[cisco asa] grok processor warnings shown to user after installing assets

[jsvd]

Users installing the cisco asa integration assets will see a ton of warnings from the grok processors of the ingest pipeline like these:

{"@timestamp":"2024-04-02T08:31:15.388Z", "log.level": "WARN", "message":"character class has '-' without escape", "ecs.version": "1.2.0","service.name":"ES_ECS","event.dataset":"elasticsearch.server","process.thread.name":"elasticsearch[842c754572cb][clusterApplierService#updateTask][T#1]","log.logger":"org.elasticsearch.ingest.common.GrokProcessor","trace.id":"d5081cdf94809442f375412f6cc67640","elasticsearch.cluster.uuid":"VAsFZ8L2QguoE-lnApbNWA","elasticsearch.node.id":"UkMqtRt-RsScdsarV3IAxw","elasticsearch.node.name":"842c754572cb","elasticsearch.cluster.name":"elasticsearch"}
{"@timestamp":"2024-04-02T08:31:15.391Z", "log.level": "WARN", "message":"nested repeat operator '+' and '?' was replaced with '*' in regular expression /(?:(?<CISCO_DOMAIN_USER:_temp_.cisco.source_username>((?:(LOCAL\\\\)?((?:\\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b))\\\\)?))?(?:[^,$)]+)?)\\$?\\)?(?:(, *((?:((?<NUMBER:_temp_.cisco.source_user_security_group_tag>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\\.[0-9]+)?)|(?:\\.[0-9]+)))))))):(?:((?<WORD:_temp_.cisco.source_user_security_group_tag_name>\\b\\w+\\b)))|(?:((?<NUMBER:_temp_.cisco.source_user_security_group_tag>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\\.[0-9]+)?)|(?:\\.[0-9]+))))))))))|((?:((?<NUMBER:_temp_.cisco.source_user_security_group_tag>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\\.[0-9]+)?)|(?:\\.[0-9]+)))))))):(?:((?<WORD:_temp_.cisco.source_user_security_group_tag_name>\\b\\w+\\b))))))|(?:(?<CISCO_DOMAIN_USER:_temp_.cisco.source_username>((?:(LOCAL\\\\)?((?:\\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b))\\\\)?))?(?:[^,$)]+)?)\\$?\\)?)/", "ecs.version": "1.2.0","service.name":"ES_ECS","event.dataset":"elasticsearch.server","process.thread.name":"elasticsearch[842c754572cb][clusterApplierService#updateTask][T#1]","log.logger":"org.elasticsearch.ingest.common.GrokProcessor","trace.id":"d5081cdf94809442f375412f6cc67640","elasticsearch.cluster.uuid":"VAsFZ8L2QguoE-lnApbNWA","elasticsearch.node.id":"UkMqtRt-RsScdsarV3IAxw","elasticsearch.node.name":"842c754572cb","elasticsearch.cluster.name":"elasticsearch"}

Seems related to elastic/beats#36326, and overall lack of escaping of certain characters and non-optimal design of the regexes.

[elasticmachine]

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

[pkoutsovasilis]

So after investigating this one, I can see why regex engine on Elasticsearch side is throwing the respective warnings

so a basic regex example

regex ([^,$)]+)?:

• with + we match the previous token between one and unlimited times
• with ? we match the previous token between zero and one times

so essentially the regex engine is saying to us hey I will replace the combo of +)? with * as it is effectively the same.

about the hyphen warning this is not escaped inside the [...] so again it makes total sense

Preparing a fix to mitigate the warnings

[elasticmachine]

Package cisco_asa - 2.32.1 containing this change is available at https://epr.elastic.co/search?package=cisco_asa