
how to get DNS resolution for public source IP?

New Member

Hi All,

I have written a search which shows which countries are trying to access our servers from outside. It works fine and gives me loads of information. I was trying to tweak this search so that it will also give me the DNS resolution for the source IP from where the traffic is originating. The original search is as follows:

index=netscreen sourcetype=netscreen:firewall | iplocation src dst | search Country=China OR Country=Syria OR Country=Iran OR Country=Israel OR Country=Yemen OR Country=Romania OR Country=Russia OR desttranslatedip | stats count by Country src srcport dst desttranslatedip dstport policyid | rex field=_raw "dst-xlated\sip=(?[^\s]+)" | sort count 50 | dedup src | rename Country as OrginCountry, src as SOURCEIP, srcport as SourcePort, dst as DESTINATIONIP, dstport as DestinationPort, desttranslatedip as REALIP, policyid as POLICYID

The modification I made is as follows:

index=netscreen sourcetype=netscreen:firewall sourcetype!=optiv_threat_list | lookup dnslookup clientip AS src OUTPUT clienthost as Hostname | iplocation src dst | search Country=China OR Country=Syria OR Country=Iran OR Country=Israel OR Country=Yemen OR Country=Romania OR Country=Russia OR desttranslatedip | stats count by Country src srcport dst desttranslatedip dstport policyid | rex field=_raw "dst-xlated\sip=(?[^\s]+)" | sort count 50 | dedup src | rename Country as OrginCountry, src as SOURCEIP, srcport as SourcePort, dst as DESTINATIONIP, dstport as DestinationPort, desttranslatedip as REALIP, policyid as POLICYID

The first search works perfectly but the second one does not yield any results. What am I doing incorrectly?

Regards
Pradeep

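An added example, not part of the original post, of one way to structure the same search so that the DNS hostname and the rex-extracted field both survive to the final table. It assumes the index, sourcetype and field names used in the question and Splunk's built-in dnslookup external lookup (clientip in, clienthost out); the field names xlated_ip, src_host and SOURCEHOST are chosen here for illustration and are not from the post.

```spl
index=netscreen sourcetype=netscreen:firewall sourcetype!=optiv_threat_list
| rex field=_raw "dst-xlated\sip=(?<xlated_ip>[^\s]+)"
| iplocation src
| search Country=China OR Country=Syria OR Country=Iran OR Country=Israel OR Country=Yemen OR Country=Romania OR Country=Russia
| stats count by Country src srcport dst desttranslatedip xlated_ip dstport policyid
| dedup src sortby -count
| sort 50 -count
| lookup dnslookup clientip AS src OUTPUT clienthost AS src_host
| fillnull value="unresolved" src_host
| rename Country AS OriginCountry, src AS SOURCEIP, src_host AS SOURCEHOST, srcport AS SourcePort, dst AS DESTINATIONIP, dstport AS DestinationPort, desttranslatedip AS REALIP, xlated_ip AS XLATEDIP, policyid AS POLICYID
```

Two ordering points matter here. stats keeps only its by-fields and aggregates, so anything added before it (a lookup output, or the _raw event text that rex reads) is gone afterwards: the rex is therefore placed before stats and its capture is named so the value can be carried through the by-clause, while the dnslookup is placed after dedup and sort, which also means at most 50 reverse-DNS queries per run instead of one per event. fillnull makes a source that has no PTR record show as "unresolved" rather than as an empty cell. Keep in mind that a PTR record is set by whoever controls the address space, so the resolved name is context, not evidence of who the source is.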

Re: how to get DNS resolution for public source IP?

Influencer

Most likely your search index=netscreen sourcetype=netscreen:firewall sourcetype!=optiv_threat_list does not contain the field dst, or alternatively you have no hits with Country=China OR Country=Syria OR Country=Iran OR Country=Israel OR Country=Yemen OR Country=Romania OR Country=Russia.


Re: how to get DNS resolution for public source IP?

Splunk Employee

Hi Pradeep,

I think the rex syntax in your search may be incorrect. A field name should be provided so that the regex-captured group value can be assigned to it.

For example, the following search assigns anything after From: to the new from field and anything after To: to the new to field.

... | rex field=_raw "From: (?<from>.*) To: (?<to>.*)"

Therefore, you might need to supply a field name - sip, for example - in your search as well:

...| rex field=_raw "dst-xlated\sip=(?<sip>[^\s]+)" ... 

Hope this helps. Thanks!
Hunter


Re: how to get DNS resolution for public source IP?

New Member

Hi Hunter,

I modified the regex as you suggested, but I am still not able to resolve the DNS for the source IP.
