props.conf

[cisco:asa]
EXTRACT-src_ip,dest_ip = 302020.*inbound.*faddr\s+(?[^\/]*)\/.*laddr\s+(?[^\/]*)\/

@swapsplunk @mbagali_splunk

The original bug report was for regular connections like event id 302013/14 which contain session ids and interface values. Events such as ICMP (event id 302020) do not have these, so the parsing rule does not pick up the log and correct the error. Additionally, it's the INBOUND events that are reversed in 302020 logs, not the OUTBOUND connection. I've had to add the above extract to my props.conf file to correct the error.

Some sample logs for reference:

Apr 15 16:06:38 XXX.XXX.XXX.XXX %ASA-6-302013: Built inbound TCP connection 290446553 for Outside:###OUT_IP###/59187 (###OUT_IP###/59187)(LOCAL\UUUUUUUU) to Inside:###IN_IP###/443 (###IN_IP###/443)

Apr 19 2013 11:24:32 XXX.XXX.XXX.XXX %ASA-6-302020: Built inbound ICMP connection for faddr XXX.XXX.XXX.XXX/1(LOCAL\UUUUUUUU) gaddr XXX.XXX.XXX.XXX/0 laddr XXX.XXX.XXX.XXX/0 (UUUUUUUU)

By default, the address listed after faddr is assigned to dest_ip for inbound connections and the laddr address is assigned to src_ip

This is a known issue for which JIRA " ADDON-12426 (https://jira.splunk.com/browse/ADDON-12426) " has been raised to address.

Affected Versions: 3.3.0, 3.2.6

Work-around:

Please add/ modify below stanza in ~etc/apps/Splunk_TA_cisco-asa/local/transforms.conf:

[reverse_src_dest_for_outbound] REGEX = (?:[Oo]utbound|[tT]eardown)\s+\S+\s+connection\s+\d+\s+for\s+\S+\s*:\s*([^\s\/(]+)(?:\/(\w+))?(?:((\S+)))?\s*(?([^\s\/(]+)?\/?(\d+)?)?\s+to\s+[^:]+:\s*([^\s\/(]+)(?:\/(\w+))?(?:((\S+)))?\s*(?([^\s\/(]+)?\/?(\d+)?)? FORMAT = dest_ip::$1 dest_port::$2 dest_user::$3 dest_translated_ip::$4 dest_translated_port::$5 src_ip::$6 src_port::$7 src_user::$8 src_translated_ip::$9 src_translated_port::$10

I filed a splunk bug for this error.
Has anyone fixed this locally already?

I have the same issue. Will look into changing the check locally else I will have to make my own checks.