Decode another ASA deny variant (%ASA-4-313004)

wazuh · Jan 22, 2019 · 9d3c3ef · 9d3c3ef
1 parent ed7feab
commit 9d3c3ef
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 4 deletions.
diff --git a/decoders/0062-cisco-pix_decoders.xml b/decoders/0062-cisco-pix_decoders.xml
@@ -35,6 +35,10 @@
   - %PIX-6-305011: Built dynamic UDP translation from inside:192.168.1.2/1026 to outside:192.168.2.14/1163
   - %PIX-6-305011: Built dynamic TCP translation from inside:192.168.1.3/54946 to outside:192.168.2.14/1033
   - %PIX-6-302015: Built outbound UDP connection 156 for outside:192.168.2.10/1514 (192.168.2.10/1514) to inside:192.168.1.2/1026 (192.168.2.14/1163)
+  - %ASA-3-106100: access-list global_access denied tcp TestDMZ/192.0.2.43(47074) -> Service/10.0.0.65(53) hit-cnt 3 300-second interval [0xeea701c8, 0x43c6e6bd]
+  - %ASA-4-106100: access-list Service_access_in permitted tcp Service/10.0.0.19(22787) -> TestDMZ/192.0.2.44(445) hit-cnt 1 first hit [0xa9f307d2, 0x2e5c606f]
+  - %ASA-2-106001: Inbound TCP connection denied from 1.2.3.4/1234 to 213.207.99.248/445 flags SYN on interface outside (Message repeated 2 times)
+  - %ASA-4-313004: Denied ICMP type=0, from laddr 192.0.2.144 on interface DMZ to 10.0.0.22: no matching session
   -->
 <decoder name="pix">
   <prematch>^%PIX-|^\w\w\w \d\d \d\d\d\d \d\d:\d\d:\d\d: %PIX-|</prematch>
@@ -132,6 +136,15 @@
   <order>id, action, protocol, srcip, srcport, dstip, dstport, hit-cnt</order>
 </decoder>
 
+<decoder name="pix-fw11">
+  <parent>pix</parent>
+  <type>firewall</type>
+  <prematch offset="after_parent">^\d-313004</prematch>
+  <regex offset="after_parent">^(\S+): (\w+) (\w+) \.+from laddr (\S+)</regex>
+  <regex> on interface \w+ to (\S+):</regex>
+  <order>id, action, protocol, srcip, dstip</order>
+</decoder>
+
 <decoder name="pix-url-success">
   <parent>pix</parent>
   <prematch offset="after_parent">^5-304001: </prematch>

diff --git a/rules/0060-firewall_rules.xml b/rules/0060-firewall_rules.xml
@@ -39,6 +39,14 @@
     <group>firewall_drop,pci_dss_1.4,gpg13_4.12,gdpr_IV_35.7.d,</group>
   </rule>
 
+  <rule id="4104" level="5">
+    <if_sid>4100</if_sid>
+    <action>Denied</action>
+    <options>no_log</options>
+    <description>Firewall drop event.</description>
+    <group>firewall_drop,pci_dss_1.4,gpg13_4.12,gdpr_IV_35.7.d,</group>
+  </rule>
+
   <rule id="4151" level="10" frequency="18" timeframe="45" ignore="240">
     <if_matched_sid>4101</if_matched_sid>
     <same_source_ip />

diff --git a/tools/rules-testing/tests/cisco_pix.ini b/tools/rules-testing/tests/cisco_pix.ini
@@ -1,23 +1,32 @@
 # TODO: update the test framework so that it can check the src/dst ips and ports are captured
+# Note: Would be much cleaner if we could write <action>DROP|deny|denied|Denied</action> in a single rule
 
 [cisco pix: deny]
 log 1 pass = %PIX-3-106010: Deny inbound tcp src outside:213.98.79.233/2620 dst dmz:213.98.254.145/135
 log 2 pass = %PIX-3-106011: Deny inbound (No xlate) udp src outside:192.168.2.1/137 dst outside:192.168.2.14/137
-log 5 pass = %PIX-4-106023: Deny tcp src inside:111.11.11.1/2143 dst YYY:172.11.1.11/139 by access-group "inside_inbound"
+log 3 pass = %PIX-4-106023: Deny tcp src inside:111.11.11.1/2143 dst YYY:172.11.1.11/139 by access-group "inside_inbound"
 
 rule = 4102
 alert = 5
 decoder = pix
 
 [cisco pix: denied]
-log 3 pass = %PIX-3-710003: TCP access denied by ACL from 216.39.220.130/54065 to outside:62.192.113.98/ssh
-log 4 pass = %PIX-2-106002: udp connection denied by outbound list 30 src 216.53.120.62 138 dest 169.132.10.82 138
-log 6 pass = %ASA-3-106100: access-list global_access denied tcp TestDMZ/192.0.2.43(47074) -> Service/10.0.0.65(53) hit-cnt 3 300-second interval [0xeea701c8, 0x43c6e6bd]
+log 1 pass = %PIX-3-710003: TCP access denied by ACL from 216.39.220.130/54065 to outside:62.192.113.98/ssh
+log 2 pass = %PIX-2-106002: udp connection denied by outbound list 30 src 216.53.120.62 138 dest 169.132.10.82 138
+log 3 pass = %ASA-3-106100: access-list global_access denied tcp TestDMZ/192.0.2.43(47074) -> Service/10.0.0.65(53) hit-cnt 3 300-second interval [0xeea701c8, 0x43c6e6bd]
+log 4 pass = %ASA-2-106001: Inbound TCP connection denied from 1.2.3.4/1234 to 213.207.99.248/445 flags SYN on interface outside (Message repeated 2 times)
 
 rule = 4103
 alert = 5
 decoder = pix
 
+[cisco pix: Denied]
+log 1 pass = %ASA-4-313004: Denied ICMP type=0, from laddr 192.0.2.144 on interface DMZ to 10.0.0.22: no matching session
+
+rule = 4104
+alert = 5
+decoder = pix
+
 [cisco pix asa: permitted]
 log 1 pass = %PIX-7-710002: UDP access permitted from 33.33.33.4/943 to inside:33.33.33.15/snmp
 log 2 pass = %ASA-4-106100: access-list Service_access_in permitted tcp Service/10.0.0.19(22787) -> TestDMZ/192.0.2.44(445) hit-cnt 1 first hit [0xa9f307d2, 0x2e5c606f]