topic Re: Splunk 6.2.4, TA-tippingpoint 3.3.0 - Failed extractions in Splunk Search

Splunk 6.2.4, TA-tippingpoint 3.3.0 - Failed extractions

may_aaron — Fri, 11 Sep 2015 01:18:58 GMT

I have TA-tippingpoint 3.3.0 app installed on Enterprise Splunk 6.2.4, but there are no field extractions for the IPS data. Are there any known bugs that would cause the extractions to fail? Also, I searched the Splunk app store for the TippingPoint app with the intention of reinstalling it, but I couldnt find anything related to Tipping Point. Is there somewhere else that I should look for this app? Thanks.

Re: Splunk 6.2.4, TA-tippingpoint 3.3.0 - Failed extractions

filou — Tue, 27 Dec 2016 09:12:31 GMT

Hi,
I had the same problem regarding field-extraction. The regular expression is buggy => Sometimes it works and sometimes not, depending of the date (day of the month, single oder double digit).

I changed the regex in transforms.conf like this (I also added new fields for ReputationDV Feed):

[tab_kv_for_tippingpoint]
REGEX = ^\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}\s+\S+\s+(?:\w{3}\s+\d{2}\s+\d{2}:\d{2}:\d{2}\s+)?([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t\"?\d+:\s+([^\t"]+)\"?\t([^\t]+)\t\"?([^\t"]+)\"?\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]
+)\t([^\t]+)\t\"?([^\t"]+)\"?\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)
FORMAT = vendor_action::$1 severity_id::$2 policy_uuid::$3 signature_uuid::$4 signature::$5 signature_id::$6 app::$7 src_ip::$8 src_port::$9 dest_ip::$10 dest_port::$11 hit_count::$12 dvc_slot::$13 dvc_segment::$14 dvc::$15 category_id::
$16 ioc::$20

[pipe_kv_for_tippingpoint]
REGEX = ^\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}\s+\S+\s+(?:\w{3}\s+\d{2}\s+\d{2}:\d{2}:\d{2}\s+)?([^|]+)\|([^|]+)\|([^|]+)\|([^|]+)\|\"(?:\d+:\s)?([^|]+)\"\|([^|]+)\|\"?([^|"]+)\"?\|([^|]+)\|([^|]+)\|([^|]+)\|([^|]+)\|([^|]+)\|([^|]+)\|([^|]+)\
|\"?([^|"]+)\"?\|([^|]+)\|([^|]+)\|([^|]+)\|([^|]+)\|([^|]+)\|([^|]+)
FORMAT = vendor_action::$1 severity_id::$2 policy_uuid::$3 signature_uuid::$4 signature::$5 signature_id::$6 app::$7 src_ip::$8 src_port::$9 dest_ip::$10 dest_port::$11 hit_count::$12 dvc_slot::$13 dvc_segment::$14 dvc::$15 category_id::
$16 ips_host::$17 ioc::$20

I hope this helps. Let me know if it works for you.
Regards,
filou

Re: Splunk 6.2.4, TA-tippingpoint 3.3.0 - Failed extractions

dailv1808 — Wed, 08 Feb 2017 10:11:08 GMT

I changed the regex in transforms.conf like you did but nothing happend 😞

Re: Splunk 6.2.4, TA-tippingpoint 3.3.0 - Failed extractions

evinasco — Wed, 27 Mar 2019 22:11:33 GMT

would you mind telling me which apps you used for capturing logs from Tipping Point??

Re: Splunk 6.2.4, TA-tippingpoint 3.3.0 - Failed extractions

filou — Thu, 28 Mar 2019 05:45:01 GMT

i still use the old TA-tippingpoint v4.7.2,I still use the old TA-tippingpoint v4.7.2

Re: Splunk 6.2.4, TA-tippingpoint 3.3.0 - Failed extractions

evinasco — Mon, 08 Apr 2019 19:35:11 GMT

where can i get that? do you have the link?

Re: Splunk 6.2.4, TA-tippingpoint 3.3.0 - Failed extractions

filou — Tue, 09 Apr 2019 11:52:06 GMT

if i'm not wrong, Trend Micro bought TippingPoint. that's why the SPLUNK-add-on for TippingPoint does not exist anymore. Now the logs from tippingpoint appliances should be parsed with the Trend Micro SPLUNK add-on, perhaps Something like that https://splunkbase.splunk.com/app/1936/
I hope it helps...