add decoder for vpn aaa failure to cisco asa decoders #873

Open
kai-hier opened this issue Feb 7, 2024 · 1 comment
Comments

@kai-hier

kai-hier commented Feb 7, 2024

As of today, all Cisco "AAA user authentication Rejected" events are handled by the generic fallback cisco-asa decoder:

**Phase 1: Completed pre-decoding.
	full event: 'vpn04 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.157.48.36 : user = ***** : user IP = 84.118.205.121'

**Phase 2: Completed decoding.
	name: 'cisco-asa'
	parent: 'cisco-asa'
	id: '6-113005'

**Phase 3: Completed filtering (rules).
	id: '64018'
	level: '5'
	description: 'ASA: AAA (VPN) authentication failed.'
	groups: '["syslog","cisco","cisco-asa","authentication_failed"]'
	firedtimes: '1'
	gdpr: '["IV_35.7.d","IV_32.2"]'
	gpg13: '["7.1"]'
	mail: 'false'
	pci_dss: '["10.2.4","10.2.5"]'
	tsc: '["CC6.1","CC6.8","CC7.2","CC7.3"]'
**Alert to be generated.

I would like to have another decoder added which can extract the server IP and the user IP for further use in the dashboards.
I made one like the following and added it to the custom decoders, but it is ignored.

<decoder name="cisco-asa-aaa">
    <parent>cisco-asa</parent>
    <prematch offset="after_parent">6-13005</prematch>
    <regex offset="after_parent" type="pcre2">(\d-\w+): (AAA user authentication Rejected).:.\w+.=.(\w+\s\w+).:.\w+.=.(\d+\.\d+\.\d+\.\d+).:.*=.(\d+\.\d+\.\d+\.\d+)</regex>
    <order>id, description, reason, server_ip, scr_ip</order>
</decoder>
@htothek

htothek commented Apr 5, 2024

Hey! After working with your example a bit, I was able to accomplish this.

<!--
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.1.1.1 : user = htothek : user IP = 8.8.8.8
-->
<decoder name="cisco-asa-aaa">
    <parent>cisco-asa</parent>
    <prematch offset="after_parent">6-113005</prematch>
    <regex offset="after_parent">(6-113005): (AAA user authentication Rejected) : reason = (AAA failure) : server = (\S+) : user = (\w+) : user IP = (\S+)</regex>
    <order>id, description, reason, server, user, userpublic</order>
</decoder>
Apr  4 18:57:27 10.1.1.2 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.1.1.1 : user = htothek : user IP = 8.8.8.8

**Phase 1: Completed pre-decoding.
        full event: 'Apr  4 18:57:27 10.1.1.2 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.1.1.1 : user = htothek : user IP = 8.8.8.8'
        timestamp: 'Apr  4 18:57:27'
        hostname: '10.1.1.2'

**Phase 2: Completed decoding.
        name: 'cisco-asa'
        parent: 'cisco-asa'
        description: 'AAA user authentication Rejected'
        dstuser: 'htothek'
        id: '6-113005'
        reason: 'AAA failure'
        server: '10.1.1.1'
        userpublic: '8.8.8.8'

**Phase 3: Completed filtering (rules).
        id: '64018'
        level: '5'
        description: 'ASA: AAA (VPN) authentication failed.'
        groups: '['syslog', 'cisco', 'cisco-asa', 'authentication_failed']'
        firedtimes: '2'
        gdpr: '['IV_35.7.d', 'IV_32.2']'
        gpg13: '['7.1']'
        mail: 'False'
        pci_dss: '['10.2.4', '10.2.5']'
        tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.
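The decoder regex in the comment above can be checked outside of wazuh-logtest. The following is an added example, not code from this thread or from the Wazuh ruleset: it approximates the posted decoder with Python's `re` module (assumption: `\w`, `\S` and capture groups behave like the OS_Regex constructs for these inputs; the leading `%ASA-` stands in for `offset="after_parent"`), runs it over two constructed events modelled on the log lines quoted in both comments, and counts rejections per user IP the way a dashboard panel would. It also shows that `user = (\w+)` does not match the first comment's event, where the ASA masked the username as `*****`, while `\S+` accepts both forms.

```python
import re
from collections import Counter

# Decoder field order, taken from the <order> element of the posted decoder.
FIELDS = ("id", "description", "reason", "server", "user", "userpublic")


def build_pattern(user_class):
    """Compile the decoder regex; user_class is the character class used for the username.

    Assumption: Python re approximates OS_Regex for these constructs. The
    literal "%ASA-" emulates offset="after_parent", i.e. the cisco-asa parent
    decoder has already consumed the text up to and including that prefix.
    """
    return re.compile(
        r"%ASA-(6-113005): (AAA user authentication Rejected) : reason = (AAA failure)"
        r" : server = (\S+) : user = (" + user_class + r"+) : user IP = (\S+)"
    )


# As posted above: \w+ for the username.
STRICT = build_pattern(r"\w")
# Variant: \S+ also accepts a username the ASA has masked as "*****".
LENIENT = build_pattern(r"\S")


def decode(line, pattern=STRICT):
    """Return the decoded fields as a dict, or None if the decoder would not match."""
    m = pattern.search(line)
    return None if m is None else dict(zip(FIELDS, m.groups()))


# Constructed sample events, modelled on the two log lines quoted in this thread.
SAMPLE_LOGS = [
    "Apr  4 18:57:27 10.1.1.2 %ASA-6-113005: AAA user authentication Rejected"
    " : reason = AAA failure : server = 10.1.1.1 : user = htothek : user IP = 8.8.8.8",
    "vpn04 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure"
    " : server = 10.157.48.36 : user = ***** : user IP = 84.118.205.121",
]


def rejected_by_source(lines, pattern=LENIENT):
    """Count AAA rejections per user IP, the aggregation a dashboard panel would run."""
    counts = Counter()
    for line in lines:
        fields = decode(line, pattern)
        if fields is not None:
            counts[fields["userpublic"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print("strict :", decode(line, STRICT))
        print("lenient:", decode(line, LENIENT))
    print(rejected_by_source(SAMPLE_LOGS))
```

Running the script prints `None` for the strict decode of the masked-user event and a full field dict for the lenient one; the per-source count therefore only covers both events when the lenient pattern is used. Whether to loosen the username capture is a ruleset choice, but a decoder that silently skips masked usernames leaves those rejections at the generic 64018 rule without a source IP in the dashboard.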
