From c2f835896226615e98fbdf46eeea82cf0ab0e907 Mon Sep 17 00:00:00 2001
From: Brian Candler <b.candler@pobox.com>
Date: Tue, 22 Jan 2019 20:27:48 +0000
Subject: [PATCH] Decode ASA sourcefire (in-built IDS) drops

---
 decoders/0062-cisco-pix_decoders.xml    | 10 ++++++++++
 tools/rules-testing/tests/cisco_pix.ini |  9 ++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/decoders/0062-cisco-pix_decoders.xml b/decoders/0062-cisco-pix_decoders.xml
index e7709933b..a9b245ad3 100644
--- a/decoders/0062-cisco-pix_decoders.xml
+++ b/decoders/0062-cisco-pix_decoders.xml
@@ -39,6 +39,7 @@
   - %ASA-4-106100: access-list Service_access_in permitted tcp Service/10.0.0.19(22787) -> TestDMZ/192.0.2.44(445) hit-cnt 1 first hit [0xa9f307d2, 0x2e5c606f]
   - %ASA-2-106001: Inbound TCP connection denied from 1.2.3.4/1234 to 213.207.99.248/445 flags SYN on interface outside (Message repeated 2 times)
   - %ASA-4-313004: Denied ICMP type=0, from laddr 192.0.2.144 on interface DMZ to 10.0.0.22: no matching session
+  - %ASA-4-434002: SFR requested to drop TCP packet from outside:169.254.246.80/40188 to TestDMZ:192.0.2.104/22
   -->
 <decoder name="pix">
   <prematch>^%PIX-|^\w\w\w \d\d \d\d\d\d \d\d:\d\d:\d\d: %PIX-|</prematch>
@@ -145,6 +146,15 @@
   <order>id, action, protocol, srcip, dstip</order>
 </decoder>
 
+<decoder name="pix-sfr1">
+  <parent>pix</parent>
+  <type>ids</type>
+  <prematch offset="after_parent">^\d-434002</prematch>
+  <regex offset="after_parent">^(\S+): SFR requested to drop (\w+) packet</regex>
+  <regex> from \w+:(\S+)/(\d+) from \w+:(\S+)/(\d+)</regex>
+  <order>id, protocol, srcip, srcport, dstip, dstport</order>
+</decoder>
+
 <decoder name="pix-url-success">
   <parent>pix</parent>
   <prematch offset="after_parent">^5-304001: </prematch>
diff --git a/tools/rules-testing/tests/cisco_pix.ini b/tools/rules-testing/tests/cisco_pix.ini
index 5520d48ea..e4beedbb1 100644
--- a/tools/rules-testing/tests/cisco_pix.ini
+++ b/tools/rules-testing/tests/cisco_pix.ini
@@ -27,10 +27,17 @@ rule = 4104
 alert = 5
 decoder = pix
 
-[cisco pix asa: permitted]
+[cisco pix: permitted]
 log 1 pass = %PIX-7-710002: UDP access permitted from 33.33.33.4/943 to inside:33.33.33.15/snmp
 log 2 pass = %ASA-4-106100: access-list Service_access_in permitted tcp Service/10.0.0.19(22787) -> TestDMZ/192.0.2.44(445) hit-cnt 1 first hit [0xa9f307d2, 0x2e5c606f]
 
 rule = 4100
 alert = 0
 decoder = pix
+
+[cisco pix: sourcefire IDS]
+log 1 pass = %ASA-4-434002: SFR requested to drop TCP packet from outside:169.254.246.80/40188 to TestDMZ:192.0.2.104/22
+
+rule = 20101
+alert = 6
+decoder = pix