
Add detection of ASA access list events #270

Closed
wants to merge 4 commits into from

Conversation

candlerb

@candlerb candlerb commented Jan 22, 2019

  • Rename 0210-pix_decoders to move it before 0065-cisco-ios_decoders
  • Add detection of ASA access list events
  • Extend 0060-firewall_rules so that it recognises "Deny" and "denied" as well as "DROP"
    Note: this also changes recognition of "%SEC-6-IPACCESSLOGP ... denied" which is now recognised as a 'Firewall drop event', rather than just 'Firewall rules grouped'
  • Add test cases for ASA and PIX messages

Fixes #269

@candlerb candlerb changed the title Candlerb/decode pix events Add detection of ASA access list events Jan 22, 2019
@candlerb candlerb force-pushed the candlerb/decode-pix-events branch from c2f8358 to 9484686 Compare January 22, 2019 21:04
@elwali10 elwali10 requested review from jesuslinares, migruiz4 and SitoRBJ and removed request for jesuslinares and migruiz4 January 25, 2019 07:31
Extend 0060-firewall_rules so that it recognises "Deny" and
"denied" as well as "DROP"

Note: this also changes recognition of "%SEC-6-IPACCESSLOGP
... denied" which is now recognised as a 'Firewall drop event',
rather than just 'Firewall rules grouped'

Fixes wazuh#269
@candlerb candlerb force-pushed the candlerb/decode-pix-events branch from 9484686 to a4afcd8 Compare January 31, 2019 08:21
@candlerb
Author

Rebased to current master

@joselopezrio

Hello Team,
this PR presents conflicts.
When renaming and changing the position of the pix_decoders.xml file from 0210-pix_decoders.xml to 0062-pix_decoders.xml, it breaks 0065-cisco-ios_decoders.xml, since logs that should be decoded by the cisco decoders are being decoded by the pix decoders instead.
Here is an example:

------------------------------------------------------------
Failed: Exit code = 3
        Alert     = 3
        Rule      = 64004
        Decoder   = cisco-asa
        Section   = cisco asa: warning message
        line name = log 5 pass

2020/03/11 15:33:51 ossec-testrule: INFO: Started (pid: 9702).
ossec-testrule: Type one log per line.



**Phase 1: Completed pre-decoding.
       full event: '%ASA-4-500004: Invalid transport field for protocol=UDP, from 10.235.91.49/45682 to 80.98.44.227/0'
       timestamp: '(null)'
       hostname: 'centos-7-16'
       program_name: '(null)'
       log: '%ASA-4-500004: Invalid transport field for protocol=UDP, from 10.235.91.49/45682 to 80.98.44.227/0'

**Phase 2: Completed decoding.
       decoder: 'pix'
       id: '4-500004'

**Phase 3: Completed filtering (rules).
       Rule id: '4313'
       Level: '4'
       Description: 'PIX warning message.'
**Alert to be generated.


lf->decoder_info->name: 'pix'
ut_decoder_name       : 'cisco-asa'
decoder matched : 'pix'
decoder expected: 'cisco-asa'

Regards,
Jose Manuel Lopez

@vikman90 vikman90 changed the base branch from 3.10 to develop July 31, 2020 12:11
@vikman90 vikman90 changed the base branch from develop to master September 25, 2020 08:21
@candlerb
Author

candlerb commented Dec 8, 2020

this PR presents conflicts.
When renaming and changing the position of the pix_decoders.xml file from 0210-pix_decoders.xml to 0062-pix_decoders.xml it breaks the 0065-cisco-ios_decoders.xml since logs that should be decoded by the cisco decoders are being decoded by the pix decoders instead.

Is this still an issue?

Checking current git head, the ruleset has:

  • rules/0065-pix_rules.xml - with <decoded_as>pix</decoded_as>
  • rules/0075-cisco-ios_rules.xml - with <decoded_as>cisco-ios</decoded_as>
  • rules/0625-cisco-asa_rules.xml with <decoded_as>cisco-asa</decoded_as> and also explicitly matches %ASA

Now, decoders/0210-pix_decoders.xml has:

<decoder name="pix">
  <prematch>^%PIX-|^\w\w\w \d\d \d\d\d\d \d\d:\d\d:\d\d: %PIX-|</prematch>
  <prematch>^%ASA-|^\w\w\w \d\d \d\d\d\d \d\d:\d\d:\d\d: %ASA-|</prematch>
  <prematch>^%FWSM-|^\w\w\w \d\d \d\d\d\d \d\d:\d\d:\d\d: %FWSM-</prematch>
</decoder>

%ASA probably shouldn't be there. However decoders/0064-cisco-asa_decoders.xml comes before this, and it has

<decoder name="cisco-asa">
    <prematch>^%ASA-</prematch>
</decoder>

So AFAICS this should be working now, except perhaps a match like ^\w\w\w \d\d \d\d\d\d \d\d:\d\d:\d\d: %ASA- would be treated as pix rather than asa. I don't have a current test setup to try this with.
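To make the ordering question concrete, here is an added simulation (not code from the wazuh-ruleset project) that applies the two prematch expressions quoted above in the two file orders discussed in this thread: the PR's 0062-pix before 0064-cisco-asa, which reproduces the mismatch in Jose's test output, and the current head's 0064-cisco-asa before 0210-pix, which also shows the timestamp-prefixed %ASA- case candlerb raises. It assumes decoders are tried in filename order with the first prematch hit winning, that Wazuh concatenates a decoder's several <prematch> lines (hence the trailing "|"), and that OSSEC's \w and \d map onto Python's; the sample log lines are constructed.

```python
import re

# Prematch lines as quoted in the thread (OSSEC regex syntax). The three
# <prematch> lines of the pix decoder are joined into one alternation, which is
# what the trailing '|' on each line is for (assumption about Wazuh's loader).
PIX_PREMATCH = (
    r"^%PIX-|^\w\w\w \d\d \d\d\d\d \d\d:\d\d:\d\d: %PIX-|"
    r"^%ASA-|^\w\w\w \d\d \d\d\d\d \d\d:\d\d:\d\d: %ASA-|"
    r"^%FWSM-|^\w\w\w \d\d \d\d\d\d \d\d:\d\d:\d\d: %FWSM-"
)
CISCO_ASA_PREMATCH = r"^%ASA-"

# Simplified model (assumption): decoder files load in filename order and the
# first decoder whose prematch hits wins. The cisco-ios prematch is not quoted
# on the page, so only the two decoders from the thread are modelled.
PR_ORDER = [("0062-pix_decoders.xml", "pix", PIX_PREMATCH),
            ("0064-cisco-asa_decoders.xml", "cisco-asa", CISCO_ASA_PREMATCH)]
HEAD_ORDER = [("0064-cisco-asa_decoders.xml", "cisco-asa", CISCO_ASA_PREMATCH),
              ("0210-pix_decoders.xml", "pix", PIX_PREMATCH)]


def first_matching_decoder(log, decoders):
    """Return the name of the first decoder (by filename) whose prematch matches."""
    for _filename, name, prematch in sorted(decoders):
        if re.search(prematch, log):
            return name
    return None


# Constructed samples: the line from Jose's test run, a timestamp-prefixed
# variant of it, and a PIX line (connection id and address are made up).
ASA_LINE = ("%ASA-4-500004: Invalid transport field for protocol=UDP, "
            "from 10.235.91.49/45682 to 80.98.44.227/0")
ASA_TS_LINE = "Jan 22 2019 21:04:00: " + ASA_LINE
PIX_LINE = "%PIX-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.5/443"


def report():
    """Which decoder claims each sample line under each file ordering."""
    return {
        "pr_order_asa": first_matching_decoder(ASA_LINE, PR_ORDER),          # 'pix': the reported conflict
        "head_order_asa": first_matching_decoder(ASA_LINE, HEAD_ORDER),      # 'cisco-asa'
        "head_order_asa_ts": first_matching_decoder(ASA_TS_LINE, HEAD_ORDER),  # 'pix': remaining gap
        "head_order_pix": first_matching_decoder(PIX_LINE, HEAD_ORDER),      # 'pix'
    }


if __name__ == "__main__":
    for case, decoder in report().items():
        print(f"{case}: {decoder}")
```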

@72nomada 72nomada added threatintel Threat Intelligence threatintel/review is in review. waiting some feedback labels Jan 23, 2021
@jcruzlp

jcruzlp commented Jun 15, 2021

Closing this, it is managed by "wazuh-ruleset: Cisco rules and decoders improvements" wazuh/wazuh#7278

@jcruzlp jcruzlp closed this Jun 15, 2021
Successfully merging this pull request may close these issues.

PIX/ASA decoder disabled by Cisco IOS decoder