IPv6 addresses parsed properly?

Communicator

Does Splunk have any issues with parsing out IPv6 addresses from firewall events? I guess it all depends on how the transforms are written and how the fields are delimited (Cisco App written to parse IPv6).

Has anyone successfully parsed IPv6 or noticed any issues or caveats that we should be aware of?

Splunk Employee

There are several formats in which IPv6 can be displayed in your event log. You will want to use transforms.conf to find and parse these addresses. Here is a list of regexes that match the different forms. (The IPv4 address converted to IPv6 used in the examples below is 192.168.10.100 with a net mask of 255.255.255.0.)

Full IPv6 address:

fe80:0000:0000:0000:0000:0000:c0a8:a64
Regex to match and return full address as $1:

([0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4})

IPv6 dropping leading zeros:

fe80:0:0:0:0:0:c0a8:a64
Regex to match and return full address as $1 (yes, it's the same as the above):
([0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4})

IPv6 collapsing multiple zeros:

fe80::c0a8:a64
Regex to match collapsed zero groups. This will also work with collapsed zeros at the beginning of the address but not for single group addresses (e.g. '::1') and does not check for illegal IPv6 addresses (e.g. fe80::c0a8::a64):
(:?:?[0-9A-Fa-f]{1,4}:?:?[0-9A-Fa-f]{1,4}:?:?[0-9A-Fa-f]{1,4}:?:?[0-9A-Fa-f]{1,4}:?:?[0-9A-Fa-f]{1,4}:?:?[0-9A-Fa-f]{1,4}:?(?::?[0-9A-Fa-f]{1,4})?)


To account for mixed IPv4 and IPv6 addresses, IPv6 allows for changing the last 4 bits to include the IPv4 address. fe80:0000:0000:0000:0000:0000:c0a8:a64 would then be noted with the quad address at the end and become 'fe80:0000:0000:0000:0000:0000:192.168.10.100'.

Full IPv6 with IPv4 quad:

fe80:0000:0000:0000:0000:0000:192.168.10.100
Regex to match:
([0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:(?:\d{1,3}\.){3}\d{1,3})

IPv6 dropping leading zeros with IPv4 quad:

fe80:0:0:0:0:0:192.168.10.100
Regex to match (same as above):
([0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:(?:\d{1,3}\.){3}\d{1,3})

IPv6 with collapsed zeros and IPv4 quad:

fe80::192.168.10.100
Regex to match:
(:?:?[0-9A-Fa-f]{1,4}:?:?[0-9A-Fa-f]{1,4}:?:?[0-9A-Fa-f]{1,4}:?:?[0-9A-Fa-f]{1,4}:?:?[0-9A-Fa-f]{1,4}:?(?::?[0-9A-Fa-f]{1,4})?(?:\d{1,3}\.){3}\d{1,3})

Depending on the IPv6 address type that you are seeing in your events, you may want to tailor the regex to fit your IPv6 addresses more specifically.

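As an added illustration (not part of the answer above), the Python below runs compacted but equivalent forms of those patterns against the answer's sample addresses and a constructed key=value firewall line, and validates every regex hit with the standard library's ipaddress module, which also produces the RFC 5952-style compressed text. It shows the caveats the answer mentions: '::1' matches nothing, while the loose collapsed-zero pattern also matches non-addresses such as a six-digit message id or a string with two '::', which only the validation step weeds out. Field names in the sample line are made up for this example.

```python
"""Run the IPv6 patterns from the answer above over constructed input and
validate each regex hit with the standard library (added example)."""
import ipaddress
import re

HEX = r"[0-9A-Fa-f]{1,4}"
QUAD = r"(?:\d{1,3}\.){3}\d{1,3}"

# Compacted, equivalent forms of the answer's patterns. The two collapsed
# patterns accept any run of 6 (or 5) short hex tokens with optional colons.
PATTERNS = {
    "full": re.compile(rf"({HEX}(?::{HEX}){{7}})"),
    "full_quad": re.compile(rf"({HEX}(?::{HEX}){{5}}:{QUAD})"),
    "collapsed": re.compile(rf"(:?:?{HEX}(?::?:?{HEX}){{5}}:?(?::?{HEX})?)"),
    "collapsed_quad": re.compile(rf"(:?:?{HEX}(?::?:?{HEX}){{4}}:?(?::?{HEX})?{QUAD})"),
}

def matching_patterns(candidate):
    """Names of the patterns that match the whole candidate string."""
    return [name for name, pat in PATTERNS.items() if pat.fullmatch(candidate)]

def canonical(candidate):
    """RFC 5952-style compressed text of a legal address, or None when the
    real parser (ipaddress) rejects the string a regex found."""
    try:
        return str(ipaddress.IPv6Address(candidate))
    except ValueError:
        return None

def extract(line):
    """key=value firewall line -> {field: canonical address}. A value that a
    loose pattern matches but that is not an address (a numeric message id,
    a second '::') is dropped here instead of being indexed as an IP."""
    found = {}
    for field in line.split():
        key, _, value = field.partition("=")
        if value and matching_patterns(value) and canonical(value):
            found[key] = canonical(value)
    return found

# Constructed sample line; the field names are made up for this example.
LINE = ("ACCEPT proto=tcp src=fe80:0000:0000:0000:0000:0000:c0a8:a64 "
        "spt=51234 dst=2001:db8::192.168.10.100 dpt=443 msgid=302013")

if __name__ == "__main__":
    for cand in ("fe80::c0a8:a64", "::1", "fe80::c0a8::a64", "302013"):
        print(cand, matching_patterns(cand), canonical(cand))
    print(extract(LINE))  # {'src': 'fe80::c0a8:a64', 'dst': '2001:db8::c0a8:a64'}
```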

Contributor

Note that the IETF has proposed RFC 5952 to "define a canonical textual representation format" across all systems and codes. Currently, IPv6 is difficult to parse, and the wide range of regex rules is going to leave holes in many apps. Hopefully RFC 5952 will bring some sanity to this mess.

Splunk Employee

Certainly some example IPv6 addresses in the events themselves would be useful...

Splunk Employee

How do you use these in an actual search?

Contributor

Can I use all 6 of these patterns and combine them into a single 'type' called 'IPv6 address'?