Splunk Search

I need a wildcard in reg

RNB
Path Finder

I have an event that I want to extract the inside/outside IP Addresses and Port numbers.

Mar 6 13:59:59 192.168.140.215 %ASA-4-106023: Deny udp src outside:xxx.xxx.xxx.xxx/xxxxx dst inside:xxx.xxx.xxx.xxx/xxxxx by access-group "outside_access_in" [0x0, 0x0]

In a response to a previous question, the recommended search works successfully.

| rex "outside:(?<outside_ip>[^/]+)/(?<outside_port>\S+)" | stats count by outside_ip outside_port

The issue I am having is to expand the rex to get both the inside and outside IP/ports. Another complicating factor is that inside: is actually inside_zone-app: where zone and app are variable. Obviously, my experience with regex is limited and I can't find a method to find inside*: and grab the data between the : and / assigning it to inside_ip. I have tried various ways unsuccessfully.

| rex "inside*:(?<inside_ip>[^/]+)/(?<inside_port>\S+)/outside:(?<outside_ip>[^/]+)/(?<outside_port>\S+)" | stats count by inside_ip inside_port outside_ip outside_port

Any help is appreciated.

Update:

I could not get this to work as just a single rex statement, but I was able to get it working with two rex's but without the wildcard. Of the wildcards that I tried that sort of worked returned the information after the second : in the message, not the information after inside*:.

| rex "inside_zoneB-AppA:(?<inside_ip>[^/]+)/(?<inside_port>\S+)" | rex "outside:(?<outside_ip>[^/]+)/(?<outside_port>\S+)" | stats count by inside_ip inside_port outside_ip outside_port

Update[2]:

I don't think my explanations were clear enough and a single sample from the results likely did not help. All recomendations so far are appreciated, but I am not having any luck in using them as-is or incorporating them. (I am waiting for my manager to come in to buy RegexBuddy and RegexMagic.) I have included three non-redacted samples that I am trying to count and display in columns. I have stats and sort down, the Perl and Linux regex wildcard samples I have found and tried are not working when I try wildcard between inside*: as in inside_emr-gnplc: and inside_emr-frontdesk:.

Mar 7 13:59:58 192.168.140.215 %ASA-4-106023: Deny udp src inside_lab-gcpc:10.15.13.17/65227 dst outside:10.14.2.15/161 by access-group "lab-gcpc_access_in" [0x0, 0x0]

Mar 7 13:59:36 192.168.140.215 %ASA-4-106023: Deny tcp src inside_lab-frontdesk:10.15.7.5/54094 dst outside:10.2.103.71/26334 by access-group "lab-frontdesk_access_in" [0x0, 0x0]

Mar 7 13:57:51 192.168.140.215 %ASA-4-106023: Deny udp src outside:dhcp.admin.georgianc.on.ca/67 dst inside-work:10.15.11.19/68 by access-group "outside_access_in" [0x0, 0x0]

Tags (3)
0 Karma

bmacias84
Champion

Hello,

Here is a regex that I've tested and it works with your sample data.


outside:(?<scr_ip>((\d{1,3}.)){3}\d{1,3})/(?<scr_port>\d+[^\s])(?:[\s\w]+):(?<dest_ip>((\d{1,3}.)){3}\d{1,3})/(?<dest_port>\d+[^\s])

wildcard:

outside:(?<scr_ip>[^/:]+)/(?<scr_port>\d+[^\s])(?:[\s\w]+):(?<dest_ip>[^/:]+)/(?<dest_port>\d+[^\s])

Also I would consider adding this to Field extractions for that source type. which would look like this.

outside:(?P<scr_ip>((\d{1,3}.)){3}\d{1,3})/(?P<scr_port>\d+[^\s])(?:[\s\w]+):(?P<dest_ip>((\d{1,3}.)){3}\d{1,3})/(?P<dest_port>\d+[^\s])

wildcard:

outside:(?P<scr_ip>[^/:]+)/(?P<scr_port>\d+[^\s])(?:[\s\w]+):(?P<dest_ip>[^/:]+)/(?P<dest_port>\d+[^\s])

You could alternatively added this to your transform.conf and associated with the source within your props.conf.

I also suggest purchasing Regex tool like RegexBuddy it very handy.
Hope this helps or gets you started. If it does dont foget to accept or vote it up.

Updated and verified regex for your examples listed:
wildcard:


src\s+(?:[\w_-]+):(?<scr_ip>[^/:]+)/(?<scr_port>[^\s]+)\s+dst\s+(?:[\w_-]+):(?<dest_ip>[^/:]+)/(?<dest_port>[^\s]+)

Regex break down:

  • src\s+ - set begin of regex and match scr and white space
  • (?:[\w_-]+): -None capture group to match everything before colon(:) and after previous regex
  • (?<scr_ip>[^/:]+) - capture group that capture any data after colon(:) and before slash(/). Basiclly wild card with expections -(?<scr_port>[^\s]+) - capture group that capture any data after slash(/) and with no white space.Basiclly wild card with expections
  • \s+dst\s+ - regex for white space and dst
  • (?:[\w_-]+) - None capture group for any data after dst and before colon (:)
  • (?<dest_ip>[^/:]+) - Capture group for any data not colon or slash. Basiclly wild card with expections
  • : - regex for slash (/)
  • (?<dest_port>[^\s]+) -Capture group for any data not whitespace.Basiclly wild card with expections

I can create a regex wild card capture as long as you specify upper and lower bounds of your string.

Gilberto_Castil
Splunk Employee
Splunk Employee

Try this snippet in your extraction:

outside:(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\/(?<src_port>\d{1,4})\s+dst\s+inside:(?<dest_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\/(?<dest_port>\d{1,4})

As a personal preference I tend to avoid lazy expressions and wildcards as I always struggle with matching unknown possibilities. The field names used in the example above use part of the Common Information Model used by many apps in Splunk. Of course, you can rename to your own liking.

Good luck,

--gc

0 Karma

Gilberto_Castil
Splunk Employee
Splunk Employee

Well... If you have time, please post some sanitized log lines so we can extropolate an appropriate procedure. Five or ten lines should do for both IP-based and FQDN variants.

0 Karma

RNB
Path Finder

I like the idea of explicitly identifying the data I am trying to collect, but I am not getting any results with the snippet yet. I'll try again tomorrow.

I think I might have an issue with the d{1,3} as some of the outside addresses are resolved leaving me with a mixture of IP's and FQDN's.

I am still hoping to find the right syntax to get a wildcard working so that I can do something like this inside*: to return for things like inside_emr-gnplc, inside_emr-frontdesk, etc.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...