SIEM & UEBA

Expand all | Collapse all

CiscoFTDParser - not parsing all fields

  • 1.  CiscoFTDParser - not parsing all fields

    Posted Jul 21, 2021 10:37 AM
    Hello there,

    I am currently on version 6.1.1 and noticed that "CiscoFTDParser" is not parsing all the fields.

    A little of everything is happening:
    1- For some evens the "Computer" fields is been assign to "user" field.
    2- Multiples fields as missing such as Group, Source IP, User name (showing Display name, required to removed the space and add a ".")

    See below sample logs that are having the issue:

    <165>Jul 21 2021 17:14:38 firepower : %FTD-5-722011: Group <Name-AnyConnect-Group-Policy> User <Adam Blue> IP <185.90.41.202> SVC Message: 17/WARNING: Reconnecting the VPN tunnel..

    <165>Jul 21 17:14:49 firepower : %FTD-5-722028: Group <Name-AnyConnect-Group-Policy> User <Adam Blue2> IP <185.90.41.202> Stale SVC connection closed.

    ---------------------------------------------------------------------------------
    <164>Jul 21 17:14:50 firepower : %FTD-4-313005: No matching connection for ICMP error message: icmp src Name-VPN_PO1.804:10.10.16.254(LOCAL\Adam Blue3) dst Inside_Zone:10.10.10.29 (type 3, code 3) on DName-VPN_PO1.804 interface. Original IP payload: udp src 10.10.10.29/53 dst 10.10.10.254/60321.


    I am not sure is there is something wrong with he regex expression below (that is suppose to parse the event above) or something else within the parser that is not parsing most of the events types.

    Any help will be appreciate it

    Thanks

    </when>
    <when test="$_evtId = '111009'">
    <!-- <135>Apr 09 2012 18:20:19: %ASA-7-111009: User 'joeUser' executed cmd: show startup-config -->
    <collectAndSetAttrByRegex src="$_body">
    <regex><![CDATA[User '<user:gPatStrSQ>' executed cmd:\s+<command:gPatMesgBody>]]></regex>
    </collectAndSetAttrByRegex>
    </when>


  • 2.  RE: CiscoFTDParser - not parsing all fields

    Posted Jul 22, 2021 09:29 AM
    Tony,

    The Events you list above 722011, 722028, and 313005 would not match the sample you posted, which is event ID 111009.  For each of those event types listed, you would need to find the relevant block, for example, look for a when block that starts with this:
    <when test="$_evtId = '722011'">

    At quick glance on my 6.1.1 instance, I don't see 722011 or 722028 created in the parser, which means you would have to add <when> blocks for those IDs.  I do see one for 313005, which doesn't seem to parse out much other than source and destination interface name:

    <when test="$_evtId = '313005'">
    <!-- <132>Feb 04 2019 02:44:46 ACFASA : %ASA-4-313005: No matching connection for ICMP error message: icmp src inside:172.20.1.1 dst outside:143.215.130.61 (type 11, code 0) on inside interface. Original IP payload: tcp src 143.215.130.61/80 dst 172.16.200.159/37616. -->
    <collectFieldsByRegex src="$_body">
    <regex><![CDATA[icmp src <srcIntfName:gPatStrEndColon>:<_srcStr:gPatStr> dst <destIntfName:gPatStrEndColon>:<_destStr:gPatStr>]]></regex>
    </collectFieldsByRegex>
    </when>



  • 3.  RE: CiscoFTDParser - not parsing all fields

    Posted Jul 22, 2021 09:54 AM
    Thank you so much Karn.
    Got it, I need to add multiples events types as they are not included on the parser.


  • 4.  RE: CiscoFTDParser - not parsing all fields

    Posted Jul 29, 2021 02:36 PM
    Karn,

    All missing events were added to the parser and now we are parsing most of the events. 
    I noticed that for some event types, for example: "%FTD-4-722041" and many others the "User" field contains "User Name" or "Computer Name". See below an example.


    <164>Jul 29 2021 20:49:34 firepower : %FTD-4-722041: TunnelGroup <XXX-AnyConnect-VPN> GroupPolicy <XXX-AnyConnect-Group-Policy> User <John Last> IP <xx.xx.xx.xx> No IPv6 address available for SVC connection

    <164>Jul 29 2021 20:49:34 firepower : %FTD-4-722041: TunnelGroup <XXX-AnyConnect-VPN> GroupPolicy <XXX-AnyConnect-Group-Policy> User <John-computer.domain.com> IP <xx.xx.x.xxx> No IPv6 address available for SVC connection

    Have you found a way to parse those fields respectively?  So when the logs contains the user name field assign the field to: "user" and when the logs contains the Computer name assign the field to "Computer Name".

    Another detail is that the user name contains an space between FirstName and LastName. Do you have that space too?
    Have you found a solution for the issues above? If the answer is yes, would you mind sharing that portion of the parser?

    Thanks,

    Tony


  • 5.  RE: CiscoFTDParser - not parsing all fields

    Posted Jul 30, 2021 10:37 AM
    Tony,

    This is a bit tough when the vendor's log is putting two different types of data into the same field.  What you have to determine first is whether or not there is always something in that field that could help you identify it as one or the other.  For instance, in your example, John-computer.domain.com in regex would be "\w+-\w+.\w+.\w+".  "John Last" would simply be "\w+ \w+" Since gPatWord is basically a \w+  (e.g. <pattern name="gPatWord"><![CDATA[\w+]]></pattern>), you could string these together to match the text or make your own pattern definition at the top of the parser.  I would then just have two CollectFieldsbyRegex statements to catch each condition.
    Now, you need to make sure it's always John[space]Last or John[dash]computer[dot]domain[dot]com, if there are other formats of data coming in, it obviously won't work.

    There may be a more elegant way to do this, but that is how I would think about it.


  • 6.  RE: CiscoFTDParser - not parsing all fields

    Posted Sep 14, 2021 05:46 PM
    Thanks Karn, It worked for me. See below a portion of the parser code for anyone who may be on the situation. 

    <!-- These patterns help to capture either the Computer Name (computer) or user name (user). They need to be declared at the beginning of the parser -->
    <pattern name="patStrcomputer"><![CDATA[\w+\-\w+]]></pattern>
    <pattern name="patStruser"><![CDATA[\w+ \w+]]></pattern>


    <when test="$_evtId = '722051'">
    <!-- Two sample events for the same event type, one shows logs containing user name with space between "First" and "Last". The second one shows computer name and domain -->
    <!-- <164>May 08 2013 12:38:06: %ASA-4-722051: Group <SBL> User <potts amber> IP <10.1.1.1> Address <10.200.20.201> assigned to session -->
    <!-- <164>May 08 2013 12:38:06: %ASA-4-722051: Group <SBL> User <potts-amber.contoso.com> IP <10.1.1.1> Address <10.200.20.201> assigned to session -->

    <switch>
    <case>
    <collectAndSetAttrByRegex src="$_body">
    <regex><![CDATA[Group \<<userGrp:gPatStr>\> User \<<user:patStruser>\> IP \<<srcIpAddr:gPatIpAddr>\> IPv4 Address \<<localVpnIpAddr:gPatIpAddr>\>]]></regex>
    </collectAndSetAttrByRegex>
    <!-- Making sure the user name space between "First Last" is replaced by a dot "First.Last" -->
    <setEventAttribute attr="user">replaceStringByRegex($user, "\s", ".")</setEventAttribute>
    </case>
    <case>
    <collectAndSetAttrByRegex src="$_body">
    <!-- Here we will be capturing "computer" and "domain" in case there are multiples domains in your organization -->
    <regex><![CDATA[Group \<<userGrp:gPatStr>\> User \<<computer:patStrcomputer>.<domain:gPatStr>\> IP \<<srcIpAddr:gPatIpAddr>\> IPv4 Address \<<localVpnIpAddr:gPatIpAddr>\>]]></regex>
    </collectAndSetAttrByRegex>
    </case>
    </switch>
    </when>

    <!-- The same concept needs to be replicated to each event type  that provides "user" and "computer" on the same event. Example: 722051, 722041, ... --->