From 2f0ce3864c704ff1d838dc3d6975d16e502f6d39 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Mon, 30 Mar 2020 18:34:20 -0400
Subject: [PATCH 1/4] Change f_catch_first to f_null_queue
---
 docs/configuration.md | 2 +-
 package/etc/conf.d/filters/misc/catchfirst.conf | 4 ++--
 package/etc/conf.d/log_paths/lp-aaa-catch_first.conf.tmpl | 2 +-
 .../context_templates/vendor_product_by_source.conf.example | 2 +-
 .../context_templates/vendor_product_by_source.csv.example | 2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/docs/configuration.md b/docs/configuration.md
index d4e8af5..ec1569d 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -228,7 +228,7 @@ docker stack deploy --compose-file docker-compose.yml sc4s
 ## Dropping all data by ip or subnet
 In some cases rogue or port-probing data can be sent to SC4S from misconfigured devices or vulnerability scanners. Update
-the `vendor_product_by_source.conf` filter `f_catch_first` with one or more ip/subnet masks to drop events without
+the `vendor_product_by_source.conf` filter `f_null_queue` with one or more ip/subnet masks to drop events without
 logging. Note that drop metrics will be recorded.
diff --git a/package/etc/conf.d/filters/misc/catchfirst.conf b/package/etc/conf.d/filters/misc/catchfirst.conf
index 9005f11..f967591 100644
--- a/package/etc/conf.d/filters/misc/catchfirst.conf
+++ b/package/etc/conf.d/filters/misc/catchfirst.conf
@@ -1,5 +1,5 @@
-#f_catch_first
-filter f_catch_first {
+#f_null_queue
+filter f_null_queue {
 match("^catch_first", value("fields.sc4s_vendor_product"));
 };
\ No newline at end of file
diff --git a/package/etc/conf.d/log_paths/lp-aaa-catch_first.conf.tmpl b/package/etc/conf.d/log_paths/lp-aaa-catch_first.conf.tmpl
index b8fac16..41ce1ee 100644
--- a/package/etc/conf.d/log_paths/lp-aaa-catch_first.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-aaa-catch_first.conf.tmpl
@@ -2,7 +2,7 @@
 # vulnerability scanners to be ignored
 log {
- filter(f_catch_first);
+ filter(f_null_queue);
 flags(catchall,final);
diff --git a/package/etc/context_templates/vendor_product_by_source.conf.example b/package/etc/context_templates/vendor_product_by_source.conf.example
index 1115e34..1eb20df 100644
--- a/package/etc/context_templates/vendor_product_by_source.conf.example
+++ b/package/etc/context_templates/vendor_product_by_source.conf.example
@@ -2,7 +2,7 @@ filter f_test_test {
 host("testvp-*" type(glob)) #or netmask(xxx.xxx.xxx.xxx/xx)
 };
-filter f_catch_first {
+filter f_null_queue {
 netmask(169.254.100.0/24)
 };
diff --git a/package/etc/context_templates/vendor_product_by_source.csv.example b/package/etc/context_templates/vendor_product_by_source.csv.example
index 302b8ca..0ea93b5 100644
--- a/package/etc/context_templates/vendor_product_by_source.csv.example
+++ b/package/etc/context_templates/vendor_product_by_source.csv.example
@@ -1,6 +1,6 @@
 f_test_test,sc4s_vendor_product,"test_test"
 f_brocade_syslog,sc4s_vendor_product,"brocade_syslog"
-f_catch_first,sc4s_vendor_product,"catch_first"
+f_null_queue,sc4s_vendor_product,"catch_first"
 f_cisco_meraki,sc4s_vendor_product,"cisco_meraki"
 f_citrix_netscaler,sc4s_vendor_product,"citrix_netscaler"
 f_dell_rsa_secureid,sc4s_vendor_product,"dell_rsa_secureid"
From a287d5e9c2248b5e2002dc9d89cc78f0e708ca54 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Mon, 30 Mar 2020 21:35:17 -0400
Subject: [PATCH 2/4] rename file to match
---
 .../{lp-aaa-catch_first.conf.tmpl => lp-aaa-null_queue.conf.tmpl} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename package/etc/conf.d/log_paths/{lp-aaa-catch_first.conf.tmpl => lp-aaa-null_queue.conf.tmpl} (100%)
diff --git a/package/etc/conf.d/log_paths/lp-aaa-catch_first.conf.tmpl b/package/etc/conf.d/log_paths/lp-aaa-null_queue.conf.tmpl
similarity index 100%
rename from package/etc/conf.d/log_paths/lp-aaa-catch_first.conf.tmpl
rename to package/etc/conf.d/log_paths/lp-aaa-null_queue.conf.tmpl
From 8c13eab92f9eacffcc265fc6935c157ba53ef94f Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Tue, 31 Mar 2020 12:05:47 -0400
Subject: [PATCH 3/4] Support cisco FTD as Cisco ASA
---
 docs/sources/Cisco/index.md | 4 ++--
 package/etc/conf.d/filters/cisco/asa.conf | 7 +++++--
 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/docs/sources/Cisco/index.md b/docs/sources/Cisco/index.md
index ae72697..bec8942 100644
--- a/docs/sources/Cisco/index.md
+++ b/docs/sources/Cisco/index.md
@@ -97,7 +97,7 @@ index= sourcetype=cisco:apic:*
 Verify timestamp, and host values match as expected
-## Product - ASA (Pre Firepower)
+## Product - ASA AND FTD (Firepower)
 | Ref | Link |
 |----------------|---------------------------------------------------------------------------------------------------------|
@@ -109,7 +109,7 @@ Verify timestamp, and host values match as expected
 | sourcetype | notes |
 |----------------|---------------------------------------------------------------------------------------------------------|
-| cisco:asa | None |
+| cisco:asa | cisco FTD Firepower will also use this source type |
 | cisco:pix | Not supported |
 | cisco:fwsm | Not supported |
diff --git a/package/etc/conf.d/filters/cisco/asa.conf b/package/etc/conf.d/filters/cisco/asa.conf
index a7ac9b7..cda9eed 100644
--- a/package/etc/conf.d/filters/cisco/asa.conf
+++ b/package/etc/conf.d/filters/cisco/asa.conf
@@ -1,8 +1,11 @@
 filter f_cisco_asa {
 message('^%ASA-\d+-\d{1,10}: ') or
- match('^%ASA-\d+-\d{1,10}:', value("LEGACY_MSGHDR"));
+ match('^%ASA-\d+-\d{1,10}:', value("LEGACY_MSGHDR")) or
+ message('^%FTD-\d+-\d{1,10}: ') or
+ match('^%FTD-\d+-\d{1,10}:', value("LEGACY_MSGHDR"));
 };
 filter f_cisco_asa_nohost {
- match('^%ASA-\d+-\d{1,10}:', value("LEGACY_MSGHDR"));
+ match('^%ASA-\d+-\d{1,10}:', value("LEGACY_MSGHDR"))
+ or match('^%FTD-\d+-\d{1,10}:', value("LEGACY_MSGHDR"));
 };
From d4b90d3d691ce98b706e86e5bb0638536e73dabe Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Tue, 31 Mar 2020 12:08:49 -0400
Subject: [PATCH 4/4] fix
---
 package/etc/conf.d/filters/misc/catchfirst.conf | 5 -----
 package/etc/conf.d/filters/misc/null_queue.conf | 5 +++++
 2 files changed, 5 insertions(+), 5 deletions(-)
 delete mode 100644 package/etc/conf.d/filters/misc/catchfirst.conf
 create mode 100644 package/etc/conf.d/filters/misc/null_queue.conf
diff --git a/package/etc/conf.d/filters/misc/catchfirst.conf b/package/etc/conf.d/filters/misc/catchfirst.conf
deleted file mode 100644
index f967591..0000000
--- a/package/etc/conf.d/filters/misc/catchfirst.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-#f_null_queue
-filter f_null_queue {
- match("^catch_first", value("fields.sc4s_vendor_product"));
-
-};
\ No newline at end of file
diff --git a/package/etc/conf.d/filters/misc/null_queue.conf b/package/etc/conf.d/filters/misc/null_queue.conf
new file mode 100644
index 0000000..561a2a8
--- /dev/null
+++ b/package/etc/conf.d/filters/misc/null_queue.conf
@@ -0,0 +1,5 @@
+#f_null_queue
+filter f_null_queue {
+ match("^null_queue", value("fields.sc4s_vendor_product"));
+
+};
\ No newline at end of file
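Review bot: The same `\d+-\d{1,10}:` header regex now appears four times across f_cisco_asa and f_cisco_asa_nohost with only the `%ASA`/`%FTD` prefix differing, and the two filters already combine their terms differently (trailing ` or` in the first, leading `or ` in the second), so the next product added here is likely to drift; one alternation per call keeps both filters in step: `message('^%(ASA|FTD)-\d+-\d{1,10}: ') or match('^%(ASA|FTD)-\d+-\d{1,10}:', value("LEGACY_MSGHDR"));` in f_cisco_asa and `match('^%(ASA|FTD)-\d+-\d{1,10}:', value("LEGACY_MSGHDR"));` in f_cisco_asa_nohost, assuming syslog-ng's default PCRE matcher. A comment above f_cisco_asa should record the routing decision the filter name hides, e.g. `# FTD (Firepower Threat Defense) syslog carries the same %XXX-<sev>-<id> header as ASA and is deliberately routed to the cisco:asa sourcetype`. Whether FTD-only event ids still parse once tagged cisco:asa is not something this hunk shows and is worth confirming against the consuming add-on.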
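Review bot: With f_null_queue now matching `^null_queue` on fields.sc4s_vendor_product, the example row changed in patch 1 (`f_null_queue,sc4s_vendor_product,"catch_first"` in vendor_product_by_source.csv.example) no longer yields a value this filter matches, so hosts a user tags from that example would be labelled catch_first, miss the null-queue log path, and the rogue or scanner traffic the docs say is dropped would be forwarded instead; the example should read `f_null_queue,sc4s_vendor_product,"null_queue"`. `^null_queue` is also only front-anchored, so any vendor_product that merely starts with null_queue would be discarded; `match("^null_queue$", value("fields.sc4s_vendor_product"));` avoids that if an exact match is intended. The new file also ends without a trailing newline, as the `\ No newline at end of file` marker shows.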