From daa8937546e9fc0c44bbb433b5fa924295165551 Mon Sep 17 00:00:00 2001
From: Leandro Maciel
Date: Fri, 17 Jun 2022 11:34:31 -0300
Subject: [PATCH 1/6] fix CISCOFW302013_302014_302015_302016 grok pattern

this pattern has a wrong reference to the field source.user.name
---
 patterns/ecs-v1/firewalls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/patterns/ecs-v1/firewalls b/patterns/ecs-v1/firewalls
index 938ea1e8..ae683c71 100644
--- a/patterns/ecs-v1/firewalls
+++ b/patterns/ecs-v1/firewalls
@@ -60,7 +60,7 @@ CISCOFW110002 %{CISCO_REASON:[event][reason]} for %{WORD:[cisco][asa][network][t
 # ASA-6-302010
 CISCOFW302010 %{INT:[cisco][asa][connections][in_use]:int} in use, %{INT:[cisco][asa][connections][most_used]:int} most used
 # ASA-6-302013, ASA-6-302014, ASA-6-302015, ASA-6-302016
-CISCOFW302013_302014_302015_302016 %{CISCO_ACTION:[cisco][asa][outcome]}(?: %{CISCO_DIRECTION:[cisco][asa][network][direction]})? %{WORD:[cisco][asa][network][transport]} connection %{INT:[cisco][asa][connection_id]} for %{NOTSPACE:[observer][ingress][interface][name]}:%{IP:[source][ip]}/%{INT:[source][port]:int}(?: \(%{IP:[source][nat][ip]}/%{INT:[source][nat][port]:int}\))?(?:\(%{DATA:[source][user][name?]}\))? to %{NOTSPACE:[observer][egress][interface][name]}:%{IP:[destination][ip]}/%{INT:[destination][port]:int}( \(%{IP:[destination][nat][ip]}/%{INT:[destination][nat][port]:int}\))?(?:\(%{DATA:[destination][user][name]}\))?( duration %{TIME:[cisco][asa][duration]} bytes %{INT:[network][bytes]:int})?(?: %{CISCO_REASON:[event][reason]})?(?: \(%{DATA:[user][name]}\))?
+CISCOFW302013_302014_302015_302016 %{CISCO_ACTION:[cisco][asa][outcome]}(?: %{CISCO_DIRECTION:[cisco][asa][network][direction]})? %{WORD:[cisco][asa][network][transport]} connection %{INT:[cisco][asa][connection_id]} for %{NOTSPACE:[observer][ingress][interface][name]}:%{IP:[source][ip]}/%{INT:[source][port]:int}(?: \(%{IP:[source][nat][ip]}/%{INT:[source][nat][port]:int}\))?(?:\(%{DATA:[source][user][name]}\))? to %{NOTSPACE:[observer][egress][interface][name]}:%{IP:[destination][ip]}/%{INT:[destination][port]:int}( \(%{IP:[destination][nat][ip]}/%{INT:[destination][nat][port]:int}\))?(?:\(%{DATA:[destination][user][name]}\))?( duration %{TIME:[cisco][asa][duration]} bytes %{INT:[network][bytes]:int})?(?: %{CISCO_REASON:[event][reason]})?(?: \(%{DATA:[user][name]}\))?
# :long - %{INT:[network][bytes]:int}
 # ASA-6-302020, ASA-6-302021
 CISCOFW302020_302021 %{CISCO_ACTION:[cisco][asa][outcome]}(?: %{CISCO_DIRECTION:[cisco][asa][network][direction]})? %{WORD:[cisco][asa][network][transport]} connection for faddr %{IP:[destination][ip]}/%{INT:[cisco][asa][icmp_seq]:int}(?:\(%{DATA:[destination][user][name]}\))? gaddr %{IP:[source][nat][ip]}/%{INT:[cisco][asa][icmp_type]:int} laddr %{IP:[source][ip]}/%{INT}(?: \(%{DATA:[source][user][name]}\))?

From e8dbc61f790e352d33fe993c9a0a43a9f306cc31 Mon Sep 17 00:00:00 2001
From: logstashmachine <43502315+logstashmachine@users.noreply.github.com>
Date: Fri, 17 Jun 2022 14:52:59 +0000
Subject: [PATCH 2/6] bump to 4.3.4

---
 CHANGELOG.md | 3 +++
 logstash-patterns-core.gemspec | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7857f3f0..f90ca61f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,6 @@
+## 4.3.4
+ - fix CISCOFW302013_302014_302015_302016 grok pattern [#313](https://api.github.com/repos/logstash-plugins/logstash-patterns-core/pulls/313)
+
 ## 4.3.3
 - Fix: parsing x-edge-location in CLOUDFRONT_ACCESS_LOG (ECS mode) [#311](https://github.com/logstash-plugins/logstash-patterns-core/pull/311)
diff --git a/logstash-patterns-core.gemspec b/logstash-patterns-core.gemspec
index e3e9a6d0..cd900348 100644
--- a/logstash-patterns-core.gemspec
+++ b/logstash-patterns-core.gemspec
@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
 s.name = 'logstash-patterns-core'
- s.version = '4.3.3'
+ s.version = '4.3.4'
 s.licenses = ['Apache License (2.0)']
 s.summary = "Patterns to be used in logstash"
 s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"

From 5b314ef7bbfa4a33cc109a6da5a380e5bb5c4d4a Mon Sep 17 00:00:00 2001
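Review bot: The corrected line still wraps the destination NAT and the duration/bytes parts in plain capturing groups, `( \(%{IP:[destination][nat][ip]}/%{INT:[destination][nat][port]:int}\))?` and `( duration %{TIME:[cisco][asa][duration]} bytes %{INT:[network][bytes]:int})?`, while every other optional part of the same pattern uses `(?: ...)`; grok discards unnamed captures so nothing leaks, but for consistency both should read `(?: \(%{IP:[destination][nat][ip]}/%{INT:[destination][nat][port]:int}\))?` and `(?: duration %{TIME:[cisco][asa][duration]} bytes %{INT:[network][bytes]:int})?`. Because the old line named its capture `[source][user][name?]`, events indexed with it presumably carry the identity-firewall user under a stray `source.user.name?` field and nothing under `source.user.name`, so consumers keyed on the ECS field will only start seeing the user from this release on; a one-line note in the changelog entry would save the next person the surprise. The spec added later in this series only pins `[source][user][name]`; a second sample message exercising `[destination][user][name]` and the trailing `(?: \(%{DATA:[user][name]}\))?` would keep those two optional captures from regressing the same way unnoticed.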
From: =?UTF-8?q?Jo=C3=A3o=20Duarte?=
Date: Fri, 17 Jun 2022 15:53:50 +0100
Subject: [PATCH 3/6] Update CHANGELOG.md

---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f90ca61f..197200ab 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,5 @@
 ## 4.3.4
- - fix CISCOFW302013_302014_302015_302016 grok pattern [#313](https://api.github.com/repos/logstash-plugins/logstash-patterns-core/pulls/313)
+ - fix CISCOFW302013_302014_302015_302016 grok pattern [#313](https://github.com/logstash-plugins/logstash-patterns-core/pull/313)
 ## 4.3.3

From c048fbe7401137a10b3ee5f172d85e625208bb08 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Duarte?=
Date: Fri, 17 Jun 2022 15:54:30 +0100
Subject: [PATCH 4/6] Update CHANGELOG.md

---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 197200ab..565faffd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,5 @@
 ## 4.3.4
- - fix CISCOFW302013_302014_302015_302016 grok pattern [#313](https://github.com/logstash-plugins/logstash-patterns-core/pull/313)
+ - Fix: typo in CISCOFW302013_302014_302015_302016 grok pattern [#313](https://github.com/logstash-plugins/logstash-patterns-core/pull/313)
 ## 4.3.3

From bc2e39cb5e2e7c553e050c956caa6a150e3bf33c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Duarte?=
Date: Fri, 17 Jun 2022 16:12:24 +0100
Subject: [PATCH 5/6] add test to user name in CISCOFW302013_302014_302015_302016

---
 spec/patterns/firewalls_spec.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/spec/patterns/firewalls_spec.rb b/spec/patterns/firewalls_spec.rb
index ce59241d..b58bdb84 100644
--- a/spec/patterns/firewalls_spec.rb
+++ b/spec/patterns/firewalls_spec.rb
@@ -278,13 +278,13 @@ describe_pattern "CISCOFW302013_302014_302015_302016", ['legacy', 'ecs-v1'] do
- let(:message) { "ASA-6-302013: Built outbound TCP connection 11757 for outside:100.66.205.104/80 (100.66.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)" }
+ let(:message) { "ASA-6-302013: Built outbound TCP connection 11757 for outside:100.66.205.104/80 (100.66.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)(some.user)" }
 include_examples 'top-level namespaces', CISCOFW_ALLOWED_TOP_LEVEL_NAMESPACES, if: -> { ecs_compatibility? }
 it 'matches' do
 if ecs_compatibility?
- expect(subject).to include "source"=>{"ip"=>"100.66.205.104", "port"=>80, "nat"=>{"ip"=>"100.66.205.104", "port"=>80}}
+ expect(subject).to include "source"=>{"ip"=>"100.66.205.104", "port"=>80, "nat"=>{"ip"=>"100.66.205.104", "port"=>80}, "user"=>{"name"=> "some.user"}}
 expect(subject).to include "cisco"=>{"asa"=>{"network"=>{"direction"=>"outbound", "transport"=>"TCP"}, "outcome"=>"Built", "connection_id"=>"11757"}}
 expect(subject).to include "observer"=>{"egress"=>{"interface"=>{"name"=>"inside"}}, "ingress"=>{"interface"=>{"name"=>"outside"}}}
 else

From f2487ccf15f0c2966b258d902480499fd387bde1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Duarte?=
Date: Fri, 17 Jun 2022 16:24:51 +0100
Subject: [PATCH 6/6] Update firewalls_spec.rb

---
 spec/patterns/firewalls_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/spec/patterns/firewalls_spec.rb b/spec/patterns/firewalls_spec.rb
index b58bdb84..19b4a694 100644
--- a/spec/patterns/firewalls_spec.rb
+++ b/spec/patterns/firewalls_spec.rb
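Review bot: The added expectation writes `"user"=>{"name"=> "some.user"}` with a space after `=>` that none of the neighbouring pairs such as `"ip"=>"100.66.205.104"` have; write `"user"=>{"name"=>"some.user"}` so the hash literal reads uniformly. The `else` branch that exercises the legacy pattern lies outside the hunk and is left without any assertion on the user name, so this sample only proves the ECS pattern captures it; if the legacy pattern also has a user capture, an assertion on that branch would cover both modes in one go. The enclosing `describe_pattern` block starts before the hunk and the remainder of the `it 'matches'` example runs past it.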
@@ -278,7 +278,7 @@ describe_pattern "CISCOFW302013_302014_302015_302016", ['legacy', 'ecs-v1'] do
- let(:message) { "ASA-6-302013: Built outbound TCP connection 11757 for outside:100.66.205.104/80 (100.66.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)(some.user)" }
+ let(:message) { "ASA-6-302013: Built outbound TCP connection 11757 for outside:100.66.205.104/80 (100.66.205.104/80)(some.user) to inside:172.31.98.44/1772 (172.31.98.44/1772)" }
 include_examples 'top-level namespaces', CISCOFW_ALLOWED_TOP_LEVEL_NAMESPACES, if: -> { ecs_compatibility? }