All Apps and Add-ons

Splunk Add-on for Cisco ASA - Warning: Need to modify the "transforms.conf" file if you have someone with "Deny" in their name or e-mail.

Path Finder

Hello - I come with a warning from an issue I just had recently and resolved. Hopefully this will get some visibility and possibly fixed in a later release of the add-on. This was tested with the latest version of this add-on (ver 3.4.0) and in reference to the log entry: %ASA-5-746012: user-identity: Add IP-User mapping IP Address - domain_name \user_name result - reason

If you are using this Add-On - please make a note to check if you have anyone in your org with the string "Deny" (Capital D) as part of their name or e-mail address. This would likely be someone named Denys or similar. As well as part of a last name, likely the leading characters.

ex:  
Cisco_ASA_user = LOCAL\Denys.Somelastname@yourdomain.com
Cisco_ASA_user = LOCAL\Bob.Denyan@yourdomain.com 

I have found that due to two weak regex entries in the transforms.conf file for the add-on, it will look for a "Deny" string (capital D) in the log entry from your ASAs to populate the [cisco_asa_vendor_action] and [vendor_action] fields. This results in a deny vendor action even when the actual result reason shows succeeded; per the logs.

[cisco_asa_vendor_action]
REGEX=([Aa]uthentication [Ss]ucceeded|[Aa]uthorization [Pp]ermitted|authentication Successful|passed authentication|Login permitted|Authentication failed|Authorization denied|Can't find authorization|Authentication Failed|authentication Rejected|credentials rejected|Authentication:Dropping|login warning|login failed|failed authentication|[Cc]onnection denied|Deny inbound|Deny|Terminating|action locally|Unable to Pre-allocate|denied\s[tcp|udp|icmp]+|access denied|access requested|access permitted|limit exceeded|Dropped|Dropping|[B|b]uilt|[pP]ermitted|whitelisted|Pre-allocated|Rebuilt|redirected|discarded)
FORMAT=vendor_action::$1

[cisco_asa_vendor_action_for_performance]
REGEX=([Aa]uthentication [Ss]ucceeded|[Aa]uthorization [Pp]ermitted|authentication Successful|passed authentication|Login permitted|Authentication failed|Authorization denied|Can't find authorization|Authentication Failed|authentication Rejected|credentials rejected|Authentication:Dropping|login warning|login failed|failed authentication|[Cc]onnection denied|Deny inbound|Deny|Terminating|action locally|Unable to Pre-allocate|denied\s[tcp|udp|icmp]+|access denied|access requested|access permitted|limit exceeded|Dropped|Dropping|[B|b]uilt|[pP]ermitted|whitelisted|Pre-allocated|Rebuilt|redirected|discarded)
FORMAT=Cisco_ASA_vendor_action::$1

You can see in the regex that it is looking through OR | statements to find Deny.

To resolve this I have found that throwing a \s after the Deny in the two stanzas listed above, will process the fields correctly for those people that have the string as part of their name or email. So |Deny\s| will fix it. The corrected regex is below. Be sure not to make the change under the default folder 😉

REGEX=([Aa]uthentication [Ss]ucceeded|[Aa]uthorization [Pp]ermitted|authentication Successful|passed authentication|Login permitted|Authentication failed|Authorization denied|Can't find authorization|Authentication Failed|authentication Rejected|credentials rejected|Authentication:Dropping|login warning|login failed|failed authentication|[Cc]onnection denied|Deny inbound|Deny\s|Terminating|action locally|Unable to Pre-allocate|denied\s[tcp|udp|icmp]+|access denied|access requested|access permitted|limit exceeded|Dropped|Dropping|[B|b]uilt|[pP]ermitted|whitelisted|Pre-allocated|Rebuilt|redirected|discarded)

Hope this helps!
-Chris

1 Solution

Path Finder

To resolve this I have found that throwing a \s after the Deny in the two stanzas listed above, will process the fields correctly for those people that have the string as part of their name or email. So |Deny\s| will fix it. The corrected regex is below. Be sure not to make the change under the default folder 😉

REGEX=([Aa]uthentication [Ss]ucceeded|[Aa]uthorization [Pp]ermitted|authentication Successful|passed authentication|Login permitted|Authentication failed|Authorization denied|Can't find authorization|Authentication Failed|authentication Rejected|credentials rejected|Authentication:Dropping|login warning|login failed|failed authentication|[Cc]onnection denied|Deny inbound|Deny\s|Terminating|action locally|Unable to Pre-allocate|denied\s[tcp|udp|icmp]+|access denied|access requested|access permitted|limit exceeded|Dropped|Dropping|[B|b]uilt|[pP]ermitted|whitelisted|Pre-allocated|Rebuilt|redirected|discarded)

View solution in original post

0 Karma

Path Finder

To resolve this I have found that throwing a \s after the Deny in the two stanzas listed above, will process the fields correctly for those people that have the string as part of their name or email. So |Deny\s| will fix it. The corrected regex is below. Be sure not to make the change under the default folder 😉

REGEX=([Aa]uthentication [Ss]ucceeded|[Aa]uthorization [Pp]ermitted|authentication Successful|passed authentication|Login permitted|Authentication failed|Authorization denied|Can't find authorization|Authentication Failed|authentication Rejected|credentials rejected|Authentication:Dropping|login warning|login failed|failed authentication|[Cc]onnection denied|Deny inbound|Deny\s|Terminating|action locally|Unable to Pre-allocate|denied\s[tcp|udp|icmp]+|access denied|access requested|access permitted|limit exceeded|Dropped|Dropping|[B|b]uilt|[pP]ermitted|whitelisted|Pre-allocated|Rebuilt|redirected|discarded)

View solution in original post

0 Karma