Skip to content

Commit

Permalink
Support Cisco ASA and misc fixes (#17)
Browse files Browse the repository at this point in the history
* Support Cisco ASA and misc fixes

Fixes #14
Fixes #15
Fixes #16

* fix typo in rfc number
  • Loading branch information
Ryan Faircloth authored and GitHub committed Jul 12, 2019
1 parent 8f20ae0 commit 84b1f84
Show file tree
Hide file tree
Showing 4 changed files with 72 additions and 3 deletions.
24 changes: 24 additions & 0 deletions package/etc/conf.d/filters/cisco_asa_tradditional.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
log {
source(s_default-ports);

filter {tags("cisco:asa")
or message('^.{10,60} : %ASA-\d+-\d{1,10}: ')
;};

#Cisco ASA can send 3164 or 5424 either way we are good with basic parsing
parser {
#basic parsing
syslog-parser(time-zone(`default-timezone`));
};

#set the source type based on program field and lookup index from the splunk context csv
parser {p_add_context_splunk(key("cisco:asa")); };

#rewrite the final message for splunk json
#sourcetype and index are set in the filter defaults won't be used
rewrite {r_set_splunk_basic(template("t_msg_only")) }; #--HEC--

destination(d_hec); #--HEC--

flags(final);
};
2 changes: 1 addition & 1 deletion package/etc/conf.d/filters/paloalto_networks.conf
Original file line number Diff line number Diff line change
Expand Up @@ -57,5 +57,5 @@ log {

destination(d_hec); #--HEC--

#flags(final);
flags(final);
};
2 changes: 2 additions & 0 deletions package/etc/context/splunk_index.csv
Original file line number Diff line number Diff line change
@@ -1,3 +1,5 @@
cisco:asa,index,main
cisco:asa,sourcetype,cisco:asa
pan:traffic,index,main
pan:threat,index,main
pan:system,index,main
Expand Down
47 changes: 45 additions & 2 deletions tests/test_poc.py
Original file line number Diff line number Diff line change
Expand Up @@ -113,7 +113,7 @@ def test_defaultroute(record_property, setup_wordlist, setup_splunk):
def test_palo_alto_traffic(record_property, setup_wordlist, setup_splunk):
host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))

mt = env.from_string("{{ mark }} {% now 'utc', '%b %d 01:02:03' %} {{ host }} 1,{% now 'utc', '%Y/%m/%d %H:%M:%S' %},007200001056,TRAFFIC,end,1,{% now 'utc', '%Y/%m/%d %H:%M:%S' %},192.168.41.30,192.168.41.255,10.193.16.193,192.168.41.255,allow-all,,,netbios-ns,vsys1,Trust,Untrust,ethernet1/1,ethernet1/2,To-Panorama,2014/01/28 01:28:34,8720,1,137,137,11637,137,0x400000,udp,allow,276,276,0,3,2014/01/28 01:28:02,2,any,0,2076326,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,3,0\n")
mt = env.from_string("{{ mark }} {% now 'utc', '%b %d %H:%M:%S' %} {{ host }} 1,{% now 'utc', '%Y/%m/%d %H:%M:%S' %},007200001056,TRAFFIC,end,1,{% now 'utc', '%Y/%m/%d %H:%M:%S' %},192.168.41.30,192.168.41.255,10.193.16.193,192.168.41.255,allow-all,,,netbios-ns,vsys1,Trust,Untrust,ethernet1/1,ethernet1/2,To-Panorama,2014/01/28 01:28:34,8720,1,137,137,11637,137,0x400000,udp,allow,276,276,0,3,2014/01/28 01:28:02,2,any,0,2076326,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,3,0\n")
message = mt.render(mark="<111>", host=host)

sendsingle(message)
Expand All @@ -134,7 +134,7 @@ def test_palo_alto_traffic(record_property, setup_wordlist, setup_splunk):
def test_palo_alto_threat(record_property, setup_wordlist, setup_splunk):
host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))

mt = env.from_string("{{ mark }} {% now 'utc', '%b %d 01:02:03' %} {{ host }} 1,{% now 'utc', '%Y/%m/%d %H:%M:%S' %},01606001116,THREAT,url,1,{% now 'utc', '%Y/%m/%d %H:%M:%S' %},192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,22860,1,59303,80,0,0,0x208000,tcp,alert,\"litetopdetect.cn/index.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html\n")
mt = env.from_string("{{ mark }} {% now 'utc', '%b %d %H:%M:%S' %} {{ host }} 1,{% now 'utc', '%Y/%m/%d %H:%M:%S' %},01606001116,THREAT,url,1,{% now 'utc', '%Y/%m/%d %H:%M:%S' %},192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,22860,1,59303,80,0,0,0x208000,tcp,alert,\"litetopdetect.cn/index.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html\n")
message = mt.render(mark="<111>", host=host)

sendsingle(message)
Expand All @@ -150,3 +150,46 @@ def test_palo_alto_threat(record_property, setup_wordlist, setup_splunk):

assert resultCount == 1

#Apr 15 2017 00:21:14 192.168.12.1 : %ASA-5-111010: User 'john', running 'CLI' from IP 0.0.0.0, executed 'dir disk0:/dap.xml'
#Apr 15 2017 00:22:27 192.168.12.1 : %ASA-4-313005: No matching connection for ICMP error message: icmp src outside:81.24.28.226 dst inside:72.142.17.10 (type 3, code 0) on outside interface. Original IP payload: udp src 72.142.17.10/40998 dst 194.153.237.66/53.
#Apr 15 2017 00:22:42 192.168.12.1 : %ASA-3-710003: TCP access denied by ACL from 179.236.133.160/8949 to outside:72.142.18.38/23
@flaky(max_runs=3, min_passes=2)
def test_cisco_asa_tradditional(record_property, setup_wordlist, setup_splunk):
host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))

mt = env.from_string("{{ mark }} {% now 'utc', '%b %d %H:%M:%S' %} {{ host }} : %ASA-3-710003: TCP access denied by ACL from 179.236.133.160/3624 to outside:72.142.18.38/23\n")
message = mt.render(mark="<111>", host=host)

sendsingle(message)

st = env.from_string("search index=main host=\"{{ host }}\" sourcetype=\"cisco:asa\" | head 2")
search = st.render(host=host)

resultCount, eventCount = splunk_single(setup_splunk, search)

record_property("host", host)
record_property("resultCount", resultCount)
record_property("message", message)

assert resultCount == 1

#<166>2018-06-27T12:17:46Z asa : %ASA-3-710003: TCP access denied by ACL from 179.236.133.160/8949 to outside:72.142.18.38/23
def test_cisco_asa_rfc5424(record_property, setup_wordlist, setup_splunk):
host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))

mt = env.from_string("{{ mark }} {% now 'utc', '%Y-%m-%dT%H:%M:%SZ' %} {{ host }} : %ASA-3-710003: TCP access denied by ACL from 179.236.133.160/5424 to outside:72.142.18.38/23\n")
message = mt.render(mark="<166>", host=host)

sendsingle(message)

st = env.from_string("search index=main host=\"{{ host }}\" sourcetype=\"cisco:asa\" | head 2")
search = st.render(host=host)

resultCount, eventCount = splunk_single(setup_splunk, search)

record_property("host", host)
record_property("resultCount", resultCount)
record_property("message", message)

assert resultCount == 1

0 comments on commit 84b1f84

Please sign in to comment.