Cisco ASA Pack

This is a pack that allows for processing of Cisco ASA logs. The pack identifies the ASA code, matches it against a predefined list to determine whether the event should be dropped or whether data can be extracted from it.

Edge Delta Pipeline Pack for Cisco ASA

Overview

The Edge Delta Cisco ASA pack is designed to process Cisco ASA logs. Processing includes identifying the code, matching such code to a predefined list to determine if the event should be dropped, or if data can be extracted from it. Once the event has been processed by the pack it will have crucial metadata which helps further manipulation.

Pack Description

1. Data Ingestion

The data flow starts with the Input node as the entry point into the pack where all logs begin their processing journey.

2. Add ASA Code

Logs are processed by the Add_Code node, which is an OTTL Transform node. This node extracts the ASA code from the log body using a regex pattern.

- name: Add_Code
  type: ottl_transform
  statements: set(attributes["asa_code"], ExtractPatterns(Decode(body, "utf-8"), "ASA-\S*-(?P<asa_code>\d+)")["asa_code"])

This node decodes the log body as UTF-8 and extracts the ASA code using a regex pattern. The extracted code is stored in the asa_code attribute. If no code is found, the log is sent to the NonApplicable output.

3. Add_Drop_Message

The code (attributes.asa_code) is used as the key into the Lookup table (asa_drop.csv), which adds a comment to the log in attributes.drop_message. The presence of the comment marks this log to be dropped; the comment itself states why it will be dropped.

In case of a failure while processing, the log is sent to the Dropped output.

4. Filter Messages

The logs are then routed using the Filter_Messages node, a Route Node. It directs log entries to different paths based on the presence of a drop message.

- name: Filter_Messages
  type: route
  paths:
    - path: keep
      condition: '!has(item.attributes.drop_message)'
      exit_if_matched: true

Logs without a drop message are routed on the keep path for further processing. Logs that carry attributes.drop_message are sent to the Dropped output.

5. Add Regex

Logs on the keep path flow to the Add_Regex node, another Lookup Node.

- name: Add_Regex
  type: lookup
  location_path: ed://asa_parse.csv
  reload_period: 5m0s
  match_mode: exact
  regex_option: first
  key_fields:
    - event_field: item.attributes.asa_code
      lookup_field: asa_code
  out_fields:
    - event_field: item.attributes.asa_regex
      lookup_field: regex

This node uses a lookup table to find a regex pattern associated with the ASA code and adds it to the log attributes. Logs are then sent to the Extract Fields node. In case of a failure while processing, the log is sent to the Failed output.

6. Extract Fields

Logs flow to the Extract_Fields node, an OTTL Transform node. This node extracts additional fields from the log body using the regex pattern added previously.

- name: Extract_Fields
  type: ottl_transform
  statements: |-
    set(attributes["vendor"], "Cisco")
    set(attributes["product"], "ASA")
    set(attributes["vendor_product"], "Cisco ASA")
    merge_maps(attributes, EDXExtractPatterns(Decode(body, "utf-8"), attributes["asa_regex"]), "upsert")

This node decodes the log body and uses the regex pattern to extract fields, which are then merged into the log attributes. This enriches the logs with detailed information, aiding in comprehensive monitoring and troubleshooting.

On successful processing the log is sent to the Extracted output. In case of a failure while processing, the log is sent to the Failed output.

7. Extracted Logs

The processed logs are routed to the Extracted output node for further processing or storage.

8. Failed Logs

Logs that fail processing at Add_Regex or Extract_Fields are routed to the Failed output node. Failures include, but are not limited to, an incorrect regex provided in asa_parse.csv for the ASA code.

9. Dropped Logs

Logs that are identified as unnecessary or irrelevant by Add_Drop_Message or Filter_Messages are routed to the Dropped output node.

10. Non-Applicable Logs

This output receives events for which Add_Code could not find an ASA code.
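The following Python script is an added example, not part of the pack, that walks one raw log through steps 2 to 10 above in the same order the nodes run (Add_Code regex, drop lookup, route, regex lookup, field extraction) and returns which output it lands on. The rows in ASA_DROP and ASA_PARSE are constructed stand-ins for asa_drop.csv and asa_parse.csv, whose real contents the page does not show; treating a code with no row in asa_parse.csv as a lookup failure is likewise an assumption.

```python
from __future__ import annotations
import re

# Regex taken from the pack's Add_Code node: the code follows "%ASA-<severity>-".
ASA_CODE_RE = re.compile(r"ASA-\S*-(?P<asa_code>\d+)")

# Constructed stand-ins for asa_drop.csv and asa_parse.csv (assumed rows, not
# the pack's real tables).
ASA_DROP = {
    "106100": "ACL hit-count accounting message, dropped as noise",
}
ASA_PARSE = {
    "106017": r"Land Attack from (?P<src_ip>[\d.]+) to (?P<dst_ip>[\d.]+)",
    "313009": (r"Denied invalid ICMP code (?P<icmp_code>\d+), for "
               r"(?P<src_interface>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
               r"(?P<dst_interface>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"),
    # Deliberately malformed (unclosed group) to exercise the Failed path of step 8.
    "313008": r"Denied ICMPv6 type=(?P<icmp_type>\d+, code=(?P<icmp_code>\d+)",
}
STATIC_FIELDS = {"vendor": "Cisco", "product": "ASA", "vendor_product": "Cisco ASA"}


def process(body: bytes) -> tuple[str, dict]:
    """Run one raw log through the pack's stages; return (output_name, attributes)."""
    attributes: dict = {}
    text = body.decode("utf-8")                        # Decode(body, "utf-8")
    m = ASA_CODE_RE.search(text)                       # step 2: Add_Code
    if m is None:
        return "NonApplicable", attributes
    attributes["asa_code"] = m.group("asa_code")
    if attributes["asa_code"] in ASA_DROP:             # step 3: Add_Drop_Message
        attributes["drop_message"] = ASA_DROP[attributes["asa_code"]]
    if "drop_message" in attributes:                   # step 4: Filter_Messages
        return "Dropped", attributes
    regex = ASA_PARSE.get(attributes["asa_code"])      # step 5: Add_Regex
    if regex is None:                                  # no row: lookup failure (assumption)
        return "Failed", attributes
    attributes["asa_regex"] = regex
    attributes.update(STATIC_FIELDS)                   # step 6: set(attributes["vendor"], ...)
    try:
        fields = re.compile(regex)                     # bad regex in asa_parse.csv -> Failed
    except re.error:
        return "Failed", attributes
    found = fields.search(text)
    if found is not None:                              # merge_maps(..., "upsert")
        attributes.update(found.groupdict())
    return "Extracted", attributes
```

Feeding the lines from Sample Input below into process() shows 106100 events landing on Dropped, 106017 and 313009 events on Extracted with their addresses as attributes, and 313008 events on Failed because of the malformed regex row.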

Sample Input

2024-10-24 16:03:02: %ASA-2-106017: Deny IP due to Land Attack from 128.246.10.209 to 128.246.10.209
2024-10-24 16:03:03: %ASA-3-313008: Denied ICMPv6 type=0, code=0 from ffb7:413e:4faa:8ded:337e:8fed:70a2:b6ae on interface GnFH
2024-10-24 16:03:04: %ASA-6-106100: access-list deny_external_access permitted icmp gbNP/111.160.52.52(65250) snqH/97.64.200.149(59556) hit-cnt 1 first hit [0x660ea8b2, 0x1dd23d07]
2024-10-24 16:03:07: %ASA-6-106100: access-list allow_vpn_users permitted tcp jlDW/181.100.204.211(60852) MjDX/213.74.117.18(53890) hit-cnt 1 first hit [0x10c8e6f2, 0x358c723a]
2024-10-24 16:03:09: %ASA-4-313009: Denied invalid ICMP code 4, for aqDLIK:35.129.134.190/50198 to ZDZVzd:3.87.191.51/59381, ICMP id 55, ICMP type 2
2024-10-24 16:03:13: %ASA-4-106023: Deny icmp src TOEU:252.15.60.235/53201 dst BdXV:52.156.210.178/50625 (type 6, code 4) by access_group allow_vpn_users [0x24b9c840, 0x6e66886e]
2024-10-24 16:03:13: %ASA-4-106023: Deny icmp src TOEU:252.15.60.235/53201 dst BdXV:52.156.210.178/50625 (type 6, code 4) by access_group allow_vpn_users [0x24b9c840, 0x6e66886e]
2024-10-24 16:03:19: %ASA-2-106017: Deny IP due to Land Attack from 129.67.180.128 to 129.67.180.128
2024-10-24 16:03:33: %ASA-4-313009: Denied invalid ICMP code 9, for lkEdSW:7.60.166.130/59638 to YnQGZs:228.136.80.1/54546, ICMP id 217, ICMP type 3
2024-10-24 16:03:33: %ASA-4-313009: Denied invalid ICMP code 8, for gRkYGN:97.75.233.254/51008 to epjUrd:88.254.224.135/52579, ICMP id 299, ICMP type 8