
Major Problem with Cisco ASA Add on

swapsplunk
Explorer

We are using Splunk Enterprise 6.3 and Cisco ASA add-on 3.2.6.

Below is a sample log from Cisco ASA:

%ASA-6-302020: Built inbound ICMP connection for faddr A.B.C.D/0 gaddr W.X.Y.Z/0 laddr W.X.Y.Z/0

Ideally, src should be A.B.C.D while the destination should be W.X.Y.Z, but in the results Splunk shows exactly the opposite. Has anyone encountered this problem? I think this is a problem with the Cisco ASA add-on. Normally, most of the traffic on ASA is inbound and outbound ICMP traffic. If we go for analysis of top traffic, the results are misleading.

Can someone please suggest any workaround on this? Or any permanent solution on this?

Daniel_K
Explorer

Anyone know if this is fixed in 3.4.0?

JHannan
Explorer

props.conf:

[cisco:asa]
EXTRACT-src_ip,dest_ip = 302020.*inbound.*faddr\s+(?<src_ip>[^\/]*)\/.*laddr\s+(?<dest_ip>[^\/]*)\/

@swapsplunk @mbagali_splunk

The original bug report was for regular connections like event id 302013/14 which contain session ids and interface values. Events such as ICMP (event id 302020) do not have these, so the parsing rule does not pick up the log and correct the error. Additionally, it's the INBOUND events that are reversed in 302020 logs, not the OUTBOUND connection. I've had to add the above extract to my props.conf file to correct the error.

Some sample logs for reference:

Apr 15 16:06:38 XXX.XXX.XXX.XXX %ASA-6-302013: Built inbound TCP connection 290446553 for Outside:###OUT_IP###/59187 (###OUT_IP###/59187)(LOCAL\UUUUUUUU) to Inside:###IN_IP###/443 (###IN_IP###/443)

Apr 19 2013 11:24:32 XXX.XXX.XXX.XXX %ASA-6-302020: Built inbound ICMP connection for faddr XXX.XXX.XXX.XXX/1(LOCAL\UUUUUUUU) gaddr XXX.XXX.XXX.XXX/0 laddr XXX.XXX.XXX.XXX/0 (UUUUUUUU)

By default, the address listed after faddr is assigned to dest_ip for inbound connections and the laddr address is assigned to src_ip.

mbagali_splunk
Splunk Employee

This is a known issue, for which JIRA ADDON-12426 (https://jira.splunk.com/browse/ADDON-12426) has been raised.

Affected Versions: 3.3.0, 3.2.6

Work-around:

Please add/modify the stanza below in ~etc/apps/Splunk_TA_cisco-asa/local/transforms.conf:

[reverse_src_dest_for_outbound]
REGEX = (?:[Oo]utbound|[tT]eardown)\s+\S+\s+connection\s+\d+\s+for\s+\S+\s*:\s*([^\s\/(]+)(?:\/(\w+))?(?:\((\S+)\))?\s*(?:\(([^\s\/(]+)?\/?(\d+)?\))?\s+to\s+[^:]+:\s*([^\s\/(]+)(?:\/(\w+))?(?:\((\S+)\))?\s*(?:\(([^\s\/(]+)?\/?(\d+)?\))?
FORMAT = dest_ip::$1 dest_port::$2 dest_user::$3 dest_translated_ip::$4 dest_translated_port::$5 src_ip::$6 src_port::$7 src_user::$8 src_translated_ip::$9 src_translated_port::$10
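To check both stanzas offline before touching a production search head, here is an added Python script (not from the thread, and not code from the Splunk_TA_cisco-asa add-on) that applies JHannan's EXTRACT and the REGEX/FORMAT transform above to constructed ASA events using RFC 5737 addresses; the (?<name>...) to (?P<name>...) rewrite, the helper names and the sample events are assumptions.

```python
import re

# Stanzas as posted in the thread. Splunk's named-group syntax is (?<name>...).
EXTRACT_ICMP_INBOUND = (r"302020.*inbound.*faddr\s+(?<src_ip>[^\/]*)\/"
                        r".*laddr\s+(?<dest_ip>[^\/]*)\/")
REVERSE_REGEX = (r"(?:[Oo]utbound|[tT]eardown)\s+\S+\s+connection\s+\d+\s+for\s+\S+\s*:\s*"
                 r"([^\s\/(]+)(?:\/(\w+))?(?:\((\S+)\))?\s*(?:\(([^\s\/(]+)?\/?(\d+)?\))?"
                 r"\s+to\s+[^:]+:\s*([^\s\/(]+)(?:\/(\w+))?(?:\((\S+)\))?\s*(?:\(([^\s\/(]+)?\/?(\d+)?\))?")
REVERSE_FORMAT = ("dest_ip::$1 dest_port::$2 dest_user::$3 dest_translated_ip::$4 "
                  "dest_translated_port::$5 src_ip::$6 src_port::$7 src_user::$8 "
                  "src_translated_ip::$9 src_translated_port::$10")

# Constructed sample events (assumption): RFC 5737 addresses, outside host 203.0.113.5,
# inside host 192.0.2.10. The ICMP event mirrors the one quoted at the top of the thread.
ICMP_INBOUND = ("%ASA-6-302020: Built inbound ICMP connection for faddr 203.0.113.5/0 "
                "gaddr 192.0.2.10/0 laddr 192.0.2.10/0")
TCP_TEARDOWN = ("%ASA-6-302014: Teardown TCP connection 290446553 for Outside:203.0.113.5/59187 "
                "to Inside:192.0.2.10/443 duration 0:00:01 bytes 1234 TCP FINs")


def pcre_to_python(regex):
    """Python's re only accepts (?P<name>...); lookbehinds (?<= and (?<! are left alone."""
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", regex)


def apply_extract(regex, event):
    """props.conf EXTRACT-*: every named group that matched becomes a field."""
    m = re.search(pcre_to_python(regex), event)
    return {k: v for k, v in m.groupdict().items() if v} if m else {}


def apply_transform(regex, fmt, event):
    """transforms.conf REGEX/FORMAT: $N in FORMAT is capture group N; empty groups are dropped."""
    m = re.search(regex, event)
    if not m:
        return {}
    fields = {}
    for token in fmt.split():
        name, ref = token.split("::")
        value = m.group(int(ref[1:]))
        if value:
            fields[name] = value
    return fields


def extract_fields(event):
    """Run both stanzas over one event; a stanza that does not match contributes nothing."""
    fields = apply_transform(REVERSE_REGEX, REVERSE_FORMAT, event)
    fields.update(apply_extract(EXTRACT_ICMP_INBOUND, event))
    return fields


if __name__ == "__main__":
    for ev in (ICMP_INBOUND, TCP_TEARDOWN):
        print(ev.split(":")[0], extract_fields(ev))
```

The transform never matches the 302020 event (no connection id, and "inbound" is not in its alternation), which is why the thread needed the separate EXTRACT; the teardown event shows the transform assigning the Outside address to dest_ip as intended.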

DATEVeG
Path Finder

I filed a Splunk bug for this error.
Has anyone fixed this locally already?


Monolith
Engager

I have the same issue. Will look into changing the check locally else I will have to make my own checks.
