All Apps and Add-ons

Cisco ASA with APP Splunk_TA_cisco-asa - wrong parsing of IPv6 address

tmayer
Explorer

Hi,
I am using the Splunk_TA_cisco-asa in the latest Version 3.1.0 and feeding ASA Syslogs.
As I run my ASA in Dual Stack with both IPv4 and IPv6, i saw that the following fields are not parsed correctly for some syslogs messages:
src_ipv6
dst_ipv6

The issue is that the IPv6 addresses are loosing the first part (here it is the "2001"):

the SYSLOG IDs in question are 302020 and 302021

Dec 17 13:10:00 172.16.10.220 Dec 17 2014 13:10:09 munlab-spyker1 : %ASA-6-302021: Teardown ICMP connection for faddr fe80::c671:feff:fe67:5e48/0 gaddr 2001:420:44e6:2010::2013/0 laddr 2001:420:44e6:2010::2013/0

dest_ipv6 = fe80::c671:feff:fe67:5e48
dvc = 172.16.10.220
host = 172.16.10.220
src_ipv6 = 420:44e6:2010::2013
transport = ICMP

Dec 17 13:09:58 172.16.10.220 Dec 17 2014 13:10:07 munlab-spyker1 : %ASA-6-302020: Built outbound ICMP connection for faddr fe80::c671:feff:fe67:5e48/0 gaddr 2001:420:44e6:2010::2013/0 laddr 2001:420:44e6:2010::2013/0

dest_ipv6 = fe80::c671:feff:fe67:5e48
direction = outbound
dvc = 172.16.10.220
host = 172.16.10.220
src_ipv6 = 420:44e6:2010::2013
transport = ICMP

Is this a known bug?

Thanks,
Toby

mikaelbje
Motivator

I've taken a stab at this and I believe I have a working solution. It will work until IANA starts allocating additional IPv6 blocks AND/OR someone starts naming their Cisco ASA interfaces in digits. Whenever the former happens, just update the regex for the cisco_source_ipv6 and cisco_destination_ipv6 stanzas. When the latter happens, abandon all hope.

Splunk_TA_cisco-asa/local/transforms.conf:

# Exclude IANA allocated blocks from src_zone and dest_zone
# https://www.iana.org/assignments/ipv6-unicast-address-assignments/ipv6-unicast-address-assignments.xhtml
# Tested and verified with Splunk_TA_cisco-asa v3.3.0
[cisco_source_ipv6]
REGEX = \s+(?:from|for|src(?! user)) (?:(?:(?!faddr|2001|2002|2003|240[0-f]|260[0-f]|2610|2620|280[0-f]|2a0[0-f]|2c0[0-f])([^:]+)):)?((?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{0,4}|:[0-9A-Fa-f]{1,4})?|(?::[0-9A-Fa-f]{1,4}){0,2})|(?::[0-9A-Fa-f]{1,4}){0,3})|(?::[0-9A-Fa-f]{1,4}){0,4})|:(?::[0-9A-Fa-f]{1,4}){0,5})(?:(?::[0-9A-Fa-f]{1,4}){2}|:(?:25[0-5]|(?:2[0-4]|1[0-9]|[1-9])?[0-9])(?:\.(?:25[0-5]|(?:2[0-4]|1[0-9]|[1-9])?[0-9])){3})|(?:(?:[0-9A-Fa-f]{1,4}:){1,6}|:):[0-9A-Fa-f]{0,4}|(?:[0-9A-Fa-f]{1,4}:){7}:)(?:\/(\S+))?\s*
FORMAT = src_zone::$1 src_ipv6::$2 src_port::$3

[cisco_destination_ipv6]
REGEX = \s+(?:to|dst(?! user)) (?:(?:(?!2001|2002|2003|240[0-f]|260[0-f]|2610|2620|280[0-f]|2a0[0-f]|2c0[0-f])([^:]+)):)?((?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{0,4}|:[0-9A-Fa-f]{1,4})?|(?::[0-9A-Fa-f]{1,4}){0,2})|(?::[0-9A-Fa-f]{1,4}){0,3})|(?::[0-9A-Fa-f]{1,4}){0,4})|:(?::[0-9A-Fa-f]{1,4}){0,5})(?:(?::[0-9A-Fa-f]{1,4}){2}|:(?:25[0-5]|(?:2[0-4]|1[0-9]|[1-9])?[0-9])(?:\.(?:25[0-5]|(?:2[0-4]|1[0-9]|[1-9])?[0-9])){3})|(?:(?:[0-9A-Fa-f]{1,4}:){1,6}|:):[0-9A-Fa-f]{0,4}|(?:[0-9A-Fa-f]{1,4}:){7}:)(?:\/(\S+))?\s*
FORMAT = dest_zone::$1 dest_ipv6::$2 dest_port::$3

[cisco_foreign_addr_port_ipv6]
REGEX = \sfaddr\s((?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{0,4}|:[0-9A-Fa-f]{1,4})?|(?::[0-9A-Fa-f]{1,4}){0,2})|(?::[0-9A-Fa-f]{1,4}){0,3})|(?::[0-9A-Fa-f]{1,4}){0,4})|:(?::[0-9A-Fa-f]{1,4}){0,5})(?:(?::[0-9A-Fa-f]{1,4}){2}|:(?:25[0-5]|(?:2[0-4]|1[0-9]|[1-9])?[0-9])(?:\.(?:25[0-5]|(?:2[0-4]|1[0-9]|[1-9])?[0-9])){3})|(?:(?:[0-9A-Fa-f]{1,4}:){1,6}|:):[0-9A-Fa-f]{0,4}|(?:[0-9A-Fa-f]{1,4}:){7}:)\/?(\d*)
FORMAT = dest_ipv6::$1 dest_port::$2

[cisco_local_addr_port_ipv6]
REGEX = \sladdr\s((?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{0,4}|:[0-9A-Fa-f]{1,4})?|(?::[0-9A-Fa-f]{1,4}){0,2})|(?::[0-9A-Fa-f]{1,4}){0,3})|(?::[0-9A-Fa-f]{1,4}){0,4})|:(?::[0-9A-Fa-f]{1,4}){0,5})(?:(?::[0-9A-Fa-f]{1,4}){2}|:(?:25[0-5]|(?:2[0-4]|1[0-9]|[1-9])?[0-9])(?:\.(?:25[0-5]|(?:2[0-4]|1[0-9]|[1-9])?[0-9])){3})|(?:(?:[0-9A-Fa-f]{1,4}:){1,6}|:):[0-9A-Fa-f]{0,4}|(?:[0-9A-Fa-f]{1,4}:){7}:)\/?(\d*)
FORMAT = src_ipv6::$1 src_port::$2

Splunk_TA_cisco-asa/local/props.conf:

[cisco:asa]
EVAL-dest = coalesce(dest,dest_ipv6,dest_ip)
EVAL-dest_ip = coalesce(dest,dest_ipv6,dest_ip)
0 Karma

olavandreas
Explorer

Screen dumpof IPv6 misparsing

I am also having this issue, where the parser is not interpreting the legal '::' in IPv6 addresses correctly. This issue is exacerbated (made worse) by Cisco's use of a colon in front of the IP address.

The prefix of the colon is the hostname, which is a random string, and can contain the legal a-f hex characters.

regex in cisco_destination_ipv6: \s+(?:to|dst(?! user)) (?:(\S+):)?((?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{0,4}|:[0-9A-Fa-f]{1,4})?|(?::[0-9A-Fa-f]{1,4}){0,2})|(?::[0-9A-Fa-f]{1,4}){0,3})|(?::[0-9A-Fa-f]{1,4}){0,4})|:(?::[0-9A-Fa-f]{1,4}){0,5})(?:(?::[0-9A-Fa-f]{1,4}){2}|:(?:25[0-5]|(?:2[0-4]|1[0-9]|[1-9])?[0-9])(?:.(?:25[0-5]|(?:2[0-4]|1[0-9]|[1-9])?[0-9])){3})|(?:(?:[0-9A-Fa-f]{1,4}:){1,6}|:):[0-9A-Fa-f]{0,4}|(?:[0-9A-Fa-f]{1,4}:){7}:)(?:/(\S+))?\s*

  • according to regex101.com this contains one error; an unescaped '/'.

regex in cisco_dest_ipv6: \s->\s(?:(\S+)/)?((?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{0,4}|:[0-9A-Fa-f]{1,4})?|(?::[0-9A-Fa-f]{1,4}){0,2})|(?::[0-9A-Fa-f]{1,4}){0,3})|(?::[0-9A-Fa-f]{1,4}){0,4})|:(?::[0-9A-Fa-f]{1,4}){0,5})(?:(?::[0-9A-Fa-f]{1,4}){2}|:(?:25[0-5]|(?:2[0-4]|1[0-9]|[1-9])?[0-9])(?:.(?:25[0-5]|(?:2[0-4]|1[0-9]|[1-9])?[0-9])){3})|(?:(?:[0-9A-Fa-f]{1,4}:){1,6}|:):[0-9A-Fa-f]{0,4}|(?:[0-9A-Fa-f]{1,4}:){7}:)((\d*))

suggested regex \s+(?:to|dst(?! user))\s+(?:([^\x3a]+)\x3a)?([0-9A-Fa-f:]{3,38})(?:\x2f(\d{1,5}))?
Just look for all chars exept ':' when capturing dest_zone.

0 Karma

jcoates_splunk
Splunk Employee
Splunk Employee

Sorry, it doesn't support IPv6 at this time.

0 Karma

mikaelbje
Motivator

Ding dong. Nearly 3 years later - still no IPv6?

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...