
Major Problem with Cisco ASA Add on

swapsplunk
Explorer

We are using Splunk Enterprise 6.3 and Cisco ASA add-on 3.2.6.

Below is the sample log from Cisco ASA

%ASA-6-302020: Built inbound ICMP connection for faddr A.B.C.D/0 gaddr W.X.Y.Z/0 laddr W.X.Y.Z/0

Ideally, src should be A.B.C.D while the destination should be W.X.Y.Z, but in the results Splunk shows exactly the opposite. Has anyone encountered this problem? I think this is a problem with the Cisco ASA add-on. Normally, most of the traffic on ASA is inbound and outbound ICMP traffic. If we go for analysis of top traffic, the results are misleading.

Can someone please suggest any workaround on this? Or any permanent solution on this?

Daniel_K
Explorer

Anyone know if this is fixed in 3.4.0?

JHannan
Explorer

props.conf

[cisco:asa]
EXTRACT-src_ip,dest_ip = 302020.*inbound.*faddr\s+(?<src_ip>[^\/]*)\/.*laddr\s+(?<dest_ip>[^\/]*)\/

@swapsplunk @mbagali_splunk

The original bug report was for regular connections like event id 302013/14 which contain session ids and interface values. Events such as ICMP (event id 302020) do not have these, so the parsing rule does not pick up the log and correct the error. Additionally, it's the INBOUND events that are reversed in 302020 logs, not the OUTBOUND connection. I've had to add the above extract to my props.conf file to correct the error.

Some sample logs for reference:

Apr 15 16:06:38 XXX.XXX.XXX.XXX %ASA-6-302013: Built inbound TCP connection 290446553 for Outside:###OUT_IP###/59187 (###OUT_IP###/59187)(LOCAL\UUUUUUUU) to Inside:###IN_IP###/443 (###IN_IP###/443)

Apr 19 2013 11:24:32 XXX.XXX.XXX.XXX %ASA-6-302020: Built inbound ICMP connection for faddr XXX.XXX.XXX.XXX/1(LOCAL\UUUUUUUU) gaddr XXX.XXX.XXX.XXX/0 laddr XXX.XXX.XXX.XXX/0 (UUUUUUUU)

By default, the address listed after faddr is assigned to dest_ip for inbound connections and the laddr address is assigned to src_ip.
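Added example (not code from any poster or from the Cisco ASA add-on): a Python re-implementation of the inbound-only EXTRACT above, beside a general 302020 parser that applies the faddr/laddr direction rule for both inbound and outbound events. The sample events and addresses are constructed, modelled on the lines quoted in this thread.

```python
import re

# Constructed sample events (RFC 5737 placeholder addresses), modelled on the
# %ASA-6-302020 lines quoted in the thread, including the optional "(user)" suffix.
SAMPLE_EVENTS = [
    "%ASA-6-302020: Built inbound ICMP connection for faddr 203.0.113.7/0 "
    "gaddr 198.51.100.5/0 laddr 192.0.2.10/0",
    "Apr 19 2013 11:24:32 10.0.0.1 %ASA-6-302020: Built outbound ICMP connection "
    "for faddr 203.0.113.7/1(LOCAL\\alice) gaddr 198.51.100.5/0 laddr 192.0.2.10/0 (bob)",
]

# Python-syntax equivalent of the props.conf EXTRACT posted above ((?P<name>) instead
# of (?<name>)). Like that extraction, it deliberately matches inbound events only.
INBOUND_EXTRACT = re.compile(
    r"302020.*inbound.*faddr\s+(?P<src_ip>[^/]*)/.*laddr\s+(?P<dest_ip>[^/]*)/"
)

# General 302020 parser: captures the direction and the three addresses and
# tolerates the "(user)" suffix after faddr seen in one of the quoted samples.
ICMP_302020 = re.compile(
    r"%ASA-\d-302020: Built (?P<direction>inbound|outbound) ICMP connection for "
    r"faddr (?P<faddr>[^/\s]+)/\d+(?:\((?P<fuser>[^)]*)\))?\s+"
    r"gaddr (?P<gaddr>[^/\s]+)/\d+\s+"
    r"laddr (?P<laddr>[^/\s]+)/\d+"
)


def parse_302020(event):
    """Return direction, src_ip, dest_ip and gaddr for a 302020 event, else None.

    faddr is the foreign host and laddr the local host. An inbound connection was
    initiated by the foreign host, so faddr is the source; an outbound connection
    was initiated by the local host, so laddr is the source.
    """
    m = ICMP_302020.search(event)
    if m is None:
        return None
    inbound = m.group("direction") == "inbound"
    return {
        "direction": m.group("direction"),
        "src_ip": m.group("faddr") if inbound else m.group("laddr"),
        "dest_ip": m.group("laddr") if inbound else m.group("faddr"),
        "gaddr": m.group("gaddr"),  # global (mapped) address, reported as-is
    }


def inbound_extract(event):
    """Apply the thread's inbound-only EXTRACT; return its fields or None."""
    m = INBOUND_EXTRACT.search(event)
    return m.groupdict() if m else None
```

Run both functions over the two samples to see that the EXTRACT leaves outbound 302020 events untouched, while the general parser swaps the roles of faddr and laddr according to direction.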

mbagali_splunk
Splunk Employee

This is a known issue, for which JIRA ADDON-12426 (https://jira.splunk.com/browse/ADDON-12426) has been raised to address it.

Affected Versions: 3.3.0, 3.2.6

Work-around:

Please add/modify the stanza below in ~etc/apps/Splunk_TA_cisco-asa/local/transforms.conf:

[reverse_src_dest_for_outbound]
REGEX = (?:[Oo]utbound|[tT]eardown)\s+\S+\s+connection\s+\d+\s+for\s+\S+\s*:\s*([^\s\/(]+)(?:\/(\w+))?(?:\((\S+)\))?\s*(?:\(([^\s\/(]+)?\/?(\d+)?\))?\s+to\s+[^:]+:\s*([^\s\/(]+)(?:\/(\w+))?(?:\((\S+)\))?\s*(?:\(([^\s\/(]+)?\/?(\d+)?\))?
FORMAT = dest_ip::$1 dest_port::$2 dest_user::$3 dest_translated_ip::$4 dest_translated_port::$5 src_ip::$6 src_port::$7 src_user::$8 src_translated_ip::$9 src_translated_port::$10

DATEVeG
Path Finder

I filed a Splunk bug for this error.
Has anyone fixed this locally already?


Monolith
Engager

I have the same issue. Will look into changing the check locally else I will have to make my own checks.
