  1. input {
  2. udp {
  3. port => 9020
  4. type => cisco
  5. }
  6.  
  7. # stdin {
  8. # type => syslog
  9. # }
  10. }
  11.  
  12. filter {
  13. if [type] == "cisco" {
  14.  
  15. grok
  16. {
  17. match => { "message" => "%{CISCO_HEADER} (%{CISCO_IOS_EVENTID:Alert.Classification.Text}: )?%{GREEDYDATA:Alert.Analyzer.rawmessage}" }
  18. }
  19.  
  20.  
  21. grok {
  22. tag_on_failure => []
  23. #<165>%ASA-5-111001: Begin configuration: 192.168.1.21 writing to memory
  24. match => { "Alert.Analyzer.rawmessage" => "Begin configuration: %{IP:Alert.Source.Node.Address} writing to %{DATA:Alert.Target.Device}" }
  25.  
  26. #%ASA-5-111002: Begin configuration: 8.8.8.8 reading from device
  27. match => { "Alert.Analyzer.rawmessage" => "Begin configuration: %{IP:Alert.Source.Node.Address} reading from %{DATA:Alert.Target.Device}" }
  28.  
  29. #%ASA-5-111003: 8.8.8.8 Erase configuration
  30. match => { "Alert.Analyzer.rawmessage" => "%{IP:Alert.Source.Node.Address} Erase configuration" }
  31.  
  32. #%ASA-5-111004: 8.8.8.8 end configuration: {FAILED|OK}
  33. match => { "Alert.Analyzer.rawmessage" => "%{IP:Alert.Source.Node.Address} end configuration: %{DATA:Alert.Target.Status}" }
  34.  
  35. #%ASA-5-111005: IP_address end configuration: OK
  36. match => { "Alert.Analyzer.rawmessage" => "%{IP:Alert.Source.Node.Address} end configuration: OK" }
  37.  
  38. #%ASA-5-111007: Begin configuration: IP_address reading from device.
  39. match => { "Alert.Analyzer.rawmessage" => "Begin configuration: %{IP:Alert.Source.Node.Address} reading from %{DATA:Alert.Target.Device}" }
  40.  
  41. #<165>%ASA-5-111008: User 'enable_15' executed the 'write memory' command.
  42. match => { "Alert.Analyzer.rawmessage" => "User '%{DATA:Alert.Source.User.Name}' executed the '%{DATA:Alert.Source.Command}' command." }
  43.  
  44. #%ASA-7-111009:User user executed cmd: string
  45. match => { "Alert.Analyzer.rawmessage" => "User '%{DATA:Alert.Source.User.Name}' executed cmd: %{GREEDYDATA:Alert.Source.Command}" }
  46.  
  47. #%ASA-6-113008: AAA transaction status ACCEPT: user = user
  48. match => { "Alert.Analyzer.rawmessage" => "AAA transaction status %{DATA:Alert.Assessment.Action}: user = %{DATA:Alert.Source.User.Name}" }
  49.  
  50. #<166>%ASA-6-113012: AAA user authentication Successful : local database : user = admin
  51. match => { "Alert.Analyzer.rawmessage" => "AAA user authentication Successful : local database : user = %{DATA:Alert.Source.User.Name}" }
  52.  
  53. #<166>%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = ***** : user IP = 192.168.1.21
  54. match => { "Alert.Analyzer.rawmessage" => "AAA user authentication Rejected : reason = Invalid password : local database : user = %{DATA:Alert.Source.User.Name} : user IP = %{IP:Alert.Source.Node.Address}" }
  55.  
  56. #%ASA-4-106023: Deny udp src outside:13.2.22.4/46455 dst External:12.18.3.8/68000 by access-group "outside_access_in" [0x0, 0x0]
  57. match => { "Alert.Analyzer.rawmessage" => "%{WORD:Alert.Assessment.Action} %{WORD:Alert.Analyzer.Protocol} src %{DATA}:%{IP:Alert.Source.Node.Address}/%{DATA:Alert.Source.Node.Port} dst %{DATA}:%{IP:Alert.Target.Node.Address}/%{DATA:Alert.Target.Node.Port} by access-group %{GREEDYDATA:Alert.Source.Process.Name}"}
  58.  
  59. #%ASA-4-106023:Deny icmp src outside:1.5.1.8 dst External-DMZ:2.8.3.5 (type 3, code 3) by access-group "outside_access_in" [0x0, 0x0]
  60. match => { "Alert.Analyzer.rawmessage" => "%{WORD:Alert.Assessment.Action} %{WORD:Alert.Analyzer.Protocol} src %{DATA}:%{IP:Alert.Source.Node.Address} dst %{DATA}:%{IP:Alert.Target.Node.Address} \(type %{INT}, code %{INT}\) by access-group %{GREEDYDATA:Alert.Source.Process.Name}" }
  61.  
  62. #%ASA-7-710005: TCP request discarded from 8.8.20.13/49 to outside:7.1.1.1/60
  63. match => { "Alert.Analyzer.rawmessage" => "%{WORD:Alert.Analyzer.Protocol} (?:request|access) %{WORD:Alert.Assessment.Action} from %{IP:Alert.Source.Node.Address}/%{DATA:Alert.Source.Node.Port} to %{DATA}:%{IP:Alert.Target.Node.Address}/%{WORD:Alert.Target.Node.Port}" }
  64.  
  65. # ASA-6-302013, ASA-6-302014, ASA-6-302015, ASA-6-302016
  66. match => { "Alert.Analyzer.rawmessage" => "%{CISCO_ACTION:Alert.Assessment.Action}(?: %{CISCO_DIRECTION})? %{WORD:Alert.Analyzer.Protocol} connection %{INT} for %{DATA}:%{IP:Alert.Source.Node.Address}/%{INT:Alert.Source.Node.Port}( \(%{IP}/%{INT}\))?(\(%{DATA:src_fwuser}\))? to %{DATA:}:%{IP:Alert.Target.Node.Address}/%{INT:Alert.Target.Node.Port}( \(%{IP}/%{INT}\))?(\(%{DATA:dst_fwuser}\))?( duration %{TIME:duration} bytes %{INT:bytes})?(?: %{CISCO_REASON:Alert.Analyzer.Reason})?( \(%{DATA:user}\))?" }
  67.  
  68. # ASA-6-106015
  69. match => { "Alert.Analyzer.rawmessage" => "%{CISCO_ACTION:Alert.Assessment.Action} %{WORD:Alert.Analyzer.Protocol} \(%{DATA:Alert.Source.Process.Name}\) from %{IP:Alert.Source.Node.Address}/%{INT:Alert.Source.Node.Port} to %{IP:Alert.Target.Node.Address}/%{INT:Alert.Target.Node.Port} flags %{DATA:Alert.Analyzer.tcpflags} on interface %{GREEDYDATA}" }
  70.  
  71. #%SEC-6-IPACCESSLOGP
  72. match => { "Alert.Analyzer.rawmessage" => "list %{DATA:Alert.Source.Process.Name} %{WORD:Alert.Assessment.Action} %{WORD:Alert.Analyzer.Protocol} %{IP:Alert.Source.Node.Address}\(%{DATA:Alert.Source.Node.Port}\) \(%{DATA:interface}\) -> %{IP:Alert.Target.Node.Address}\(%{WORD:Alert.Target.Node.Port}\), %{GREEDYDATA}" }
  73.  
  74. #%SEC_LOGIN-5-LOGIN_SUCCESS
  75. match => { "Alert.Analyzer.rawmessage" => "Login Success \[user: %{DATA:Alert.Source.User.Name}\] \[Source: %{IP:Alert.Source.Node.Address}\] \[localport: %{INT:Alert.Target.Node.Port}\] at %{CISCO_IOS_TIMESTAMP}" }
  76.  
  77. #%SEC_LOGIN-4-LOGIN_FAILED
  78. match => { "Alert.Analyzer.rawmessage" => "Login failed \[user: %{DATA:Alert.Source.User.Name}\] \[Source: %{IP:Alert.Source.Node.Address}\] \[localport: %{INT:Alert.Target.Node.Port}\] \[Reason: %{DATA}\] at %{CISCO_IOS_TIMESTAMP}" }
  79.  
  80. #%SEC_LOGIN-1-QUIET_MODE_ON
  81. match => { "Alert.Analyzer.rawmessage" => "Still timeleft for watching failures is %{DATA} secs, \[user: %{DATA:Alert.Source.User.Name}\] \[Source: %{IP:Alert.Source.Node.Address}\] \[localport: %{INT:Alert.Target.Node.Port}\] \[Reason: %{DATA}\] \[ACL: ${DATA}\] at %{CISCO_IOS_TIMESTAMP}" }
  82.  
  83. #%PARSER-5-CFGLOG_LOGGEDCMD
  84. #match => { "Alert.Analyzer.rawmessage" => "User\:%{DATA:Alert.Source.User.Name}\ logged command:%{DATA:Alert.Source.Command} %{WORD:Alert.Assessment.Action}" }
  85. match => { "Alert.Analyzer.rawmessage" => "User\:%{DATA:Alert.Source.User.Name}\ logged command:%{GREEDYDATA:Alert.Source.Command}" }
  86.  
  87. #%SEC-6-IPACCESSLOGDP
  88. match => { "Alert.Analyzer.rawmessage" => "list %{DATA:Alert.Source.Process.Name} %{WORD:Alert.Assessment.Action} %{WORD:Alert.Analyzer.Protocol} %{IP:Alert.Source.Node.Address} \(%{DATA:Interface}\) -> %{IP:Alert.Target.Node.Address} \(%{DATA}\), %{DATA}" }
  89.  
  90. #%SYS-6-LOGOUT
  91. match => { "Alert.Analyzer.rawmessage" => "User %{GREEDYDATA:Alert.Source.User.Name} has exited tty session %{DATA}\(%{IP:Alert.Source.Node.Address}\)" }
  92.  
  93. #%SYS-5-CONFIG_I
  94. match => { "Alert.Analyzer.rawmessage" => "Configured from %{WORD} by %{GREEDYDATA:Alert.Source.User.Name} on %{WORD} \(%{IP:Alert.Source.Node.Address}\)"}
  95.  
  96. #All other IOS events
  97.  
  98. #%ASA-5-713259
  99. match => { "Alert.Analyzer.rawmessage" => "(?:Group = %{DATA:Alert.Analyzer.Group}, )?(?:Username = %{DATA:Alert.Source.User.Name}, )?(?:IP = %{IP:Alert.Source.Node.Address}, )?Session is being torn down. Reason: %{CISCO_REASON:Alert.Analyzer.Reason}" }
  100.  
  101. #%ASA-5-713050
  102. match => { "Alert.Analyzer.rawmessage" => "Connection terminated for peer %{IP:Alert.Source.Node.Address}. Reason: %{GREEDYDATA:Alert.Analyzer.Reason} Remote Proxy %{DATA}, Local Proxy %{DATA}" }
  103.  
  104. #<167>%ASA-7-710005: TCP request discarded from 1.2.24.26/1069 to outside:7.8.8.8/50000
  105. #match => { "Alert.Analyzer.rawmessage" => "%{GREEDYDATA:Alert.Analyzer.rawmessage}" }
  106.  
  107. }
  108.  
  109.  
  110. if [Alert.Analyzer.Level] == "1" {
  111. mutate { add_field => [ "Alert.Analyzer.Level.Normalized", "13" ] }
  112. } else if [Alert.Analyzer.Level] == "2" {
  113. mutate { add_field => [ "Alert.Analyzer.Level.Normalized", "12" ] }
  114. } else if [Alert.Analyzer.Level] == "3" {
  115. mutate { add_field => [ "Alert.Analyzer.Level.Normalized", "7" ] }
  116. } else if [Alert.Analyzer.Level] == "4" {
  117. mutate { add_field => [ "Alert.Analyzer.Level.Normalized", "5" ] }
  118. } else if [Alert.Analyzer.Level] == "5" {
  119. mutate { add_field => [ "Alert.Analyzer.Level.Normalized", "2" ] }
  120. } else if [Alert.Analyzer.Level] == "6" {
  121. mutate { add_field => [ "Alert.Analyzer.Level.Normalized", "1" ] }
  122. } else if [Alert.Analyzer.Level] == "7" {
  123. mutate { add_field => [ "Alert.Analyzer.Level.Normalized", "0" ] }
  124. }
  125.  
  126. if [Alert.Classification.Ident] in ["111001", "111002", "111003", "111004", "111005", "111007", "111008"]
  127. { mutate { update => ["Alert.Analyzer.Level.Normalized", "11"] } }
  128. else if [Alert.Classification.Ident] == "111009"
  129. { mutate { update => ["Alert.Analyzer.Level.Normalized", "8"] } }
  130. else if [Alert.Classification.Ident] in ["113012", "113015"]
  131. { mutate { update => ["Alert.Analyzer.Level.Normalized", "5"] } }
  132. else if [Alert.Classification.Ident] == "106023" and [Alert.Assessment.Action] == "Deny"
  133. { mutate { update => ["Alert.Analyzer.Level.Normalized", "9"] } }
  134. else if [Alert.Classification.Ident] == "710005" and [Alert.Assessment.Action] == "discarded"
  135. { mutate { update => ["Alert.Analyzer.Level.Normalized", "9"] } }
  136. else if [Alert.Classification.Ident] in ["305012", "305011"]
  137. { mutate { update => ["Alert.Analyzer.Level.Normalized", "0"] } }
  138. else if [Alert.Classification.Ident] == "302014" and [Alert.Analyzer.Reason] == "SYN Timeout"
  139. { mutate { update => ["Alert.Analyzer.Level.Normalized", "9"] } }
  140. else if [Alert.Classification.Ident] == "106015"
  141. { mutate { update => ["Alert.Analyzer.Level.Normalized", "9"] } }
  142.  
  143. mutate {
  144. convert => [ "Alert.Analyzer.Level", "integer" ]
  145. convert => [ "Alert.Analyzer.Level.Normalized", "integer" ]
  146. add_field => [ "Alert.Analyzer.Level.Normalized.raw", "%{Alert.Analyzer.Level.Normalized}" ]
  147. }
  148.  
  149. if [syslog5424_ts] {
  150. date {
  151. #2015-03-21T01:44:27.757618+03:00
  152. match => ["syslog5424_ts", "ISO8601"]
  153. target => "Alert.CreateTime"
  154. }
  155. } else if [timestamp] {
  156. date {
  157. #Apr 19 11:55:57
  158. match => ["timestamp", "MMM dd HH:mm:ss", "MMM d HH:mm:ss", "MMM dd YYYY HH:mm:ss"]
  159. target => "Alert.CreateTime"
  160. }
  161. } else {
  162. mutate { add_field => [ "Alert.CreateTime", "%{@timestamp}" ] }
  163. }
  164.  
  165. mutate {
  166. add_field => [ "Alert.Sensor.Node.Address", "%{host}" ]
  167. add_field => [ "Alert.Analyzer.Node.Name", "%{Alert.Sensor.Node.Address}" ]
  168. add_field => [ "Alert.Analyzer.Name", "cisco" ]
  169. }
  170.  
  171.  
  172. }
  173. }