Splunk Enterprise Security

Why is Check Point OPSEC LEA is parsing out dst to src and src to dst?

nb1030
New Member

In the logs for "New Anti Virus", the logs contain a "dst=" and "src=" field. For some logs, it is placing the "dst=" value into both the dst and the src fields. In other logs, it is placing the "dst=" value into the src field, and the "src=" value into the dst field. In other logs, it is putting the "dst=" value into both fields, but these logs then have the dest, dest_ip, and src_ip fields that contain the wrong values.

Examples for the "New Anti Virus" logs:
Log type 1
log contains dst=10.20.30.40; dst field contains 10.20.30.40
log contains src=50.60.70.80; src field contains 10.20.30.40

Log type 2
log contains dst=10.20.30.40; dst field contains 50.60.70.80
log contains src=50.60.70.80; src field contains 10.20.30.40

Log type 3
log contains dst=10.20.30.40; dst field contains 10.20.30.40, dest field contains 50.60.70.80, dest_ip=50.60.70.80
log contains src=50.60.70.80; src field contains 10.20.30.40, src_ip field contains 10.20.30.40

Is there anyway to fix this?

0 Karma

mgaudie_splunk
Splunk Employee
Splunk Employee

Looks like an issue with the field alaising. Have you made any changes to the add-on's props.conf file or added a local props.conf file?

0 Karma

nb1030
New Member

We have a ticket open now as it seems there are a few reasons this could be happening.

0 Karma

astatrial
Contributor

Hello,
Did you manage to figure out the reason for this behavior ?
Thanks !!

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!