[filteradd] Cisco FWSM and PIX legacy products (#653)

CSVD · Aug 21, 2020 · e772e06 · e772e06
1 parent 3543499
commit e772e06
Show file tree

Hide file tree

Showing 8 changed files with 210 additions and 1 deletion.
diff --git a/docs/sources/Cisco/index.md b/docs/sources/Cisco/index.md
@@ -106,9 +106,11 @@ Verify timestamp, and host values match as expected
 
 ## Product - ASA AND FTD (Firepower)
 
+Including Legacy FWSM and PIX
+
 | Ref            | Link                                                                                                    |
 |----------------|---------------------------------------------------------------------------------------------------------|
-| Splunk Add-on for ASA | https://splunkbase.splunk.com/app/1620/                                                          |
+| Splunk Add-on for ASA (No long supports FWSM and PIX) | https://splunkbase.splunk.com/app/1620/                                                          |
 | Cisco eStreamer for Splunk | https://splunkbase.splunk.com/app/1629/                                                     |
 | Product Manual | https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/monitor_syslog.html |
 
@@ -118,13 +120,17 @@ Verify timestamp, and host values match as expected
 | sourcetype     | notes                                                                                                   |
 |----------------|---------------------------------------------------------------------------------------------------------|
 | cisco:asa      | cisco FTD Firepower will also use this source type except those noted below                                                      |
+| cisco:fwsm      | Splunk has   |
+| cisco:pix      | cisco PIX will also use this source type except those noted below                                                      |
 | cisco:firepower:syslog | FTD Unified events see https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide.pdf |
 
 ### Sourcetype and Index Configuration
 
 | key            | sourcetype     | index          | notes          |
 |----------------|----------------|----------------|----------------|
 | cisco_asa      | cisco:asa      | netfw          | none           |
+| cisco_fwsm      | cisco:fwsm      | netfw          | none           |
+| cisco_pix      | cisco:pix      | netfw          | none           |
 | cisco_ftd      | cisco:firepower:syslog      | netfw          | none           |
 
 

diff --git a/package/etc/conf.d/filters/cisco/fwsm.conf b/package/etc/conf.d/filters/cisco/fwsm.conf
@@ -0,0 +1,5 @@
+
+filter f_cisco_fwsm {
+    message('^%FWSM-\d+-\d{1,10}: ') or
+    match('^%FWSM-\d+-\d{1,10}:', value("LEGACY_MSGHDR"));
+};
diff --git a/package/etc/conf.d/filters/cisco/pix.conf b/package/etc/conf.d/filters/cisco/pix.conf
@@ -0,0 +1,4 @@
+filter f_cisco_pix {
+    message('^%PIX-\d+-\d{1,10}: ') or
+    match('^%PIX-\d+-\d{1,10}:', value("LEGACY_MSGHDR"));
+};
diff --git a/package/etc/conf.d/log_paths/lp-cisco_fwsm.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_fwsm.conf.tmpl
@@ -0,0 +1,49 @@
+# Cisco FWSM
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "CISCO_FWSM" "parser" "common" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
+
+log {
+    junction {
+{{- if or (or (getenv  (print "SC4S_LISTEN_CISCO_FWSM_TCP_PORT")) (getenv  (print "SC4S_LISTEN_CISCO_FWSM_UDP_PORT"))) (getenv  (print "SC4S_LISTEN_CISCO_FWSM_TLS_PORT")) }}
+        channel {
+        # Listen on the specified dedicated port(s) for CISCO_FWSM traffic
+            source (s_CISCO_FWSM);
+            flags (final);
+	    };
+{{- end}}
+        channel {
+        # Listen on the default port (typically 514) for CISCO_FWSM traffic
+            source (s_DEFAULT);
+            filter(f_cisco_fwsm);
+            flags(final);
+        };
+    };
+
+    rewrite {
+        set("cisco_fwsm", value("fields.sc4s_vendor_product"));
+        r_set_splunk_dest_default(sourcetype("cisco:fwsm"))
+    };
+    parser {p_add_context_splunk(key("cisco_fwsm")); };
+    parser (compliance_meta_by_source);
+
+    rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); };
+
+{{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_CISCO_FWSM_HEC" "no")) }}
+    destination(d_hec);
+{{- end}}
+
+{{- if or (conv.ToBool (getenv "SC4S_ARCHIVE_GLOBAL" "no")) (conv.ToBool (getenv "SC4S_ARCHIVE_CISCO_FWSM" "no")) }}
+    destination(d_archive);
+{{- end}}
+
+{{- if (print (getenv "SC4S_DEST_GLOBAL_ALTERNATES")) }}
+    {{ getenv "SC4S_DEST_GLOBAL_ALTERNATES" | regexp.ReplaceLiteral "^" "destination(" | regexp.ReplaceLiteral "[, ]+" ");\n    destination(" }});
+{{- end }}
+
+{{- if (print (getenv "SC4S_DEST_CISCO_FWSM_ALTERNATES")) }}
+    {{ getenv "SC4S_DEST_CISCO_FWSM_ALTERNATES" | regexp.ReplaceLiteral "^" "destination(" | regexp.ReplaceLiteral "[, ]+" ");\n    destination(" }});
+{{- end }}
+
+    flags(flow-control,final);
+};
diff --git a/package/etc/conf.d/log_paths/lp-cisco_pix.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_pix.conf.tmpl
@@ -0,0 +1,49 @@
+# Cisco PIX
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "CISCO_PIX" "parser" "common" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
+
+log {
+    junction {
+{{- if or (or (getenv  (print "SC4S_LISTEN_CISCO_PIX_TCP_PORT")) (getenv  (print "SC4S_LISTEN_CISCO_PIX_UDP_PORT"))) (getenv  (print "SC4S_LISTEN_CISCO_PIX_TLS_PORT")) }}
+        channel {
+        # Listen on the specified dedicated port(s) for CISCO_PIX traffic
+            source (s_CISCO_PIX);
+            flags (final);
+	    };
+{{- end}}
+        channel {
+        # Listen on the default port (typically 514) for CISCO_PIX traffic
+            source (s_DEFAULT);
+            filter(f_cisco_pix);
+            flags(final);
+        };
+    };
+
+    rewrite {
+        set("cisco_pix", value("fields.sc4s_vendor_product"));
+        r_set_splunk_dest_default(sourcetype("cisco:pix"))
+    };
+    parser {p_add_context_splunk(key("cisco_pix")); };
+    parser (compliance_meta_by_source);
+
+    rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); };
+
+{{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_CISCO_PIX_HEC" "no")) }}
+    destination(d_hec);
+{{- end}}
+
+{{- if or (conv.ToBool (getenv "SC4S_ARCHIVE_GLOBAL" "no")) (conv.ToBool (getenv "SC4S_ARCHIVE_CISCO_PIX" "no")) }}
+    destination(d_archive);
+{{- end}}
+
+{{- if (print (getenv "SC4S_DEST_GLOBAL_ALTERNATES")) }}
+    {{ getenv "SC4S_DEST_GLOBAL_ALTERNATES" | regexp.ReplaceLiteral "^" "destination(" | regexp.ReplaceLiteral "[, ]+" ");\n    destination(" }});
+{{- end }}
+
+{{- if (print (getenv "SC4S_DEST_CISCO_PIX_ALTERNATES")) }}
+    {{ getenv "SC4S_DEST_CISCO_PIX_ALTERNATES" | regexp.ReplaceLiteral "^" "destination(" | regexp.ReplaceLiteral "[, ]+" ");\n    destination(" }});
+{{- end }}
+
+    flags(flow-control,final);
+};
diff --git a/package/etc/context_templates/splunk_metadata.csv.example b/package/etc/context_templates/splunk_metadata.csv.example
@@ -24,10 +24,12 @@ Cisco_C100V Email Security Virtual Appliance_ESA_CONSOLIDATED_LOG_EVENT,source,e
 Cisco_C100V Email Security Virtual Appliance_ESA_CONSOLIDATED_LOG_EVENT,sourcetype,cisco:esa:cef
 cisco_esa,index,email
 cisco_ftd,index,netfw
+cisco_fwsm,index,netfw
 cisco_ios,index,netops
 cisco_ise,index,netauth
 cisco_meraki,index,netfw
 cisco_nx_os,index,netops
+cisco_pix,index,netfw
 cisco_ucm,index,main
 cisco_wsa,index,netproxy
 citrix_netscaler,index,netfw

diff --git a/tests/test_cisco_fwsm.py b/tests/test_cisco_fwsm.py
@@ -0,0 +1,47 @@
+# Copyright 2019 Splunk, Inc.
+#
+# Use of this source code is governed by a BSD-2-clause-style
+# license that can be found in the LICENSE-BSD2 file or at
+# https://opensource.org/licenses/BSD-2-Clause
+import random
+
+from jinja2 import Environment
+
+from .sendmessage import *
+from .splunkutils import *
+from .timeutils import *
+
+env = Environment()
+
+
+# Apr 15 2017 00:22:42 192.168.12.1 : %FWSM-6-106100: access-list outside-access-in ##permission## ##transport## outside/XXX.XXX.XXX.XXX(##port_1##) -> inside/XXX.XXX.XXX.XXX(9997) hit-cnt 1 (first hit) [0xe0ba389d, 0x0]
+def test_cisco_fwsm_traditional(
+    record_property, setup_wordlist, setup_splunk, setup_sc4s
+):
+    host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
+    mt = env.from_string(
+        "{{ mark }} {{ bsd }} {{ host }} : %FWSM-6-106100: access-list outside-access-in ##permission## ##transport## outside/XXX.XXX.XXX.XXX(##port_1##) -> inside/XXX.XXX.XXX.XXX(9997) hit-cnt 1 (first hit) [0xe0ba389d, 0x0]\n"
+    )
+    message = mt.render(mark="<111>", bsd=bsd, host=host)
+
+    sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+    st = env.from_string(
+        'search _time={{ epoch }} index=netfw host="{{ host }}" sourcetype="cisco:fwsm"'
+    )
+    search = st.render(epoch=epoch, host=host)
+
+    resultCount, eventCount = splunk_single(setup_splunk, search)
+
+    record_property("host", host)
+    record_property("resultCount", resultCount)
+    record_property("message", message)
+
+    assert resultCount == 1
diff --git a/tests/test_cisco_pix.py b/tests/test_cisco_pix.py
@@ -0,0 +1,47 @@
+# Copyright 2019 Splunk, Inc.
+#
+# Use of this source code is governed by a BSD-2-clause-style
+# license that can be found in the LICENSE-BSD2 file or at
+# https://opensource.org/licenses/BSD-2-Clause
+import random
+
+from jinja2 import Environment
+
+from .sendmessage import *
+from .splunkutils import *
+from .timeutils import *
+
+env = Environment()
+
+
+# Apr 15 2017 00:22:42 192.168.12.1 : %FWSM-6-106100: access-list outside-access-in ##permission## ##transport## outside/XXX.XXX.XXX.XXX(##port_1##) -> inside/XXX.XXX.XXX.XXX(9997) hit-cnt 1 (first hit) [0xe0ba389d, 0x0]
+def test_cisco_pix_traditional(
+    record_property, setup_wordlist, setup_splunk, setup_sc4s
+):
+    host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
+    mt = env.from_string(
+        "{{ mark }} {{ bsd }} {{ host }} : %PIX-3-302022: Built inbound ICMP connection for faddr XXX.XXX.XXX.XXX/1 gaddr XXX.XXX.XXX.XXX/1 laddr XXX.XXX.XXX.XXX/0\n"
+    )
+    message = mt.render(mark="<111>", bsd=bsd, host=host)
+
+    sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+    st = env.from_string(
+        'search _time={{ epoch }} index=netfw host="{{ host }}" sourcetype="cisco:pix"'
+    )
+    search = st.render(epoch=epoch, host=host)
+
+    resultCount, eventCount = splunk_single(setup_splunk, search)
+
+    record_property("host", host)
+    record_property("resultCount", resultCount)
+    record_property("message", message)
+
+    assert resultCount == 1