Hi,
After upgrading our Infoblox solution to release 8.4.x a new hexadecimal field is introduced in the DNS syslog messages.
We were told by Infoblox support that there has been a change in behavior with the new BIND DNS, which is "working as per design".
This obviously had an impact on our datamodels in Enterprise Security.
Sample event
Jun 13 13:45:40 11.11.11.11 named[1234]: client @0x7f9df0e8b720 11.11.111.11#12345 (helloworld.com): query: helloworld.com IN AAAA +E(0) (11.11.11.1)
Does anyone know if Splunk plan to upgrade this TA?
We don't log responses so I couldn't dig into those events, but I managed to solve it for requests, thought I might as well share it here if anyone ends up in the same situation 🙂
default/transforms.conf
[dns_request]
REGEX = client\s(?<dns_request_client_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})#(?<dns_request_client_port>\d+).*\s(?<message_type>query):\s(?<dns_request_queried_domain>\S+)\s(?<dns_request_class_name>\w+)\s(?<dns_request_type_name>\w+)\s(?<dns_request_setDC>(?:\+|\-)\S*)\s\((?<dns_request_name_serverIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})\)
local/transforms.conf
[dns_request]
REGEX = client(.*[^\s]*\s)(?<dns_request_client_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})#(?<dns_request_client_port>\d+).*\s(?<message_type>query):\s(?<dns_request_queried_domain>\S+)\s(?<dns_request_class_name>\w+)\s(?<dns_request_type_name>\w+)\s(?<dns_request_setDC>(?:\+|\-)\S*)\s\((?<dns_request_name_serverIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})\)
Same issue here...
Btw, don't use .* at the beginning of this regex; it's not optimised because it causes a lot of backtracking. You can see it in regex101 (1407 steps to match):
https://regex101.com/r/fiPsS9/1
You can use \s\S+\s to match the id:
client\s\S+\s(?<dns_request_client_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})#(?<dns_request_client_port>\d+).*\s(?<message_type>query):\s(?<dns_request_queried_domain>\S+)\s(?<dns_request_class_name>\w+)\s(?<dns_request_type_name>\w+)\s(?<dns_request_setDC>(?:\+|\-)\S*)\s\((?<dns_request_name_serverIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})\)
https://regex101.com/r/Dfl9pc/1
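As an added, runnable check that is not part of any post in this thread: the script below runs the TA's shipped pattern (the default/transforms.conf stanza quoted earlier), the optimised pattern posted just above, and a third variant over three constructed events. The first event is the sample from the original post; the IPv6 and pre-8.4.x lines are made up here to show what each pattern does and does not match. The third variant, `client\s(?:\S+\s)?`, is my own suggestion rather than anything from the thread: it makes the hex field optional so one stanza fires on both old and new events. Both Python's `re` and Splunk's PCRE engine accept `(?P<name>...)` named groups, so the strings print ready to paste into transforms.conf. Python does not report match steps, so the regex101 backtracking comparison is not reproduced here.

```python
import re

# IPv4-or-IPv6 alternation exactly as used by the regexes posted in this thread.
IP = (r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
      r"|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4}")

# Everything after the client IP is identical in all three variants below.
# (?P<name>...) is accepted by both Python's re and Splunk's PCRE engine, so
# these strings can go into transforms.conf unchanged.
TAIL = (
    r"#(?P<dns_request_client_port>\d+).*\s(?P<message_type>query):\s"
    r"(?P<dns_request_queried_domain>\S+)\s(?P<dns_request_class_name>\w+)\s"
    r"(?P<dns_request_type_name>\w+)\s(?P<dns_request_setDC>(?:\+|\-)\S*)\s"
    r"\((?P<dns_request_name_serverIP>" + IP + r")\)"
)

# 1. The TA's shipped pattern: nothing may sit between "client" and the
#    client IP, so the 8.4.x "@0x..." field stops it from matching at all.
DEFAULT_REGEX = r"client\s(?P<dns_request_client_ip>" + IP + r")" + TAIL

# 2. The optimised pattern from the thread: skips exactly one token with \S+,
#    so it only matches events that carry the hex field.
FIXED_REGEX = r"client\s\S+\s(?P<dns_request_client_ip>" + IP + r")" + TAIL

# 3. Assumption of this example, not from the thread: make the extra token
#    optional so one stanza handles pre- and post-8.4.x events alike.
BOTH_REGEX = r"client\s(?:\S+\s)?(?P<dns_request_client_ip>" + IP + r")" + TAIL

# Constructed sample events. The first is the one quoted in the thread; the
# other two are made up here to cover an IPv6 client and the pre-8.4.x layout.
EVENTS = {
    "8.4.x ipv4": ("Jun 13 13:45:40 11.11.11.11 named[1234]: client @0x7f9df0e8b720 "
                   "11.11.111.11#12345 (helloworld.com): query: helloworld.com IN AAAA "
                   "+E(0) (11.11.11.1)"),
    "8.4.x ipv6": ("Jun 13 13:45:41 11.11.11.11 named[1234]: client @0x7f9df0e8b720 "
                   "2001:db8::1#54321 (example.org): query: example.org IN A -ED "
                   "(2001:db8::53)"),
    "pre-8.4 ipv4": ("Jun 13 13:45:42 11.11.11.11 named[1234]: client "
                     "11.11.111.11#12345 (helloworld.com): query: helloworld.com IN AAAA "
                     "+E(0) (11.11.11.1)"),
}


def extract(regex, event):
    """Mimic a transforms.conf REGEX extraction: unanchored search returning
    the named capture groups, or None when the stanza would not fire."""
    m = re.search(regex, event)
    return m.groupdict() if m else None


def coverage(regex):
    """Map each sample event label to whether the pattern extracts it."""
    return {label: extract(regex, ev) is not None for label, ev in EVENTS.items()}


if __name__ == "__main__":
    for name, rx in (("default", DEFAULT_REGEX), ("fixed", FIXED_REGEX), ("both", BOTH_REGEX)):
        print(f"{name:8s} {coverage(rx)}")
    print(extract(BOTH_REGEX, EVENTS["8.4.x ipv6"]))
    print("transforms.conf line:\nREGEX = " + BOTH_REGEX)
```

Running it shows the default pattern only matching the pre-8.4.x line, the optimised pattern only matching the 8.4.x lines, and the optional-token variant matching all three, with the IPv6 client and name-server addresses captured whole. Whichever variant you use, the group names must stay as they are, since the TA's field aliases and the ES data model lookups key on them.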
I don't have the permissions to open a case unfortunately...
Yep, that's a nicer regex, thanks! I submitted a case on June 19th and they raised an enhancement request. I was told that I would receive future updates via our AM but haven't heard anything yet.
Thanks!
There is also a request to add ipv6 support to the regex
We just have to wait 🙂
Nice! Ty for info 🙂
If you open a support case and include your solution, Splunk will be more likely to patch the TA.