Alerting

Extracting a network address from a trap message

smithjnick
Path Finder

Hi All

I am trying to create an alert that triggers whenever I receive a high risk notification from my IPS. I have my Splunk search term below that returns the correct trap message, but I need to know how I can filter further by the victim's network address. The victim's IP is contained in the following line:

      cidsAlertVictimAddress:= osIdSource="unknown" osRelevance="relevant" osType="unknown" 10.37.99.223:161

I would like to trigger my alert whenever this trap message comes in from any 10.37.0.0 source. I had a bash at regex but couldn't get past:

      | rex field=cidsAlertVictimAddress

My Splunk query is this:

      index=myindex source=ips  sourcetype=ips_threat

What do I need to append to my query in order to only alert on the victim address sitting on network 10.37.0.0?

The trap message looks like this:

 11/22/2013 4:13 PM 123.123.123.123:123.123.123.123  CISCO-CIDS-MIB:ciscoCidsAlert  SNMP Trap
 Received Time:11/22/2013 4:13:58 PM
 Source:456.456.456.456(456.456.456.456)
 Community:public
 Variable Bindings
      sysUpTime:= 112 days 19 hours 59 minutes 37.05 seconds (974877705)
      snmpTrapOID:= CISCO-CIDS-MIB:ciscoCidsAlert (1.3.6.1.4.1.9.9.383.0.1)
      cidsGeneralEventId:= 1323036804139549916
      cidsGeneralLocalTime:= 11/22/2013 4:13:58 PM (B90LFhANOgA=)
      cidsGeneralUTCTime:= 11/22/2013 4:13:58 PM (B90LFhANOgA=)
      cidsGeneralOriginatorHostId:= ZBTDCSRMP002
      cidsAlertSeverity:= high
      cidsAlertAlarmTraits:= 2147483648
      cidsAlertSignature:= Community Invalid Length
      cidsAlertSignatureSigName:= SNMP Protocol Violation
      cidsAlertSignatureSigId:= 4507
      cidsAlertSignatureSubSigId:= 6
      cidsAlertSignatureVersion:= S17
      cidsAlertInterfaceGroup:= 0
      cidsAlertVlan:= 0
      cidsAlertAttackerAddress:= 192.168.188.20:50556
      cidsAlertVictimAddress:= osIdSource="unknown" osRelevance="relevant" osType="unknown" 10.37.99.223:161
      cidsAlertDetails:= InterfaceAttributes:  context="single_vf" physical="Unknown" backplane="GigabitEthernet0/1" ; 
      cidsAlertEventRiskRating:= 100
      cidsAlert.26:= 3
      cidsAlert.27:= 17
      cidsAlert.42:= 65
      cidsAlert.46:= 1

Any help appreciated.
ta

0 Karma

somesoni2
Revered Legend

Try the following.

index=myindex source=ips  sourcetype=ips_threat
| rex  "(?<victim_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | eval shouldAlert=if(match(victim_ip, "10\.37\.\d{1,3}\.\d{1,3}$"), "Yes", "No") | where shouldAlert="Yes"

Alert should be raised if above search returns rows.

This search is searching all the IPs in the form 10.37.XXX.XXX.
To search 10.37.0.XXX, use

"10\.37\.0\.\d{1,3}$". 

Updated Search

This should work for you (tested with the sample data you posted [should have done this earlier]).

index=myindex source=ips  sourcetype=ips_threat
    | rex  "cidsAlertVictimAddress.* (?<victim_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | eval shouldAlert=if(match(victim_ip, "10\.37\.\d{1,3}\.\d{1,3}$"), "Yes", "No") | where shouldAlert="Yes"
0 Karma

somesoni2
Revered Legend

You can add all those in the shouldAlert eval command, e.g.
if(match(victim_ip, "10\.37\.\d{1,3}\.\d{1,3}$") OR match(victim_ip, "10\.28\.\d{1,3}\.\d{1,3}$"), "Yes", "No")

0 Karma
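As an added example (not from the thread), the same extraction done in Python over the trap message posted in the question: it shows why the unanchored regex from the first answer grabs the header address instead of the victim, how anchoring on cidsAlertVictimAddress fixes that, and how the "10.37 OR 10.28 OR 10.20.30" follow-up can be expressed as CIDR prefixes. The watch list and the trimmed sample event are assumptions constructed for the example.

```python
import re
import ipaddress

# Constructed sample: a trimmed copy of the trap message posted in the question.
TRAP = """\
11/22/2013 4:13 PM 123.123.123.123:123.123.123.123  CISCO-CIDS-MIB:ciscoCidsAlert  SNMP Trap
Received Time:11/22/2013 4:13:58 PM
Source:456.456.456.456(456.456.456.456)
Variable Bindings
     cidsAlertSeverity:= high
     cidsAlertAttackerAddress:= 192.168.188.20:50556
     cidsAlertVictimAddress:= osIdSource="unknown" osRelevance="relevant" osType="unknown" 10.37.99.223:161
     cidsAlertEventRiskRating:= 100
"""

IPV4 = r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"

# First-answer form: the first IPv4-looking token anywhere in the event,
# which is the header address, not the victim. This is why it gave no hits.
UNANCHORED = re.compile(r"(?P<victim_ip>" + IPV4 + r")")

# Updated form: anchor on the cidsAlertVictimAddress varbind. The greedy .*
# skips the osIdSource/osRelevance/osType attributes whether or not they exist.
ANCHORED = re.compile(r"cidsAlertVictimAddress.* (?P<victim_ip>" + IPV4 + r")")


def extract_victim_ip(event, pattern=ANCHORED):
    """Return the victim IP from one trap event, or None when absent."""
    m = pattern.search(event)
    return m.group("victim_ip") if m else None


# Hypothetical watch list for the follow-up question, as CIDR prefixes rather
# than regex prefixes, so 10.20.30.x matches but 10.20.31.x does not.
WATCHED = [ipaddress.ip_network(n) for n in ("10.37.0.0/16", "10.28.0.0/16", "10.20.30.0/24")]


def should_alert(event, networks=WATCHED):
    """True when the victim address falls inside any watched network."""
    ip = extract_victim_ip(event)
    if ip is None:
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # e.g. "456.456.456.456" looks like an IP but is not one
        return False
    return any(addr in net for net in networks)
```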

smithjnick
Path Finder

Many thanks S - this worked a treat and does exactly what I need it to do. Without pushing you too much, how could I refine this search to include other network addresses, i.e. 10.37 OR 10.28 OR 10.20.30 etc...

0 Karma

somesoni2
Revered Legend

Updated the answer.

0 Karma

smithjnick
Path Finder

Thanks for your reply S.
This search also produced no hits for me. Would your regex above search the whole trap message for a network address beginning 10.37? The reason I ask is that I do not see any reference directed at the line cidsAlertVictimAddress. This is the line I need to focus on for generating an alert or search result.

From your post though I am gaining a better understanding of the regex query, and I find the ability to change the victim IP search query quite useful as this is also a requirement of mine. Cheers.

0 Karma

pradeepkumarg
Influencer

Your query should be something like this (the named group is VICTIM_IP; the field name in the search must match it):

index=myindex source=ips  sourcetype=ips_threat | rex "(?m)osType=\W\S*\W\s(?P<VICTIM_IP>.*?)\:" | search VICTIM_IP="10.37.0.0"
0 Karma

pradeepkumarg
Influencer

Try this

index=myindex source=ips  sourcetype=ips_threat | rex "(?i)(?P<VICTIM_IP>.*?\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})\:\d+" | search VICTIM_IP="10.37*"

Make sure the case of VICTIM_IP is the same in both places in the query. For some reason this page is converting the regex to lower case.

0 Karma

smithjnick
Path Finder

Thanks for the reply G.
This did not produce any results I'm afraid. I notice your regex includes a reference to the osType. This could differ depending on the message coming in and may not be present in some trap messages.

From the following line:

cidsAlertVictimAddress:= osIdSource="unknown" osRelevance="relevant" osType="unknown" 10.37.99.223:161

I only need to search on the victim IP network address 10.37. I would just need to ignore all other characters on this line if possible.

0 Karma