All Apps and Add-ons

eNcore v4.0.7 Correlation Events converted IP to decimal

Path Finder

Hello All,

The eNcore v4.0.7 app started converting IP (src_ip and dest_ip) to decimal ONLY in the "correlation events." Does anyone know how to fix that?

 

Labels (2)
0 Karma

SplunkTrust
SplunkTrust

Which app is this?  The only one in Splunkbase for eNcore is still in the version 3.x range, as is the only one archived in Splunkbase.

What do you mean by "to decimal"?  Actual unsigned integers (ranging from negative to positive 2.1 billion or so) like 10.1.0.15 turning into 167837711?  Or just dropping the dots between dotted quads so 10.1.0.15 turns into 101015?

If the former, then I suspect what's actually happening is that the device started reporting them as integers, or always had, and the 'fix them back to dotted quads' conversion is for some reason not working on that page.  Because if they're reporting as actual integers, I can't imagine anyone would write all the terrible conversion code to convert from dotted quad to integer.  Just wouldn't be sensible, so I figure that it's converting the other way, and that other backwards that normally would happen to make them readable is broken for some reason.

If the latter, well, ... that's weird. I guess a sedcmd somewhere?  Or replace or something?  But why would that be *anywhere* in the code?

So, if you could be more specific about the actual app in use, I may be able to take a look. And even if I can't, then probably someone else can!

0 Karma

Path Finder

I am still running into this issue with the newest release, 4.0.9.  For example, if the IP were 69.74.26.104 (which I randomly made up) and the source were 10.0.0.1, the Correlation Event looks like this:

 

rec_type=112 event_sec=1603290117 policy_uuid=00000000-0000- blocked=No client_id=0 client_version="" dest_ip_country="united states" dest_criticality=None dest_host_type=Host dest_ip=5457451624 est_os_fingerprint_uuid=00000000.............. src_ip=167772161.......

0 Karma

Path Finder

Encore 4.0.9 crashed after a day (Cisco wasn't able to help) and  I ended up downgrading to 3.x.

I got my IP's back!

https://splunkbase.splunk.com/app/3662/

0 Karma

Path Finder

Thanks for responding

- 4.0.7 is available on Splunk base (https://splunkbase.splunk.com/app/3662/), but it is in beta so you have to manually select that version (v3.6.8  comes up by default).  I am playing with it because it is the only version that supports Splunk 8.

- The app is reporting decimal instead of ip, similar to your first example - "167837711" instead of 10.1.0.15

- This change started happening exactly when I migrated from 3.6.8 to 4.0.7 rather than an FMC upgrade. I haven't been able to find another other cause. But again, the app is in beta. 

0 Karma