
cisco_meraki: handle blocked ARP packet, auth and port messages (#7771)
efd6 committed Sep 20, 2023
1 parent 6e13a10 commit f2b80b1
Showing 7 changed files with 297 additions and 3 deletions.
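--- a/packages/cisco_meraki/changelog.yml
+++ b/packages/cisco_meraki/changelog.yml
@@ -1,4 +1,15 @@
 # newer versions go on top
+- version: "1.13.0"
+changes:
+- description: Handle blocked ARP packet messages.
+type: enhancement
+link: https://github.com/elastic/integrations/pull/7771
+- description: Handle auth event subtype.
+type: enhancement
+link: https://github.com/elastic/integrations/pull/7771
+- description: Handle port event subtype.
+type: enhancement
+link: https://github.com/elastic/integrations/pull/7771
 - version: "1.12.0"
 changes:
 - description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.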
Expand Up @@ -21,3 +21,9 @@
<134>1 1639132875.360638431 1_2_AP_4 events type=disassociation radio='1' vap='1' client_mac='36:E7:E9:AE:04:3D' channel='132' reason='8' apple_da_reason='7' instigator='2' duration='40.260521941' auth_neg_dur='0.024206187' last_auth_ago='40.229666962' is_wpa='1' full_conn='0.477861916' ip_resp='1.005954707' ip_src='10.68.128.113' http_resp='0.477861916' arp_resp='0.179876562' arp_src='10.68.128.113' dns_server='10.128.128.128' dns_req_rtt='0.095675854' dns_resp='0.416596437' dhcp_lease_completed='0.182086020' dhcp_server='10.128.128.128' dhcp_server_mac='E0:CB:BC:49:F7:26' dhcp_resp='0.182086020' aid='1750957891'
<134>1 1639132903.129587239 LG2_AP_01 events type=disassociation radio='1' vap='1' client_mac='8E:2F:69:33:FA:6A' channel='36' reason='8' apple_da_reason='7' instigator='2' duration='27.641499140' auth_neg_dur='0.008153688' last_auth_ago='27.627178619' is_wpa='1' full_conn='0.395120958' ip_resp='0.520431812' ip_src='10.72.66.49' http_resp='0.395120958' arp_resp='0.132684875' arp_src='10.72.66.49' dns_server='10.128.128.128' dns_req_rtt='0.121687' dns_resp='0.335365542' dhcp_lease_completed='0.133589958' dhcp_server='10.128.128.128' dhcp_server_mac='F8:9E:28:70:1A:7C' dhcp_resp='0.133589958' aid='1899362895'
<134>1 1639132917.085087788 LG2_AP_01 events type=wpa_auth radio='1' vap='1' client_mac='8E:2F:69:33:FA:6A' aid='1546367691'
<134>1 1639132851.416656563 TCP9001 events Blocked ARP Packet from ab:01:02:03:04:05 with IP 81.2.69.144 on VLAN 123
<134>1 1694519069.914814259 TCP9001 events Port 4 changed STP role from designated to disabled
<134>1 1694519069.912939179 TCP9001 events port 4 status changed from 100fdx to down
<134>1 1694519040.863533579 TCP9001 events Port 1 changed STP role from disabled to designated
<134>1 1694519040.862946339 TCP9001 events port 1 status changed from down to 100fdx
<134>1 1694519007.104885873 TCP9001 events Auth failure resets to success
Expand Up @@ -1048,6 +1048,214 @@
"forwarded",
"preserve_original_event"
]
},
{
"@timestamp": "2021-12-10T10:40:51.416Z",
"cisco_meraki": {
"event_subtype": "arp_blocked",
"event_type": "events"
},
"ecs": {
"version": "8.9.0"
},
"event": {
"action": "arp_blocked",
"category": [
"network"
],
"original": "\u003c134\u003e1 1639132851.416656563 TCP9001 events Blocked ARP Packet from ab:01:02:03:04:05 with IP 81.2.69.144 on VLAN 123",
"type": [
"info"
]
},
"log": {
"syslog": {
"priority": 134
}
},
"observer": {
"hostname": "TCP9001",
"ingress": {
"vlan": {
"id": "123"
}
}
},
"source": {
"geo": {
"city_name": "London",
"continent_name": "Europe",
"country_iso_code": "GB",
"country_name": "United Kingdom",
"location": {
"lat": 51.5142,
"lon": -0.0931
},
"region_iso_code": "GB-ENG",
"region_name": "England"
},
"ip": "81.2.69.144",
"mac": "AB-01-02-03-04-05"
},
"tags": [
"forwarded",
"preserve_original_event"
]
},
{
"@timestamp": "2023-09-12T11:44:29.914Z",
"cisco_meraki": {
"event_subtype": "port_changed_stp_role",
"event_type": "events"
},
"ecs": {
"version": "8.9.0"
},
"event": {
"action": "port_changed_stp_role",
"category": [
"network"
],
"original": "\u003c134\u003e1 1694519069.914814259 TCP9001 events Port 4 changed STP role from designated to disabled",
"type": [
"info"
]
},
"log": {
"syslog": {
"priority": 134
}
},
"observer": {
"hostname": "TCP9001"
},
"tags": [
"forwarded",
"preserve_original_event"
]
},
{
"@timestamp": "2023-09-12T11:44:29.912Z",
"cisco_meraki": {
"event_subtype": "port_status_changed",
"event_type": "events"
},
"ecs": {
"version": "8.9.0"
},
"event": {
"action": "port_status_changed",
"category": [
"network"
],
"original": "\u003c134\u003e1 1694519069.912939179 TCP9001 events port 4 status changed from 100fdx to down",
"type": [
"info"
]
},
"log": {
"syslog": {
"priority": 134
}
},
"observer": {
"hostname": "TCP9001"
},
"tags": [
"forwarded",
"preserve_original_event"
]
},
{
"@timestamp": "2023-09-12T11:44:00.863Z",
"cisco_meraki": {
"event_subtype": "port_changed_stp_role",
"event_type": "events"
},
"ecs": {
"version": "8.9.0"
},
"event": {
"action": "port_changed_stp_role",
"category": [
"network"
],
"original": "\u003c134\u003e1 1694519040.863533579 TCP9001 events Port 1 changed STP role from disabled to designated",
"type": [
"info"
]
},
"log": {
"syslog": {
"priority": 134
}
},
"observer": {
"hostname": "TCP9001"
},
"tags": [
"forwarded",
"preserve_original_event"
]
},
{
"@timestamp": "2023-09-12T11:44:00.862Z",
"cisco_meraki": {
"event_subtype": "port_status_changed",
"event_type": "events"
},
"ecs": {
"version": "8.9.0"
},
"event": {
"action": "port_status_changed",
"category": [
"network"
],
"original": "\u003c134\u003e1 1694519040.862946339 TCP9001 events port 1 status changed from down to 100fdx",
"type": [
"info"
]
},
"log": {
"syslog": {
"priority": 134
}
},
"observer": {
"hostname": "TCP9001"
},
"tags": [
"forwarded",
"preserve_original_event"
]
},
{
"@timestamp": "2023-09-12T11:43:27.104Z",
"cisco_meraki": {
"event_subtype": "auth",
"event_type": "events"
},
"ecs": {
"version": "8.9.0"
},
"event": {
"action": "auth",
"category": [
"network"
],
"original": "\u003c134\u003e1 1694519007.104885873 TCP9001 events Auth failure resets to success",
"type": [
"info"
]
},
"observer": {
"hostname": "TCP9001"
},
"tags": [
"forwarded",
"preserve_original_event"
]
}
]
}
Expand Up @@ -11,11 +11,23 @@ processors:
- set:
field: cisco_meraki.event_subtype
value: 'Site-to-Site VPN'
if: ctx?.msgtype.toLowerCase() == "site-to-site"
if: ctx.msgtype.toLowerCase() == "site-to-site"
- set:
field: cisco_meraki.event_subtype
value: client_vpn_connect
if: ctx?.msgtype.toLowerCase() == "client_vpn_connect"
if: ctx.msgtype.toLowerCase() == "client_vpn_connect"
- set:
field: cisco_meraki.event_subtype
value: blocked
if: ctx.msgtype.toLowerCase() == "blocked"
- set:
field: cisco_meraki.event_subtype
value: auth
if: ctx.msgtype.toLowerCase() == "auth"
- set:
field: cisco_meraki.event_subtype
value: port
if: ctx.msgtype.toLowerCase() == "port"
####################################################
# log event with type=<value> format
# these are dfs_event, association, disassocation,
Expand Down Expand Up @@ -73,6 +85,60 @@ processors:
WORDORHOST: '(?:%{WORD}|%{HOSTNAME})'
if: ctx.event.original.startsWith('<') && ctx?.cisco_meraki?.event_subtype == "Site-to-Site VPN"
####################################################
# Handle Blocked ARP
####################################################
- grok:
field: event.original
patterns:
- '%{SYSLOGHDR}%{SPACE}%{NUMBER}%{SPACE}%{WORDORHOST}%{SPACE}events%{SPACE}%{BLOCKEDARP:_temp.blocked_arp} from %{MAC:source.mac} with IP %{IP:source.ip} on %{NOTSPACE} %{GREEDYDATA:observer.ingress.vlan.id}$'
pattern_definitions:
SYSLOGPRI: '<%{NONNEGINT:log.syslog.priority:long}>'
SYSLOGVER: '\b(?:\d{1,2})\b'
SYSLOGHDR: '%{SYSLOGPRI}%{SYSLOGVER}'
WORDORHOST: '(?:%{WORD}|%{HOSTNAME})'
BLOCKEDARP: 'Blocked ARP Packet'
if: ctx.event.original.startsWith('<') && ctx?.cisco_meraki?.event_subtype == "blocked"
- gsub:
field: source.mac
pattern: '[:.]'
replacement: '-'
ignore_missing: true
- uppercase:
field: source.mac
ignore_missing: true
- set:
field: cisco_meraki.event_subtype
value: arp_blocked
if: ctx._temp?.blocked_arp != null
####################################################
# Handle Ports
####################################################
- grok:
field: event.original
patterns:
- '(?i)%{SYSLOGHDR}%{SPACE}%{NUMBER}%{SPACE}%{WORDORHOST}%{SPACE}events%{SPACE}port %{NOTSPACE} %{PORTACTION:_temp.port_action}'
pattern_definitions:
SYSLOGPRI: '<%{NONNEGINT:log.syslog.priority:long}>'
SYSLOGVER: '\b(?:\d{1,2})\b'
SYSLOGHDR: '%{SYSLOGPRI}%{SYSLOGVER}'
WORDORHOST: '(?:%{WORD}|%{HOSTNAME})'
PORTACTION: '(?:changed stp role|status changed)'
if: ctx.event.original.startsWith('<') && ctx?.cisco_meraki?.event_subtype == "port"
- gsub:
field: _temp.port_action
pattern: ' '
replacement: '_'
ignore_missing: true
- lowercase:
field: _temp.port_action
ignore_missing: true
- set:
field: cisco_meraki.event_subtype
value: 'port_{{{_temp.port_action}}}'
if: ctx._temp?.port_action != null
####################################################
# Handle dfs_event, wpa_auth, wpa_deauth,
# association or disassociation
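Review bot: The port grok pattern `port %{NOTSPACE} %{PORTACTION:_temp.port_action}` discards the port identifier and the from/to values, so the indexed events (the expected output for these messages carries only `observer.hostname`) cannot say which port went down or which STP role it moved to, which is exactly what a detection on link flaps or STP changes would key on. Capturing them into the `_temp.*` namespace the pipeline already uses, e.g. `port %{NOTSPACE:_temp.port_id} %{PORTACTION:_temp.port_action} from %{NOTSPACE:_temp.port_from} to %{NOTSPACE:_temp.port_to}$`, and then mapping them to documented fields (ECS `observer.ingress.interface.name` if a switch port is the intended meaning, otherwise a new `cisco_meraki.*` field declared in fields.yml) would keep that context; the `_temp` cleanup is presumably outside this hunk and would cover the new keys as-is. The blocked-ARP pattern has a related weakness in `on %{NOTSPACE} %{GREEDYDATA:observer.ingress.vlan.id}$`, which accepts any token where the literal `VLAN` is expected and any trailing text as the VLAN id; `on VLAN %{NONNEGINT:observer.ingress.vlan.id}$` is stricter, assuming Meraki only emits numeric VLAN ids there, which this diff does not confirm. The `processors:` list starts above and continues below both hunks.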
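--- a/packages/cisco_meraki/data_stream/log/fields/ecs.yml
+++ b/packages/cisco_meraki/data_stream/log/fields/ecs.yml
@@ -146,6 +146,8 @@
 name: observer.egress.interface.name
 - external: ecs
 name: observer.ingress.interface.name
+- external: ecs
+name: observer.ingress.vlan.id
 - external: ecs
 name: observer.product
 - external: ecs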
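--- a/packages/cisco_meraki/docs/README.md
+++ b/packages/cisco_meraki/docs/README.md
@@ -213,6 +213,7 @@ The `cisco_meraki.log` dataset provides events from the configured syslog server
 | observer.egress.interface.name | Interface name as reported by the system. | keyword |
 | observer.hostname | Hostname of the observer. | keyword |
 | observer.ingress.interface.name | Interface name as reported by the system. | keyword |
+| observer.ingress.vlan.id | VLAN ID as reported by the observer. | keyword |
 | observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | observer.product | The product name of the observer. | keyword |
 | observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |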
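--- a/packages/cisco_meraki/manifest.yml
+++ b/packages/cisco_meraki/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 2.11.0
 name: cisco_meraki
 title: Cisco Meraki
-version: "1.12.0"
+version: "1.13.0"
 description: Collect logs from Cisco Meraki with Elastic Agent.
 type: integration
 categories: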
