Add-on for Infoblox and extractions for src_ip when DNS client is IPV6

wryanthomas
Communicator

We're seeing DNS events (sourcetype=infoblox:dns) where "client" has an IPv6 address not getting extracted. For example, the following does not get extracted correctly, while events with IPv4 addresses are getting extracted correctly:

2019-07-31T16:00:15+00:00 dns1.illinois.edu named[23473]: client 2001:558:fe04:a:69:252:244:142#53661 (xxxx.ad.uillinois.edu): query 'xxxx.ad.uillinois.edu/A/IN' denied

I see some add-ons have specifically addressed IPv6:
https://docs.splunk.com/Documentation/AddOns/released/CiscoASA/Extractions

Does Infoblox add-on need this done too?

1 Solution

djl
Explorer

For our purposes with ipv6 I had to create a new transform and append it to the field extraction that came with the Infoblox app. After some digging I found the primary culprit to be the infoblox_dns_extract_field_16 extraction.

Since we are on Splunk Cloud this is all done in the GUI, but you can probably imagine the local/props.conf & local/transforms.conf settings that were needed behind the scenes.

#Transforms.conf
[illinois-urbana-infoblox_dns_extract_field_16]
REGEX = client\s((?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::))#(\d{1,5})\:?\s[\S]+\s(?:query\s)?(?:\(cache\)\s)?'(\S+)'\sdenied
SOURCE_KEY = named_message
FORMAT = src_ip::$1 src_port::$2 cache_query::$3

#Props.conf
[infoblox:dns]
REPORT-dns_fields_2  = infoblox_dns_extract_field_11,infoblox_dns_extract_field_12,infoblox_dns_extract_field_13,infoblox_dns_extract_field_14,infoblox_dns_extract_field_15,infoblox_dns_extract_field_16,infoblox_dns_extract_field_17,illinois-urbana-infoblox_dns_extract_field_16


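The transform from the accepted answer, run outside Splunk against the question's sample line plus a few constructed named-style messages, as an added Python example that is not part of the original thread or the Infoblox add-on. It assumes that named_message is everything after "named[<pid>]: " in the syslog line (the page does not show how the add-on derives that field), uses Python's re module as a stand-in for Splunk's PCRE engine, and adds one check a practitioner would want: the regex accepts lexically plausible junk such as 999.999.999.999, so the extracted src_ip is validated with the ipaddress module before being trusted.

```python
import ipaddress
import re

# Regex copied unchanged from the accepted answer's transform
# [illinois-urbana-infoblox_dns_extract_field_16]. Python's re is used here as a
# stand-in for Splunk's PCRE engine; this pattern uses no PCRE-only syntax.
EXTRACT_FIELD_16 = re.compile(
    r"client\s("
    r"(?:(?:\d{1,3}\.){3}(?:\d{1,3}))"                                       # IPv4
    r"|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)"  # IPv6, full or compressed
    r"|(?:::[\dA-Fa-f\.]{1,15})"                                             # ::1, ::ffff:1.2.3.4
    r"|(?:::)"                                                               # ::
    r")#(\d{1,5})\:?\s[\S]+\s(?:query\s)?(?:\(cache\)\s)?'(\S+)'\sdenied"
)

# Assumption (not stated on the page): the add-on's named_message field is
# everything after "named[<pid>]: " in the syslog line.
NAMED_MESSAGE = re.compile(r"named\[\d+\]:\s(?P<named_message>.*)$")

# Sample events. The first is the line from the question; the rest are constructed.
SAMPLE_LINES = [
    "2019-07-31T16:00:15+00:00 dns1.illinois.edu named[23473]: client "
    "2001:558:fe04:a:69:252:244:142#53661 (xxxx.ad.uillinois.edu): "
    "query 'xxxx.ad.uillinois.edu/A/IN' denied",
    "2019-07-31T16:00:16+00:00 dns1.example.test named[23473]: client "
    "192.0.2.10#40000 (example.test): query 'example.test/AAAA/IN' denied",
    "2019-07-31T16:00:17+00:00 dns1.example.test named[23473]: client "
    "::1#5353 (localhost): query (cache) 'localhost/A/IN' denied",
    # Not a 'denied' event: the transform must not fire on it.
    "2019-07-31T16:00:18+00:00 dns1.example.test named[23473]: client "
    "192.0.2.10#40001: query: example.test IN A + (192.0.2.53)",
    # Matches the IPv4 branch lexically but is not a real address.
    "2019-07-31T16:00:19+00:00 dns1.example.test named[23473]: client "
    "999.999.999.999#1234 (bogus.test): query 'bogus.test/A/IN' denied",
]


def named_message(syslog_line):
    """Return the named_message portion of a raw syslog line, or None."""
    m = NAMED_MESSAGE.search(syslog_line)
    return m.group("named_message") if m else None


def extract(named_msg):
    """Apply the transform; mirrors FORMAT = src_ip::$1 src_port::$2 cache_query::$3."""
    m = EXTRACT_FIELD_16.search(named_msg)
    if m is None:
        return None
    return {"src_ip": m.group(1), "src_port": m.group(2), "cache_query": m.group(3)}


def src_ip_is_valid(fields):
    """Caveat check: the regex accepts values such as 999.999.999.999, so confirm
    the extracted src_ip parses as a real IPv4 or IPv6 address before trusting it."""
    try:
        ipaddress.ip_address(fields["src_ip"])
    except ValueError:
        return False
    return True


def run(lines=SAMPLE_LINES):
    """Extract fields from each line; None where the transform does not match."""
    results = []
    for line in lines:
        msg = named_message(line)
        fields = extract(msg) if msg is not None else None
        if fields is not None:
            fields["src_ip_valid"] = src_ip_is_valid(fields)
        results.append(fields)
    return results


if __name__ == "__main__":
    for line, fields in zip(SAMPLE_LINES, run()):
        print(named_message(line))
        print("   ->", fields)
```

The same harness can be pointed at a real export of named_message values to check the transform before deploying it, and the validity flag is the cheap way to spot events where the regex matched something that is not an address.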
chaispaquichui
Explorer

The regex used by the add-on is currently limited to extracting IPv4 addresses...

[dns_request]
 REGEX = client\s(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})#(?\d+).*\s(?query):\s(?\S+)\s(?\w+)\s(?\w+)\s(?(?:\+|\-)\S*)\s\((?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})\)

And the regex doesn't work at all if you use NIOS 8.4.x

https://answers.splunk.com/answers/752080/splunk-add-on-for-infoblox-v110-field-extractions.html

If you have the option to open a case with Splunk to fix the add-on, please do so.

If you can provide more samples of logs with IPv6 addresses, I can try to fix the regex.


wryanthomas
Communicator

Also -- it looks like we're still on 8.2.x (not 8.4.x).


wryanthomas
Communicator

Thanks. I did submit a support request and referenced this post.
