Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

DGA Regex in Splunk

masfar
Engager
‎02-11-2017 07:52 AM

I am trying to search through logs for unusual domains generated by DGAs. I want to use regex to search for domain names with 7-12 characters ending with TLD. The characters are alphanumeric.
For example, abc1djdfkf.xyz

I have used the following regex patterns, but did not see the desired results.

rex field=URL "(?\w{7,12}.(XYZ))$"

Tags (2)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-11-2017 10:16 AM

So... you're looking for seven to twelve alphanumeric characters where at least one is a digit and at least one is a letter?
I'll be lazy and cheat:

| rex field=URL "(?<url_dga>(?=\w*\d)(?=\w*[a-zA-Z])\w{7,12}\.xyz)"
| regex URL="(?=\w*\d)(?=\w*[a-zA-Z])\w{7,12}\.xyz"

Note 1: I've added regex, in case you're trying to filter and not extract a field.
Note 2: djdhdjahdja.xyz is technically alphanumeric 😛
Note 3: To add more laziness, take a look at https://splunkbase.splunk.com/app/3435 - one of its examples targets algorithmically generated domains.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-11-2017 01:15 PM

I've added back the rex command to extract fields rather than searching by regex.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-11-2017 11:36 AM

Well, it does match the example you gave that should match, and doesn't match the example you gave that shouldn't match.

Are you trying to extract a new field |rex or filter results |regex?

0 Karma
Reply

masfar
Engager
‎02-11-2017 12:43 PM

Martin- I am looking to extract the field.

0 Karma
Reply

masfar
Engager
‎02-11-2017 10:53 AM

Martin- Thanks, but the query you mentioned is not providing the desired results. For example, the results include abc.zybdkdke12.xyz , www.dahdha2ddalk.xyz, when I am only interested in the main domain itself (zybdkdke12.xyz and dahdha2ddalk.xyz).

0 Karma
Reply

somesoni2
SplunkTrust
SplunkTrust
‎02-11-2017 08:38 AM

Try this

...| rex field=URL "(?<domain>\w{7,12}\.xyz)"
Reply

masfar
Engager
‎02-11-2017 09:02 AM

somesoni2- The DGA I am observing generates domains in alphanumeric characters, so in my regex I want to be able to search for domains that contain ONLY alphanumeric values. For example, I want to get a hit on ababdbdb233.xyz and not on djdhdjahdja.xyz.

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unveiled: Navigating OpenTelemetry's Framework and Deployment Options

Observability Unveiled: Navigating OpenTelemetry's Framework and Deployment Options A recent Tech Talk, ...

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...