
Splunk Add-on for Infoblox v.1.1.0: Field extractions break with 8.4.x release

Explorer

Hi,

After upgrading our Infoblox solution to release 8.4.x, a new hexadecimal field was introduced in the DNS syslog messages.
We were told by Infoblox support that there has been a change in behavior with the new BIND DNS, which is working as designed.
This obviously had an impact on our data models in Enterprise Security.

Sample event

Jun 13 13:45:40 11.11.11.11 named[1234]: client @0x7f9df0e8b720 11.11.111.11#12345 (helloworld.com): query: helloworld.com IN AAAA +E(0) (11.11.11.1)

Does anyone know if Splunk plans to upgrade this TA?

We don't log responses, so I couldn't dig into those events, but I managed to solve it for requests. Thought I might as well share it here in case anyone ends up in the same situation 🙂

default/transforms.conf

[dns_request]
REGEX = client\s(?<dns_request_client_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})#(?<dns_request_client_port>\d+).*\s(?<message_type>query):\s(?<dns_request_queried_domain>\S+)\s(?<dns_request_class_name>\w+)\s(?<dns_request_type_name>\w+)\s(?<dns_request_setDC>(?:\+|\-)\S*)\s\((?<dns_request_name_serverIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})\)

local/transforms.conf

[dns_request]
REGEX = client(.*[^\s]*\s)(?<dns_request_client_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})#(?<dns_request_client_port>\d+).*\s(?<message_type>query):\s(?<dns_request_queried_domain>\S+)\s(?<dns_request_class_name>\w+)\s(?<dns_request_type_name>\w+)\s(?<dns_request_setDC>(?:\+|\-)\S*)\s\((?<dns_request_name_serverIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})\)

Explorer

Same issue here...

Btw, don't use .* at the beginning of this regex; it's not optimised because it causes a lot of backtracking. You can see it in regex101 (1407 steps to match):

https://regex101.com/r/fiPsS9/1

You can use \s\S+\s to match the id:

client\s\S+\s(?<dns_request_client_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})#(?<dns_request_client_port>\d+).*\s(?<message_type>query):\s(?<dns_request_queried_domain>\S+)\s(?<dns_request_class_name>\w+)\s(?<dns_request_type_name>\w+)\s(?<dns_request_setDC>(?:\+|\-)\S*)\s\((?<dns_request_name_serverIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})\)

https://regex101.com/r/Dfl9pc/1

I don't have the permissions to open a case unfortunately...
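As an added check (not code from either poster, nor from the add-on itself), the following Python script runs the TA's default regex and the corrected regex from the reply above over the 8.4.x sample event from the original post and over a constructed pre-8.4 event without the hex client pointer. It also includes a third variant that is my own suggestion rather than something proposed in the thread: the `@0x...` token is made optional so one transform covers both event shapes. That variant assumes the new token always carries the `@0x` prefix seen in the sample event. Splunk's `(?<name>...)` group syntax is converted to Python's `(?P<name>...)` before compiling; the regex bodies are otherwise the ones posted above.

```python
import re


def pcre_to_python(pattern: str) -> str:
    """Convert PCRE-style named groups "(?<name>...)" (as written in Splunk
    transforms.conf) to Python's "(?P<name>...)". Lookbehinds "(?<=" / "(?<!"
    are not followed by a letter and are left alone."""
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern)


# IPv4 / IPv6 alternation exactly as used in the posted regexes.
IP = (r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
      r"|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4}")

# Everything after the client address is identical in all three variants.
TAIL = (r"#(?<dns_request_client_port>\d+).*\s(?<message_type>query):\s"
        r"(?<dns_request_queried_domain>\S+)\s(?<dns_request_class_name>\w+)\s"
        r"(?<dns_request_type_name>\w+)\s(?<dns_request_setDC>(?:\+|\-)\S*)\s"
        r"\((?<dns_request_name_serverIP>" + IP + r")\)")

REGEXES = {
    # As shipped in default/transforms.conf: the address must follow "client " directly.
    "ta_default": r"client\s(?<dns_request_client_ip>" + IP + r")" + TAIL,
    # Fix from the thread: skip exactly one whitespace-delimited token (the @0x... pointer).
    "thread_fix": r"client\s\S+\s(?<dns_request_client_ip>" + IP + r")" + TAIL,
    # Added here (assumption: the new token always starts with "@0x"): make the token
    # optional so a single transform handles both pre- and post-8.4 events.
    "optional_token": r"client\s(?:@0x[0-9a-fA-F]+\s)?(?<dns_request_client_ip>" + IP + r")" + TAIL,
}
COMPILED = {name: re.compile(pcre_to_python(p)) for name, p in REGEXES.items()}

# Sample events. "new_8_4" is the line from the original post; "old_pre_8_4" is a
# constructed line of the shape the default regex was written for (no @0x pointer).
EVENTS = {
    "new_8_4": ("Jun 13 13:45:40 11.11.11.11 named[1234]: client @0x7f9df0e8b720 "
                "11.11.111.11#12345 (helloworld.com): query: helloworld.com IN AAAA +E(0) (11.11.11.1)"),
    "old_pre_8_4": ("Jun 13 13:45:40 11.11.11.11 named[1234]: client "
                    "11.11.111.11#12345 (helloworld.com): query: helloworld.com IN AAAA +E(0) (11.11.11.1)"),
}


def extract(regex_name: str, event: str):
    """Fields the transform would extract from one event, or None if it would not fire."""
    m = COMPILED[regex_name].search(event)
    return m.groupdict() if m else None


def coverage():
    """Which regex matches which event shape: {regex_name: {event_name: matched}}."""
    return {r: {e: extract(r, ev) is not None for e, ev in EVENTS.items()} for r in REGEXES}


if __name__ == "__main__":
    for name, hits in coverage().items():
        print(f"{name:15s} " + "  ".join(f"{e}={'ok' if ok else 'MISS'}" for e, ok in hits.items()))
    print(extract("thread_fix", EVENTS["new_8_4"]))
```

Running it shows the trade-off: the default regex fires only on pre-8.4 events, the thread's `client\s\S+\s` fix fires only on 8.4.x events (on a pre-8.4 line the mandatory `\S+\s` swallows `address#port` and the IP group then has nothing to match), and the optional-token variant fires on both. If one index receives both formats, for example during a staged Infoblox upgrade, the two-shape variant avoids a gap in the Enterprise Security data models.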

Explorer

Yep, that's a nicer regex, thanks! I submitted a case on June 19th and they raised an enhancement request. I was told that I would receive future updates via our AM but haven't heard anything yet.


Explorer

Thanks!

There is also a request to add IPv6 support to the regex:

https://answers.splunk.com/answers/762543/add-on-for-infoblox-and-extractions-for-src-ip-whe-1.html#...

We just have to wait 🙂


Explorer

Nice! Thanks for the info 🙂


SplunkTrust

If you open a support case and include your solution, Splunk will be more likely to patch the TA.

---
If this reply helps you, an upvote would be appreciated.