IF DNS searched then lookup IP to allow search on IP in index

New Member

I have an App that allows users to enter IP addresses and find if the connections between source and destination have been allowed.

I thought it would be useful if the user could enter a DNS entry, as this is more user-friendly, so I started experimenting with searches that use the script. I started off with this one just to prove the script worked:

index=network srcip= AND dstip= AND (srcport=80 OR dstport=88) AND Built
| lookup dnsLookup ip AS srcip OUTPUT host AS srchost
| lookup dnsLookup ip AS dstip OUTPUT host AS dsthost
| table srchost,srcport,dsthost,dstport,host

All well and good so far, but what if the user enters a DNS name in the application's form and the search fields srcip and/or dstip become DNS names instead of IP addresses?

How do I tell dnsLookup to look for host? Do I even bother? Would it be better to convert the DNS name back to an IP and keep the lookups as they are?

I know that will perform reverse DNS lookups, but I can't get my head round how to achieve this in this situation.

Should I just do a lookup for both, then display the DNS returns only (I don't want the IP addresses in the results, only the DNS)?

Any thoughts are welcome.

It is probably worth pointing out that the index contains no DNS entries, only IP addresses.

0 Karma

Re: IF DNS searched then lookup IP to allow search on IP in index


So that my answer makes some sense, assume that your form accepted a source host name or IP as input from the user and put it in a token named $srcinput$.

Your search could then look like this:

index=xyz and other search terms
| eval hostinput = "$srcinput$"
| eval hostip = if(match(hostinput,"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"),hostinput,null())
| eval hostname = if(isnull(hostip),hostinput,null())
| lookup dnsLookup ip AS hostip OUTPUT ip AS srcipToMatch
| lookup dnsLookup host AS hostname OUTPUTNEW ip AS srcipToMatch
| where srcip = srcipToMatch

You could also do something similar for the destination ip. Note that dnsLookup can work with either the ip or host as input. The eval commands make sure that either ip or host is supplied to the lookup, but not both.

I am not entirely sure that this will work...

0 Karma
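The logic of the question and of the answer above (classify the form input as an IP or a host name, resolve the host name through a two-column lookup like dnsLookup, then keep only the events whose srcip/dstip match), restated in Python as an added example that is not code from the thread. The lookup table and firewall events are constructed; the IP check is stricter than the SPL regex above because it also rejects octets above 255, and an unknown host name yields no results rather than matching everything.

```python
import csv
import io
import ipaddress
from typing import Optional

# Constructed stand-in for the dnsLookup CSV (columns: ip, host).
DNS_LOOKUP_CSV = """ip,host
10.1.1.10,web01.example.test
10.1.1.20,db01.example.test
192.0.2.5,proxy.example.test
"""

# Constructed firewall events, mirroring an index that holds IPs only.
EVENTS = [
    {"srcip": "10.1.1.10", "srcport": "51000", "dstip": "10.1.1.20", "dstport": "80"},
    {"srcip": "10.1.1.10", "srcport": "51001", "dstip": "192.0.2.5", "dstport": "88"},
    {"srcip": "192.0.2.5", "srcport": "51002", "dstip": "10.1.1.20", "dstport": "80"},
]


def load_lookup(text: str) -> dict:
    """Parse the lookup CSV into {host: ip}; an IP input never needs it."""
    return {row["host"].lower(): row["ip"] for row in csv.DictReader(io.StringIO(text))}


def is_ip(value: str) -> bool:
    """Counterpart of the SPL match() test, but rejects e.g. 999.1.1.1."""
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def resolve(user_input: str, lookup: dict) -> Optional[str]:
    """Return the IP to search for, or None when the host name is unknown."""
    value = user_input.strip()
    if is_ip(value):
        return value
    return lookup.get(value.lower())


def search(events, srcinput: str, dstinput: str, lookup: dict):
    """Same filtering as `where srcip = srcipToMatch`, applied to both sides."""
    src, dst = resolve(srcinput, lookup), resolve(dstinput, lookup)
    if src is None or dst is None:  # unknown name: no results, not everything
        return []
    return [e for e in events if e["srcip"] == src and e["dstip"] == dst]


LOOKUP = load_lookup(DNS_LOOKUP_CSV)
```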

Re: IF DNS searched then lookup IP to allow search on IP in index

New Member

Hi lguinn, I have been working with your answer on and off today and it is a good start and has got me thinking. The answer seems to have a problem outputting host as hostname if I set $srcinput$ as a DNS name. I may have interpreted your answer incorrectly, as I can't see why the "where" command is needed. I am currently building the query in Search as I can't get the App to use it (I think I need to restart Splunk to accept the App changes, new transforms.conf etc.). Do I need to do another search after the where once I have populated srcipToMatch?

0 Karma