SIEM & UEBA


CiscoFTDParser - not parsing all fields

  • 1.  CiscoFTDParser - not parsing all fields

    Posted 10 days ago
    Hello there,

    I am currently on version 6.1.1 and noticed that "CiscoFTDParser" is not parsing all the fields.

    A little of everything is happening:
    1- For some events the "Computer" field is being assigned to the "user" field.
    2- Multiple fields are missing, such as Group, Source IP, User name (showing Display name; required to remove the space and add a ".")

    See below sample logs that are having the issue:

    <165>Jul 21 2021 17:14:38 firepower : %FTD-5-722011: Group <Name-AnyConnect-Group-Policy> User <Adam Blue> IP <185.90.41.202> SVC Message: 17/WARNING: Reconnecting the VPN tunnel..

    <165>Jul 21 17:14:49 firepower : %FTD-5-722028: Group <Name-AnyConnect-Group-Policy> User <Adam Blue2> IP <185.90.41.202> Stale SVC connection closed.

    ---------------------------------------------------------------------------------
    <164>Jul 21 17:14:50 firepower : %FTD-4-313005: No matching connection for ICMP error message: icmp src Name-VPN_PO1.804:10.10.16.254(LOCAL\Adam Blue3) dst Inside_Zone:10.10.10.29 (type 3, code 3) on DName-VPN_PO1.804 interface. Original IP payload: udp src 10.10.10.29/53 dst 10.10.10.254/60321.


    I am not sure if there is something wrong with the regex expression below (that is supposed to parse the event above) or something else within the parser that is not parsing most of the event types.

    Any help will be appreciated.

    Thanks

    </when>
    <when test="$_evtId = '111009'">
    <!-- <135>Apr 09 2012 18:20:19: %ASA-7-111009: User 'joeUser' executed cmd: show startup-config -->
    <collectAndSetAttrByRegex src="$_body">
    <regex><![CDATA[User '<user:gPatStrSQ>' executed cmd:\s+<command:gPatMesgBody>]]></regex>
    </collectAndSetAttrByRegex>
    </when>


  • 2.  RE: CiscoFTDParser - not parsing all fields

    Posted 9 days ago
    Tony,

    The Events you list above 722011, 722028, and 313005 would not match the sample you posted, which is event ID 111009.  For each of those event types listed, you would need to find the relevant block, for example, look for a when block that starts with this:
    <when test="$_evtId = '722011'">

    At quick glance on my 6.1.1 instance, I don't see 722011 or 722028 created in the parser, which means you would have to add <when> blocks for those IDs.  I do see one for 313005, which doesn't seem to parse out much other than source and destination interface name:

    <when test="$_evtId = '313005'">
    <!-- <132>Feb 04 2019 02:44:46 ACFASA : %ASA-4-313005: No matching connection for ICMP error message: icmp src inside:172.20.1.1 dst outside:143.215.130.61 (type 11, code 0) on inside interface. Original IP payload: tcp src 143.215.130.61/80 dst 172.16.200.159/37616. -->
    <collectFieldsByRegex src="$_body">
    <regex><![CDATA[icmp src <srcIntfName:gPatStrEndColon>:<_srcStr:gPatStr> dst <destIntfName:gPatStrEndColon>:<_destStr:gPatStr>]]></regex>
    </collectFieldsByRegex>
    </when>



  • 3.  RE: CiscoFTDParser - not parsing all fields

    Posted 9 days ago
    Thank you so much Karn.
    Got it, I need to add multiple event types as they are not included in the parser.


  • 4.  RE: CiscoFTDParser - not parsing all fields

    Posted 2 days ago
    Karn,

    All missing events were added to the parser and now we are parsing most of the events. 
    I noticed that for some event types, for example: "%FTD-4-722041" and many others the "User" field contains "User Name" or "Computer Name". See below an example.


    <164>Jul 29 2021 20:49:34 firepower : %FTD-4-722041: TunnelGroup <XXX-AnyConnect-VPN> GroupPolicy <XXX-AnyConnect-Group-Policy> User <John Last> IP <xx.xx.xx.xx> No IPv6 address available for SVC connection

    <164>Jul 29 2021 20:49:34 firepower : %FTD-4-722041: TunnelGroup <XXX-AnyConnect-VPN> GroupPolicy <XXX-AnyConnect-Group-Policy> User <John-computer.domain.com> IP <xx.xx.x.xxx> No IPv6 address available for SVC connection

    Have you found a way to parse those fields respectively? So when the log contains the user name field, assign it to "user", and when the log contains the computer name, assign it to "Computer Name".

    Another detail is that the user name contains a space between FirstName and LastName. Do you have that space too?
    Have you found a solution for the issues above? If the answer is yes, would you mind sharing that portion of the parser?

    Thanks,

    Tony


  • 5.  RE: CiscoFTDParser - not parsing all fields

    Posted yesterday
    Tony,

    This is a bit tough when the vendor's log is putting two different types of data into the same field.  What you have to determine first is whether or not there is always something in that field that could help you identify it as one or the other.  For instance, in your example, John-computer.domain.com in regex would be "\w+-\w+.\w+.\w+".  "John Last" would simply be "\w+ \w+" Since gPatWord is basically a \w+  (e.g. <pattern name="gPatWord"><![CDATA[\w+]]></pattern>), you could string these together to match the text or make your own pattern definition at the top of the parser.  I would then just have two CollectFieldsbyRegex statements to catch each condition.
    Now, you need to make sure it's always John[space]Last or John[dash]computer[dot]domain[dot]com; if there are other formats of data coming in, it obviously won't work.

    There may be a more elegant way to do this, but that is how I would think about it.
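    The two-shape approach described above, written out as an added Python example (not FortiSIEM parser XML and not code from anyone in this thread) so the regexes can be tried on sample lines. It splits the FTD header from the body, pulls the "Keyword <value>" pairs (TunnelGroup, GroupPolicy, Group, User, IP), and routes the User value to a user or computer attribute by its shape, keeping anything of an unknown shape raw rather than guessing; the sample lines are constructed from the thread's examples with placeholder addresses.

```python
import re

# Constructed sample lines modelled on the ones in the thread (names/IPs are placeholders).
SAMPLE_LOGS = [
    "<164>Jul 29 2021 20:49:34 firepower : %FTD-4-722041: TunnelGroup <XXX-AnyConnect-VPN> "
    "GroupPolicy <XXX-AnyConnect-Group-Policy> User <John Last> IP <10.0.0.5> "
    "No IPv6 address available for SVC connection",
    "<164>Jul 29 2021 20:49:34 firepower : %FTD-4-722041: TunnelGroup <XXX-AnyConnect-VPN> "
    "GroupPolicy <XXX-AnyConnect-Group-Policy> User <John-computer.domain.com> IP <10.0.0.6> "
    "No IPv6 address available for SVC connection",
    "<165>Jul 21 2021 17:14:38 firepower : %FTD-5-722011: Group <Name-AnyConnect-Group-Policy> "
    "User <Adam Blue> IP <10.0.0.7> SVC Message: 17/WARNING: Reconnecting the VPN tunnel..",
]

# %FTD-<severity>-<event id>: <body>
HEADER_RE = re.compile(r"%FTD-(?P<sev>\d)-(?P<evt_id>\d+):\s*(?P<body>.*)$")
# Each "Keyword <value>" pair in the body; values may contain spaces, dashes or dots.
# Longer keywords come first so "Group" does not swallow "TunnelGroup"/"GroupPolicy".
FIELD_RE = re.compile(r"(?P<key>TunnelGroup|GroupPolicy|Group|User|IP)\s+<(?P<val>[^>]*)>")

# The two shapes from the reply above: "First Last" vs "host-name.domain.tld"
DISPLAY_NAME_RE = re.compile(r"^\w+ \w+$")
HOSTNAME_RE = re.compile(r"^\w+-\w+(?:\.\w+)+$")


def classify_user_field(value):
    """Map the raw FTD 'User <...>' value onto the attribute it belongs in."""
    if DISPLAY_NAME_RE.match(value):
        # Display name: collapse to the "First.Last" form the first post asked for.
        return {"user": value.replace(" ", ".")}
    if HOSTNAME_RE.match(value):
        return {"computer": value}
    # Unknown shape: keep it raw so nothing is silently mis-assigned.
    return {"userRaw": value}


def parse_ftd_event(line):
    """Return a dict of parsed attributes, or None if the line is not an FTD event."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    event = {"eventId": m.group("evt_id"), "severity": int(m.group("sev"))}
    for f in FIELD_RE.finditer(m.group("body")):
        if f.group("key") == "User":
            event.update(classify_user_field(f.group("val")))
        else:
            event[f.group("key")] = f.group("val")
    return event


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(parse_ftd_event(line))
```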