We are using Splunk Enterprise 6.3 and the Cisco ASA add-on 3.2.6.
Below is a sample log from the Cisco ASA:
%ASA-6-302020: Built inbound ICMP connection for faddr A.B.C.D/0 gaddr W.X.Y.Z/0 laddr W.X.Y.Z/0
Ideally src should be A.B.C.D while the destination should be W.X.Y.Z, but in the results Splunk shows exactly the opposite. Has anyone encountered this problem? I think this is a problem with the Cisco ASA add-on. Normally, most of the traffic on the ASA is inbound and outbound ICMP traffic, so if we analyze top traffic, the results are misleading.
Can someone please suggest any workaround on this? Or any permanent solution on this?
Anyone know if this is fixed in 3.4.0?
props.conf
[cisco:asa]
EXTRACT-src_ip,dest_ip = 302020.*inbound.*faddr\s+(?<src_ip>[^\/]*)\/.*laddr\s+(?<dest_ip>[^\/]*)\/
The original bug report was for regular connections like event IDs 302013/302014, which contain session IDs and interface values. Events such as ICMP (event ID 302020) do not have these, so the parsing rule does not pick up the log and correct the error. Additionally, it's the INBOUND events that are reversed in 302020 logs, not the OUTBOUND connections. I've had to add the above extract to my props.conf file to correct the error.
Some sample logs for reference:
Apr 15 16:06:38 XXX.XXX.XXX.XXX %ASA-6-302013: Built inbound TCP connection 290446553 for Outside:###OUT_IP###/59187 (###OUT_IP###/59187)(LOCAL\UUUUUUUU) to Inside:###IN_IP###/443 (###IN_IP###/443)
Apr 19 2013 11:24:32 XXX.XXX.XXX.XXX %ASA-6-302020: Built inbound ICMP connection for faddr XXX.XXX.XXX.XXX/1(LOCAL\UUUUUUUU) gaddr XXX.XXX.XXX.XXX/0 laddr XXX.XXX.XXX.XXX/0 (UUUUUUUU)
By default, the address listed after faddr is assigned to dest_ip for inbound connections and the laddr address is assigned to src_ip.
This is a known issue; JIRA ADDON-12426 (https://jira.splunk.com/browse/ADDON-12426) has been raised to address it.
Affected Versions: 3.3.0, 3.2.6
Work-around:
Please add/modify the stanza below in ~etc/apps/Splunk_TA_cisco-asa/local/transforms.conf:
[reverse_src_dest_for_outbound]
REGEX = (?:[Oo]utbound|[tT]eardown)\s+\S+\s+connection\s+\d+\s+for\s+\S+\s*:\s*([^\s\/(]+)(?:\/(\w+))?(?:\((\S+)\))?\s*\(?([^\s\/(]+)?\/?(\d+)?\)?\s+to\s+[^:]+:\s*([^\s\/(]+)(?:\/(\w+))?(?:\((\S+)\))?\s*\(?([^\s\/(]+)?\/?(\d+)?\)?
FORMAT = dest_ip::$1 dest_port::$2 dest_user::$3 dest_translated_ip::$4 dest_translated_port::$5 src_ip::$6 src_port::$7 src_user::$8 src_translated_ip::$9 src_translated_port::$10
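As an added example (not part of either answer above, and not code from the Splunk add-on), here is the props.conf EXTRACT for inbound 302020 events and the transforms.conf reversal stanza from the workaround, run in Python over constructed ASA lines. It shows why ICMP events fall through the outbound-reversal regex (no numeric connection ID, no interface prefix) and how the EXTRACT puts faddr back into src_ip. The `DEFAULT_ICMP` regex is a hypothetical model of the add-on's default faddr/laddr assignment as the thread describes it, not the add-on's real rule; the addresses are documentation-range samples; and Python's `re` needs `(?P<name>...)` where Splunk's PCRE accepts `(?<name>...)`, which is the only change to the posted regexes.

```python
import re

# Constructed sample events (documentation-range addresses, not real logs).
INBOUND_ICMP = (
    "Apr 19 2013 11:24:32 10.0.0.1 %ASA-6-302020: Built inbound ICMP connection "
    "for faddr 198.51.100.7/1(LOCAL\\alice) gaddr 192.0.2.10/0 laddr 192.0.2.10/0 (alice)"
)
OUTBOUND_ICMP = (
    "Apr 19 2013 11:24:33 10.0.0.1 %ASA-6-302020: Built outbound ICMP connection "
    "for faddr 198.51.100.7/0 gaddr 192.0.2.10/0 laddr 192.0.2.10/1"
)
OUTBOUND_TCP = (
    "Apr 15 16:06:40 10.0.0.1 %ASA-6-302013: Built outbound TCP connection 290446554 "
    "for Outside:203.0.113.10/443 (203.0.113.10/443) to Inside:192.168.1.20/51000 (192.168.1.20/51000)"
)

# transforms.conf [reverse_src_dest_for_outbound] REGEX from the workaround, split for
# readability. It needs "outbound"/"teardown", a numeric connection ID and an
# "interface:" prefix, none of which a 302020 ICMP event has.
REVERSE_OUTBOUND = re.compile(
    r"(?:[Oo]utbound|[tT]eardown)\s+\S+\s+connection\s+\d+\s+for\s+\S+\s*:\s*"
    r"([^\s\/(]+)(?:\/(\w+))?(?:\((\S+)\))?\s*\(?([^\s\/(]+)?\/?(\d+)?\)?"
    r"\s+to\s+[^:]+:\s*"
    r"([^\s\/(]+)(?:\/(\w+))?(?:\((\S+)\))?\s*\(?([^\s\/(]+)?\/?(\d+)?\)?"
)
# The FORMAT line (dest_ip::$1 ... src_translated_port::$10) as a list indexed by group.
REVERSE_FORMAT = [
    "dest_ip", "dest_port", "dest_user", "dest_translated_ip", "dest_translated_port",
    "src_ip", "src_port", "src_user", "src_translated_ip", "src_translated_port",
]

# props.conf EXTRACT-src_ip,dest_ip from the first answer, with (?P<...>) for Python.
INBOUND_ICMP_EXTRACT = re.compile(
    r"302020.*inbound.*faddr\s+(?P<src_ip>[^\/]*)\/.*laddr\s+(?P<dest_ip>[^\/]*)\/"
)

# Hypothetical model (assumption) of the add-on's default 302020 handling as the
# thread describes it: faddr -> dest_ip and laddr -> src_ip regardless of direction.
# That is right for outbound ICMP and reversed for inbound ICMP.
DEFAULT_ICMP = re.compile(r"302020.*faddr\s+([^\/]+)\/.*laddr\s+([^\/]+)\/")


def reverse_src_dest_for_outbound(event):
    """Apply the transforms.conf stanza; None when the event does not match it."""
    m = REVERSE_OUTBOUND.search(event)
    if not m:
        return None
    # Unset optional groups (e.g. dest_user) produce no field, as Splunk would do.
    return {name: m.group(i + 1) for i, name in enumerate(REVERSE_FORMAT) if m.group(i + 1)}


def default_icmp_fields(event):
    """The (modelled) default assignment the question complains about."""
    m = DEFAULT_ICMP.search(event)
    if not m:
        return None
    return {"dest_ip": m.group(1), "src_ip": m.group(2)}


def corrected_icmp_fields(event):
    """The props.conf EXTRACT: only inbound 302020 events, faddr becomes src_ip."""
    m = INBOUND_ICMP_EXTRACT.search(event)
    if not m:
        return None
    return m.groupdict()


def extract_fields(event):
    """Precedence: outbound reversal, then the inbound-ICMP fix, then the default."""
    return (reverse_src_dest_for_outbound(event)
            or corrected_icmp_fields(event)
            or default_icmp_fields(event))


if __name__ == "__main__":
    for label, ev in (("inbound ICMP", INBOUND_ICMP),
                      ("outbound ICMP", OUTBOUND_ICMP),
                      ("outbound TCP", OUTBOUND_TCP)):
        print(f"{label:14s} default : {default_icmp_fields(ev)}")
        print(f"{label:14s} fixed   : {extract_fields(ev)}")
```

Running it shows the inbound ICMP event getting src_ip 198.51.100.7 / dest_ip 192.0.2.10 once the EXTRACT is applied, the outbound ICMP event keeping its (already correct) default assignment because the EXTRACT requires the word "inbound", and the outbound TCP event being handled entirely by the reversal stanza.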
I filed a splunk bug for this error.
Has anyone fixed this locally already?
I have the same issue. I will look into changing the check locally; otherwise I will have to make my own checks.