cisco ASA Firewall Logs #9200

Closed andrewkroh closed 5 years ago

andrewkroh commented 5 years ago

As a user I'd like to easily be able to ingest syslog data coming from a Cisco ASA device. In particular I'm interested in log messages related to firewall activity (access-list deny/allow, spoofing detected, etc).

Cisco publishes the format of their syslog messages on their website.

We should define a list of message IDs that we want included in the first version of the module.

Added a few more. I tried to keep it basic L3 stuff; there are a lot of obscure kinds of traffic and tunneling features, and most of them are warnings about blocked traffic. Too bad there is not a lot of information about allowed traffic.

It's still pending a second review and I have yet to compare with some log files I found.

- %ASA-2-106002: {protocol} Connection denied by outbound list acl_ID src inside_address dest outside_address
- %ASA-2-106016: Deny IP spoof from ({IP_address}) to {IP_address} on interface interface_name.
- %ASA-2-106017: Deny IP due to Land Attack from {IP_address} to {IP_address}
- %ASA-2-106018: ICMP packet type ICMP_type denied by outbound list acl_ID src inside_address dest outside_address
- %ASA-2-106020: Deny IP teardrop fragment (size = number, offset = number) from {IP_address} to {IP_address}
- %ASA-1-106022: Deny protocol connection spoof from source_address to dest_address on interface interface_name
- %ASA-4-106023: Deny protocol src [{interface_name}:{source_address}/{source_port}] [([{idfw_user}|{FQDN_string}], {sg_info})] dst {interface_name}:{dest_address}/{dest_port} [([{idfw_user}|{FQDN_string}], {sg_info})] [type {{string}}, code {{code}}] by {access_group acl_ID} [0x8ed66b60, 0xf8852875]
- %ASA-4-106027: acl_ID: Deny src [source address] dst [destination address] by access-group "access-list name"
- %ASA-6-106100: access-list {acl_ID} {permitted | denied | est-allowed} {protocol} {interface_name}/{source_address}({source_port}) ({idfw_user}, {sg_info}) {interface_name}/{dest_address}({dest_port}) ({idfw_user}, {sg_info}) hit-cnt {number} ({first hit | {number}-second interval}) hash codes
- %ASA-6-106102: access-list {acl_ID} {permitted|denied} protocol for user {username} {interface_name}/{source_address} {source_port} {interface_name}/{dest_address dest_port} hit-cnt {number} {first hit|{number}-second interval} hash codes
- %ASA-4-106103: access-list {acl_ID} denied protocol for user {username} {interface_name}/{source_address} {source_port interface_name}/{dest_address dest_port} hit-cnt {number} first hit hash codes
- %ASA-3-313001: Denied ICMP type={number}, code={code} from {IP_address} on interface {interface_name}
- %ASA-4-313004: Denied ICMP type={icmp_type}, from {source_address} on interface {interface_name} to {dest_address}: no matching session
- %ASA-4-313005: No matching connection for ICMP error message: {icmp_msg_info} on {interface_name} interface. Original IP payload: {embedded_frame_info}. icmp_msg_info = icmp src {src_interface_name}:{src_address} [([{idfw_user}|{FQDN_string}], {sg_info})] dst {dest_interface_name}:{dest_address} [([{idfw_user}|{FQDN_string}], {sg_info})] (type {icmp_type}, code {icmp_code}); embedded_frame_info = prot src {source_address}/{source_port} [([{idfw_user}|{FQDN_string}], {sg_info})] dst {dest_address}/{dest_port} [([{idfw_user}|{FQDN_string}], {sg_info})]
- %ASA-3-313008: Denied ICMPv6 type={number}, code={code} from {IP_address} on interface {interface_name}
- %ASA-4-313009: Denied invalid ICMP code {icmp-code}, for {src-ifc}:{src-address}/{src-port} (mapped-src-address/mapped-src-port) to {dest-ifc}:{dest-address}/{dest-port} (mapped-dest-address/mapped-dest-port) [{user}], ICMP id {icmp-id}, ICMP type {icmp-type}
- %ASA-3-322001: Deny MAC address MAC_address, possible spoof attempt on interface {interface}
- %ASA-3-322002: ARP inspection check failed for arp {request|response} received from host MAC_address on interface {interface}. This host is advertising MAC Address {MAC_address_1} for IP Address {IP_address}, which is {statically|dynamically} bound to MAC Address {MAC_address_2}.
- %ASA-3-322003: ARP inspection check failed for arp {request|response} received from host MAC_address on interface {interface}. This host is advertising MAC Address {MAC_address_1} for IP Address {IP_address}, which is not bound to any MAC Address.

These ones report flow termination, including duration:

- %ASA-6-302014: Teardown TCP connection id for interface:real-address/real-port [(idfw_user)] to interface:real-address/real-port [(idfw_user)] duration hh:mm:ss bytes bytes [reason [from teardown-initiator]] [(user)]
- %ASA-6-302016: Teardown UDP connection {number} for {interface}:{real-address}/{real-port} [({idfw_user})] to {interface}:{real-address}/{real-port} [({idfw_user})] duration {hh}:{mm}:{ss} bytes {bytes} [({user})]
- %ASA-6-302018: Teardown GRE connection {id} from {interface}:{real_address} ({translated_address}) [({idfw_user})] to {interface}:{real_address}/{real_cid} ({translated_address}/{translated_cid}) [({idfw_user})] duration {hh}:{mm}:{ss} bytes {bytes} [({user})]
- %ASA-6-302021: Teardown ICMP connection for faddr {{faddr} | {icmp_seq_num}} [({idfw_user})] gaddr {{gaddr} | {cmp_type}} laddr {laddr} [({idfw_user})] (981) type {{type}} code {{code}}
- %ASA-6-302036: Teardown SCTP connection {conn_id} for {outside_interface}:{outside_ip}/{outside_port} [([{outside_idfw_user}],[{outside_sg_info}])] to {inside_interface}:{inside_ip}/{inside_port} [([{inside_idfw_user}],[{inside_sg_info}])] duration {time} bytes {bytes} {reason} [({user})]
- %ASA-6-302304: Teardown TCP state-bypass connection {conn_id} from {initiator_interface}:ip/port to {responder_interface}:ip/port {duration}, {bytes}, {teardown reason}
- %ASA-6-302306: Teardown SCTP state-bypass connection {conn_id} for {outside_interface}:{outside_ip}/{outside_port} [([{outside_idfw_user}],[{outside_sg_info}])] to {inside_interface}:{inside_ip}/{inside_port} [([{inside_idfw_user}],[{inside_sg_info}])] duration {time} bytes {bytes} {reason}
elasticmachine commented 5 years ago

Pinging @elastic/secops

adriansr commented 5 years ago

Here's a CSV file with the messages extracted from the web docs using a custom scraper. I've tried to also extract the parameters in the hope of creating a pipeline generator out of it, but the format on Cisco's website is inconsistent at best.

cisco-asa.zip

adriansr commented 5 years ago

I forgot to link these ones (already partially mapped to ECS fields):


338001,4,"%ASA-4-338001: Dynamic filter {action} blacklisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) source {} resolved from {cisco.asa.list_id} list: {source.domain}, threat-level:{level_value,} category:{category_name}"
338002,4,"%ASA-4-338002: Dynamic filter {action} blacklisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) destination {} resolved from {cisco.asa.list_id} list: {destination.domain}, threat-level:{level_value,} category:{category_name}"
338003,4,"%ASA-4-338003: Dynamic filter {action} blacklisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) source {} resolved from {cisco.asa.list_id} list: {ip address/netmask,} threat-level:{level_value,} category:{category_name}"
338004,4,"%ASA-4-338004: Dynamic filter {action} blacklisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) destination {} resolved from {cisco.asa.list_id} list: {ip address/netmask,} threat-level:{level_value,} category:{category_name}"
338005,4,"%ASA-4-338005: Dynamic filter {action} blacklisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) source {} resolved from {cisco.asa.list_id} list: {source.domain}, threat-level:{level_value,} category:{category_name}"
338006,4,"%ASA-4-338006: Dynamic filter {action} blacklisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) destination {} resolved from {cisco.asa.list_id} list: {destination.domain}, threat-level:{level_value,} category:{category_name}"
338007,4,"%ASA-4-338007: Dynamic filter {action} blacklisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) source {} resolved from {cisco.asa.list_id} list: {ip address/netmask,} threat-level:{level_value,} category:{category_name}"
338008,4,"%ASA-4-338008: Dynamic filter {action} blacklisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) destination {} resolved from {cisco.asa.list_id} list: {ip address/netmask,} threat-level:{level_value,} category:{category_name}"
338101,4,"%ASA-4-338101: Dynamic filter {action} whitelisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) source {} resolved from {cisco.asa.list_id} list: {source.domain}"
338102,4,"%ASA-4-338102: Dynamic filter {action} whitelisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) destination {} resolved from {cisco.asa.list_id} list: {destination.domain}"
338103,4,"%ASA-4-338103: Dynamic filter {action} whitelisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) source {} resolved from {cisco.asa.list_id} list: {ip address/netmask}"
338104,4,"%ASA-4-338104: Dynamic filter {action} whitelisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) destination {} resolved from {cisco.asa.list_id} list: {ip address/netmask}"
338201,4,"%ASA-4-338201: Dynamic filter {action} greylisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) source {} resolved from {cisco.asa.list_id} list: {source.domain}, threat-level:{cisco.asa.threat_level}, category:{cisco.asa.threat_category}"
338202,4,"%ASA-4-338202: Dynamic filter {action} greylisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) destination {} resolved from {cisco.asa.list_id} list: {destination.domain}, threat-level:{cisco.asa.threat_level}, category:{cisco.asa.threat_category}"
338203,4,"%ASA-4-338203: Dynamic filter {action} greylisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) source {} resolved from {cisco.asa.list_id} list: {source.domain}, threat-level:{cisco.asa.threat_level}, category:{cisco.asa.threat_category}"
338204,4,"%ASA-4-338204: Dynamic filter {action} greylisted {network.transport} traffic from {cisco.asa.source_interface}:{source.ip}/{source.port} ({cisco.asa.mapped_source_ip}/{cisco.asa.mapped_source_port}) to {cisco.asa.destination_interface}:{destination.ip}/{destination.port} ({cisco.asa.mapped_destination_ip}/{cisco.asa.mapped_destination_port}) destination {} resolved from {cisco.asa.list_id} list: {destination.domain}, threat-level:{cisco.asa.threat_level}, category:{cisco.asa.threat_category}"
andrewkroh commented 5 years ago

I found samples for a few of these.

%ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (209.165.201.1/7890) to outside:209.165.202.129/80 (209.165.202.129/80), destination 209.165.202.129 resolved from dynamic list: bad.example.com
https://www.cisco.com/c/en/us/td/docs/security/asa/special/botnet/guide/asa-botnet.html

%ASA-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/0 (10.2.1.1/0) to outsidet:x.x.x.x/0 (x.x.x.x/0), destination x.x.x.x resolved from dynamic list: x.x.x.x/255.255.255.255, threat-level: very-high, category: Malware
https://quickview.cloudapps.cisco.com/quickview/bug/CSCtg14750

%ASA-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/0 (10.2.1.1/0) to outsidet:x.x.x.x/0 (x.x.x.x/0), destination x.x.x.x resolved from dynamic list: x.x.x.x/255.255.255.255, threat-level: very-high, category: Malware
https://quickview.cloudapps.cisco.com/quickview/bug/CSCtg14750
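The parser below is an added example, written for this page in Go (the Beats language) and not code from the Beats project or from any of the commenters. It covers the two message families the thread is about: the access-list and teardown templates listed in the first comment (106023, 106100, 302014/302016) and the Dynamic Filter 338xxx messages from the CSV and the samples above. The ECS names in the struct comments are the ones the thread uses; the cisco.asa.* names, the event.outcome mapping and the "->" separator in 106100 are assumptions, and the sample lines are constructed (the two 338xxx lines are adapted from the samples quoted above, with documentation addresses in place of the x.x.x.x placeholders).

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// ASAEvent is the ECS-style view of one Cisco ASA syslog message. Comments give the
// ECS names used in the thread; the cisco.asa.* names are assumed for this example.
type ASAEvent struct {
	MessageID string // cisco.asa.message_id, e.g. "106023"
	Severity  int    // ASA severity 0 (emergencies) .. 7 (debugging)
	Action    string // raw action word: Deny, permitted, denied, dropped, Teardown, ...
	Outcome   string // event.outcome: "deny", "allow" or "" (assumed mapping, see outcomes)
	Transport string // network.transport, lower-cased
	// source.* / destination.* plus cisco.asa.source_interface / destination_interface;
	// for 302014/302016 they follow the "for <A> to <B>" order of the message.
	SrcInterface, SrcIP, DstInterface, DstIP string
	SrcPort, DstPort                         int
	ACL          string // cisco.asa.list_id: access-list/access-group name, or botnet list name
	ConnectionID string // cisco.asa.connection_id (302014 / 302016)
	DurationSecs int    // teardown duration in seconds (event.duration wants nanoseconds)
	Bytes        int64  // network.bytes
	Reason       string // teardown reason, e.g. "TCP FINs"
	ListEntry    string // 338xxx: the matched list entry, a domain or an ip/netmask
	ThreatLevel, ThreatCategory string // cisco.asa.threat_level / cisco.asa.threat_category
}

var (
	// Every ASA message starts with %ASA-<severity>-<6-digit id>: <text>
	headerRe = regexp.MustCompile(`%ASA-(\d)-(\d{6}):\s*(.*)$`)
	// 106023: Deny <proto> src <ifc>:<ip>[/<port>] dst <ifc>:<ip>[/<port>] [(type n, code n)] by access-group "<acl>" [hashes]
	denyRe = regexp.MustCompile(`^Deny (\S+) src ([^:\s]+):([^/\s]+)(?:/(\d+))?(?: \([^)]*\))? dst ([^:\s]+):([^/\s]+)(?:/(\d+))?(?: \([^)]*\))? by access-group "?([^"\s\[]+)"?`)
	// 106100: access-list <acl> <permitted|denied|est-allowed> <proto> <ifc>/<ip>(<port>) [-> ]<ifc>/<ip>(<port>) hit-cnt <n> ...
	aclRe = regexp.MustCompile(`^access-list (\S+) (permitted|denied|est-allowed) (\S+) ([^/\s]+)/([^(\s]+)\((\d+)\)(?: \([^)]*\))?\s*(?:->\s*)?([^/\s]+)/([^(\s]+)\((\d+)\)(?: \([^)]*\))? hit-cnt (\d+)`)
	// 302014 / 302016: Teardown <TCP|UDP> connection <id> for <ifc>:<ip>/<port> to <ifc>:<ip>/<port> duration h:mm:ss bytes <n> [reason]
	teardownRe = regexp.MustCompile(`^Teardown (TCP|UDP) connection (\d+) for ([^:\s]+):([^/\s]+)/(\d+)(?: \([^)]*\))? to ([^:\s]+):([^/\s]+)/(\d+)(?: \([^)]*\))? duration (\d+):(\d+):(\d+) bytes (\d+)(?: (.*))?$`)
	// 338xxx: Dynamic Filter <action> <list type> <proto> traffic from <ifc>:<ip>/<port> (<mapped>) to <ifc>:<ip>/<port> (<mapped>), <source|destination> <ip> resolved from <list> list: <entry>[, threat-level: <l>, category: <c>]
	botnetRe = regexp.MustCompile(`^Dynamic Filter (\S+) (black ?listed|white ?listed|grey ?listed) (\S+) traffic from ([^:\s]+):([^/\s]+)/(\d+) \([^)]*\) to ([^:\s]+):([^/\s]+)/(\d+) \([^)]*\), (?:source|destination) \S+ resolved from (\S+) list: ([^,]+)(?:, threat-level: (\S+), category: (.*))?$`)
)

// outcomes maps the ASA action word to event.outcome (assumed mapping). Anything
// else, e.g. "monitored" in 338004 or a teardown, leaves Outcome empty.
var outcomes = map[string]string{"deny": "deny", "denied": "deny", "dropped": "deny", "permitted": "allow", "est-allowed": "allow"}

// ParseASA parses one syslog line carrying a %ASA message; anything before the
// %ASA token (timestamp, hostname) is ignored. For an ID this example does not
// model, or a body that does not fit the modelled layout, the returned event still
// carries MessageID and Severity and the error says why the rest is empty.
func ParseASA(line string) (*ASAEvent, error) {
	m := headerRe.FindStringSubmatch(line)
	if m == nil {
		return nil, fmt.Errorf("no %%ASA-<severity>-<id> header in %q", line)
	}
	ev, body := &ASAEvent{MessageID: m[2], Severity: atoi(m[1])}, m[3]
	var f []string
	switch id := ev.MessageID; {
	case id == "106023" && match(&f, denyRe, body):
		ev.Action, ev.Transport, ev.ACL = "Deny", f[1], f[8]
		ev.endpoints(f, 2)
	case id == "106100" && match(&f, aclRe, body):
		ev.ACL, ev.Action, ev.Transport = f[1], f[2], f[3]
		ev.endpoints(f, 4)
	case (id == "302014" || id == "302016") && match(&f, teardownRe, body):
		ev.Action, ev.Transport, ev.ConnectionID, ev.Reason = "Teardown", f[1], f[2], f[13]
		ev.DurationSecs = atoi(f[9])*3600 + atoi(f[10])*60 + atoi(f[11])
		ev.Bytes, _ = strconv.ParseInt(f[12], 10, 64)
		ev.endpoints(f, 3)
	case strings.HasPrefix(id, "338") && match(&f, botnetRe, body):
		ev.Action, ev.Transport, ev.ACL, ev.ListEntry = f[1], f[3], f[10], f[11]
		ev.ThreatLevel, ev.ThreatCategory = f[12], f[13]
		ev.endpoints(f, 4)
	default:
		return ev, fmt.Errorf("message %s: not modelled here, or body did not match: %q", id, body)
	}
	ev.Transport, ev.Outcome = strings.ToLower(ev.Transport), outcomes[strings.ToLower(ev.Action)]
	return ev, nil
}

// match runs re over body and stores the submatches in *f; false when there is no match.
func match(f *[]string, re *regexp.Regexp, body string) bool {
	*f = re.FindStringSubmatch(body)
	return *f != nil
}

// endpoints copies <ifc, ip, port> for source and destination from six consecutive capture groups starting at i.
func (ev *ASAEvent) endpoints(f []string, i int) {
	ev.SrcInterface, ev.SrcIP, ev.SrcPort = f[i], f[i+1], atoi(f[i+2])
	ev.DstInterface, ev.DstIP, ev.DstPort = f[i+3], f[i+4], atoi(f[i+5])
}

func atoi(s string) int { n, _ := strconv.Atoi(s); return n } // inputs are regex-guaranteed digits or ""

// SampleLines are constructed for this example, not captured from a device; the two
// 3380xx lines are adapted from the samples quoted in the thread.
var SampleLines = []string{
	`Dec 10 10:42:09 asa01 %ASA-4-106023: Deny tcp src outside:192.0.2.10/54321 dst inside:10.0.0.5/22 by access-group "outside_in" [0x8ed66b60, 0xf8852875]`,
	`Dec 10 10:42:10 asa01 %ASA-6-106100: access-list inside_in permitted tcp inside/10.0.0.5(51000) -> outside/192.0.2.10(443) hit-cnt 1 first hit [0x12345678, 0x0]`,
	`Dec 10 10:42:15 asa01 %ASA-6-302014: Teardown TCP connection 12345 for outside:192.0.2.10/443 to inside:10.0.0.5/51000 duration 0:00:05 bytes 1234 TCP FINs from inside`,
	`Dec 10 10:42:16 asa01 %ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (209.165.201.1/7890) to outside:209.165.202.129/80 (209.165.202.129/80), destination 209.165.202.129 resolved from dynamic list: bad.example.com`,
	`Dec 10 10:42:17 asa01 %ASA-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/0 (10.2.1.1/0) to outside:203.0.113.9/0 (203.0.113.9/0), destination 203.0.113.9 resolved from dynamic list: 203.0.113.9/255.255.255.255, threat-level: very-high, category: Malware`,
}

func main() {
	for _, l := range SampleLines {
		ev, err := ParseASA(l)
		fmt.Printf("%+v err=%v\n", ev, err)
	}
}
```

Two things this makes visible that the templates alone do not: the Deny/permitted word has to be normalised before it can drive event.outcome, because 338002 is a "permitted" hit on a blacklist while 338008 is "dropped", and the optional parentheticals (idfw_user, sg_info, ICMP type/code, mapped addresses) must be tolerated or real lines will silently fail to match. Regexes written from Cisco's templates should still be checked against lines from an actual device, as the quoted samples differ from the documented layout in small ways (spacing of "black listed", the "->" in 106100).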