Fixes for PIX 6-308001 6-605005, and 6-605004 #1124
Open · wants to merge 3 commits into master
Conversation

crlorentzen (Contributor) commented May 15, 2017

Through further testing with PIX and ASA we have updated the decoder once more to support the current state of the ASA software.

It was noticed that in Cisco ASA, as opposed to PIX, the username is not provided in 6-605004. We think this is a security enhancement Cisco made: if a user fails to log in, it is possible that a password was improperly put into the username field and thus it shouldn't be logged. Cisco instead puts asterisks (*) in place of the user on 605004.

The only way we could see to fix the decoder for this was to remove the username from being selected. Perhaps someone with a better understanding of OSSEC regex could create something better.

Some more example logs and their phase 2 output before the fix.
Examples are also in the comment section of the decoder.xml.

%ASA-6-308001: Console enable password incorrect for 3 tries (from ssh (remote 198.18.1.100))
**Phase 2: Completed decoding.
       decoder: 'pix'
       id: '6-308001'
       srcip: 'enable'


%ASA-6-605005: Login permitted from 198.18.1.100/47849 to outside:198.18.1.254/ssh for user "t@stuser123"
**Phase 2: Completed decoding.
       decoder: 'pix'
       id: '6-605004'
       action: 'denied'
       srcip: '198.18.1.100'
       srcport: '56332'
       dstuser: 't@stuser123'

%ASA-6-605004: Login denied from 198.18.1.100/56332 to outside:198.18.1.254/ssh for user "*****"
**Phase 2: Completed decoding.
       decoder: 'pix'

Log test output after the fix.

%ASA-6-308001: Console enable password incorrect for 3 tries (from ssh (remote 198.18.1.100))
**Phase 2: Completed decoding.
       decoder: 'pix'
       id: '6-308001'

%ASA-6-605005: Login permitted from 198.18.1.100/47849 to outside:198.18.1.254/ssh for user "us3rn@m3"
**Phase 2: Completed decoding.
       decoder: 'pix'
       id: '6-605005'
       action: 'permitted'
       srcip: '198.18.1.100'
       srcport: '47849'
       dstuser: 'us3rn@m3'

%ASA-6-605004: Login denied from 198.18.1.100/56332 to outside:198.18.1.254/ssh for user "*****" 
**Phase 2: Completed decoding.
       decoder: 'pix'
       id: '6-605004'
       action: 'denied'
       srcip: '198.18.1.100'
       srcport: '56332'


crlorentzen (Contributor, Author) commented:
If someone can help me figure out how to accept either word characters, or asterisks (*) between the quotes (") then I'd be happy to update the single rule to include username in all cases.

ddpbsd (Member) commented May 25, 2017

\S should allow any non-whitespace characters.

crlorentzen (Contributor, Author) commented:

While that is true, it unfortunately then chomps the " characters and fails to match properly.

ddpbsd (Member) commented May 26, 2017

I've run into this before. Can't remember how I solved it off hand.

Know1 commented Jul 13, 2017

Not sure if you ever figured it out, but this piece of regex may be what you need. It works for these test cases:
"*****"
"us3rn@m3"
"Testuser123"

<regex offset="after_parent">^(\S+): Login (\S+) from (\S+)/(\d+) \.+user \"([aA-zZ0-9*@]+)\"</regex>

Can also add additional punctuation if required, e.g. (not sure what chars PIX/ASA will accept, but should test for all):
\"([aA-zZ0-9*@!?&#]+)\"

Know1 commented Jul 13, 2017

Actually, after further thinking about it, \S matches all non-space, so it should work. Greediness should exclude the chomping of ".
I plugged \S only into a regex tester with the above full strings and the snippet matched, so I've gone back to the drawing board and come up with this, which I tested against the following full strings:

%ASA-6-605005: Login permitted from 198.18.1.100/47849 to outside:198.18.1.254/ssh for user "us3rn@m3"
%ASA-6-605005: Login permitted from 198.18.1.100/47849 to outside:198.18.1.254/ssh for user "t@stuser123"
%ASA-6-605004: Login denied from 198.18.1.100/56332 to outside:198.18.1.254/ssh for user "*****"

This piece of code breaks them out into $1, $2, $3, $4, $5:
<regex offset="after_parent">^(\S+): Login (\S+) from (\S+)\/(\d+).*user \"(\S+)\"</regex>

crlorentzen (Contributor, Author) commented:

@Know1 unfortunately OSSEC does not use Perl-compatible regex (PCRE), see #199. So while a regex tester may indicate success, the only true test for OSSEC is to use the ossec-logtest tool which comes with the installation. I may have misused the term chomp, but the \S includes the quote (") character and doesn't work. Also, OSSEC regex does not appear to support creating classes (e.g. [aA-zZ0-9*@]), although I haven't retested this in a while, and my role on the OSSEC project at work is over, so I may not have time to retest.
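
The thread above turns on two things: how the 308001/605004/605005 messages break into fields once the masked "*****" user is taken into account, and why `user "(\S+)"` passes in an online regex tester but is reported to fail under ossec-logtest. The following is an added example written for this page, not the pull request's decoder.xml and not OSSEC code. It uses Python's `re`, which backtracks, so the `\S+` pattern succeeds there; `greedy_no_backtrack_user()` is only a hand-written model of an engine that never gives a consumed character back, offered as an illustration of the failure the author describes, not as a statement about how os_regex is implemented. The sample log lines are constructed from the formats quoted in the pull request.

```python
"""Toy decoder for the three PIX/ASA messages discussed in this pull request.

Added example, not OSSEC's decoder. Python's `re` is a backtracking engine;
greedy_no_backtrack_user() below merely models an engine that does not
backtrack (an assumption used for illustration, not a description of os_regex).
"""
import re
from typing import Dict, Optional

# Constructed sample lines, same message formats as quoted in the pull request.
SAMPLE_LOGS = [
    '%ASA-6-308001: Console enable password incorrect for 3 tries '
    '(from ssh (remote 198.18.1.100))',
    '%ASA-6-605005: Login permitted from 198.18.1.100/47849 '
    'to outside:198.18.1.254/ssh for user "us3rn@m3"',
    '%ASA-6-605004: Login denied from 198.18.1.100/56332 '
    'to outside:198.18.1.254/ssh for user "*****"',
]

# Parent "pix" decoder: PIX and ASA both prefix with %<PLATFORM>-<severity>-<msgid>:
PARENT_RE = re.compile(r'^%(?:PIX|ASA)-(\d-\d{6}): (.*)$')

# 308001: repeated failed "enable" attempts; the remote address is the srcip.
ENABLE_FAIL_RE = re.compile(
    r'^Console enable password incorrect for (\d+) tries '
    r'\(from (\S+) \(remote (\S+)\)\)'
)

# 605004/605005: the user is whatever sits between the quotes. [^"]* can never
# consume the closing quote, so it does not depend on backtracking to succeed.
LOGIN_RE = re.compile(
    r'^Login (permitted|denied) from (\S+)/(\d+) '
    r'to (\S+):(\S+)/(\S+) for user "([^"]*)"'
)


def is_masked(user: str) -> bool:
    """ASA replaces the user on denied logins with a run of asterisks."""
    return bool(user) and set(user) == {'*'}


def decode(line: str) -> Optional[Dict[str, str]]:
    """Return decoded fields, or None if the line is not a PIX/ASA message."""
    m = PARENT_RE.match(line)
    if not m:
        return None
    msg_id, body = m.group(1), m.group(2)
    fields = {'decoder': 'pix', 'id': msg_id}

    if msg_id == '6-308001':
        c = ENABLE_FAIL_RE.match(body)
        if c:
            fields['tries'] = c.group(1)
            fields['protocol'] = c.group(2)
            fields['srcip'] = c.group(3)
    elif msg_id in ('6-605004', '6-605005'):
        c = LOGIN_RE.match(body)
        if c:
            fields['action'] = c.group(1)
            fields['srcip'] = c.group(2)
            fields['srcport'] = c.group(3)
            fields['interface'] = c.group(4)
            fields['dstip'] = c.group(5)
            fields['protocol'] = c.group(6)
            # "*****" is not an identity: leave dstuser unset rather than
            # let rules correlate or alert on the mask as if it were an account.
            if not is_masked(c.group(7)):
                fields['dstuser'] = c.group(7)
    return fields


def backtracking_user(line: str) -> Optional[str]:
    """The \\S+ pattern from the thread in a backtracking engine: \\S+ first
    swallows the closing quote, then gives it back so the literal " matches."""
    m = re.search(r'user "(\S+)"', line)
    return m.group(1) if m else None


def greedy_no_backtrack_user(line: str) -> Optional[str]:
    """Model (assumption, not os_regex) of an engine that never gives characters
    back: \\S+ runs to the end of the token, quote included, and the literal
    " that must follow has nothing left to match."""
    marker = 'user "'
    start = line.find(marker)
    if start < 0:
        return None
    i = start + len(marker)
    j = i
    while j < len(line) and not line[j].isspace():
        j += 1
    if j > i and j < len(line) and line[j] == '"':
        return line[i:j]
    return None


if __name__ == '__main__':
    for log in SAMPLE_LOGS:
        print(decode(log))
    print(backtracking_user(SAMPLE_LOGS[2]), greedy_no_backtrack_user(SAMPLE_LOGS[2]))
```

Running the block prints the three field sets (the denied login carries no dstuser) and then `***** None`: the same `\S+` pattern extracts the masked user under a backtracking engine and fails under the non-backtracking model. Whatever the real engine does, a decoder that must not rely on backtracking is safer written so the user capture can never include the closing quote.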

