diff --git a/packages/sonicwall_firewall/changelog.yml b/packages/sonicwall_firewall/changelog.yml
index 81d6381daf0..36db47da9fa 100644
--- a/packages/sonicwall_firewall/changelog.yml
+++ b/packages/sonicwall_firewall/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.1.1"
+  changes:
+    - description: Fix handling of NAT fields
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/3420
 - version: "0.1.0"
   changes:
     - description: Initial beta version of the package
diff --git a/packages/sonicwall_firewall/data_stream/log/_dev/test/pipeline/test-nat.log b/packages/sonicwall_firewall/data_stream/log/_dev/test/pipeline/test-nat.log
new file mode 100644
index 00000000000..7a0a829cdb4
--- /dev/null
+++ b/packages/sonicwall_firewall/data_stream/log/_dev/test/pipeline/test-nat.log
@@ -0,0 +1,4 @@
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:21" fw=10.0.0.96 pri=6 c=0 gcat=6 m=1235 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:54606:X1 srcZone=Untrusted natSrc=10.0.0.96 dstMac=00:17:c5:30:f9:d9 dst=169.254.169.254:80:X1 dstZone=Untrusted natDst=169.254.169.254 proto=tcp/http sent=52 app=9 msg="" note="stack traffic always trusted" n=153 fw_action="forward"
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:21" fw=10.0.0.96 pri=6 c=0 gcat=6 m=1235 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:54606:X1 srcZone=Untrusted natSrcV6=2a02:cf40::1 dstMac=00:17:c5:30:f9:d9 dst=169.254.169.254:80:X1 dstZone=Untrusted natDstV6=2a02:cf40::2 proto=tcp/http sent=52 app=9 msg="" note="stack traffic always trusted" n=153 fw_action="forward"
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:21" fw=10.0.0.96 pri=6 c=0 gcat=6 m=1235 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:54606:X1 srcZone=Untrusted natSrcV6=[2a02:cf40::1]:1234 dstMac=00:17:c5:30:f9:d9 dst=169.254.169.254:80:X1 dstZone=Untrusted natDstV6=[2a02:cf40::2]:5678 proto=tcp/http sent=52 app=9 msg="" note="stack traffic always trusted" n=153 fw_action="forward"
+<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:21" fw=10.0.0.96 pri=6 c=0 gcat=6 m=1235 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:54606:X1 srcZone=Untrusted natSrcV6=not_an_IP dstMac=00:17:c5:30:f9:d9 dst=169.254.169.254:80:X1 dstZone=Untrusted natDstV6=not_an_IP proto=tcp/http sent=52 app=9 msg="" note="stack traffic always trusted" n=153 fw_action="forward"
diff --git a/packages/sonicwall_firewall/data_stream/log/_dev/test/pipeline/test-nat.log-expected.json b/packages/sonicwall_firewall/data_stream/log/_dev/test/pipeline/test-nat.log-expected.json
new file mode 100644
index 00000000000..8493751e57c
--- /dev/null
+++ b/packages/sonicwall_firewall/data_stream/log/_dev/test/pipeline/test-nat.log-expected.json
@@ -0,0 +1,308 @@ +{ + "expected": [ + { + "@timestamp": "2022-05-16T08:19:21.000+02:00", + "destination": { + "ip": "169.254.169.254", + "mac": "00-17-C5-30-F9-D9", + "nat": { + "ip": "169.254.169.254" + }, + "port": 80 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "packet-forwarded", + "code": "1235", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:21\" fw=10.0.0.96 pri=6 c=0 gcat=6 m=1235 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:54606:X1 srcZone=Untrusted natSrc=10.0.0.96 dstMac=00:17:c5:30:f9:d9 dst=169.254.169.254:80:X1 dstZone=Untrusted natDst=169.254.169.254 proto=tcp/http sent=52 app=9 msg=\"\" note=\"stack traffic always trusted\" n=153 fw_action=\"forward\"", + "sequence": "153", + "severity": "6", + "timezone": "+02:00" + }, + "log": { + "level": "info" + }, + "message": " (stack traffic always trusted)", + "network": { + "bytes": 52, + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "169.254.169.254" + ] + }, + "sonicwall": { + "firewall": { + "app": "9", + "event_group_category": "Firewall Settings", + "gcat": "6" + } + }, + "source": { + "bytes": 52, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "nat": { + "ip": "10.0.0.96" + }, + "port": 54606 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-16T08:19:21.000+02:00", + "destination": { + "ip": "169.254.169.254", + "mac": "00-17-C5-30-F9-D9", + "nat": { + "ip": "2a02:cf40::2" + }, + "port": 80 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "packet-forwarded", + "code": "1235", + "original": "\u003c134\u003e id=firewall 
sn=0040103CE114 time=\"2022-05-16 08:19:21\" fw=10.0.0.96 pri=6 c=0 gcat=6 m=1235 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:54606:X1 srcZone=Untrusted natSrcV6=2a02:cf40::1 dstMac=00:17:c5:30:f9:d9 dst=169.254.169.254:80:X1 dstZone=Untrusted natDstV6=2a02:cf40::2 proto=tcp/http sent=52 app=9 msg=\"\" note=\"stack traffic always trusted\" n=153 fw_action=\"forward\"", + "sequence": "153", + "severity": "6", + "timezone": "+02:00" + }, + "log": { + "level": "info" + }, + "message": " (stack traffic always trusted)", + "network": { + "bytes": 52, + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "2a02:cf40::1", + "169.254.169.254", + "2a02:cf40::2" + ] + }, + "sonicwall": { + "firewall": { + "app": "9", + "event_group_category": "Firewall Settings", + "gcat": "6" + } + }, + "source": { + "bytes": 52, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "nat": { + "ip": "2a02:cf40::1" + }, + "port": 54606 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-16T08:19:21.000+02:00", + "destination": { + "ip": "169.254.169.254", + "mac": "00-17-C5-30-F9-D9", + "nat": { + "ip": "2a02:cf40::2", + "port": 5678 + }, + "port": 80 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "packet-forwarded", + "code": "1235", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:21\" fw=10.0.0.96 pri=6 c=0 gcat=6 m=1235 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:54606:X1 srcZone=Untrusted natSrcV6=[2a02:cf40::1]:1234 dstMac=00:17:c5:30:f9:d9 dst=169.254.169.254:80:X1 dstZone=Untrusted natDstV6=[2a02:cf40::2]:5678 proto=tcp/http sent=52 app=9 msg=\"\" 
note=\"stack traffic always trusted\" n=153 fw_action=\"forward\"", + "sequence": "153", + "severity": "6", + "timezone": "+02:00" + }, + "log": { + "level": "info" + }, + "message": " (stack traffic always trusted)", + "network": { + "bytes": 52, + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ingress": { + "interface": { + "name": "X1" + }, + "zone": "Untrusted" + }, + "ip": "10.0.0.96", + "name": "firewall", + "product": "SonicOS", + "serial_number": "0040103CE114", + "type": "firewall", + "vendor": "SonicWall" + }, + "related": { + "ip": [ + "10.0.0.96", + "2a02:cf40::1", + "169.254.169.254", + "2a02:cf40::2" + ] + }, + "sonicwall": { + "firewall": { + "app": "9", + "event_group_category": "Firewall Settings", + "gcat": "6" + } + }, + "source": { + "bytes": 52, + "ip": "10.0.0.96", + "mac": "00-06-B1-DD-4F-D4", + "nat": { + "ip": "2a02:cf40::1", + "port": 1234 + }, + "port": 54606 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-05-16T08:19:21.000+02:00", + "destination": { + "ip": "169.254.169.254", + "mac": "00-17-C5-30-F9-D9", + "port": 80 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "packet-forwarded", + "code": "1235", + "original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:21\" fw=10.0.0.96 pri=6 c=0 gcat=6 m=1235 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:54606:X1 srcZone=Untrusted natSrcV6=not_an_IP dstMac=00:17:c5:30:f9:d9 dst=169.254.169.254:80:X1 dstZone=Untrusted natDstV6=not_an_IP proto=tcp/http sent=52 app=9 msg=\"\" note=\"stack traffic always trusted\" n=153 fw_action=\"forward\"", + "sequence": "153", + "severity": "6", + "timezone": "+02:00" + }, + "log": { + "level": "info" + }, + "message": " (stack traffic always trusted)", + "network": { + "bytes": 52, + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + 
"zone": "Untrusted"
+                },
+                "ingress": {
+                    "interface": {
+                        "name": "X1"
+                    },
+                    "zone": "Untrusted"
+                },
+                "ip": "10.0.0.96",
+                "name": "firewall",
+                "product": "SonicOS",
+                "serial_number": "0040103CE114",
+                "type": "firewall",
+                "vendor": "SonicWall"
+            },
+            "related": {
+                "ip": [
+                    "10.0.0.96",
+                    "169.254.169.254"
+                ]
+            },
+            "sonicwall": {
+                "firewall": {
+                    "app": "9",
+                    "event_group_category": "Firewall Settings",
+                    "gcat": "6"
+                }
+            },
+            "source": {
+                "bytes": 52,
+                "ip": "10.0.0.96",
+                "mac": "00-06-B1-DD-4F-D4",
+                "port": 54606
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        }
+    ]
+}
\ No newline at end of file
diff --git a/packages/sonicwall_firewall/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/sonicwall_firewall/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index 6b6b9fd49d3..63d59111601 100644
--- a/packages/sonicwall_firewall/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/sonicwall_firewall/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -391,25 +391,21 @@ processors:
       field: _temp_.source_nat_ip
       description: Extracts optional port number from src nat field
       ignore_missing: true
+      ignore_failure: true
       patterns:
-        - '^%{IPV4:source.nat.ip}:%{POSINT:source.nat.port}$'
+        - '^%{IPV4:source.nat.ip}(:?:%{POSINT:source.nat.port})?$'
+        - '^%{IPV6:source.nat.ip}$'
         - '^\[%{IPV6:source.nat.ip}\]:%{POSINT:source.nat.port}$'
-      on_failure:
-        - convert:
-            field: _temp_.source_nat_ip
-            type: ip
   - grok:
       field: _temp_.destination_nat_ip
       description: Extracts optional port number from dst nat field
       ignore_missing: true
+      ignore_failure: true
       patterns:
-        - '^%{IPV4:destination.nat.ip}:%{POSINT:destination.nat.port}$'
+        - '^%{IPV4:destination.nat.ip}(:?:%{POSINT:destination.nat.port})?$'
+        - '^%{IPV6:destination.nat.ip}$'
         - '^\[%{IPV6:destination.nat.ip}\]:%{POSINT:destination.nat.port}$'
-      on_failure:
-        - convert:
-            field: _temp_.destination_nat_ip
-            type: ip
   #
   # Validate integer fields
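Review bot: The optional-port group in the two new IPv4 patterns reads `(:?:%{POSINT:…})?`, which is a capturing group of an optional colon followed by a literal colon rather than the non-capturing `(?::…)` it appears to be aiming for; it still matches `ip:port` but also accepts `ip::port`. The intended lines are `- '^%{IPV4:source.nat.ip}(?::%{POSINT:source.nat.port})?$'` and `- '^%{IPV4:destination.nat.ip}(?::%{POSINT:destination.nat.port})?$'`. The new test-nat.log fixture exercises bare IPv4, bare IPv6, bracketed IPv6 with port and an unparseable value, but no IPv4 `ip:port` case, so a regression in that group would not be caught; one more fixture line would pin it. With the `on_failure` convert removed and `ignore_failure: true` added, a NAT value that matches none of the patterns is now dropped with no trace in the event (the `not_an_IP` fixture case yields no nat fields and no error), which may be intended, but an analyst can no longer tell a malformed NAT field from an absent one; keeping the raw value in a package field or appending a tag would preserve that signal. The grok processor for the source NAT field begins before the hunk.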
diff --git a/packages/sonicwall_firewall/manifest.yml b/packages/sonicwall_firewall/manifest.yml
index 6d8a79c060a..82e3b862bc9 100644
--- a/packages/sonicwall_firewall/manifest.yml
+++ b/packages/sonicwall_firewall/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: sonicwall_firewall
 title: "SonicWall Firewall"
-version: 0.1.0
+version: 0.1.1
 license: basic
 release: beta
 description: "Integration for SonicWall firewall logs"