[Enhancement] Cisco FTD differentiating between inbound and outbound #4563


Merged (4 commits) Nov 7, 2022


Conversation

WildDogOne
Contributor

@WildDogOne WildDogOne commented Nov 4, 2022

What does this PR do?

I noticed some very odd logs in FTD

Nov 01 16:42:22 UTC: %FTD-session-6-302013: Built inbound TCP connection 1488052803 for intranet:192.168.22.10/59864 (192.168.22.10/59864) to internet:216.160.83.56/1433 (216.160.83.56/1433)

The current extraction is:
network.direction: inbound (makes sense as it's extracted from log)
source.ip: 192.168.22.10
destination.ip: 216.160.83.56

In my opinion the source and destination IPs are flipped.
So this PR is to check if flipping them makes sense in the view of the community.
The main problem that I see is that this change could potentially affect a lot of users who have already adapted to this way of life.

Cisco Documentation on this issue:
If inbound is specified, the original control connection was initiated from the outside. For example, for FTP, all data transfer channels are inbound if the original control channel is inbound. If outbound is specified, the original control connection was initiated from the inside.

Event Codes with this issue:

  • 302013
  • 302015
  • 302017

This change covers 302013 and 302015. Sadly, I have no sample logs for 302017.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
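As an added example, not code from the cisco_ftd integration or from the PR author: a small Python mapper that applies the direction-dependent swap the PR describes to the sample line above, with a flag to reproduce the pre-PR extraction for comparison. The regex, the DIRECTIONAL_CODES set and the second (outbound) sample line are assumptions made here; only the first sample line comes from the PR.

```python
import re
from typing import Optional

# Event codes whose message carries an explicit inbound/outbound keyword
# (the three codes listed in the PR); assumed set for this example.
DIRECTIONAL_CODES = {"302013", "302015", "302017"}

# Matches "%FTD-session-6-302013: Built inbound TCP connection N for
# iface:ip/port (ip/port) to iface:ip/port (ip/port)"; the direction
# keyword is optional so messages without one still parse.
CONN_RE = re.compile(
    r"%FTD-session-\d-(?P<code>\d{6}): Built "
    r"(?:(?P<direction>inbound|outbound) )?"
    r"(?P<proto>TCP|UDP) connection (?P<conn_id>\d+) for "
    r"[\w-]+:(?P<ip_a>[\d.]+)/(?P<port_a>\d+) \([^)]*\) to "
    r"[\w-]+:(?P<ip_b>[\d.]+)/(?P<port_b>\d+) \([^)]*\)"
)

def to_ecs(line: str, swap_on_inbound: bool = True) -> Optional[dict]:
    """Map one FTD connection event to ECS-style fields.
    swap_on_inbound=False reproduces the pre-PR extraction, where the
    left side of "to" is always the source; True applies the PR's rule."""
    m = CONN_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    left = (d["ip_a"], int(d["port_a"]))
    right = (d["ip_b"], int(d["port_b"]))
    # Cisco: "inbound" means the connection was initiated from the outside,
    # i.e. by the host on the right-hand side of "to", so that host is the
    # source. Without a direction keyword, "X to Y" reads as X -> Y.
    inbound = d["direction"] == "inbound" and d["code"] in DIRECTIONAL_CODES
    src, dst = (right, left) if swap_on_inbound and inbound else (left, right)
    ecs = {
        "event.code": d["code"],
        "network.transport": d["proto"].lower(),
        "source.ip": src[0], "source.port": src[1],
        "destination.ip": dst[0], "destination.port": dst[1],
    }
    if d["direction"]:
        ecs["network.direction"] = d["direction"]
    return ecs

# First sample: the line quoted in the PR. Second: constructed outbound 302015 UDP event.
SAMPLES = [
    "Nov 01 16:42:22 UTC: %FTD-session-6-302013: Built inbound TCP connection 1488052803 for intranet:192.168.22.10/59864 (192.168.22.10/59864) to internet:216.160.83.56/1433 (216.160.83.56/1433)",
    "Nov 01 16:42:25 UTC: %FTD-session-6-302015: Built outbound UDP connection 1488052810 for intranet:192.168.22.10/53412 (192.168.22.10/53412) to internet:203.0.113.5/53 (203.0.113.5/53)",
]
```

Running `to_ecs(SAMPLES[0])` yields source.ip 216.160.83.56 and destination.ip 192.168.22.10, while `swap_on_inbound=False` gives the pre-PR (flipped) result.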

@elasticmachine

elasticmachine commented Nov 4, 2022

💚 Build Succeeded


Build stats: start time 2022-11-07T01:21:10.223+0000, duration 17 min 4 sec

Test stats 🧪: 20 total, 20 passed, 0 failed, 0 skipped

@WildDogOne WildDogOne changed the title [Enhancement] Differentiating between inbound and outbound [Enhancement] Cisco FTD differentiating between inbound and outbound Nov 4, 2022
@WildDogOne WildDogOne marked this pull request as ready for review November 4, 2022 16:41
@WildDogOne WildDogOne requested a review from a team as a code owner November 4, 2022 16:41
@efd6 efd6 added bug Something isn't working, use only for issues Integration:cisco_ftd Cisco FTD Team:Security-External Integrations labels Nov 7, 2022
@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@efd6
Contributor

efd6 commented Nov 7, 2022

/test

@elasticmachine

🚀 Benchmarks report

Package cisco_ftd 👍(0) 💚(0) 💔(1)

Data stream   Previous EPS   New EPS   Diff (%)            Result
log           823.72         228.36    -595.36 (-72.28%)   💔

To see the full report comment with /test benchmark fullreport

@elasticmachine

🌐 Coverage report

Name           Metrics % (covered/total)   Diff
Packages       100.0% (1/1)                💚
Files          100.0% (1/1)                💚 2.622
Classes        100.0% (1/1)                💚 2.622
Methods        100.0% (18/18)              💚 9.153
Lines          66.001% (1223/1853)         👎 -25.292
Conditionals   100.0% (0/0)                💚

@efd6
Contributor

efd6 commented Nov 7, 2022

Do we have a good idea about what Cisco mean when they include "to" in the connection description? Does it really mean "between"?

@WildDogOne
Contributor Author

Honestly, I think Cisco themselves already have no actual idea what "to" means.
What I have noticed with Cisco FTD logs is that everything seems quite unified until you come to the 300k event codes, which are part of the more modern modules of the FTD appliance and have a totally different way of logging.

My interpretation so far is: if no direction is specified, "X to Y" means X is the source and Y is the destination. If a direction is specified, which luckily is only in 3 event codes, "X to Y" is dependent on the direction.

@P1llus
Member

P1llus commented Nov 7, 2022

I can confirm this is indeed the correct assumption, at least based on their documentation of these specific event codes; a bit of a weird way to log this.

From my perspective this change is 👍

@efd6 efd6 merged commit c2f7d1d into elastic:main Nov 7, 2022
@WildDogOne WildDogOne deleted the ftd-network_direction branch November 7, 2022 12:11