
[Cisco FTD]: 430003 Incorrect Time Calculation #11657

Open
sarrgi opened this issue Nov 7, 2024 · 1 comment
Labels
Integration:cisco_ftd Cisco FTD needs:triage Team:Security-Deployment and Devices Deployment and Devices Security team [elastic/sec-deployment-and-devices]

Comments

@sarrgi

sarrgi commented Nov 7, 2024

Integration Name

Cisco FTD [cisco_ftd]

Dataset Name

cisco.ftd

Integration Version

3.4.3

Agent Version

8.7.1

Agent Output Type

elasticsearch

Elasticsearch Version

8.12.1

OS Version and Architecture

Ubuntu 22.04 LTS (x86_64)

Software/API Version

No response

Error Message

No response

Event Original

%FTD-6-430003: EventPriority: Low, DeviceUUID: 00000000-0000-0000-0000-000000000000, InstanceID: 0, FirstPacketSecond: 2024-10-30T05:07:41Z, ConnectionID: 0, AccessControlRuleAction: Allow, SrcIP: 0.0.0.0, DstIP: 0.0.0.0, SrcPort: 0, DstPort: 0, Protocol: tcp, IngressInterface: redacted, EgressInterface: redacted, IngressZone: redacted, EgressZone: redacted, IngressVRF: redacted, EgressVRF: redacted, ACPolicy: redacted, AccessControlRuleName: redacted, Prefilter Policy: redacted, User: Not Found, ConnectionDuration: 429384, InitiatorPackets: 1507065, ResponderPackets: 2092306, InitiatorBytes: 378041802, ResponderBytes: 1365498843, NAPPolicy: redacted, ClientAppDetector: AppID

What did you do?

Standard configuration - not too relevant, as this is specifically related to the Ingest Pipeline.

What did you see?

The values for event.start and event.end are incorrectly calculated, specifically observed for the FTD event syslog message 430003. This is further explained below (What did you expect to see?).

What I see: [image]

What did you expect to see?

According to Cisco Secure Firewall Threat Defense Syslog Messages , FirstPacketSecond is "the time the system encountered the first packet", and ConnectionDuration is "the number of seconds between the first packet and the last packet". As such, we would expect the time of event.start to match FirstPacketSecond, and event.end to match event.start plus ConnectionDuration. However, event.end matches FirstPacketSecond, and event.start is equal to FirstPacketSecond minus ConnectionDuration.

What I expected to see: [image]

Anything else?

I have adjusted the relevant script processor in my local instance of Elasticsearch. This is how I generated the "What I expect to see" image.

I am happy to implement the changes in the appropriate pull request here too.
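The calculation the issue describes, as an added standalone example (Python rather than the integration's Painless script processor, and not code from the cisco_ftd integration or the reporter): it parses the `Key: Value` fields of a 430003 message, shows the reported start/end derivation beside the one that follows Cisco's field definitions, and only applies the fix when both fields are present. The sample line is constructed from the redacted message quoted above.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the 430003 message quoted in the issue (redacted fields shortened).
SAMPLE = ("%FTD-6-430003: EventPriority: Low, DeviceUUID: 00000000-0000-0000-0000-000000000000, "
          "InstanceID: 0, FirstPacketSecond: 2024-10-30T05:07:41Z, ConnectionID: 0, "
          "AccessControlRuleAction: Allow, SrcIP: 0.0.0.0, DstIP: 0.0.0.0, Protocol: tcp, "
          "User: Not Found, ConnectionDuration: 429384, InitiatorPackets: 1507065, ClientAppDetector: AppID")

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ftd_message(msg):
    """Split an FTD syslog line into its message id and a dict of 'Key: Value' fields."""
    header, _, body = msg.partition(": ")
    msg_id = header.rsplit("-", 1)[-1]  # "%FTD-6-430003" -> "430003"
    fields = {}
    for pair in body.split(", "):
        key, sep, value = pair.partition(": ")
        if sep:  # skip fragments that are not a Key: Value pair
            fields[key.strip()] = value.strip()
    return msg_id, fields


def _ts(s):
    return datetime.strptime(s, TS_FMT).replace(tzinfo=timezone.utc)


def event_times_reported(fields):
    """Behaviour described in the issue: event.end = FirstPacketSecond, event.start = end - duration."""
    end = _ts(fields["FirstPacketSecond"])
    start = end - timedelta(seconds=int(fields["ConnectionDuration"]))
    return start.strftime(TS_FMT), end.strftime(TS_FMT)


def event_times_expected(fields):
    """Per the Cisco field definitions: event.start = FirstPacketSecond, event.end = start + duration."""
    start = _ts(fields["FirstPacketSecond"])
    end = start + timedelta(seconds=int(fields["ConnectionDuration"]))
    return start.strftime(TS_FMT), end.strftime(TS_FMT)


def check_430003(msg):
    """Return (event.start, event.end) the corrected way, or None if the line is not a usable 430003."""
    msg_id, fields = parse_ftd_message(msg)
    if msg_id != "430003" or "FirstPacketSecond" not in fields or "ConnectionDuration" not in fields:
        return None
    return event_times_expected(fields)


if __name__ == "__main__":
    _, f = parse_ftd_message(SAMPLE)
    print("reported :", event_times_reported(f))  # start 4d 23:16:24 before FirstPacketSecond
    print("expected :", event_times_expected(f))  # start == FirstPacketSecond, end 4d 23:16:24 later
```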

@andrewkroh andrewkroh added Integration:cisco_ftd Cisco FTD Team:Security-Deployment and Devices Deployment and Devices Security team [elastic/sec-deployment-and-devices] labels Nov 7, 2024
@elasticmachine

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)
