
Add-on for Infoblox and extractions for src_ip when DNS client is IPV6

wryanthomas
Contributor

We're seeing DNS events (sourcetype=infoblox:dns) where "client" has IPV6 address not getting extracted. For example, the following does not get extracted correctly -- while events with IPV4 addresses are getting extracted correctly:

2019-07-31T16:00:15+00:00 dns1.illinois.edu named[23473]: client 2001:558:fe04:a:69:252:244:142#53661 (xxxx.ad.uillinois.edu): query 'xxxx.ad.uillinois.edu/A/IN' denied

I see some add-ons have specifically addressed IPV6:
https://docs.splunk.com/Documentation/AddOns/released/CiscoASA/Extractions

Does Infoblox add-on need this done too?

1 Solution

djl
Explorer

For our purposes with ipv6 I had to create a new transform and append it to the field extraction that came with the Infoblox app. After some digging I found the primary culprit to be the infoblox_dns_extract_field_16 extraction.

Since we are on Splunk Cloud this is all done in the GUI, but you can probably imagine the local/props.conf & local/transforms.conf settings that were needed behind the scenes.

#Transforms.conf
[illinois-urbana-infoblox_dns_extract_field_16]
REGEX = client\s((?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::))#(\d{1,5})\:?\s[\S]+\s(?:query\s)?(?:\(cache\)\s)?'(\S+)'\sdenied
SOURCE_KEY = named_message
FORMAT = src_ip::$1 src_port::$2 cache_query::$3

#Props.conf
[infoblox:dns]
REPORT-dns_fields_2  = infoblox_dns_extract_field_11,infoblox_dns_extract_field_12,infoblox_dns_extract_field_13,infoblox_dns_extract_field_14,infoblox_dns_extract_field_15,infoblox_dns_extract_field_16,infoblox_dns_extract_field_17,illinois-urbana-infoblox_dns_extract_field_16
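As an added example (not code from the thread or the Infoblox add-on), the transform above run in Python against constructed sample events: an IPv6 client, an IPv4 client, and a loopback `::1` with a `(cache)` query. Splitting `named_message` off after `named[<pid>]: ` is an assumption about how the add-on populates that field.

```python
import re

# Transform regex and FORMAT exactly as posted in the answer above.
TRANSFORM_REGEX = re.compile(
    r"client\s((?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}"
    r"(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::))#(\d{1,5})\:?\s[\S]+\s"
    r"(?:query\s)?(?:\(cache\)\s)?'(\S+)'\sdenied"
)
TRANSFORM_FORMAT = "src_ip::$1 src_port::$2 cache_query::$3"

# Assumption: named_message is the text after "named[<pid>]: " in the syslog line.
NAMED_MESSAGE = re.compile(r"named\[\d+\]:\s(.*)$")

# Constructed sample events modelled on the line in the question (not real logs).
SAMPLE_EVENTS = [
    "2019-07-31T16:00:15+00:00 dns1.example.test named[23473]: client "
    "2001:db8:fe04:a:69:252:244:142#53661 (host.example.test): query 'host.example.test/A/IN' denied",
    "2019-07-31T16:00:16+00:00 dns1.example.test named[23473]: client "
    "10.20.30.40#5353 (host.example.test): query 'host.example.test/A/IN' denied",
    "2019-07-31T16:00:17+00:00 dns1.example.test named[23473]: client "
    "::1#40000 (host.example.test): query (cache) 'host.example.test/AAAA/IN' denied",
]


def apply_format(fmt, match):
    """Expand a Splunk-style FORMAT string ('name::$n ...') into a field dict."""
    fields = {}
    for token in fmt.split():
        name, ref = token.split("::", 1)
        fields[name] = match.group(int(ref.lstrip("$")))
    return fields


def extract_fields(event):
    """Return the fields the transform would add, or None if the regex does not match."""
    m = NAMED_MESSAGE.search(event)
    if m is None:
        return None
    t = TRANSFORM_REGEX.search(m.group(1))
    if t is None:
        return None
    return apply_format(TRANSFORM_FORMAT, t)


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(extract_fields(ev))
```

Events that are not `denied` queries return None, which matches the transform only firing on denied messages; to cover the other message shapes you would test them the same way before editing the REPORT stanza.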



chaispaquichui
Explorer

The regex used by the add-on is currently limited to extract IPv4 addresses...

[dns_request]
 REGEX = client\s(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})#(?\d+).*\s(?query):\s(?\S+)\s(?\w+)\s(?\w+)\s(?(?:\+|\-)\S*)\s\((?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})\)

And the regex doesn't work at all if you use NIOS 8.4.x

https://answers.splunk.com/answers/752080/splunk-add-on-for-infoblox-v110-field-extractions.html

If you have the possibility to open a case with Splunk to fix the add-on, please do it.

If you can provide more samples of logs with IPv6 addresses, I can try to fix the regex.


wryanthomas
Contributor

Also -- it looks like we're still on 8.2.x (not 8.4.x).


wryanthomas
Contributor

Thanks. I did submit a support request and referenced this post.
