Hi All,
I have written a search which shows all the countries that are trying to access our servers from outside. It works fine and gives me loads of information. I was trying to tweak this search so that it will also give me the DNS resolution for the source IP from where the traffic is originating. The original search is as follows:
index=netscreen sourcetype=netscreen:firewall | iplocation src dst | search Country=China OR Country=Syria OR Country=Iran OR Country=Israel OR Country=Yemen OR Country=Romania OR Country=Russia OR dest_translated_ip | stats count by Country src src_port dst dest_translated_ip dst_port policy_id | rex field=_raw "dst-xlated\sip=(?[^\s]+)" | sort count 50 | dedup src | rename Country as Orgin_Country, src as SOURCE_IP, src_port as Source_Port, dst as DESTINATION_IP, dst_port as Destination_Port, dest_translated_ip as REAL_IP,policy_id as POLICY_ID
The modification I made is as follows:
index=netscreen sourcetype=netscreen:firewall sourcetype!=optiv_threat_list | lookup dnslookup clientip AS src OUTPUT clienthost as Hostname| iplocation src dst | search Country=China OR Country=Syria OR Country=Iran OR Country=Israel OR Country=Yemen OR Country=Romania OR Country=Russia OR dest_translated_ip | stats count by Country src src_port dst dest_translated_ip dst_port policy_id | rex field=_raw "dst-xlated\sip=(?[^\s]+)" | sort count 50 | dedup src | rename Country as Orgin_Country, src as SOURCE_IP, src_port as Source_Port, dst as DESTINATION_IP, dst_port as Destination_Port, dest_translated_ip as REAL_IP,policy_id as POLICY_ID
The first search works perfectly, but the second one does not yield any result. What am I doing incorrectly?
Regards
Pradeep
Hi Pradeep,
I think the rex syntax in your search may be incorrect. A field name should be provided so that the regex-captured group value can be assigned to it.
For example, the following search assigns anything after From: to the new from field and anything after To: to the new to field.
... | rex field=_raw "From: (?<from>.*) To: (?<to>.*)"
Therefore, you might need to supply a field name (sip, for example) in your search as well:
...| rex field=_raw "dst-xlated\sip=(?<sip>[^\s]+)" ...
Hope this helps. Thanks!
Hunter
Hi Hunter,
I modified the regex as you suggested, but I am still not able to resolve the DNS for the source IP.
Most likely your search index=netscreen sourcetype=netscreen:firewall sourcetype!=optiv_threat_list does not contain the field dst, or alternatively you have no hits with Country=China OR Country=Syria OR Country=Iran OR Country=Israel OR Country=Yemen OR Country=Romania OR Country=Russia
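A reworked version of the search, added here as an example rather than taken from the thread: stats keeps only the fields it groups by and discards _raw, so the rex (with the named capture Hunter points out) and the dnslookup output have to run before stats, and the hostname has to be in the BY clause or it is dropped. It assumes Splunk's built-in dnslookup external lookup (fields clientip and clienthost), that iplocation is given a single IP field, and that the capture name dest_translated_ip is the field the original stats was meant to group on.

```spl
index=netscreen sourcetype=netscreen:firewall
| rex field=_raw "dst-xlated\sip=(?<dest_translated_ip>[^\s]+)"
| iplocation src
| search Country=China OR Country=Syria OR Country=Iran OR Country=Israel OR Country=Yemen OR Country=Romania OR Country=Russia
| lookup dnslookup clientip AS src OUTPUT clienthost AS src_hostname
| fillnull value="unresolved" src_hostname
| stats count BY Country src src_hostname src_port dst dest_translated_ip dst_port policy_id
| sort 50 -count
| rename Country AS Origin_Country, src AS SOURCE_IP, src_hostname AS SOURCE_HOSTNAME, src_port AS Source_Port, dst AS DESTINATION_IP, dst_port AS Destination_Port, dest_translated_ip AS REAL_IP, policy_id AS POLICY_ID
```

The fillnull step matters: an event whose reverse lookup fails has no src_hostname, and stats silently drops every event that is missing one of its BY fields, which is one way a search can go from many results to none.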