Open GoogleCodeExporter opened 9 years ago
Did you write a new parser, or are you testing to see if the existing parsers
work to parse your ASA messages? You should be testing with the actual
messages (your example 1 and 2) instead of the "test_prog" and "source_ip..."
text. Make sure to use the actual program name sent like "%ASA-102030" or
whatever it is.
Original comment by mchol...@gmail.com
on 12 Mar 2013 at 5:04
I want to write new parser, but i guess i don'r fully understand how this is
done. The Cisco ASA logs i are getting are not all parsed.
Are there a online tool that can help me create the correct parser?
Original comment by jacobrav...@gmail.com
on 13 Mar 2013 at 6:15
No, there's no online tool right now to help. However, based on the examples
you listed, I've gone ahead and created three more ASA deny patterns. If you
update your log node with sh install.sh node update, your ELSA will use the
latest pattern. Please let me know if it doesn't work.
Original comment by mchol...@gmail.com
on 13 Mar 2013 at 7:10
Nice :-) , just updated, and there are some more logs that are not being parsed
Deny IP spoof from (0.0.0.0) to 10.6.128.5 on interface Management
Deny inbound icmp src TransportNet:172.27.10.42 dst TransportNet:10.0.180.1
(type 8, code 0)
Deny TCP (no connection) from 87.55.209.68/55663 to 217.28.161.203/52983 flags
FIN ACK on interface outside
Deny TCP (no connection) from 173.193.205.198/80 to 217.28.161.79/48165 flags
SYN ACK on interface outside
Deny IP from 10.0.8.49 to 239.203.13.64, IP options: "Router Alert"
Original comment by jacobrav...@gmail.com
on 13 Mar 2013 at 10:38
Ok, I've just updated the patterndb.xml to cover those as well. For
reference, the patterns I've added thus far are:
<pattern>Deny @ESTRING:i0: @@ESTRING::from
@@ESTRING:s0:-@@ESTRING:i1:-@@ESTRING::/@@ESTRING:i2:
@to @ESTRING:s1:-@@ESTRING:i3:-@@ESTRING::/@@ESTRING:i4: @</pattern>
<pattern>Deny inbound @ESTRING:i0: @from @ESTRING:i1:/@@ESTRING:i2: @to
@ESTRING:i3:/@@ESTRING:i4: @on interface @ANYSTRING:s0:@</pattern>
<pattern>Deny outbound @ESTRING:i0: @from @ESTRING:i1:/@@ESTRING:i2: @to
@ESTRING:i3:/@@ESTRING:i4: @on interface @ANYSTRING:s0:@</pattern>
<pattern>Deny IP spoof @ESTRING::to @@ESTRING:i3: @on interface
@ANYSTRING:s0:@</pattern>
<pattern>Deny inbound @ESTRING:i0: @src @ESTRING:s0::@@ESTRING:i1: @dst
@ESTRING:s1::@@ESTRING:i3: @</pattern>
<pattern>Deny @ESTRING:i0: @@ESTRING::from @@ESTRING:i1:/@@ESTRING:i2: @to
@ESTRING:i3:/@@ESTRING:i4: @@ESTRING::interface @@ANYSTRING:s0:@</pattern>
<pattern>Deny IP from @ESTRING:i1: @to @ESTRING:i3: @</pattern>
On Wed, Mar 13, 2013 at 5:38 PM, <
enterprise-log-search-and-archive@googlecode.com> wrote:
Original comment by mchol...@gmail.com
on 14 Mar 2013 at 2:22
Please create pattern for this log entry, username must be indexed
Teardown dynamic TCP translation from Inside:10.1.0.9/61894(DOMAIN\wali) to
Outside:217.28.164.241/61894 duration 0:11:32
Built outbound TCP connection 267134428 for Outside:10.16.1.21/443
(10.16.1.21/443) to Inside:10.0.209.31/63650 (10.0.209.31/63650)(DOMAIN\jbho)
Deny tcp src Inside:10.0.139.191/54620(DOMAIN\sccmclient) dst
Outside:10.0.12.164/445 by access-group "CSM_FW_ACL_Inside" [0xa900b3db, 0x0]
Deny inbound icmp src Outside:10.0.11.78(DOMAIN\angr) dst Outside:172.16.8.113
(type 8, code 0)
Original comment by jacobrav...@gmail.com
on 29 Mar 2013 at 11:40
Please check your documentation in regards to the commandline method for
testing new parsers, and past the result here.
Could you please tell me what the name is for kind of parsers, ex. RegEX. Or
point to website where i can learn more about how to create new parsers
Original comment by jacobrav...@gmail.com
on 11 Apr 2013 at 8:22
Original issue reported on code.google.com by
jacobrav...@gmail.com
on 12 Mar 2013 at 2:33