Splunk 6.2.4, TA-tippingpoint 3.3.0 - Failed extractions

Engager

I have the TA-tippingpoint 3.3.0 app installed on Splunk Enterprise 6.2.4, but there are no field extractions for the IPS data. Are there any known bugs that would cause the extractions to fail? Also, I searched the Splunk app store for the TippingPoint app with the intention of reinstalling it, but I couldn't find anything related to TippingPoint. Is there somewhere else that I should look for this app? Thanks.

Explorer

I still use the old TA-tippingpoint v4.7.2.

Communicator

Where can I get that? Do you have the link?

0 Karma

Explorer

If I'm not wrong, Trend Micro bought TippingPoint. That's why the Splunk add-on for TippingPoint does not exist anymore. Now the logs from TippingPoint appliances should be parsed with the Trend Micro Splunk add-on, perhaps something like this: https://splunkbase.splunk.com/app/1936/
I hope it helps...

0 Karma

Communicator

Would you mind telling me which apps you used for capturing logs from TippingPoint?

0 Karma

Explorer

Hi,
I had the same problem regarding field extraction. The regular expression is buggy: sometimes it works and sometimes not, depending on the date (day of the month, single or double digit).

I changed the regex in transforms.conf like this (I also added new fields for ReputationDV Feed):

# Tab-delimited SMS syslog events. The day of month is matched with \d+ so that
# single- and double-digit days both work; the inner SMS timestamp is optional.
[tab_kv_for_tippingpoint]
REGEX = ^\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}\s+\S+\s+(?:\w{3}\s+\d{2}\s+\d{2}:\d{2}:\d{2}\s+)?([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t\"?\d+:\s+([^\t"]+)\"?\t([^\t]+)\t\"?([^\t"]+)\"?\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t\"?([^\t"]+)\"?\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)
FORMAT = vendor_action::$1 severity_id::$2 policy_uuid::$3 signature_uuid::$4 signature::$5 signature_id::$6 app::$7 src_ip::$8 src_port::$9 dest_ip::$10 dest_port::$11 hit_count::$12 dvc_slot::$13 dvc_segment::$14 dvc::$15 category_id::$16 ioc::$20

# Pipe-delimited variant of the same event layout (ips_host and the ReputationDV
# ioc field are mapped in addition).
[pipe_kv_for_tippingpoint]
REGEX = ^\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}\s+\S+\s+(?:\w{3}\s+\d{2}\s+\d{2}:\d{2}:\d{2}\s+)?([^|]+)\|([^|]+)\|([^|]+)\|([^|]+)\|\"(?:\d+:\s)?([^|]+)\"\|([^|]+)\|\"?([^|"]+)\"?\|([^|]+)\|([^|]+)\|([^|]+)\|([^|]+)\|([^|]+)\|([^|]+)\|([^|]+)\|\"?([^|"]+)\"?\|([^|]+)\|([^|]+)\|([^|]+)\|([^|]+)\|([^|]+)\|([^|]+)
FORMAT = vendor_action::$1 severity_id::$2 policy_uuid::$3 signature_uuid::$4 signature::$5 signature_id::$6 app::$7 src_ip::$8 src_port::$9 dest_ip::$10 dest_port::$11 hit_count::$12 dvc_slot::$13 dvc_segment::$14 dvc::$15 category_id::$16 ips_host::$17 ioc::$20

I hope this helps. Let me know if it works for you.
Regards,
filou

0 Karma
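An added example, not part of the thread, that runs the tab-delimited regex from the post above with Python's re module over two constructed TippingPoint-style events (one with a single-digit day, one with a double-digit day plus the optional inner SMS timestamp) and maps the capture groups with the post's FORMAT names. The sample column values and the host name sms01 are placeholders, not real data.

```python
import re

# Tab-delimited regex from the post, joined onto one line.
# Caveat: the optional inner SMS timestamp still expects a two-digit day (\d{2}).
TAB_KV_REGEX = re.compile(
    r'^\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}\s+\S+\s+'
    r'(?:\w{3}\s+\d{2}\s+\d{2}:\d{2}:\d{2}\s+)?'
    r'([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t\"?\d+:\s+([^\t"]+)\"?\t([^\t]+)\t'
    r'\"?([^\t"]+)\"?\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t'
    r'([^\t]+)\t\"?([^\t"]+)\"?\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t'
    r'([^\t]+)\t([^\t]+)'
)

# Capture group -> field name, taken from the post's FORMAT line.
FORMAT = {1: "vendor_action", 2: "severity_id", 3: "policy_uuid", 4: "signature_uuid",
          5: "signature", 6: "signature_id", 7: "app", 8: "src_ip", 9: "src_port",
          10: "dest_ip", 11: "dest_port", 12: "hit_count", 13: "dvc_slot",
          14: "dvc_segment", 15: "dvc", 16: "category_id", 20: "ioc"}

# Constructed event body: 22 tab-separated columns with placeholder values.
# Columns 17-22 are unnamed filler, except column 20 which FORMAT maps to ioc.
FIELDS = ["Block", "3", "00000000-0000-0000-0000-000000000001",
          "00000000-0000-0000-0000-000000000002", '"1234: Example Filter"', "1234",
          '"http"', "10.0.0.5", "51515", "192.0.2.10", "80", "1", "1", "1A",
          '"ips01"', "3", "sms01", "f18", "f19", "198.51.100.7", "f21", "f22"]
BODY = "\t".join(FIELDS)

# Syslog headers: single-digit day (two spaces before "5"), and double-digit day
# followed by the optional inner SMS timestamp.
SAMPLE_SINGLE_DIGIT_DAY = "Jul  5 14:03:12 sms01 " + BODY
SAMPLE_DOUBLE_DIGIT_DAY = "Jul 15 14:03:12 sms01 Jul 15 14:03:10 " + BODY


def extract(line):
    """Mimic the transforms.conf stanza: return {field: value} for one event, or
    None when the regex does not match (what 'no field extraction' looks like)."""
    m = TAB_KV_REGEX.match(line)
    if m is None:
        return None
    return {name: m.group(idx) for idx, name in FORMAT.items()}


if __name__ == "__main__":
    for sample in (SAMPLE_SINGLE_DIGIT_DAY, SAMPLE_DOUBLE_DIGIT_DAY):
        print(extract(sample))
```

Run it against a few real lines of your own sourcetype (replacing BODY) before editing transforms.conf; a None result points at a column count or quoting mismatch rather than the date.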

Path Finder

I changed the regex in transforms.conf like you did, but nothing happened 😞

0 Karma