[ 
https://issues.apache.org/jira/browse/METRON-363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15501235#comment-15501235
 ] 

Kyle Richardson commented on METRON-363:
----------------------------------------

I'm currently testing with ASA v9.1.x and should be able to contribute some 
anonymized test data back to the project.

One issue I'm running into is that there are some events which do not contain all of 
the standard fields defined at 
https://cwiki.apache.org/confluence/display/METRON/Metron+Architecture. For 
example, ASA-4-733100 events are logged for basic threat detections but do not 
include source and destination (more information can be found at 
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html).

My question is how do we want to handle these situations? Here are a few 
options.

1. Drop the events entirely; no enrichment or indexing
2. Provide normalized JSON events without the ip_src_addr and ip_dst_addr fields
3. Provide normalized JSON events with null values for the ip_src_addr and 
ip_dst_addr fields

To some extent this decision depends on how the enrichment and indexing code 
handles missing or null values.

I'll also pose this question to the dev mailing list.


> Fix Cisco ASA Parser
> --------------------
>
>                 Key: METRON-363
>                 URL: https://issues.apache.org/jira/browse/METRON-363
>             Project: Metron
>          Issue Type: Improvement
>            Reporter: Kyle Richardson
>            Priority: Minor
>
> The current ASA parser is broken. This effort is to rework the current parser 
> to support the variety of syslog messages produced by Cisco ASA devices as 
> well as provide the necessary support files/configs for easier deployment of 
> the Storm topology.
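The three handling options discussed in the comment above, worked through as an added example. This is illustrative code, not the Metron ASA parser or any project code: the two syslog lines are constructed to resemble ASA output (one connection event with endpoints, one ASA-4-733100 threat-detection event without them), the regexes are my own simplification of the ASA message format, and only the field names ip_src_addr / ip_dst_addr come from the page.

```python
import re
from typing import Optional

# Constructed sample lines shaped like Cisco ASA syslog output; not real captures.
SAMPLE_LINES = [
    "%ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.7/40122 "
    "(198.51.100.7/40122) to inside:10.0.0.5/443 (10.0.0.5/443)",
    "%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 50 per second, "
    "max configured rate is 10; Current average rate is 20 per second, max configured "
    "rate is 5; Cumulative total count is 1200",
]

# Assumed, simplified message header: %ASA-<severity>-<6-digit id>: <body>
HEADER_RE = re.compile(r"%ASA-(?P<severity>\d)-(?P<message_id>\d{6}): (?P<body>.*)$")

# Connection-style bodies carry "<interface>:<ip>/<port>" for source, then "to" and
# the destination. Threat-detection events such as 733100 have no such pair.
ENDPOINTS_RE = re.compile(
    r"(?P<src_iface>\w+):(?P<ip_src_addr>[\d.]+)/(?P<ip_src_port>\d+).*?\bto\s+"
    r"(?P<dst_iface>\w+):(?P<ip_dst_addr>[\d.]+)/(?P<ip_dst_port>\d+)"
)

VALID_POLICIES = ("drop", "omit", "null")  # the three options from the comment


def parse_asa(line: str) -> Optional[dict]:
    """Parse one ASA line into a flat dict; endpoint fields only when present."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    event = {
        "original_string": line,
        "syslog_severity": int(m.group("severity")),
        "message_id": m.group("message_id"),
    }
    ep = ENDPOINTS_RE.search(m.group("body"))
    if ep:
        event["ip_src_addr"] = ep.group("ip_src_addr")
        event["ip_src_port"] = int(ep.group("ip_src_port"))
        event["ip_dst_addr"] = ep.group("ip_dst_addr")
        event["ip_dst_port"] = int(ep.group("ip_dst_port"))
    return event


def normalize(line: str, policy: str = "null") -> Optional[dict]:
    """Apply the chosen missing-endpoint policy to a parsed event.

    drop: return None so the event is neither enriched nor indexed.
    omit: return the event without ip_src_addr / ip_dst_addr keys.
    null: return the event with both keys present and set to None.
    """
    if policy not in VALID_POLICIES:
        raise ValueError(f"unknown policy {policy!r}; expected one of {VALID_POLICIES}")
    event = parse_asa(line)
    if event is None:
        return None
    has_endpoints = "ip_src_addr" in event and "ip_dst_addr" in event
    if has_endpoints:
        return event
    if policy == "drop":
        return None
    if policy == "null":
        event["ip_src_addr"] = None
        event["ip_dst_addr"] = None
    return event  # "omit" leaves the keys absent


if __name__ == "__main__":
    for policy in VALID_POLICIES:
        for line in SAMPLE_LINES:
            print(policy, normalize(line, policy))
```

Running the block prints each sample under each policy, which makes the downstream concern visible: with "omit" a consumer must test for key presence, with "null" it must test for None, and with "drop" the threat-detection event never reaches enrichment at all.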
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)