5 changes: 5 additions & 0 deletions packages/sonicwall_firewall/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "0.1.1"
changes:
- description: Fix handling of NAT fields
type: bugfix
link: https://github.com/elastic/integrations/pull/3420
- version: "0.1.0"
changes:
- description: Initial beta version of the package
@@ -0,0 +1,4 @@
<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:21" fw=10.0.0.96 pri=6 c=0 gcat=6 m=1235 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:54606:X1 srcZone=Untrusted natSrc=10.0.0.96 dstMac=00:17:c5:30:f9:d9 dst=169.254.169.254:80:X1 dstZone=Untrusted natDst=169.254.169.254 proto=tcp/http sent=52 app=9 msg="" note="stack traffic always trusted" n=153 fw_action="forward"
<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:21" fw=10.0.0.96 pri=6 c=0 gcat=6 m=1235 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:54606:X1 srcZone=Untrusted natSrcV6=2a02:cf40::1 dstMac=00:17:c5:30:f9:d9 dst=169.254.169.254:80:X1 dstZone=Untrusted natDstV6=2a02:cf40::2 proto=tcp/http sent=52 app=9 msg="" note="stack traffic always trusted" n=153 fw_action="forward"
<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:21" fw=10.0.0.96 pri=6 c=0 gcat=6 m=1235 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:54606:X1 srcZone=Untrusted natSrcV6=[2a02:cf40::1]:1234 dstMac=00:17:c5:30:f9:d9 dst=169.254.169.254:80:X1 dstZone=Untrusted natDstV6=[2a02:cf40::2]:5678 proto=tcp/http sent=52 app=9 msg="" note="stack traffic always trusted" n=153 fw_action="forward"
<134> id=firewall sn=0040103CE114 time="2022-05-16 08:19:21" fw=10.0.0.96 pri=6 c=0 gcat=6 m=1235 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:54606:X1 srcZone=Untrusted natSrcV6=not_an_IP dstMac=00:17:c5:30:f9:d9 dst=169.254.169.254:80:X1 dstZone=Untrusted natDstV6=not_an_IP proto=tcp/http sent=52 app=9 msg="" note="stack traffic always trusted" n=153 fw_action="forward"
@@ -0,0 +1,308 @@
{
"expected": [
{
"@timestamp": "2022-05-16T08:19:21.000+02:00",
"destination": {
"ip": "169.254.169.254",
"mac": "00-17-C5-30-F9-D9",
"nat": {
"ip": "169.254.169.254"
},
"port": 80
},
"ecs": {
"version": "8.2.0"
},
"event": {
"action": "packet-forwarded",
"code": "1235",
"original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:21\" fw=10.0.0.96 pri=6 c=0 gcat=6 m=1235 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:54606:X1 srcZone=Untrusted natSrc=10.0.0.96 dstMac=00:17:c5:30:f9:d9 dst=169.254.169.254:80:X1 dstZone=Untrusted natDst=169.254.169.254 proto=tcp/http sent=52 app=9 msg=\"\" note=\"stack traffic always trusted\" n=153 fw_action=\"forward\"",
"sequence": "153",
"severity": "6",
"timezone": "+02:00"
},
"log": {
"level": "info"
},
"message": " (stack traffic always trusted)",
"network": {
"bytes": 52,
"protocol": "http",
"transport": "tcp"
},
"observer": {
"egress": {
"interface": {
"name": "X1"
},
"zone": "Untrusted"
},
"ingress": {
"interface": {
"name": "X1"
},
"zone": "Untrusted"
},
"ip": "10.0.0.96",
"name": "firewall",
"product": "SonicOS",
"serial_number": "0040103CE114",
"type": "firewall",
"vendor": "SonicWall"
},
"related": {
"ip": [
"10.0.0.96",
"169.254.169.254"
]
},
"sonicwall": {
"firewall": {
"app": "9",
"event_group_category": "Firewall Settings",
"gcat": "6"
}
},
"source": {
"bytes": 52,
"ip": "10.0.0.96",
"mac": "00-06-B1-DD-4F-D4",
"nat": {
"ip": "10.0.0.96"
},
"port": 54606
},
"tags": [
"preserve_original_event"
]
},
{
"@timestamp": "2022-05-16T08:19:21.000+02:00",
"destination": {
"ip": "169.254.169.254",
"mac": "00-17-C5-30-F9-D9",
"nat": {
"ip": "2a02:cf40::2"
},
"port": 80
},
"ecs": {
"version": "8.2.0"
},
"event": {
"action": "packet-forwarded",
"code": "1235",
"original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:21\" fw=10.0.0.96 pri=6 c=0 gcat=6 m=1235 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:54606:X1 srcZone=Untrusted natSrcV6=2a02:cf40::1 dstMac=00:17:c5:30:f9:d9 dst=169.254.169.254:80:X1 dstZone=Untrusted natDstV6=2a02:cf40::2 proto=tcp/http sent=52 app=9 msg=\"\" note=\"stack traffic always trusted\" n=153 fw_action=\"forward\"",
"sequence": "153",
"severity": "6",
"timezone": "+02:00"
},
"log": {
"level": "info"
},
"message": " (stack traffic always trusted)",
"network": {
"bytes": 52,
"protocol": "http",
"transport": "tcp"
},
"observer": {
"egress": {
"interface": {
"name": "X1"
},
"zone": "Untrusted"
},
"ingress": {
"interface": {
"name": "X1"
},
"zone": "Untrusted"
},
"ip": "10.0.0.96",
"name": "firewall",
"product": "SonicOS",
"serial_number": "0040103CE114",
"type": "firewall",
"vendor": "SonicWall"
},
"related": {
"ip": [
"10.0.0.96",
"2a02:cf40::1",
"169.254.169.254",
"2a02:cf40::2"
]
},
"sonicwall": {
"firewall": {
"app": "9",
"event_group_category": "Firewall Settings",
"gcat": "6"
}
},
"source": {
"bytes": 52,
"ip": "10.0.0.96",
"mac": "00-06-B1-DD-4F-D4",
"nat": {
"ip": "2a02:cf40::1"
},
"port": 54606
},
"tags": [
"preserve_original_event"
]
},
{
"@timestamp": "2022-05-16T08:19:21.000+02:00",
"destination": {
"ip": "169.254.169.254",
"mac": "00-17-C5-30-F9-D9",
"nat": {
"ip": "2a02:cf40::2",
"port": 5678
},
"port": 80
},
"ecs": {
"version": "8.2.0"
},
"event": {
"action": "packet-forwarded",
"code": "1235",
"original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:21\" fw=10.0.0.96 pri=6 c=0 gcat=6 m=1235 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:54606:X1 srcZone=Untrusted natSrcV6=[2a02:cf40::1]:1234 dstMac=00:17:c5:30:f9:d9 dst=169.254.169.254:80:X1 dstZone=Untrusted natDstV6=[2a02:cf40::2]:5678 proto=tcp/http sent=52 app=9 msg=\"\" note=\"stack traffic always trusted\" n=153 fw_action=\"forward\"",
"sequence": "153",
"severity": "6",
"timezone": "+02:00"
},
"log": {
"level": "info"
},
"message": " (stack traffic always trusted)",
"network": {
"bytes": 52,
"protocol": "http",
"transport": "tcp"
},
"observer": {
"egress": {
"interface": {
"name": "X1"
},
"zone": "Untrusted"
},
"ingress": {
"interface": {
"name": "X1"
},
"zone": "Untrusted"
},
"ip": "10.0.0.96",
"name": "firewall",
"product": "SonicOS",
"serial_number": "0040103CE114",
"type": "firewall",
"vendor": "SonicWall"
},
"related": {
"ip": [
"10.0.0.96",
"2a02:cf40::1",
"169.254.169.254",
"2a02:cf40::2"
]
},
"sonicwall": {
"firewall": {
"app": "9",
"event_group_category": "Firewall Settings",
"gcat": "6"
}
},
"source": {
"bytes": 52,
"ip": "10.0.0.96",
"mac": "00-06-B1-DD-4F-D4",
"nat": {
"ip": "2a02:cf40::1",
"port": 1234
},
"port": 54606
},
"tags": [
"preserve_original_event"
]
},
{
"@timestamp": "2022-05-16T08:19:21.000+02:00",
"destination": {
"ip": "169.254.169.254",
"mac": "00-17-C5-30-F9-D9",
"port": 80
},
"ecs": {
"version": "8.2.0"
},
"event": {
"action": "packet-forwarded",
"code": "1235",
"original": "\u003c134\u003e id=firewall sn=0040103CE114 time=\"2022-05-16 08:19:21\" fw=10.0.0.96 pri=6 c=0 gcat=6 m=1235 srcMac=00:06:b1:dd:4f:d4 src=10.0.0.96:54606:X1 srcZone=Untrusted natSrcV6=not_an_IP dstMac=00:17:c5:30:f9:d9 dst=169.254.169.254:80:X1 dstZone=Untrusted natDstV6=not_an_IP proto=tcp/http sent=52 app=9 msg=\"\" note=\"stack traffic always trusted\" n=153 fw_action=\"forward\"",
"sequence": "153",
"severity": "6",
"timezone": "+02:00"
},
"log": {
"level": "info"
},
"message": " (stack traffic always trusted)",
"network": {
"bytes": 52,
"protocol": "http",
"transport": "tcp"
},
"observer": {
"egress": {
"interface": {
"name": "X1"
},
"zone": "Untrusted"
},
"ingress": {
"interface": {
"name": "X1"
},
"zone": "Untrusted"
},
"ip": "10.0.0.96",
"name": "firewall",
"product": "SonicOS",
"serial_number": "0040103CE114",
"type": "firewall",
"vendor": "SonicWall"
},
"related": {
"ip": [
"10.0.0.96",
"169.254.169.254"
]
},
"sonicwall": {
"firewall": {
"app": "9",
"event_group_category": "Firewall Settings",
"gcat": "6"
}
},
"source": {
"bytes": 52,
"ip": "10.0.0.96",
"mac": "00-06-B1-DD-4F-D4",
"port": 54606
},
"tags": [
"preserve_original_event"
]
}
]
}
Expand Up @@ -391,25 +391,21 @@ processors:
field: _temp_.source_nat_ip
description: Extracts optional port number from src nat field
ignore_missing: true
ignore_failure: true
patterns:
- '^%{IPV4:source.nat.ip}:%{POSINT:source.nat.port}$'
- '^%{IPV4:source.nat.ip}(:?:%{POSINT:source.nat.port})?$'
- '^%{IPV6:source.nat.ip}$'
- '^\[%{IPV6:source.nat.ip}\]:%{POSINT:source.nat.port}$'
on_failure:
- convert:
field: _temp_.source_nat_ip
type: ip

- grok:
field: _temp_.destination_nat_ip
description: Extracts optional port number from dst nat field
ignore_missing: true
ignore_failure: true
patterns:
- '^%{IPV4:destination.nat.ip}:%{POSINT:destination.nat.port}$'
- '^%{IPV4:destination.nat.ip}(:?:%{POSINT:destination.nat.port})?$'
- '^%{IPV6:destination.nat.ip}$'
- '^\[%{IPV6:destination.nat.ip}\]:%{POSINT:destination.nat.port}$'
on_failure:
- convert:
field: _temp_.destination_nat_ip
type: ip

#
# Validate integer fields
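Review bot: The optional-port group in the new IPv4 pattern, `(:?:%{POSINT:source.nat.port})?`, looks like a typo for a non-capturing group: as written it is an optional colon followed by a mandatory colon, so it also accepts `10.0.0.96::1234`, and the same construct is repeated in the destination pattern. The intended form is `'^%{IPV4:source.nat.ip}(?::%{POSINT:source.nat.port})?$'` and `'^%{IPV4:destination.nat.ip}(?::%{POSINT:destination.nat.port})?$'`. Separately, with the `on_failure` convert step removed and `ignore_failure: true` apparently kept, a NAT value that matches none of the patterns (the `not_an_IP` sample in the new test log) is discarded with no trace in the event; if that is deliberate, a comment on each grok such as `# NAT values that are not a valid IP/port are dropped silently` would document it, otherwise keeping the raw value in a keyword field or tagging the event would let an analyst see that the source produced something unexpected. The `- grok:` lines that open both processors are above the hunk.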
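--- a/packages/sonicwall_firewall/manifest.yml
+++ b/packages/sonicwall_firewall/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: sonicwall_firewall
 title: "SonicWall Firewall"
-version: 0.1.0
+version: 0.1.1
 license: basic
 release: beta
 description: "Integration for SonicWall firewall logs"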