Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Additional patterns request for CISCO ASA message ids #240

Open
JasperJuergensen opened this issue Jan 24, 2019 · 1 comment
Open

Additional patterns request for CISCO ASA message ids #240

JasperJuergensen opened this issue Jan 24, 2019 · 1 comment

Comments

@JasperJuergensen
Copy link

Patterns for CISCO ASA-7-609001, ASA-6-604103, ASA-6-303002, ASA-6-607001 are missing.

ASA-6-303002 has already been requested in issue #208 and an implementation has been provided in #226

Sample Data:

<123>asa %ASA-7-609001: Built local-host outside:192.0.2.42
<123>asa %ASA-6-604103: DHCP daemon interface WLAN_Guests:  address granted abcd.abcd.abcd.e7 (192.0.2.42)
<123>asa %ASA-6-604103: DHCP daemon interface WLAN_Guests:  address granted abcd.abcd.abcd (192.0.2.42)
<123>asa %ASA-6-303002: FTP connection from inside:203.0.113.42/54321 to outside:192.0.2.42/21, user testuser Stored file test-file
<123>asa %ASA-6-607001: Pre-allocate SIP NOTIFY UDP secondary channel for DMZ:192.0.2.42/12006 to inside:203.0.113.42 from 200 message

Possible implementation for ASA-7-609001:

CISCOFW7609001 Built local-host %{DATA:interface}:%{IP:dst_ip}

Possible implementation for ASA-6-607001:

CISCOFW6607001 Pre-allocate %{WORD:protocol} NOTIFY UDP secondary channel for %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip} from %{POSINT:message_count} message

Possible implementation for ASA-6-604103:

CISCOFW6604103 DHCP daemon interface %{GREEDYDATA:interface}:  address granted %{MAC:dst_mac}(?:\.[A-Da-f0-9]{2})? \(%{IP:dst_ip}\)

Possible implementation for ASA-6-303002 (from #226 ):

CISCOFW303002 FTP connection from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}, user %{DATA:dst_user} %{DATA:ftp_action} file %{DATA:filename}
@MakoWish
Copy link

MakoWish commented Jul 10, 2019
edited
Loading

I found this page from a Google search for "ASA-7-609001" and was hoping for a solution. I have tried a custom pattern file, and I still get a grok parse failure.

<123>asa %ASA-7-609001: Built local-host outside:192.0.2.42\n
<123>asa %ASA-7-609002: Teardown local-host outside:192.0.2.42 duration 0:02:25\n

This pattern works in grok debugger, but it does not seem to work in production:

CISCOFW609001_609002 %{CISCO_ACTION:action} %{WORD} %{DATA:src_interface}:%{IP:src_ip}?(\\n)?( duration %{TIME:duration})?(\\n)

Any suggestions?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@JasperJuergensen @MakoWish