
Cisco ASA with APP Splunk_TA_cisco-asa - wrong parsing of IPv6 address

tmayer
Explorer

Hi,
I am using the Splunk_TA_cisco-asa in the latest version 3.1.0 and feeding ASA syslogs.
As I run my ASA in dual stack with both IPv4 and IPv6, I saw that the following fields are not parsed correctly for some syslog messages:
src_ipv6
dst_ipv6

The issue is that the IPv6 addresses are losing the first part (here it is the "2001"):

the SYSLOG IDs in question are 302020 and 302021

Dec 17 13:10:00 172.16.10.220 Dec 17 2014 13:10:09 munlab-spyker1 : %ASA-6-302021: Teardown ICMP connection for faddr fe80::c671:feff:fe67:5e48/0 gaddr 2001:420:44e6:2010::2013/0 laddr 2001:420:44e6:2010::2013/0

dest_ipv6 = fe80::c671:feff:fe67:5e48
dvc = 172.16.10.220
host = 172.16.10.220
src_ipv6 = 420:44e6:2010::2013
transport = ICMP

Dec 17 13:09:58 172.16.10.220 Dec 17 2014 13:10:07 munlab-spyker1 : %ASA-6-302020: Built outbound ICMP connection for faddr fe80::c671:feff:fe67:5e48/0 gaddr 2001:420:44e6:2010::2013/0 laddr 2001:420:44e6:2010::2013/0

dest_ipv6 = fe80::c671:feff:fe67:5e48
direction = outbound
dvc = 172.16.10.220
host = 172.16.10.220
src_ipv6 = 420:44e6:2010::2013
transport = ICMP

Is this a known bug?

Thanks,
Toby

mikaelbje
Motivator

I've taken a stab at this and I believe I have a working solution. It will work until IANA starts allocating additional IPv6 blocks AND/OR someone starts naming their Cisco ASA interfaces in digits. Whenever the former happens, just update the regex for the cisco_source_ipv6 and cisco_destination_ipv6 stanzas. When the latter happens, abandon all hope.

Splunk_TA_cisco-asa/local/transforms.conf:

# Exclude IANA allocated blocks from src_zone and dest_zone
# https://www.iana.org/assignments/ipv6-unicast-address-assignments/ipv6-unicast-address-assignments.xhtml
# Tested and verified with Splunk_TA_cisco-asa v3.3.0
[cisco_source_ipv6]
REGEX = \s+(?:from|for|src(?! user)) (?:(?:(?!faddr|2001|2002|2003|240[0-f]|260[0-f]|2610|2620|280[0-f]|2a0[0-f]|2c0[0-f])([^:]+)):)?((?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{0,4}|:[0-9A-Fa-f]{1,4})?|(?::[0-9A-Fa-f]{1,4}){0,2})|(?::[0-9A-Fa-f]{1,4}){0,3})|(?::[0-9A-Fa-f]{1,4}){0,4})|:(?::[0-9A-Fa-f]{1,4}){0,5})(?:(?::[0-9A-Fa-f]{1,4}){2}|:(?:25[0-5]|(?:2[0-4]|1[0-9]|[1-9])?[0-9])(?:\.(?:25[0-5]|(?:2[0-4]|1[0-9]|[1-9])?[0-9])){3})|(?:(?:[0-9A-Fa-f]{1,4}:){1,6}|:):[0-9A-Fa-f]{0,4}|(?:[0-9A-Fa-f]{1,4}:){7}:)(?:\/(\S+))?\s*
FORMAT = src_zone::$1 src_ipv6::$2 src_port::$3

[cisco_destination_ipv6]
REGEX = \s+(?:to|dst(?! user)) (?:(?:(?!2001|2002|2003|240[0-f]|260[0-f]|2610|2620|280[0-f]|2a0[0-f]|2c0[0-f])([^:]+)):)?((?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{0,4}|:[0-9A-Fa-f]{1,4})?|(?::[0-9A-Fa-f]{1,4}){0,2})|(?::[0-9A-Fa-f]{1,4}){0,3})|(?::[0-9A-Fa-f]{1,4}){0,4})|:(?::[0-9A-Fa-f]{1,4}){0,5})(?:(?::[0-9A-Fa-f]{1,4}){2}|:(?:25[0-5]|(?:2[0-4]|1[0-9]|[1-9])?[0-9])(?:\.(?:25[0-5]|(?:2[0-4]|1[0-9]|[1-9])?[0-9])){3})|(?:(?:[0-9A-Fa-f]{1,4}:){1,6}|:):[0-9A-Fa-f]{0,4}|(?:[0-9A-Fa-f]{1,4}:){7}:)(?:\/(\S+))?\s*
FORMAT = dest_zone::$1 dest_ipv6::$2 dest_port::$3

[cisco_foreign_addr_port_ipv6]
REGEX = \sfaddr\s((?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{0,4}|:[0-9A-Fa-f]{1,4})?|(?::[0-9A-Fa-f]{1,4}){0,2})|(?::[0-9A-Fa-f]{1,4}){0,3})|(?::[0-9A-Fa-f]{1,4}){0,4})|:(?::[0-9A-Fa-f]{1,4}){0,5})(?:(?::[0-9A-Fa-f]{1,4}){2}|:(?:25[0-5]|(?:2[0-4]|1[0-9]|[1-9])?[0-9])(?:\.(?:25[0-5]|(?:2[0-4]|1[0-9]|[1-9])?[0-9])){3})|(?:(?:[0-9A-Fa-f]{1,4}:){1,6}|:):[0-9A-Fa-f]{0,4}|(?:[0-9A-Fa-f]{1,4}:){7}:)\/?(\d*)
FORMAT = dest_ipv6::$1 dest_port::$2

[cisco_local_addr_port_ipv6]
REGEX = \sladdr\s((?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{0,4}|:[0-9A-Fa-f]{1,4})?|(?::[0-9A-Fa-f]{1,4}){0,2})|(?::[0-9A-Fa-f]{1,4}){0,3})|(?::[0-9A-Fa-f]{1,4}){0,4})|:(?::[0-9A-Fa-f]{1,4}){0,5})(?:(?::[0-9A-Fa-f]{1,4}){2}|:(?:25[0-5]|(?:2[0-4]|1[0-9]|[1-9])?[0-9])(?:\.(?:25[0-5]|(?:2[0-4]|1[0-9]|[1-9])?[0-9])){3})|(?:(?:[0-9A-Fa-f]{1,4}:){1,6}|:):[0-9A-Fa-f]{0,4}|(?:[0-9A-Fa-f]{1,4}:){7}:)\/?(\d*)
FORMAT = src_ipv6::$1 src_port::$2

Splunk_TA_cisco-asa/local/props.conf:

[cisco:asa]
EVAL-dest = coalesce(dest,dest_ipv6,dest_ip)
EVAL-dest_ip = coalesce(dest,dest_ipv6,dest_ip)
0 Karma
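As an added illustration (not code from the thread or from the TA itself), the following Python script reproduces the misparse on the 302021 line from the question and contrasts it with the two approaches used in the transforms.conf above: no zone group at all for faddr/laddr, and an IANA-prefix lookahead in front of the zone group for keywords that do carry a zone. The shape of the buggy pattern, the loose IPv6 matcher and the zone-prefixed 302013 event are assumptions.

```python
import ipaddress
import re

# Loose IPv6 body matcher, enough for this demonstration; the TA's own pattern is far stricter.
IPV6 = r"[0-9A-Fa-f:]{3,39}"
# IANA-allocated global unicast prefixes, as listed in mikaelbje's transforms.conf above.
IANA = r"2001|2002|2003|240[0-f]|260[0-f]|2610|2620|280[0-f]|2a0[0-f]|2c0[0-f]"
TAIL = r"(?P<addr>" + IPV6 + r")(?:/(?P<port>\d+))?"

def buggy(keyword):
    # Assumed shape of the broken extraction: an optional "<zone>:" prefix captured with
    # [^:]+, which swallows the first hextet when the address carries no zone at all.
    return re.compile(r"\s" + keyword + r"\s(?:(?P<zone>[^:]+):)?" + TAIL)

def fixed_no_zone(keyword):
    # mikaelbje's faddr/laddr stanzas: 302020/302021 never carry a zone, so drop the group.
    return re.compile(r"\s" + keyword + r"\s" + TAIL)

def fixed_lookahead(keyword):
    # mikaelbje's from/for/src stanzas: a zone name must not look like an allocated prefix.
    return re.compile(r"\s" + keyword + r"\s(?:(?!" + IANA + r")(?P<zone>[^:]+):)?" + TAIL)

def extract(pattern, event):
    """Return (zone, ipv6, port, address_is_valid), or None when the keyword is absent."""
    m = pattern.search(event)
    if not m:
        return None
    g = m.groupdict()
    try:
        ipaddress.IPv6Address(g["addr"])
        valid = True
    except ValueError:
        valid = False
    return g.get("zone"), g["addr"], g.get("port"), valid

# The 302021 message from the question, plus one constructed zone-prefixed event
# ("for <zone>:<ipv6>/<port>", assumed shape) to exercise the zone group.
TEARDOWN = ("%ASA-6-302021: Teardown ICMP connection for faddr fe80::c671:feff:fe67:5e48/0 "
            "gaddr 2001:420:44e6:2010::2013/0 laddr 2001:420:44e6:2010::2013/0")
ZONED = "%ASA-6-302013: Built inbound TCP connection 4711 for outside:2001:db8::10/443"

if __name__ == "__main__":
    # Note: the buggy laddr result "420:44e6:2010::2013" is itself a valid IPv6 address,
    # so validating the extracted value alone cannot detect this misparse.
    for name, pat, ev in (("buggy laddr", buggy("laddr"), TEARDOWN),
                          ("fixed laddr", fixed_no_zone("laddr"), TEARDOWN),
                          ("buggy faddr", buggy("faddr"), TEARDOWN),
                          ("lookahead faddr", fixed_lookahead("faddr"), TEARDOWN),
                          ("lookahead for", fixed_lookahead("for"), ZONED)):
        print(name, "->", extract(pat, ev))
```

The "lookahead faddr" case shows why the faddr/laddr stanzas drop the zone group entirely: a link-local fe80 address is not in the IANA global unicast list, so the lookahead alone would still treat "fe80" as a zone.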

olavandreas
Explorer

Screen dump of IPv6 misparsing

I am also having this issue, where the parser is not interpreting the legal '::' in IPv6 addresses correctly. This issue is exacerbated (made worse) by Cisco's use of a colon in front of the IP address.

The prefix of the colon is the hostname, which is a random string, and can contain the legal a-f hex characters.

regex in cisco_destination_ipv6: \s+(?:to|dst(?! user)) (?:(\S+):)?((?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{0,4}|:[0-9A-Fa-f]{1,4})?|(?::[0-9A-Fa-f]{1,4}){0,2})|(?::[0-9A-Fa-f]{1,4}){0,3})|(?::[0-9A-Fa-f]{1,4}){0,4})|:(?::[0-9A-Fa-f]{1,4}){0,5})(?:(?::[0-9A-Fa-f]{1,4}){2}|:(?:25[0-5]|(?:2[0-4]|1[0-9]|[1-9])?[0-9])(?:.(?:25[0-5]|(?:2[0-4]|1[0-9]|[1-9])?[0-9])){3})|(?:(?:[0-9A-Fa-f]{1,4}:){1,6}|:):[0-9A-Fa-f]{0,4}|(?:[0-9A-Fa-f]{1,4}:){7}:)(?:/(\S+))?\s*

  • according to regex101.com this contains one error; an unescaped '/'.

regex in cisco_dest_ipv6: \s->\s(?:(\S+)/)?((?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{0,4}|:[0-9A-Fa-f]{1,4})?|(?::[0-9A-Fa-f]{1,4}){0,2})|(?::[0-9A-Fa-f]{1,4}){0,3})|(?::[0-9A-Fa-f]{1,4}){0,4})|:(?::[0-9A-Fa-f]{1,4}){0,5})(?:(?::[0-9A-Fa-f]{1,4}){2}|:(?:25[0-5]|(?:2[0-4]|1[0-9]|[1-9])?[0-9])(?:.(?:25[0-5]|(?:2[0-4]|1[0-9]|[1-9])?[0-9])){3})|(?:(?:[0-9A-Fa-f]{1,4}:){1,6}|:):[0-9A-Fa-f]{0,4}|(?:[0-9A-Fa-f]{1,4}:){7}:)((\d*))

suggested regex \s+(?:to|dst(?! user))\s+(?:([^\x3a]+)\x3a)?([0-9A-Fa-f:]{3,38})(?:\x2f(\d{1,5}))?
Just look for all chars except ':' when capturing dest_zone.

0 Karma

jcoates_splunk
Splunk Employee

Sorry, it doesn't support IPv6 at this time.

0 Karma

mikaelbje
Motivator

Ding dong. Nearly 3 years later - still no IPv6?

0 Karma