Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- input {
- udp {
- port => 9020
- type => cisco
- }
- # stdin {
- # type => syslog
- # }
- }
- filter {
- if [type] == "cisco" {
- grok
- {
- match => { "message" => "%{CISCO_HEADER} (%{CISCO_IOS_EVENTID:Alert.Classification.Text}: )?%{GREEDYDATA:Alert.Analyzer.rawmessage}" }
- }
- grok {
- tag_on_failure => []
- #<165>%ASA-5-111001: Begin configuration: 192.168.1.21 writing to memory
- match => { "Alert.Analyzer.rawmessage" => "Begin configuration: %{IP:Alert.Source.Node.Address} writing to %{DATA:Alert.Target.Device}" }
- #%ASA-5-111002: Begin configuration: 8.8.8.8 reading from device
- match => { "Alert.Analyzer.rawmessage" => "Begin configuration: %{IP:Alert.Source.Node.Address} reading from %{DATA:Alert.Target.Device}" }
- #%ASA-5-111003: 8.8.8.8 Erase configuration
- match => { "Alert.Analyzer.rawmessage" => "%{IP:Alert.Source.Node.Address} Erase configuration" }
- #%ASA-5-111004: 8.8.8.8 end configuration: {FAILED|OK}
- match => { "Alert.Analyzer.rawmessage" => "%{IP:Alert.Source.Node.Address} end configuration: %{DATA:Alert.Target.Status}" }
- #%ASA-5-111005: IP_address end configuration: OK
- match => { "Alert.Analyzer.rawmessage" => "%{IP:Alert.Source.Node.Address} end configuration: OK" }
- #%ASA-5-111007: Begin configuration: IP_address reading from device.
- match => { "Alert.Analyzer.rawmessage" => "Begin configuration: %{IP:Alert.Source.Node.Address} reading from %{DATA:Alert.Target.Device}" }
- #<165>%ASA-5-111008: User 'enable_15' executed the 'write memory' command.
- match => { "Alert.Analyzer.rawmessage" => "User '%{DATA:Alert.Source.User.Name}' executed the '%{DATA:Alert.Source.Command}' command." }
- #%ASA-7-111009:User user executed cmd: string
- match => { "Alert.Analyzer.rawmessage" => "User '%{DATA:Alert.Source.User.Name}' executed cmd: %{GREEDYDATA:Alert.Source.Command}" }
- #%ASA-6-113008: AAA transaction status ACCEPT: user = user
- match => { "Alert.Analyzer.rawmessage" => "AAA transaction status %{DATA:Alert.Assessment.Action}: user = %{DATA:Alert.Source.User.Name}" }
- #<166>%ASA-6-113012: AAA user authentication Successful : local database : user = admin
- match => { "Alert.Analyzer.rawmessage" => "AAA user authentication Successful : local database : user = %{DATA:Alert.Source.User.Name}" }
- #<166>%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = ***** : user IP = 192.168.1.21
- match => { "Alert.Analyzer.rawmessage" => "AAA user authentication Rejected : reason = Invalid password : local database : user = %{DATA:Alert.Source.User.Name} : user IP = %{IP:Alert.Source.Node.Address}" }
- #%ASA-4-106023: Deny udp src outside:13.2.22.4/46455 dst External:12.18.3.8/68000 by access-group "outside_access_in" [0x0, 0x0]
- match => { "Alert.Analyzer.rawmessage" => "%{WORD:Alert.Assessment.Action} %{WORD:Alert.Analyzer.Protocol} src %{DATA}:%{IP:Alert.Source.Node.Address}/%{DATA:Alert.Source.Node.Port} dst %{DATA}:%{IP:Alert.Target.Node.Address}/%{DATA:Alert.Target.Node.Port} by access-group %{GREEDYDATA:Alert.Source.Process.Name}"}
- #%ASA-4-106023:Deny icmp src outside:1.5.1.8 dst External-DMZ:2.8.3.5 (type 3, code 3) by access-group "outside_access_in" [0x0, 0x0]
- match => { "Alert.Analyzer.rawmessage" => "%{WORD:Alert.Assessment.Action} %{WORD:Alert.Analyzer.Protocol} src %{DATA}:%{IP:Alert.Source.Node.Address} dst %{DATA}:%{IP:Alert.Target.Node.Address} \(type %{INT}, code %{INT}\) by access-group %{GREEDYDATA:Alert.Source.Process.Name}" }
- #%ASA-7-710005: TCP request discarded from 8.8.20.13/49 to outside:7.1.1.1/60
- match => { "Alert.Analyzer.rawmessage" => "%{WORD:Alert.Analyzer.Protocol} (?:request|access) %{WORD:Alert.Assessment.Action} from %{IP:Alert.Source.Node.Address}/%{DATA:Alert.Source.Node.Port} to %{DATA}:%{IP:Alert.Target.Node.Address}/%{WORD:Alert.Target.Node.Port}" }
- # ASA-6-302013, ASA-6-302014, ASA-6-302015, ASA-6-302016
- match => { "Alert.Analyzer.rawmessage" => "%{CISCO_ACTION:Alert.Assessment.Action}(?: %{CISCO_DIRECTION})? %{WORD:Alert.Analyzer.Protocol} connection %{INT} for %{DATA}:%{IP:Alert.Source.Node.Address}/%{INT:Alert.Source.Node.Port}( \(%{IP}/%{INT}\))?(\(%{DATA:src_fwuser}\))? to %{DATA:}:%{IP:Alert.Target.Node.Address}/%{INT:Alert.Target.Node.Port}( \(%{IP}/%{INT}\))?(\(%{DATA:dst_fwuser}\))?( duration %{TIME:duration} bytes %{INT:bytes})?(?: %{CISCO_REASON:Alert.Analyzer.Reason})?( \(%{DATA:user}\))?" }
- # ASA-6-106015
- match => { "Alert.Analyzer.rawmessage" => "%{CISCO_ACTION:Alert.Assessment.Action} %{WORD:Alert.Analyzer.Protocol} \(%{DATA:Alert.Source.Process.Name}\) from %{IP:Alert.Source.Node.Address}/%{INT:Alert.Source.Node.Port} to %{IP:Alert.Target.Node.Address}/%{INT:Alert.Target.Node.Port} flags %{DATA:Alert.Analyzer.tcpflags} on interface %{GREEDYDATA}" }
- #%SEC-6-IPACCESSLOGP
- match => { "Alert.Analyzer.rawmessage" => "list %{DATA:Alert.Source.Process.Name} %{WORD:Alert.Assessment.Action} %{WORD:Alert.Analyzer.Protocol} %{IP:Alert.Source.Node.Address}\(%{DATA:Alert.Source.Node.Port}\) \(%{DATA:interface}\) -> %{IP:Alert.Target.Node.Address}\(%{WORD:Alert.Target.Node.Port}\), %{GREEDYDATA}" }
- #%SEC_LOGIN-5-LOGIN_SUCCESS
- match => { "Alert.Analyzer.rawmessage" => "Login Success \[user: %{DATA:Alert.Source.User.Name}\] \[Source: %{IP:Alert.Source.Node.Address}\] \[localport: %{INT:Alert.Target.Node.Port}\] at %{CISCO_IOS_TIMESTAMP}" }
- #%SEC_LOGIN-4-LOGIN_FAILED
- match => { "Alert.Analyzer.rawmessage" => "Login failed \[user: %{DATA:Alert.Source.User.Name}\] \[Source: %{IP:Alert.Source.Node.Address}\] \[localport: %{INT:Alert.Target.Node.Port}\] \[Reason: %{DATA}\] at %{CISCO_IOS_TIMESTAMP}" }
- #%SEC_LOGIN-1-QUIET_MODE_ON
- match => { "Alert.Analyzer.rawmessage" => "Still timeleft for watching failures is %{DATA} secs, \[user: %{DATA:Alert.Source.User.Name}\] \[Source: %{IP:Alert.Source.Node.Address}\] \[localport: %{INT:Alert.Target.Node.Port}\] \[Reason: %{DATA}\] \[ACL: ${DATA}\] at %{CISCO_IOS_TIMESTAMP}" }
- #%PARSER-5-CFGLOG_LOGGEDCMD
- #match => { "Alert.Analyzer.rawmessage" => "User\:%{DATA:Alert.Source.User.Name}\ logged command:%{DATA:Alert.Source.Command} %{WORD:Alert.Assessment.Action}" }
- match => { "Alert.Analyzer.rawmessage" => "User\:%{DATA:Alert.Source.User.Name}\ logged command:%{GREEDYDATA:Alert.Source.Command}" }
- #%SEC-6-IPACCESSLOGDP
- match => { "Alert.Analyzer.rawmessage" => "list %{DATA:Alert.Source.Process.Name} %{WORD:Alert.Assessment.Action} %{WORD:Alert.Analyzer.Protocol} %{IP:Alert.Source.Node.Address} \(%{DATA:Interface}\) -> %{IP:Alert.Target.Node.Address} \(%{DATA}\), %{DATA}" }
- #%SYS-6-LOGOUT
- match => { "Alert.Analyzer.rawmessage" => "User %{GREEDYDATA:Alert.Source.User.Name} has exited tty session %{DATA}\(%{IP:Alert.Source.Node.Address}\)" }
- #%SYS-5-CONFIG_I
- match => { "Alert.Analyzer.rawmessage" => "Configured from %{WORD} by %{GREEDYDATA:Alert.Source.User.Name} on %{WORD} \(%{IP:Alert.Source.Node.Address}\)"}
- #All other IOS events
- #%ASA-5-713259
- match => { "Alert.Analyzer.rawmessage" => "(?:Group = %{DATA:Alert.Analyzer.Group}, )?(?:Username = %{DATA:Alert.Source.User.Name}, )?(?:IP = %{IP:Alert.Source.Node.Address}, )?Session is being torn down. Reason: %{CISCO_REASON:Alert.Analyzer.Reason}" }
- #%ASA-5-713050
- match => { "Alert.Analyzer.rawmessage" => "Connection terminated for peer %{IP:Alert.Source.Node.Address}. Reason: %{GREEDYDATA:Alert.Analyzer.Reason} Remote Proxy %{DATA}, Local Proxy %{DATA}" }
- #<167>%ASA-7-710005: TCP request discarded from 1.2.24.26/1069 to outside:7.8.8.8/50000
- #match => { "Alert.Analyzer.rawmessage" => "%{GREEDYDATA:Alert.Analyzer.rawmessage}" }
- }
- if [Alert.Analyzer.Level] == "1" {
- mutate { add_field => [ "Alert.Analyzer.Level.Normalized", "13" ] }
- } else if [Alert.Analyzer.Level] == "2" {
- mutate { add_field => [ "Alert.Analyzer.Level.Normalized", "12" ] }
- } else if [Alert.Analyzer.Level] == "3" {
- mutate { add_field => [ "Alert.Analyzer.Level.Normalized", "7" ] }
- } else if [Alert.Analyzer.Level] == "4" {
- mutate { add_field => [ "Alert.Analyzer.Level.Normalized", "5" ] }
- } else if [Alert.Analyzer.Level] == "5" {
- mutate { add_field => [ "Alert.Analyzer.Level.Normalized", "2" ] }
- } else if [Alert.Analyzer.Level] == "6" {
- mutate { add_field => [ "Alert.Analyzer.Level.Normalized", "1" ] }
- } else if [Alert.Analyzer.Level] == "7" {
- mutate { add_field => [ "Alert.Analyzer.Level.Normalized", "0" ] }
- }
- if [Alert.Classification.Ident] in ["111001", "111002", "111003", "111004", "111005", "111007", "111008"]
- { mutate { update => ["Alert.Analyzer.Level.Normalized", "11"] } }
- else if [Alert.Classification.Ident] == "111009"
- { mutate { update => ["Alert.Analyzer.Level.Normalized", "8"] } }
- else if [Alert.Classification.Ident] in ["113012", "113015"]
- { mutate { update => ["Alert.Analyzer.Level.Normalized", "5"] } }
- else if [Alert.Classification.Ident] == "106023" and [Alert.Assessment.Action] == "Deny"
- { mutate { update => ["Alert.Analyzer.Level.Normalized", "9"] } }
- else if [Alert.Classification.Ident] == "710005" and [Alert.Assessment.Action] == "discarded"
- { mutate { update => ["Alert.Analyzer.Level.Normalized", "9"] } }
- else if [Alert.Classification.Ident] in ["305012", "305011"]
- { mutate { update => ["Alert.Analyzer.Level.Normalized", "0"] } }
- else if [Alert.Classification.Ident] == "302014" and [Alert.Analyzer.Reason] == "SYN Timeout"
- { mutate { update => ["Alert.Analyzer.Level.Normalized", "9"] } }
- else if [Alert.Classification.Ident] == "106015"
- { mutate { update => ["Alert.Analyzer.Level.Normalized", "9"] } }
- mutate {
- convert => [ "Alert.Analyzer.Level", "integer" ]
- convert => [ "Alert.Analyzer.Level.Normalized", "integer" ]
- add_field => [ "Alert.Analyzer.Level.Normalized.raw", "%{Alert.Analyzer.Level.Normalized}" ]
- }
- if [syslog5424_ts] {
- date {
- #2015-03-21T01:44:27.757618+03:00
- match => ["syslog5424_ts", "ISO8601"]
- target => "Alert.CreateTime"
- }
- } else if [timestamp] {
- date {
- #Apr 19 11:55:57
- match => ["timestamp", "MMM dd HH:mm:ss", "MMM d HH:mm:ss", "MMM dd YYYY HH:mm:ss"]
- target => "Alert.CreateTime"
- }
- } else {
- mutate { add_field => [ "Alert.CreateTime", "%{@timestamp}" ] }
- }
- mutate {
- add_field => [ "Alert.Sensor.Node.Address", "%{host}" ]
- add_field => [ "Alert.Analyzer.Node.Name", "%{Alert.Sensor.Node.Address}" ]
- add_field => [ "Alert.Analyzer.Name", "cisco" ]
- }
- }
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement