Skip to content

Commit

Permalink
Add Cisco ASA "nohost" test
Browse files Browse the repository at this point in the history
* Add Cisco ASA test for events with no hostname set
  • Loading branch information
Mark Bonsack committed Jan 31, 2020
1 parent f32c9a1 commit d5f68b1
Showing 1 changed file with 21 additions and 0 deletions.
21 changes: 21 additions & 0 deletions tests/test_cisco_asa.py
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,27 @@ def test_cisco_asa_traditional(record_property, setup_wordlist, setup_splunk):

assert resultCount == 1

# <164>Jan 31 2020 17:24:03: %ASA-4-402119: IPSEC: Received an ESP packet (SPI= 0x0C190BF9, sequence number= 0x598243) from 192.0.0.1 (user= 192.0.0.1) to 192.0.0.2 that failed anti-replay checking.
def test_cisco_asa_traditional_nohost(record_property, setup_wordlist, setup_splunk):
host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))

mt = env.from_string(
"{{ mark }} {% now 'utc', '%b %d %H:%M:%S' %}: %ASA-4-402119: IPSEC: Received an ESP packet (SPI= 0x0C190BF9, sequence number= 0x598243) from 192.0.0.1 (user= 192.0.0.1) to 192.0.0.2 that failed anti-replay checking.\n")
message = mt.render(mark="<111>", host=host)

sendsingle(message)

st = env.from_string("search index=netfw sourcetype=\"cisco:asa\" \"%ASA-4-402119\" | head 1")
search = st.render(host=host)

resultCount, eventCount = splunk_single(setup_splunk, search)

record_property("host", host)
record_property("resultCount", resultCount)
record_property("message", message)

assert resultCount == 1


# <166>2018-06-27T12:17:46Z asa : %ASA-3-710003: TCP access denied by ACL from 179.236.133.160/8949 to outside:72.142.18.38/23
def test_cisco_asa_rfc5424(record_property, setup_wordlist, setup_splunk):
Expand Down

0 comments on commit d5f68b1

Please sign in to comment.