All Apps and Add-ons

Splunk Add-on for Cisco ASA - Warning: Need to modify the "transforms.conf" file if you have someone with "Deny" in their name or e-mail.

cchimento
Path Finder

Hello - I come with a warning from an issue I just had recently and resolved. Hopefully this will get some visibility and possibly fixed in a later release of the add-on. This was tested with the latest version of this add-on (ver 3.4.0) and in reference to the log entry: %ASA-5-746012: user-identity: Add IP-User mapping IP Address - domain_name \user_name result - reason

If you are using this Add-On - please make a note to check if you have anyone in your org with the string "Deny" (Capital D) as part of their name or e-mail address. This would likely be someone named Denys or similar. As well as part of a last name, likely the leading characters.

ex:  
Cisco_ASA_user = LOCAL\Denys.Somelastname@yourdomain.com
Cisco_ASA_user = LOCAL\Bob.Denyan@yourdomain.com 

I have found that due to two weak regex entries in the transforms.conf file for the add-on, it will look for a "Deny" string (capital D) in the log entry from your ASAs to populate the [cisco_asa_vendor_action] and [vendor_action] fields. This results in a deny vendor action even when the actual result reason shows succeeded; per the logs.

[cisco_asa_vendor_action]
REGEX=([Aa]uthentication [Ss]ucceeded|[Aa]uthorization [Pp]ermitted|authentication Successful|passed authentication|Login permitted|Authentication failed|Authorization denied|Can't find authorization|Authentication Failed|authentication Rejected|credentials rejected|Authentication:Dropping|login warning|login failed|failed authentication|[Cc]onnection denied|Deny inbound|Deny|Terminating|action locally|Unable to Pre-allocate|denied\s[tcp|udp|icmp]+|access denied|access requested|access permitted|limit exceeded|Dropped|Dropping|[B|b]uilt|[pP]ermitted|whitelisted|Pre-allocated|Rebuilt|redirected|discarded)
FORMAT=vendor_action::$1

[cisco_asa_vendor_action_for_performance]
REGEX=([Aa]uthentication [Ss]ucceeded|[Aa]uthorization [Pp]ermitted|authentication Successful|passed authentication|Login permitted|Authentication failed|Authorization denied|Can't find authorization|Authentication Failed|authentication Rejected|credentials rejected|Authentication:Dropping|login warning|login failed|failed authentication|[Cc]onnection denied|Deny inbound|Deny|Terminating|action locally|Unable to Pre-allocate|denied\s[tcp|udp|icmp]+|access denied|access requested|access permitted|limit exceeded|Dropped|Dropping|[B|b]uilt|[pP]ermitted|whitelisted|Pre-allocated|Rebuilt|redirected|discarded)
FORMAT=Cisco_ASA_vendor_action::$1

You can see in the regex that it is looking through OR | statements to find Deny.

To resolve this I have found that throwing a \s after the Deny in the two stanzas listed above, will process the fields correctly for those people that have the string as part of their name or email. So |Deny\s| will fix it. The corrected regex is below. Be sure not to make the change under the default folder 😉

REGEX=([Aa]uthentication [Ss]ucceeded|[Aa]uthorization [Pp]ermitted|authentication Successful|passed authentication|Login permitted|Authentication failed|Authorization denied|Can't find authorization|Authentication Failed|authentication Rejected|credentials rejected|Authentication:Dropping|login warning|login failed|failed authentication|[Cc]onnection denied|Deny inbound|Deny\s|Terminating|action locally|Unable to Pre-allocate|denied\s[tcp|udp|icmp]+|access denied|access requested|access permitted|limit exceeded|Dropped|Dropping|[B|b]uilt|[pP]ermitted|whitelisted|Pre-allocated|Rebuilt|redirected|discarded)

Hope this helps!
-Chris

1 Solution

cchimento
Path Finder

To resolve this I have found that throwing a \s after the Deny in the two stanzas listed above, will process the fields correctly for those people that have the string as part of their name or email. So |Deny\s| will fix it. The corrected regex is below. Be sure not to make the change under the default folder 😉

REGEX=([Aa]uthentication [Ss]ucceeded|[Aa]uthorization [Pp]ermitted|authentication Successful|passed authentication|Login permitted|Authentication failed|Authorization denied|Can't find authorization|Authentication Failed|authentication Rejected|credentials rejected|Authentication:Dropping|login warning|login failed|failed authentication|[Cc]onnection denied|Deny inbound|Deny\s|Terminating|action locally|Unable to Pre-allocate|denied\s[tcp|udp|icmp]+|access denied|access requested|access permitted|limit exceeded|Dropped|Dropping|[B|b]uilt|[pP]ermitted|whitelisted|Pre-allocated|Rebuilt|redirected|discarded)

View solution in original post

0 Karma

cchimento
Path Finder

To resolve this I have found that throwing a \s after the Deny in the two stanzas listed above, will process the fields correctly for those people that have the string as part of their name or email. So |Deny\s| will fix it. The corrected regex is below. Be sure not to make the change under the default folder 😉

REGEX=([Aa]uthentication [Ss]ucceeded|[Aa]uthorization [Pp]ermitted|authentication Successful|passed authentication|Login permitted|Authentication failed|Authorization denied|Can't find authorization|Authentication Failed|authentication Rejected|credentials rejected|Authentication:Dropping|login warning|login failed|failed authentication|[Cc]onnection denied|Deny inbound|Deny\s|Terminating|action locally|Unable to Pre-allocate|denied\s[tcp|udp|icmp]+|access denied|access requested|access permitted|limit exceeded|Dropped|Dropping|[B|b]uilt|[pP]ermitted|whitelisted|Pre-allocated|Rebuilt|redirected|discarded)
0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...