{
"extractors": [
{
"title": "ASA TCP Denies",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "message",
"extractor_config": {
"grok_pattern": "%{CISCOTIMESTAMP:asa_timestamp} %{IPORHOST:asa_dev} \\: %ASA-\\d-(?<asa_messageid>106023): (?<asa_action>Deny) (?<asa_proto>tcp) src %{NOTSPACE:asa_interface_in}:%{IPV4:asa_src_ip}/%{BASE10NUM:asa_src_port} dst %{NOTSPACE:asa_interface_out}:%{IPV4:asa_dst_ip}/%{BASE10NUM:asa_dst_port}(\\(LOCAL\\\\%{USERNAME:asa_username}\\))? by access-group %{QUOTEDSTRING:asa_accesslist}",
"named_captures_only": true
},
"condition_type": "regex",
"condition_value": "%ASA-\\d-106023: Deny tcp"
},
{
"title": "ASA UDP Denies",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "message",
"extractor_config": {
"grok_pattern": "%{CISCOTIMESTAMP:asa_timestamp} %{IPORHOST:asa_dev} \\: %ASA-\\d-(?<asa_messageid>106023): (?<asa_action>Deny) (?<asa_proto>udp) src %{NOTSPACE:asa_interface_in}:%{IPV4:asa_src_ip}/%{BASE10NUM:asa_src_port} dst %{NOTSPACE:asa_interface_out}:%{IPV4:asa_dst_ip}/%{BASE10NUM:asa_dst_port} by access-group %{QUOTEDSTRING:asa_accesslist}",
"named_captures_only": true
},
"condition_type": "regex",
"condition_value": "%ASA-\\d-106023: Deny udp"
},
{
"title": "ASA TCP Drops",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "message",
"extractor_config": {
"grok_pattern": "%{CISCOTIMESTAMP:asa_timestamp} %{IPORHOST:asa_dev} \\: %ASA-\\d-(?<asa_messageid>106015): (?<asa_action>Deny) (?<asa_proto>TCP) %{DATA:asa_message} from %{IPV4:asa_src_ip}/%{BASE10NUM:asa_src_port} to %{IPV4:asa_dst_ip}/%{BASE10NUM:asa_dst_port} flags %{DATA:tcpflags} on interface %{DATA:asa_interface_in}$",
"named_captures_only": true
},
"condition_type": "regex",
"condition_value": "%ASA-\\d-106015: Deny TCP"
},
{
"title": "ASA UDP Discards",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "message",
"extractor_config": {
"grok_pattern": "%{CISCOTIMESTAMP:asa_timestamp} %{IPORHOST:asa_dev} \\: %ASA-\\d-(?<asa_messageid>710005): (?<asa_proto>UDP) request (?<asa_action>discarded) from %{IPV4:asa_src_ip}/%{BASE10NUM:asa_src_port} to %{DATA:asa_interface_in}:%{IPV4:asa_dst_ip}/%{BASE10NUM:asa_dst_port}$",
"named_captures_only": true
},
"condition_type": "regex",
"condition_value": "%ASA-\\d-710005: UDP request discarded"
},
{
"title": "ASA TCP Discards",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "message",
"extractor_config": {
"grok_pattern": "%{CISCOTIMESTAMP:asa_timestamp} %{IPORHOST:asa_dev} \\: %{IPORHOST:asa_dev} %ASA-\\d-(?<asa_messageid>710005): (?<asa_proto>TCP) request (?<asa_action>discarded) from %{IPV4:asa_src_ip}/%{BASE10NUM:asa_src_port} to %{DATA:asa_interface_in}:%{IPV4:asa_dst_ip}/%{BASE10NUM:asa_dst_port}$",
"named_captures_only": true
},
"condition_type": "regex",
"condition_value": "%ASA-\\d-710005: TCP request discarded"
}
],
"version": "2.2.0-SNAPSHOT"
}