-
Notifications
You must be signed in to change notification settings - Fork 6
/
asa_extractor.json
75 lines (75 loc) · 4.24 KB
/
asa_extractor.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
{
"extractors": [
{
"condition_type": "regex",
"condition_value": "(^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9])) %ASA-\\d-106023: Deny tcp",
"converters": [],
"cursor_strategy": "copy",
"extractor_config": {
"grok_pattern": "%{IPORHOST:asa_dev} %ASA-\\d-(?<asa_messageid>106023): (?<asa_action>Deny) (?<asa_proto>tcp) src %{NOTSPACE:asa_interface_in}:%{IPV4:asa_src_ip}/%{BASE10NUM:asa_src_port} dst %{NOTSPACE:asa_interface_out}:%{IPV4:asa_dst_ip}/%{BASE10NUM:asa_dst_port} by access-group %{QUOTEDSTRING:asa_accesslist}"
},
"extractor_type": "grok",
"order": 0,
"source_field": "message",
"target_field": "message",
"title": "ASA TCP Denies"
},
{
"condition_type": "regex",
"condition_value": "(^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9])) %ASA-\\d-106023: Deny udp",
"converters": [],
"cursor_strategy": "copy",
"extractor_config": {
"grok_pattern": "%{IPORHOST:asa_dev} %ASA-\\d-(?<asa_messageid>106023): (?<asa_action>Deny) (?<asa_proto>udp) src %{NOTSPACE:asa_interface_in}:%{IPV4:asa_src_ip}/%{BASE10NUM:asa_src_port} dst %{NOTSPACE:asa_interface_out}:%{IPV4:asa_dst_ip}/%{BASE10NUM:asa_dst_port} by access-group %{QUOTEDSTRING:asa_accesslist}"
},
"extractor_type": "grok",
"order": 0,
"source_field": "message",
"target_field": "message",
"title": "ASA UDP Denies"
},
{
"condition_type": "regex",
"condition_value": "(^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9])) %ASA-\\d-106015: Deny TCP",
"converters": [],
"cursor_strategy": "copy",
"extractor_config": {
"grok_pattern": "%{IPORHOST:asa_dev} %ASA-\\d-(?<asa_messageid>106015): (?<asa_action>Deny) (?<asa_proto>TCP) %{DATA:asa_message} from %{IPV4:asa_src_ip}/%{BASE10NUM:asa_src_port} to %{IPV4:asa_dst_ip}/%{BASE10NUM:asa_dst_port} flags %{DATA:tcpflags} on interface %{DATA:asa_interface_in}$"
},
"extractor_type": "grok",
"order": 0,
"source_field": "message",
"target_field": "message",
"title": "ASA TCP Drops"
},
{
"condition_type": "regex",
"condition_value": "(^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9])) %ASA-\\d-710005: UDP request discarded",
"converters": [],
"cursor_strategy": "copy",
"extractor_config": {
"grok_pattern": "^%{IPORHOST:asa_dev} %ASA-\\d-(?<asa_messageid>710005): (?<asa_proto>UDP) request (?<asa_action>discarded) from %{IPV4:asa_src_ip}/%{BASE10NUM:asa_src_port} to %{DATA:asa_interface_in}:%{IPV4:asa_dst_ip}/%{BASE10NUM:asa_dst_port}$"
},
"extractor_type": "grok",
"order": 0,
"source_field": "message",
"target_field": "message",
"title": "ASA UDP Discards"
},
{
"condition_type": "regex",
"condition_value": "(^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9])) %ASA-\\d-710005: TCP request discarded",
"converters": [],
"cursor_strategy": "copy",
"extractor_config": {
"grok_pattern": "^%{IPORHOST:asa_dev} %ASA-\\d-(?<asa_messageid>710005): (?<asa_proto>TCP) request (?<asa_action>discarded) from %{IPV4:asa_src_ip}/%{BASE10NUM:asa_src_port} to %{DATA:asa_interface_in}:%{IPV4:asa_dst_ip}/%{BASE10NUM:asa_dst_port}$"
},
"extractor_type": "grok",
"order": 0,
"source_field": "message",
"target_field": "message",
"title": "ASA TCP Discards"
}
],
"version": "1.2.2 (91c7822)"
}