logstash-plugins/logstash-patterns-core

CISCOFW106006_106007_106010 not matching

Opened this issue · 1 comment

Example log message:

<187>Apr 30 2013 09:23:40: %ASA-3-106010: Deny inbound sctp src INET:8.8.8.8/57997 dst INET:192.168.0.1/9000

The reason why it doesn't match is because `INET:` in front of the source and dst IP address isn't accounted for (which I believe is the firewall interface name).
Furthermore, `(?:(%{DATA:[destination][user][name]}))? (?:(?:on interface %{NOTSPACE:[observer][egress][interface][name]})|(?:due to %{CISCO_REASON:[event][reason]}))` is supposed to be fully optional but only matches up to `[destination][user][name]`.

Another failed match:

%ASA-3-106010: Deny inbound protocol 47 src INET:60.41.177.74 dst INET:217.111.247.78

According to

https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslog-messages-101001-to-199021.html#con_4768910

106010
Error Message %ASA-3-106010: Deny inbound protocol src [interface_name : source_address/source_port ] [([idfw_user | FQDN_string ], sg_info )] dst [interface_name : dest_address /dest_port }[([idfw_user | FQDN_string ], sg_info )]
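The message shape quoted above from the Cisco reference, modelled as a plain Python regex and run over the two log lines from this issue. This is an added illustration, not the grok pattern from logstash-patterns-core and not code from the reporter: the field names (`src_if`, `src_ip`, ...) are assumptions, the `(user, sg_info)` rendering is assumed from the reference's `[([idfw_user | FQDN_string ], sg_info )]` notation, and the third sample line is constructed. The `NAIVE_106010` pattern reproduces the failure described in the issue (address expected directly after `src `/`dst `), while `ASA_106010` makes the `interface_name:` prefix, the port and the user/sg suffix each optional.

```python
"""Cisco ASA 106010 message parser, as an added example for the grok issue above.

Not the project's pattern: the group names are assumptions, and the
"(user, sg_info)" form is assumed from the Cisco reference's notation.
"""
import re
from typing import Optional

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"  # IPv4 only; IPv6 endpoints are out of scope here


def _endpoint(tag: str) -> str:
    """One endpoint per the reference: [interface_name:]address[/port] [(user|fqdn, sg_info)].

    Every bracketed piece is optional, so each part is its own (?:...)? group.
    Interface names are assumed to start with a letter so an address is never
    mistaken for an interface name. (Assumption for this example.)
    """
    return (
        rf"(?:(?P<{tag}_if>[A-Za-z][\w.-]*):)?"       # optional "INET:" / "outside:" prefix
        rf"(?P<{tag}_ip>{IPV4})"
        rf"(?:/(?P<{tag}_port>\d+))?"                  # absent for e.g. "protocol 47"
        rf"(?: \((?P<{tag}_user>[^,)]+), (?P<{tag}_sg>[^)]+)\))?"  # assumed "(user, sg)" form
    )


# Handles every line in the issue: interface prefix, no port, and the optional tail.
ASA_106010 = re.compile(
    r"%ASA-(?P<severity>\d)-106010: Deny inbound "
    r"(?P<protocol>[A-Za-z]+(?: \d+)?) "               # "sctp", "tcp", or "protocol 47"
    r"src " + _endpoint("src") + r" dst " + _endpoint("dst") + r"$"
)

# The shape the reporter describes as failing: the address must directly follow
# "src " / "dst ", so "src INET:8.8.8.8" can never match.
NAIVE_106010 = re.compile(
    r"%ASA-(?P<severity>\d)-106010: Deny inbound (?P<protocol>[A-Za-z]+(?: \d+)?) "
    rf"src (?P<src_ip>{IPV4})(?:/(?P<src_port>\d+))? "
    rf"dst (?P<dst_ip>{IPV4})(?:/(?P<dst_port>\d+))?$"
)

# First two lines are the ones from the issue; the third is constructed to
# exercise a missing interface prefix and the optional "(user, sg)" suffix.
SAMPLES = [
    "<187>Apr 30 2013 09:23:40: %ASA-3-106010: Deny inbound sctp "
    "src INET:8.8.8.8/57997 dst INET:192.168.0.1/9000",
    "%ASA-3-106010: Deny inbound protocol 47 src INET:60.41.177.74 dst INET:217.111.247.78",
    "%ASA-3-106010: Deny inbound tcp src 10.0.0.5/443 (alice, 5) dst inside:192.168.1.10/8080",
]


def parse_106010(line: str, pattern: re.Pattern = ASA_106010) -> Optional[dict]:
    """Return the captured fields (unset optional groups dropped), or None on no match.

    re.search is used so a syslog priority/timestamp prefix in front of %ASA is ignored.
    """
    m = pattern.search(line)
    if not m:
        return None
    return {k: v for k, v in m.groupdict().items() if v is not None}


if __name__ == "__main__":
    for line in SAMPLES:
        print("naive :", parse_106010(line, NAIVE_106010))
        print("fixed :", parse_106010(line))
```

The point carried over to the grok side is structural: each bracketed element in the reference (`interface_name :`, `/port`, `( ... , sg_info )`) needs its own optional group at the position it occurs, rather than one trailing optional group after the address.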