[cisco_asa] sync with beats cisco module (#2820)
* import beats changes 26879
* import beats changes 26975
* import beats changes 29698
leehinman authored Mar 16, 2022
1 parent 28fd9fa commit ee4ecc7
Showing 16 changed files with 4,072 additions and 445 deletions.
11 changes: 11 additions & 0 deletions packages/cisco_asa/changelog.yml
@@ -1,4 +1,15 @@
# newer versions go on top
- version: "2.2.0"
changes:
- description: Add community_id processor, update 805001, 304001, 106023 and 602304 message parsing. elastic/beats#26879
type: enhancement
link: https://github.com/elastic/integrations/pull/2820
- description: Add user.name field to ASA Security negotiation log line. elastic/beats#26975
type: enhancement
link: https://github.com/elastic/integrations/pull/2820
- description: Change event.outcome and event.type handling to be more ECS compliant. elastic/beats#29698
type: enhancement
link: https://github.com/elastic/integrations/pull/2820
- version: "2.1.0"
changes:
- description: Add parsing for event code 113029-113040
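Review bot: The third 2.2.0 entry ("Change event.outcome and event.type handling to be more ECS compliant") is typed `enhancement` but does not say which values of event.outcome and event.type change. Anyone upgrading from 2.1.0 with saved queries, dashboards or detection rules that filter on those fields needs that to know what to re-check, so name the affected values in the description. The first entry also bundles the community_id processor with parsing updates for 805001, 304001, 106023 and 602304; one entry per change would be easier to search. Since all three entries link to the same pull/2820, the elastic/beats references in the descriptions are the only pointer back to the original changes and should stay.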
Expand Up @@ -17,7 +17,7 @@ May 5 18:29:32 dev01: %ASA-6-302020: Built inbound ICMP connection for faddr 10
May 5 18:29:32 dev01: %ASA-6-302020: Built outbound ICMP connection for faddr 10.10.10.10/0 gaddr 81.2.69.144/0 laddr 192.168.2.2/0 type 3 code 3
May 5 18:29:32 dev01: %ASA-6-302014: Teardown TCP connection 2960892904 for out111:10.10.10.10/443 to fw111:192.168.2.2/55225 duration 0:00:00 bytes 0 TCP Reset-I
May 5 18:29:32 dev01: %ASA-6-302013: Built outbound TCP connection 1588662 for intfacename:192.168.2.2/80 (81.2.69.144/80) to net:10.10.10.10/54839 (81.2.69.144/54839)
May 5 18:29:32 dev01: %ASA-6-302012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00
May 5 18:29:32 dev01: %ASA-6-305012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00
May 5 18:40:50 dev01: %ASA-4-313004: Denied ICMP type=0, from laddr 10.10.10.10 on interface fw502 to 192.168.2.2: no matching session
May 5 18:40:50 dev01: %ASA-6-305011: Built dynamic TCP translation from fw111:10.10.10.10/57006 to out111:192.168.2.2/57006
May 5 18:40:50 dev01: %ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/43803 to 10.10.10.10/14322 flags SYN on interface out111
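Review bot: The corrected 305012 sample covers only a UDP teardown, while the matching build sample two lines further down (305011) is TCP. Consider adding a "Teardown dynamic TCP translation" line so both protocols are exercised for the teardown message, and confirm the expected output for this log file was regenerated, because the line that carried id 302012 now carries 305012 and will parse under a different event code.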
Expand Down Expand Up @@ -83,3 +83,11 @@ Apr 27 2020 02:03:03 dev01: %ASA-6-713904: All IPSec SA proposals found unaccept
Apr 27 2020 02:03:03 dev01: %ASA-6-713903: IP = 192.168.1.1, All IPSec SA proposals found unacceptable!
Apr 27 2020 02:03:03 dev01: %ASA-6-713902: Group = 100.60.140.10, All IPSec SA proposals found unacceptable!
Apr 27 2020 02:03:03 dev01: %ASA-6-713901: Group = 100.60.140.10, IP = 192.168.1.1, All IPSec SA proposals found unacceptable!
Apr 27 02:03:03 dev01: %ASA-5-713049: Group = 100.60.140.10, Username = test_user, IP = 81.2.69.143, Security negotiation complete for User (test_user) Responder, Inbound SPI = 0x0000000, Outbound SPI = 0x0000000
Apr 27 2020 02:03:03 dev01: %ASA-4-106023: Deny protocol 47 src outside:81.2.69.144 dst inside:172.31.98.44 by access-group "inbound"
Apr 27 2020 02:03:03 dev01: %ASA-4-106023: Deny icmp src OUTSIDE:2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 dst OUTSIDE:2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 (type 128, code 0) by access-group "OUTSIDE_in"
Apr 27 2020 02:03:03 dev01: %ASA-4-302016: Teardown UDP connection 123364823 for OUTSIDE:67.43.156.13/500 to identity:216.160.83.61/500 duration 92:24:20 bytes 4671944
May 5 19:02:25 dev01: %ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 0 per second, max configured rate is 8; Current average rate is 5 per second, max configured rate is 4; Cumulative total count is 19269
May 5 19:02:25 dev01: %ASA-4-733100: [ 192.168.0.1] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 6018
May 5 19:02:25 dev01: %ASA-4-733100: [ Port-5432 5432] drop rate-1 exceeded. Current burst rate is 8 per second, max configured rate is 10; Current average rate is 20 per second, max configured rate is 5; Cumulative total count is 12466
May 5 19:02:25 dev01: %ASA-4-733100: [ RDP 3389] drop rate-1 exceeded. Current burst rate is 63 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 3054
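Review bot: The new 302016 sample is written with severity 4 (`%ASA-4-302016`), while the other 3020xx connection samples visible in this file (302020, 302014, 302013) all use severity 6. If that is not deliberate, use `%ASA-6-302016` so the sample is consistent with its neighbours. The 713049 sample also drops the year (`Apr 27 02:03:03`) where the Apr 27 lines around it read `Apr 27 2020 02:03:03`; state whether this is meant to exercise the year-less timestamp format, or add the year to match.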