Alerting

Extracting a network address from a trap message

smithjnick
Path Finder

Hi All

I am trying to create an alert that triggers whenever I receive a high-risk notification from my IPS. I have my Splunk search term below that returns the correct trap message, but I need to know how I can filter further by the victim's network address. The victim's IP is contained in the following line:

      cidsAlertVictimAddress:= osIdSource="unknown" osRelevance="relevant" osType="unknown" 10.37.99.223:161

I would like to trigger my alert whenever this trap message comes in from any 10.37.0.0 source. I had a bash at regex but couldn't get past:

      | rex field=cidsAlertVictimAddress

My Splunk query is this:

      index=myindex source=ips  sourcetype=ips_threat

What do I need to append to my query in order to only alert on the victim address sitting on network 10.37.0.0?

The trap message looks like this:

 11/22/2013 4:13 PM 123.123.123.123:123.123.123.123  CISCO-CIDS-MIB:ciscoCidsAlert  SNMP Trap
 Received Time:11/22/2013 4:13:58 PM
 Source:456.456.456.456(456.456.456.456)
 Community:public
 Variable Bindings
      sysUpTime:= 112 days 19 hours 59 minutes 37.05 seconds (974877705)
      snmpTrapOID:= CISCO-CIDS-MIB:ciscoCidsAlert (1.3.6.1.4.1.9.9.383.0.1)
      cidsGeneralEventId:= 1323036804139549916
      cidsGeneralLocalTime:= 11/22/2013 4:13:58 PM (B90LFhANOgA=)
      cidsGeneralUTCTime:= 11/22/2013 4:13:58 PM (B90LFhANOgA=)
      cidsGeneralOriginatorHostId:= ZBTDCSRMP002
      cidsAlertSeverity:= high
      cidsAlertAlarmTraits:= 2147483648
      cidsAlertSignature:= Community Invalid Length
      cidsAlertSignatureSigName:= SNMP Protocol Violation
      cidsAlertSignatureSigId:= 4507
      cidsAlertSignatureSubSigId:= 6
      cidsAlertSignatureVersion:= S17
      cidsAlertInterfaceGroup:= 0
      cidsAlertVlan:= 0
      cidsAlertAttackerAddress:= 192.168.188.20:50556
      cidsAlertVictimAddress:= osIdSource="unknown" osRelevance="relevant" osType="unknown" 10.37.99.223:161
      cidsAlertDetails:= InterfaceAttributes:  context="single_vf" physical="Unknown" backplane="GigabitEthernet0/1" ; 
      cidsAlertEventRiskRating:= 100
      cidsAlert.26:= 3
      cidsAlert.27:= 17
      cidsAlert.42:= 65
      cidsAlert.46:= 1

Any help appreciated
ta

0 Karma

somesoni2
SplunkTrust

Try following.

index=myindex source=ips  sourcetype=ips_threat
| rex  "(?<victim_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | eval shouldAlert=if(match(victim_ip, "10\.37\.\d{1,3}\.\d{1,3}$"), "Yes", "No") | where shouldAlert="Yes"

Alert should be raised if above search returns rows.

This search is searching all the IPs in the form 10.37.XXX.XXX.
To search 10.37.0.XXX, use

"10\.37\.0\.\d{1,3}$". 

Updated Search

This should work for you (tested with sample data you posted [should have done this earlier])

index=myindex source=ips  sourcetype=ips_threat
    | rex  "cidsAlertVictimAddress.* (?<victim_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | eval shouldAlert=if(match(victim_ip, "10\.37\.\d{1,3}\.\d{1,3}$"), "Yes", "No") | where shouldAlert="Yes"
0 Karma

somesoni2
SplunkTrust

You can add all those in the shouldAlert eval command, e.g.
if(match(victim_ip, "10\.37\.\d{1,3}\.\d{1,3}$") OR match(victim_ip, "10\.28\.\d{1,3}\.\d{1,3}$"), "Yes", "No")

0 Karma
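The extraction and network check from the answer above, plus the multi-network follow-up, as added example code that is not from the thread or from Splunk: it runs the same "anchor on cidsAlertVictimAddress, capture the trailing IPv4 address" idea offline over a constructed trap sample, then tests the address against a list of CIDR blocks with Python's ipaddress module. Membership testing is tighter than an unanchored `match(victim_ip, "10\.37\.…")`, which would also fire on 110.37.x.x; the sample text and the watched networks are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample, modelled on the variable bindings quoted in the question.
SAMPLE_TRAP = """\
Variable Bindings
      cidsAlertSeverity:= high
      cidsAlertSignature:= Community Invalid Length
      cidsAlertAttackerAddress:= 192.168.188.20:50556
      cidsAlertVictimAddress:= osIdSource="unknown" osRelevance="relevant" osType="unknown" 10.37.99.223:161
      cidsAlertEventRiskRating:= 100
"""

# Same idea as the SPL rex: anchor on the binding name so the attacker address is
# never picked up, skip whatever os* attributes precede the value, and capture the
# IPv4 address that ends the line (the ":port" suffix is matched but not captured).
VICTIM_RE = re.compile(
    r"cidsAlertVictimAddress:=.*?\b(?P<victim_ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s*$",
    re.MULTILINE,
)

# Networks to alert on (constructed list), expressed as CIDR blocks rather than dotted-prefix regexes.
WATCHED_NETWORKS = [
    ipaddress.ip_network(cidr) for cidr in ("10.37.0.0/16", "10.28.0.0/16", "10.20.30.0/24")
]


def extract_victim_ip(trap_text):
    """Return the victim IPv4 address from a CISCO-CIDS trap, or None if absent or invalid."""
    m = VICTIM_RE.search(trap_text)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group("victim_ip"))
    except ValueError:  # e.g. 10.37.999.1 satisfies \d{1,3} but is not a real address
        return None


def should_alert(trap_text, watched_networks=WATCHED_NETWORKS):
    """True when the victim address lies inside any watched network.

    Membership testing avoids the false positive an unanchored prefix match on 10.37.
    would give for 110.37.x.x, and allows prefixes that are not octet-aligned (/22, /27).
    """
    ip = extract_victim_ip(trap_text)
    return ip is not None and any(ip in net for net in watched_networks)
```

The same tightening in SPL is to anchor the eval pattern at the start of the field, e.g. `match(victim_ip, "^10\.37\.")`.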

smithjnick
Path Finder

Many thanks S - this worked a treat and does exactly what I need it to do. Without pushing you too much, how could I refine this search to include other network addresses, i.e. 10.37 OR 10.28 OR 10.20.30 etc.?

0 Karma

somesoni2
SplunkTrust

Updated the answer.

0 Karma

smithjnick
Path Finder

Thanks for your reply S.
This search also produced no hits for me. Would your regex above search the whole trap message for a network address beginning 10.37? The reason I ask is that I do not see any reference directed at the line cidsAlertVictimAddress. This is the line I need to focus on for generating an alert or search result.

From your post, though, I am gaining a better understanding of the regex query, and I find the ability to change the victim IP search query quite useful as this is also a requirement of mine. Cheers.

0 Karma

pradeepkumarg
Influencer

Your query should be something like this

index=myindex source=ips  sourcetype=ips_threat | rex "(?m)osType=\W\S*\W\s(?P<VICTIM_IP>.*?)\:" | search VICTIM_IP="10.37.0.0"
0 Karma

pradeepkumarg
Influencer

Try this

index=myindex source=ips  sourcetype=ips_threat | rex "(?i)(?P<VICTIM_IP>.*?\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})\:\d+" | search VICTIM_IP="10.37*"

Make sure the case of VICTIM_IP is the same in both places in the query. For some reason this page is converting the regex to lower case.

0 Karma

smithjnick
Path Finder

Thanks for the reply G.
This did not produce any results, I'm afraid. I notice your regex includes a reference to the osType. This could differ depending on the message coming in and may not be present in some trap messages.

From the following line:

cidsAlertVictimAddress:= osIdSource="unknown" osRelevance="relevant" osType="unknown" 10.37.99.223:161

I only need to search on the victim IP network address 10.37. I would just need to ignore all other characters on this line if possible.

0 Karma