Splunk_TA_cisco-esa src_ip parses incorrectly

TonyLeeVT
Builder

The src_ip field in the Cisco ESA TA is not parsing correctly. I usually only get the last two digits of an IP address.

Original parser in stanza:

[src_dest_fields_for_cisco_esa]
REGEX = (?:DCID|ICID)\s+\d+\s+interface\s+.*[\s\(]*(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}).*\s+(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})(?:\s+port\s+(\d+))?
FORMAT = src_ip::$1 dest_ip::$2 dest_port::$3

I think the issue is that a greedy match is used where a non-greedy match should be used:

.* = greedy
.*? = non-greedy

See the revision below with the non-greedy match: "interface\s+.*?[\s(]"

[src_dest_fields_for_cisco_esa]
REGEX = (?:DCID|ICID)\s+\d+\s+interface\s+.*?[\s\(]*(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}).*\s+(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})(?:\s+port\s+(\d+))?
FORMAT = src_ip::$1 dest_ip::$2 dest_port::$3

Check out the regex101 link below to verify the non-greedy match:
https://regex101.com/r/tV6fJ5/1
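To see the truncation without Splunk in the loop, here is an added Python example (not part of the original post or of the Splunk_TA_cisco-esa add-on) that runs the stanza's original greedy REGEX and the proposed non-greedy REGEX over two constructed Cisco ESA-style events, one ICID line with the interface name and a parenthesised address and one DCID line with a trailing port. The two regexes are copied verbatim from the post, unescaped dots included; the sample IDs and addresses are made up, and Python's `re` backtracking behaves the same as Splunk's PCRE for the constructs used here.

```python
import re

# Original (greedy) REGEX from [src_dest_fields_for_cisco_esa], copied verbatim.
GREEDY = (
    r"(?:DCID|ICID)\s+\d+\s+interface\s+.*[\s\(]*"
    r"(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}).*\s+"
    r"(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})(?:\s+port\s+(\d+))?"
)

# Proposed REGEX: the only change is the non-greedy .*? after "interface\s+".
NON_GREEDY = (
    r"(?:DCID|ICID)\s+\d+\s+interface\s+.*?[\s\(]*"
    r"(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}).*\s+"
    r"(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})(?:\s+port\s+(\d+))?"
)

# FORMAT = src_ip::$1 dest_ip::$2 dest_port::$3, expressed as a field order.
FORMAT = ("src_ip", "dest_ip", "dest_port")

# Constructed sample events modelled on the Cisco ESA mail log layout;
# timestamps, IDs and addresses are made up for this example.
SAMPLE_EVENTS = [
    "Thu Jan  1 00:00:00 2020 Info: New SMTP ICID 12345 interface Management "
    "(10.1.2.3) address 203.0.113.45 reverse dns host mail.example.test verified yes",
    "Thu Jan  1 00:00:01 2020 Info: New SMTP DCID 67890 interface 192.168.1.1 "
    "address 10.10.10.10 port 25",
]


def extract(regex, line):
    """Apply one REGEX/FORMAT pair the way a transforms.conf stanza would.

    Returns a dict of the three fields (a group that did not participate,
    such as a missing port, comes back as None) or None when nothing matched.
    """
    match = re.search(regex, line)
    if match is None:
        return None
    return dict(zip(FORMAT, match.groups()))


def compare(line):
    """Run both stanzas over one event so the two src_ip values sit side by side."""
    return {
        "greedy": extract(GREEDY, line),
        "non_greedy": extract(NON_GREEDY, line),
    }


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        result = compare(event)
        print(event)
        print("  greedy     ->", result["greedy"])
        print("  non-greedy ->", result["non_greedy"])
```

With the greedy `.*` the engine consumes as much of the line as it can and then backtracks only far enough for the rest of the pattern to succeed, so the first capture group lands on the latest substring that still looks like an IP; because the dots in `\d{1,3}.\d{1,3}` are unescaped, that can even be a fragment such as `168.1.1` cut from `192.168.1.1`. The non-greedy `.*?` stops at the first position where the capture group can match, which is the address immediately after the interface name.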

rpille_splunk
Splunk Employee

Yes, this was also reported here: https://answers.splunk.com/answers/365911/small-bugreport-about-version-121.html

I have just added a Known Issue to the documentation here: http://docs.splunk.com/Documentation/AddOns/released/CiscoESA/Releasenotes#Known_issues so that you can follow along as this gets fixed.

Thanks!
