Alerting

Extracting a network address from a trap message

smithjnick
Path Finder

Hi All

I am trying to create an alert that triggers whenever I receive a high risk notification from my IPS. I have my Splunk search term below that returns the correct trap message, but I need to know how I can filter further by the victim's network address. The victim's IP is contained in the following line:

      cidsAlertVictimAddress:= osIdSource="unknown" osRelevance="relevant" osType="unknown" 10.37.99.223:161

I would like to trigger my alert whenever this trap message comes in from any 10.37.0.0 source. I had a bash at regex but couldn't get past:

      | rex field=cidsAlertVictimAddress

My Splunk query is this:

      index=myindex source=ips  sourcetype=ips_threat

What do I need to append to my query in order to only alert on the victim address sitting on network 10.37.0.0?

The trap message looks like this:

 11/22/2013 4:13 PM 123.123.123.123:123.123.123.123  CISCO-CIDS-MIB:ciscoCidsAlert  SNMP Trap
 Received Time:11/22/2013 4:13:58 PM
 Source:456.456.456.456(456.456.456.456)
 Community:public
 Variable Bindings
      sysUpTime:= 112 days 19 hours 59 minutes 37.05 seconds (974877705)
      snmpTrapOID:= CISCO-CIDS-MIB:ciscoCidsAlert (1.3.6.1.4.1.9.9.383.0.1)
      cidsGeneralEventId:= 1323036804139549916
      cidsGeneralLocalTime:= 11/22/2013 4:13:58 PM (B90LFhANOgA=)
      cidsGeneralUTCTime:= 11/22/2013 4:13:58 PM (B90LFhANOgA=)
      cidsGeneralOriginatorHostId:= ZBTDCSRMP002
      cidsAlertSeverity:= high
      cidsAlertAlarmTraits:= 2147483648
      cidsAlertSignature:= Community Invalid Length
      cidsAlertSignatureSigName:= SNMP Protocol Violation
      cidsAlertSignatureSigId:= 4507
      cidsAlertSignatureSubSigId:= 6
      cidsAlertSignatureVersion:= S17
      cidsAlertInterfaceGroup:= 0
      cidsAlertVlan:= 0
      cidsAlertAttackerAddress:= 192.168.188.20:50556
      cidsAlertVictimAddress:= osIdSource="unknown" osRelevance="relevant" osType="unknown" 10.37.99.223:161
      cidsAlertDetails:= InterfaceAttributes:  context="single_vf" physical="Unknown" backplane="GigabitEthernet0/1" ; 
      cidsAlertEventRiskRating:= 100
      cidsAlert.26:= 3
      cidsAlert.27:= 17
      cidsAlert.42:= 65
      cidsAlert.46:= 1

Any help appreciated.
Ta

0 Karma

somesoni2
Revered Legend

Try the following.

index=myindex source=ips  sourcetype=ips_threat
| rex  "(?<victim_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | eval shouldAlert=if(match(victim_ip, "10\.37\.\d{1,3}\.\d{1,3}$"), "Yes", "No") | where shouldAlert="Yes"

Alert should be raised if above search returns rows.

This search is searching all the IPs in the form 10.37.XXX.XXX.
To search 10.37.0.XXX, use

"10\.37\.0\.\d{1,3}$". 

Updated Search

This should work for you (tested with the sample data you posted [should have done this earlier]).

index=myindex source=ips  sourcetype=ips_threat
    | rex  "cidsAlertVictimAddress.* (?<victim_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | eval shouldAlert=if(match(victim_ip, "10\.37\.\d{1,3}\.\d{1,3}$"), "Yes", "No") | where shouldAlert="Yes"
0 Karma

somesoni2
Revered Legend

You can add all those in the shouldAlert eval command, e.g.
if(match(victim_ip, "10\.37\.\d{1,3}\.\d{1,3}$") OR match(victim_ip, "10\.28\.\d{1,3}\.\d{1,3}$"), "Yes", "No")

0 Karma
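As an added example (not code from the thread), the extraction the accepted answer arrives at, written in Python so the difference between the first rex (first IP anywhere in the raw event) and the updated one (IP on the cidsAlertVictimAddress line) can be checked offline, plus the "10.37 OR 10.28 OR 10.20.30" follow-up done with CIDR matching instead of a chain of regex alternatives. The sample trap is reconstructed from the one posted above and the list of alerting networks is an assumption.

```python
"""Pull the victim IP out of a Cisco CIDS SNMP trap and test it against
a set of alerting networks. Added example; sample data is constructed."""
import ipaddress
import re
from typing import Optional

# Constructed sample: an abridged copy of the trap posted in the thread.
SAMPLE_TRAP = """\
11/22/2013 4:13 PM 123.123.123.123:123.123.123.123  CISCO-CIDS-MIB:ciscoCidsAlert  SNMP Trap
Received Time:11/22/2013 4:13:58 PM
Source:456.456.456.456(456.456.456.456)
Variable Bindings
     cidsAlertSeverity:= high
     cidsAlertAttackerAddress:= 192.168.188.20:50556
     cidsAlertVictimAddress:= osIdSource="unknown" osRelevance="relevant" osType="unknown" 10.37.99.223:161
     cidsAlertEventRiskRating:= 100
"""

IPV4 = r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"


def first_ip_anywhere(raw: str) -> Optional[str]:
    """Same thing the first rex in the thread does: the first IPv4-looking
    token in the whole event. On this trap that is the header address."""
    m = re.search(IPV4, raw)
    return m.group(0) if m else None


def victim_ip(raw: str) -> Optional[str]:
    """Anchor on the cidsAlertVictimAddress varbind and take the IPv4 token
    at the end of that line, so the osType="..." attributes are skipped
    whether or not a given trap carries them."""
    m = re.search(r"cidsAlertVictimAddress:=.*?(" + IPV4 + r")(?::\d+)?\s*$", raw, re.M)
    return m.group(1) if m else None


# Assumed networks to alert on; edit to taste.
ALERT_NETWORKS = [ipaddress.ip_network(n) for n in ("10.37.0.0/16", "10.28.0.0/16", "10.20.30.0/24")]


def should_alert(raw: str, networks=ALERT_NETWORKS) -> bool:
    """True when the victim address falls inside one of the alerting networks."""
    ip = victim_ip(raw)
    if ip is None:
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # e.g. an anonymised 456.456.456.456 is not a valid address
        return False
    return any(addr in net for net in networks)
```

CIDR matching also avoids the classic regex slip where "10.37" matches 10.370.x.x-style junk or "10.20.30" accidentally matches 10.20.300.x.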

smithjnick
Path Finder

Many thanks S - this worked a treat and does exactly what I need it to do. Without pushing you too much, how could I refine this search to include other network addresses, i.e. 10.37 OR 10.28 OR 10.20.30 etc.?

0 Karma

somesoni2
Revered Legend

Updated the answer.

0 Karma

smithjnick
Path Finder

Thanks for your reply S.
This search also produced no hits for me. Would your regex above search the whole trap message for a network address beginning 10.37? The reason I ask is that I do not see any reference directed at the line cidsAlertVictimAddress. This is the line I need to focus on for generating an alert or search result.

From your post though I am gaining a better understanding of the regex query, and I find the ability to change the victim IP search query quite useful as this is also a requirement of mine. Cheers.

0 Karma

pradeepkumarg
Influencer

Your query should be something like this

index=myindex source=ips  sourcetype=ips_threat | rex "(?m)osType=\W\S*\W\s(?P<VICTIM_IP>.*?)\:" | search VICTIM_IP="10.37.0.0"
0 Karma

pradeepkumarg
Influencer

Try this

index=myindex source=ips  sourcetype=ips_threat | rex "(?i)(?P<VICTIM_IP>.*?\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})\:\d+" | search VICTIM_IP="10.37*"

Make sure the case of VICTIM_IP is the same in both places in the query. For some reason this page is converting the regex to lower case.

0 Karma

smithjnick
Path Finder

Thanks for the reply G.
This did not produce any results, I'm afraid. I notice your regex includes a reference to the osType. This could differ depending on the message coming in and may not be present in some trap messages.

From the following line:

cidsAlertVictimAddress:= osIdSource="unknown" osRelevance="relevant" osType="unknown" 10.37.99.223:161

I only need to search on the victim IP network address 10.37. I would just need to ignore all other characters on this line if possible.

0 Karma